tlshd: Add default keyrings for NFS

chucklever · chucklever · commit 96340c1a47be · 2025-06-09T11:16:59.000-04:00
The NFS mount command is to add keys to the .nfs keyring. Also add a
keyring for NFSD configuration.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
@@ -99,15 +99,18 @@ bool tlshd_config_init(const gchar *pathname)
 		for (i = 0; i < length; i++) {
 			if (!strcmp(keyrings[i], ".nvme"))
 				continue;
+			if (!strcmp(keyrings[i], ".nfs"))
+				continue;
+			if (!strcmp(keyrings[i], ".nfsd"))
+				continue;
 			tlshd_keyring_link_session(keyrings[i]);
 		}
 		g_strfreev(keyrings);
 	}
-	/*
-	 * Always link the default nvme subsystem keyring into the
-	 * session.
-	 */
+	/* The ".nvme", ".nfs", and ".nfsd" keyrings cannot be disabled. */
 	tlshd_keyring_link_session(".nvme");
+	tlshd_keyring_link_session(".nfs");
+	tlshd_keyring_link_session(".nfsd");
 
 	return true;
 }
diff --git a/src/tlshd/tlshd.conf.man b/src/tlshd/tlshd.conf.man
@@ -79,7 +79,13 @@ that contain handshake authentication tokens.
 .B tlshd
 links these keyrings into its session keyring.
 The configuration file may specify either a keyring's name or serial number.
-The default is to provide no keyring.
+.B tlshd
+always includes the
+.IR .nvme ,
+.IR .nfs ,
+and
+.I .nfsd
+keyrings on its session keyring.
 .P
 And, in this section, there are two subsections:
 .I [client]
