Linux 6.4 NFS Server Adds RPC-With-TLS Support

Written by Michael Larabel in Linux Storage on 28 April 2023 at 10:18 AM EDT.
After well over a year in development, the NFS server (NFSD) changes sent out today for the Linux 6.4 merge window include support for RPC-with-TLS.

As noted in today's pull request of NFSD changes for Linux 6.4:
The big ticket item for this release is support for RPC-with-TLS [RFC 9289] has been added to the Linux NFS server. The goal is to provide a simple-to-deploy, low-overhead in-transit confidentiality and peer authentication mechanism. It can supplement NFS Kerberos and it can protect the use of legacy non-cryptographic user authentication flavors such as AUTH_SYS. The TLS Record protocol is handled entirely by kTLS, meaning it can use either software encryption or offload encryption to smart NICs.

RPC-with-TLS is specified in the IETF's RFC 9289, "Towards Remote Procedure Call Encryption by Default":
This document describes a mechanism that, through the use of opportunistic Transport Layer Security (TLS), enables encryption of Remote Procedure Call (RPC) transactions while they are in transit. The proposed mechanism interoperates with Open Network Computing (ONC) RPC implementations that do not support it.

For more details on all of the NFSD server updates for Linux 6.4, see the pull request.