Commit be8e82ca authored by Hannes Reinecke, committed by Keith Busch

nvme-tcp: enable TLS handshake upcall



Add a fabrics option 'tls' and start the TLS handshake upcall
with the default PSK. When TLS is started, the PSK key serial
number is displayed in the sysfs attribute 'tls_key'.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
parent e40d4eb8
+15 −0
@@ -92,6 +92,21 @@ config NVME_TCP

	  If unsure, say N.

config NVME_TCP_TLS
	bool "NVMe over Fabrics TCP TLS encryption support"
	depends on NVME_TCP
	select NVME_COMMON
	select NVME_KEYRING
	select NET_HANDSHAKE
	select KEYS
	help
	  Enables TLS encryption for NVMe TCP using the netlink handshake API.

	  The TLS handshake daemon is availble at
	  https://github.com/oracle/ktls-utils.

	  If unsure, say N.

config NVME_AUTH
	bool "NVM Express over Fabrics In-Band Authentication"
	depends on NVME_CORE
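Review bot: The help text line `The TLS handshake daemon is availble at` misspells "available"; change it to `The TLS handshake daemon is available at`. It would also help operators if the help text said plainly that this option only builds the kernel side and that the userspace handshake daemon from ktls-utils must actually be running for a `tls` connect to succeed — presumably a connect without it fails or times out, which is worth stating once confirmed against the tcp.c side of this commit, which is not in this view.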
+1 −1
@@ -4400,7 +4400,7 @@ static void nvme_free_ctrl(struct device *dev)

	if (!subsys || ctrl->instance != subsys->instance)
		ida_free(&nvme_instance_ida, ctrl->instance);

	key_put(ctrl->tls_key);
	nvme_free_cels(ctrl);
	nvme_mpath_uninit(ctrl);
	nvme_auth_stop(ctrl);
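Review bot: `key_put(ctrl->tls_key);` in nvme_free_ctrl drops the key reference only at final controller teardown, so any code that assigns ctrl->tls_key more than once over the controller's life (for example a fresh handshake on reconnect) must put the previous key itself or that reference leaks; the code that sets the field is not in this view, so this is worth confirming rather than assuming. key_put() tolerates a NULL argument, so the unconditional call is fine for controllers that never used TLS. nvme_free_ctrl begins outside the hunk.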
+12 −0
@@ -647,6 +647,9 @@ static const match_table_t opt_tokens = {
	{ NVMF_OPT_DISCOVERY,		"discovery"		},
	{ NVMF_OPT_DHCHAP_SECRET,	"dhchap_secret=%s"	},
	{ NVMF_OPT_DHCHAP_CTRL_SECRET,	"dhchap_ctrl_secret=%s"	},
#ifdef CONFIG_NVME_TCP_TLS
	{ NVMF_OPT_TLS,			"tls"			},
#endif
	{ NVMF_OPT_ERR,			NULL			}
};

@@ -671,6 +674,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
	opts->hdr_digest = false;
	opts->data_digest = false;
	opts->tos = -1; /* < 0 == use transport default */
	opts->tls = false;

	options = o = kstrdup(buf, GFP_KERNEL);
	if (!options)
@@ -955,6 +959,14 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
			kfree(opts->dhchap_ctrl_secret);
			opts->dhchap_ctrl_secret = p;
			break;
		case NVMF_OPT_TLS:
			if (!IS_ENABLED(CONFIG_NVME_TCP_TLS)) {
				pr_err("TLS is not supported\n");
				ret = -EINVAL;
				goto out;
			}
			opts->tls = true;
			break;
		default:
			pr_warn("unknown parameter or missing value '%s' in ctrl creation request\n",
				p);
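Review bot: The `pr_err("TLS is not supported\n")` branch under `case NVMF_OPT_TLS` is unreachable: the "tls" token is only compiled into opt_tokens inside `#ifdef CONFIG_NVME_TCP_TLS`, so with the option disabled match_token() can never return NVMF_OPT_TLS and a user passing `tls` lands in the default "unknown parameter" branch instead. Pick one mechanism — either drop the `#ifdef`/`#endif` around the table entry so the explicit message is what users see, or drop the IS_ENABLED() check and its message — keeping both is misleading to the next reader. Note also that `opts->tls = true;` is only a flag; whether a non-TCP transport refuses it presumably relies on the transport's allowed-options mask, which is not in this view. nvmf_parse_options begins and ends outside the hunk.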
+3 −0
@@ -70,6 +70,7 @@ enum {
	NVMF_OPT_DISCOVERY	= 1 << 22,
	NVMF_OPT_DHCHAP_SECRET	= 1 << 23,
	NVMF_OPT_DHCHAP_CTRL_SECRET = 1 << 24,
	NVMF_OPT_TLS		= 1 << 25,
};

/**
@@ -102,6 +103,7 @@ enum {
 * @dhchap_secret: DH-HMAC-CHAP secret
 * @dhchap_ctrl_secret: DH-HMAC-CHAP controller secret for bi-directional
 *              authentication
 * @tls:        Start TLS encrypted connections (TCP)
 * @disable_sqflow: disable controller sq flow control
 * @hdr_digest: generate/verify header digest (TCP)
 * @data_digest: generate/verify data digest (TCP)
@@ -128,6 +130,7 @@ struct nvmf_ctrl_options {
	struct nvmf_host	*host;
	char			*dhchap_secret;
	char			*dhchap_ctrl_secret;
	bool			tls;
	bool			disable_sqflow;
	bool			hdr_digest;
	bool			data_digest;
+1 −0
@@ -357,6 +357,7 @@ struct nvme_ctrl {
	struct nvme_dhchap_key *ctrl_key;
	u16 transaction;
#endif
	struct key *tls_key;

	/* Power saving configuration */
	u64 ps_max_latency_us;
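Review bot: `struct key *tls_key;` is added to struct nvme_ctrl without a comment, directly after fields that sit under an `#ifdef` whose `#endif` closes just above it, so a reader cannot tell whether it is config-dependent or what owns it. Suggest `struct key *tls_key; /* PSK for the TLS handshake; holds a key ref, put in nvme_free_ctrl() */`, and, if it is indeed NULL whenever TLS is not in use, say so in the same comment. Leaving the field unconditional rather than under CONFIG_NVME_TCP_TLS is reasonable since key_put() accepts NULL, but that rationale belongs next to the declaration.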