nvme-tcp: request secure channel concatenation

	bool "NVMe over Fabrics In-Band Authentication in host side"

	depends on NVME_CORE

	select NVME_AUTH

	select NVME_KEYRING if NVME_TCP_TLS

	select NVME_KEYRING

	help

	  This provides support for NVMe over Fabrics In-Band Authentication in

	  host side.

#include "nvme.h"

#include "fabrics.h"

#include <linux/nvme-auth.h>

#include <linux/nvme-keyring.h>

#define CHAP_BUF_SIZE 4096

static struct kmem_cache *nvme_chap_buf_cache;

	data->auth_type = NVME_AUTH_COMMON_MESSAGES;

	data->auth_id = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;

	data->t_id = cpu_to_le16(chap->transaction);

	data->sc_c = 0; /* No secure channel concatenation */

	if (ctrl->opts->concat && chap->qid == 0) {

		if (ctrl->opts->tls_key)

			data->sc_c = NVME_AUTH_SECP_REPLACETLSPSK;

		else

			data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;

	} else

		data->sc_c = NVME_AUTH_SECP_NOSC;

	data->napd = 1;

	data->auth_protocol[0].dhchap.authid = NVME_AUTH_DHCHAP_AUTH_ID;

	data->auth_protocol[0].dhchap.halen = 3;

	data->hl = chap->hash_len;

	data->dhvlen = cpu_to_le16(chap->host_key_len);

	memcpy(data->rval, chap->response, chap->hash_len);

	if (ctrl->ctrl_key) {

	if (ctrl->ctrl_key)

		chap->bi_directional = true;

	if (ctrl->ctrl_key || ctrl->opts->concat) {

		get_random_bytes(chap->c2, chap->hash_len);

		data->cvalid = 1;

		memcpy(data->rval + chap->hash_len, chap->c2,

	} else {

		memset(chap->c2, 0, chap->hash_len);

	}

	if (ctrl->opts->concat)

		chap->s2 = 0;

	else

		chap->s2 = nvme_auth_get_seqnum();

	data->seqnum = cpu_to_le32(chap->s2);

	if (chap->host_key_len) {

		crypto_free_kpp(chap->dh_tfm);

}

void nvme_auth_revoke_tls_key(struct nvme_ctrl *ctrl)

{

	dev_dbg(ctrl->device, "Wipe generated TLS PSK %08x\n",

		key_serial(ctrl->opts->tls_key));

	key_revoke(ctrl->opts->tls_key);

	key_put(ctrl->opts->tls_key);

	ctrl->opts->tls_key = NULL;

}

EXPORT_SYMBOL_GPL(nvme_auth_revoke_tls_key);

static int nvme_auth_secure_concat(struct nvme_ctrl *ctrl,

				   struct nvme_dhchap_queue_context *chap)

{

	u8 *psk, *digest, *tls_psk;

	struct key *tls_key;

	size_t psk_len;

	int ret = 0;

	if (!chap->sess_key) {

		dev_warn(ctrl->device,

			 "%s: qid %d no session key negotiated\n",

			 __func__, chap->qid);

		return -ENOKEY;

	}

	if (chap->qid) {

		dev_warn(ctrl->device,

			 "qid %d: secure concatenation not supported on I/O queues\n",

			 chap->qid);

		return -EINVAL;

	}

	ret = nvme_auth_generate_psk(chap->hash_id, chap->sess_key,

				     chap->sess_key_len,

				     chap->c1, chap->c2,

				     chap->hash_len, &psk, &psk_len);

	if (ret) {

		dev_warn(ctrl->device,

			 "%s: qid %d failed to generate PSK, error %d\n",

			 __func__, chap->qid, ret);

		return ret;

	}

	dev_dbg(ctrl->device,

		  "%s: generated psk %*ph\n", __func__, (int)psk_len, psk);

	ret = nvme_auth_generate_digest(chap->hash_id, psk, psk_len,

					ctrl->opts->subsysnqn,

					ctrl->opts->host->nqn, &digest);

	if (ret) {

		dev_warn(ctrl->device,

			 "%s: qid %d failed to generate digest, error %d\n",

			 __func__, chap->qid, ret);

		goto out_free_psk;

	};

	dev_dbg(ctrl->device, "%s: generated digest %s\n",

		 __func__, digest);

	ret = nvme_auth_derive_tls_psk(chap->hash_id, psk, psk_len,

				       digest, &tls_psk);

	if (ret) {

		dev_warn(ctrl->device,

			 "%s: qid %d failed to derive TLS psk, error %d\n",

			 __func__, chap->qid, ret);

		goto out_free_digest;

	};

	tls_key = nvme_tls_psk_refresh(ctrl->opts->keyring,

				       ctrl->opts->host->nqn,

				       ctrl->opts->subsysnqn, chap->hash_id,

				       tls_psk, psk_len, digest);

	if (IS_ERR(tls_key)) {

		ret = PTR_ERR(tls_key);

		dev_warn(ctrl->device,

			 "%s: qid %d failed to insert generated key, error %d\n",

			 __func__, chap->qid, ret);

		tls_key = NULL;

	}

	kfree_sensitive(tls_psk);

	if (ctrl->opts->tls_key)

		nvme_auth_revoke_tls_key(ctrl);

	ctrl->opts->tls_key = tls_key;

out_free_digest:

	kfree_sensitive(digest);

out_free_psk:

	kfree_sensitive(psk);

	return ret;

}

static void nvme_queue_auth_work(struct work_struct *work)

{

	struct nvme_dhchap_queue_context *chap =

	}

	if (!ret) {

		chap->error = 0;

		if (ctrl->opts->concat &&

		    (ret = nvme_auth_secure_concat(ctrl, chap))) {

			dev_warn(ctrl->device,

				 "%s: qid %d failed to enable secure concatenation\n",

				 __func__, chap->qid);

			chap->error = ret;

		}

		return;

	}

			 "qid 0: authentication failed\n");

		return;

	}

	/*

	 * Only run authentication on the admin queue for secure concatenation.

	 */

	if (ctrl->opts->concat)

		return;

	for (q = 1; q < ctrl->queue_count; q++) {

		ret = nvme_auth_negotiate(ctrl, q);

	result = le32_to_cpu(res.u32);

	ctrl->cntlid = result & 0xFFFF;

	if (result & (NVME_CONNECT_AUTHREQ_ATR | NVME_CONNECT_AUTHREQ_ASCR)) {

		/* Secure concatenation is not implemented */

		if (result & NVME_CONNECT_AUTHREQ_ASCR) {

		/* Check for secure concatenation */

		if ((result & NVME_CONNECT_AUTHREQ_ASCR) &&

		    !ctrl->opts->concat) {

			dev_warn(ctrl->device,

				 "qid 0: secure concatenation is not supported\n");

			ret = -EOPNOTSUPP;

		/* Secure concatenation is not implemented */

		if (result & NVME_CONNECT_AUTHREQ_ASCR) {

			dev_warn(ctrl->device,

				 "qid 0: secure concatenation is not supported\n");

				 "qid %d: secure concatenation is not supported\n", qid);

			ret = -EOPNOTSUPP;

			goto out_free_data;

		}

#endif

#ifdef CONFIG_NVME_TCP_TLS

	{ NVMF_OPT_TLS,			"tls"			},

	{ NVMF_OPT_CONCAT,		"concat"		},

#endif

	{ NVMF_OPT_ERR,			NULL			}

};

	opts->tls = false;

	opts->tls_key = NULL;

	opts->keyring = NULL;

	opts->concat = false;

	options = o = kstrdup(buf, GFP_KERNEL);

	if (!options)

			}

			opts->tls = true;

			break;

		case NVMF_OPT_CONCAT:

			if (!IS_ENABLED(CONFIG_NVME_TCP_TLS)) {

				pr_err("TLS is not supported\n");

				ret = -EINVAL;

				goto out;

			}

			opts->concat = true;

			break;

		default:

			pr_warn("unknown parameter or missing value '%s' in ctrl creation request\n",

				p);

			pr_warn("failfast tmo (%d) larger than controller loss tmo (%d)\n",

				opts->fast_io_fail_tmo, ctrl_loss_tmo);

	}

	if (opts->concat) {

		if (opts->tls) {

			pr_err("Secure concatenation over TLS is not supported\n");

			ret = -EINVAL;

			goto out;

		}

		if (opts->tls_key) {

			pr_err("Cannot specify a TLS key for secure concatenation\n");

			ret = -EINVAL;

			goto out;

		}

		if (!opts->dhchap_secret) {

			pr_err("Need to enable DH-CHAP for secure concatenation\n");

			ret = -EINVAL;

			goto out;

		}

	}

	opts->host = nvmf_host_add(hostnqn, &hostid);

	if (IS_ERR(opts->host)) {

	NVMF_OPT_TLS		= 1 << 25,

	NVMF_OPT_KEYRING	= 1 << 26,

	NVMF_OPT_TLS_KEY	= 1 << 27,

	NVMF_OPT_CONCAT		= 1 << 28,

};

/**

 * @keyring:    Keyring to use for key lookups

 * @tls_key:    TLS key for encrypted connections (TCP)

 * @tls:        Start TLS encrypted connections (TCP)

 * @concat:     Enabled Secure channel concatenation (TCP)

 * @disable_sqflow: disable controller sq flow control

 * @hdr_digest: generate/verify header digest (TCP)

 * @data_digest: generate/verify data digest (TCP)

	struct key		*keyring;

	struct key		*tls_key;

	bool			tls;

	bool			concat;

	bool			disable_sqflow;

	bool			hdr_digest;

	bool			data_digest;

int nvme_auth_negotiate(struct nvme_ctrl *ctrl, int qid);

int nvme_auth_wait(struct nvme_ctrl *ctrl, int qid);

void nvme_auth_free(struct nvme_ctrl *ctrl);

void nvme_auth_revoke_tls_key(struct nvme_ctrl *ctrl);

#else

static inline int nvme_auth_init_ctrl(struct nvme_ctrl *ctrl)

{

	return -EPROTONOSUPPORT;

}

static inline void nvme_auth_free(struct nvme_ctrl *ctrl) {};

static inline void nvme_auth_revoke_tls_key(struct nvme_ctrl *ctrl) {};

#endif

u32 nvme_command_effects(struct nvme_ctrl *ctrl, struct nvme_ns *ns,