From patchwork Fri Oct 11 15:54:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 834708 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F02E219755B for ; Fri, 11 Oct 2024 15:54:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728662099; cv=none; b=XzLTZSecDBmQ8NT/5kJX9cHtIcvkqbWKxLxEm6n72VzKa86aSZgMacJdL0qudOPXXrbzK+eeC0dNiwi3p3yBazruU+opr9obWRR2Y4F42Iy2z/O8ajDHiOq8r7TsQEgxTZ1QsD1ho1S9PluJSLkFlJQkyrTM3hXGaZqIsxNlBZA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728662099; c=relaxed/simple; bh=FvaAP/PZSe5da8Br0cOgaV4n77+sOCWgAbrcmYowNpw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=EoRSg/Q+8lOt8+Qnw/zR5+oCtq/aEfZ4kFg11Ue79Z31eIQdNilniDOPoWgWYtxFx4AYkrJUt0TZw+ntAluOLjQH754ZzWFSk2Hz1TLx7ZnUKSn9eRBo5aulL4u7pa+2XAKdtJHl+cQY2z2FUwS6Ltvl8nBlHuqZ5KBdej5KVjU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=XTugryGB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="XTugryGB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2B539C4CEC7; Fri, 11 Oct 2024 15:54:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1728662098; bh=FvaAP/PZSe5da8Br0cOgaV4n77+sOCWgAbrcmYowNpw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XTugryGB4vlrnmWEyHDFpNyH7jo1c7NC1uPiPYITjMgRljLBd8HesI2UP6AaKbWsX Ry/DXiDWmPuxCU91JgIxN9uJWd8QOqPanCzi0YXQMbsk6lc7Jtr42kNqxolNzgNlB8 90xRpJ0gkgJ3cAoe9e0iEksebSq1rsSZ22PBG+VVSJLKv5sQXcWdwN936uWeVfRWQ9 YkvGiZv2548MFwe4JQrUr4lofGltZ+kf2eOP/9ZUN7e9tg4YnFZS9UpHt67hZFRyKq D6kX1tREjmhSzrghAoxycDKpR+zq7HJdC9YKST8l0Bq2tMg/QPihbvPW71tfAjQK9Z bphfRgLVtS5rw== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 5/9] nvme-keyring: add nvme_tls_psk_refresh() Date: Fri, 11 Oct 2024 17:54:26 +0200 Message-Id: <20241011155430.43450-6-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241011155430.43450-1-hare@kernel.org> References: <20241011155430.43450-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a function to refresh a generated PSK in the specified keyring. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg --- drivers/nvme/common/keyring.c | 64 +++++++++++++++++++++++++++++++++++ include/linux/nvme-keyring.h | 9 +++++ 2 files changed, 73 insertions(+) diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c index ed5167f942d8..8cb253fcd586 100644 --- a/drivers/nvme/common/keyring.c +++ b/drivers/nvme/common/keyring.c @@ -124,6 +124,70 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring, return key_ref_to_ptr(keyref); } +/** + * nvme_tls_psk_refresh - Refresh TLS PSK + * @keyring: Keyring holding the TLS PSK + * @hostnqn: Host NQN to use + * @subnqn: Subsystem NQN to use + * @hmac_id: Hash function identifier + * @data: TLS PSK key material + * @data_len: Length of @data + * @digest: TLS PSK digest + * + * Refresh a generated version 1 TLS PSK with the identity generated + * from @hmac_id, @hostnqn, @subnqn, and @digest in the keyring given + * by @keyring. + * + * Returns the updated key success or an error pointer otherwise. + */ +struct key *nvme_tls_psk_refresh(struct key *keyring, + const char *hostnqn, const char *subnqn, u8 hmac_id, + u8 *data, size_t data_len, const char *digest) +{ + key_perm_t keyperm = + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_POS_READ | + KEY_POS_WRITE | KEY_POS_LINK | KEY_POS_SETATTR | + KEY_USR_SEARCH | KEY_USR_VIEW | KEY_USR_READ; + char *identity; + key_ref_t keyref; + key_serial_t keyring_id; + struct key *key; + + if (!hostnqn || !subnqn || !data || !data_len) + return ERR_PTR(-EINVAL); + + identity = kasprintf(GFP_KERNEL, "NVMe1G%02d %s %s %s", + hmac_id, hostnqn, subnqn, digest); + if (!identity) + return ERR_PTR(-ENOMEM); + + if (!keyring) + keyring = nvme_keyring; + keyring_id = key_serial(keyring); + pr_debug("keyring %x refresh tls psk '%s'\n", + keyring_id, identity); + keyref = key_create_or_update(make_key_ref(keyring, true), + "psk", identity, data, data_len, + keyperm, KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(keyref)) { + pr_debug("refresh tls psk '%s' failed, error %ld\n", + identity, PTR_ERR(keyref)); + kfree(identity); + return ERR_PTR(-ENOKEY); + } + kfree(identity); + /* + * Set the default timeout to 1 hour + * as suggested in TP8018. + */ + key = key_ref_to_ptr(keyref); + key_set_timeout(key, 3600); + return key; +} +EXPORT_SYMBOL_GPL(nvme_tls_psk_refresh); + /* * NVMe PSK priority list * diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h index 19d2b256180f..351a02b1bbc3 100644 --- a/include/linux/nvme-keyring.h +++ b/include/linux/nvme-keyring.h @@ -8,6 +8,9 @@ #if IS_ENABLED(CONFIG_NVME_KEYRING) +struct key *nvme_tls_psk_refresh(struct key *keyring, + const char *hostnqn, const char *subnqn, u8 hmac_id, + u8 *data, size_t data_len, const char *digest); key_serial_t nvme_tls_psk_default(struct key *keyring, const char *hostnqn, const char *subnqn); @@ -15,6 +18,12 @@ key_serial_t nvme_keyring_id(void); struct key *nvme_tls_key_lookup(key_serial_t key_id); #else +static struct key *nvme_tls_psk_refresh(struct key *keyring, + const char *hostnqn, char *subnqn, u8 hmac_id, + u8 *data, size_t data_len, const char *digest) +{ + return ERR_PTR(-ENOTSUPP); +} static inline key_serial_t nvme_tls_psk_default(struct key *keyring, const char *hostnqn, const char *subnqn) {