From patchwork Mon Dec 2 14:29:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 846728 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D8152940F for ; Mon, 2 Dec 2024 14:30:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149815; cv=none; b=SnRtSUZXabxfNcO5/F7j4ES6NllhfnFaxOhmWHYBMnhPczqJ3vN5NQkUhlMQpTQaRSdG+FOyxsKEsWgoW9pVue15dSE7g8BPz9sMYm/JzcPYNAIjWTdMhsYCkl0L5fD9oT4jSMH5NAd9VGYDAFlqnbMWqthwh5L2bNdbF/SXHnE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149815; c=relaxed/simple; bh=NQ/FL8/1bPXTvZi+dECQ5MFtHxFkdmLqMD736guOG64=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=QldpRNppZ7BPPikBFvGmQm03RVOwvjIGITxGRA0qyBPZVVA9f6dbmZQGBIMiy6hrpPfefkL/ObaDmqtWqRxQ0YjYdWKaKEP76mpurv/Vv/ZVbWfU89+Dsone+hYQlSvv7dDqs9P2uiiYcdTIiAN9bzWEqY+1kb9dQUHU3djmsoo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=d+m6L8AQ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="d+m6L8AQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 52E2CC4CEDA; Mon, 2 Dec 2024 14:30:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1733149814; bh=NQ/FL8/1bPXTvZi+dECQ5MFtHxFkdmLqMD736guOG64=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d+m6L8AQShVuLgKLC7QEJSiZGk77yY2cHm9Fu9a2Lz0NqGrDtgM01alRL4HX7ghuQ 
dFAXKumm7jqhG1nSXV3qg+SJljmtB+RYv7aJ2z/uYz7lcDk7uhetcvKSG/o7Syqkao ycUYzDeYg4LXpaO6vdeEh0IzaQ2UAU7HLw+7pwniGisRkC8IXcExQ0Gxvrsspx3N7C l9W/PQO8X/LuPxw7x2/y903Bi6Gqi3arKHb6TTw5p0eL1UhUnK3/FxI9P4V5zm7ZMh gvl4eF90vj4tJ6aTb2KNi93R0VV0Cks4b4XIY9Lov25rC7hQedV7dxCVm3aJdFYaV+ cYG7PDal/NbLQ== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 02/10] nvme: add nvme_auth_generate_psk() Date: Mon, 2 Dec 2024 15:29:51 +0100 Message-Id: <20241202142959.81321-3-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241202142959.81321-1-hare@kernel.org> References: <20241202142959.81321-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a function to generate a NVMe PSK from the shared credentials negotiated by DH-HMAC-CHAP. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg --- drivers/nvme/common/auth.c | 98 ++++++++++++++++++++++++++++++++++++++ include/linux/nvme-auth.h | 3 ++ 2 files changed, 101 insertions(+) diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c index a3455f1d67fa..32a12899d0ce 100644 --- a/drivers/nvme/common/auth.c +++ b/drivers/nvme/common/auth.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include 
@@ -471,5 +472,102 @@ int nvme_auth_generate_key(u8 *secret, struct nvme_dhchap_key **ret_key) } EXPORT_SYMBOL_GPL(nvme_auth_generate_key); +/** + * nvme_auth_generate_psk - Generate a PSK for TLS + * @hmac_id: Hash function identifier + * @skey: Session key + * @skey_len: Length of @skey + * @c1: Value of challenge C1 + * @c2: Value of challenge C2 + * @hash_len: Hash length of the hash algorithm + * @ret_psk: Pointer too the resulting generated PSK + * @ret_len: length of @ret_psk + * + * Generate a PSK for TLS as specified in NVMe base specification, section 8.13.5.9: + * Generated PSK for TLS + * + * The generated PSK for TLS shall be computed applying the HMAC function using the + * hash function H( ) selected by the HashID parameter in the DH-HMAC-CHAP_Challenge + * message with the session key KS as key to the concatenation of the two challenges + * C1 and C2 (i.e., generated PSK = HMAC(KS, C1 || C2)). + * + * Returns 0 on success with a valid generated PSK pointer in @ret_psk and the length + * of @ret_psk in @ret_len, or a negative error number otherwise. 
+ */ +int nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len, + u8 *c1, u8 *c2, size_t hash_len, u8 **ret_psk,size_t *ret_len) +{ + struct crypto_shash *tfm; + struct shash_desc *shash; + u8 *psk; + const char *hmac_name; + int ret, psk_len; + + if (!c1 || !c2) { + pr_warn("%s: invalid parameter\n", __func__); + return -EINVAL; + } + + hmac_name = nvme_auth_hmac_name(hmac_id); + if (!hmac_name) { + pr_warn("%s: invalid hash algorithm %d\n", + __func__, hmac_id); + return -EINVAL; + } + + tfm = crypto_alloc_shash(hmac_name, 0, 0); + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + + psk_len = crypto_shash_digestsize(tfm); + psk = kzalloc(psk_len, GFP_KERNEL); + if (!psk) { + ret = -ENOMEM; + goto out_free_tfm; + } + + shash = kmalloc(sizeof(struct shash_desc) + + crypto_shash_descsize(tfm), + GFP_KERNEL); + if (!shash) { + ret = -ENOMEM; + goto out_free_psk; + } + + shash->tfm = tfm; + ret = crypto_shash_setkey(tfm, skey, skey_len); + if (ret) + goto out_free_shash; + + ret = crypto_shash_init(shash); + if (ret) + goto out_free_shash; + + ret = crypto_shash_update(shash, c1, hash_len); + if (ret) + goto out_free_shash; + + ret = crypto_shash_update(shash, c2, hash_len); + if (ret) + goto out_free_shash; + + ret = crypto_shash_final(shash, psk); + if (!ret) { + *ret_psk = psk; + *ret_len = psk_len; + } + +out_free_shash: + kfree_sensitive(shash); +out_free_psk: + if (ret) + kfree_sensitive(psk); +out_free_tfm: + crypto_free_shash(tfm); + + return ret; +} +EXPORT_SYMBOL_GPL(nvme_auth_generate_psk); + MODULE_DESCRIPTION("NVMe Authentication framework"); MODULE_LICENSE("GPL v2"); diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h index c1d0bc5d9624..b13884b04dfd 100644 --- a/include/linux/nvme-auth.h +++ b/include/linux/nvme-auth.h 
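Review bot: in nvme_auth_generate_psk() the hash_len parameter is trusted as the size of c1 and c2, while the HMAC output size is taken separately from crypto_shash_digestsize(tfm); the quoted spec text says C1 and C2 are hash-length values, so either drop hash_len and use psk_len for both crypto_shash_update() calls or reject the call when `hash_len != psk_len`, otherwise a caller passing a mismatched length reads past the challenge buffers (the existing `if (!c1 || !c2)` check does not cover this, and skey/skey_len are not validated at all). Smaller points in the same hunk: the kernel-doc says "Pointer too the resulting" (should be "to"), and `u8 **ret_psk,size_t *ret_len` needs a space after the comma. Using kfree_sensitive() for the descriptor and the PSK is right; skey is also copied into the tfm by crypto_shash_setkey(), so please confirm crypto_free_shash() clears that copy too.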
@@ -40,5 +40,8 @@ int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm, int nvme_auth_gen_shared_secret(struct crypto_kpp *dh_tfm, u8 *ctrl_key, size_t ctrl_key_len, u8 *sess_key, size_t sess_key_len); +int nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len, + u8 *c1, u8 *c2, size_t hash_len, + u8 **ret_psk, size_t *ret_len); #endif /* _NVME_AUTH_H */ From patchwork Mon Dec 2 14:29:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 846727 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 976BA204081 for ; Mon, 2 Dec 2024 14:30:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149820; cv=none; b=R6pNV33JKdDOTOVkyrCcwS3s6LieANueDo1SnD1K7vbkJpxUh5xrYA/LWwQmJtz93n/ZWxURyObCnCjQOSbDoiJO1jJsv7SF2C6fiRiIWDHdo1/MD4vxjjoAXNLvakVduVU1iB8BwDWj8ZlLOM1HFmkgnqoUhevPz+8n88V+noI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149820; c=relaxed/simple; bh=9yLuiMsgmIlYmlHfQwMJCwezrB0HK+0HxDEZfGiPMUo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=nJs/68GlNoqLwdMCMQ6uLBi2/CQgrg5bBu6pQPtEpFDDjTkHRKfLIqDWEHTmwdpvQEQO5tZx/xQ5QxDs5ps4b82hZGZz9YEvEVkUR2I0JVRGMRExGX1wYIL9uEv7nl4JsNhN52yen9anzhUYZNcpSioRxs6UpGPj1U+HK4SyUqA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FATK/8rA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FATK/8rA" Received: by smtp.kernel.org (Postfix) with ESMTPSA 
id 78186C4CED9; Mon, 2 Dec 2024 14:30:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1733149819; bh=9yLuiMsgmIlYmlHfQwMJCwezrB0HK+0HxDEZfGiPMUo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FATK/8rAed1hLnzaCM+YOBWLxlPGNVQCiJEely9TsLxX6syrEvJ8tdokTzG2+FtI1 yyp1uuHffbZyCQDeRu4iI1eWjPedKA98y20qbRngWGa6wtqJ97nM/aDhge2JLXdDjd e9YvQCkIZbei9qLAiPbsad7eZXh19GnfvpcbPOfgksOqLXCX8t22qhefBDi+rHkds7 /uE0a6XkLhXm7oRZkWuCqpT8zhfg9TvzIdm3C/w5vxcIxohu/6DoJf9e4On/hakSpT d7VX74dLB9dKbEMN3fPXVlExrVNQuHumXi+3B7xo+Zx4/jIm+c4lIt37fDYvn9Mkij S1jcVnVJI45yg== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 04/10] nvme: add nvme_auth_derive_tls_psk() Date: Mon, 2 Dec 2024 15:29:53 +0100 Message-Id: <20241202142959.81321-5-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241202142959.81321-1-hare@kernel.org> References: <20241202142959.81321-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a function to derive the TLS PSK as specified in TP8018. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg --- drivers/nvme/common/Kconfig | 1 + drivers/nvme/common/auth.c | 109 ++++++++++++++++++++++++++++++++++++ include/linux/nvme-auth.h | 2 + 3 files changed, 112 insertions(+) diff --git a/drivers/nvme/common/Kconfig b/drivers/nvme/common/Kconfig index 244432e0b73d..da963e4f3f1f 100644 --- a/drivers/nvme/common/Kconfig +++ b/drivers/nvme/common/Kconfig @@ -12,3 +12,4 @@ config NVME_AUTH select CRYPTO_SHA512 select CRYPTO_DH select CRYPTO_DH_RFC7919_GROUPS + select CRYPTO_HKDF diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c index 12ce9125693f..e81a50ac57c7 100644 --- a/drivers/nvme/common/auth.c +++ b/drivers/nvme/common/auth.c 
@@ -15,6 +15,8 @@ #include #include +#define HKDF_MAX_HASHLEN 64 + static u32 nvme_dhchap_seqnum; static DEFINE_MUTEX(nvme_dhchap_mutex); 
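Review bot: HKDF_MAX_HASHLEN is a bare magic number; a one-line comment saying that it is the largest digest size any HMAC used by the HKDF code can produce, and that it only sizes the all-zero default salt, would make its purpose clear, or express it through an existing constant such as SHA512_DIGEST_SIZE so it cannot drift from the crypto layer.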
@@ -708,5 +710,112 @@ int nvme_auth_generate_digest(u8 hmac_id, u8 *psk, size_t psk_len, } EXPORT_SYMBOL_GPL(nvme_auth_generate_digest); +/** + * nvme_auth_derive_tls_psk - Derive TLS PSK + * @hmac_id: Hash function identifier + * @psk: generated input PSK + * @psk_len: size of @psk + * @psk_digest: TLS PSK digest + * @ret_psk: Pointer to the resulting TLS PSK + * + * Derive a TLS PSK as specified in TP8018 Section 3.6.1.3: + * TLS PSK and PSK identity Derivation + * + * The TLS PSK shall be derived as follows from an input PSK + * (i.e., either a retained PSK or a generated PSK) and a PSK + * identity using the HKDF-Extract and HKDF-Expand-Label operations + * (refer to RFC 5869 and RFC 8446) where the hash function is the + * one specified by the hash specifier of the PSK identity: + * 1. PRK = HKDF-Extract(0, Input PSK); and + * 2. TLS PSK = HKDF-Expand-Label(PRK, "nvme-tls-psk", PskIdentityContext, L), + * where PskIdentityContext is the hash identifier indicated in + * the PSK identity concatenated to a space character and to the + * Base64 PSK digest (i.e., " ") and L is the + * output size in bytes of the hash function (i.e., 32 for SHA-256 + * and 48 for SHA-384). + * + * Returns 0 on success with a valid psk pointer in @ret_psk or a negative + * error number otherwise. 
+ */ +int nvme_auth_derive_tls_psk(int hmac_id, u8 *psk, size_t psk_len, + u8 *psk_digest, u8 **ret_psk) +{ + struct crypto_shash *hmac_tfm; + const char *hmac_name; + const char *psk_prefix = "tls13 nvme-tls-psk"; + static const char default_salt[HKDF_MAX_HASHLEN]; + size_t info_len, prk_len; + char *info; + unsigned char *prk, *tls_key; + int ret; + + hmac_name = nvme_auth_hmac_name(hmac_id); + if (!hmac_name) { + pr_warn("%s: invalid hash algorithm %d\n", + __func__, hmac_id); + return -EINVAL; + } + if (hmac_id == NVME_AUTH_HASH_SHA512) { + pr_warn("%s: unsupported hash algorithm %s\n", + __func__, hmac_name); + return -EINVAL; + } + + hmac_tfm = crypto_alloc_shash(hmac_name, 0, 0); + if (IS_ERR(hmac_tfm)) + return PTR_ERR(hmac_tfm); + + prk_len = crypto_shash_digestsize(hmac_tfm); + prk = kzalloc(prk_len, GFP_KERNEL); + if (!prk) { + ret = -ENOMEM; + goto out_free_shash; + } + + if (WARN_ON(prk_len > HKDF_MAX_HASHLEN)) { + ret = -EINVAL; + goto out_free_prk; + } + ret = hkdf_extract(hmac_tfm, psk, psk_len, + default_salt, prk_len, prk); + if (ret) + goto out_free_prk; + + ret = crypto_shash_setkey(hmac_tfm, prk, prk_len); + if (ret) + goto out_free_prk; + + info_len = strlen(psk_digest) + strlen(psk_prefix) + 5; + info = kzalloc(info_len, GFP_KERNEL); + if (!info) + goto out_free_prk; + + put_unaligned_be16(psk_len, info); + memcpy(info + 2, psk_prefix, strlen(psk_prefix)); + sprintf(info + 2 + strlen(psk_prefix), "%02d %s", hmac_id, psk_digest); + + tls_key = kzalloc(psk_len, GFP_KERNEL); + if (!tls_key) { + ret = -ENOMEM; + goto out_free_info; + } + ret = hkdf_expand(hmac_tfm, info, strlen(info), tls_key, psk_len); + if (ret) { + kfree(tls_key); + goto out_free_info; + } + *ret_psk = tls_key; + +out_free_info: + kfree(info); +out_free_prk: + kfree(prk); +out_free_shash: + crypto_free_shash(hmac_tfm); + + return ret; +} +EXPORT_SYMBOL_GPL(nvme_auth_derive_tls_psk); + MODULE_DESCRIPTION("NVMe Authentication framework"); MODULE_LICENSE("GPL v2"); 
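Review bot: in nvme_auth_derive_tls_psk() the `if (!info) goto out_free_prk;` branch after `info = kzalloc(info_len, GFP_KERNEL);` leaves ret at 0 from the preceding crypto_shash_setkey(), so an allocation failure returns success with *ret_psk never set; it needs `ret = -ENOMEM;` like the other allocation paths. Two further problems in the info handling: the buffer is passed as `hkdf_expand(hmac_tfm, info, strlen(info), tls_key, psk_len)`, but info begins with the big-endian psk_len written by put_unaligned_be16(), whose first byte is zero for the 32- and 48-byte lengths the kernel-doc describes, so strlen() yields 0 and neither the label nor the PskIdentityContext enters the derivation; pass the byte count actually written instead. That count is also one more than the allocation allows: 2 length bytes + strlen(psk_prefix) + the 3 characters of "%02d " + strlen(psk_digest) + the NUL that sprintf() appends is strlen(psk_prefix) + strlen(psk_digest) + 6, while info_len is computed with + 5, so the terminator lands one byte past the end of the buffer. Since the HkdfLabel structure of RFC 8446 (cited in the kernel-doc) also carries one-byte length prefixes in front of the label and the context, building info with an explicit layout and explicit length rather than string functions would fix all three at once. Finally, prk and (on the error path) tls_key hold key material and should be released with kfree_sensitive() rather than kfree(), and the signature takes `int hmac_id` while nvme_auth_generate_psk() in the same file takes `u8 hmac_id`.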
diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h index 998f06bf10fd..60e069a6757f 100644 --- a/include/linux/nvme-auth.h +++ b/include/linux/nvme-auth.h 
@@ -45,5 +45,7 @@ int nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len, u8 **ret_psk, size_t *ret_len); int nvme_auth_generate_digest(u8 hmac_id, u8 *psk, size_t psk_len, char *subsysnqn, char *hostnqn, u8 **ret_digest); +int nvme_auth_derive_tls_psk(int hmac_id, u8 *psk, size_t psk_len, + u8 *psk_digest, u8 **ret_psk); #endif /* _NVME_AUTH_H */ From patchwork Mon Dec 2 14:29:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 846726 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F4022036FE for ; Mon, 2 Dec 2024 14:30:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149823; cv=none; b=UwUxbU9GkcXSLlQxHNfyslUXbdWjnhZf1IVAPh7Ieta1LyL6sKRx11QxJ2irYKCnjsmFDZpAODHbHMOVS0JONrnd78phFe+COedonLC/1228JEZUUlndxEoBm7ecDoQSxhViXhAnw5QZ5VetHmpMf6YMsGWt3BmB5jhBk7akHbI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149823; c=relaxed/simple; bh=9JeXcUycqg7OBCWWoqnUUbdjnZuT/EKlo2YBlO3bWyk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=gZNjLfAgcn/zY3Qno6mndyyh5cGKcZQ6zwQ3brbS0aKIA3iwp0IxKD9pz+Sn/9eMb0LHY1g7ZDh0hI1FPVaOaA4/L0WKFqzxTh/HylSKJHESwUlg0I4pE8rmf8V43eWr0i9Hjp0AN7U7Frq7BNsAZPr9BF8fF8nejkr+YbrI3YA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FKlStGQY; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FKlStGQY" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 
9C729C4CED1; Mon, 2 Dec 2024 14:30:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1733149823; bh=9JeXcUycqg7OBCWWoqnUUbdjnZuT/EKlo2YBlO3bWyk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FKlStGQYXemxJ1VKQLmiNSgH1ujc/FhIKctIv1+fPL7LL5SdDJklHHwbZF8ggqv3A EudIpEvFbF+dXfJV6I+T0sybHhQBqyWkvvDsWaAwk4PNfwUPIchhQPxHyQXMskaayI GGM8Dq35VVDi1hrcJ+3KX/EjC9Icm/MKz8f8sZ1El4bmG3lsdz1hlYz09z6wsDXr7B /qVDF1NeqXCLCSQ6EvnaB2BI6dDFspnSJGBAsbhCmdDPCsrX1z2YlGb5Izj5VlD5GB lRi/u6G4RQGZwqyZFqrD5/UjOD407qlEcb0UoBOjoEtIJAvFuwPjlO/nKvjJwsSAjM bgzOfiv8ooujQ== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 06/10] nvme: always include Date: Mon, 2 Dec 2024 15:29:55 +0100 Message-Id: <20241202142959.81321-7-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241202142959.81321-1-hare@kernel.org> References: <20241202142959.81321-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To avoid build errors when NVME_KEYRING is not set. Signed-off-by: Hannes Reinecke --- drivers/nvme/common/keyring.c | 1 - drivers/nvme/host/tcp.c | 1 - drivers/nvme/target/tcp.c | 1 - include/linux/nvme-keyring.h | 2 ++ 4 files changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c index 8cb253fcd586..32d16c53133b 100644 --- a/drivers/nvme/common/keyring.c +++ b/drivers/nvme/common/keyring.c @@ -5,7 +5,6 @@ #include #include -#include #include #include #include diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 3e416af2659f..b5e11a0f7ba8 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -8,7 +8,6 @@ #include #include #include -#include #include #include #include 
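Review bot: the commit message "To avoid build errors when NVME_KEYRING is not set." does not say which header is being moved or which declaration the build was missing, and in this rendering the angle-bracket names on the `-#include` and `+#include` lines are not visible at all, so a reader cannot verify that the three removals and the new include in nvme-keyring.h refer to the same header; please name the header and quote the build error in the message.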
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 7c51c2a8c109..fa59a7996efa 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -8,7 +8,6 @@ #include #include #include -#include #include #include #include diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h index 351a02b1bbc3..009bee8e8090 100644 --- a/include/linux/nvme-keyring.h +++ b/include/linux/nvme-keyring.h 
@@ -6,6 +6,8 @@ #ifndef _NVME_KEYRING_H #define _NVME_KEYRING_H +#include + #if IS_ENABLED(CONFIG_NVME_KEYRING) struct key *nvme_tls_psk_refresh(struct key *keyring, From patchwork Mon Dec 2 14:29:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 846725 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 845821FDE2E for ; Mon, 2 Dec 2024 14:30:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149827; cv=none; b=pNlXcAL6n+KvO95zwGIq7NagKhrQ7NdEuOlbUx7XEKm747cTD9W1rsWFxqDI3M2gKCKkqSmIouzT7WmD7BPrEWyR4c23kxTbykGmpz6S9CKd13ZkqMHaNBiZXh2aSuMJlsSvrHMD1g9wrDSY2FeU5YiWx9+E/thRVfrXkoLsP5o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149827; c=relaxed/simple; bh=q/4EU0cRrWIkiXqk0dXjd/z6g01ABRxjlms3ls0l7Wk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=GU0+1eu9R5BNuvbIQFzqwLEN1uz2pHLbr7Jd7K7nl+ajRk++U0gMadOfqahJ42CtHMLQ8kzrLr783VaY16oHQBDj0c4zlqTVn8pmSFVNI4ydFDGoMMP4khyPI/HjOsCp8HVgM5Wno4P3IbxqIf5lnocRPa8UizatQwrjEUNuJFs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Yna05BER; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Yna05BER" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1F82C4CED9; Mon, 2 Dec 2024 14:30:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1733149827; bh=q/4EU0cRrWIkiXqk0dXjd/z6g01ABRxjlms3ls0l7Wk=; 
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Yna05BERE7KZRQrjDT+s1JZ4+/VgYZnGOn4H5i/qmEqpHs/XjG7lnMpQBHjBPivB+ hP9i9q6+Jx3kr23X8kbDvrIv15dt9aP4sZgkoJiWG3NPj7sxHB+LMBi4WuK6aPpcq7 d3q9KOHyB+Y0U5sI0NzoJbYJB7pW+DlqIaYJDoMZ3yh5jr/F6XU7ljq/qDan7zME3c imEdAKn+mK+NP8rqTtVSRMeuCPLvQgQy5GQLaCDSQ8VoqGMiCUxt2kmWyUvOB0iGIG lUgqNEay2h0AmhUlpovN91t+4/TyCdNHhhwrRSbFVj9PoGwjjJYzWrcWwre03WaYcf dlAZ2KHyEHXdg== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 08/10] nvme-fabrics: reset admin connection for secure concatenation Date: Mon, 2 Dec 2024 15:29:57 +0100 Message-Id: <20241202142959.81321-9-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241202142959.81321-1-hare@kernel.org> References: <20241202142959.81321-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 When secure concatenation is requested the connection needs to be reset to enable TLS encryption on the new connection. That implies that the original connection used for the DH-CHAP negotiation really shouldn't be used, and we should reset as soon as the DH-CHAP negotiation has succeeded on the admin queue. Based on an idea from Sagi. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg --- drivers/nvme/host/tcp.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 9268c6f2c99f..3ce5cfe8a135 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c 
@@ -2260,6 +2260,16 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new) if (ret) return ret; + if (ctrl->opts && ctrl->opts->concat && !ctrl->tls_pskid) { + /* See comments for nvme_tcp_key_revoke_needed() */ + dev_dbg(ctrl->device, "restart admin queue for secure concatenation\n"); + nvme_stop_keep_alive(ctrl); + nvme_tcp_teardown_admin_queue(ctrl, false); + ret = nvme_tcp_configure_admin_queue(ctrl, false); + if (ret) + return ret; + } + if (ctrl->icdoff) { ret = -EOPNOTSUPP; dev_err(ctrl->device, "icdoff is not supported!\n"); From patchwork Mon Dec 2 14:29:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hannes Reinecke X-Patchwork-Id: 846724 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B393E2040B3 for ; Mon, 2 Dec 2024 14:30:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149831; cv=none; b=QEnxd9XNlgr5yDpevnhip1Gl4zq+5+HKz2F3frUH1URCpqQaRipdxel0nATBzsKzecysPh/+v+uhb1ryufio9dbBNKGqFUPmqVIw2SCQcvcY/PoVYVlSege/tZmCM5ZoMlF7JxyQMR5IeSatJzDPakvbM29UXQKGepE3/Dg5O0w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733149831; c=relaxed/simple; bh=Svjuo5V8Wl0PrlCCeCE0EAGZyFEy5Fqm+ODQK619Izs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=VVLhm78445kgmwF55XMjnlCYA8tpTeE7k3d2AP4DqYz76Z1KyJk0QbSyCCh/6MSMfqGYc2IezI6S2xms1iutWRu2c+9VWOx8/xMP27jFzFeFVxwjFgjCL1e53lM4904PyqYuYj0qvzwtew5r2C5heXvGHNqPjCcMTMfNisk7sbk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Ts5SCsA8; arc=none smtp.client-ip=10.30.226.201 
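Review bot: the new block in nvme_tcp_setup_ctrl() explains itself only with "See comments for nvme_tcp_key_revoke_needed()", a function outside this hunk; a sentence at this site saying that the admin queue is torn down and rebuilt so that the rest of controller setup runs over the TLS-protected connection (the point the commit message makes) would spare readers the detour. Two things to confirm in the same block: nvme_stop_keep_alive() is called before nvme_tcp_teardown_admin_queue() but nothing in the hunk restarts keep-alive, so the comment should state that nvme_tcp_configure_admin_queue(ctrl, false) does; and `!ctrl->tls_pskid` is the only guard, so a note on why a controller that already holds a TLS PSK must not be reset here would make the condition self-explanatory.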
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Ts5SCsA8" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E85D0C4CEE0; Mon, 2 Dec 2024 14:30:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1733149831; bh=Svjuo5V8Wl0PrlCCeCE0EAGZyFEy5Fqm+ODQK619Izs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ts5SCsA8hHVvGW0b1j8JtWJeQprvER+MmBD6Jgk68/j4LH4Hvo4ytmmoBmCov3f2G mPx5uSVqmJaSpOvd2sQJAsR5wasxi8KwZE3/9jAEf01dtKqZElcOqCvlrN9/IsCKoJ birBdQh4QiIq/9oqAFSugvZDLTFJ83pwrewDyazoUu5lB/vG/YkwxVUejNja97gG4i jBPGimXHqxiHHo+s0ojH8gucZbEhhpxNGtvDQOfnNF2/3zugvaFhIY/ct7TaZ+DheY udUCmTZQxGCIWNgttg6GTq26wuCH3hbiuXC4p4nyMgk4yJgjsEP3dDEtsRmN4d2lMB qXi/kwFHJPrUg== From: Hannes Reinecke To: Christoph Hellwig Cc: Keith Busch , Sagi Grimberg , linux-nvme@lists.infradead.org, Eric Biggers , linux-crypto@vger.kernel.org, Hannes Reinecke Subject: [PATCH 10/10] nvmet: add tls_concat and tls_key debugfs entries Date: Mon, 2 Dec 2024 15:29:59 +0100 Message-Id: <20241202142959.81321-11-hare@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20241202142959.81321-1-hare@kernel.org> References: <20241202142959.81321-1-hare@kernel.org> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add debugfs entries to display the 'concat' and 'tls_key' controller attributes. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg --- drivers/nvme/target/debugfs.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/nvme/target/debugfs.c b/drivers/nvme/target/debugfs.c index 220c7391fc19..e4300eb95101 100644 --- a/drivers/nvme/target/debugfs.c +++ b/drivers/nvme/target/debugfs.c 
@@ -132,6 +132,27 @@ static int nvmet_ctrl_host_traddr_show(struct seq_file *m, void *p) } NVMET_DEBUGFS_ATTR(nvmet_ctrl_host_traddr); +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int nvmet_ctrl_tls_key_show(struct seq_file *m, void *p) +{ + struct nvmet_ctrl *ctrl = m->private; + key_serial_t keyid = nvmet_queue_tls_keyid(ctrl->sqs[0]); + + seq_printf(m, "%08x\n", keyid); + return 0; +} +NVMET_DEBUGFS_ATTR(nvmet_ctrl_tls_key); + +static int nvmet_ctrl_tls_concat_show(struct seq_file *m, void *p) +{ + struct nvmet_ctrl *ctrl = m->private; + + seq_printf(m, "%d\n", ctrl->concat); + return 0; +} +NVMET_DEBUGFS_ATTR(nvmet_ctrl_tls_concat); +#endif + int nvmet_debugfs_ctrl_setup(struct nvmet_ctrl *ctrl) { char name[32]; @@ -157,6 +178,12 @@ int nvmet_debugfs_ctrl_setup(struct nvmet_ctrl *ctrl) &nvmet_ctrl_state_fops); debugfs_create_file("host_traddr", S_IRUSR, ctrl->debugfs_dir, ctrl, &nvmet_ctrl_host_traddr_fops); +#ifdef CONFIG_NVME_TARGET_TCP_TLS + debugfs_create_file("tls_concat", S_IRUSR, ctrl->debugfs_dir, ctrl, + &nvmet_ctrl_tls_concat_fops); + debugfs_create_file("tls_key", S_IRUSR, ctrl->debugfs_dir, ctrl, + &nvmet_ctrl_tls_key_fops); +#endif return 0; }
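Review bot: nvmet_ctrl_tls_key_show() reads the key serial from ctrl->sqs[0] only; as the debugfs file is per controller, either note that the admin queue's key stands for the whole association or report the I/O queues as well, and state in the commit message what the file shows when no TLS key is in use so that consumers of the `%08x` value can tell "no key" from a real serial. The show functions and the two debugfs_create_file() calls are consistently guarded by CONFIG_NVME_TARGET_TCP_TLS and created with S_IRUSR like host_traddr, which is the right mode for a key identifier.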