[PATCH 01/18] nvme-keyring: register '.nvme' keyring and add CONFIG_NVME_TLS

Hannes Reinecke hare at suse.de
Wed Mar 29 08:24:24 PDT 2023


On 3/29/23 16:49, Sagi Grimberg wrote:
> 
>> Register a '.nvme' keyring to hold keys for TLS and DH-HMAC-CHAP and
>> add a new config option NVME_TLS to enable support for NVMe-TCP/TLS.
>> We need a separate keyring for NVMe as the configuration is done
>> via individual commands (e.g. for configfs), and the usual per-session
>> or per-process keyrings can't be used.
>>
>> Signed-off-by: Hannes Reinecke <hare at suse.de>
>> ---
>>   drivers/nvme/common/Kconfig   |  9 +++++++++
>>   drivers/nvme/common/Makefile  |  1 +
>>   drivers/nvme/common/keyring.c | 36 +++++++++++++++++++++++++++++++++++
>>   drivers/nvme/host/core.c      | 19 +++++++++++++++---
>>   include/linux/nvme-keyring.h  | 12 ++++++++++++
>>   5 files changed, 74 insertions(+), 3 deletions(-)
>>   create mode 100644 drivers/nvme/common/keyring.c
>>   create mode 100644 include/linux/nvme-keyring.h
>>
>> diff --git a/drivers/nvme/common/Kconfig b/drivers/nvme/common/Kconfig
>> index 4514f44362dd..b6fff16da1fb 100644
>> --- a/drivers/nvme/common/Kconfig
>> +++ b/drivers/nvme/common/Kconfig
>> @@ -2,3 +2,12 @@
>>   config NVME_COMMON
>>          tristate
>> +
>> +config NVME_TLS
>> +    bool "NVMe/TCP TLS encryption support"
>> +    depends on NVME_COMMON
> 
> depends on TLS as well? Or maybe select would be more appropriate?
> 
I would argue 'depends', as we cannot use the standard 
session/process/thread keyrings, as they'll vanish after the initial 
'connect', and then there's no keyring to look up keys for subsequent 
reconnects.

>> +    select KEYS
>> +    help
>> +      Enables TLS encryption for NVMe/TCP using the netlink handshake 
>> API.
>> +
>> +      If unsure, say N.
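
Review bot: in the new NVME_TLS entry, the help text names the netlink handshake API, yet the only constraints are `depends on NVME_COMMON` and `select KEYS`, so nothing in the entry guarantees that the handshake or TLS code is built when NVME_TLS=y. State that requirement explicitly in the entry, using whichever of depends or select is settled on in this thread. The help text could also say that keys are taken from the '.nvme' keyring described in the commit message, so that someone enabling the option knows where keys have to be provisioned.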
> 
> Would it not make sense to default it to y?

Yeah.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare at suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman



