[PATCH] nvme: expose TLS mode
Hannes Reinecke
hare at suse.de
Tue Apr 7 03:47:57 PDT 2026
On 4/1/26 10:52, Daniel Wagner wrote:
> It is not possible to determine the active TLS mode from the
> presence or absence of sysfs attributes like tls_key,
> tls_configured_key, or dhchap_secret.
>
> With the introduction of the concat mode and optional DH-CHAP
> authentication, different configurations can result in identical
> sysfs state. This makes user space detection unreliable.
>
> Expose the TLS mode explicitly to allow user space to
> unambiguously identify the active configuration and avoid
> fragile heuristics in nvme-cli.
>
> Signed-off-by: Daniel Wagner <wagi at kernel.org>
> ---
> I am extending the test suite for nvme-cli to cover the use case of
> nvme connect --tls/--concat.
>
> Currently, nvme-cli uses heuristics to determine whether --tls was used
> to initiate the connection. With the introduction of --concat, these
> heuristics are no longer reliable.
>
> By exposing the TLS mode explicitly, nvme config can now generate a
> configuration based on the currently active connection.
>
> $ nvme config --scan --dump --output-format json /dev/nvme1
> [
> {
> "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
> "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "subsystems":[
> {
> "nqn":"nqn.io-1",
> "ports":[
> {
> "transport":"tcp",
> "traddr":"192.168.30.30",
> "trsvcid":"4420",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "dhchap_ctrl_key":"DHHC-1:01:uTcIEwLZsEoVJucx7sKVvzfwOTAfJ9ZGcvYWswHwF41mMSW1:",
> "tls":true,
> "keyring":".nvme"
> }
> ]
> }
> ]
> }
> ]
> ---
> drivers/nvme/host/sysfs.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
> index 16c6fea4b2db..c4b5241371d6 100644
> --- a/drivers/nvme/host/sysfs.c
> +++ b/drivers/nvme/host/sysfs.c
> @@ -810,6 +810,23 @@ const struct attribute_group nvme_dev_attrs_group = {
> EXPORT_SYMBOL_GPL(nvme_dev_attrs_group);
>
> #ifdef CONFIG_NVME_TCP_TLS
> +static ssize_t tls_mode_show(struct device *dev,
> + struct device_attribute *attr, char *buf)
> +{
> + struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
> + const char *mode;
> +
> + if (ctrl->opts->tls)
> + mode = "tls";
> + else if (ctrl->opts->concat)
> + mode = "concat";
> + else
> + mode = "none";
> +
> + return sysfs_emit(buf, "%s\n", mode);
> +}
> +static DEVICE_ATTR_RO(tls_mode);
> +
> static ssize_t tls_key_show(struct device *dev,
> struct device_attribute *attr, char *buf)
> {
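Review bot: tls_mode_show() takes its answer from `ctrl->opts->tls` and `ctrl->opts->concat`, which are the options the connection was requested with, while the commit message describes the attribute as the active TLS mode. If user space is meant to read "tls" or "concat" as a statement about the live session, either derive the value from negotiated state or say in a comment that the connect options are what is reported. The if/else chain also gives `tls` precedence over `concat` without saying whether both can be set; a one-line comment would settle that. The diffstat lists only drivers/nvme/host/sysfs.c, so the new attribute and its three values ("tls", "concat", "none") have no Documentation/ABI entry yet.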
> @@ -845,6 +862,7 @@ static struct attribute *nvme_tls_attrs[] = {
> &dev_attr_tls_key.attr,
> &dev_attr_tls_configured_key.attr,
> &dev_attr_tls_keyring.attr,
> + &dev_attr_tls_mode.attr,
> NULL,
> };
>
>
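Review bot: `&dev_attr_tls_mode.attr` is added to nvme_tls_attrs[] with no other change to this group, so whether tls_mode appears for a given controller is left to visibility logic that the patch does not touch and that has no case for the new entry. Handle it there explicitly: either the attribute is always present and "none" is a documented state, or it is hidden when neither tls nor concat is set and the "none" branch in tls_mode_show() goes away. User space needs to know which of the two contracts to code against.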
Why not modify the 'is_visible' function to hide the attribute
when TLS is not enabled?
That would avoid the awkward 'none' setting ...
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich