[PATCH v3] nvme: expose TLS mode
Hannes Reinecke
hare at suse.de
Mon Apr 13 00:43:48 PDT 2026
On 4/8/26 18:19, Daniel Wagner wrote:
> It is not possible to determine the active TLS mode from the
> presence or absence of sysfs attributes like tls_key,
> tls_configured_key, or dhchap_secret.
>
> With the introduction of the concat mode and optional DH-CHAP
> authentication, different configurations can result in identical
> sysfs state. This makes user space detection unreliable.
>
> Expose the TLS mode explicitly to allow user space to
> unambiguously identify the active configuration and avoid
> fragile heuristics in nvme-cli.
>
> Signed-off-by: Daniel Wagner <wagi at kernel.org>
> ---
> Fixed visibility condition, the previous version used opts->tls_key but it should
> be opts->tls.
>
> Original cover letter (with fixed example):
>
> I am extending the test suite for nvme-cli to cover the use case of
> nvme connect --tls/--concat.
>
> Currently, nvme-cli uses heuristics to determine whether --tls was used
> to initiate the connection. With the introduction of --concat, these
> heuristics are no longer reliable.
>
> By exposing the TLS mode explicitly, nvme config can now generate a
> configuration based on the currently active connection.
>
> $ nvme connect --transport tcp --traddr 192.168.30.30 --trsvcid 4420 \
> --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
> --nqn nqn.io-1 --concat \
> --dhchap-secret=DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb: \
> --dump-config --output-format json
> [
> {
> "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
> "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "subsystems":[
> {
> "nqn":"nqn.io-1",
> "ports":[
> {
> "transport":"tcp",
> "traddr":"192.168.30.30",
> "trsvcid":"4420",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "concat":true
> }
> ]
> }
> ]
> }
> ]
>
> $ nvme config --scan --dump --output-format json /dev/nvme1
> [
> {
> "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
> "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "subsystems":[
> {
> "nqn":"nqn.io-1",
> "ports":[
> {
> "transport":"tcp",
> "traddr":"192.168.30.30",
> "trsvcid":"4420",
> "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
> "concat":true
> }
> ]
> }
> ]
> }
> ]
>
> $ cat /sys/class/nvme-fabrics/ctl/nvme1/tls_mode
> concat
> ---
> Changes in v3:
> - Fixed visibility conditions to opts->tls instead of opts->tls_key
> - Link to v2: https://patch.msgid.link/20260408-expose-tls-mode-v2-1-17a25aa414dc@kernel.org
>
> Changes in v2:
> - fixed the example output
> - tls_mode only visible when either tls or concat is enabled. avoids 'none'
> - Link to v1: https://patch.msgid.link/20260401-expose-tls-mode-v1-1-433a83d1d23f@kernel.org
> ---
> drivers/nvme/host/sysfs.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
> index 16c6fea4b2db..df25c8fef063 100644
> --- a/drivers/nvme/host/sysfs.c
> +++ b/drivers/nvme/host/sysfs.c
> @@ -841,10 +841,26 @@ static ssize_t tls_keyring_show(struct device *dev,
> }
> static DEVICE_ATTR_RO(tls_keyring);
>
> +static ssize_t tls_mode_show(struct device *dev,
> + struct device_attribute *attr, char *buf)
> +{
> + struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
> + const char *mode;
> +
> + if (ctrl->opts->tls)
> + mode = "tls";
> + else
> + mode = "concat";
> +
> + return sysfs_emit(buf, "%s\n", mode);
> +}
> +static DEVICE_ATTR_RO(tls_mode);
> +
> static struct attribute *nvme_tls_attrs[] = {
> &dev_attr_tls_key.attr,
> &dev_attr_tls_configured_key.attr,
> &dev_attr_tls_keyring.attr,
> + &dev_attr_tls_mode.attr,
> NULL,
> };
>
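Review bot: In tls_mode_show() the else branch reports "concat" for every controller where opts->tls is false, so the output is only correct because nvme_tls_attrs_are_visible() hides the file when neither option is set. Consider testing ctrl->opts->concat explicitly in the second branch, or adding a short comment that names this dependency, so a later change to the visibility check cannot make the file print "concat" for a controller without TLS. The diffstat shows only sysfs.c changed, so the two strings user space is expected to parse are not documented anywhere in this patch.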
> @@ -866,6 +882,9 @@ static umode_t nvme_tls_attrs_are_visible(struct kobject *kobj,
> if (a == &dev_attr_tls_keyring.attr &&
> !ctrl->opts->keyring)
> return 0;
> + if (a == &dev_attr_tls_mode.attr &&
> + !ctrl->opts->tls && !ctrl->opts->concat)
> + return 0;
>
> return a->mode;
> }
>
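Review bot: Hiding tls_mode when both ctrl->opts->tls and ctrl->opts->concat are clear leaves a missing file as the only signal for "no TLS", and user space cannot tell that case apart from a kernel that does not have the attribute at all. Since the stated goal is to let nvme-cli drop its heuristics, either state in the commit message that an absent tls_mode must be treated as unknown rather than as plaintext, or keep the attribute visible and emit a third value for the non-TLS case.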
Reviewed-by: Hannes Reinecke <hare at suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich