[RFC nvme-keyring nvme-cli] Should NVMe/TLS PSKs support the request_key API?
Daniel Wagner
dwagner at suse.de
Thu Apr 23 10:15:37 PDT 2026
On Thu, Apr 23, 2026 at 02:05:45PM +0200, Hannes Reinecke wrote:
> > Biggest problem I see, requiring explicit loading of nvme_tcp before it
> > can be used with TLS:
> >
> > - The async uevent handling loses the race against the kernel when the
> > transport kmod is requested on demand.
> >
> > ┌────────┐     ┌──────────┐     ┌──────────┐     ┌──────┐
> > │ kernel │     │ nvme-cli │     │ modprobe │     │ udev │
> > └────┬───┘     └─────┬────┘     └─────┬────┘     └───┬──┘
> >      │               │                │              │
> >      │    connect    │                │              │
> >      │◄──────────────┤                │              │
> >      │               │                │              │
> >      │ request kmod  │                │              │
> >      ├───────────────────────────────►│              │
> >      │               │                │              │
> >      │   load kmod   │                │              │
> >      │◄───────────────────────────────┤              │
> >      │               │                │              │
> >      │  uevent kmod  │                │              │
> >      ├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌►│
> >      │               │                │              │
> >      │ check keyring for PSK ❌       │              │
> >      ├──┐            │                │              │
> >      │  │            │                │              │
> >      │◄─┘            │                │              │
> >      │               │                │              │
> >      │ connect failed ❌              │              │
> >      ├──────────────►│                │              │
> >      │               │                │              │
> >      │               │  nvme tls --import --keyfile  │
> >      │               │◄──────────────────────────────┤
> >      │               │                │              │
> >      │ populate .nvme keyring         │              │
> >      │◄──────────────┤                │              │
> >      │               │                │              │

Maurizio just added

    load_nvme_fabrics_module();

to the connect command. So we could make the connect call wait for the
udev event, load the keys into the kernel and then write to
/dev/nvme-fabrics.

I see the /etc/nvme/tls-keys file is merely a stopgap solution. There
are certainly better ways to do this.