[PATCHv3 00/18] nvme: In-kernel TLS support for TCP
Hannes Reinecke
hare at suse.de
Mon Apr 17 06:02:44 PDT 2023
Hi all,
finally I've managed to put all things together and enable in-kernel
TLS support for NVMe-over-TCP.
The patchset is based on the TLS upcall mechanism from Chuck Lever
(cf '[PATCH v7 0/2] Another crack at a handshake upcall mechanism'
posted to the linux netdev list), and requires the 'tlshd' userspace
daemon (https://github.com/oracle/ktls-utils) for the actual TLS handshake.
Changes for nvme-cli are already included in the upstream repository.
Theory of operation:
A dedicated '.nvme' keyring is created to hold the pre-shared keys (PSKs)
for the TLS handshake. Keys will have to be provisioned before TLS handshake
is attempted; that can be done with the 'nvme gen-tls-key' command for nvme-cli
(patches are already merged upstream).
After connection to the remote TCP port the client side will use the
'best' PSK (as inferred from the NVMe TCP spec) or the PSK specified
by the '--tls_key' option to nvme-cli and call the TLS userspace daemon
to initiate a TLS handshake.
The server side will then invoke the TLS userspace daemon to run the TLS
handshake.
If the TLS handshake succeeds the userspace daemon will be activating
kTLS on the socket, and control is passed back to the kernel.
To make this work I had to implement the 'read_sock()' functionality
for TLS; it seems to be holding up well enough (for me), but it really
could do with reviews from persons with more network stack knowledge.
As usual, comments and reviews are welcome.
Changes to v2:
- Included reviews from Sagi
- Removed MSG_SENDPAGE_NOTLAST
- Improved MSG_EOR handling for TLS
- Add config options NVME_TCP_TLS
and NVME_TARGET_TCP_TLS
Changes to the original RFC:
- Add a CONFIG_NVME_TLS config option
- Use a single PSK for the TLS handshake
- Make TLS connections mandatory
- Do not peek messages for the server
- Simplify data_ready callback
- Implement read_sock() for TLS
Hannes Reinecke (18):
nvme-keyring: register '.nvme' keyring
nvme-keyring: define a 'psk' keytype
nvme: add TCP TSAS definitions
nvme-tcp: add definitions for TLS cipher suites
nvme-keyring: implement nvme_tls_psk_default()
net/tls: implement ->read_sock()
net/tls: sanitize MSG_EOR handling
nvme-tcp: do not set MSG_SENDPAGE_NOTLAST
security/keys: export key_lookup()
nvme/tcp: allocate socket file
nvme-tcp: enable TLS handshake upcall
nvme-tcp: control message handling for recvmsg()
nvme-fabrics: parse options 'keyring' and 'tls_key'
nvmet: make TCP sectype settable via configfs
nvmet-tcp: allocate socket file
nvmet-tcp: enable TLS handshake upcall
nvmet-tcp: control messages for recvmsg()
nvmet-tcp: add configfs attribute 'param_keyring'
drivers/nvme/common/Kconfig | 4 +
drivers/nvme/common/Makefile | 3 +-
drivers/nvme/common/keyring.c | 182 ++++++++++++++++++++++++++++
drivers/nvme/host/Kconfig | 14 +++
drivers/nvme/host/core.c | 33 ++++-
drivers/nvme/host/fabrics.c | 77 +++++++++++-
drivers/nvme/host/fabrics.h | 9 ++
drivers/nvme/host/nvme.h | 1 +
drivers/nvme/host/tcp.c | 175 +++++++++++++++++++++++++--
drivers/nvme/target/Kconfig | 14 +++
drivers/nvme/target/configfs.c | 173 +++++++++++++++++++++++++-
drivers/nvme/target/nvmet.h | 1 +
drivers/nvme/target/tcp.c | 213 ++++++++++++++++++++++++++++++---
include/linux/nvme-keyring.h | 36 ++++++
include/linux/nvme-tcp.h | 6 +
include/linux/nvme.h | 10 ++
net/tls/tls.h | 2 +
net/tls/tls_device.c | 10 ++
net/tls/tls_main.c | 2 +
net/tls/tls_sw.c | 92 ++++++++++++++
security/keys/key.c | 1 +
21 files changed, 1020 insertions(+), 38 deletions(-)
create mode 100644 drivers/nvme/common/keyring.c
create mode 100644 include/linux/nvme-keyring.h
--
2.35.3
More information about the Linux-nvme
mailing list