[PATCH 05/17] nvme-keyring: implement nvme_tls_psk_default()
Max Gurtovoy
mgurtovoy at nvidia.com
Tue May 9 00:31:38 PDT 2023
Hannes,
I wonder if we can squash the keyring patches 1/17 + 2/17 + 5/17 to a
single patch ?
And start the series with some preparations in the nvme/tcp for it to
compile..
This will reduce the amount of commits and simplify the review.
On 19/04/2023 9:57, Hannes Reinecke wrote:
> Implement a function to select the preferred PSK for TLS.
>
> Signed-off-by: Hannes Reinecke <hare at suse.de>
> ---
> drivers/nvme/common/keyring.c | 48 +++++++++++++++++++++++++++++++++++
> include/linux/nvme-keyring.h | 8 ++++++
> 2 files changed, 56 insertions(+)
>
> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
> index 494dd365052e..f8d9a208397b 100644
> --- a/drivers/nvme/common/keyring.c
> +++ b/drivers/nvme/common/keyring.c
> @@ -5,6 +5,7 @@
>
> #include <linux/module.h>
> #include <linux/seq_file.h>
> +#include <linux/key.h>
> #include <linux/key-type.h>
> #include <keys/user-type.h>
> #include <linux/nvme.h>
> @@ -103,6 +104,53 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
> return key_ref_to_ptr(keyref);
> }
>
> +/*
> + * NVMe PSK priority list
> + *
> + * 'Retained' PSKs (ie 'generated == false')
> + * should be preferred to 'generated' PSKs,
> + * and SHA-384 should be preferred to SHA-256.
> + */
> +struct nvme_tls_psk_priority_list {
> + bool generated;
> + enum nvme_tcp_tls_cipher cipher;
> +} nvme_tls_psk_prio[] = {
> + { .generated = false,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
> + { .generated = false,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
> + { .generated = true,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
> + { .generated = true,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
> +};
> +
> +/*
> + * nvme_tls_psk_default - Return the preferred PSK to use for TLS ClientHello
> + */
> +key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn)
> +{
> + struct key *tls_key;
> + key_serial_t tls_key_id;
> + int prio;
> +
> + for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) {
> + bool generated = nvme_tls_psk_prio[prio].generated;
> + enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher;
> +
> + tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn,
> + cipher, generated);
> + if (!IS_ERR(tls_key)) {
> + tls_key_id = tls_key->serial;
> + key_put(tls_key);
> + return tls_key_id;
> + }
> + }
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nvme_tls_psk_default);
> +
> int nvme_keyring_init(void)
> {
> int err;
> diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h
> index 32bd264a71e6..4efea9dd967c 100644
> --- a/include/linux/nvme-keyring.h
> +++ b/include/linux/nvme-keyring.h
> @@ -8,12 +8,20 @@
>
> #ifdef CONFIG_NVME_KEYRING
>
> +key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn);
> +
> key_serial_t nvme_keyring_id(void);
> int nvme_keyring_init(void);
> void nvme_keyring_exit(void);
>
> #else
>
> +static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn)
> +{
> + return 0;
> +}
> static inline key_serial_t nvme_keyring_id(void)
> {
> return 0;
More information about the Linux-nvme
mailing list