[PATCH 2/2] nvmet: Implement 'admin_only' authentication

Sagi Grimberg sagi at grimberg.me
Wed Jul 17 15:40:32 PDT 2024 


On 17/07/2024 14:03, Hannes Reinecke wrote:
> It might be sufficient to run authentication on the admin queue only,
> as this speeds up reconnection quite significantly.

By how much?

>   So add a configfs
> attribute 'dhchap_admin_only' for the 'host' configfs entry to enable
> this mode.
>
> Signed-off-by: Hannes Reinecke <hare at kernel.org>
> ---
>   drivers/nvme/target/auth.c             | 11 +++++++----
>   drivers/nvme/target/configfs.c         | 24 ++++++++++++++++++++++++
>   drivers/nvme/target/fabrics-cmd-auth.c |  7 +++++++
>   drivers/nvme/target/fabrics-cmd.c      |  7 +++++--
>   drivers/nvme/target/nvmet.h            |  2 ++
>   5 files changed, 45 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
> index 560321df5bf6..d5aae8d8cc92 100644
> --- a/drivers/nvme/target/auth.c
> +++ b/drivers/nvme/target/auth.c
> @@ -189,6 +189,8 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
>   		ctrl->shash_id = host->dhchap_hash_id;
>   	}
>   
> +	ctrl->dh_admin_only = host->dhchap_admin_only;
> +
>   	/* Skip the 'DHHC-1:XX:' prefix */
>   	nvme_auth_free_key(ctrl->host_key);
>   	ctrl->host_key = nvme_auth_extract_key(host->dhchap_secret + 10,
> @@ -279,10 +281,11 @@ void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)
>   
>   bool nvmet_check_auth_status(struct nvmet_req *req)
>   {
> -	if (req->sq->ctrl->host_key &&
> -	    !req->sq->authenticated)
> -		return false;
> -	return true;
> +	if (!req->sq->ctrl->host_key)
> +		return true;
> +	if (req->sq->qid && req->sq->ctrl->dh_admin_only)
> +		return true;
> +	return req->sq->authenticated;
>   }
>   
>   int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
> index bd87dfd173a4..807b0904ea88 100644
> --- a/drivers/nvme/target/configfs.c
> +++ b/drivers/nvme/target/configfs.c
> @@ -2134,11 +2134,34 @@ static ssize_t nvmet_host_dhchap_dhgroup_store(struct config_item *item,
>   
>   CONFIGFS_ATTR(nvmet_host_, dhchap_dhgroup);
>   
> +static ssize_t nvmet_host_dhchap_admin_only_show(struct config_item *item,
> +		char *page)
> +{
> +	struct nvmet_host *host = to_host(item);
> +
> +	return sprintf(page, "%d\n", host->dhchap_admin_only);
> +}
> +
> +static ssize_t nvmet_host_dhchap_admin_only_store(struct config_item *item,
> +		const char *page, size_t count)
> +{
> +	struct nvmet_host *host = to_host(item);
> +	bool val;
> +
> +	if (kstrtobool(page, &val))
> +		return -EINVAL;
> +	host->dhchap_admin_only = val;
> +	return count;
> +}
> +
> +CONFIGFS_ATTR(nvmet_host_, dhchap_admin_only);
> +
>   static struct configfs_attribute *nvmet_host_attrs[] = {
>   	&nvmet_host_attr_dhchap_key,
>   	&nvmet_host_attr_dhchap_ctrl_key,
>   	&nvmet_host_attr_dhchap_hash,
>   	&nvmet_host_attr_dhchap_dhgroup,
> +	&nvmet_host_attr_dhchap_admin_only,
>   	NULL,
>   };
>   #endif /* CONFIG_NVME_TARGET_AUTH */
> @@ -2178,6 +2201,7 @@ static struct config_group *nvmet_hosts_make_group(struct config_group *group,
>   #ifdef CONFIG_NVME_TARGET_AUTH
>   	/* Default to SHA256 */
>   	host->dhchap_hash_id = NVME_AUTH_HASH_SHA256;
> +	host->dhchap_admin_only = false;
>   #endif
>   
>   	config_group_init_type_name(&host->group, name, &nvmet_host_type);
> diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
> index 4c392488c451..4af10a78ce69 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -62,6 +62,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
>   			return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
>   		}
>   		ctrl->concat = true;
> +		ctrl->dh_admin_only = true;
>   	}
>   
>   	if (data->napd != 1)
> @@ -248,6 +249,12 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
>   			offsetof(struct nvmf_auth_send_command, tl);
>   		goto done;
>   	}
> +	if (req->sq->qid && ctrl->dh_admin_only) {
> +		pr_debug("%s: ctrl %d qid %d reject authentication on I/O queues\n",
> +			 __func__, ctrl->cntlid, req->sq->qid);
> +		status = NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR;
> +		goto done;
> +	}
>   	if (!nvmet_check_transfer_len(req, tl)) {
>   		pr_debug("%s: transfer length mismatch (%u)\n", __func__, tl);
>   		return;
> diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
> index 1aabf55ef0a8..212fe271c8a4 100644
> --- a/drivers/nvme/target/fabrics-cmd.c
> +++ b/drivers/nvme/target/fabrics-cmd.c
> @@ -203,8 +203,11 @@ static u32 nvmet_connect_result(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
>   {
>   	bool needs_auth = nvmet_has_auth(ctrl, req);
>   
> -	/* Do not authenticate I/O queues for secure concatenation */
> -	if (ctrl->concat && req->sq->qid)
> +	/*
> +	 * Do not request authentication for I/O queues for secure concatenation
> +	 * or when only the admin queue should be authenticated.
> +	 */
> +	if (req->sq->qid && (ctrl->concat || ctrl->dh_admin_only))
>   		needs_auth = false;
>   
>   	pr_debug("%s: ctrl %d qid %d should %sauthenticate, tls psk %08x\n",
> diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
> index 9486b43ab822..129b1cb8a4d1 100644
> --- a/drivers/nvme/target/nvmet.h
> +++ b/drivers/nvme/target/nvmet.h
> @@ -249,6 +249,7 @@ struct nvmet_ctrl {
>   	u8			dh_gid;
>   	u8			*dh_key;
>   	size_t			dh_keysize;
> +	bool			dh_admin_only;
>   #endif
>   #ifdef CONFIG_NVME_TARGET_TCP_TLS
>   	struct key		*tls_key;
> @@ -325,6 +326,7 @@ struct nvmet_host {
>   	u8			dhchap_ctrl_key_hash;
>   	u8			dhchap_hash_id;
>   	u8			dhchap_dhgroup_id;
> +	bool			dhchap_admin_only;
>   };
>   
>   static inline struct nvmet_host *to_host(struct config_item *item)

More information about the Linux-nvme mailing list