[PATCH 2/9] nvme-tcp: sanitize TLS key handling
Hannes Reinecke
hare at suse.de
Sun Jul 21 23:24:44 PDT 2024
On 7/21/24 13:14, Sagi Grimberg wrote:
>
> On 19/07/2024 11:38, Hannes Reinecke wrote:
>> There is a difference between TLS configured (ie the user has
>> provisioned/requested a key) and TLS enabled (ie the connection
>> is encrypted with TLS). This becomes important for secure concatenation,
>> where the initial authentication is run on an unencrypted connection
>> (ie with TLS configured, but not enabled), and then the queue is reset to
>> run over TLS (ie TLS configured _and_ enabled).
>> So to differentiate between those two states store the generated
>> key in opts->tls_key (as we're using the same TLS key for all queues),
>> the key serial of the resulting TLS handshake in ctrl->tls_pskid
>> (to signal that TLS on the admin queue is enabled), and a simple
>> flag for the queues to indicate that TLS has been enabled.
>>
>> Signed-off-by: Hannes Reinecke <hare at kernel.org>
>> Reviewed-by: Christoph Hellwig <hch at lst.de>
>> ---
>> drivers/nvme/host/core.c | 1 -
>> drivers/nvme/host/nvme.h | 2 +-
>> drivers/nvme/host/sysfs.c | 4 ++--
>> drivers/nvme/host/tcp.c | 47 ++++++++++++++++++++++++++++-----------
>> 4 files changed, 37 insertions(+), 17 deletions(-)
>>
[ .. ]
>> @@ -213,7 +214,15 @@ static inline int nvme_tcp_queue_id(struct
>> nvme_tcp_queue *queue)
>> return queue - queue->ctrl->queues;
>> }
>> -static inline bool nvme_tcp_tls(struct nvme_ctrl *ctrl)
>> +static inline bool nvme_tcp_tls_enabled(struct nvme_tcp_queue *queue)
>> +{
>> + if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
>> + return 0;
>> +
>> + return queue->tls_enabled;
>> +}
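Review bot: in nvme_tcp_tls_enabled(), the early exit `return 0;` sits in a function declared bool; use `return false;` so the value matches the return type. A one-line comment above the helper stating that it reports the per-queue state in queue->tls_enabled, and not whether a key was provisioned, would also keep the configured/enabled distinction from the commit message visible where the helper is called.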
>
> One suggestion.
>
> Can we call it:
> nvme_tcp_queue_tls() ? It will first clarify that this is a queue level
> setting,
> and will disambiguate (at least for me) the difference from
> nvme_tcp_tls_configured().
Sure.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich