[PATCH 3/9] nvme-tcp: check for invalidated or revoked key
Keith Busch
kbusch at kernel.org
Mon Jul 29 07:43:52 PDT 2024
On Mon, Jul 22, 2024 at 02:02:20PM +0200, Hannes Reinecke wrote:
> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
> index 05e89307c8aa..ed5167f942d8 100644
> --- a/drivers/nvme/common/keyring.c
> +++ b/drivers/nvme/common/keyring.c
> @@ -20,6 +20,28 @@ key_serial_t nvme_keyring_id(void)
> }
> EXPORT_SYMBOL_GPL(nvme_keyring_id);
>
> +static bool nvme_tls_psk_revoked(struct key *psk)
> +{
> + return test_bit(KEY_FLAG_REVOKED, &psk->flags) ||
> + test_bit(KEY_FLAG_INVALIDATED, &psk->flags);
> +}
> +
> +struct key *nvme_tls_key_lookup(key_serial_t key_id)
> +{
> + struct key *key = key_lookup(key_id);
> +
> + if (IS_ERR(key)) {
> + pr_err("key id %08x not found\n", key_id);
> + return key;
> + }
> + if (nvme_tls_psk_revoked(key)) {
> + pr_err("key id %08x revoked\n", key_id);
> + return ERR_PTR(-EKEYREVOKED);
> + }
> + return key;
> +}
> +EXPORT_SYMBOL_GPL(nvme_tls_key_lookup);
> +
> static void nvme_tls_psk_describe(const struct key *key, struct seq_file *m)
> {
> seq_puts(m, key->description);
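Review bot: The revoked branch of nvme_tls_key_lookup() returns `ERR_PTR(-EKEYREVOKED)` without releasing the key it has just looked up. As far as I know, key_lookup() returns the key with a reference held on success (its body is not part of this patch), so each lookup of a revoked or invalidated PSK would leak one reference and keep the key from being garbage-collected. Adding `key_put(key);` before `return ERR_PTR(-EKEYREVOKED);` would balance it. Separately, the two test_bit() checks are only a snapshot taken at lookup time. A comment on nvme_tls_key_lookup() such as `/* the key can still be revoked after this check; users must handle later failures */` would stop callers from reading the result as a lasting guarantee.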
> diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
> index f5f545fa0103..432efcbf9e2f 100644
> --- a/drivers/nvme/host/fabrics.c
> +++ b/drivers/nvme/host/fabrics.c
> @@ -665,7 +665,7 @@ static struct key *nvmf_parse_key(int key_id)
> return ERR_PTR(-EINVAL);
> }
>
> - key = key_lookup(key_id);
> + key = nvme_tls_key_lookup(key_id);
We've had some fallout before with nvme modules vs built-in, so I test
for this now. Here's the relevant parts of my config:
CONFIG_NVME_KEYRING=m
...
CONFIG_NVME_FABRICS=y
...
CONFIG_NVME_TCP=m
And that gets this error:
vmlinux.o: in function `nvmf_parse_key':
/home/kbusch/src/linux/drivers/nvme/host/fabrics.c:668: undefined reference to `nvme_tls_key_lookup'