[PATCH 0/1] NVMe/TLS connection issues to SPDK

Chris Leech cleech at redhat.com
Sun Jul 20 19:17:17 PDT 2025


I was attempting to debug connecting the Linux driver / libnvme /
ktls-utils host stack to the SPDK nvmf_tgt over TLS, and ran into some
issues.

The TLS connection fails to complete a handshake because the TLS PSKs
are different. The NVMe/TCP specified key derivation steps from the
configured interchange format, to a retained PSK and finally the TLS
PSK, are implemented incompatibly in libnvme and SPDK.  After some
investigation, I believe the SPDK implementation to be correct and am
providing a libnvme patch to match it. With libnvme modified, I see the
TLS handshake complete in tlshd.

(Note that this was tested using the obsolete "version 0" PSK Identity
and TLS PSK derivation from the TCP transport 1.0 specification, as SPDK
has not been updated with the "version 1" changes)

The NVMe/TCP host driver then quickly fails when SPDK sends a TLS "New
Session Ticket" message before ICResp.

While possibly pointless due to the transport specification prohibition
on session resumption and 0-RTT data, I don't think this is necessarily
wrong and the host driver should be able to safely ignore it and
continue.

I'm working on testing that out, but a more general TLS message demuxing
layer to deal with post-handshake messages other than application data
may be wanted to avoid sprinkling checks around the nvme driver.

Chris Leech (1):
  libnvme: TLS PSK derivation fixes

 src/nvme/linux.c | 86 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 57 insertions(+), 29 deletions(-)

-- 
2.50.1
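
The post-handshake demuxing idea raised in the message above, as an added example that is not part of the original post, libnvme, or the kernel driver: it classifies one decrypted TLS 1.3 record so that a NewSessionTicket is skipped instead of being parsed as an NVMe/TCP PDU. The `tls_demux` function and the `DEMUX_*` verdict names are hypothetical, and the sketch assumes each handshake message is wholly contained in one record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.3 record content types (RFC 8446, section 5.1) */
enum { TLS_CT_ALERT = 21, TLS_CT_HANDSHAKE = 22, TLS_CT_APPDATA = 23 };
/* Handshake message types that can arrive after the handshake */
enum { TLS_HS_NEW_SESSION_TICKET = 4, TLS_HS_KEY_UPDATE = 24 };
/* Hypothetical verdicts, named for this example only */
enum demux_verdict { DEMUX_DELIVER, DEMUX_SKIP, DEMUX_KEY_UPDATE, DEMUX_CLOSE };

/* Classify one decrypted record. Assumes no message spans two records. */
enum demux_verdict tls_demux(uint8_t ctype, const uint8_t *buf, size_t len)
{
    enum demux_verdict v = DEMUX_SKIP;
    size_t off = 0, mlen;

    if (ctype == TLS_CT_APPDATA)
        return DEMUX_DELIVER;            /* NVMe/TCP PDU bytes */
    if (ctype != TLS_CT_HANDSHAKE || len == 0)
        return DEMUX_CLOSE;              /* alert, unknown type, empty record */
    while (off < len) {
        if (len - off < 4)
            return DEMUX_CLOSE;          /* truncated message header */
        mlen = ((size_t)buf[off + 1] << 16) | ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (mlen > len - off - 4)
            return DEMUX_CLOSE;          /* body overruns the record */
        switch (buf[off]) {
        case TLS_HS_NEW_SESSION_TICKET:  /* resumption is not used: drop it */
            break;
        case TLS_HS_KEY_UPDATE:          /* 1-byte body, must end the record */
            if (mlen != 1 || off + 5 != len)
                return DEMUX_CLOSE;
            v = DEMUX_KEY_UPDATE;
            break;
        default:
            return DEMUX_CLOSE;          /* unexpected post-handshake message */
        }
        off += 4 + mlen;
    }
    return v;
}

int main(void)
{
    /* Constructed sample: NewSessionTicket header with a 2-byte dummy body */
    const uint8_t nst[] = { 4, 0, 0, 2, 0xaa, 0xbb };
    printf("verdict=%d\n", tls_demux(TLS_CT_HANDSHAKE, nst, sizeof(nst)));
    return 0;
}
```

A caller that receives `DEMUX_KEY_UPDATE` has to switch receive keys before reading the next record; this sketch only reports that the message was seen.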



