kernel TLS configuration, was: Re: [ANNOUNCE] ktls-utils 1.0.0

Christoph Hellwig hch at infradead.org
Tue May 6 07:46:43 PDT 2025


On Tue, May 06, 2025 at 03:03:10PM +0200, Hannes Reinecke wrote:
> Hmm. We do that already:
> 
>         dev_dbg(nctrl->device, "queue %d: start TLS with key %x\n",
>                 qid, pskid);
>         memset(&args, 0, sizeof(args));
>         args.ta_sock = queue->sock;
>         args.ta_done = nvme_tcp_tls_done;
>         args.ta_data = queue;
>         args.ta_my_peerids[0] = pskid;
>         args.ta_num_peerids = 1;
>         if (nctrl->opts->keyring)
>                 keyring = key_serial(nctrl->opts->keyring);
>         args.ta_keyring = keyring;
>         args.ta_timeout_ms = tls_handshake_timeout * 1000;
>         queue->tls_err = -EOPNOTSUPP;
>         init_completion(&queue->tls_complete);
>         ret = tls_client_hello_psk(&args, GFP_KERNEL);
> 
> ... but we never evaluate the 'keyring' parameter from tlshd.
> Should be easy enough to fix.

That is only used to link the keyring in tls_handshake_private_keyring
and never passed over netlink.
