From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org,
Chuck Lever <chuck.lever@oracle.com>,
kernel-tls-handshake@lists.linux.dev,
Hannes Reinecke <hare@suse.de>
Subject: [PATCH 15/18] nvmet-tcp: enable TLS handshake upcall
Date: Wed, 29 Mar 2023 15:59:35 +0200 [thread overview]
Message-ID: <20230329135938.46905-16-hare@suse.de> (raw)
In-Reply-To: <20230329135938.46905-1-hare@suse.de>
Add functions to start the TLS handshake upcall when
the TCP RSAS sectype is set to 'tls1.3'.
Signed-off-by: Hannes Reincke <hare@suse.de>
---
drivers/nvme/target/configfs.c | 32 +++++++-
drivers/nvme/target/tcp.c | 135 ++++++++++++++++++++++++++++++++-
2 files changed, 163 insertions(+), 4 deletions(-)
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index ca66ee6dc153..36fbf6a22d09 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -159,10 +159,12 @@ static const struct nvmet_type_name_map nvmet_addr_treq[] = {
{ NVMF_TREQ_NOT_REQUIRED, "not required" },
};
+#define NVMET_PORT_TREQ(port) ((port)->disc_addr.treq & NVME_TREQ_SECURE_CHANNEL_MASK)
+
static ssize_t nvmet_addr_treq_show(struct config_item *item, char *page)
{
- u8 treq = to_nvmet_port(item)->disc_addr.treq &
- NVME_TREQ_SECURE_CHANNEL_MASK;
+ struct nvmet_port *port = to_nvmet_port(item);
+ u8 treq = NVMET_PORT_TREQ(port);
int i;
for (i = 0; i < ARRAY_SIZE(nvmet_addr_treq); i++) {
@@ -193,6 +195,17 @@ static ssize_t nvmet_addr_treq_store(struct config_item *item,
return -EINVAL;
found:
+#ifdef CONFIG_NVME_TLS
+ if (port->disc_addr.trtype == NVMF_TRTYPE_TCP) {
+ if (port->disc_addr.tsas.tcp.sectype != NVMF_TCP_SECTYPE_TLS13) {
+ pr_warn("cannot change TREQ when TLS is not enabled\n");
+ return -EINVAL;
+ } else if (nvmet_addr_treq[i].type == NVMF_TREQ_NOT_SPECIFIED) {
+ pr_warn("cannot set TREQ to 'not specified' when TLS is enabled\n");
+ return -EINVAL;
+ }
+ }
+#endif
treq |= nvmet_addr_treq[i].type;
port->disc_addr.treq = treq;
return count;
@@ -373,6 +386,7 @@ static ssize_t nvmet_addr_tsas_store(struct config_item *item,
const char *page, size_t count)
{
struct nvmet_port *port = to_nvmet_port(item);
+ u8 treq = port->disc_addr.treq & ~NVME_TREQ_SECURE_CHANNEL_MASK;
int i;
if (nvmet_is_port_enabled(port, __func__))
@@ -391,6 +405,20 @@ static ssize_t nvmet_addr_tsas_store(struct config_item *item,
found:
nvmet_port_init_tsas_tcp(port, nvmet_addr_tsas_tcp[i].type);
+ if (nvmet_addr_tsas_tcp[i].type == NVMF_TCP_SECTYPE_TLS13) {
+#ifdef CONFIG_NVME_TLS
+ if (NVMET_PORT_TREQ(port) == NVMF_TREQ_NOT_SPECIFIED)
+ treq |= NVMF_TREQ_REQUIRED;
+ else
+ treq |= NVMET_PORT_TREQ(port);
+#else
+ pr_err("TLS not supported\n");
+ return -EINVAL;
+#endif
+ } else {
+ /* Set to 'not specified' if TLS is not enabled */
+ treq |= NVMF_TREQ_NOT_SPECIFIED;
+ }
return count;
}
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 5931971d715f..ebec882120fd 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -11,6 +11,10 @@
#include <linux/nvme-tcp.h>
#include <net/sock.h>
#include <net/tcp.h>
+#ifdef CONFIG_NVME_TLS
+#include <net/handshake.h>
+#include <linux/nvme-keyring.h>
+#endif
#include <linux/inet.h>
#include <linux/llist.h>
#include <crypto/hash.h>
@@ -40,6 +44,16 @@ module_param(idle_poll_period_usecs, int, 0644);
MODULE_PARM_DESC(idle_poll_period_usecs,
"nvmet tcp io_work poll till idle time period in usecs");
+#ifdef CONFIG_NVME_TLS
+/*
+ * TLS handshake timeout
+ */
+static int tls_handshake_timeout = 30;
+module_param(tls_handshake_timeout, int, 0644);
+MODULE_PARM_DESC(tls_handshake_timeout,
+ "nvme TLS handshake timeout in seconds (default 30)");
+#endif
+
#define NVMET_TCP_RECV_BUDGET 8
#define NVMET_TCP_SEND_BUDGET 8
#define NVMET_TCP_IO_WORK_BUDGET 64
@@ -130,6 +144,10 @@ struct nvmet_tcp_queue {
bool data_digest;
struct ahash_request *snd_hash;
struct ahash_request *rcv_hash;
+#ifdef CONFIG_NVME_TLS
+ struct key *tls_psk;
+ struct delayed_work tls_handshake_work;
+#endif
unsigned long poll_end;
@@ -1474,6 +1492,10 @@ static void nvmet_tcp_release_queue_work(struct work_struct *w)
nvmet_tcp_free_cmds(queue);
if (queue->hdr_digest || queue->data_digest)
nvmet_tcp_free_crypto(queue);
+#ifdef CONFIG_NVME_TLS
+ if (queue->tls_psk)
+ key_put(queue->tls_psk);
+#endif
ida_free(&nvmet_tcp_queue_ida, queue->idx);
page = virt_to_head_page(queue->pf_cache.va);
__page_frag_cache_drain(page, queue->pf_cache.pagecnt_bias);
@@ -1488,8 +1510,12 @@ static void nvmet_tcp_data_ready(struct sock *sk)
read_lock_bh(&sk->sk_callback_lock);
queue = sk->sk_user_data;
- if (likely(queue))
- queue_work_on(queue_cpu(queue), nvmet_tcp_wq, &queue->io_work);
+ if (queue->data_ready)
+ queue->data_ready(sk);
+ if (likely(queue) &&
+ queue->state != NVMET_TCP_Q_TLS_HANDSHAKE)
+ queue_work_on(queue_cpu(queue), nvmet_tcp_wq,
+ &queue->io_work);
read_unlock_bh(&sk->sk_callback_lock);
}
@@ -1597,6 +1623,89 @@ static int nvmet_tcp_set_queue_sock(struct nvmet_tcp_queue *queue)
return ret;
}
+#ifdef CONFIG_NVME_TLS
+static void nvmet_tcp_tls_queue_restart(struct nvmet_tcp_queue *queue)
+{
+ spin_lock(&queue->state_lock);
+ if (queue->state != NVMET_TCP_Q_TLS_HANDSHAKE) {
+ pr_warn("queue %d: TLS handshake already completed\n",
+ queue->idx);
+ spin_unlock(&queue->state_lock);
+ return;
+ }
+ queue->state = NVMET_TCP_Q_CONNECTING;
+ spin_unlock(&queue->state_lock);
+
+ pr_debug("queue %d: restarting queue after TLS handshake\n",
+ queue->idx);
+ /*
+ * Set callbacks after handshake; TLS implementation
+ * might have changed the socket callbacks.
+ */
+ nvmet_tcp_set_queue_sock(queue);
+}
+
+static void nvmet_tcp_tls_handshake_done(void *data, int status,
+ key_serial_t peerid)
+{
+ struct nvmet_tcp_queue *queue = data;
+
+ pr_debug("queue %d: TLS handshake done, key %x, status %d\n",
+ queue->idx, peerid, status);
+ if (!status) {
+ spin_lock(&queue->state_lock);
+ queue->tls_psk = key_lookup(peerid);
+ if (IS_ERR(queue->tls_psk)) {
+ pr_warn("queue %d: TLS key %x not found\n",
+ queue->idx, peerid);
+ queue->tls_psk = NULL;
+ }
+ spin_unlock(&queue->state_lock);
+ }
+ cancel_delayed_work_sync(&queue->tls_handshake_work);
+ if (status)
+ nvmet_tcp_schedule_release_queue(queue);
+ else
+ nvmet_tcp_tls_queue_restart(queue);
+}
+
+static void nvmet_tcp_tls_handshake_timeout_work(struct work_struct *w)
+{
+ struct nvmet_tcp_queue *queue = container_of(to_delayed_work(w),
+ struct nvmet_tcp_queue, tls_handshake_work);
+
+ pr_debug("queue %d: TLS handshake timeout\n", queue->idx);
+ nvmet_tcp_schedule_release_queue(queue);
+}
+
+static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue)
+{
+ int ret = -EOPNOTSUPP;
+ struct tls_handshake_args args;
+
+ if (queue->state != NVMET_TCP_Q_TLS_HANDSHAKE) {
+ pr_warn("cannot start TLS in state %d\n", queue->state);
+ return -EINVAL;
+ }
+
+ pr_debug("queue %d: TLS ServerHello\n", queue->idx);
+ args.ta_sock = queue->sock;
+ args.ta_done = nvmet_tcp_tls_handshake_done;
+ args.ta_data = queue;
+ args.ta_keyring = nvme_keyring_id();
+ args.ta_timeout_ms = tls_handshake_timeout * 2 * 1024;
+
+ ret = tls_server_hello_psk(&args, GFP_KERNEL);
+ if (ret) {
+ pr_err("failed to start TLS, err=%d\n", ret);
+ } else {
+ queue_delayed_work(nvmet_wq, &queue->tls_handshake_work,
+ tls_handshake_timeout * HZ);
+ }
+ return ret;
+}
+#endif
+
static void nvmet_tcp_alloc_queue(struct nvmet_tcp_port *port,
struct socket *newsock)
{
@@ -1609,6 +1718,10 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_port *port,
INIT_WORK(&queue->release_work, nvmet_tcp_release_queue_work);
INIT_WORK(&queue->io_work, nvmet_tcp_io_work);
+#ifdef CONFIG_NVME_TLS
+ INIT_DELAYED_WORK(&queue->tls_handshake_work,
+ nvmet_tcp_tls_handshake_timeout_work);
+#endif
queue->sock = newsock;
queue->port = port;
queue->nr_cmds = 0;
@@ -1622,6 +1735,7 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_port *port,
init_llist_head(&queue->resp_list);
INIT_LIST_HEAD(&queue->resp_send_list);
+#ifdef CONFIG_NVME_TLS
if (queue->state == NVMET_TCP_Q_TLS_HANDSHAKE) {
queue->sock_file = sock_alloc_file(queue->sock, O_CLOEXEC, NULL);
if (IS_ERR(queue->sock_file)) {
@@ -1630,6 +1744,7 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_port *port,
goto out_free_queue;
}
}
+#endif
queue->idx = ida_alloc(&nvmet_tcp_queue_ida, GFP_KERNEL);
if (queue->idx < 0) {
@@ -1651,6 +1766,22 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_port *port,
list_add_tail(&queue->queue_list, &nvmet_tcp_queue_list);
mutex_unlock(&nvmet_tcp_queue_mutex);
+#ifdef CONFIG_NVME_TLS
+ if (queue->state == NVMET_TCP_Q_TLS_HANDSHAKE) {
+ struct sock *sk = queue->sock->sk;
+
+ /* Restore the default callbacks before starting upcall */
+ read_lock_bh(&sk->sk_callback_lock);
+ sk->sk_user_data = NULL;
+ sk->sk_data_ready = port->data_ready;
+ read_unlock_bh(&sk->sk_callback_lock);
+ if (!nvmet_tcp_tls_handshake(queue))
+ return;
+
+ /* TLS handshake failed, terminate the connection */
+ goto out_destroy_sq;
+ }
+#endif
ret = nvmet_tcp_set_queue_sock(queue);
if (ret)
goto out_destroy_sq;
--
2.35.3
next prev parent reply other threads:[~2023-03-29 14:00 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-29 13:59 [PATCHv2 00/18] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-03-29 13:59 ` [PATCH 01/18] nvme-keyring: register '.nvme' keyring and add CONFIG_NVME_TLS Hannes Reinecke
2023-03-29 14:49 ` Sagi Grimberg
2023-03-29 15:24 ` Hannes Reinecke
2023-03-29 15:04 ` Sagi Grimberg
2023-03-29 15:26 ` Hannes Reinecke
2023-03-30 8:53 ` Daniel Wagner
2023-03-30 14:38 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 02/18] nvme-keyring: define a 'psk' keytype Hannes Reinecke
2023-03-29 13:59 ` [PATCH 03/18] nvme: add TCP TSAS definitions Hannes Reinecke
2023-03-29 13:59 ` [PATCH 04/18] nvme-tcp: add definitions for TLS cipher suites Hannes Reinecke
2023-03-29 13:59 ` [PATCH 05/18] net/tls: implement ->read_sock() Hannes Reinecke
2023-03-29 15:37 ` Sagi Grimberg
2023-03-29 15:41 ` Hannes Reinecke
2023-03-29 15:43 ` Sagi Grimberg
2023-03-29 15:44 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 06/18] nvme/tcp: allocate socket file Hannes Reinecke
2023-03-29 15:57 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 07/18] nvme-keyring: implement nvme_tls_psk_default() Hannes Reinecke
2023-03-29 15:35 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 08/18] security/keys: export key_lookup() Hannes Reinecke
2023-03-29 13:59 ` [PATCH 09/18] nvme-tcp: enable TLS handshake upcall Hannes Reinecke
2023-03-30 12:54 ` Daniel Wagner
2023-03-30 12:59 ` Hannes Reinecke
2023-03-30 15:03 ` Sagi Grimberg
2023-03-30 17:16 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 10/18] nvme-tcp: fixup send workflow for kTLS Hannes Reinecke
2023-03-30 15:24 ` Sagi Grimberg
2023-03-30 17:26 ` Hannes Reinecke
2023-03-31 5:49 ` Jakub Kicinski
2023-03-31 6:03 ` Hannes Reinecke
2023-04-03 12:20 ` Sagi Grimberg
2023-04-03 14:59 ` Jakub Kicinski
2023-04-03 15:51 ` Sagi Grimberg
2023-04-03 18:48 ` Jakub Kicinski
2023-04-03 22:36 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 11/18] nvme-tcp: control message handling for recvmsg() Hannes Reinecke
2023-03-30 15:25 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 12/18] nvme-fabrics: parse options 'keyring' and 'tls_key' Hannes Reinecke
2023-03-30 15:33 ` Sagi Grimberg
2023-03-30 17:34 ` Hannes Reinecke
2023-04-03 12:24 ` Sagi Grimberg
2023-04-03 12:36 ` Hannes Reinecke
2023-04-03 13:07 ` Sagi Grimberg
2023-04-03 14:11 ` Hannes Reinecke
2023-04-03 16:13 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 13/18] nvmet: make TCP sectype settable via configfs Hannes Reinecke
2023-03-30 16:07 ` Sagi Grimberg
2023-03-30 17:37 ` Hannes Reinecke
2023-04-03 12:31 ` Sagi Grimberg
2023-04-03 12:43 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 14/18] nvmet-tcp: allocate socket file Hannes Reinecke
2023-03-30 16:08 ` Sagi Grimberg
2023-03-30 17:37 ` Hannes Reinecke
2023-03-29 13:59 ` Hannes Reinecke [this message]
2023-04-03 12:51 ` [PATCH 15/18] nvmet-tcp: enable TLS handshake upcall Sagi Grimberg
2023-04-03 14:05 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 16/18] nvmet-tcp: rework sendpage for kTLS Hannes Reinecke
2023-04-03 12:52 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 17/18] nvmet-tcp: control messages for recvmsg() Hannes Reinecke
2023-04-03 12:59 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 18/18] nvmet-tcp: add configfs attribute 'param_keyring' Hannes Reinecke
2023-04-03 13:03 ` Sagi Grimberg
2023-04-03 14:13 ` Hannes Reinecke
2023-04-03 15:53 ` Sagi Grimberg
2023-04-14 10:30 ` Hannes Reinecke
2023-04-17 13:50 ` Sagi Grimberg
2023-04-17 14:01 ` Hannes Reinecke
2023-04-17 15:12 ` Sagi Grimberg
-- strict thread matches above, loose matches on Subject: below --
2023-03-21 12:43 [RFC PATCH 00/18] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-03-21 12:43 ` [PATCH 15/18] nvmet-tcp: enable TLS handshake upcall Hannes Reinecke
2023-03-22 12:13 ` Sagi Grimberg
2023-03-22 12:34 ` Hannes Reinecke
2023-03-22 12:51 ` Sagi Grimberg
2023-03-22 13:47 ` Hannes Reinecke
2023-03-22 15:42 ` Sagi Grimberg
2023-03-22 16:43 ` Hannes Reinecke
2023-03-22 16:49 ` Chuck Lever III
2023-03-23 7:21 ` Sagi Grimberg
2023-03-24 11:29 ` Hannes Reinecke
2023-03-26 7:18 ` Sagi Grimberg
2023-03-27 6:20 ` Hannes Reinecke
2023-03-28 8:44 ` Sagi Grimberg
2023-03-28 9:20 ` Hannes Reinecke
2023-03-28 9:43 ` Sagi Grimberg
2023-03-28 10:04 ` Hannes Reinecke
2023-03-28 13:22 ` Chuck Lever III
2023-03-28 15:29 ` Sagi Grimberg
2023-03-28 15:56 ` Chuck Lever III
2023-03-29 6:33 ` Sagi Grimberg
2023-03-23 7:44 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230329135938.46905-16-hare@suse.de \
--to=hare@suse.de \
--cc=chuck.lever@oracle.com \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).