Message-ID: <65e17a9f-cc5a-0286-71fd-34c8560137cd@grimberg.me>
Date: Wed, 22 Mar 2023 11:24:36 +0200
From: Sagi Grimberg
To: Hannes Reinecke, Christoph Hellwig
Cc: Keith Busch, linux-nvme@lists.infradead.org, Chuck Lever, kernel-tls-handshake@lists.linux.dev
Subject: Re: [PATCH 09/18] nvme-tcp: add connect option 'tls'
X-Mailing-List: kernel-tls-handshake@lists.linux.dev
References: <20230321124325.77385-1-hare@suse.de> <20230321124325.77385-10-hare@suse.de>
In-Reply-To: <20230321124325.77385-10-hare@suse.de>

> Add a connect option 'tls' to request TLS1.3 in-band encryption, and > abort the connection attempt if TLS could not be established. > > Signed-off-by: Hannes Reinecke > --- > drivers/nvme/host/fabrics.c | 5 +++++ > drivers/nvme/host/fabrics.h | 2 ++ > drivers/nvme/host/tcp.c | 7 ++++++- > 3 files changed, 13 insertions(+), 1 deletion(-) > > diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c > index bbaa04a0c502..fdff7cdff029 100644 > --- a/drivers/nvme/host/fabrics.c > +++ b/drivers/nvme/host/fabrics.c > @@ -609,6 +609,7 @@ static const match_table_t opt_tokens = { > { NVMF_OPT_DISCOVERY, "discovery" }, > { NVMF_OPT_DHCHAP_SECRET, "dhchap_secret=%s" }, > { NVMF_OPT_DHCHAP_CTRL_SECRET, "dhchap_ctrl_secret=%s" }, > + { NVMF_OPT_TLS, "tls" }, > { NVMF_OPT_ERR, NULL } > };
> > @@ -632,6 +633,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, > opts->hdr_digest = false; > opts->data_digest = false; > opts->tos = -1; /* < 0 == use transport default */ > + opts->tls = false; > > options = o = kstrdup(buf, GFP_KERNEL); > if (!options) > @@ -918,6 +920,9 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, > kfree(opts->dhchap_ctrl_secret); > opts->dhchap_ctrl_secret = p; > break; > + case NVMF_OPT_TLS: > + opts->tls = true; > + break; > default: > pr_warn("unknown parameter or missing value '%s' in ctrl creation request\n", > p); > diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h > index dcac3df8a5f7..c4538a9d437c 100644 > --- a/drivers/nvme/host/fabrics.h > +++ b/drivers/nvme/host/fabrics.h > @@ -70,6 +70,7 @@ enum { > NVMF_OPT_DISCOVERY = 1 << 22, > NVMF_OPT_DHCHAP_SECRET = 1 << 23, > NVMF_OPT_DHCHAP_CTRL_SECRET = 1 << 24, > + NVMF_OPT_TLS = 1 << 25, > }; > > /** > @@ -128,6 +129,7 @@ struct nvmf_ctrl_options { > int max_reconnects; > char *dhchap_secret; > char *dhchap_ctrl_secret; > + bool tls; > bool disable_sqflow; > bool hdr_digest; > bool data_digest; > diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c > index bcf24e9a08e1..bbff1f52a167 100644 > --- a/drivers/nvme/host/tcp.c > +++ b/drivers/nvme/host/tcp.c > @@ -1902,6 +1902,9 @@ static int nvme_tcp_alloc_admin_queue(struct nvme_ctrl *ctrl) > break; > } > if (ret) { > + /* Abort if TLS is requested */ > + if (num_keys && ctrl->opts->tls) > + goto out_free_queue; > /* Try without TLS */ > ret = nvme_tcp_alloc_queue(ctrl, 0, 0); > if (ret) > @@ -1934,6 +1937,8 @@ static int __nvme_tcp_alloc_io_queues(struct nvme_ctrl *ctrl) > break; > } > if (ret) { > + if (num_keys && ctrl->opts->tls) > + goto out_free_queues;

I don't see why we even attempt tls if we're not explicitly told to.
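Review bot: In the opt_tokens hunk of fabrics.c (the `{ NVMF_OPT_TLS, "tls" },` line), the new token is parsed for every fabrics transport, but none of the quoted tcp.c hunks add NVMF_OPT_TLS to the nvme-tcp transport's allowed_opts mask, and without that the fabrics allowed-options check rejects "tls" as an invalid parameter for the transport. The diffstat lists 7 insertions and 1 deletion for tcp.c while the two quoted hunks account for only five insertions, so the remaining change may well be exactly that; please confirm it is, and consider mentioning in the commit message that the option is tcp-only for now.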
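Review bot: The abort condition `if (num_keys && ctrl->opts->tls)` in the nvme_tcp_alloc_admin_queue hunk does not deliver what the commit message promises. When the user passes `tls` but num_keys is zero (no usable key was found), the check is skipped and control falls into `/* Try without TLS */` and `nvme_tcp_alloc_queue(ctrl, 0, 0)`, so a connection the user explicitly asked to be encrypted can come up in plaintext with no error. Gate the abort on `ctrl->opts->tls` alone (a tls request with no key is itself a failure to establish TLS), and emit a dev_err() stating that TLS was required before `goto out_free_queue`, since otherwise the only diagnostic the caller gets is whatever ret the TLS attempt happened to leave behind.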
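Review bot: The __nvme_tcp_alloc_io_queues hunk has the same hole: `if (num_keys && ctrl->opts->tls)` lets a tls request fall through when num_keys is zero, so it should test `ctrl->opts->tls` on its own here as well. It also drops the `/* Abort if TLS is requested */` comment the admin-queue hunk carries; keep the two sites identical, or better, put the decision in a single small helper so they cannot drift apart. Separately from the new option, if the I/O path retries without TLS the way the admin path does, a failed I/O queue handshake leaves the admin queue encrypted and the I/O queues in plaintext, which is worth a comment or a warning even when `tls` was not requested.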