From: Sagi Grimberg <sagi@grimberg.me>
To: Hannes Reinecke <hare@suse.de>, Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org,
Chuck Lever <chuck.lever@oracle.com>,
kernel-tls-handshake@lists.linux.dev
Subject: Re: [PATCH 12/18] nvme-fabrics: parse options 'keyring' and 'tls_key'
Date: Thu, 30 Mar 2023 18:33:35 +0300 [thread overview]
Message-ID: <677f3f9a-872d-27fe-9a21-b41bbe1c44ff@grimberg.me> (raw)
In-Reply-To: <20230329135938.46905-13-hare@suse.de>
> Parse the fabrics options 'keyring' and 'tls_key' and store the
> referenced keys in the options structure.
Can you explain the reasoning to why a user need to pass a keyring
given that we already set up one?
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> drivers/nvme/host/fabrics.c | 79 ++++++++++++++++++++++++++++++++++++-
> drivers/nvme/host/fabrics.h | 6 +++
> drivers/nvme/host/tcp.c | 20 +++++++---
> 3 files changed, 98 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
> index 3e4f0e45b58f..5f5e487d498c 100644
> --- a/drivers/nvme/host/fabrics.c
> +++ b/drivers/nvme/host/fabrics.c
> @@ -605,6 +605,8 @@ static const match_table_t opt_tokens = {
> { NVMF_OPT_NR_WRITE_QUEUES, "nr_write_queues=%d" },
> { NVMF_OPT_NR_POLL_QUEUES, "nr_poll_queues=%d" },
> { NVMF_OPT_TOS, "tos=%d" },
> + { NVMF_OPT_KEYRING, "keyring=%d" },
> + { NVMF_OPT_TLS_KEY, "tls_key=%d" },
> { NVMF_OPT_FAIL_FAST_TMO, "fast_io_fail_tmo=%d" },
> { NVMF_OPT_DISCOVERY, "discovery" },
> { NVMF_OPT_DHCHAP_SECRET, "dhchap_secret=%s" },
> @@ -620,8 +622,9 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
> char *options, *o, *p;
> int token, ret = 0;
> size_t nqnlen = 0;
> - int ctrl_loss_tmo = NVMF_DEF_CTRL_LOSS_TMO;
> + int ctrl_loss_tmo = NVMF_DEF_CTRL_LOSS_TMO, key_id;
> uuid_t hostid;
> + struct key *key = NULL;
>
> /* Set defaults */
> opts->queue_size = NVMF_DEF_QUEUE_SIZE;
> @@ -889,6 +892,74 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
> }
> opts->tos = token;
> break;
> + case NVMF_OPT_KEYRING:
> +#ifdef CONFIG_NVME_TLS
Same comment as before:
if (!IS_ENABLED(CONFIG_NVME_TLS)) {
pr_err("TLS is not supported\n");
ret = -EINVAL;
goto out;
}
> + if (match_int(args, &key_id)) {
> + ret = -EINVAL;
> + goto out;
> + }
> + if (key_id < 0) {
> + pr_err("Invalid keyring id %d\n", key_id);
> + ret = -EINVAL;
> + goto out;
> + }
> + if (!key_id) {
> + pr_debug("Using default keyring\n");
> + if (opts->keyring) {
> + key_put(opts->keyring);
> + opts->keyring = NULL;
> + }
> + break;
> + }
> + key = key_lookup(key_id);
> + if (!key) {
> + pr_err("Keyring id %08x not found\n", key_id);
> + ret = -ENOKEY;
> + goto out;
> + }
> + if (opts->keyring)
> + key_put(opts->keyring);
> + opts->keyring = key;
> + break;
> +#else
> + pr_err("TLS is not supported\n");
> + ret = -EINVAL;
> + goto out;
> +#endif
> + case NVMF_OPT_TLS_KEY:
> +#ifdef CONFIG_NVME_TLS
> + if (match_int(args, &key_id)) {
> + ret = -EINVAL;
> + goto out;
> + }
> + if (key_id < 0) {
> + pr_err("Invalid key id %d\n", key_id);
> + ret = -EINVAL;
> + goto out;
> + }
> + if (!key_id) {
> + pr_debug("Using 'best' PSK\n");
> + if (opts->tls_key) {
> + key_put(opts->tls_key);
> + opts->tls_key = NULL;
> + }
> + break;
> + }
> + key = key_lookup(key_id);
> + if (!key) {
> + pr_err("Key id %08x not found\n", key_id);
> + ret = -ENOKEY;
> + goto out;
> + }
> + if (opts->tls_key)
> + key_put(opts->tls_key);
> + opts->tls_key = key;
> +#else
> + pr_err("TLS is not supported\n");
> + ret = -EINVAL;
> + goto out;
> +#endif
> + break;
> case NVMF_OPT_DISCOVERY:
> opts->discovery_nqn = true;
> break;
> @@ -1054,6 +1125,12 @@ static int nvmf_check_allowed_opts(struct nvmf_ctrl_options *opts,
> void nvmf_free_options(struct nvmf_ctrl_options *opts)
> {
> nvmf_host_put(opts->host);
> +#ifdef CONFIG_NVME_TLS
> + if (opts->keyring)
> + key_put(opts->keyring);
> + if (opts->tls_key)
> + key_put(opts->tls_key);
I think key_put is null safe.
next prev parent reply other threads:[~2023-03-30 15:33 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-29 13:59 [PATCHv2 00/18] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-03-29 13:59 ` [PATCH 01/18] nvme-keyring: register '.nvme' keyring and add CONFIG_NVME_TLS Hannes Reinecke
2023-03-29 14:49 ` Sagi Grimberg
2023-03-29 15:24 ` Hannes Reinecke
2023-03-29 15:04 ` Sagi Grimberg
2023-03-29 15:26 ` Hannes Reinecke
2023-03-30 8:53 ` Daniel Wagner
2023-03-30 14:38 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 02/18] nvme-keyring: define a 'psk' keytype Hannes Reinecke
2023-03-29 13:59 ` [PATCH 03/18] nvme: add TCP TSAS definitions Hannes Reinecke
2023-03-29 13:59 ` [PATCH 04/18] nvme-tcp: add definitions for TLS cipher suites Hannes Reinecke
2023-03-29 13:59 ` [PATCH 05/18] net/tls: implement ->read_sock() Hannes Reinecke
2023-03-29 15:37 ` Sagi Grimberg
2023-03-29 15:41 ` Hannes Reinecke
2023-03-29 15:43 ` Sagi Grimberg
2023-03-29 15:44 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 06/18] nvme/tcp: allocate socket file Hannes Reinecke
2023-03-29 15:57 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 07/18] nvme-keyring: implement nvme_tls_psk_default() Hannes Reinecke
2023-03-29 15:35 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 08/18] security/keys: export key_lookup() Hannes Reinecke
2023-03-29 13:59 ` [PATCH 09/18] nvme-tcp: enable TLS handshake upcall Hannes Reinecke
2023-03-30 12:54 ` Daniel Wagner
2023-03-30 12:59 ` Hannes Reinecke
2023-03-30 15:03 ` Sagi Grimberg
2023-03-30 17:16 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 10/18] nvme-tcp: fixup send workflow for kTLS Hannes Reinecke
2023-03-30 15:24 ` Sagi Grimberg
2023-03-30 17:26 ` Hannes Reinecke
2023-03-31 5:49 ` Jakub Kicinski
2023-03-31 6:03 ` Hannes Reinecke
2023-04-03 12:20 ` Sagi Grimberg
2023-04-03 14:59 ` Jakub Kicinski
2023-04-03 15:51 ` Sagi Grimberg
2023-04-03 18:48 ` Jakub Kicinski
2023-04-03 22:36 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 11/18] nvme-tcp: control message handling for recvmsg() Hannes Reinecke
2023-03-30 15:25 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 12/18] nvme-fabrics: parse options 'keyring' and 'tls_key' Hannes Reinecke
2023-03-30 15:33 ` Sagi Grimberg [this message]
2023-03-30 17:34 ` Hannes Reinecke
2023-04-03 12:24 ` Sagi Grimberg
2023-04-03 12:36 ` Hannes Reinecke
2023-04-03 13:07 ` Sagi Grimberg
2023-04-03 14:11 ` Hannes Reinecke
2023-04-03 16:13 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 13/18] nvmet: make TCP sectype settable via configfs Hannes Reinecke
2023-03-30 16:07 ` Sagi Grimberg
2023-03-30 17:37 ` Hannes Reinecke
2023-04-03 12:31 ` Sagi Grimberg
2023-04-03 12:43 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 14/18] nvmet-tcp: allocate socket file Hannes Reinecke
2023-03-30 16:08 ` Sagi Grimberg
2023-03-30 17:37 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 15/18] nvmet-tcp: enable TLS handshake upcall Hannes Reinecke
2023-04-03 12:51 ` Sagi Grimberg
2023-04-03 14:05 ` Hannes Reinecke
2023-03-29 13:59 ` [PATCH 16/18] nvmet-tcp: rework sendpage for kTLS Hannes Reinecke
2023-04-03 12:52 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 17/18] nvmet-tcp: control messages for recvmsg() Hannes Reinecke
2023-04-03 12:59 ` Sagi Grimberg
2023-03-29 13:59 ` [PATCH 18/18] nvmet-tcp: add configfs attribute 'param_keyring' Hannes Reinecke
2023-04-03 13:03 ` Sagi Grimberg
2023-04-03 14:13 ` Hannes Reinecke
2023-04-03 15:53 ` Sagi Grimberg
2023-04-14 10:30 ` Hannes Reinecke
2023-04-17 13:50 ` Sagi Grimberg
2023-04-17 14:01 ` Hannes Reinecke
2023-04-17 15:12 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=677f3f9a-872d-27fe-9a21-b41bbe1c44ff@grimberg.me \
--to=sagi@grimberg.me \
--cc=chuck.lever@oracle.com \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nvme@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).