From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 14/14] nvmet-tcp: control messages for recvmsg()
Date: Thu, 3 Aug 2023 12:51:02 +0200 [thread overview]
Message-ID: <20230803105102.30949-15-hare@suse.de> (raw)
In-Reply-To: <20230803105102.30949-1-hare@suse.de>
kTLS requires control messages for recvmsg() to relay any out-of-band
TLS messages (eg TLS alerts) to the caller.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
drivers/nvme/target/tcp.c | 87 +++++++++++++++++++++++++++++++++------
1 file changed, 74 insertions(+), 13 deletions(-)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 7279c994abd6..e2db573d68d9 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -14,6 +14,7 @@
#include <net/sock.h>
#include <net/tcp.h>
#include <net/tls.h>
+#include <net/tls_prot.h>
#include <net/handshake.h>
#include <linux/inet.h>
#include <linux/llist.h>
@@ -118,6 +119,7 @@ struct nvmet_tcp_cmd {
u32 pdu_len;
u32 pdu_recv;
int sg_idx;
+ char recv_cbuf[CMSG_LEN(sizeof(char))];
struct msghdr recv_msg;
struct bio_vec *iov;
u32 flags;
@@ -1116,12 +1118,49 @@ static inline bool nvmet_tcp_pdu_valid(u8 type)
return false;
}
+static int nvmet_tcp_tls_record_ok(struct socket *sock, struct msghdr *msg, char *cbuf)
+{
+ struct cmsghdr *cmsg = (struct cmsghdr *)cbuf;
+ u8 ctype, level, description;
+ int ret = 0;
+
+ if (!IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS))
+ return 0;
+
+ ctype = tls_get_record_type(sock->sk, cmsg);
+ switch (ctype) {
+ case 0:
+ break;
+ case TLS_RECORD_TYPE_DATA:
+ break;
+ case TLS_RECORD_TYPE_ALERT:
+ tls_alert_recv(sock->sk, msg, &level, &description);
+ pr_err("TLS Alert level %u desc %u\n", level, description);
+ ret = (level == TLS_ALERT_LEVEL_FATAL) ?
+ -ENOTCONN : -EAGAIN;
+ break;
+ default:
+ /* discard this record type */
+ pr_err("TLS record %d unhandled\n", ctype);
+ ret = -EAGAIN;
+ break;
+ }
+ return ret;
+}
+
static int nvmet_tcp_try_recv_pdu(struct nvmet_tcp_queue *queue)
{
struct nvme_tcp_hdr *hdr = &queue->pdu.cmd.hdr;
- int len;
+ int len, ret;
struct kvec iov;
- struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
+ char cbuf[CMSG_LEN(sizeof(char))] = {};
+ struct msghdr msg = {
+#ifdef CONFIG_NVME_TARGET_TCP_TLS
+ .msg_control = cbuf,
+ .msg_controllen = sizeof(cbuf),
+#endif
+ .msg_flags = MSG_DONTWAIT
+ };
recv:
iov.iov_base = (void *)&queue->pdu + queue->offset;
@@ -1130,6 +1169,9 @@ static int nvmet_tcp_try_recv_pdu(struct nvmet_tcp_queue *queue)
iov.iov_len, msg.msg_flags);
if (unlikely(len < 0))
return len;
+ ret = nvmet_tcp_tls_record_ok(queue->sock, &msg, cbuf);
+ if (ret < 0)
+ return ret;
queue->offset += len;
queue->left -= len;
@@ -1182,16 +1224,21 @@ static void nvmet_tcp_prep_recv_ddgst(struct nvmet_tcp_cmd *cmd)
static int nvmet_tcp_try_recv_data(struct nvmet_tcp_queue *queue)
{
struct nvmet_tcp_cmd *cmd = queue->cmd;
- int ret;
+ int len, ret;
while (msg_data_left(&cmd->recv_msg)) {
- ret = sock_recvmsg(cmd->queue->sock, &cmd->recv_msg,
+ len = sock_recvmsg(cmd->queue->sock, &cmd->recv_msg,
cmd->recv_msg.msg_flags);
- if (ret <= 0)
+ if (len <= 0)
+ return len;
+ ret = nvmet_tcp_tls_record_ok(cmd->queue->sock,
+ &cmd->recv_msg,
+ cmd->recv_cbuf);
+ if (ret < 0)
return ret;
- cmd->pdu_recv += ret;
- cmd->rbytes_done += ret;
+ cmd->pdu_recv += len;
+ cmd->rbytes_done += len;
}
if (queue->data_digest) {
@@ -1209,20 +1256,30 @@ static int nvmet_tcp_try_recv_data(struct nvmet_tcp_queue *queue)
static int nvmet_tcp_try_recv_ddgst(struct nvmet_tcp_queue *queue)
{
struct nvmet_tcp_cmd *cmd = queue->cmd;
- int ret;
- struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
+ int ret, len;
+ char cbuf[CMSG_LEN(sizeof(char))] = {};
+ struct msghdr msg = {
+#ifdef CONFIG_NVME_TARGET_TCP_TLS
+ .msg_control = cbuf,
+ .msg_controllen = sizeof(cbuf),
+#endif
+ .msg_flags = MSG_DONTWAIT
+ };
struct kvec iov = {
.iov_base = (void *)&cmd->recv_ddgst + queue->offset,
.iov_len = queue->left
};
- ret = kernel_recvmsg(queue->sock, &msg, &iov, 1,
+ len = kernel_recvmsg(queue->sock, &msg, &iov, 1,
iov.iov_len, msg.msg_flags);
- if (unlikely(ret < 0))
+ if (unlikely(len < 0))
+ return len;
+ ret = nvmet_tcp_tls_record_ok(queue->sock, &msg, cbuf);
+ if (ret < 0)
return ret;
- queue->offset += ret;
- queue->left -= ret;
+ queue->offset += len;
+ queue->left -= len;
if (queue->left)
return -EAGAIN;
@@ -1389,6 +1446,10 @@ static int nvmet_tcp_alloc_cmd(struct nvmet_tcp_queue *queue,
if (!c->r2t_pdu)
goto out_free_data;
+ if (IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS)) {
+ c->recv_msg.msg_control = c->recv_cbuf;
+ c->recv_msg.msg_controllen = sizeof(c->recv_cbuf);
+ }
c->recv_msg.msg_flags = MSG_DONTWAIT | MSG_NOSIGNAL;
list_add_tail(&c->entry, &queue->free_list);
--
2.35.3
prev parent reply other threads:[~2023-08-03 10:53 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-03 10:50 [PATCHv5 00/14] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-08-03 10:50 ` [PATCH 01/14] nvme-keyring: register '.nvme' keyring Hannes Reinecke
2023-08-07 7:09 ` Sagi Grimberg
2023-08-03 10:50 ` [PATCH 02/14] nvme-keyring: define a 'psk' keytype Hannes Reinecke
2023-08-07 7:11 ` Sagi Grimberg
2023-08-03 10:50 ` [PATCH 03/14] nvme: add TCP TSAS definitions Hannes Reinecke
2023-08-03 10:50 ` [PATCH 04/14] nvme-tcp: add definitions for TLS cipher suites Hannes Reinecke
2023-08-03 10:50 ` [PATCH 05/14] nvme-keyring: implement nvme_tls_psk_default() Hannes Reinecke
2023-08-07 7:13 ` Sagi Grimberg
2023-08-03 10:50 ` [PATCH 06/14] security/keys: export key_lookup() Hannes Reinecke
2023-08-07 7:13 ` Sagi Grimberg
2023-08-03 10:50 ` [PATCH 07/14] nvme/tcp: allocate socket file Hannes Reinecke
2023-08-07 7:15 ` Sagi Grimberg
2023-08-07 7:23 ` Hannes Reinecke
2023-08-03 10:50 ` [PATCH 08/14] nvme-tcp: enable TLS handshake upcall Hannes Reinecke
2023-08-07 8:20 ` Sagi Grimberg
2023-08-07 8:32 ` Hannes Reinecke
2023-08-03 10:50 ` [PATCH 09/14] nvme-tcp: control message handling for recvmsg() Hannes Reinecke
2023-08-07 8:22 ` Sagi Grimberg
2023-08-08 6:39 ` Hannes Reinecke
2023-08-08 8:41 ` Sagi Grimberg
2023-08-08 8:51 ` Hannes Reinecke
2023-08-08 9:05 ` Sagi Grimberg
2023-08-08 10:57 ` Pawel Baldysiak
[not found] ` <20230808105403.3949653-1-pawel.baldysiak@dell.com>
2023-08-08 11:45 ` Sagi Grimberg
2023-08-08 11:56 ` Hannes Reinecke
2023-08-03 10:50 ` [PATCH 10/14] nvme-fabrics: parse options 'keyring' and 'tls_key' Hannes Reinecke
2023-08-07 8:23 ` Sagi Grimberg
2023-08-07 8:34 ` Hannes Reinecke
2023-08-03 10:50 ` [PATCH 11/14] nvmet: make TCP sectype settable via configfs Hannes Reinecke
2023-08-07 8:25 ` Sagi Grimberg
2023-08-03 10:51 ` [PATCH 12/14] nvmet-tcp: allocate socket file Hannes Reinecke
2023-08-07 8:27 ` Sagi Grimberg
2023-08-07 8:49 ` Hannes Reinecke
2023-08-07 8:53 ` Sagi Grimberg
2023-08-07 9:17 ` Hannes Reinecke
2023-08-07 10:42 ` Sagi Grimberg
2023-08-08 6:08 ` Hannes Reinecke
2023-08-08 8:44 ` Sagi Grimberg
2023-08-03 10:51 ` [PATCH 13/14] nvmet-tcp: enable TLS handshake upcall Hannes Reinecke
2023-08-07 8:51 ` Sagi Grimberg
2023-08-07 9:15 ` Hannes Reinecke
2023-08-07 11:49 ` Sagi Grimberg
2023-08-08 6:16 ` Hannes Reinecke
2023-08-03 10:51 ` Hannes Reinecke [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230803105102.30949-15-hare@suse.de \
--to=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.