From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 05/13] nvme-keyring: add nvme_tls_psk_refresh()
Date: Sat, 27 Jan 2024 10:30:50 +0100 [thread overview]
Message-ID: <20240127093058.15699-6-hare@kernel.org> (raw)
In-Reply-To: <20240127093058.15699-1-hare@kernel.org>
From: Hannes Reinecke <hare@suse.de>
Add a function to refresh a generated PSK in the specified keyring.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
drivers/nvme/common/keyring.c | 50 +++++++++++++++++++++++++++++++++++
include/linux/nvme-keyring.h | 7 +++++
2 files changed, 57 insertions(+)
diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
index a5c0431c101c..c16f9496643f 100644
--- a/drivers/nvme/common/keyring.c
+++ b/drivers/nvme/common/keyring.c
@@ -104,6 +104,56 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
return key_ref_to_ptr(keyref);
}
+struct key *nvme_tls_psk_refresh(struct key *keyring, char *hostnqn, char *subnqn,
+ u8 hmac_id, bool generated, u8 *data, size_t data_len, char *digest)
+{
+ key_perm_t keyperm =
+ KEY_POS_SEARCH | KEY_POS_VIEW | KEY_POS_READ |
+ KEY_POS_WRITE | KEY_POS_LINK | KEY_POS_SETATTR |
+ KEY_USR_SEARCH | KEY_USR_VIEW | KEY_USR_READ;
+ char *identity;
+ size_t identity_len = (NVMF_NQN_SIZE) * 2 + 77;
+ key_ref_t keyref;
+ key_serial_t keyring_id;
+ struct key *key;
+
+ if (!hostnqn || !subnqn || !data || !data_len)
+ return ERR_PTR(-EINVAL);
+
+ identity = kzalloc(identity_len, GFP_KERNEL);
+ if (!identity)
+ return ERR_PTR(-ENOMEM);
+
+ snprintf(identity, identity_len, "NVMe1%c%02d %s %s %s",
+ generated ? 'G' : 'R', hmac_id, hostnqn, subnqn, digest);
+
+ if (!keyring)
+ keyring = nvme_keyring;
+ keyring_id = key_serial(keyring);
+ pr_debug("keyring %x refresh tls psk '%s'\n",
+ keyring_id, identity);
+ keyref = key_create_or_update(make_key_ref(keyring, true),
+ "psk", identity, data, data_len,
+ keyperm, KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_ALLOC_BUILT_IN |
+ KEY_ALLOC_BYPASS_RESTRICTION);
+ if (IS_ERR(keyref)) {
+ pr_debug("refresh tls psk '%s' failed, error %ld\n",
+ identity, PTR_ERR(keyref));
+ kfree(identity);
+ return ERR_PTR(-ENOKEY);
+ }
+ kfree(identity);
+ /*
+ * Set the default timeout to 1 hour
+ * as suggested in TP8018.
+ */
+ key = key_ref_to_ptr(keyref);
+ key_set_timeout(key, 3600);
+ return key;
+}
+EXPORT_SYMBOL_GPL(nvme_tls_psk_refresh);
+
/*
* NVMe PSK priority list
*
diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h
index e10333d78dbb..d2b8a0783ad7 100644
--- a/include/linux/nvme-keyring.h
+++ b/include/linux/nvme-keyring.h
@@ -8,6 +8,8 @@
#if IS_ENABLED(CONFIG_NVME_KEYRING)
+struct key *nvme_tls_psk_refresh(struct key *keyring, char *hostnqn, char *subnqn,
+ u8 hmac_id, bool generated, u8 *data, size_t data_len, char *digest);
key_serial_t nvme_tls_psk_default(struct key *keyring,
const char *hostnqn, const char *subnqn);
@@ -15,6 +17,11 @@ key_serial_t nvme_keyring_id(void);
#else
+static struct key *nvme_tls_psk_refresh(struct key *keyring, char *hostnqn, char *subnqn,
+ u8 hmac_id, bool generated, u8 *data, size_t data_len, char *digest)
+{
+ return -ENOTSUPP;
+}
static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
const char *hostnqn, const char *subnqn)
{
--
2.35.3
next prev parent reply other threads:[~2024-01-27 9:31 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-27 9:30 [PATCHv2 00/13] nvme: implement secure concatenation hare
2024-01-27 9:30 ` [PATCH 01/13] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-27 9:30 ` [PATCH 02/13] nvme: add nvme_auth_generate_psk() hare
2024-03-07 10:42 ` Sagi Grimberg
2024-01-27 9:30 ` [PATCH 03/13] nvme: add nvme_auth_generate_digest() hare
2024-03-07 10:44 ` Sagi Grimberg
2024-01-27 9:30 ` [PATCH 04/13] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-27 9:30 ` hare [this message]
2024-01-27 9:30 ` [PATCH 06/13] nvme-keyring: restrict match length for version '1' identifiers hare
2024-03-07 10:49 ` Sagi Grimberg
2024-03-07 11:35 ` Hannes Reinecke
2024-03-07 12:08 ` Sagi Grimberg
2024-03-07 12:13 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 07/13] nvme-tcp: check for invalidated or revoked key hare
2024-03-07 10:51 ` Sagi Grimberg
2024-03-07 11:36 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 08/13] nvme-fabrics: authentication errors are not retryable hare
2024-03-07 10:52 ` Sagi Grimberg
2024-03-07 11:37 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 09/13] nvme-tcp: sanitize TLS key handling hare
2024-03-07 11:03 ` Sagi Grimberg
2024-03-07 11:42 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 10/13] nvme-tcp: request secure channel concatenation hare
2024-01-27 9:30 ` [PATCH 11/13] nvme-tcp: combine reset and recovery hare
2024-03-07 11:08 ` Sagi Grimberg
2024-03-07 11:43 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 12/13] nvme-tcp: reset after recovery for secure concatenation hare
2024-01-27 9:30 ` [PATCH 13/13] nvmet-tcp: support secure channel concatenation hare
2024-02-12 7:40 ` [PATCHv2 00/13] nvme: implement secure concatenation Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240127093058.15699-6-hare@kernel.org \
--to=hare@kernel.org \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.