From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 15/19] nvme-tcp: do not start queues when TLS is not enabled for secure concatenation
Date: Wed, 8 May 2024 12:23:01 +0200 [thread overview]
Message-ID: <20240508102305.108949-16-hare@kernel.org> (raw)
In-Reply-To: <20240508102305.108949-1-hare@kernel.org>
For secure concatenation the TLS PSK is negotiated with DH-HMAC-CHAP,
and then the queue is reset to enable TLS. During that state we should
not start the I/O queues as the connection will be reset after
DH-HMAC-CHAP is run.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/host/tcp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index a9fd3169ae45..232ea8572cdd 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -2065,6 +2065,17 @@ static int nvme_tcp_configure_io_queues(struct nvme_ctrl *ctrl, bool new)
* queue number might have changed.
*/
nr_queues = min(ctrl->tagset->nr_hw_queues + 1, ctrl->queue_count);
+
+ /*
+ * If secure concatenation is enabled don't start queues
+ * when TLS is not enabled; the connection will be reset
+ * after DH-HMAC-CHAP is run to enable TLS.
+ */
+ if (new && ctrl->opts && ctrl->opts->concat && !ctrl->tls_pskid) {
+ nr_queues = 1;
+ dev_dbg(ctrl->device, "restrict I/O queues for secure concatenation\n");
+ }
+
ret = nvme_tcp_start_io_queues(ctrl, 1, nr_queues);
if (ret)
goto out_cleanup_connect_q;
--
2.35.3
next prev parent reply other threads:[~2024-05-08 11:31 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-08 10:22 [PATCHv4 00/19] nvme: implement secure concatenation Hannes Reinecke
2024-05-08 10:22 ` [PATCH 01/19] nvme-keyring: restrict match length for version '1' identifiers Hannes Reinecke
2024-05-08 10:22 ` [PATCH 02/19] crypto,fs: Separate out hkdf_extract() and hkdf_expand() Hannes Reinecke
2024-05-08 10:22 ` [PATCH 03/19] nvme: add nvme_auth_generate_psk() Hannes Reinecke
2024-05-08 10:22 ` [PATCH 04/19] nvme: add nvme_auth_generate_digest() Hannes Reinecke
2024-05-08 10:22 ` [PATCH 05/19] nvme: add nvme_auth_derive_tls_psk() Hannes Reinecke
2024-05-08 10:22 ` [PATCH 06/19] nvme-keyring: add nvme_tls_psk_refresh() Hannes Reinecke
2024-05-08 10:22 ` [PATCH 07/19] nvme-tcp: sanitize TLS key handling Hannes Reinecke
2024-05-08 10:22 ` [PATCH 08/19] nvme-tcp: check for invalidated or revoked key Hannes Reinecke
2024-05-08 10:22 ` [PATCH 09/19] nvme: add a newline to the 'tls_key' sysfs attribute Hannes Reinecke
2024-05-08 10:22 ` [PATCH 10/19] nvme-sysfs: add 'tls_configured_key' " Hannes Reinecke
2024-05-08 10:22 ` [PATCH 11/19] nvme-sysfs: add 'tls_keyring' attribute Hannes Reinecke
2024-05-08 10:22 ` [PATCH 12/19] nvme-tcp: request secure channel concatenation Hannes Reinecke
2024-05-08 10:22 ` [PATCH 13/19] nvme-fabrics: reset connection for secure concatenation Hannes Reinecke
2024-05-08 10:23 ` [PATCH 14/19] nvme-tcp: reset after recovery " Hannes Reinecke
2024-05-08 10:23 ` Hannes Reinecke [this message]
2024-05-08 10:23 ` [PATCH 16/19] nvmet-auth: allow to clear DH-HMAC-CHAP keys Hannes Reinecke
2024-05-08 10:23 ` [PATCH 17/19] nvme-target: do not check authentication status for admin commands twice Hannes Reinecke
2024-05-08 10:23 ` [PATCH 18/19] nvme-target: do not check authentication status for I/O " Hannes Reinecke
2024-05-08 10:23 ` [PATCH 19/19] nvmet-tcp: support secure channel concatenation Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240508102305.108949-16-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.