From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 1/2] nvmet: Implement 'admin_only' authentication
Date: Fri, 24 Jan 2025 12:47:37 +0100 [thread overview]
Message-ID: <20250124114738.115882-2-hare@kernel.org> (raw)
In-Reply-To: <20250124114738.115882-1-hare@kernel.org>
From: Hannes Reinecke <hare@kernel.org>
The spec allows for authentication to run on admin queues only, and secure
concatenation even requires it. So add a configfs attribute 'dhchap_admin_only'
to the target configuration to allow for testing independently of secure
concatenation.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/target/auth.c | 11 +++++++----
drivers/nvme/target/configfs.c | 24 ++++++++++++++++++++++++
drivers/nvme/target/fabrics-cmd-auth.c | 7 +++++++
drivers/nvme/target/fabrics-cmd.c | 4 ++--
drivers/nvme/target/nvmet.h | 2 ++
5 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index 0b0645ac5df4..70c8ad25277f 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -190,6 +190,8 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)
ctrl->shash_id = host->dhchap_hash_id;
}
+ ctrl->dh_admin_only = host->dhchap_admin_only;
+
/* Skip the 'DHHC-1:XX:' prefix */
nvme_auth_free_key(ctrl->host_key);
ctrl->host_key = nvme_auth_extract_key(host->dhchap_secret + 10,
@@ -280,10 +282,11 @@ void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)
bool nvmet_check_auth_status(struct nvmet_req *req)
{
- if (req->sq->ctrl->host_key &&
- !req->sq->authenticated)
- return false;
- return true;
+ if (!req->sq->ctrl->host_key)
+ return true;
+ if (req->sq->qid && req->sq->ctrl->dh_admin_only)
+ return true;
+ return req->sq->authenticated;
}
int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index f59598766fce..9fd98395f219 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -2219,11 +2219,34 @@ static ssize_t nvmet_host_dhchap_dhgroup_store(struct config_item *item,
CONFIGFS_ATTR(nvmet_host_, dhchap_dhgroup);
+static ssize_t nvmet_host_dhchap_admin_only_show(struct config_item *item,
+ char *page)
+{
+ struct nvmet_host *host = to_host(item);
+
+ return sprintf(page, "%d\n", host->dhchap_admin_only);
+}
+
+static ssize_t nvmet_host_dhchap_admin_only_store(struct config_item *item,
+ const char *page, size_t count)
+{
+ struct nvmet_host *host = to_host(item);
+ bool val;
+
+ if (kstrtobool(page, &val))
+ return -EINVAL;
+ host->dhchap_admin_only = val;
+ return count;
+}
+
+CONFIGFS_ATTR(nvmet_host_, dhchap_admin_only);
+
static struct configfs_attribute *nvmet_host_attrs[] = {
&nvmet_host_attr_dhchap_key,
&nvmet_host_attr_dhchap_ctrl_key,
&nvmet_host_attr_dhchap_hash,
&nvmet_host_attr_dhchap_dhgroup,
+ &nvmet_host_attr_dhchap_admin_only,
NULL,
};
#endif /* CONFIG_NVME_TARGET_AUTH */
@@ -2263,6 +2286,7 @@ static struct config_group *nvmet_hosts_make_group(struct config_group *group,
#ifdef CONFIG_NVME_TARGET_AUTH
/* Default to SHA256 */
host->dhchap_hash_id = NVME_AUTH_HASH_SHA256;
+ host->dhchap_admin_only = false;
#endif
config_group_init_type_name(&host->group, name, &nvmet_host_type);
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index a7135b90f915..96d56ab2465f 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -62,6 +62,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
}
ctrl->concat = true;
+ ctrl->dh_admin_only = true;
}
if (data->napd != 1)
@@ -253,6 +254,12 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
offsetof(struct nvmf_auth_send_command, tl);
goto done;
}
+ if (req->sq->qid && ctrl->dh_admin_only) {
+ pr_debug("%s: ctrl %d qid %d reject authentication on I/O queues\n",
+ __func__, ctrl->cntlid, req->sq->qid);
+ status = NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR;
+ goto done;
+ }
if (!nvmet_check_transfer_len(req, tl)) {
pr_debug("%s: transfer length mismatch (%u)\n", __func__, tl);
return;
diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
index 9c01a4b6e543..068494616a3e 100644
--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c
@@ -239,8 +239,8 @@ static u32 nvmet_connect_result(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)
bool needs_auth = nvmet_has_auth(ctrl, sq);
key_serial_t keyid = nvmet_queue_tls_keyid(sq);
- /* Do not authenticate I/O queues for secure concatenation */
- if (ctrl->concat && sq->qid)
+ /* Disable authentication on I/O queues if requested */
+ if (ctrl->dh_admin_only && sq->qid)
needs_auth = false;
if (keyid)
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 4dc7ba5d02a7..49e964b321c0 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -301,6 +301,7 @@ struct nvmet_ctrl {
u8 dh_gid;
u8 *dh_key;
size_t dh_keysize;
+ bool dh_admin_only;
#endif
#ifdef CONFIG_NVME_TARGET_TCP_TLS
struct key *tls_key;
@@ -379,6 +380,7 @@ struct nvmet_host {
u8 dhchap_ctrl_key_hash;
u8 dhchap_hash_id;
u8 dhchap_dhgroup_id;
+ bool dhchap_admin_only;
};
static inline struct nvmet_host *to_host(struct config_item *item)
--
2.35.3
next prev parent reply other threads:[~2025-01-24 11:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-24 11:47 [PATCHv2 0/2] nvme: restrict authentication to the admin queue hare
2025-01-24 11:47 ` hare [this message]
2025-01-24 13:49 ` [PATCH 1/2] nvmet: Implement 'admin_only' authentication Sagi Grimberg
2025-01-24 13:51 ` Hannes Reinecke
2025-01-28 8:11 ` Sagi Grimberg
2025-01-28 8:48 ` Hannes Reinecke
2025-01-24 11:47 ` [PATCH 2/2] nvme: Do not re-authenticate queues with no prior authentication hare
2025-01-28 8:06 ` Sagi Grimberg
[not found] ` <BY5PR04MB6849C5BBCCD96273CF2F2A52BCC42@BY5PR04MB6849.namprd04.prod.outlook.com>
[not found] ` <BY5PR04MB6849700BB53BBE24BBE640D4BCD32@BY5PR04MB6849.namprd04.prod.outlook.com>
2025-03-14 7:59 ` [PATCHv2 0/2] nvme: restrict authentication to the admin queue Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250124114738.115882-2-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.