All of lore.kernel.org
 help / color / mirror / Atom feed
From: Chris Leech <cleech@redhat.com>
To: linux-nvme@lists.infradead.org
Cc: Hannes Reinecke <hare@suse.de>, Daniel Wagner <dwagner@suse.de>,
	Maurizio Lombardi <mlombard@redhat.com>
Subject: [RFC nvme-keyring nvme-cli] Should NVMe/TLS PSKs support the request_key API?
Date: Wed, 22 Apr 2026 16:10:21 -0700	[thread overview]
Message-ID: <20260422231043.2689681-1-cleech@redhat.com> (raw)

Would it be of interest to support the request_key API with NVMe/TLS
PSKs? I think it would be an improvement, allowing PSKs to be loaded
into the keyring as needed.

Issues (if it was simple I'd just send a patch):

 - a key cannot have it's description changed
 - request_key() creates an uninstantiated key with the description set
 - tlshd (ktls-utils) uses the description as the PSK Identity
 - NVMe specifies this Identity in a way that the kernel cannot know it
   when a request_key() would be needed (it includes an encoding of the
   key length and a digest of the source key it was derived from)

As nvme_keyring can't just request the key it needs, I went through a
few ideas:

 - request a new keyring full of PSK keys
   (requesting a keyring is explicitly blocked)
 - have the user-space handler create a temporary keyring, put one or
   more PSKs in it, and return the keyring serial in a "psk request key"
   (worked, but seems unlikely to be accepted as intended use)
 - have a request key format that expects to receive a key containing
   one or more PSKs + identity metadata, unpack those in the kernel into
   actual psk keys than can be used

I'm going to follow this with a _rough_ prototype of the last option in
that list. The user-space side is a shell script, I'd replace that with
an new nvme-cli command (but the request_key configuration does
provide a convenient place to allow for other key storage solutions to
hook in).

Motivation: The current solution for loading NVMe/TLS PSKs into the
kernel keyring (70-nvmf-keys.rules in the nvme-cli repo) falls short in
a few areas by triggering from a kmod load uevent:

 - doesn't work for the target modules
   (that one's easy, /nvme_tcp/nvme_keyring/)
 - doesn't work if the modules are built into the kernel
 - doesn't work if the modules are loaded from initramfs, with more PSKs
   and connections are configured outside of the nBFT
 - only runs once, must load all keys and cannot help with new keys
   (ok, nvme-cli doesn't have a command to save to a keyfile without
    importing to the keyring first anyway)

 Biggest problem I see, requiring explicit loading of nvme_tcp before it
 can be used with TLS:

 - The async uevent handling loses the race against the kernel when the
   transport kmod is requested on demand.

  ┌────────┐     ┌──────────┐     ┌──────────┐     ┌──────┐
  │ kernel │     │ nvme-cli │     │ modprobe │     │ udev │
  └────┬───┘     └─────┬────┘     └─────┬────┘     └───┬──┘
       │               │                │              │
       │ connect       │                │              │
       │◄──────────────┤                │              │
       │               │                │              │
       │ request kmod  │                │              │
       ├───────────────────────────────►│              │
       │               │                │              │
       │ load kmod     │                │              │
       │◄───────────────────────────────┤              │
       │               │                │              │
       │ uevent kmod   │                │              │
       ├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌►│
       │               │                │              │
       │ check keyring for PSK ❌       │              │
       ├──┐            │                │              │
       │  │            │                │              │
       │◄─┘            │                │              │
       │               │                │              │
       │ connect failed ❌              │              │
       ├──────────────►│                │              │
       │               │                │              │
       │               │ nvme tls --import --keyfile   │
       │               │◄──────────────────────────────┤
       │               │                │              │
       │ populate .nvme keyring         │              │
       │◄──────────────┤                │              │
       │               │                │              │

- Chris



             reply	other threads:[~2026-04-22 23:11 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-22 23:10 Chris Leech [this message]
2026-04-22 23:10 ` [RFC PATCH] nvme-keyring: add request_key upcalls for dynamic key loading Chris Leech
2026-04-22 23:10 ` [RFC] example request-key helper script Chris Leech
2026-04-23 12:05 ` [RFC nvme-keyring nvme-cli] Should NVMe/TLS PSKs support the request_key API? Hannes Reinecke
2026-04-23 17:15   ` Daniel Wagner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260422231043.2689681-1-cleech@redhat.com \
    --to=cleech@redhat.com \
    --cc=dwagner@suse.de \
    --cc=hare@suse.de \
    --cc=linux-nvme@lists.infradead.org \
    --cc=mlombard@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.