From: Max Gurtovoy <mgurtovoy@nvidia.com>
To: Hannes Reinecke <hare@suse.de>, Sagi Grimberg <sagi@grimberg.me>
Cc: Christoph Hellwig <hch@lst.de>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org,
Chuck Lever <chuck.lever@oracle.com>,
kernel-tls-handshake@lists.linux.dev
Subject: Re: [PATCH 05/17] nvme-keyring: implement nvme_tls_psk_default()
Date: Tue, 9 May 2023 10:31:38 +0300 [thread overview]
Message-ID: <79ecbedd-9392-cc0f-dd7f-37668cd67d3d@nvidia.com> (raw)
In-Reply-To: <20230419065714.52076-6-hare@suse.de>
Hannes,
I wonder if we can squash the keyring patches 1/17 + 2/17 + 5/17 to a
single patch ?
And start the series with some preparations in the nvme/tcp for it to
compile..
This will reduce the amount of commits and simplify the review.
On 19/04/2023 9:57, Hannes Reinecke wrote:
> Implement a function to select the preferred PSK for TLS.
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> drivers/nvme/common/keyring.c | 48 +++++++++++++++++++++++++++++++++++
> include/linux/nvme-keyring.h | 8 ++++++
> 2 files changed, 56 insertions(+)
>
> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
> index 494dd365052e..f8d9a208397b 100644
> --- a/drivers/nvme/common/keyring.c
> +++ b/drivers/nvme/common/keyring.c
> @@ -5,6 +5,7 @@
>
> #include <linux/module.h>
> #include <linux/seq_file.h>
> +#include <linux/key.h>
> #include <linux/key-type.h>
> #include <keys/user-type.h>
> #include <linux/nvme.h>
> @@ -103,6 +104,53 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
> return key_ref_to_ptr(keyref);
> }
>
> +/*
> + * NVMe PSK priority list
> + *
> + * 'Retained' PSKs (ie 'generated == false')
> + * should be preferred to 'generated' PSKs,
> + * and SHA-384 should be preferred to SHA-256.
> + */
> +struct nvme_tls_psk_priority_list {
> + bool generated;
> + enum nvme_tcp_tls_cipher cipher;
> +} nvme_tls_psk_prio[] = {
> + { .generated = false,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
> + { .generated = false,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
> + { .generated = true,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
> + { .generated = true,
> + .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
> +};
> +
> +/*
> + * nvme_tls_psk_default - Return the preferred PSK to use for TLS ClientHello
> + */
> +key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn)
> +{
> + struct key *tls_key;
> + key_serial_t tls_key_id;
> + int prio;
> +
> + for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) {
> + bool generated = nvme_tls_psk_prio[prio].generated;
> + enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher;
> +
> + tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn,
> + cipher, generated);
> + if (!IS_ERR(tls_key)) {
> + tls_key_id = tls_key->serial;
> + key_put(tls_key);
> + return tls_key_id;
> + }
> + }
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nvme_tls_psk_default);
> +
> int nvme_keyring_init(void)
> {
> int err;
> diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h
> index 32bd264a71e6..4efea9dd967c 100644
> --- a/include/linux/nvme-keyring.h
> +++ b/include/linux/nvme-keyring.h
> @@ -8,12 +8,20 @@
>
> #ifdef CONFIG_NVME_KEYRING
>
> +key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn);
> +
> key_serial_t nvme_keyring_id(void);
> int nvme_keyring_init(void);
> void nvme_keyring_exit(void);
>
> #else
>
> +static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
> + const char *hostnqn, const char *subnqn)
> +{
> + return 0;
> +}
> static inline key_serial_t nvme_keyring_id(void)
> {
> return 0;
next prev parent reply other threads:[~2023-05-09 7:31 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-19 6:56 [PATCHv4 00/17] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-04-19 6:56 ` [PATCH 01/17] nvme-keyring: register '.nvme' keyring Hannes Reinecke
2023-05-02 14:17 ` Aurelien Aptel
2023-04-19 6:56 ` [PATCH 02/17] nvme-keyring: define a 'psk' keytype Hannes Reinecke
2023-05-08 8:59 ` Max Gurtovoy
2023-05-08 13:56 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 03/17] nvme: add TCP TSAS definitions Hannes Reinecke
2023-05-08 16:36 ` Max Gurtovoy
2023-05-08 21:01 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 04/17] nvme-tcp: add definitions for TLS cipher suites Hannes Reinecke
2023-04-19 6:57 ` [PATCH 05/17] nvme-keyring: implement nvme_tls_psk_default() Hannes Reinecke
2023-05-09 7:31 ` Max Gurtovoy [this message]
2023-05-09 14:13 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 06/17] net/tls: implement ->read_sock() Hannes Reinecke
2023-04-19 9:09 ` Sagi Grimberg
2023-05-09 23:30 ` Sagi Grimberg
2023-05-10 0:47 ` Jakub Kicinski
2023-05-17 6:43 ` Sagi Grimberg
2023-05-17 7:53 ` Hannes Reinecke
2023-05-17 7:54 ` Christoph Hellwig
2023-05-17 7:56 ` Hannes Reinecke
2023-05-17 9:36 ` Sagi Grimberg
2023-04-19 6:57 ` [PATCH 07/17] net/tls: handle MSG_EOR for tls_sw TX flow Hannes Reinecke
2023-05-09 9:19 ` Max Gurtovoy
2023-05-09 14:18 ` Hannes Reinecke
2023-05-09 15:13 ` Jakub Kicinski
2023-05-09 23:02 ` Max Gurtovoy
2023-05-09 23:07 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 08/17] nvme-tcp: fixup MSG_SENDPAGE_NOTLAST Hannes Reinecke
2023-04-19 9:08 ` Sagi Grimberg
2023-04-19 6:57 ` [PATCH 09/17] security/keys: export key_lookup() Hannes Reinecke
2023-04-19 6:57 ` [PATCH 10/17] nvme/tcp: allocate socket file Hannes Reinecke
2023-04-19 6:57 ` [PATCH 11/17] nvme-tcp: enable TLS handshake upcall Hannes Reinecke
2023-05-09 9:48 ` Max Gurtovoy
2023-05-09 14:22 ` Hannes Reinecke
2023-05-09 23:16 ` Max Gurtovoy
2023-05-10 7:37 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 12/17] nvme-tcp: control message handling for recvmsg() Hannes Reinecke
2023-04-19 6:57 ` [PATCH 13/17] nvme-fabrics: parse options 'keyring' and 'tls_key' Hannes Reinecke
2023-04-21 6:32 ` Daniel Wagner
2023-05-09 10:00 ` Max Gurtovoy
2023-05-09 14:24 ` Hannes Reinecke
2023-04-19 6:57 ` [PATCH 14/17] nvmet: make TCP sectype settable via configfs Hannes Reinecke
2023-04-19 6:57 ` [PATCH 15/17] nvmet-tcp: allocate socket file Hannes Reinecke
2023-04-19 6:57 ` [PATCH 16/17] nvmet-tcp: enable TLS handshake upcall Hannes Reinecke
2023-04-19 6:57 ` [PATCH 17/17] nvmet-tcp: control messages for recvmsg() Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=79ecbedd-9392-cc0f-dd7f-37668cd67d3d@nvidia.com \
--to=mgurtovoy@nvidia.com \
--cc=chuck.lever@oracle.com \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox