[PATCH 12/17] nvme-fabrics: reset connection for secure concatenation

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>,
	Hannes Reinecke <hare@suse.de>
Subject: [PATCH 12/17] nvme-fabrics: reset connection for secure concatenation
Date: Mon, 18 Mar 2024 16:03:11 +0100	[thread overview]
Message-ID: <20240318150316.138501-13-hare@kernel.org> (raw)
In-Reply-To: <20240318150316.138501-1-hare@kernel.org>

When secure concatenation is requested the connection needs to be
reset to enable TLS encryption on the new cnnection.
That implies that the original connection used for the DH-CHAP
negotiation really shouldn't be used, and we should reset as soon
as the DH-CHAP negotiation has succeeded on the admin queue.
The current implementation does not allow to easily skip
connection attempts on the I/O queues, so we connect I/O
queues, but disable namespace scanning on these queues.
With that no I/O can be issued on these queues, so we
can tear them down quickly without having to wait for
quiescing etc.
Once that is done we can reset the controller directly
after the ->create_ctrl() callback.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/nvme/host/core.c    | 8 +++++++-
 drivers/nvme/host/fabrics.c | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 9b601655f423..57b664d12863 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4513,6 +4513,8 @@ EXPORT_SYMBOL_GPL(nvme_stop_ctrl);
 
 void nvme_start_ctrl(struct nvme_ctrl *ctrl)
 {
+	bool start_scan = ctrl->queue_count > 1;
+
 	nvme_enable_aen(ctrl);
 
 	/*
@@ -4525,7 +4527,11 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl)
 	    nvme_discovery_ctrl(ctrl))
 		nvme_change_uevent(ctrl, "NVME_EVENT=rediscover");
 
-	if (ctrl->queue_count > 1) {
+	/* Suppress namespace scanning during setting up secure concatenation */
+	if (ctrl->opts->concat && !ctrl->tls_key)
+		start_scan = false;
+
+	if (start_scan) {
 		nvme_queue_scan(ctrl);
 		nvme_unquiesce_io_queues(ctrl);
 		nvme_mpath_update(ctrl);
diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index ae091e0e4ecf..06418e01ab69 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -1331,6 +1331,12 @@ nvmf_create_ctrl(struct device *dev, const char *buf)
 		goto out_module_put;
 	}
 
+	/* Reset controller to start TLS */
+	if (opts->concat) {
+		pr_debug("resetting for secure concatenation\n");
+		nvme_reset_ctrl(ctrl);
+	}
+
 	module_put(ops->module);
 	return ctrl;
 
-- 
2.35.3

next prev parent reply	other threads:[~2024-03-18 15:04 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-18 15:02 [PATCHv3 00/17] nvme: implement secure concatenation Hannes Reinecke
2024-03-18 15:03 ` [PATCH 01/17] nvme-keyring: restrict match length for version '1' identifiers Hannes Reinecke
2024-03-18 15:03 ` [PATCH 02/17] nvme-tcp: check for invalidated or revoked key Hannes Reinecke
2024-04-07 20:51   ` Sagi Grimberg
2024-04-08  5:18     ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 03/17] crypto,fs: Separate out hkdf_extract() and hkdf_expand() Hannes Reinecke
2024-03-18 15:03 ` [PATCH 04/17] nvme: add nvme_auth_generate_psk() Hannes Reinecke
2024-04-07 20:59   ` Sagi Grimberg
2024-04-08  5:20     ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 05/17] nvme: add nvme_auth_generate_digest() Hannes Reinecke
2024-04-07 21:02   ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 06/17] nvme: add nvme_auth_derive_tls_psk() Hannes Reinecke
2024-04-07 21:04   ` Sagi Grimberg
2024-04-18 11:00     ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 07/17] nvme-keyring: add nvme_tls_psk_refresh() Hannes Reinecke
2024-03-18 15:03 ` [PATCH 08/17] nvme-tcp: sanitize TLS key handling Hannes Reinecke
2024-04-07 21:15   ` Sagi Grimberg
2024-04-08  6:48     ` Hannes Reinecke
2024-04-08 21:07       ` Sagi Grimberg
2024-04-08 21:32         ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 09/17] nvme-tcp: do not quiesce admin queue in nvme_tcp_teardown_io_queues() Hannes Reinecke
2024-04-07 21:24   ` Sagi Grimberg
2024-04-18 11:33     ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 10/17] nvme: add a newline to the 'tls_key' sysfs attribute Hannes Reinecke
2024-04-07 21:24   ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 11/17] nvme-tcp: request secure channel concatenation Hannes Reinecke
2024-04-07 21:41   ` Sagi Grimberg
2024-04-08  5:32     ` Hannes Reinecke
2024-04-08 21:09       ` Sagi Grimberg
2024-04-08 21:48         ` Hannes Reinecke
2024-04-21 11:14           ` Sagi Grimberg
2024-03-18 15:03 ` Hannes Reinecke [this message]
2024-04-07 21:46   ` [PATCH 12/17] nvme-fabrics: reset connection for secure concatenation Sagi Grimberg
2024-04-08  6:21     ` Hannes Reinecke
2024-04-08 21:21       ` Sagi Grimberg
2024-04-08 22:08         ` Hannes Reinecke
2024-04-21 11:20           ` Sagi Grimberg
2024-05-08  9:21             ` Hannes Reinecke
2024-03-18 15:03 ` [PATCH 13/17] nvme-tcp: reset after recovery " Hannes Reinecke
2024-04-07 21:49   ` Sagi Grimberg
2024-04-08  6:25     ` Hannes Reinecke
2024-04-08 21:23       ` Sagi Grimberg
2024-04-08 22:10         ` Hannes Reinecke
2024-04-21 11:22           ` Sagi Grimberg
2024-04-21 14:37             ` Hannes Reinecke
2024-04-21 15:09               ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 14/17] nvmet-auth: allow to clear DH-HMAC-CHAP keys Hannes Reinecke
2024-04-07 21:50   ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 15/17] nvme-target: do not check authentication status for admin commands twice Hannes Reinecke
2024-04-07 21:53   ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 16/17] nvme-target: do not check authentication status for I/O " Hannes Reinecke
2024-04-07 21:53   ` Sagi Grimberg
2024-03-18 15:03 ` [PATCH 17/17] nvmet-tcp: support secure channel concatenation Hannes Reinecke

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9b601655f42 dfblob:57b664d1286 dfblob:ae091e0e4ec
dfblob:06418e01ab6 )
 OR (
bs:"[PATCH 12/17] nvme-fabrics: reset connection for secure concatenation" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240318150316.138501-13-hare@kernel.org \
    --to=hare@kernel.org \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=kbusch@kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox