From: Hannes Reinecke <hare@kernel.org>
To: Sagi Grimberg <sagi@grimberg.me>
Cc: Christoph Hellwig <hch@lst.de>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 02/16] nvme-tcp: sanitize TLS key handling
Date: Wed, 17 Jul 2024 11:10:17 +0200 [thread overview]
Message-ID: <20240717091031.143188-3-hare@kernel.org> (raw)
In-Reply-To: <20240717091031.143188-1-hare@kernel.org>
There is a difference between TLS configured (ie the user has
provisioned/requested a key) and TLS enabled (ie the connection
is encrypted with TLS). This becomes important for secure concatenation,
where the initial authentication is run unencrypted (ie with
TLS configured, but not enabled), and then the queue is reset to
run over TLS (ie TLS configured _and_ enabled).
So to differentiate between those two states store the provisioned
key in opts->tls_key (as we're using the same TLS key for all queues)
and only the key serial of the key negotiated by the TLS handshake
in queue->tls_pskid.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/host/core.c | 1 -
drivers/nvme/host/nvme.h | 2 +-
drivers/nvme/host/sysfs.c | 4 ++--
drivers/nvme/host/tcp.c | 47 ++++++++++++++++++++++++++++-----------
4 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 8d8e7a3549c6..947f1e631ee5 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4641,7 +4641,6 @@ static void nvme_free_ctrl(struct device *dev)
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
- key_put(ctrl->tls_key);
nvme_free_cels(ctrl);
nvme_mpath_uninit(ctrl);
cleanup_srcu_struct(&ctrl->srcu);
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index c63f2b452369..cdb53323f4eb 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -370,7 +370,7 @@ struct nvme_ctrl {
struct nvme_dhchap_key *ctrl_key;
u16 transaction;
#endif
- struct key *tls_key;
+ key_serial_t tls_pskid;
/* Power saving configuration */
u64 ps_max_latency_us;
diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
index 3c55f7edd181..5b1dee8a66ef 100644
--- a/drivers/nvme/host/sysfs.c
+++ b/drivers/nvme/host/sysfs.c
@@ -671,9 +671,9 @@ static ssize_t tls_key_show(struct device *dev,
{
struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
- if (!ctrl->tls_key)
+ if (!ctrl->tls_pskid)
return 0;
- return sysfs_emit(buf, "%08x", key_serial(ctrl->tls_key));
+ return sysfs_emit(buf, "%08x", ctrl->tls_pskid);
}
static DEVICE_ATTR_RO(tls_key);
#endif
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index a2a47d3ab99f..92ad5b8cc1b4 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -165,6 +165,7 @@ struct nvme_tcp_queue {
bool hdr_digest;
bool data_digest;
+ bool tls_enabled;
struct ahash_request *rcv_hash;
struct ahash_request *snd_hash;
__le32 exp_ddgst;
@@ -213,7 +214,15 @@ static inline int nvme_tcp_queue_id(struct nvme_tcp_queue *queue)
return queue - queue->ctrl->queues;
}
-static inline bool nvme_tcp_tls(struct nvme_ctrl *ctrl)
+static inline bool nvme_tcp_tls_enabled(struct nvme_tcp_queue *queue)
+{
+ if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
+ return 0;
+
+ return queue->tls_enabled;
+}
+
+static inline bool nvme_tcp_tls_configured(struct nvme_ctrl *ctrl)
{
if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
return 0;
@@ -368,7 +377,7 @@ static inline bool nvme_tcp_queue_has_pending(struct nvme_tcp_queue *queue)
static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue)
{
- return !nvme_tcp_tls(&queue->ctrl->ctrl) &&
+ return !nvme_tcp_tls_enabled(queue) &&
nvme_tcp_queue_has_pending(queue);
}
@@ -1427,7 +1436,7 @@ static int nvme_tcp_init_connection(struct nvme_tcp_queue *queue)
memset(&msg, 0, sizeof(msg));
iov.iov_base = icresp;
iov.iov_len = sizeof(*icresp);
- if (nvme_tcp_tls(&queue->ctrl->ctrl)) {
+ if (nvme_tcp_tls_enabled(queue)) {
msg.msg_control = cbuf;
msg.msg_controllen = sizeof(cbuf);
}
@@ -1439,7 +1448,7 @@ static int nvme_tcp_init_connection(struct nvme_tcp_queue *queue)
goto free_icresp;
}
ret = -ENOTCONN;
- if (nvme_tcp_tls(&queue->ctrl->ctrl)) {
+ if (nvme_tcp_tls_enabled(queue)) {
ctype = tls_get_record_type(queue->sock->sk,
(struct cmsghdr *)cbuf);
if (ctype != TLS_RECORD_TYPE_DATA) {
@@ -1587,7 +1596,10 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid)
qid, pskid);
queue->tls_err = -ENOKEY;
} else {
- ctrl->ctrl.tls_key = tls_key;
+ queue->tls_enabled = true;
+ if (qid == 0)
+ ctrl->ctrl.tls_pskid = key_serial(tls_key);
+ key_put(tls_key);
queue->tls_err = 0;
}
@@ -1768,7 +1780,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, int qid,
}
/* If PSKs are configured try to start TLS */
- if (IS_ENABLED(CONFIG_NVME_TCP_TLS) && pskid) {
+ if (nvme_tcp_tls_configured(nctrl) && pskid) {
ret = nvme_tcp_start_tls(nctrl, queue, pskid);
if (ret)
goto err_init_connect;
@@ -1829,6 +1841,8 @@ static void nvme_tcp_stop_queue(struct nvme_ctrl *nctrl, int qid)
mutex_lock(&queue->queue_lock);
if (test_and_clear_bit(NVME_TCP_Q_LIVE, &queue->flags))
__nvme_tcp_stop_queue(queue);
+ /* Stopping the queue will disable TLS */
+ queue->tls_enabled = false;
mutex_unlock(&queue->queue_lock);
}
@@ -1925,16 +1939,17 @@ static int nvme_tcp_alloc_admin_queue(struct nvme_ctrl *ctrl)
int ret;
key_serial_t pskid = 0;
- if (nvme_tcp_tls(ctrl)) {
+ if (nvme_tcp_tls_configured(ctrl)) {
if (ctrl->opts->tls_key)
pskid = key_serial(ctrl->opts->tls_key);
- else
+ else {
pskid = nvme_tls_psk_default(ctrl->opts->keyring,
ctrl->opts->host->nqn,
ctrl->opts->subsysnqn);
- if (!pskid) {
- dev_err(ctrl->device, "no valid PSK found\n");
- return -ENOKEY;
+ if (!pskid) {
+ dev_err(ctrl->device, "no valid PSK found\n");
+ return -ENOKEY;
+ }
}
}
@@ -1957,13 +1972,14 @@ static int __nvme_tcp_alloc_io_queues(struct nvme_ctrl *ctrl)
{
int i, ret;
- if (nvme_tcp_tls(ctrl) && !ctrl->tls_key) {
+ if (nvme_tcp_tls_configured(ctrl) && !ctrl->tls_pskid) {
dev_err(ctrl->device, "no PSK negotiated\n");
return -ENOKEY;
}
+
for (i = 1; i < ctrl->queue_count; i++) {
ret = nvme_tcp_alloc_queue(ctrl, i,
- key_serial(ctrl->tls_key));
+ ctrl->tls_pskid);
if (ret)
goto out_free_queues;
}
@@ -2144,6 +2160,11 @@ static void nvme_tcp_teardown_admin_queue(struct nvme_ctrl *ctrl,
if (remove)
nvme_unquiesce_admin_queue(ctrl);
nvme_tcp_destroy_admin_queue(ctrl, remove);
+ if (ctrl->tls_pskid) {
+ dev_dbg(ctrl->device, "Wipe negotiated TLS_PSK %08x\n",
+ ctrl->tls_pskid);
+ ctrl->tls_pskid = 0;
+ }
}
static void nvme_tcp_teardown_io_queues(struct nvme_ctrl *ctrl,
--
2.35.3
next prev parent reply other threads:[~2024-07-17 9:10 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-17 9:10 [PATCHv5 00/16] nvme: implement secure concatenation Hannes Reinecke
2024-07-17 9:10 ` [PATCH 01/16] nvme-keyring: restrict match length for version '1' identifiers Hannes Reinecke
2024-07-17 21:47 ` Sagi Grimberg
2024-07-17 9:10 ` Hannes Reinecke [this message]
2024-07-17 21:53 ` [PATCH 02/16] nvme-tcp: sanitize TLS key handling Sagi Grimberg
2024-07-18 7:10 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 03/16] nvme-tcp: check for invalidated or revoked key Hannes Reinecke
2024-07-17 21:55 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 04/16] nvme: add a newline to the 'tls_key' sysfs attribute Hannes Reinecke
2024-07-17 21:55 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 05/16] nvme-sysfs: add 'tls_configured_key' " Hannes Reinecke
2024-07-17 21:58 ` Sagi Grimberg
2024-07-18 7:13 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 06/16] nvme-sysfs: add 'tls_keyring' attribute Hannes Reinecke
2024-07-17 21:58 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 07/16] crypto,fs: Separate out hkdf_extract() and hkdf_expand() Hannes Reinecke
2024-07-17 21:39 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 08/16] nvme: add nvme_auth_generate_psk() Hannes Reinecke
2024-07-17 9:10 ` [PATCH 09/16] nvme: add nvme_auth_generate_digest() Hannes Reinecke
2024-07-17 9:10 ` [PATCH 10/16] nvme: add nvme_auth_derive_tls_psk() Hannes Reinecke
2024-07-17 22:01 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 11/16] nvme-keyring: add nvme_tls_psk_refresh() Hannes Reinecke
2024-07-17 22:04 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 12/16] nvme-tcp: request secure channel concatenation Hannes Reinecke
2024-07-17 22:31 ` Sagi Grimberg
2024-07-18 7:30 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 13/16] nvme-fabrics: reset admin connection for secure concatenation Hannes Reinecke
2024-07-17 22:32 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 14/16] nvmet-auth: allow to clear DH-HMAC-CHAP keys Hannes Reinecke
2024-07-17 22:32 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 15/16] nvme-target: do not check authentication status for admin commands twice Hannes Reinecke
2024-07-17 22:33 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 16/16] nvmet-tcp: support secure channel concatenation Hannes Reinecke
2024-07-17 22:36 ` Sagi Grimberg
2024-07-18 7:34 ` Hannes Reinecke
2024-07-17 21:38 ` [PATCHv5 00/16] nvme: implement secure concatenation Sagi Grimberg
2024-07-18 6:44 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240717091031.143188-3-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox