From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 2/2] nvmet: Implement 'admin_only' authentication
Date: Wed, 17 Jul 2024 13:03:38 +0200 [thread overview]
Message-ID: <20240717110338.27332-3-hare@kernel.org> (raw)
In-Reply-To: <20240717110338.27332-1-hare@kernel.org>
It might be sufficient to run authentication on the admin queue only,
as this speeds up reconnection quite significantly. So add a configfs
attribute 'dhchap_admin_only' for the 'host' configfs entry to enable
this mode.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/target/auth.c | 11 +++++++----
drivers/nvme/target/configfs.c | 24 ++++++++++++++++++++++++
drivers/nvme/target/fabrics-cmd-auth.c | 7 +++++++
drivers/nvme/target/fabrics-cmd.c | 7 +++++--
drivers/nvme/target/nvmet.h | 2 ++
5 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index 560321df5bf6..d5aae8d8cc92 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -189,6 +189,8 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
ctrl->shash_id = host->dhchap_hash_id;
}
+ ctrl->dh_admin_only = host->dhchap_admin_only;
+
/* Skip the 'DHHC-1:XX:' prefix */
nvme_auth_free_key(ctrl->host_key);
ctrl->host_key = nvme_auth_extract_key(host->dhchap_secret + 10,
@@ -279,10 +281,11 @@ void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)
bool nvmet_check_auth_status(struct nvmet_req *req)
{
- if (req->sq->ctrl->host_key &&
- !req->sq->authenticated)
- return false;
- return true;
+ if (!req->sq->ctrl->host_key)
+ return true;
+ if (req->sq->qid && req->sq->ctrl->dh_admin_only)
+ return true;
+ return req->sq->authenticated;
}
int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index bd87dfd173a4..807b0904ea88 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -2134,11 +2134,34 @@ static ssize_t nvmet_host_dhchap_dhgroup_store(struct config_item *item,
CONFIGFS_ATTR(nvmet_host_, dhchap_dhgroup);
+static ssize_t nvmet_host_dhchap_admin_only_show(struct config_item *item,
+ char *page)
+{
+ struct nvmet_host *host = to_host(item);
+
+ return sprintf(page, "%d\n", host->dhchap_admin_only);
+}
+
+static ssize_t nvmet_host_dhchap_admin_only_store(struct config_item *item,
+ const char *page, size_t count)
+{
+ struct nvmet_host *host = to_host(item);
+ bool val;
+
+ if (kstrtobool(page, &val))
+ return -EINVAL;
+ host->dhchap_admin_only = val;
+ return count;
+}
+
+CONFIGFS_ATTR(nvmet_host_, dhchap_admin_only);
+
static struct configfs_attribute *nvmet_host_attrs[] = {
&nvmet_host_attr_dhchap_key,
&nvmet_host_attr_dhchap_ctrl_key,
&nvmet_host_attr_dhchap_hash,
&nvmet_host_attr_dhchap_dhgroup,
+ &nvmet_host_attr_dhchap_admin_only,
NULL,
};
#endif /* CONFIG_NVME_TARGET_AUTH */
@@ -2178,6 +2201,7 @@ static struct config_group *nvmet_hosts_make_group(struct config_group *group,
#ifdef CONFIG_NVME_TARGET_AUTH
/* Default to SHA256 */
host->dhchap_hash_id = NVME_AUTH_HASH_SHA256;
+ host->dhchap_admin_only = false;
#endif
config_group_init_type_name(&host->group, name, &nvmet_host_type);
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 4c392488c451..4af10a78ce69 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -62,6 +62,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
}
ctrl->concat = true;
+ ctrl->dh_admin_only = true;
}
if (data->napd != 1)
@@ -248,6 +249,12 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
offsetof(struct nvmf_auth_send_command, tl);
goto done;
}
+ if (req->sq->qid && ctrl->dh_admin_only) {
+ pr_debug("%s: ctrl %d qid %d reject authentication on I/O queues\n",
+ __func__, ctrl->cntlid, req->sq->qid);
+ status = NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR;
+ goto done;
+ }
if (!nvmet_check_transfer_len(req, tl)) {
pr_debug("%s: transfer length mismatch (%u)\n", __func__, tl);
return;
diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
index 1aabf55ef0a8..212fe271c8a4 100644
--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c
@@ -203,8 +203,11 @@ static u32 nvmet_connect_result(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
{
bool needs_auth = nvmet_has_auth(ctrl, req);
- /* Do not authenticate I/O queues for secure concatenation */
- if (ctrl->concat && req->sq->qid)
+ /*
+ * Do not request authentication for I/O queues for secure concatenation
+ * or when only the admin queue should be authenticated.
+ */
+ if (req->sq->qid && (ctrl->concat || ctrl->dh_admin_only))
needs_auth = false;
pr_debug("%s: ctrl %d qid %d should %sauthenticate, tls psk %08x\n",
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 9486b43ab822..129b1cb8a4d1 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -249,6 +249,7 @@ struct nvmet_ctrl {
u8 dh_gid;
u8 *dh_key;
size_t dh_keysize;
+ bool dh_admin_only;
#endif
#ifdef CONFIG_NVME_TARGET_TCP_TLS
struct key *tls_key;
@@ -325,6 +326,7 @@ struct nvmet_host {
u8 dhchap_ctrl_key_hash;
u8 dhchap_hash_id;
u8 dhchap_dhgroup_id;
+ bool dhchap_admin_only;
};
static inline struct nvmet_host *to_host(struct config_item *item)
--
2.35.3
next prev parent reply other threads:[~2024-07-17 11:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-17 11:03 [PATCH 0/2] nvme: restrict authentication to the admin queue Hannes Reinecke
2024-07-17 11:03 ` [PATCH 1/2] nvme: Do not re-authenticate queues with no prior authentication Hannes Reinecke
2024-07-17 11:03 ` Hannes Reinecke [this message]
2024-07-17 22:40 ` [PATCH 2/2] nvmet: Implement 'admin_only' authentication Sagi Grimberg
2024-07-18 7:38 ` Hannes Reinecke
2024-07-21 11:32 ` Sagi Grimberg
2024-08-20 14:06 ` [PATCH 0/2] nvme: restrict authentication to the admin queue Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240717110338.27332-3-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).