public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] nvme: expose TLS mode
@ 2026-04-01  8:52 Daniel Wagner
  2026-04-01  9:04 ` Daniel Wagner
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Daniel Wagner @ 2026-04-01  8:52 UTC (permalink / raw)
  To: Keith Busch, Christoph Hellwig, Sagi Grimberg
  Cc: Hannes Reinecke, linux-nvme, linux-kernel, Daniel Wagner

It is not possible to determine the active TLS mode from the
presence or absence of sysfs attributes like tls_key,
tls_configured_key, or dhchap_secret.

With the introduction of the concat mode and optional DH-CHAP
authentication, different configurations can result in identical
sysfs state. This makes user space detection unreliable.

Expose the TLS mode explicitly to allow user space to
unambiguously identify the active configuration and avoid
fragile heuristics in nvme-cli.

Signed-off-by: Daniel Wagner <wagi@kernel.org>
---
I am extending the test suite for nvme-cli to cover the use case of
nvme connect --tls/--concat.

Currently, nvme-cli uses heuristics to determine whether --tls was used
to initiate the connection. With the introduction of --concat, these
heuristics are no longer reliable.

By exposing the TLS mode explicitly, nvme config can now generate a
configuration based on the currently active connection.

$ nvme config --scan --dump --output-format json /dev/nvme1
[
  {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
    "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
    "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
    "subsystems":[
      {
        "nqn":"nqn.io-1",
        "ports":[
          {
            "transport":"tcp",
            "traddr":"192.168.30.30",
            "trsvcid":"4420",
            "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0pb:",
            "dhchap_ctrl_key":"DHHC-1:01:uTcIEwLZsEoVJucx7sKVvzfwOTAfJ9ZGcvYWswHwF41mMSW1:",
            "tls":true,
            "keyring":".nvme"
          }
        ]
      }
    ]
  }
]
---
 drivers/nvme/host/sysfs.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
index 16c6fea4b2db..c4b5241371d6 100644
--- a/drivers/nvme/host/sysfs.c
+++ b/drivers/nvme/host/sysfs.c
@@ -810,6 +810,23 @@ const struct attribute_group nvme_dev_attrs_group = {
 EXPORT_SYMBOL_GPL(nvme_dev_attrs_group);
 
 #ifdef CONFIG_NVME_TCP_TLS
+static ssize_t tls_mode_show(struct device *dev,
+			     struct device_attribute *attr, char *buf)
+{
+	struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
+	const char *mode;
+
+	if (ctrl->opts->tls)
+		mode = "tls";
+	else if (ctrl->opts->concat)
+		mode = "concat";
+	else
+		mode = "none";
+
+	return sysfs_emit(buf, "%s\n", mode);
+}
+static DEVICE_ATTR_RO(tls_mode);
+
 static ssize_t tls_key_show(struct device *dev,
 			    struct device_attribute *attr, char *buf)
 {
@@ -845,6 +862,7 @@ static struct attribute *nvme_tls_attrs[] = {
 	&dev_attr_tls_key.attr,
 	&dev_attr_tls_configured_key.attr,
 	&dev_attr_tls_keyring.attr,
+	&dev_attr_tls_mode.attr,
 	NULL,
 };
 

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260401-expose-tls-mode-10fdb5d459d4

Best regards,
--  
Daniel Wagner <wagi@kernel.org>


^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-07 10:47 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-01  8:52 [PATCH] nvme: expose TLS mode Daniel Wagner
2026-04-01  9:04 ` Daniel Wagner
2026-04-01 14:09 ` Christoph Hellwig
2026-04-02  6:42   ` Daniel Wagner
2026-04-07  5:54     ` Christoph Hellwig
2026-04-07 10:47 ` Hannes Reinecke

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox