From: Wilfred Mallawa
To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, alistair.francis@wdc.com, Wilfred Mallawa
Subject: [PATCH] nvme/tcp: handle rejected keys for secure concatenation
Date: Mon, 11 May 2026 10:54:55 +1000
Message-ID: <20260511005454.2486599-2-wilfred.opensource@gmail.com>

From: Wilfred Mallawa

The NVMe-TCP specification [1] states that if the PSK retained or generated is not available on the subsystem, the TLS 1.3 handshake shall be aborted with an unknown_psk_identity alert and the connection be closed.

Currently, when an unknown_psk_identity alert is sent from an endpoint, tlshd returns EACCES as the TLS error. On subsequent reconnection attempts, we fail with the same error because we keep attempting to connect with a stale key. This may occur if the endpoint experienced a full reset and lost its PSK.

With support in tlshd to return -EKEYREJECTED when an unknown_psk_identity alert is received, the kernel can now detect this condition and revoke the current tls_key. This allows the subsequent reconnect to perform re-authentication via DHCHAP to generate a fresh PSK.

[1] https://nvmexpress.org/wp-content/uploads/NVM-Express-TCP-Transport-Specification-Revision-1.1-2024.08.05-Ratified.pdf

Signed-off-by: Wilfred Mallawa
---
 drivers/nvme/host/tcp.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 15d36d6a728e..eff68eb7a5fe 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1767,6 +1767,17 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, dev_err(nctrl->device, "queue %d: TLS handshake complete, error %d\n", qid, queue->tls_err); + + /* + * Key maybe stale, revoke it such that on a subsequent + * reconnect, we will generate a new PSK. + */ + if (queue->tls_err == EKEYREJECTED && qid == 0 && + nctrl->opts->concat && nctrl->opts->tls_key) { + nvme_auth_revoke_tls_key(nctrl); + dev_warn(nctrl->device, + "qid 0: revoking stale key\n"); + } } else { dev_dbg(nctrl->device, "queue %d: TLS handshake complete\n", qid); -- 2.54.0
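Review bot: the new comment in the nvme_tcp_start_tls hunk reads "Key maybe stale"; it should be "Key may be stale". The warning text "qid 0: revoking stale key\n" also departs from the "queue %d:" prefix used by the neighbouring dev_err and dev_dbg messages in the same function; using the same form, for example "queue %d: revoking stale TLS key\n" with qid as the argument, keeps the handshake log lines consistent and easy to grep. It would also help to extend the comment with why the revocation is restricted to qid 0 and to the concat case with a tls_key present, since the rationale (the reconnect re-authenticates via DHCHAP and generates a fresh PSK) lives only in the commit message and is not obvious from the condition itself.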