From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Jakub Kicinski <kuba@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 05/18] nvme-keyring: implement nvme_tls_psk_default()
Date: Wed, 16 Aug 2023 14:05:55 +0200 [thread overview]
Message-ID: <20230816120608.37135-6-hare@suse.de> (raw)
In-Reply-To: <20230816120608.37135-1-hare@suse.de>
Implement a function to select the preferred PSK for TLS.
A 'retained' PSK should be preferred over a 'generated' PSK,
and SHA-384 should be preferred to SHA-256.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
---
drivers/nvme/common/keyring.c | 48 +++++++++++++++++++++++++++++++++++
include/linux/nvme-keyring.h | 8 ++++++
2 files changed, 56 insertions(+)
diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
index 494dd365052e..f8d9a208397b 100644
--- a/drivers/nvme/common/keyring.c
+++ b/drivers/nvme/common/keyring.c
@@ -5,6 +5,7 @@
#include <linux/module.h>
#include <linux/seq_file.h>
+#include <linux/key.h>
#include <linux/key-type.h>
#include <keys/user-type.h>
#include <linux/nvme.h>
@@ -103,6 +104,53 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
return key_ref_to_ptr(keyref);
}
+/*
+ * NVMe PSK priority list
+ *
+ * 'Retained' PSKs (ie 'generated == false')
+ * should be preferred to 'generated' PSKs,
+ * and SHA-384 should be preferred to SHA-256.
+ */
+struct nvme_tls_psk_priority_list {
+ bool generated;
+ enum nvme_tcp_tls_cipher cipher;
+} nvme_tls_psk_prio[] = {
+ { .generated = false,
+ .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
+ { .generated = false,
+ .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
+ { .generated = true,
+ .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
+ { .generated = true,
+ .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
+};
+
+/*
+ * nvme_tls_psk_default - Return the preferred PSK to use for TLS ClientHello
+ */
+key_serial_t nvme_tls_psk_default(struct key *keyring,
+ const char *hostnqn, const char *subnqn)
+{
+ struct key *tls_key;
+ key_serial_t tls_key_id;
+ int prio;
+
+ for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) {
+ bool generated = nvme_tls_psk_prio[prio].generated;
+ enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher;
+
+ tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn,
+ cipher, generated);
+ if (!IS_ERR(tls_key)) {
+ tls_key_id = tls_key->serial;
+ key_put(tls_key);
+ return tls_key_id;
+ }
+ }
+ return 0;
+}
+EXPORT_SYMBOL_GPL(nvme_tls_psk_default);
+
int nvme_keyring_init(void)
{
int err;
diff --git a/include/linux/nvme-keyring.h b/include/linux/nvme-keyring.h
index 32bd264a71e6..4efea9dd967c 100644
--- a/include/linux/nvme-keyring.h
+++ b/include/linux/nvme-keyring.h
@@ -8,12 +8,20 @@
#ifdef CONFIG_NVME_KEYRING
+key_serial_t nvme_tls_psk_default(struct key *keyring,
+ const char *hostnqn, const char *subnqn);
+
key_serial_t nvme_keyring_id(void);
int nvme_keyring_init(void);
void nvme_keyring_exit(void);
#else
+static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
+ const char *hostnqn, const char *subnqn)
+{
+ return 0;
+}
static inline key_serial_t nvme_keyring_id(void)
{
return 0;
--
2.35.3
next prev parent reply other threads:[~2023-08-16 12:06 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-16 12:05 [PATCHv10 00/18] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-08-16 12:05 ` [PATCH 01/18] nvme-keyring: register '.nvme' keyring Hannes Reinecke
2023-08-16 12:05 ` [PATCH 02/18] nvme-keyring: define a 'psk' keytype Hannes Reinecke
2023-08-16 12:05 ` [PATCH 03/18] nvme: add TCP TSAS definitions Hannes Reinecke
2023-08-16 12:05 ` [PATCH 04/18] nvme-tcp: add definitions for TLS cipher suites Hannes Reinecke
2023-08-16 12:05 ` Hannes Reinecke [this message]
2023-08-16 12:05 ` [PATCH 06/18] security/keys: export key_lookup() Hannes Reinecke
2023-08-16 12:05 ` [PATCH 07/18] nvme-tcp: allocate socket file Hannes Reinecke
2023-08-16 12:05 ` [PATCH 08/18] nvme-tcp: enable TLS handshake upcall Hannes Reinecke
2023-08-16 12:05 ` [PATCH 09/18] nvme-tcp: control message handling for recvmsg() Hannes Reinecke
2023-08-16 12:06 ` [PATCH 10/18] nvme-tcp: improve icreq/icresp logging Hannes Reinecke
2023-08-17 10:44 ` Sagi Grimberg
[not found] ` <CGME20230818115353epcas5p1339bf7f9993a4f8a8d49a263e5bb8bbe@epcas5p1.samsung.com>
2023-08-18 11:50 ` Nitesh Shetty
2023-08-16 12:06 ` [PATCH 11/18] nvme-fabrics: parse options 'keyring' and 'tls_key' Hannes Reinecke
2023-08-17 9:20 ` Sagi Grimberg
2023-08-17 9:46 ` Hannes Reinecke
2023-08-17 10:41 ` Sagi Grimberg
2023-08-16 12:06 ` [PATCH 12/18] nvmet: make TCP sectype settable via configfs Hannes Reinecke
2023-08-16 12:06 ` [PATCH 13/18] nvmet-tcp: make nvmet_tcp_alloc_queue() a void function Hannes Reinecke
[not found] ` <CGME20230818100233epcas5p2b5f459a525d26b110ba92410f366c563@epcas5p2.samsung.com>
2023-08-18 9:59 ` Nitesh Shetty
2023-08-16 12:06 ` [PATCH 14/18] nvmet-tcp: allocate socket file Hannes Reinecke
2023-08-16 12:06 ` [PATCH 15/18] nvmet: Set 'TREQ' to 'required' when TLS is enabled Hannes Reinecke
2023-08-16 12:06 ` [PATCH 16/18] nvmet-tcp: enable TLS handshake upcall Hannes Reinecke
2023-08-20 14:55 ` Sagi Grimberg
2023-08-22 6:16 ` Hannes Reinecke
2023-08-16 12:06 ` [PATCH 17/18] nvmet-tcp: control messages for recvmsg() Hannes Reinecke
2023-08-16 12:06 ` [PATCH 18/18] nvmet-tcp: peek icreq before starting TLS Hannes Reinecke
-- strict thread matches above, loose matches on Subject: below --
2023-08-24 14:39 [PATCHv11 00/18] nvme: In-kernel TLS support for TCP Hannes Reinecke
2023-08-24 14:39 ` [PATCH 05/18] nvme-keyring: implement nvme_tls_psk_default() Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230816120608.37135-6-hare@suse.de \
--to=hare@suse.de \
--cc=edumazet@google.com \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).