From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f180.google.com (mail-yw1-f180.google.com [209.85.128.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90442301143 for ; Wed, 2 Jul 2025 17:13:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751476416; cv=none; b=SgViMsXeITfobnA+VSr/frFJvVIAM1WQRDz7IW0bqyOfeTAEPbo1NmAxRPndAbdiyWtUaEe6UTTXwTwWOAQCo1+ufpsUrlNs/xWanJIedGzQibo1MhQEljGedw6WjjJQ9HeSX2UJvvpducezYY9h3niQfiAO6hihPVhP1OiJ+7A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751476416; c=relaxed/simple; bh=6ONnQXR2dU76BoPoiTZ9smnDiHKsrvYzXzP8tch9Sxw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=q6wLVUoOao+krVu1t0cLfMGczSTjtphJ0T9Ppfzb1CfG4W30Gal3dmec8TGDMsP4ARwKSzwaxUfGgu13gsCPVwlM/0k92brlHabN2pILbkrB53IH4gRFsrJyne87QMpVOep3pNzIUw0h2dXd/TT0ZZHlPgjoGtfZR8+87Z8xHoI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=M3LA04vt; arc=none smtp.client-ip=209.85.128.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="M3LA04vt" Received: by mail-yw1-f180.google.com with SMTP id 00721157ae682-7086dcab64bso44506017b3.1 for ; Wed, 02 Jul 2025 10:13:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1751476413; x=1752081213; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=HzC/zLIfzRPBAOtSlLij+ZlV+IH7upN1LOCii50MvNg=; b=M3LA04vtsIbKwULbtXm9bnYXO0+J9sU/rN0YoJmZd4NIpSW/rAu5nEVzMH2UWKCU3+ o80KmMyDhPtCu5N+wmcZCCx0BDVpTUX6o53EruDJN+u2fDvZBtYuYQ1V7ENX089u9/uu 2f3JKyvypSZlDChtk/xuy0zYKCI7ChAzeoN2cYvEZOHsYtKSUK/CoqUagCBgc5UnhP+c YwqR0Qf3w9YkQUOHCsq/36NFPNIiEORKYcU2/vB1Tj7UUqp5aTaubkxGEjhy8TTEL1zE VgnnuTUFfDMlaUSQZ75o/Yy/SYpVGSpJWg2zdvF6NTG1rMwBvEXZOuzE9I2Zt+9gdFAv WAuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751476413; x=1752081213; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HzC/zLIfzRPBAOtSlLij+ZlV+IH7upN1LOCii50MvNg=; b=kDuRzB8X0QNZejjIczgL+8r62d4zdyR3pC0MHMR6gaoSyQSVquFZ0nSwZVxEGEgGEH CnPEt4hog/M1QxtEWr1GTtdqS2jQdM3A9bMA92W+0HuSbr5OHCf0IPzqxiu8tvphLSRU CSBz0ewAeLtScnvaFaG7Hv3ia40JZgWdvTHvLTjugySEp0KUnSd2/2F+a8vHD772B2Ib ntLCcLwJpIqMGsS971CDEnXjuFpuLHupIp6f6zqQ6ke8uBBZnVtuBOgn+wTUdq5MGrIG ydBRRiKjauVmYyTfEteUHZ1mVopCRuFzLR0mowINHhb5JGr7TwNMo9bJF6Y5P6BemQ+b uDBA== X-Forwarded-Encrypted: i=1; AJvYcCW2zQCg0NBSRgQKGO852feKo/6AsPQBOmZODw4Ho9B+7/kYFz/yQhvLkeVlzceuQT0TR1s8O7g=@vger.kernel.org X-Gm-Message-State: AOJu0YwQuu6pXPhl1F4gDuB5FWEN2hYLGWXmPT/7Ya7qleori5//tLUL 0KnYKz0r2x/FDEps/qmKgCK7XHij7d+OydjsmQsnjMH4wR5h89tY/I9vTwpOwQ== X-Gm-Gg: ASbGncuKhMXHcPSd+5OvGYF4+IeIiDlgOX9NlErvOjAzu7a06s3x2ihmJewGaznqeJY mxo3MuRMWbMunevumr5fw4EcLy1a44QNBZawZbsLBTMak764/3/JXUBzmor8QGQxO6MTXO74Wtp tDGcdBV7XnJr7MKZ5cZo0W447nzqvwaOd03TYFZDHc26Va7N3Gd91+Pd/wHtnaYvbIqXPvlJXLl t2SqigUXwu2YtsGzQnjSf3ImsBhlphI/BFLlrrzrxjRFDDPbZbzmTUCiBpnZKNaP9CTwY7bi3dn 0gtcXDSb2DGS1w4SYygj8RYQ0xsBJ0h/OqRilft/2Raw9dpBSYgut7Ph3gY= X-Google-Smtp-Source: AGHT+IGUOrhNsJxTbTA5J+/gOaVMlZ+OXDU4ho9SszZAcR/3SyWQ1TcZs2S5Bj0ZRBi2qtFfrOILUg== X-Received: by 2002:a05:690c:4905:b0:710:edf9:d93b with SMTP id 00721157ae682-7164d2c9984mr60172477b3.11.1751476413223; Wed, 02 Jul 2025 10:13:33 -0700 (PDT) Received: from localhost ([2a03:2880:25ff:4::]) by smtp.gmail.com with ESMTPSA id 00721157ae682-71515c1adb5sm25455247b3.53.2025.07.02.10.13.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 02 Jul 2025 10:13:32 -0700 (PDT) From: Daniel Zahka To: Donald Hunter , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , Simon Horman , Jonathan Corbet , Andrew Lunn Cc: Saeed Mahameed , Leon Romanovsky , Tariq Toukan , Boris Pismenny , Kuniyuki Iwashima , Willem de Bruijn , David Ahern , Neal Cardwell , Patrisious Haddad , Raed Salem , Jianbo Liu , Dragos Tatulea , Rahul Rameshbabu , Stanislav Fomichev , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Alexander Lobakin , Jacob Keller , netdev@vger.kernel.org Subject: [PATCH v3 05/19] psp: add op for rotation of device key Date: Wed, 2 Jul 2025 10:13:10 -0700 Message-ID: <20250702171326.3265825-6-daniel.zahka@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250702171326.3265825-1-daniel.zahka@gmail.com> References: <20250702171326.3265825-1-daniel.zahka@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Jakub Kicinski Rotating the device key is a key part of the PSP protocol design. Some external daemon needs to do it once a day, or so. Add a netlink op to perform this operation. Add a notification group for informing users that key has been rotated and they should rekey (next rotation will cut them off). Signed-off-by: Jakub Kicinski Signed-off-by: Daniel Zahka --- Notes: v1: - https://lore.kernel.org/netdev/20240510030435.120935-6-kuba@kernel.org/ Documentation/netlink/specs/psp.yaml | 21 +++++++++++++++ include/net/psp/types.h | 5 ++++ include/uapi/linux/psp.h | 3 +++ net/psp/psp-nl-gen.c | 15 +++++++++++ net/psp/psp-nl-gen.h | 2 ++ net/psp/psp_main.c | 3 ++- net/psp/psp_nl.c | 40 ++++++++++++++++++++++++++++ 7 files changed, 88 insertions(+), 1 deletion(-) diff --git a/Documentation/netlink/specs/psp.yaml b/Documentation/netlink/specs/psp.yaml index 706f4baf8764..054cc02b65ad 100644 --- a/Documentation/netlink/specs/psp.yaml +++ b/Documentation/netlink/specs/psp.yaml @@ -88,9 +88,30 @@ operations: notify: dev-get mcgrp: mgmt + - + name: key-rotate + doc: Rotate the device key. + attribute-set: dev + do: + request: + attributes: + - id + reply: + attributes: + - id + pre: psp-device-get-locked + post: psp-device-unlock + - + name: key-rotate-ntf + doc: Notification about device key getting rotated. + notify: key-rotate + mcgrp: use + mcast-groups: list: - name: mgmt + - + name: use ... diff --git a/include/net/psp/types.h b/include/net/psp/types.h index ba7e5c36975c..9191a88c349e 100644 --- a/include/net/psp/types.h +++ b/include/net/psp/types.h @@ -104,6 +104,11 @@ struct psp_dev_ops { */ int (*set_config)(struct psp_dev *psd, struct psp_dev_config *conf, struct netlink_ext_ack *extack); + + /** + * @key_rotate: rotate the device key + */ + int (*key_rotate)(struct psp_dev *psd, struct netlink_ext_ack *extack); }; #endif /* __NET_PSP_H */ diff --git a/include/uapi/linux/psp.h b/include/uapi/linux/psp.h index 4a404f085190..cbfbf3f0f364 100644 --- a/include/uapi/linux/psp.h +++ b/include/uapi/linux/psp.h @@ -32,11 +32,14 @@ enum { PSP_CMD_DEV_DEL_NTF, PSP_CMD_DEV_SET, PSP_CMD_DEV_CHANGE_NTF, + PSP_CMD_KEY_ROTATE, + PSP_CMD_KEY_ROTATE_NTF, __PSP_CMD_MAX, PSP_CMD_MAX = (__PSP_CMD_MAX - 1) }; #define PSP_MCGRP_MGMT "mgmt" +#define PSP_MCGRP_USE "use" #endif /* _UAPI_LINUX_PSP_H */ diff --git a/net/psp/psp-nl-gen.c b/net/psp/psp-nl-gen.c index 859712e7c2c1..7f49577ac72f 100644 --- a/net/psp/psp-nl-gen.c +++ b/net/psp/psp-nl-gen.c @@ -21,6 +21,11 @@ static const struct nla_policy psp_dev_set_nl_policy[PSP_A_DEV_PSP_VERSIONS_ENA [PSP_A_DEV_PSP_VERSIONS_ENA] = NLA_POLICY_MASK(NLA_U32, 0xf), }; +/* PSP_CMD_KEY_ROTATE - do */ +static const struct nla_policy psp_key_rotate_nl_policy[PSP_A_DEV_ID + 1] = { + [PSP_A_DEV_ID] = NLA_POLICY_MIN(NLA_U32, 1), +}; + /* Ops table for psp */ static const struct genl_split_ops psp_nl_ops[] = { { @@ -46,10 +51,20 @@ static const struct genl_split_ops psp_nl_ops[] = { .maxattr = PSP_A_DEV_PSP_VERSIONS_ENA, .flags = GENL_CMD_CAP_DO, }, + { + .cmd = PSP_CMD_KEY_ROTATE, + .pre_doit = psp_device_get_locked, + .doit = psp_nl_key_rotate_doit, + .post_doit = psp_device_unlock, + .policy = psp_key_rotate_nl_policy, + .maxattr = PSP_A_DEV_ID, + .flags = GENL_CMD_CAP_DO, + }, }; static const struct genl_multicast_group psp_nl_mcgrps[] = { [PSP_NLGRP_MGMT] = { "mgmt", }, + [PSP_NLGRP_USE] = { "use", }, }; struct genl_family psp_nl_family __ro_after_init = { diff --git a/net/psp/psp-nl-gen.h b/net/psp/psp-nl-gen.h index a099686cab5d..00a2d4ec59e4 100644 --- a/net/psp/psp-nl-gen.h +++ b/net/psp/psp-nl-gen.h @@ -20,9 +20,11 @@ psp_device_unlock(const struct genl_split_ops *ops, struct sk_buff *skb, int psp_nl_dev_get_doit(struct sk_buff *skb, struct genl_info *info); int psp_nl_dev_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb); int psp_nl_dev_set_doit(struct sk_buff *skb, struct genl_info *info); +int psp_nl_key_rotate_doit(struct sk_buff *skb, struct genl_info *info); enum { PSP_NLGRP_MGMT, + PSP_NLGRP_USE, }; extern struct genl_family psp_nl_family; diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c index 35f69fe3d1a2..7f1a6cda6a7a 100644 --- a/net/psp/psp_main.c +++ b/net/psp/psp_main.c @@ -54,7 +54,8 @@ psp_dev_create(struct net_device *netdev, int err; if (WARN_ON(!psd_caps->versions || - !psd_ops->set_config)) + !psd_ops->set_config || + !psd_ops->key_rotate)) return ERR_PTR(-EINVAL); psd = kzalloc(sizeof(*psd), GFP_KERNEL); diff --git a/net/psp/psp_nl.c b/net/psp/psp_nl.c index fda5ce800f82..b7006e50dc87 100644 --- a/net/psp/psp_nl.c +++ b/net/psp/psp_nl.c @@ -221,3 +221,43 @@ int psp_nl_dev_set_doit(struct sk_buff *skb, struct genl_info *info) nlmsg_free(rsp); return err; } + +int psp_nl_key_rotate_doit(struct sk_buff *skb, struct genl_info *info) +{ + struct psp_dev *psd = info->user_ptr[0]; + struct genl_info ntf_info; + struct sk_buff *ntf, *rsp; + int err; + + rsp = psp_nl_reply_new(info); + if (!rsp) + return -ENOMEM; + + genl_info_init_ntf(&ntf_info, &psp_nl_family, PSP_CMD_KEY_ROTATE); + ntf = psp_nl_reply_new(&ntf_info); + if (!ntf) { + err = -ENOMEM; + goto err_free_rsp; + } + + if (nla_put_u32(rsp, PSP_A_DEV_ID, psd->id) || + nla_put_u32(ntf, PSP_A_DEV_ID, psd->id)) { + err = -EMSGSIZE; + goto err_free_ntf; + } + + err = psd->ops->key_rotate(psd, info->extack); + if (err) + goto err_free_ntf; + + nlmsg_end(ntf, (struct nlmsghdr *)ntf->data); + genlmsg_multicast_netns(&psp_nl_family, dev_net(psd->main_netdev), ntf, + 0, PSP_NLGRP_USE, GFP_KERNEL); + return psp_nl_reply_send(rsp, info); + +err_free_ntf: + nlmsg_free(ntf); +err_free_rsp: + nlmsg_free(rsp); + return err; +} -- 2.47.1