nvme-tcp: enable TLS handshake upcall

Add a fabrics option 'tls' and start the TLS handshake upcall
with the default PSK. When TLS is started the PSK key serial
number is displayed in the sysfs attribute 'tls_key'

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>

diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig
index 2f6a7f8c94e8e081e779d6f33aac49667c6eaeb7..a517030d7d507744b7253fcaaa51b635c11dbc9d 100644 (file)
--- a/drivers/nvme/host/Kconfig
+++ b/drivers/nvme/host/Kconfig
@@ -92,6 +92,21 @@ config NVME_TCP
 
          If unsure, say N.
 
+config NVME_TCP_TLS
+       bool "NVMe over Fabrics TCP TLS encryption support"
+       depends on NVME_TCP
+       select NVME_COMMON
+       select NVME_KEYRING
+       select NET_HANDSHAKE
+       select KEYS
+       help
+         Enables TLS encryption for NVMe TCP using the netlink handshake API.
+
+         The TLS handshake daemon is availble at
+         https://github.com/oracle/ktls-utils.
+
+         If unsure, say N.
+
 config NVME_AUTH
        bool "NVM Express over Fabrics In-Band Authentication"
        depends on NVME_CORE

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index a49b65d34cda0388bcc467fdef862b02f3dc3f94..55e54ffb10035d5c5db99427eaa728d944704b1b 100644 (file)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4400,7 +4400,7 @@ static void nvme_free_ctrl(struct device *dev)
 
        if (!subsys || ctrl->instance != subsys->instance)
                ida_free(&nvme_instance_ida, ctrl->instance);
-
+       key_put(ctrl->tls_key);
        nvme_free_cels(ctrl);
        nvme_mpath_uninit(ctrl);
        nvme_auth_stop(ctrl);

diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 8175d49f290901790a62774408e2004280215f2d..ddad482c353714ea073ed3e8188fa10cf431243c 100644 (file)
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -647,6 +647,9 @@ static const match_table_t opt_tokens = {
        { NVMF_OPT_DISCOVERY,           "discovery"             },
        { NVMF_OPT_DHCHAP_SECRET,       "dhchap_secret=%s"      },
        { NVMF_OPT_DHCHAP_CTRL_SECRET,  "dhchap_ctrl_secret=%s" },
+#ifdef CONFIG_NVME_TCP_TLS
+       { NVMF_OPT_TLS,                 "tls"                   },
+#endif
        { NVMF_OPT_ERR,                 NULL                    }
 };
 
@@ -671,6 +674,7 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
        opts->hdr_digest = false;
        opts->data_digest = false;
        opts->tos = -1; /* < 0 == use transport default */
+       opts->tls = false;
 
        options = o = kstrdup(buf, GFP_KERNEL);
        if (!options)
@@ -955,6 +959,14 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts,
                        kfree(opts->dhchap_ctrl_secret);
                        opts->dhchap_ctrl_secret = p;
                        break;
+               case NVMF_OPT_TLS:
+                       if (!IS_ENABLED(CONFIG_NVME_TCP_TLS)) {
+                               pr_err("TLS is not supported\n");
+                               ret = -EINVAL;
+                               goto out;
+                       }
+                       opts->tls = true;
+                       break;
                default:
                        pr_warn("unknown parameter or missing value '%s' in ctrl creation request\n",
                                p);

diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h
index 82e7a27ffbde351e72d8fff18923938196f237a1..dac17c3fee26ab6de016dc4b562f20873395a0cf 100644 (file)
--- a/drivers/nvme/host/fabrics.h
+++ b/drivers/nvme/host/fabrics.h
@@ -70,6 +70,7 @@ enum {
        NVMF_OPT_DISCOVERY      = 1 << 22,
        NVMF_OPT_DHCHAP_SECRET  = 1 << 23,
        NVMF_OPT_DHCHAP_CTRL_SECRET = 1 << 24,
+       NVMF_OPT_TLS            = 1 << 25,
 };
 
 /**
@@ -102,6 +103,7 @@ enum {
  * @dhchap_secret: DH-HMAC-CHAP secret
  * @dhchap_ctrl_secret: DH-HMAC-CHAP controller secret for bi-directional
  *              authentication
+ * @tls:        Start TLS encrypted connections (TCP)
  * @disable_sqflow: disable controller sq flow control
  * @hdr_digest: generate/verify header digest (TCP)
  * @data_digest: generate/verify data digest (TCP)
@@ -128,6 +130,7 @@ struct nvmf_ctrl_options {
        struct nvmf_host        *host;
        char                    *dhchap_secret;
        char                    *dhchap_ctrl_secret;
+       bool                    tls;
        bool                    disable_sqflow;
        bool                    hdr_digest;
        bool                    data_digest;

diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index f35647c470afad09182a722cd6ae30991562dcb5..6fe7966f720b0e4d0712bda6eb82e40016dd00ef 100644 (file)
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -357,6 +357,7 @@ struct nvme_ctrl {
        struct nvme_dhchap_key *ctrl_key;
        u16 transaction;
 #endif
+       struct key *tls_key;
 
        /* Power saving configuration */
        u64 ps_max_latency_us;

diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
index 212e1b05d2984f7a9d571612cec4e0f3d3f9f834..d0966159981c8bbfabb97c72dd9e39a74b719d6b 100644 (file)
--- a/drivers/nvme/host/sysfs.c
+++ b/drivers/nvme/host/sysfs.c
@@ -527,6 +527,19 @@ static DEVICE_ATTR(dhchap_ctrl_secret, S_IRUGO | S_IWUSR,
        nvme_ctrl_dhchap_ctrl_secret_show, nvme_ctrl_dhchap_ctrl_secret_store);
 #endif
 
+#ifdef CONFIG_NVME_TCP_TLS
+static ssize_t tls_key_show(struct device *dev,
+                           struct device_attribute *attr, char *buf)
+{
+       struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
+
+       if (!ctrl->tls_key)
+               return 0;
+       return sysfs_emit(buf, "%08x", key_serial(ctrl->tls_key));
+}
+static DEVICE_ATTR_RO(tls_key);
+#endif
+
 static struct attribute *nvme_dev_attrs[] = {
        &dev_attr_reset_controller.attr,
        &dev_attr_rescan_controller.attr,
@@ -553,6 +566,9 @@ static struct attribute *nvme_dev_attrs[] = {
 #ifdef CONFIG_NVME_AUTH
        &dev_attr_dhchap_secret.attr,
        &dev_attr_dhchap_ctrl_secret.attr,
+#endif
+#ifdef CONFIG_NVME_TCP_TLS
+       &dev_attr_tls_key.attr,
 #endif
        NULL
 };
@@ -583,6 +599,11 @@ static umode_t nvme_dev_attrs_are_visible(struct kobject *kobj,
        if (a == &dev_attr_dhchap_ctrl_secret.attr && !ctrl->opts)
                return 0;
 #endif
+#ifdef CONFIG_NVME_TCP_TLS
+       if (a == &dev_attr_tls_key.attr &&
+           (!ctrl->opts || strcmp(ctrl->opts->transport, "tcp")))
+               return 0;
+#endif
 
        return a->mode;
 }

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 5af6c7df44a6e6a62a003d9f81e07c53f291cff0..696fc2a7da52f27cf45e1ddd2ff71736996c2d09 100644 (file)
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -8,9 +8,13 @@
 #include <linux/init.h>
 #include <linux/slab.h>
 #include <linux/err.h>
+#include <linux/key.h>
 #include <linux/nvme-tcp.h>
+#include <linux/nvme-keyring.h>
 #include <net/sock.h>
 #include <net/tcp.h>
+#include <net/tls.h>
+#include <net/handshake.h>
 #include <linux/blk-mq.h>
 #include <crypto/hash.h>
 #include <net/busy_poll.h>
@@ -31,6 +35,16 @@ static int so_priority;
 module_param(so_priority, int, 0644);
 MODULE_PARM_DESC(so_priority, "nvme tcp socket optimize priority");
 
+#ifdef CONFIG_NVME_TCP_TLS
+/*
+ * TLS handshake timeout
+ */
+static int tls_handshake_timeout = 10;
+module_param(tls_handshake_timeout, int, 0644);
+MODULE_PARM_DESC(tls_handshake_timeout,
+                "nvme TLS handshake timeout in seconds (default 10)");
+#endif
+
 #ifdef CONFIG_DEBUG_LOCK_ALLOC
 /* lockdep can detect a circular dependency of the form
  *   sk_lock -> mmap_lock (page fault) -> fs locks -> sk_lock
@@ -146,7 +160,10 @@ struct nvme_tcp_queue {
        struct ahash_request    *snd_hash;
        __le32                  exp_ddgst;
        __le32                  recv_ddgst;
-
+#ifdef CONFIG_NVME_TCP_TLS
+       struct completion       tls_complete;
+       int                     tls_err;
+#endif
        struct page_frag_cache  pf_cache;
 
        void (*state_change)(struct sock *);
@@ -1509,7 +1526,92 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp_queue *queue)
        queue->io_cpu = cpumask_next_wrap(n - 1, cpu_online_mask, -1, false);
 }
 
-static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, int qid)
+#ifdef CONFIG_NVME_TCP_TLS
+static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid)
+{
+       struct nvme_tcp_queue *queue = data;
+       struct nvme_tcp_ctrl *ctrl = queue->ctrl;
+       int qid = nvme_tcp_queue_id(queue);
+       struct key *tls_key;
+
+       dev_dbg(ctrl->ctrl.device, "queue %d: TLS handshake done, key %x, status %d\n",
+               qid, pskid, status);
+
+       if (status) {
+               queue->tls_err = -status;
+               goto out_complete;
+       }
+
+       tls_key = key_lookup(pskid);
+       if (IS_ERR(tls_key)) {
+               dev_warn(ctrl->ctrl.device, "queue %d: Invalid key %x\n",
+                        qid, pskid);
+               queue->tls_err = -ENOKEY;
+       } else {
+               ctrl->ctrl.tls_key = tls_key;
+               queue->tls_err = 0;
+       }
+
+out_complete:
+       complete(&queue->tls_complete);
+}
+
+static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl,
+                             struct nvme_tcp_queue *queue,
+                             key_serial_t pskid)
+{
+       int qid = nvme_tcp_queue_id(queue);
+       int ret;
+       struct tls_handshake_args args;
+       unsigned long tmo = tls_handshake_timeout * HZ;
+       key_serial_t keyring = nvme_keyring_id();
+
+       dev_dbg(nctrl->device, "queue %d: start TLS with key %x\n",
+               qid, pskid);
+       memset(&args, 0, sizeof(args));
+       args.ta_sock = queue->sock;
+       args.ta_done = nvme_tcp_tls_done;
+       args.ta_data = queue;
+       args.ta_my_peerids[0] = pskid;
+       args.ta_num_peerids = 1;
+       args.ta_keyring = keyring;
+       args.ta_timeout_ms = tls_handshake_timeout * 1000;
+       queue->tls_err = -EOPNOTSUPP;
+       init_completion(&queue->tls_complete);
+       ret = tls_client_hello_psk(&args, GFP_KERNEL);
+       if (ret) {
+               dev_err(nctrl->device, "queue %d: failed to start TLS: %d\n",
+                       qid, ret);
+               return ret;
+       }
+       ret = wait_for_completion_interruptible_timeout(&queue->tls_complete, tmo);
+       if (ret <= 0) {
+               if (ret == 0)
+                       ret = -ETIMEDOUT;
+
+               dev_err(nctrl->device,
+                       "queue %d: TLS handshake failed, error %d\n",
+                       qid, ret);
+               tls_handshake_cancel(queue->sock->sk);
+       } else {
+               dev_dbg(nctrl->device,
+                       "queue %d: TLS handshake complete, error %d\n",
+                       qid, queue->tls_err);
+               ret = queue->tls_err;
+       }
+       return ret;
+}
+#else
+static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl,
+                             struct nvme_tcp_queue *queue,
+                             key_serial_t pskid)
+{
+       return -EPROTONOSUPPORT;
+}
+#endif
+
+static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, int qid,
+                               key_serial_t pskid)
 {
        struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl);
        struct nvme_tcp_queue *queue = &ctrl->queues[qid];
@@ -1632,6 +1734,13 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl, int qid)
                goto err_rcv_pdu;
        }
 
+       /* If PSKs are configured try to start TLS */
+       if (pskid) {
+               ret = nvme_tcp_start_tls(nctrl, queue, pskid);
+               if (ret)
+                       goto err_init_connect;
+       }
+
        ret = nvme_tcp_init_connection(queue);
        if (ret)
                goto err_init_connect;
@@ -1781,10 +1890,22 @@ out_stop_queues:
 static int nvme_tcp_alloc_admin_queue(struct nvme_ctrl *ctrl)
 {
        int ret;
+       key_serial_t pskid = 0;
+
+       if (ctrl->opts->tls) {
+               pskid = nvme_tls_psk_default(NULL,
+                                             ctrl->opts->host->nqn,
+                                             ctrl->opts->subsysnqn);
+               if (!pskid) {
+                       dev_err(ctrl->device, "no valid PSK found\n");
+                       ret = -ENOKEY;
+                       goto out_free_queue;
+               }
+       }
 
-       ret = nvme_tcp_alloc_queue(ctrl, 0);
+       ret = nvme_tcp_alloc_queue(ctrl, 0, pskid);
        if (ret)
-               return ret;
+               goto out_free_queue;
 
        ret = nvme_tcp_alloc_async_req(to_tcp_ctrl(ctrl));
        if (ret)
@@ -1801,8 +1922,13 @@ static int __nvme_tcp_alloc_io_queues(struct nvme_ctrl *ctrl)
 {
        int i, ret;
 
+       if (ctrl->opts->tls && !ctrl->tls_key) {
+               dev_err(ctrl->device, "no PSK negotiated\n");
+               return -ENOKEY;
+       }
        for (i = 1; i < ctrl->queue_count; i++) {
-               ret = nvme_tcp_alloc_queue(ctrl, i);
+               ret = nvme_tcp_alloc_queue(ctrl, i,
+                               key_serial(ctrl->tls_key));
                if (ret)
                        goto out_free_queues;
        }
@@ -2630,7 +2756,7 @@ static struct nvmf_transport_ops nvme_tcp_transport = {
                          NVMF_OPT_HOST_TRADDR | NVMF_OPT_CTRL_LOSS_TMO |
                          NVMF_OPT_HDR_DIGEST | NVMF_OPT_DATA_DIGEST |
                          NVMF_OPT_NR_WRITE_QUEUES | NVMF_OPT_NR_POLL_QUEUES |
-                         NVMF_OPT_TOS | NVMF_OPT_HOST_IFACE,
+                         NVMF_OPT_TOS | NVMF_OPT_HOST_IFACE | NVMF_OPT_TLS,
        .create_ctrl    = nvme_tcp_create_ctrl,
 };