drivers/nvme/target/Kconfig | 1 + 1 file changed, 1 insertion(+)
Ensure that TLS support is enabled in the kernel when
NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be
used out of the box.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
drivers/nvme/target/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig
index fb7446d6d682..4c253b433bf7 100644
--- a/drivers/nvme/target/Kconfig
+++ b/drivers/nvme/target/Kconfig
@@ -98,6 +98,7 @@ config NVME_TARGET_TCP_TLS
bool "NVMe over Fabrics TCP target TLS encryption support"
depends on NVME_TARGET_TCP
select NET_HANDSHAKE
+ select TLS
help
Enables TLS encryption for the NVMe TCP target using the netlink handshake API.
--
2.49.0On 4/24/25 03:13, Alistair Francis wrote: > Ensure that TLS support is enabled in the kernel when > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > used out of the box. > > Signed-off-by: Alistair Francis<alistair.francis@wdc.com> Looks good. Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> -ck
On 4/29/25 18:28, Chaitanya Kulkarni wrote: > On 4/24/25 03:13, Alistair Francis wrote: >> Ensure that TLS support is enabled in the kernel when >> NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be >> used out of the box. >> >> Signed-off-by: Alistair Francis<alistair.francis@wdc.com> > > Looks good. > > Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> > > -ck > Alistair, I think the same fix should be applied to the host side, too; check the last patch of my patch series to convert the authentication code to use the kernel keyring [1]. Should I send out that one as a stand-alone patch to get this issue resolved? [1] https://lore.kernel.org/linux-nvme/20250425094927.102656-13-hare@kernel.org/T/#u Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On Wed, Apr 30, 2025 at 3:35 AM Hannes Reinecke <hare@suse.de> wrote: > > On 4/29/25 18:28, Chaitanya Kulkarni wrote: > > On 4/24/25 03:13, Alistair Francis wrote: > >> Ensure that TLS support is enabled in the kernel when > >> NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > >> used out of the box. > >> > >> Signed-off-by: Alistair Francis<alistair.francis@wdc.com> > > > > Looks good. > > > > Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> > > > > -ck > > > Alistair, I think the same fix should be applied to the host side, too; > check the last patch of my patch series to convert the authentication > code to use the kernel keyring [1]. Yeah, you are right. The host also needs to be fixed. > > Should I send out that one as a stand-alone patch to get this issue > resolved? I think your patch would need some changes to remove the `NVME_KEYRING` part if you split it out. So I just sent a v2 of this patch with a fixes tag and the reviews added. This patch already has some reviews so hopefully it's close to being merged :) I will send a seperate host fix as well, but I'm also happy with your stand-alone patch being applied instead. As long as the issue is fixed! Alistair > > [1] > https://lore.kernel.org/linux-nvme/20250425094927.102656-13-hare@kernel.org/T/#u > > Cheers, > > Hannes > -- > Dr. Hannes Reinecke Kernel Storage Architect > hare@suse.de +49 911 74053 688 > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On 4/24/25 12:13, Alistair Francis wrote: > Ensure that TLS support is enabled in the kernel when > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > used out of the box. > > Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > --- > drivers/nvme/target/Kconfig | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig > index fb7446d6d682..4c253b433bf7 100644 > --- a/drivers/nvme/target/Kconfig > +++ b/drivers/nvme/target/Kconfig > @@ -98,6 +98,7 @@ config NVME_TARGET_TCP_TLS > bool "NVMe over Fabrics TCP target TLS encryption support" > depends on NVME_TARGET_TCP > select NET_HANDSHAKE > + select TLS > help > Enables TLS encryption for the NVMe TCP target using the netlink handshake API. > Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On 4/29/25 7:17 AM, Hannes Reinecke wrote: > On 4/24/25 12:13, Alistair Francis wrote: >> Ensure that TLS support is enabled in the kernel when >> NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be >> used out of the box. >> >> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Fixes tag, please... -- Jens Axboe
On Thu, Apr 24, 2025 at 08:13:33PM +1000, Alistair Francis wrote: > Ensure that TLS support is enabled in the kernel when > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > used out of the box. How did the code even build before this?
On Tue, Apr 29, 2025 at 02:55:05PM +0200, Christoph Hellwig wrote: > On Thu, Apr 24, 2025 at 08:13:33PM +1000, Alistair Francis wrote: > > Ensure that TLS support is enabled in the kernel when > > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > > used out of the box. > > How did the code even build before this? The nvme tls code doesn't appear to use any symbols that depend on CONFIG_TLS, so I guess it would compile but wouldn't work at runtime. ?
On Wed, Apr 30, 2025 at 3:42 AM Keith Busch <kbusch@kernel.org> wrote: > > On Tue, Apr 29, 2025 at 02:55:05PM +0200, Christoph Hellwig wrote: > > On Thu, Apr 24, 2025 at 08:13:33PM +1000, Alistair Francis wrote: > > > Ensure that TLS support is enabled in the kernel when > > > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > > > used out of the box. > > > > How did the code even build before this? > > The nvme tls code doesn't appear to use any symbols that depend on > CONFIG_TLS, so I guess it would compile but wouldn't work at runtime. ? Yep. It happily builds but then just doesn't work, with no obvious error. Alistair
On 4/24/25 12:13, Alistair Francis wrote: > Ensure that TLS support is enabled in the kernel when > NVME_TARGET_TCP_TLS is enabled. This allows TLS secure channels to be > used out of the box. > > Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > --- > drivers/nvme/target/Kconfig | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig > index fb7446d6d682..4c253b433bf7 100644 > --- a/drivers/nvme/target/Kconfig > +++ b/drivers/nvme/target/Kconfig > @@ -98,6 +98,7 @@ config NVME_TARGET_TCP_TLS > bool "NVMe over Fabrics TCP target TLS encryption support" > depends on NVME_TARGET_TCP > select NET_HANDSHAKE > + select TLS > help > Enables TLS encryption for the NVMe TCP target using the netlink handshake API. > Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
© 2016 - 2026 Red Hat, Inc.