From nobody Sat Oct 4 14:13:13 2025 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0CF081EBFE0 for ; Fri, 3 Oct 2025 04:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759465934; cv=none; b=sy9wOPaSo/wMKxl8KhaivS5JeXSaHwLhkzY3OMByJQdgvd4HmgQEUkgBRkH9LWBJ7oNcgE1uOmxaPWAOGEUxTOmV+n2Ij43CnQKgZAIHcolBCNkDvNGcvLl+D+g4TbElX996pk2LuDUYK0Fi/jbeEvIkWuitqjGpHm49B6Lon2E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759465934; c=relaxed/simple; bh=JAlYfyPNqHylTqfeyHuOgAsuZYGxJ4FRoTTsZarTucI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rbqsVBhKuwRzEIbLe/IbEdY34gPuIHepQbT0dAGGFq8xFl1Nq8rx4jBESpus+RQXMWvPjFIGPn5CwA1avFtvenDWcW9N+AcuQgEhaAKRISNc5UV0SsFdbZT6lRjChAdyE6l0u+uZH85uc/4DfscRjAQB6OS/vBkQmKg/JkqCwKs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LLg2Xc5z; arc=none smtp.client-ip=209.85.216.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LLg2Xc5z" Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-329a41dc2ebso1896223a91.3 for ; Thu, 02 Oct 2025 21:32:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1759465932; x=1760070732; darn=vger.kernel.org; 
Received: from toolbx.alistair23.me (2403-580b-97e8-0-82ce-f179-8a79-69f4.ip6.aussiebb.net. [2403:580b:97e8:0:82ce:f179:8a79:69f4]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-339a701c457sm6528233a91.23.2025.10.02.21.32.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Oct 2025 21:32:11 -0700 (PDT)
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 1/8] net/handshake: Store the key serial number on completion
Date: Fri, 3 Oct 2025 14:31:32 +1000
Message-ID: <20251003043140.1341958-2-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
From: Alistair Francis Allow userspace to include a key serial number when completing a handshake with the HANDSHAKE_CMD_DONE command. We then store this serial number and will provide it back to userspace in the future. This allows userspace to save data to the keyring and then restore that data later. This will be used to support the TLS KeyUpdate operation, as now userspace can resume information about a established session. Signed-off-by: Alistair Francis --- v3: - No change v2: - Change "key-serial" to "session-id" Documentation/netlink/specs/handshake.yaml | 4 ++++ Documentation/networking/tls-handshake.rst | 2 ++ drivers/nvme/host/tcp.c | 3 ++- drivers/nvme/target/tcp.c | 3 ++- include/net/handshake.h | 4 +++- include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 +++-- net/handshake/tlshd.c | 15 +++++++++++++-- net/sunrpc/svcsock.c | 4 +++- net/sunrpc/xprtsock.c | 4 +++- 10 files changed, 36 insertions(+), 9 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index 95c3fade7a8d..a273bc74d26f 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -87,6 +87,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: session-id + type: u32 =20 operations: list: @@ -123,6 +126,7 @@ operations: - status - sockfd - remote-auth + - session-id =20 mcast-groups: list: diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index 6f5ea1646a47..d7287890056a 100644 --- a/Documentation/networking/tls-handshake.rst +++ b/Documentation/networking/tls-handshake.rst @@ -60,6 +60,8 @@ fills in a structure that contains the parameters of the = request: key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t user_session_id; + }; =20 The @ta_sock field references an open and connected socket. The consumer 
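Review bot: in the tls-handshake.rst hunk the new member `key_serial_t user_session_id;` is followed by a stray `+` blank line before `};`, and it is the only member of the documented struct without the `ta_` prefix that `ta_my_privkey`, `ta_num_peerids` and `ta_my_peerids[5]` carry; drop the blank line and name it `ta_user_session_id` (or similar) so the documented struct matches the convention. The text below the struct explains each `@ta_` field (for example `@ta_sock`), so the new field needs a sentence as well: from the struct alone a reader cannot tell that the value is the key serial userspace supplied with HANDSHAKE_CMD_DONE rather than something the consumer fills in before calling the handshake API. The `session-id` attribute added to handshake.yaml has the same gap, since nothing there says what the u32 holds.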
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 9ef1d4aea838..700c37af52ba 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1691,7 +1691,8 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp= _queue *queue) qid, queue->io_cpu); } =20 -static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid) +static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid, + key_serial_t user_session_id) { struct nvme_tcp_queue *queue =3D data; struct nvme_tcp_ctrl *ctrl =3D queue->ctrl; diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 470bf37e5a63..4ef4dd140ada 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1780,7 +1780,8 @@ static int nvmet_tcp_tls_key_lookup(struct nvmet_tcp_= queue *queue, } =20 static void nvmet_tcp_tls_handshake_done(void *data, int status, - key_serial_t peerid) + key_serial_t peerid, + key_serial_t user_session_id) { struct nvmet_tcp_queue *queue =3D data; =20 diff --git a/include/net/handshake.h b/include/net/handshake.h index 8ebd4f9ed26e..dc2222fd6d99 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -18,7 +18,8 @@ enum { }; =20 typedef void (*tls_done_func_t)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_session_id); =20 struct tls_handshake_args { struct socket *ta_sock; @@ -31,6 +32,7 @@ struct tls_handshake_args { key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t user_session_id; }; =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 662e7de46c54..b68ffbaa5f31 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h 
@@ -55,6 +55,7 @@ enum { HANDSHAKE_A_DONE_STATUS =3D 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_SESSION_ID, =20 __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX =3D (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..6cdce7e5dbc0 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_poli= cy[HANDSHAKE_A_ACCEPT_HAN }; =20 /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_R= EMOTE_AUTH + 1] =3D { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_S= ESSION_ID + 1] =3D { [HANDSHAKE_A_DONE_STATUS] =3D { .type =3D NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] =3D { .type =3D NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] =3D { .type =3D NLA_U32, }, + [HANDSHAKE_A_DONE_SESSION_ID] =3D { .type =3D NLA_U32, }, }; =20 /* Ops table for handshake */ @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] =3D= { .cmd =3D HANDSHAKE_CMD_DONE, .doit =3D handshake_nl_done_doit, .policy =3D handshake_done_nl_policy, - .maxattr =3D HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr =3D HANDSHAKE_A_DONE_SESSION_ID, .flags =3D GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 081093dfd553..2549c5dbccd8 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -26,7 +26,8 @@ =20 struct tls_handshake_req { void (*th_consumer_done)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_session_id); void *th_consumer_data; =20 int th_type; @@ -39,6 +40,8 @@ struct tls_handshake_req { =20 unsigned int th_num_peerids; key_serial_t th_peerid[5]; + + key_serial_t user_session_id; }; =20 static struct tls_handshake_req * 
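Review bot: the field added to struct tls_handshake_req in the net/handshake/tlshd.c hunk is named `user_session_id`, while every other member visible in that struct (`th_consumer_done`, `th_consumer_data`, `th_type`, `th_num_peerids`, `th_peerid[5]`) carries the `th_` prefix; `th_session_id` keeps the convention, and the member added to struct tls_handshake_args in include/net/handshake.h should take the `ta_` prefix for the same reason. Within the lines shown nothing copies the tls_handshake_args member into the request: tls_handshake_req_init() below initialises treq->user_session_id to a constant. If the args member is meant as an input it needs to be copied somewhere; if it is not, it can be dropped from the args struct and the rst documentation in this patch.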
@@ -55,6 +58,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; + treq->user_session_id =3D TLS_NO_PRIVKEY; return treq; } =20 @@ -83,6 +87,13 @@ static void tls_handshake_remote_peerids(struct tls_hand= shake_req *treq, if (i >=3D treq->th_num_peerids) break; } + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) =3D=3D HANDSHAKE_A_DONE_SESSION_ID) { + treq->user_session_id =3D nla_get_u32(nla); + break; + } + } } =20 /** @@ -105,7 +116,7 @@ static void tls_handshake_done(struct handshake_req *re= q, set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); =20 treq->th_consumer_done(treq->th_consumer_data, -status, - treq->th_peerid[0]); + treq->th_peerid[0], treq->user_session_id); } =20 #if IS_ENABLED(CONFIG_KEYS) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index e2c5e0e626f9..4ec3119bd113 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -444,13 +444,15 @@ static void svc_tcp_kill_temp_xprt(struct svc_xprt *x= prt) * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote peer's identity + * @user_session_id: serial number of the userspace session ID * * If a security policy is specified as an export option, we don't * have a specific export here to check. So we set a "TLS session * is present" flag on the xprt and let an upper layer enforce local * security policy. */ -static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid) +static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid, + key_serial_t user_session_id) { struct svc_xprt *xprt =3D data; struct svc_sock *svsk =3D container_of(xprt, struct svc_sock, sk_xprt); diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 3aa987e7f072..bce0f43bef65 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c 
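Review bot: `treq->user_session_id =3D TLS_NO_PRIVKEY;` in tls_handshake_req_init() reuses the private-key sentinel for a session id; a dedicated value alongside TLS_NO_CERT and TLS_NO_PRIVKEY (a TLS_NO_SESSION_ID, say) makes the "userspace supplied nothing" case explicit wherever a consumer later compares against it. The attribute walk that picks up HANDSHAKE_A_DONE_SESSION_ID is appended to tls_handshake_remote_peerids(), whose name says it collects peer ids and whose own loop already stops once `i >=3D treq->th_num_peerids`; a second full pass over the attributes reads better in tls_handshake_done() (or a small helper called from it), next to the place where the value is handed to th_consumer_done(). In the svcsock.c hunk the kernel-doc line `@user_session_id: serial number of the userspace session ID` restates the parameter name; saying that it is the key serial userspace stored in the keyring and passed with HANDSHAKE_CMD_DONE, or the no-key sentinel, tells the consumer what to do with it.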
@@ -2589,9 +2589,11 @@ static int xs_tcp_tls_finish_connecting(struct rpc_x= prt *lower_xprt, * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote's identity + * @user_session_id: serial number of the userspace session ID * */ -static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid) +static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid, + key_serial_t user_session_id) { struct rpc_xprt *lower_xprt =3D data; struct sock_xprt *lower_transport =3D --=20 2.51.0
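Review bot: the xprtsock.c hunk, like the svcsock.c, nvme host and nvme target hunks, only widens the callback signature; the diffstat (4 +++- for both sunrpc files, 3 ++- for both nvme files) confirms the bodies are untouched, so `user_session_id` is accepted and ignored by all four consumers in this patch. That compiles cleanly, but the commit message should say so and point at the later patches in the series that consume the value for KeyUpdate, otherwise a reader of this commit alone cannot tell whether the consumers are missing a store. The kernel-doc line `@user_session_id: serial number of the userspace session ID` has the same problem as in svcsock.c: it repeats the name rather than saying the value is the key serial userspace passed with HANDSHAKE_CMD_DONE.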
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 2/8] net/handshake: Define handshake_sk_destruct_req
Date: Fri, 3 Oct 2025 14:31:33 +1000
Message-ID: <20251003043140.1341958-3-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

Define a `handshake_sk_destruct_req()` function to allow the destruction of the handshake req. This is required to avoid hash conflicts when handshake_req_hash_add() is called as part of submitting the KeyUpdate request.

Signed-off-by: Alistair Francis
---
v3:
 - New patch

 net/handshake/request.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/handshake/request.c b/net/handshake/request.c
index 274d2c89b6b2..0d1c91c80478 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -98,6 +98,22 @@ static void handshake_sk_destruct(struct sock *sk) sk_destruct(sk); } =20 +/** + * handshake_sk_destruct_req - destroy an existing request + * @sk: socket on which there is an existing request + */ +static void handshake_sk_destruct_req(struct sock *sk) +{ + struct handshake_req *req; + + req =3D handshake_req_hash_lookup(sk); + if (!req) + return; + + trace_handshake_destruct(sock_net(sk), req, sk); + handshake_req_destroy(req); +} + /** * handshake_req_alloc - Allocate a handshake request * @proto: security protocol --=20 2.51.0
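Review bot: handshake_sk_destruct_req() is static and has no caller in this patch (its first use arrives in 3/8), so a build at this commit warns about an unused static function and fails under -Werror; either fold the helper into the patch that uses it or add the call here so the series bisects cleanly. The helper also spells out a lookup, trace and destroy sequence around handshake_req_hash_lookup() and handshake_req_destroy(); if handshake_sk_destruct() directly above performs the same steps before calling the saved sk_destruct(), the two should share one routine rather than duplicate it. Whether handshake_req_hash_lookup() returns a reference that handshake_req_destroy() consumes is not visible from the hunk, and a one-line comment on the ownership rule would save the next reviewer the same question.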
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 3/8] net/handshake: Ensure the request is destructed on completion
Date: Fri, 3 Oct 2025 14:31:34 +1000
Message-ID: <20251003043140.1341958-4-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

To avoid future handshake_req_hash_add() calls failing with EEXIST when performing a KeyUpdate, let's make sure the old request is destructed as part of the completion.

Signed-off-by: Alistair Francis
---
v3:
 - New patch

 net/handshake/request.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/handshake/request.c b/net/handshake/request.c
index 0d1c91c80478..194725a8aaca 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -311,6 +311,8 @@ void handshake_complete(struct handshake_req *req, unsi= gned int status, /* Handshake request is no longer pending */ sock_put(sk); } + + handshake_sk_destruct_req(sk); } EXPORT_SYMBOL_IF_KUNIT(handshake_complete); =20 --=20 2.51.0
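Review bot: handshake_complete() already holds @req, yet the new teardown goes through handshake_sk_destruct_req(sk), which looks the request up again by socket; if a different request has been hashed for the same socket by then the wrong one is destroyed, and if the lookup fails the call silently does nothing. Destroying @req directly (with whatever hash removal the lookup path implies) keeps the function's effect tied to its argument. The larger consequence is that after this change handshake_complete() frees @req before returning, so no caller may touch req afterwards; the kernel-doc for handshake_complete() should state that, and each caller, including the kunit tests that reach the symbol through EXPORT_SYMBOL_IF_KUNIT, needs checking for a use after the call. The new call also sits outside the conditional block whose tail (`sock_put(sk);`) is visible above it, so it runs regardless of that condition; a sentence in the commit message confirming that is intended would help.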
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 4/8] nvmet: Expose nvmet_stop_keep_alive_timer publicly
Date: Fri, 3 Oct 2025 14:31:35 +1000
Message-ID: <20251003043140.1341958-5-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

Signed-off-by: Alistair Francis
---
 drivers/nvme/target/core.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c index 0dd7bd99afa3..bed1c6ebe83a 100644 --- a/drivers/nvme/target/core.c +++ b/drivers/nvme/target/core.c 
@@ -430,6 +430,7 @@ void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctr= l) =20 cancel_delayed_work_sync(&ctrl->ka_work); } +EXPORT_SYMBOL_GPL(nvmet_stop_keep_alive_timer); =20 u16 nvmet_req_find_ns(struct nvmet_req *req) { --=20 2.51.0
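Review bot: the commit message is empty, so a reader of the EXPORT_SYMBOL_GPL(nvmet_stop_keep_alive_timer) hunk cannot tell which module outside the nvmet core will call it or why the export must be GPL-only; state the out-of-core user (the 7/8 changelog entry "Ensure keep alive timer is stopped" suggests it is the nvmet-tcp KeyUpdate path) so the export can be reviewed together with its caller, or fold this one-liner into the patch that introduces that caller.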
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 5/8] net/handshake: Support KeyUpdate message types
Date: Fri, 3 Oct 2025 14:31:36 +1000
Message-ID: <20251003043140.1341958-6-alistair.francis@wdc.com>
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
From: Alistair Francis When reporting the msg-type to userspace let's also support reporting KeyUpdate events. This supports reporting a client/server event and if the other side requested a KeyUpdateRequest. Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3 Signed-off-by: Alistair Francis --- v3: - Fixup yamllint and kernel-doc failures Documentation/netlink/specs/handshake.yaml | 16 +++++++++- Documentation/networking/tls-handshake.rst | 4 +-- drivers/nvme/host/tcp.c | 12 ++++++-- drivers/nvme/target/tcp.c | 11 +++++-- include/net/handshake.h | 10 +++++-- include/uapi/linux/handshake.h | 13 +++++++++ net/handshake/tlshd.c | 34 ++++++++++++++++++---- 7 files changed, 84 insertions(+), 16 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index a273bc74d26f..c72ec8fa7d7a 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -21,12 +21,18 @@ definitions: type: enum name: msg-type value-start: 0 - entries: [unspec, clienthello, serverhello] + entries: [unspec, clienthello, serverhello, clientkeyupdate, + clientkeyupdaterequest, serverkeyupdate, serverkeyupdaterequ= est] - type: enum name: auth value-start: 0 entries: [unspec, unauth, psk, x509] + - + type: enum + name: key-update-type + value-start: 0 + entries: [unspec, send, received, received_request_update] =20 attribute-sets: - @@ -74,6 +80,13 @@ attribute-sets: - name: keyring type: u32 + - + name: key-update-request + type: u32 + enum: key-update-type + - + name: key-serial + type: u32 - name: done attributes: @@ -116,6 +129,7 @@ operations: - certificate - peername - keyring + - key-serial - name: done doc: Handler reports handshake completion diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index d7287890056a..f858011e5bfb 100644 --- a/Documentation/networking/tls-handshake.rst 
+++ b/Documentation/networking/tls-handshake.rst @@ -110,7 +110,7 @@ To initiate a client-side TLS handshake with a pre-shar= ed key, use: =20 .. code-block:: c =20 - ret =3D tls_client_hello_psk(args, gfp_flags); + ret =3D tls_client_hello_psk(args, gfp_flags, handshake_key_update_type); =20 However, in this case, the consumer fills in the @ta_my_peerids array with serial numbers of keys containing the peer identities it wishes @@ -140,7 +140,7 @@ or =20 .. code-block:: c =20 - ret =3D tls_server_hello_psk(args, gfp_flags); + ret =3D tls_server_hello_psk(args, gfp_flags, handshake_key_update_type); =20 The argument structure is filled in as above. =20 diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 700c37af52ba..b07401ad68eb 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -20,6 +20,7 @@ #include #include #include +#include =20 #include "nvme.h" #include "fabrics.h" @@ -206,6 +207,10 @@ static struct workqueue_struct *nvme_tcp_wq; static const struct blk_mq_ops nvme_tcp_mq_ops; static const struct blk_mq_ops nvme_tcp_admin_mq_ops; static int nvme_tcp_try_send(struct nvme_tcp_queue *queue); +static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, + struct nvme_tcp_queue *queue, + key_serial_t pskid, + handshake_key_update_type keyupdate); =20 static inline struct nvme_tcp_ctrl *to_tcp_ctrl(struct nvme_ctrl *ctrl) { @@ -1726,7 +1731,8 @@ static void nvme_tcp_tls_done(void *data, int status,= key_serial_t pskid, =20 static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, struct nvme_tcp_queue *queue, - key_serial_t pskid) + key_serial_t pskid, + handshake_key_update_type keyupdate) { int qid =3D nvme_tcp_queue_id(queue); int ret; 
@@ -1748,7 +1754,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, args.ta_timeout_ms =3D tls_handshake_timeout * 1000; queue->tls_err =3D -EOPNOTSUPP; init_completion(&queue->tls_complete); - ret =3D tls_client_hello_psk(&args, GFP_KERNEL); + ret =3D tls_client_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { dev_err(nctrl->device, "queue %d: failed to start TLS: %d\n", qid, ret); @@ -1898,7 +1904,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nct= rl, int qid, =20 /* If PSKs are configured try to start TLS */ if (nvme_tcp_tls_configured(nctrl) && pskid) { - ret =3D nvme_tcp_start_tls(nctrl, queue, pskid); + ret =3D nvme_tcp_start_tls(nctrl, queue, pskid, HANDSHAKE_KEY_UPDATE_TYP= E_UNSPEC); if (ret) goto err_init_connect; } diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 4ef4dd140ada..bee0355195f5 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -214,6 +214,10 @@ static struct workqueue_struct *nvmet_tcp_wq; static const struct nvmet_fabrics_ops nvmet_tcp_ops; static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue, + handshake_key_update_type keyupdate); +#endif =20 static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, struct nvmet_tcp_cmd *cmd) @@ -1833,7 +1837,8 @@ static void nvmet_tcp_tls_handshake_timeout(struct wo= rk_struct *w) kref_put(&queue->kref, nvmet_tcp_release_queue); } =20 -static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue) +static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue, + handshake_key_update_type keyupdate) { int ret =3D -EOPNOTSUPP; struct tls_handshake_args args; 
@@ -1852,7 +1857,7 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue) args.ta_keyring =3D key_serial(queue->port->nport->keyring); args.ta_timeout_ms =3D tls_handshake_timeout * 1000; =20 - ret =3D tls_server_hello_psk(&args, GFP_KERNEL); + ret =3D tls_server_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { kref_put(&queue->kref, nvmet_tcp_release_queue); pr_err("failed to start TLS, err=3D%d\n", ret); @@ -1934,7 +1939,7 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_po= rt *port, sk->sk_data_ready =3D port->data_ready; write_unlock_bh(&sk->sk_callback_lock); if (!nvmet_tcp_try_peek_pdu(queue)) { - if (!nvmet_tcp_tls_handshake(queue)) + if (!nvmet_tcp_tls_handshake(queue, HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)) return; /* TLS handshake failed, terminate the connection */ goto out_destroy_sq; diff --git a/include/net/handshake.h b/include/net/handshake.h index dc2222fd6d99..7da5d09b9bad 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -10,6 +10,10 @@ #ifndef _NET_HANDSHAKE_H #define _NET_HANDSHAKE_H =20 +#include + +#define handshake_key_update_type u32 + enum { TLS_NO_KEYRING =3D 0, TLS_NO_PEERID =3D 0, @@ -37,9 +41,11 @@ struct tls_handshake_args { =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); -int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate); int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); -int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate); =20 bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); 
diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index b68ffbaa5f31..b691530073c6 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -19,6 +19,10 @@ enum handshake_msg_type { HANDSHAKE_MSG_TYPE_UNSPEC, HANDSHAKE_MSG_TYPE_CLIENTHELLO, HANDSHAKE_MSG_TYPE_SERVERHELLO, + HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE, + HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATEREQUEST, + HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE, + HANDSHAKE_MSG_TYPE_SERVERKEYUPDATEREQUEST, }; =20 enum handshake_auth { @@ -28,6 +32,13 @@ enum handshake_auth { HANDSHAKE_AUTH_X509, }; =20 +enum handshake_key_update_type { + HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC, + HANDSHAKE_KEY_UPDATE_TYPE_SEND, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED_REQUEST_UPDATE, +}; + enum { HANDSHAKE_A_X509_CERT =3D 1, HANDSHAKE_A_X509_PRIVKEY, @@ -46,6 +57,8 @@ enum { HANDSHAKE_A_ACCEPT_CERTIFICATE, HANDSHAKE_A_ACCEPT_PEERNAME, HANDSHAKE_A_ACCEPT_KEYRING, + HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + HANDSHAKE_A_ACCEPT_KEY_SERIAL, =20 __HANDSHAKE_A_ACCEPT_MAX, HANDSHAKE_A_ACCEPT_MAX =3D (__HANDSHAKE_A_ACCEPT_MAX - 1) diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 2549c5dbccd8..05126f8943f1 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -41,6 +41,7 @@ struct tls_handshake_req { unsigned int th_num_peerids; key_serial_t th_peerid[5]; =20 + int th_key_update_request; key_serial_t user_session_id; }; =20 @@ -58,7 +59,8 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; - treq->user_session_id =3D TLS_NO_PRIVKEY; + treq->user_session_id =3D args->user_session_id; + return treq; } =20 
@@ -265,6 +267,16 @@ static int tls_handshake_accept(struct handshake_req *= req, break; } =20 + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEY_SERIAL, + treq->user_session_id); + if (ret < 0) + goto out_cancel; + + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + treq->th_key_update_request); + if (ret < 0) + goto out_cancel; + genlmsg_end(msg, hdr); return genlmsg_reply(msg, info); =20 @@ -341,6 +353,7 @@ EXPORT_SYMBOL(tls_client_hello_x509); * tls_client_hello_psk - request a PSK-based TLS handshake on a socket * @args: socket and handshake parameters for this request * @flags: memory allocation control flags + * @keyupdate: specifies if and what type of KeyUpdate operation * * Return values: * %0: Handshake request enqueue; ->done will be called when complete @@ -348,7 +361,8 @@ EXPORT_SYMBOL(tls_client_hello_x509); * %-ESRCH: No user agent is available * %-ENOMEM: Memory allocation failed */ -int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s) +int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate) { struct tls_handshake_req *treq; struct handshake_req *req; @@ -362,7 +376,11 @@ int tls_client_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) if (!req) return -ENOMEM; treq =3D tls_handshake_req_init(req, args); - treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTHELLO; + if (keyupdate !=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE; + else + treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTHELLO; + treq->th_key_update_request =3D keyupdate; treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; treq->th_num_peerids =3D args->ta_num_peerids; for (i =3D 0; i < args->ta_num_peerids; i++) 
@@ -404,13 +422,15 @@ EXPORT_SYMBOL(tls_server_hello_x509); * tls_server_hello_psk - request a server TLS handshake on a socket * @args: socket and handshake parameters for this request * @flags: memory allocation control flags + * @keyupdate: specifies if and what type of KeyUpdate operation * * Return values: * %0: Handshake request enqueue; ->done will be called when complete * %-ESRCH: No user agent is available * %-ENOMEM: Memory allocation failed */ -int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s) +int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate) { struct tls_handshake_req *treq; struct handshake_req *req; 
@@ -419,7 +439,11 @@ int tls_server_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) if (!req) return -ENOMEM; treq =3D tls_handshake_req_init(req, args); - treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERHELLO; + if (keyupdate !=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE; + else + treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERHELLO; + treq->th_key_update_request =3D keyupdate; treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; treq->th_num_peerids =3D 1; treq->th_peerid[0] =3D args->ta_my_peerids[0]; --=20 2.51.0
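Review bot: in the handshake.yaml hunk, key-update-request is added to the accept attribute-set but the accept operation's reply list only gains `- key-serial`, while tls_handshake_accept() in the tlshd.c hunk puts both HANDSHAKE_A_ACCEPT_KEY_SERIAL and HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST into the reply; add `- key-update-request` next to `- key-serial` so the spec describes what the kernel actually sends. The msg-type enum also gains clientkeyupdaterequest and serverkeyupdaterequest, but nothing in this patch ever selects those two values (both PSK paths pick CLIENTKEYUPDATE or SERVERKEYUPDATE and carry the kind in key-update-request); either drop them or document when a handler will see them.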
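Review bot: the tls-handshake.rst hunk only switches the two PSK call sites to the three-argument form; it does not say what handshake_key_update_type is, which HANDSHAKE_KEY_UPDATE_TYPE_* values a consumer may pass, or that HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC requests an ordinary handshake. Since this file is the consumer-facing description of the API, a short paragraph after each updated `ret = ...` line covering those points is needed, and it should mention that the x509 and anon variants keep their two-argument form.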
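Review bot: the drivers/nvme/host/tcp.c and drivers/nvme/target/tcp.c hunks add forward declarations of nvme_tcp_start_tls() and nvmet_tcp_tls_handshake() that nothing in this patch needs: the only callers visible here, nvme_tcp_alloc_queue() (@@ -1898) and nvmet_tcp_alloc_queue() (@@ -1934), come after the definitions (@@ -1726 and @@ -1833). Move the declarations into the patches that introduce the earlier callers (6/8 and 7/8) so each patch stays self-contained.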
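Review bot: `#define handshake_key_update_type u32` in the include/net/handshake.h hunk turns the new parameter into an unchecked integer; the uapi hunk already defines `enum handshake_key_update_type`, so declare the parameter as that enum (the prototypes are being rewritten here anyway) and drop the macro, which lets the compiler flag callers passing something other than a HANDSHAKE_KEY_UPDATE_TYPE_* value.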
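Review bot: in the tls_handshake_req_init() hunk, replacing `treq->user_session_id = TLS_NO_PRIVKEY;` with `treq->user_session_id = args->user_session_id;` is a fix to whichever earlier patch in the series introduced user_session_id (the struct tls_handshake_args hunk in this patch adds no such member) and belongs in that patch, not in one titled "Support KeyUpdate message types".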
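Review bot: tls_handshake_accept() now puts HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST into every reply, but th_key_update_request is only assigned in the two PSK paths and tls_handshake_req_init() does not initialise it, so x509 and anon handshakes report whatever the allocation left there. Initialise it to HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC in tls_handshake_req_init(), or emit the attribute only when th_auth_mode is HANDSHAKE_AUTH_PSK.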
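Review bot: neither tls_client_hello_psk() nor tls_server_hello_psk() validates keyupdate before copying it into th_key_update_request and handing it to userspace; return -EINVAL for values above HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED_REQUEST_UPDATE. The kernel-doc line `@keyupdate: specifies if and what type of KeyUpdate operation` in both hunks is also not a sentence; something like `@keyupdate: HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC for a new handshake, otherwise the kind of KeyUpdate to perform` tells the caller what to pass.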
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 6/8] nvme-tcp: Support KeyUpdate
Date: Fri, 3 Oct 2025 14:31:37 +1000
Message-ID: <20251003043140.1341958-7-alistair.francis@wdc.com>
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>

From: Alistair Francis

If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return
EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs
on a KeyUpdate event.

If the NVMe Target (TLS server) initiates a KeyUpdate this patch will
allow the NVMe layer to process the KeyUpdate request and forward the
request to userspace. Userspace must then update the key to keep the
connection alive.

This patch allows us to handle the NVMe target sending a KeyUpdate
request without aborting the connection. At this time we don't support
initiating a KeyUpdate.

Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
Signed-off-by: Alistair Francis
---
v3:
 - Don't cancel existing handshake requests

v2:
 - Don't change the state
 - Use a helper function for KeyUpdates
 - Continue sending in nvme_tcp_send_all() after a KeyUpdate
 - Remove command message using recvmsg

 drivers/nvme/host/tcp.c | 60 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 54 insertions(+), 6 deletions(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index b07401ad68eb..4f27319f0078 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -172,6 +172,7 @@ struct nvme_tcp_queue { bool tls_enabled; u32 rcv_crc; u32 snd_crc; + key_serial_t user_session_id; __le32 exp_ddgst; __le32 recv_ddgst; struct completion tls_complete; @@ -211,6 +212,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, struct nvme_tcp_queue *queue, key_serial_t pskid, handshake_key_update_type keyupdate); +static void update_tls_keys(struct nvme_tcp_queue *queue); =20 static inline struct nvme_tcp_ctrl *to_tcp_ctrl(struct nvme_ctrl *ctrl) { @@ -394,6 +396,14 @@ static inline void nvme_tcp_send_all(struct nvme_tcp_q= ueue *queue) do { ret =3D nvme_tcp_try_send(queue); } while (ret > 0); + + if (ret =3D=3D -EKEYEXPIRED) { + update_tls_keys(queue); + + do { + ret =3D nvme_tcp_try_send(queue); + } while (ret > 0); + } } =20 static inline bool nvme_tcp_queue_has_pending(struct nvme_tcp_queue *queue) @@ -1346,6 +1356,8 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *q= ueue) done: if (ret =3D=3D -EAGAIN) { ret =3D 0; + } else if (ret =3D=3D -EKEYEXPIRED) { + goto out; } else if (ret < 0) { dev_err(queue->ctrl->ctrl.device, "failed to send request %d\n", ret); 
@@ -1381,17 +1393,45 @@ static int nvme_tcp_try_recvmsg(struct nvme_tcp_que= ue *queue) } } while (result >=3D 0); =20 - if (result < 0 && result !=3D -EAGAIN) { + if (result =3D=3D -EKEYEXPIRED) { + return -EKEYEXPIRED; + } else if (result =3D=3D -EAGAIN) { + result =3D 0; + } else if (result < 0) { dev_err(queue->ctrl->ctrl.device, "receive failed: %d\n", result); queue->rd_enabled =3D false; nvme_tcp_error_recovery(&queue->ctrl->ctrl); - } else if (result =3D=3D -EAGAIN) - result =3D 0; + } =20 return result < 0 ? result : (queue->nr_cqe =3D nr_cqe); } =20 +static void update_tls_keys(struct nvme_tcp_queue *queue) +{ + int qid =3D nvme_tcp_queue_id(queue); + int ret; + + dev_dbg(queue->ctrl->ctrl.device, + "updating key for queue %d\n", qid); + + cancel_work(&queue->io_work); + + nvme_stop_keep_alive(&(queue->ctrl->ctrl)); + flush_work(&(queue->ctrl->ctrl).async_event_work); + + ret =3D nvme_tcp_start_tls(&(queue->ctrl->ctrl), + queue, queue->ctrl->ctrl.tls_pskid, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED); + + if (ret < 0) { + dev_err(queue->ctrl->ctrl.device, + "failed to update the keys %d\n", ret); + nvme_tcp_fail_request(queue->request); + nvme_tcp_done_send_req(queue); + } +} + static void nvme_tcp_io_work(struct work_struct *w) { struct nvme_tcp_queue *queue =3D @@ -1407,15 +1447,21 @@ static void nvme_tcp_io_work(struct work_struct *w) mutex_unlock(&queue->send_mutex); if (result > 0) pending =3D true; - else if (unlikely(result < 0)) + else if (unlikely(result < 0)) { + if (result =3D=3D -EKEYEXPIRED) + update_tls_keys(queue); break; + } } =20 result =3D nvme_tcp_try_recvmsg(queue); if (result > 0) pending =3D true; - else if (unlikely(result < 0)) - return; + else if (unlikely(result < 0)) { + if (result =3D=3D -EKEYEXPIRED) + update_tls_keys(queue); + break; + } =20 /* did we get some space after spending time in recv? */ if (nvme_tcp_queue_has_pending(queue) && 
@@ -1723,6 +1769,7 @@ static void nvme_tcp_tls_done(void *data, int status,= key_serial_t pskid, ctrl->ctrl.tls_pskid =3D key_serial(tls_key); key_put(tls_key); queue->tls_err =3D 0; + queue->user_session_id =3D user_session_id; } =20 out_complete: 
@@ -1752,6 +1799,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, keyring =3D key_serial(nctrl->opts->keyring); args.ta_keyring =3D keyring; args.ta_timeout_ms =3D tls_handshake_timeout * 1000; + args.user_session_id =3D queue->user_session_id; queue->tls_err =3D -EOPNOTSUPP; init_completion(&queue->tls_complete); ret =3D tls_client_hello_psk(&args, GFP_KERNEL, keyupdate); --=20 2.51.0
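Review bot: in the nvme_tcp_send_all() hunk, update_tls_keys() runs a complete userspace handshake before the send loop is retried (nvme_tcp_start_tls() initialises queue->tls_complete for that handshake to signal, so the rekey is synchronous from the caller's point of view), which means every caller of nvme_tcp_send_all() now blocks for up to the handshake timeout with whatever locks it holds at that point. Consider only recording that a rekey is needed here and letting nvme_tcp_io_work(), which already handles -EKEYEXPIRED, do the handshake. A second -EKEYEXPIRED from the retry loop is also silently dropped.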
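Review bot: update_tls_keys() calls nvme_stop_keep_alive() but nothing restarts keep-alive after nvme_tcp_start_tls() returns successfully, so a rekeyed controller carries on with no KATO traffic; add the matching start on the success path. On failure it calls `nvme_tcp_fail_request(queue->request)` and `nvme_tcp_done_send_req(queue)`, but when the -EKEYEXPIRED came from nvme_tcp_try_recvmsg() there may be no request in flight (queue->request can be NULL), and failing one request leaves the queue with expired keys; nvme_tcp_error_recovery() is the existing path for a queue that can no longer be used. Minor: `&(queue->ctrl->ctrl)` does not need the parentheses.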
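Review bot: in the nvme_tcp_io_work() hunk the receive-side branch changes `return;` to `break;`, so every receive error, not only -EKEYEXPIRED, now falls through to the code after the loop instead of returning immediately; if that change is intended (nvme_tcp_try_recvmsg() already clears rd_enabled and starts error recovery for the other errors), say so in the commit message, otherwise keep the `return` for the non-KeyUpdate case.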
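Review bot: `args.user_session_id = queue->user_session_id;` is passed for the initial handshake as well as for a rekey, and on the first connect nvme_tcp_tls_done() has not yet stored anything in queue->user_session_id; document, either here or in include/net/handshake.h, what value means "no previous session" and that the user agent must accept it.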
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 7/8] nvmet-tcp: Support KeyUpdate
Date: Fri, 3 Oct 2025 14:31:38 +1000
Message-ID: <20251003043140.1341958-8-alistair.francis@wdc.com>
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
From: Alistair Francis If the nvmet_tcp_try_recv() function returns EKEYEXPIRED or if we receive a KeyUpdate handshake type then the underlying TLS keys need to be updated. If the NVMe Host (TLS client) initiates a KeyUpdate this patch will allow the NVMe layer to process the KeyUpdate request and forward the request to userspace. Userspace must then update the key to keep the connection alive. This patch allows us to handle the NVMe host sending a KeyUpdate request without aborting the connection. At this time we don't support initiating a KeyUpdate. Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3 Signed-off-by: Alistair Francis --- v3: - Use a write lock for sk_user_data - Fix build with CONFIG_NVME_TARGET_TCP_TLS disabled - Remove unused variable v2: - Use a helper function for KeyUpdates - Ensure keep alive timer is stopped - Wait for TLS KeyUpdate to complete drivers/nvme/target/tcp.c | 90 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 85 insertions(+), 5 deletions(-) diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index bee0355195f5..fd59dd3ca632 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -175,6 +175,7 @@ struct nvmet_tcp_queue { =20 /* TLS state */ key_serial_t tls_pskid; + key_serial_t user_session_id; struct delayed_work tls_handshake_tmo_work; =20 unsigned long poll_end; @@ -186,6 +187,8 @@ struct nvmet_tcp_queue { struct sockaddr_storage sockaddr_peer; struct work_struct release_work; =20 + struct completion tls_complete; + int idx; struct list_head queue_list; =20 @@ -836,6 +839,11 @@ static int nvmet_tcp_try_send_one(struct nvmet_tcp_que= ue *queue, return 1; } =20 +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int nvmet_tcp_try_peek_pdu(struct nvmet_tcp_queue *queue); +static void nvmet_tcp_tls_handshake_timeout(struct work_struct *w); +#endif + static int nvmet_tcp_try_send(struct nvmet_tcp_queue *queue, int budget, int *sends) { 
@@ -844,6 +852,13 @@ static int nvmet_tcp_try_send(struct nvmet_tcp_queue *= queue, for (i =3D 0; i < budget; i++) { ret =3D nvmet_tcp_try_send_one(queue, i =3D=3D budget - 1); if (unlikely(ret < 0)) { +#ifdef CONFIG_NVME_TARGET_TCP_TLS + if (ret =3D=3D -EKEYEXPIRED && + queue->state !=3D NVMET_TCP_Q_DISCONNECTING && + queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE) { + goto done; + } +#endif nvmet_tcp_socket_error(queue, ret); goto done; } else if (ret =3D=3D 0) { @@ -1110,6 +1125,45 @@ static inline bool nvmet_tcp_pdu_valid(u8 type) return false; } =20 +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int update_tls_keys(struct nvmet_tcp_queue *queue) +{ + int ret; + + cancel_work(&queue->io_work); + queue->state =3D NVMET_TCP_Q_TLS_HANDSHAKE; + + /* Restore the default callbacks before starting upcall */ + write_lock_bh(&queue->sock->sk->sk_callback_lock); + queue->sock->sk->sk_data_ready =3D queue->data_ready; + queue->sock->sk->sk_state_change =3D queue->state_change; + queue->sock->sk->sk_write_space =3D queue->write_space; + queue->sock->sk->sk_user_data =3D NULL; + write_unlock_bh(&queue->sock->sk->sk_callback_lock); + + nvmet_stop_keep_alive_timer(queue->nvme_sq.ctrl); + + INIT_DELAYED_WORK(&queue->tls_handshake_tmo_work, + nvmet_tcp_tls_handshake_timeout); + + ret =3D nvmet_tcp_tls_handshake(queue, HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED= ); + + if (ret < 0) + return ret; + + ret =3D wait_for_completion_interruptible_timeout(&queue->tls_complete, 1= 0 * HZ); + + if (ret <=3D 0) { + tls_handshake_cancel(queue->sock->sk); + return ret; + } + + queue->state =3D NVMET_TCP_Q_LIVE; + + return ret; +} +#endif + static int nvmet_tcp_tls_record_ok(struct nvmet_tcp_queue *queue, struct msghdr *msg, char *cbuf) { @@ -1135,6 +1189,9 @@ static int nvmet_tcp_tls_record_ok(struct nvmet_tcp_q= ueue *queue, ret =3D -EAGAIN; } break; + case TLS_RECORD_TYPE_HANDSHAKE: + ret =3D -EAGAIN; + break; default: /* discard this record type */ pr_err("queue %d: TLS record %d unhandled\n", 
@@ -1344,6 +1401,13 @@ static int nvmet_tcp_try_recv(struct nvmet_tcp_queue= *queue, for (i =3D 0; i < budget; i++) { ret =3D nvmet_tcp_try_recv_one(queue); if (unlikely(ret < 0)) { +#ifdef CONFIG_NVME_TARGET_TCP_TLS + if (ret =3D=3D -EKEYEXPIRED && + queue->state !=3D NVMET_TCP_Q_DISCONNECTING && + queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE) { + goto done; + } +#endif nvmet_tcp_socket_error(queue, ret); goto done; } else if (ret =3D=3D 0) { @@ -1408,14 +1472,26 @@ static void nvmet_tcp_io_work(struct work_struct *w) ret =3D nvmet_tcp_try_recv(queue, NVMET_TCP_RECV_BUDGET, &ops); if (ret > 0) pending =3D true; - else if (ret < 0) - return; + else if (ret < 0) { +#ifdef CONFIG_NVME_TARGET_TCP_TLS + if (ret =3D=3D -EKEYEXPIRED) + update_tls_keys(queue); + else +#endif + return; + } =20 ret =3D nvmet_tcp_try_send(queue, NVMET_TCP_SEND_BUDGET, &ops); if (ret > 0) pending =3D true; - else if (ret < 0) - return; + else if (ret < 0) { +#ifdef CONFIG_NVME_TARGET_TCP_TLS + if (ret =3D=3D -EKEYEXPIRED) + update_tls_keys(queue); + else +#endif + return; + } =20 } while (pending && ops < NVMET_TCP_IO_WORK_BUDGET); =20 @@ -1798,6 +1874,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, = int status, } if (!status) { queue->tls_pskid =3D peerid; + queue->user_session_id =3D user_session_id; queue->state =3D NVMET_TCP_Q_CONNECTING; } else queue->state =3D NVMET_TCP_Q_FAILED; @@ -1813,6 +1890,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, = int status, else nvmet_tcp_set_queue_sock(queue); kref_put(&queue->kref, nvmet_tcp_release_queue); + complete(&queue->tls_complete); } =20 static void nvmet_tcp_tls_handshake_timeout(struct work_struct *w) 
@@ -1843,7 +1921,7 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue, int ret =3D -EOPNOTSUPP; struct tls_handshake_args args; =20 - if (queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE) { + if (queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE && !keyupdate) { pr_warn("cannot start TLS in state %d\n", queue->state); return -EINVAL; } 
@@ -1856,7 +1934,9 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue, args.ta_data =3D queue; args.ta_keyring =3D key_serial(queue->port->nport->keyring); args.ta_timeout_ms =3D tls_handshake_timeout * 1000; + args.user_session_id =3D queue->user_session_id; =20 + init_completion(&queue->tls_complete); ret =3D tls_server_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { kref_put(&queue->kref, nvmet_tcp_release_queue); --=20 2.51.0
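Review bot: Use-after-free risk in the nvmet_tcp_tls_handshake_done() hunk at @@ -1813: the added `complete(&queue->tls_complete);` runs after `kref_put(&queue->kref, nvmet_tcp_release_queue);`, so when that put drops the last reference the completion is signalled on a released queue. Call complete() before the kref_put(), or make update_tls_keys() hold its own reference for the duration of the wait.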
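Review bot: Two problems in update_tls_keys() (hunk @@ -1110). First, it calls nvmet_tcp_tls_handshake() without taking a queue reference, while both the failure path of that function (`kref_put(&queue->kref, nvmet_tcp_release_queue);` when tls_server_hello_psk() fails, hunk @@ -1856) and nvmet_tcp_tls_handshake_done() put one; the KeyUpdate path needs a matching kref_get(), or the put has to be skipped for key updates, otherwise every KeyUpdate drops a reference the queue never acquired. Second, the error paths leave the queue half torn down: after a handshake start failure or a timed-out wait the state stays NVMET_TCP_Q_TLS_HANDSHAKE, the socket callbacks stay at their defaults with sk_user_data NULL and the keep-alive timer stays stopped, yet nothing marks the queue failed and the caller ignores the return value. Suggest failing the queue (nvmet_tcp_socket_error() or the existing fatal-error path) on ret < 0, returning 0 rather than the leftover jiffies on success, and using tls_handshake_timeout (already used for args.ta_timeout_ms) instead of the hard-coded `10 * HZ` so the two timeouts agree. It is also worth confirming that queue->nvme_sq.ctrl cannot be NULL when nvmet_stop_keep_alive_timer() runs here: the -EKEYEXPIRED checks in the try_recv()/try_send() hunks exclude only the DISCONNECTING and TLS_HANDSHAKE states, so a KeyUpdate arriving while the queue is still NVMET_TCP_Q_CONNECTING reaches this function.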
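Review bot: nvmet_tcp_io_work() (hunk @@ -1408) discards the result of update_tls_keys() and, on both the recv and send paths, carries on with the next step of the loop even when the key update failed; a `return` (after failing the queue) on ret < 0 is needed there. Stylistically, the `else` left dangling before `#endif` in each block binds to a `return;` outside the #ifdef, which is legal but easy to misread and is duplicated twice; a static inline helper that evaluates to false when CONFIG_NVME_TARGET_TCP_TLS is off would also let the try_send()/try_recv() hunks drop their #ifdef and the braces around the single `goto done;`.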
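Review bot: nvmet_tcp_tls_handshake_done() (hunk @@ -1798) still unconditionally sets `queue->state = NVMET_TCP_Q_CONNECTING` on success, so a LIVE queue that performed a KeyUpdate briefly reports CONNECTING until update_tls_keys() sets NVMET_TCP_Q_LIVE after the completion fires. Either make the done callback aware that it completed a key update and leave the state as LIVE, or document that every state check that can run in between tolerates the transient CONNECTING.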
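Review bot: The new `case TLS_RECORD_TYPE_HANDSHAKE:` in nvmet_tcp_tls_record_ok() (hunk @@ -1135) silently retries on any post-handshake message without looking at its type, while the commit message says a received KeyUpdate is what triggers the rekey; a comment stating where the -EKEYEXPIRED that actually drives update_tls_keys() originates (this hunk only returns -EAGAIN) and that other handshake messages are simply skipped would save the next reader the search. A pr_debug() here would also help when diagnosing a connection that loops on -EAGAIN.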
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis
Subject: [PATCH v3 8/8] nvme-tcp: Allow userspace to trigger a KeyUpdate with debugfs
Date: Fri, 3 Oct 2025 14:31:39 +1000
Message-ID: <20251003043140.1341958-9-alistair.francis@wdc.com>
In-Reply-To: <20251003043140.1341958-1-alistair.francis@wdc.com>
References: <20251003043140.1341958-1-alistair.francis@wdc.com>
From: Alistair Francis Allow userspace to trigger a KeyUpdate via debugfs. This patch exposes a key_update file that can be written to with the queue number to trigger a KeyUpdate on that queue. Signed-off-by: Alistair Francis --- v3: - New patch drivers/nvme/host/tcp.c | 72 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 4f27319f0078..8c6d18727e90 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include 
@@ -1432,6 +1433,75 @@ static void update_tls_keys(struct nvme_tcp_queue *q= ueue) } } =20 +#ifdef CONFIG_NVME_TCP_TLS +#define NVME_DEBUGFS_RW_ATTR(field) \ + static int field##_open(struct inode *inode, struct file *file) \ + { return single_open(file, field##_show, inode->i_private); } \ + \ + static const struct file_operations field##_fops =3D { \ + .open =3D field##_open, \ + .read =3D seq_read, \ + .write =3D field##_write, \ + .release =3D single_release, \ + } + +static int nvme_ctrl_key_update_show(struct seq_file *m, void *p) +{ + seq_printf(m, "0\n"); + + return 0; +} + +static ssize_t nvme_ctrl_key_update_write(struct file *file, const char __= user *buf, + size_t count, loff_t *ppos) +{ + struct seq_file *m =3D file->private_data; + struct nvme_ctrl *nctrl =3D m->private; + struct nvme_tcp_ctrl *ctrl =3D to_tcp_ctrl(nctrl); + char kbuf[16] =3D {0}; + int queue_nr, rc; + struct nvme_tcp_queue *queue; + + if (count > sizeof(kbuf) - 1) + return -EINVAL; + if (copy_from_user(kbuf, buf, count)) + return -EFAULT; + kbuf[count] =3D 0; + + rc =3D kstrtouint(kbuf, 10, &queue_nr); + if (rc) + return rc; + + if (queue_nr >=3D nctrl->queue_count) + return -EINVAL; + + queue =3D &ctrl->queues[queue_nr]; + + update_tls_keys(queue); + + return count; +} +NVME_DEBUGFS_RW_ATTR(nvme_ctrl_key_update); +#endif + +static void nvme_tcp_debugfs_init(struct nvme_ctrl *ctrl, + const char *dev_name) +{ + struct dentry *parent; + + /* create debugfs directory and attribute */ + parent =3D debugfs_create_dir(dev_name, NULL); + if (IS_ERR(parent)) { + pr_warn("%s: failed to create debugfs directory\n", dev_name); + return; + } + +#ifdef CONFIG_NVME_TCP_TLS + debugfs_create_file("key_update", S_IWUSR, parent, ctrl, + &nvme_ctrl_key_update_fops); +#endif +} + static void nvme_tcp_io_work(struct work_struct *w) { struct nvme_tcp_queue *queue =3D 
@@ -3065,6 +3135,8 @@ static struct nvme_ctrl *nvme_tcp_create_ctrl(struct = device *dev, list_add_tail(&ctrl->list, &nvme_tcp_ctrl_list); mutex_unlock(&nvme_tcp_ctrl_mutex); =20 + nvme_tcp_debugfs_init(&ctrl->ctrl, dev_name(dev)); + return &ctrl->ctrl; =20 out_uninit_ctrl: --=20 2.51.0
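Review bot: In the hunk at @@ -1432, nvme_ctrl_key_update_write() hands an arbitrary queue straight to update_tls_keys() after only a `queue_nr >= nctrl->queue_count` bound check: nothing verifies that the queue is connected and actually running TLS, and the call runs in the writer's process context with no serialisation against that queue's io_work, so the same socket can be mid-send/recv while its callbacks are being swapped. A queue state check, plus whatever lock or work-queue hand-off the existing KeyUpdate path relies on, is needed before this is safe even as a root-only debug knob. Smaller points: `queue_nr` should be `unsigned int` to match kstrtouint(); `kbuf[count] = 0` is redundant given `char kbuf[16] = {0}`; the `IS_ERR(parent)` check goes against the debugfs convention of not checking return values; and with CONFIG_NVME_TCP_TLS disabled the function still creates an empty directory.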
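Review bot: No teardown matches the nvme_tcp_debugfs_init(&ctrl->ctrl, dev_name(dev)) call added at @@ -3065: the dentry returned by debugfs_create_dir() is discarded inside nvme_tcp_debugfs_init() and never passed to debugfs_remove(), so every controller leaks its directory, the key_update file keeps pointing at a controller that may already be freed, and a later controller reusing the same device name hits the "failed to create debugfs directory" warning. Store the dentry in struct nvme_tcp_ctrl and remove it in the controller free path, and consider nesting under one module-level directory rather than creating dev_name directly at the debugfs root.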