From: Alistair Francis <alistair.francis@wdc.com>
The TLS 1.3 specification allows the TLS client or server to send a
KeyUpdate. This is generally used when the sequence is about to
overflow or after a certain amount of bytes have been encrypted.
The TLS spec doesn't mandate the conditions though, so a KeyUpdate
can be sent by the TLS client or server at any time. This includes
when running NVMe-OF over a TLS 1.3 connection.
As such Linux should be able to handle a KeyUpdate event, as the
other NVMe side could initiate a KeyUpdate.
Upcoming WD NVMe-TCP hardware controllers implement TLS support
and send KeyUpdate requests.
This series builds on top of the existing TLS EKEYEXPIRED work,
which already detects a KeyUpdate request. We can now pass that
information up to the NVMe layer (target and host) and then pass
it up to userspace.
Userspace (ktls-utils) will need to save the connection state
in the keyring during the initial handshake. The kernel then
provides the key serial back to userspace when handling a
KeyUpdate. Userspace can use this to restore the connection
information and then update the keys, this final process
is similar to the initial handshake.
This series depends on the read_sock_cmsg() kernel patch:
https://lore.kernel.org/kernel-tls-handshake/20260217222033.1929211-1-cel@kernel.org
ktls-utils (tlshd) userspace patches are available at:
https://lore.kernel.org/kernel-tls-handshake/CAKmqyKNpFhPtM8HAkgRMKQA8_N7AgoeqaSTe2=0spPnb+Oz2ng@mail.gmail.com/T/#mb277f5c998282666d0f41cc02f4abf516fcc4e9c
Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
Based-on: 20260217222033.1929211-1-cel@kernel.org
v7:
- Don't use recvmsg() (see [1]) instead use read_sock_cmsg()
- Remove reviews from patch 4, as it changed a bit to support read_sock_cmsg()
v6:
- Don't free handshake request on completion (handshake_sk_destruct_req())
- Add handshake_req_keyupdate() which reuses existing handshake request
for a KeyUpdate
- Other small improvements and tidyups
v5:
- Cleanup code flow for nvme-tcp
- When using recvmsg in the host code first check for MSG_CTRUNC
in the msg_flags returned from recvmsg() and use that to determine
if it's a control message
- Drop clientkeyupdaterequest and serverkeyupdaterequest
v4:
- Don't stop the keep-alive timer
- Remove any support for sending a KeyUpdate
- Add tls_client_keyupdate_psk()' and 'tls_server_keyupdate_psk()'
- Code cleanups
- Change order of patches
v3:
- Rebase on the recvmsg() workflow patch
- Add debugfs support for the host
- Don't cancel an ongoing request
- Ensure a request is destructed on completion
v2:
- Change "key-serial" to "session-id"
- Fix reported build failures
- Drop tls_clear_err() function
- Stop keep alive timer during KeyUpdate
- Drop handshake message decoding in the NVMe layer
1: https://lists.infradead.org/pipermail/linux-nvme/2026-February/061252.html
Alistair Francis (5):
net/handshake: Store the key serial number on completion
net/handshake: Define handshake_req_keyupdate
net/handshake: Support KeyUpdate message types
nvme-tcp: Support KeyUpdate
nvmet-tcp: Support KeyUpdate
Documentation/netlink/specs/handshake.yaml | 20 +-
Documentation/networking/tls-handshake.rst | 1 +
drivers/nvme/host/tcp.c | 80 +++++++-
drivers/nvme/target/tcp.c | 213 ++++++++++++++-------
include/net/handshake.h | 11 +-
include/uapi/linux/handshake.h | 12 ++
net/handshake/genl.c | 5 +-
net/handshake/handshake.h | 2 +
net/handshake/request.c | 97 ++++++++++
net/handshake/tlshd.c | 97 +++++++++-
net/sunrpc/svcsock.c | 4 +-
net/sunrpc/xprtsock.c | 4 +-
12 files changed, 467 insertions(+), 79 deletions(-)
--
2.53.0