From: Alistair Francis <alistair.francis@wdc.com>
If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return
EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs
on an KeyUpdate event as described in RFC8446
https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3.
If the NVMe Target (TLS server) initiates a KeyUpdate this patch will
allow the NVMe layer to process the KeyUpdate request and forward the
request to userspace. Userspace must then update the key to keep the
connection alive.
This patch allows us to handle the NVMe target sending a KeyUpdate
request without aborting the connection. At this time we don't support
initiating a KeyUpdate.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
v7:
- Use read_sock_cmsg instead of recvmsg() to handle KeyUpdate
v6:
- Don't use `struct nvme_tcp_hdr` to determine TLS_HANDSHAKE_KEYUPDATE,
instead look at the cmsg fields.
- Don't flush async_event_work
v5:
- Cleanup code flow
- Check for MSG_CTRUNC in the msg_flags return from recvmsg
and use that to determine if it's a control message
v4:
- Remove all support for initiating KeyUpdate
- Don't call cancel_work() when updating keys
v3:
- Don't cancel existing handshake requests
v2:
- Don't change the state
- Use a helper function for KeyUpdates
- Continue sending in nvme_tcp_send_all() after a KeyUpdate
- Remove command message using recvmsg
drivers/nvme/host/tcp.c | 59 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 8b6172dd1c0f..ade11d2ac9ef 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -171,6 +171,7 @@ struct nvme_tcp_queue {
bool tls_enabled;
u32 rcv_crc;
u32 snd_crc;
+ key_serial_t handshake_session_id;
__le32 exp_ddgst;
__le32 recv_ddgst;
struct completion tls_complete;
@@ -1361,6 +1362,59 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue)
return ret;
}
+static void update_tls_keys(struct nvme_tcp_queue *queue)
+{
+ int qid = nvme_tcp_queue_id(queue);
+ int ret;
+
+ dev_dbg(queue->ctrl->ctrl.device,
+ "updating key for queue %d\n", qid);
+
+ ret = nvme_tcp_start_tls(&(queue->ctrl->ctrl),
+ queue, queue->ctrl->ctrl.tls_pskid,
+ HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED);
+
+ if (ret < 0) {
+ dev_err(queue->ctrl->ctrl.device,
+ "failed to update the keys %d\n", ret);
+ nvme_tcp_fail_request(queue->request);
+ }
+}
+
+static int nvme_tcp_recv_cmsg(read_descriptor_t *desc,
+ struct sk_buff *skb,
+ unsigned int offset, size_t len,
+ u8 content_type)
+{
+ struct nvme_tcp_queue *queue = desc->arg.data;
+ struct socket *sock = queue->sock;
+ struct sock *sk = sock->sk;
+
+ switch (content_type) {
+ case TLS_RECORD_TYPE_HANDSHAKE:
+ if (len == 5) {
+ u8 header[5];
+
+ if (!skb_copy_bits(skb, offset, header,
+ sizeof(header))) {
+ if (header[0] == TLS_HANDSHAKE_KEYUPDATE) {
+ dev_err(queue->ctrl->ctrl.device, "KeyUpdate message\n");
+ release_sock(sk);
+ update_tls_keys(queue);
+ lock_sock(sk);
+ return 0;
+ }
+ }
+ }
+
+ break;
+ default:
+ break;
+ }
+
+ return -EAGAIN;
+}
+
static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
{
struct socket *sock = queue->sock;
@@ -1372,7 +1426,8 @@ static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
rd_desc.count = 1;
lock_sock(sk);
queue->nr_cqe = 0;
- consumed = sock->ops->read_sock(sk, &rd_desc, nvme_tcp_recv_skb);
+ consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
+ nvme_tcp_recv_cmsg);
release_sock(sk);
return consumed == -EAGAIN ? 0 : consumed;
}
@@ -1708,6 +1763,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid,
ctrl->ctrl.tls_pskid = key_serial(tls_key);
key_put(tls_key);
queue->tls_err = 0;
+ queue->handshake_session_id = handshake_session_id;
}
out_complete:
@@ -1737,6 +1793,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl,
keyring = key_serial(nctrl->opts->keyring);
args.ta_keyring = keyring;
args.ta_timeout_ms = tls_handshake_timeout * 1000;
+ args.ta_handshake_session_id = queue->handshake_session_id;
queue->tls_err = -EOPNOTSUPP;
init_completion(&queue->tls_complete);
if (keyupdate == HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)
--
2.53.0Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on net/main net-next/main linus/master v7.0-rc2 next-20260304]
[cannot apply to linux-nvme/for-next horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/alistair23-gmail-com/net-handshake-Store-the-key-serial-number-on-completion/20260304-134148
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link: https://lore.kernel.org/r/20260304053500.590630-5-alistair.francis%40wdc.com
patch subject: [PATCH v7 4/5] nvme-tcp: Support KeyUpdate
config: sh-allmodconfig (https://download.01.org/0day-ci/archive/20260305/202603051846.RCN7R5uj-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260305/202603051846.RCN7R5uj-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603051846.RCN7R5uj-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/nvme/host/tcp.c: In function 'nvme_tcp_try_recv':
>> drivers/nvme/host/tcp.c:1429:31: error: 'const struct proto_ops' has no member named 'read_sock_cmsg'; did you mean 'read_sock'?
1429 | consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
| ^~~~~~~~~~~~~~
| read_sock
vim +1429 drivers/nvme/host/tcp.c
1417
1418 static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
1419 {
1420 struct socket *sock = queue->sock;
1421 struct sock *sk = sock->sk;
1422 read_descriptor_t rd_desc;
1423 int consumed;
1424
1425 rd_desc.arg.data = queue;
1426 rd_desc.count = 1;
1427 lock_sock(sk);
1428 queue->nr_cqe = 0;
> 1429 consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
1430 nvme_tcp_recv_cmsg);
1431 release_sock(sk);
1432 return consumed == -EAGAIN ? 0 : consumed;
1433 }
1434
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on net/main net-next/main linus/master v7.0-rc2 next-20260304]
[cannot apply to linux-nvme/for-next horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/alistair23-gmail-com/net-handshake-Store-the-key-serial-number-on-completion/20260304-134148
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link: https://lore.kernel.org/r/20260304053500.590630-5-alistair.francis%40wdc.com
patch subject: [PATCH v7 4/5] nvme-tcp: Support KeyUpdate
config: x86_64-buildonly-randconfig-006-20260305 (https://download.01.org/0day-ci/archive/20260305/202603051502.9qxZ0noK-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260305/202603051502.9qxZ0noK-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603051502.9qxZ0noK-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/nvme/host/tcp.c:1429:24: error: no member named 'read_sock_cmsg' in 'struct proto_ops'
1429 | consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
| ~~~~~~~~~ ^
1 error generated.
vim +1429 drivers/nvme/host/tcp.c
1417
1418 static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
1419 {
1420 struct socket *sock = queue->sock;
1421 struct sock *sk = sock->sk;
1422 read_descriptor_t rd_desc;
1423 int consumed;
1424
1425 rd_desc.arg.data = queue;
1426 rd_desc.count = 1;
1427 lock_sock(sk);
1428 queue->nr_cqe = 0;
> 1429 consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
1430 nvme_tcp_recv_cmsg);
1431 release_sock(sk);
1432 return consumed == -EAGAIN ? 0 : consumed;
1433 }
1434
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on net/main net-next/main linus/master v7.0-rc2 next-20260303]
[cannot apply to linux-nvme/for-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/alistair23-gmail-com/net-handshake-Store-the-key-serial-number-on-completion/20260304-134148
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link: https://lore.kernel.org/r/20260304053500.590630-5-alistair.francis%40wdc.com
patch subject: [PATCH v7 4/5] nvme-tcp: Support KeyUpdate
config: x86_64-rhel-9.4-kunit (https://download.01.org/0day-ci/archive/20260304/202603041124.uCwVY2n8-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260304/202603041124.uCwVY2n8-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603041124.uCwVY2n8-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/nvme/host/tcp.c: In function 'nvme_tcp_try_recv':
>> drivers/nvme/host/tcp.c:1429:31: error: 'const struct proto_ops' has no member named 'read_sock_cmsg'; did you mean 'read_sock'?
1429 | consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
| ^~~~~~~~~~~~~~
| read_sock
vim +1429 drivers/nvme/host/tcp.c
1417
1418 static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
1419 {
1420 struct socket *sock = queue->sock;
1421 struct sock *sk = sock->sk;
1422 read_descriptor_t rd_desc;
1423 int consumed;
1424
1425 rd_desc.arg.data = queue;
1426 rd_desc.count = 1;
1427 lock_sock(sk);
1428 queue->nr_cqe = 0;
> 1429 consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
1430 nvme_tcp_recv_cmsg);
1431 release_sock(sk);
1432 return consumed == -EAGAIN ? 0 : consumed;
1433 }
1434
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
On 3/4/26 06:34, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
>
> If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return
> EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs
> on an KeyUpdate event as described in RFC8446
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3.
>
> If the NVMe Target (TLS server) initiates a KeyUpdate this patch will
> allow the NVMe layer to process the KeyUpdate request and forward the
> request to userspace. Userspace must then update the key to keep the
> connection alive.
>
> This patch allows us to handle the NVMe target sending a KeyUpdate
> request without aborting the connection. At this time we don't support
> initiating a KeyUpdate.
>
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
> v7:
> - Use read_sock_cmsg instead of recvmsg() to handle KeyUpdate
> v6:
> - Don't use `struct nvme_tcp_hdr` to determine TLS_HANDSHAKE_KEYUPDATE,
> instead look at the cmsg fields.
> - Don't flush async_event_work
> v5:
> - Cleanup code flow
> - Check for MSG_CTRUNC in the msg_flags return from recvmsg
> and use that to determine if it's a control message
> v4:
> - Remove all support for initiating KeyUpdate
> - Don't call cancel_work() when updating keys
> v3:
> - Don't cancel existing handshake requests
> v2:
> - Don't change the state
> - Use a helper function for KeyUpdates
> - Continue sending in nvme_tcp_send_all() after a KeyUpdate
> - Remove command message using recvmsg
>
> drivers/nvme/host/tcp.c | 59 ++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 58 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index 8b6172dd1c0f..ade11d2ac9ef 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -171,6 +171,7 @@ struct nvme_tcp_queue {
> bool tls_enabled;
> u32 rcv_crc;
> u32 snd_crc;
> + key_serial_t handshake_session_id;
> __le32 exp_ddgst;
> __le32 recv_ddgst;
> struct completion tls_complete;
> @@ -1361,6 +1362,59 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue)
> return ret;
> }
>
> +static void update_tls_keys(struct nvme_tcp_queue *queue)
> +{
> + int qid = nvme_tcp_queue_id(queue);
> + int ret;
> +
> + dev_dbg(queue->ctrl->ctrl.device,
> + "updating key for queue %d\n", qid);
> +
> + ret = nvme_tcp_start_tls(&(queue->ctrl->ctrl),
> + queue, queue->ctrl->ctrl.tls_pskid,
> + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED);
> +
> + if (ret < 0) {
> + dev_err(queue->ctrl->ctrl.device,
> + "failed to update the keys %d\n", ret);
> + nvme_tcp_fail_request(queue->request);
> + }
> +}
> +
> +static int nvme_tcp_recv_cmsg(read_descriptor_t *desc,
> + struct sk_buff *skb,
> + unsigned int offset, size_t len,
> + u8 content_type)
> +{
> + struct nvme_tcp_queue *queue = desc->arg.data;
> + struct socket *sock = queue->sock;
> + struct sock *sk = sock->sk;
> +
> + switch (content_type) {
> + case TLS_RECORD_TYPE_HANDSHAKE:
> + if (len == 5) {
> + u8 header[5];
> +
> + if (!skb_copy_bits(skb, offset, header,
> + sizeof(header))) {
> + if (header[0] == TLS_HANDSHAKE_KEYUPDATE) {
> + dev_err(queue->ctrl->ctrl.device, "KeyUpdate message\n");
> + release_sock(sk);
> + update_tls_keys(queue);
> + lock_sock(sk);
> + return 0;
> + }
> + }
> + }
> +
> + break;
> + default:
> + break;
> + }
I think a simple 'if' condition would be sufficient here, or do you have
handling of other TLS record types queued somewhere?
And we should log unhandled TLS records.
> +
> + return -EAGAIN;
> +}
> +
> static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
> {
> struct socket *sock = queue->sock;
> @@ -1372,7 +1426,8 @@ static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
> rd_desc.count = 1;
> lock_sock(sk);
> queue->nr_cqe = 0;
> - consumed = sock->ops->read_sock(sk, &rd_desc, nvme_tcp_recv_skb);
> + consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
> + nvme_tcp_recv_cmsg);
> release_sock(sk);
> return consumed == -EAGAIN ? 0 : consumed;
> }
> @@ -1708,6 +1763,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid,
> ctrl->ctrl.tls_pskid = key_serial(tls_key);
> key_put(tls_key);
> queue->tls_err = 0;
> + queue->handshake_session_id = handshake_session_id;
> }
>
> out_complete:
> @@ -1737,6 +1793,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl,
> keyring = key_serial(nctrl->opts->keyring);
> args.ta_keyring = keyring;
> args.ta_timeout_ms = tls_handshake_timeout * 1000;
> + args.ta_handshake_session_id = queue->handshake_session_id;
> queue->tls_err = -EOPNOTSUPP;
> init_completion(&queue->tls_complete);
> if (keyupdate == HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)
Otherwise looks good.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On Wed, Mar 4, 2026 at 5:40 PM Hannes Reinecke <hare@suse.de> wrote:
>
> On 3/4/26 06:34, alistair23@gmail.com wrote:
> > From: Alistair Francis <alistair.francis@wdc.com>
> >
> > If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return
> > EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs
> > on an KeyUpdate event as described in RFC8446
> > https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3.
> >
> > If the NVMe Target (TLS server) initiates a KeyUpdate this patch will
> > allow the NVMe layer to process the KeyUpdate request and forward the
> > request to userspace. Userspace must then update the key to keep the
> > connection alive.
> >
> > This patch allows us to handle the NVMe target sending a KeyUpdate
> > request without aborting the connection. At this time we don't support
> > initiating a KeyUpdate.
> >
> > Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> > ---
> > v7:
> > - Use read_sock_cmsg instead of recvmsg() to handle KeyUpdate
> > v6:
> > - Don't use `struct nvme_tcp_hdr` to determine TLS_HANDSHAKE_KEYUPDATE,
> > instead look at the cmsg fields.
> > - Don't flush async_event_work
> > v5:
> > - Cleanup code flow
> > - Check for MSG_CTRUNC in the msg_flags return from recvmsg
> > and use that to determine if it's a control message
> > v4:
> > - Remove all support for initiating KeyUpdate
> > - Don't call cancel_work() when updating keys
> > v3:
> > - Don't cancel existing handshake requests
> > v2:
> > - Don't change the state
> > - Use a helper function for KeyUpdates
> > - Continue sending in nvme_tcp_send_all() after a KeyUpdate
> > - Remove command message using recvmsg
> >
> > drivers/nvme/host/tcp.c | 59 ++++++++++++++++++++++++++++++++++++++++-
> > 1 file changed, 58 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> > index 8b6172dd1c0f..ade11d2ac9ef 100644
> > --- a/drivers/nvme/host/tcp.c
> > +++ b/drivers/nvme/host/tcp.c
> > @@ -171,6 +171,7 @@ struct nvme_tcp_queue {
> > bool tls_enabled;
> > u32 rcv_crc;
> > u32 snd_crc;
> > + key_serial_t handshake_session_id;
> > __le32 exp_ddgst;
> > __le32 recv_ddgst;
> > struct completion tls_complete;
> > @@ -1361,6 +1362,59 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue)
> > return ret;
> > }
> >
> > +static void update_tls_keys(struct nvme_tcp_queue *queue)
> > +{
> > + int qid = nvme_tcp_queue_id(queue);
> > + int ret;
> > +
> > + dev_dbg(queue->ctrl->ctrl.device,
> > + "updating key for queue %d\n", qid);
> > +
> > + ret = nvme_tcp_start_tls(&(queue->ctrl->ctrl),
> > + queue, queue->ctrl->ctrl.tls_pskid,
> > + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED);
> > +
> > + if (ret < 0) {
> > + dev_err(queue->ctrl->ctrl.device,
> > + "failed to update the keys %d\n", ret);
> > + nvme_tcp_fail_request(queue->request);
> > + }
> > +}
> > +
> > +static int nvme_tcp_recv_cmsg(read_descriptor_t *desc,
> > + struct sk_buff *skb,
> > + unsigned int offset, size_t len,
> > + u8 content_type)
> > +{
> > + struct nvme_tcp_queue *queue = desc->arg.data;
> > + struct socket *sock = queue->sock;
> > + struct sock *sk = sock->sk;
> > +
> > + switch (content_type) {
> > + case TLS_RECORD_TYPE_HANDSHAKE:
> > + if (len == 5) {
> > + u8 header[5];
> > +
> > + if (!skb_copy_bits(skb, offset, header,
> > + sizeof(header))) {
> > + if (header[0] == TLS_HANDSHAKE_KEYUPDATE) {
> > + dev_err(queue->ctrl->ctrl.device, "KeyUpdate message\n");
> > + release_sock(sk);
> > + update_tls_keys(queue);
> > + lock_sock(sk);
> > + return 0;
> > + }
> > + }
> > + }
> > +
> > + break;
> > + default:
> > + break;
> > + }
>
> I think a simple 'if' condition would be sufficient here, or do you have
> handling of other TLS record types queued somewhere?
> And we should log unhandled TLS records.
I like this approach as it makes it really easy to handle more types
in the future. I don't have any more record types queued anywhere so I
can change it to an if statement.
Good point about logging unhandled records
Alistair
>
> > +
> > + return -EAGAIN;
> > +}
> > +
> > static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
> > {
> > struct socket *sock = queue->sock;
> > @@ -1372,7 +1426,8 @@ static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
> > rd_desc.count = 1;
> > lock_sock(sk);
> > queue->nr_cqe = 0;
> > - consumed = sock->ops->read_sock(sk, &rd_desc, nvme_tcp_recv_skb);
> > + consumed = sock->ops->read_sock_cmsg(sk, &rd_desc, nvme_tcp_recv_skb,
> > + nvme_tcp_recv_cmsg);
> > release_sock(sk);
> > return consumed == -EAGAIN ? 0 : consumed;
> > }
> > @@ -1708,6 +1763,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid,
> > ctrl->ctrl.tls_pskid = key_serial(tls_key);
> > key_put(tls_key);
> > queue->tls_err = 0;
> > + queue->handshake_session_id = handshake_session_id;
> > }
> >
> > out_complete:
> > @@ -1737,6 +1793,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl,
> > keyring = key_serial(nctrl->opts->keyring);
> > args.ta_keyring = keyring;
> > args.ta_timeout_ms = tls_handshake_timeout * 1000;
> > + args.ta_handshake_session_id = queue->handshake_session_id;
> > queue->tls_err = -EOPNOTSUPP;
> > init_completion(&queue->tls_complete);
> > if (keyupdate == HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)
>
> Otherwise looks good.
>
> Cheers,
>
> Hannes
> --
> Dr. Hannes Reinecke Kernel Storage Architect
> hare@suse.de +49 911 74053 688
> SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On Wed, Mar 04, 2026 at 09:37:22PM +1000, Alistair Francis wrote: > > I think a simple 'if' condition would be sufficient here, or do you have > > handling of other TLS record types queued somewhere? > > And we should log unhandled TLS records. > > I like this approach as it makes it really easy to handle more types > in the future. I don't have any more record types queued anywhere so I > can change it to an if statement. Agreed. OTOH having more than a handful of lines in switches like this is a always a bad idea, so factoring this out into a type-specific helper would be much preferred.
On 3/4/26 12:37, Alistair Francis wrote:
> On Wed, Mar 4, 2026 at 5:40 PM Hannes Reinecke <hare@suse.de> wrote:
>>
>> On 3/4/26 06:34, alistair23@gmail.com wrote:
>>> From: Alistair Francis <alistair.francis@wdc.com>
>>>
>>> If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return
>>> EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs
>>> on an KeyUpdate event as described in RFC8446
>>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3.
>>>
>>> If the NVMe Target (TLS server) initiates a KeyUpdate this patch will
>>> allow the NVMe layer to process the KeyUpdate request and forward the
>>> request to userspace. Userspace must then update the key to keep the
>>> connection alive.
>>>
>>> This patch allows us to handle the NVMe target sending a KeyUpdate
>>> request without aborting the connection. At this time we don't support
>>> initiating a KeyUpdate.
>>>
>>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>>> ---
>>> v7:
>>> - Use read_sock_cmsg instead of recvmsg() to handle KeyUpdate
>>> v6:
>>> - Don't use `struct nvme_tcp_hdr` to determine TLS_HANDSHAKE_KEYUPDATE,
>>> instead look at the cmsg fields.
>>> - Don't flush async_event_work
>>> v5:
>>> - Cleanup code flow
>>> - Check for MSG_CTRUNC in the msg_flags return from recvmsg
>>> and use that to determine if it's a control message
>>> v4:
>>> - Remove all support for initiating KeyUpdate
>>> - Don't call cancel_work() when updating keys
>>> v3:
>>> - Don't cancel existing handshake requests
>>> v2:
>>> - Don't change the state
>>> - Use a helper function for KeyUpdates
>>> - Continue sending in nvme_tcp_send_all() after a KeyUpdate
>>> - Remove command message using recvmsg
>>>
>>> drivers/nvme/host/tcp.c | 59 ++++++++++++++++++++++++++++++++++++++++-
>>> 1 file changed, 58 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
>>> index 8b6172dd1c0f..ade11d2ac9ef 100644
>>> --- a/drivers/nvme/host/tcp.c
>>> +++ b/drivers/nvme/host/tcp.c
>>> @@ -171,6 +171,7 @@ struct nvme_tcp_queue {
>>> bool tls_enabled;
>>> u32 rcv_crc;
>>> u32 snd_crc;
>>> + key_serial_t handshake_session_id;
>>> __le32 exp_ddgst;
>>> __le32 recv_ddgst;
>>> struct completion tls_complete;
>>> @@ -1361,6 +1362,59 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue)
>>> return ret;
>>> }
>>>
>>> +static void update_tls_keys(struct nvme_tcp_queue *queue)
>>> +{
>>> + int qid = nvme_tcp_queue_id(queue);
>>> + int ret;
>>> +
>>> + dev_dbg(queue->ctrl->ctrl.device,
>>> + "updating key for queue %d\n", qid);
>>> +
>>> + ret = nvme_tcp_start_tls(&(queue->ctrl->ctrl),
>>> + queue, queue->ctrl->ctrl.tls_pskid,
>>> + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED);
>>> +
>>> + if (ret < 0) {
>>> + dev_err(queue->ctrl->ctrl.device,
>>> + "failed to update the keys %d\n", ret);
>>> + nvme_tcp_fail_request(queue->request);
>>> + }
>>> +}
>>> +
>>> +static int nvme_tcp_recv_cmsg(read_descriptor_t *desc,
>>> + struct sk_buff *skb,
>>> + unsigned int offset, size_t len,
>>> + u8 content_type)
>>> +{
>>> + struct nvme_tcp_queue *queue = desc->arg.data;
>>> + struct socket *sock = queue->sock;
>>> + struct sock *sk = sock->sk;
>>> +
>>> + switch (content_type) {
>>> + case TLS_RECORD_TYPE_HANDSHAKE:
>>> + if (len == 5) {
>>> + u8 header[5];
>>> +
>>> + if (!skb_copy_bits(skb, offset, header,
>>> + sizeof(header))) {
>>> + if (header[0] == TLS_HANDSHAKE_KEYUPDATE) {
>>> + dev_err(queue->ctrl->ctrl.device, "KeyUpdate message\n");
>>> + release_sock(sk);
>>> + update_tls_keys(queue);
>>> + lock_sock(sk);
>>> + return 0;
>>> + }
>>> + }
>>> + }
>>> +
>>> + break;
>>> + default:
>>> + break;
>>> + }
>>
>> I think a simple 'if' condition would be sufficient here, or do you have
>> handling of other TLS record types queued somewhere?
>> And we should log unhandled TLS records.
>
> I like this approach as it makes it really easy to handle more types
> in the future. I don't have any more record types queued anywhere so I
> can change it to an if statement.
>
> Good point about logging unhandled records
>
Which reminds me:
This is now a simple callback, and doesn't influence the main state machine.
In particular, we do _not_ reset the connection (as we did with the
original implementation) if we received an unhandled TLS record.
I guess we should be doing that nevertheless, as unhandled TLS records
also will include things like TLS Alert which really require us to
reset the connection.
Hmm?
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
© 2016 - 2026 Red Hat, Inc.