From nobody Fri Apr 3 06:28:25 2026 Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BCD2930E84D for ; Wed, 4 Mar 2026 05:36:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772602607; cv=none; b=qB8EhzIqU27Bden4V9Flloqcl5GiFQWtjoGv5DcHBCy1oZb3U3XjRKxTtIfobWhvxx5uDxSj1ZKjqYM06TguC7Iq6KWAZuz3CsIE9eZceP8Sdh9MgvAS0Zc3TqAuXZ4j4m6JDFHrfBUofS/mwGZ2fNinj+/3G/ZBuz/uOyDBfUM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772602607; c=relaxed/simple; bh=VqhcGKAJRjtRuoJc4J7oADAGv+ArrFQaBFuFFPKfX98=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZRDwOpwHKxOXRPgrFERgZp48Erf9JWY6O1y2B0dIZpq3w5ADhtSR8xR5KrSEKTqsixE4PTQEEI3WOt1NjZ8gck714JWaTZYFVmPO3e7Ocq18hR0V+I/r20C7Qp9C6+C9nYJOpZbgnYR8zTeK6ePE/gpFFAgx8XvZPcxjHOkVfLA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=I191fUWK; arc=none smtp.client-ip=209.85.216.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="I191fUWK" Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-359863611faso1337416a91.3 for ; Tue, 03 Mar 2026 21:36:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772602605; x=1773207405; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=YBh3mRAyM98WdbFlOpQdr++fXfCeSb+WIiI2vsSeFJY=; b=I191fUWK6J00M8nUnvQqLHXUQ5QXvTw7VzKEixDkPElT7NEVx7X3trrPMIK5FNfmHG 6fatEvh56jytkgN2r3McgdUtH/JskVGBvqgG9SvUW8WKW/5naxUoQzjF6eXa2eTEcfSy IW7M5PztbCYSPMh1hG1Rp7TVIvEMUb5TGVNXtnu/VYpfAue3NlW5TOm3BgoXJb80Xotk vOMRpuwcLz3EQ50d7q3jtFCGS0Ko1ScHoeaQ2U27pHLtHVYt6s7S0a1BksYD9CYrMKWm eUbK1p11ZDx+fNyPfybH0SsYh5XL1dGG9jBhYhOgaJEXAthvUELuZanrTnxkUvaFM7l8 8uAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772602605; x=1773207405; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=YBh3mRAyM98WdbFlOpQdr++fXfCeSb+WIiI2vsSeFJY=; b=CW9x8kLhMPr084ietI69aumJIr7KGDO30unTpTRbbMgl2v8n4TXAflhk9+YI4yKt6V Rl6ZdrTmwscaipIqf1vTHwiNFDEqXlbxbHi5HSGLfU/0rYr6AQfIgGa1ruRsgdaErqWI xG5qJuwAzvrFxrURqriXM4m1MFI3/AZ1lOjKvydN/g/IuH6OM+m1F0EklcuuLZ3rfbb3 OUNDiBfL2BjJh8oP3SkawwPuCa6kzOc12u6rgDG8HNu68Qj1zwJVDQiQtl50OOcZyUez qFnSyF2XbPBZyhF7aqFuVS/ooeX0MUlGd6cUeIqVgsBpNxQoAE7YTchmlT76pfK/ARYy phUg== X-Forwarded-Encrypted: i=1; AJvYcCVBrVrOKpkwrSoedUEWCz2mD9cJh2TB9J68yoQuNMN98ssPYLoZBxiFIAnfE5KvugphrrDO1nNTfHhStSg=@vger.kernel.org X-Gm-Message-State: AOJu0Ywgy9Jq5iOY/G68+mcwHH/Jp9iuaAH71iCDkzLAol13Km7L1LBI 0FvI5ZS1EeSCscU/dljqbaIkex+YERctXcW9SVD63G65kXyAudZtwA26 X-Gm-Gg: ATEYQzz1bNpEwWDhuOxeim5AYRa+os0Ja2/zldXNefq3gHkLRYIQ4ndvDKIGMpO2GH9 7pSpyo+BrcaeHOu8f1nSFgne2P4oL/eXFs2W46VaYrafdlKZXig/xLN5as9jThhLGeT6PL2ldYm +UVB2SrBXMRxEAYwpO6sQtzIZljsbP92743WPffG7dFR43v1UunZ1TRPWPrZ7WjwkGfYE2ZaCxE y4wMJCpe+o+vXlJcaob2wA7JXM/FQIY3U6ct4Vl2M2walCiN50DFRevWg/rhw3eHiJ99LXWfHXb 7cDRhi+4h9JwXQZJ4pbcfU5+roZGa0t4PiefPE2FwO+mIYl9iCLK1VQL3ogFzdw+SaIIASohsnh /9f7sm/23K+FKk/jcy/P2zsKIN7n56PXuJ+8PlAu5CWhYXauHA47WT6XVD/CwtX4d1HQlG2gGrO cLUwj7dQ1XUaqFvADOET7o+lkaWREpeH7D6vf4+TEJxb9CMdYRkmJA X-Received: by 2002:a17:90a:d44f:b0:354:a09a:1016 with SMTP id 98e67ed59e1d1-359a6a9f53dmr915696a91.30.1772602605048; Tue, 03 Mar 2026 21:36:45 -0800 (PST) Received: from toolbx.alistair23.me ([2403:581e:fdf9:0:6209:4521:6813:45b7]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3599c090bfdsm4020057a91.8.2026.03.03.21.36.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Mar 2026 21:36:44 -0800 (PST) From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis Subject: [PATCH v7 3/5] net/handshake: Support KeyUpdate message types Date: Wed, 4 Mar 2026 15:34:58 +1000 Message-ID: <20260304053500.590630-4-alistair.francis@wdc.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260304053500.590630-1-alistair.francis@wdc.com> References: <20260304053500.590630-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis When reporting the msg-type to userspace let's also support reporting KeyUpdate events. This supports reporting a client/server event and if the other side requested a KeyUpdateRequest. Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3 Signed-off-by: Alistair Francis Reviewed-by: Chuck Lever Reviewed-by: Hannes Reinecke --- v7: - No change v6: - Init th_key_update_request field to 0 v5: - Drop clientkeyupdaterequest and serverkeyupdaterequest v4: - Don't overload existing functions, instead create new ones v3: - Fixup yamllint and kernel-doc failures Documentation/netlink/specs/handshake.yaml | 16 ++++- drivers/nvme/host/tcp.c | 15 +++- drivers/nvme/target/tcp.c | 10 ++- include/net/handshake.h | 6 ++ include/uapi/linux/handshake.h | 11 +++ net/handshake/tlshd.c | 84 +++++++++++++++++++++- 6 files changed, 134 insertions(+), 8 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index a273bc74d26f..2f77216c8ddf 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -21,12 +21,18 @@ definitions: type: enum name: msg-type value-start: 0 - entries: [unspec, clienthello, serverhello] + entries: [unspec, clienthello, serverhello, clientkeyupdate, + serverkeyupdate] - type: enum name: auth value-start: 0 entries: [unspec, unauth, psk, x509] + - + type: enum + name: key-update-type + value-start: 0 + entries: [unspec, send, received, received_request_update] =20 attribute-sets: - @@ -74,6 +80,13 @@ attribute-sets: - name: keyring type: u32 + - + name: key-update-request + type: u32 + enum: key-update-type + - + name: session-id + type: u32 - name: done attributes: @@ -116,6 +129,7 @@ operations: - certificate - peername - keyring + - session-id - name: done doc: Handler reports handshake completion diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 204f45f791a3..8b6172dd1c0f 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -19,6 +19,7 @@ #include #include #include +#include =20 #include "nvme.h" #include "fabrics.h" @@ -205,6 +206,10 @@ static struct workqueue_struct *nvme_tcp_wq; static const struct blk_mq_ops nvme_tcp_mq_ops; static const struct blk_mq_ops nvme_tcp_admin_mq_ops; static int nvme_tcp_try_send(struct nvme_tcp_queue *queue); +static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, + struct nvme_tcp_queue *queue, + key_serial_t pskid, + enum handshake_key_update_type keyupdate); =20 static inline struct nvme_tcp_ctrl *to_tcp_ctrl(struct nvme_ctrl *ctrl) { @@ -1711,7 +1716,8 @@ static void nvme_tcp_tls_done(void *data, int status,= key_serial_t pskid, =20 static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, struct nvme_tcp_queue *queue, - key_serial_t pskid) + key_serial_t pskid, + enum handshake_key_update_type keyupdate) { int qid =3D nvme_tcp_queue_id(queue); int ret; @@ -1733,7 +1739,10 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctr= l, args.ta_timeout_ms =3D tls_handshake_timeout * 1000; queue->tls_err =3D -EOPNOTSUPP; init_completion(&queue->tls_complete); - ret =3D tls_client_hello_psk(&args, GFP_KERNEL); + if (keyupdate =3D=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + ret =3D tls_client_hello_psk(&args, GFP_KERNEL); + else + ret =3D tls_client_keyupdate_psk(&args, GFP_KERNEL, keyupdate); if (ret) { dev_err(nctrl->device, "queue %d: failed to start TLS: %d\n", qid, ret); @@ -1883,7 +1892,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nct= rl, int qid, =20 /* If PSKs are configured try to start TLS */ if (nvme_tcp_tls_configured(nctrl) && pskid) { - ret =3D nvme_tcp_start_tls(nctrl, queue, pskid); + ret =3D nvme_tcp_start_tls(nctrl, queue, pskid, HANDSHAKE_KEY_UPDATE_TYP= E_UNSPEC); if (ret) goto err_init_connect; } diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 63613e60f566..7f1c651a52a4 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1861,7 +1861,8 @@ static void nvmet_tcp_tls_handshake_timeout(struct wo= rk_struct *w) kref_put(&queue->kref, nvmet_tcp_release_queue); } =20 -static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue) +static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue, + enum handshake_key_update_type keyupdate) { int ret =3D -EOPNOTSUPP; struct tls_handshake_args args; @@ -1880,7 +1881,10 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_= queue *queue) args.ta_keyring =3D key_serial(queue->port->nport->keyring); args.ta_timeout_ms =3D tls_handshake_timeout * 1000; =20 - ret =3D tls_server_hello_psk(&args, GFP_KERNEL); + if (keyupdate =3D=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + ret =3D tls_server_hello_psk(&args, GFP_KERNEL); + else + ret =3D tls_server_keyupdate_psk(&args, GFP_KERNEL, keyupdate); if (ret) { kref_put(&queue->kref, nvmet_tcp_release_queue); pr_err("failed to start TLS, err=3D%d\n", ret); @@ -1962,7 +1966,7 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_po= rt *port, sk->sk_data_ready =3D port->data_ready; write_unlock_bh(&sk->sk_callback_lock); if (!nvmet_tcp_try_peek_pdu(queue)) { - if (!nvmet_tcp_tls_handshake(queue)) + if (!nvmet_tcp_tls_handshake(queue, HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)) return; /* TLS handshake failed, terminate the connection */ goto out_destroy_sq; diff --git a/include/net/handshake.h b/include/net/handshake.h index d9b2411d5523..54fb101202d2 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -10,6 +10,8 @@ #ifndef _NET_HANDSHAKE_H #define _NET_HANDSHAKE_H =20 +#include + enum { TLS_NO_KEYRING =3D 0, TLS_NO_PEERID =3D 0, @@ -39,8 +41,12 @@ struct tls_handshake_args { int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_client_keyupdate_psk(const struct tls_handshake_args *args, gfp_t = flags, + enum handshake_key_update_type keyupdate); int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_server_keyupdate_psk(const struct tls_handshake_args *args, gfp_t = flags, + enum handshake_key_update_type keyupdate); =20 bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 7fb3ef7f64df..ff8b423044ff 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -20,6 +20,8 @@ enum handshake_msg_type { HANDSHAKE_MSG_TYPE_UNSPEC, HANDSHAKE_MSG_TYPE_CLIENTHELLO, HANDSHAKE_MSG_TYPE_SERVERHELLO, + HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE, + HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE, }; =20 enum handshake_auth { @@ -29,6 +31,13 @@ enum handshake_auth { HANDSHAKE_AUTH_X509, }; =20 +enum handshake_key_update_type { + HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC, + HANDSHAKE_KEY_UPDATE_TYPE_SEND, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED_REQUEST_UPDATE, +}; + enum { HANDSHAKE_A_X509_CERT =3D 1, HANDSHAKE_A_X509_PRIVKEY, @@ -47,6 +56,8 @@ enum { HANDSHAKE_A_ACCEPT_CERTIFICATE, HANDSHAKE_A_ACCEPT_PEERNAME, HANDSHAKE_A_ACCEPT_KEYRING, + HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + HANDSHAKE_A_ACCEPT_SESSION_ID, =20 __HANDSHAKE_A_ACCEPT_MAX, HANDSHAKE_A_ACCEPT_MAX =3D (__HANDSHAKE_A_ACCEPT_MAX - 1) diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index e72f45bdc226..d102211e9d77 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -41,6 +41,7 @@ struct tls_handshake_req { unsigned int th_num_peerids; key_serial_t th_peerid[5]; =20 + unsigned int th_key_update_request; key_serial_t th_handshake_session_id; }; =20 @@ -58,7 +59,9 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; - treq->th_handshake_session_id =3D TLS_NO_SESSION_ID; + treq->th_key_update_request =3D 0; + treq->th_handshake_session_id =3D args->ta_handshake_session_id; + return treq; } =20 @@ -265,6 +268,16 @@ static int tls_handshake_accept(struct handshake_req *= req, break; } =20 + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_SESSION_ID, + treq->th_handshake_session_id); + if (ret < 0) + goto out_cancel; + + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + treq->th_key_update_request); + if (ret < 0) + goto out_cancel; + genlmsg_end(msg, hdr); return genlmsg_reply(msg, info); =20 @@ -373,6 +386,44 @@ int tls_client_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) } EXPORT_SYMBOL(tls_client_hello_psk); =20 +/** + * tls_client_keyupdate_psk - request a PSK-based TLS handshake on a socket + * @args: socket and handshake parameters for this request + * @flags: memory allocation control flags + * @keyupdate: specifies the type of KeyUpdate operation + * + * Return values: + * %0: Handshake request enqueue; ->done will be called when complete + * %-EINVAL: Wrong number of local peer IDs + * %-ESRCH: No user agent is available + * %-ENOMEM: Memory allocation failed + */ +int tls_client_keyupdate_psk(const struct tls_handshake_args *args, gfp_t = flags, + enum handshake_key_update_type keyupdate) +{ + struct tls_handshake_req *treq; + struct handshake_req *req; + unsigned int i; + + if (!args->ta_num_peerids || + args->ta_num_peerids > ARRAY_SIZE(treq->th_peerid)) + return -EINVAL; + + req =3D handshake_req_hash_lookup(args->ta_sock->sk); + if (!req) + return -ENOMEM; + treq =3D tls_handshake_req_init(req, args); + treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE; + treq->th_key_update_request =3D keyupdate; + treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; + treq->th_num_peerids =3D args->ta_num_peerids; + for (i =3D 0; i < args->ta_num_peerids; i++) + treq->th_peerid[i] =3D args->ta_my_peerids[i]; + + return handshake_req_keyupdate(args->ta_sock, req, flags); +} +EXPORT_SYMBOL(tls_client_keyupdate_psk); + /** * tls_server_hello_x509 - request a server TLS handshake on a socket * @args: socket and handshake parameters for this request @@ -429,6 +480,37 @@ int tls_server_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) } EXPORT_SYMBOL(tls_server_hello_psk); =20 +/** + * tls_server_keyupdate_psk - request a server TLS KeyUpdate on a socket + * @args: socket and handshake parameters for this request + * @flags: memory allocation control flags + * @keyupdate: specifies the type of KeyUpdate operation + * + * Return values: + * %0: Handshake request enqueue; ->done will be called when complete + * %-ESRCH: No user agent is available + * %-ENOMEM: Memory allocation failed + */ +int tls_server_keyupdate_psk(const struct tls_handshake_args *args, gfp_t = flags, + enum handshake_key_update_type keyupdate) +{ + struct tls_handshake_req *treq; + struct handshake_req *req; + + req =3D handshake_req_hash_lookup(args->ta_sock->sk); + if (!req) + return -ENOMEM; + treq =3D tls_handshake_req_init(req, args); + treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE; + treq->th_key_update_request =3D keyupdate; + treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; + treq->th_num_peerids =3D 1; + treq->th_peerid[0] =3D args->ta_my_peerids[0]; + + return handshake_req_keyupdate(args->ta_sock, req, flags); +} +EXPORT_SYMBOL(tls_server_keyupdate_psk); + /** * tls_handshake_cancel - cancel a pending handshake * @sk: socket on which there is an ongoing handshake --=20 2.53.0