From nobody Mon Jun 15 06:28:01 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC17C3A75A5
	for <linux-kernel@vger.kernel.org>; Wed,  8 Apr 2026 15:40:42 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775662842; cv=none;
 b=HLixPgvu4+rTsRS5ZyDFqzdIITsS6u88NNVSCrtK5EtV17WHOcJiTKGsSDuwvoSLR/EE5p45gax6HKX2SemO5bc6K38kmwxW+OdEJsidfkkEPEziQf7Qo76sWvTwepe/7yhAWOPnfXunvbC8WKDIVG8Tft/x4dig4ocVum7JTRk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775662842; c=relaxed/simple;
	bh=T9eENRx8Vijbe7VUHRlA1HqOoKCLopgkVYMPovhYkEk=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc;
 b=PxMBqeMosNw01nAG26Vw+q2YC4p9O/092XxxSbwR0QWXRvTW/v2x/woiOaTzem1IFXW/cmXWyg9XPArk6X2ueqybiBGWYxnWPFxGcg3W+UVJln0+1VoGHZwl48U6P+j3xzbEhHgiIGl5M87cJiB6MH9K9RjQATcB9xnuUCSBS7Y=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=J8Bl87ZX; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="J8Bl87ZX"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D750DC19421;
	Wed,  8 Apr 2026 15:40:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1775662842;
	bh=T9eENRx8Vijbe7VUHRlA1HqOoKCLopgkVYMPovhYkEk=;
	h=From:Date:Subject:To:Cc:From;
	b=J8Bl87ZXTVzinTe4F9I1YLDGR9c95zdz64PSQfZXbLyZskTQg/XFGkPq8LCFqxdYB
	 zLD/VG/6wQ1T3Is2a0MQVjwneF0pFXabtiQB4hddbGR1JVYD1t+yGnUWCvy9BLfYbf
	 JdNXM0y60fxM8vu5l31V07t4ZsQkjbt8DqmevGnGHHThztB2+OGgsXc3PBF+UN5ogQ
	 aK8iUYXxyyrG2MY+h1yY88pAfLXHGfzqd0Aa4uxqHO2G4S0e5jlHehshXSTt9JaiC3
	 wpwsi1j+XLqKQx+rpymrZrkK4NjVf1MG9m5YcmzPi1Bx7GGZM93HUDv8i9zywoWWy8
	 NrrTxRFKfLwag==
From: Daniel Wagner <wagi@kernel.org>
Date: Wed, 08 Apr 2026 17:40:36 +0200
Subject: [PATCH v2] nvme: expose TLS mode
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260408-expose-tls-mode-v2-1-17a25aa414dc@kernel.org>
X-B4-Tracking: v=1; b=H4sIAAAAAAAC/3WNSw6CQBAFr0J6bZv5YdSV9zAsgG5gFBkyjQRDu
 LuAa5eV1Ks3g3D0LHBNZog8evGhW8EcEiibvKsZPa0MRpmTckojT30QxqEVfAVi1KqiIiWXXsj
 BuuojV37ai/fsx/IuHlwOW2YzGi9DiJ/9ctSb978+atTorM3PljQZW92eHDtujyHWkC3L8gVWN
 zzowQAAAA==
X-Change-ID: 20260401-expose-tls-mode-10fdb5d459d4
To: Keith Busch <kbusch@kernel.org>, Christoph Hellwig <hch@lst.de>,
 Sagi Grimberg <sagi@grimberg.me>
Cc: Hannes Reinecke <hare@suse.de>, linux-nvme@lists.infradead.org,
 linux-kernel@vger.kernel.org, Daniel Wagner <wagi@kernel.org>
X-Mailer: b4 0.15.1

It is not possible to determine the active TLS mode from the
presence or absence of sysfs attributes like tls_key,
tls_configured_key, or dhchap_secret.

With the introduction of the concat mode and optional DH-CHAP
authentication, different configurations can result in identical
sysfs state. This makes user space detection unreliable.

Expose the TLS mode explicitly to allow user space to
unambiguously identify the active configuration and avoid
fragile heuristics in nvme-cli.

Signed-off-by: Daniel Wagner <wagi@kernel.org>
---
As Hannes suggested, tls_mode is only visible when either --concat or --tls=
 is
used. This avoids the 'none' string.=20

Original cover letter (with fixed example):

I am extending the test suite for nvme-cli to cover the use case of
nvme connect --tls/--concat.

Currently, nvme-cli uses heuristics to determine whether --tls was used
to initiate the connection. With the introduction of --concat, these
heuristics are no longer reliable.

By exposing the TLS mode explicitly, nvme config can now generate a
configuration based on the currently active connection.

$ nvme connect --transport tcp --traddr 192.168.30.30 --trsvcid 4420  \
  		--hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c=
773af36  \
		--nqn nqn.io-1 --concat  \
		--dhchap-secret=3DDHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s=
0pb:   \
		--dump-config --output-format json
[
  {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77=
c773af36",
    "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
    "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0p=
b:",
    "subsystems":[
      {
        "nqn":"nqn.io-1",
        "ports":[
          {
            "transport":"tcp",
            "traddr":"192.168.30.30",
            "trsvcid":"4420",
            "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC=
74Sm0s0pb:",
            "concat":true
          }
        ]
      }
    ]
  }
]

$ nvme config --scan --dump --output-format json /dev/nvme1
[
  {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77=
c773af36",
    "hostid":"befdec4c-2234-11b2-a85c-ca77c773af36",
    "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC74Sm0s0p=
b:",
    "subsystems":[
      {
        "nqn":"nqn.io-1",
        "ports":[
          {
            "transport":"tcp",
            "traddr":"192.168.30.30",
            "trsvcid":"4420",
            "dhchap_key":"DHHC-1:01:1+pb0VSbn3cBrOhwP5SHa6gwlbPikdZ0mmBKKXC=
74Sm0s0pb:",
            "concat":true
          }
        ]
      }
    ]
  }
]

$ cat /sys/class/nvme-fabrics/ctl/nvme1/tls_mode
concat
---
Changes in v2:
- fixed the example output
- tls_mode only visible when either tls or concat is enabled. avoids 'none'
- Link to v1: https://patch.msgid.link/20260401-expose-tls-mode-v1-1-433a83=
d1d23f@kernel.org
---
 drivers/nvme/host/sysfs.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
index 16c6fea4b2db..6590777ed71f 100644
--- a/drivers/nvme/host/sysfs.c
+++ b/drivers/nvme/host/sysfs.c
@@ -841,10 +841,26 @@ static ssize_t tls_keyring_show(struct device *dev,
 }
 static DEVICE_ATTR_RO(tls_keyring);
=20
+static ssize_t tls_mode_show(struct device *dev,
+			     struct device_attribute *attr, char *buf)
+{
+	struct nvme_ctrl *ctrl =3D dev_get_drvdata(dev);
+	const char *mode;
+
+	if (ctrl->opts->tls)
+		mode =3D "tls";
+	else
+		mode =3D "concat";
+
+	return sysfs_emit(buf, "%s\n", mode);
+}
+static DEVICE_ATTR_RO(tls_mode);
+
 static struct attribute *nvme_tls_attrs[] =3D {
 	&dev_attr_tls_key.attr,
 	&dev_attr_tls_configured_key.attr,
 	&dev_attr_tls_keyring.attr,
+	&dev_attr_tls_mode.attr,
 	NULL,
 };
=20
@@ -866,6 +882,9 @@ static umode_t nvme_tls_attrs_are_visible(struct kobjec=
t *kobj,
 	if (a =3D=3D &dev_attr_tls_keyring.attr &&
 	    !ctrl->opts->keyring)
 		return 0;
+	if (a =3D=3D &dev_attr_tls_mode.attr &&
+	    !ctrl->opts->tls_key && !ctrl->opts->concat)
+		return 0;
=20
 	return a->mode;
 }

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260401-expose-tls-mode-10fdb5d459d4

Best regards,
-- =20
Daniel Wagner <wagi@kernel.org>