Skip to content

Commit

Permalink
nvme-keyring: implement nvme_tls_psk_default()
Browse files Browse the repository at this point in the history
Implement a function to select the preferred PSK for TLS.
A 'retained' PSK should be preferred over a 'generated' PSK,
and SHA-384 should be preferred to SHA-256.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
  • Loading branch information
Hannes Reinecke authored and Keith Busch committed Oct 11, 2023
1 parent a86062a commit 501cc6f
Show file tree
Hide file tree
Showing 2 changed files with 56 additions and 0 deletions.
48 changes: 48 additions & 0 deletions drivers/nvme/common/keyring.c
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

#include <linux/module.h>
#include <linux/seq_file.h>
#include <linux/key.h>
#include <linux/key-type.h>
#include <keys/user-type.h>
#include <linux/nvme.h>
Expand Down Expand Up @@ -103,6 +104,53 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
return key_ref_to_ptr(keyref);
}

/*
* NVMe PSK priority list
*
* 'Retained' PSKs (ie 'generated == false')
* should be preferred to 'generated' PSKs,
* and SHA-384 should be preferred to SHA-256.
*/
struct nvme_tls_psk_priority_list {
bool generated;
enum nvme_tcp_tls_cipher cipher;
} nvme_tls_psk_prio[] = {
{ .generated = false,
.cipher = NVME_TCP_TLS_CIPHER_SHA384, },
{ .generated = false,
.cipher = NVME_TCP_TLS_CIPHER_SHA256, },
{ .generated = true,
.cipher = NVME_TCP_TLS_CIPHER_SHA384, },
{ .generated = true,
.cipher = NVME_TCP_TLS_CIPHER_SHA256, },
};

/*
* nvme_tls_psk_default - Return the preferred PSK to use for TLS ClientHello
*/
key_serial_t nvme_tls_psk_default(struct key *keyring,
const char *hostnqn, const char *subnqn)
{
struct key *tls_key;
key_serial_t tls_key_id;
int prio;

for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) {
bool generated = nvme_tls_psk_prio[prio].generated;
enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher;

tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn,
cipher, generated);
if (!IS_ERR(tls_key)) {
tls_key_id = tls_key->serial;
key_put(tls_key);
return tls_key_id;
}
}
return 0;
}
EXPORT_SYMBOL_GPL(nvme_tls_psk_default);

int nvme_keyring_init(void)
{
int err;
Expand Down
8 changes: 8 additions & 0 deletions include/linux/nvme-keyring.h
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,20 @@

#ifdef CONFIG_NVME_KEYRING

key_serial_t nvme_tls_psk_default(struct key *keyring,
const char *hostnqn, const char *subnqn);

key_serial_t nvme_keyring_id(void);
int nvme_keyring_init(void);
void nvme_keyring_exit(void);

#else

static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
const char *hostnqn, const char *subnqn)
{
return 0;
}
static inline key_serial_t nvme_keyring_id(void)
{
return 0;
Expand Down

0 comments on commit 501cc6f

Please sign in to comment.