Message-ID: <20250905024659.811386-1-alistair.francis@wdc.com>
Date: Fri, 5 Sep 2025 12:46:52 +1000
From: alistair23@...il.com
To: chuck.lever@...cle.com,
hare@...nel.org,
kernel-tls-handshake@...ts.linux.dev,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org,
linux-nvme@...ts.infradead.org,
linux-nfs@...r.kernel.org
Cc: kbusch@...nel.org,
axboe@...nel.dk,
hch@....de,
sagi@...mberg.me,
kch@...dia.com,
alistair23@...il.com,
Alistair Francis <alistair.francis@....com>
Subject: [PATCH v2 0/7] nvme-tcp: Support receiving KeyUpdate requests
From: Alistair Francis <alistair.francis@....com>
The TLS 1.3 specification allows the TLS client or server to send a
KeyUpdate. This is generally used when the sequence is about to
overflow or after a certain amount of bytes have been encrypted.
The TLS spec doesn't mandate the conditions though, so a KeyUpdate
can be sent by the TLS client or server at any time. This includes
when running NVMe-OF over a TLS 1.3 connection.
As such, Linux should be able to handle a KeyUpdate event, as the
other NVMe side could initiate a KeyUpdate.
Upcoming WD NVMe-TCP hardware controllers implement TLS support
and send KeyUpdate requests.
This series builds on top of the existing TLS EKEYEXPIRED work,
which already detects a KeyUpdate request. We can now pass that
information up to the NVMe layer (target and host) and then pass
it up to userspace.
Userspace (ktls-utils) will need to save the connection state
in the keyring during the initial handshake. The kernel then
provides the key serial back to userspace when handling a
KeyUpdate. Userspace can use this to restore the connection
information and then update the keys; this final process
is similar to the initial handshake.
Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
v2:
- Change "key-serial" to "session-id"
- Fix reported build failures
- Drop tls_clear_err() function
- Stop keep alive timer during KeyUpdate
- Drop handshake message decoding in the NVMe layer
Alistair Francis (7):
net/handshake: Store the key serial number on completion
net/handshake: Make handshake_req_cancel public
net/handshake: Expose handshake_sk_destruct_req publically
nvmet: Expose nvmet_stop_keep_alive_timer publically
net/handshake: Support KeyUpdate message types
nvme-tcp: Support KeyUpdate
nvmet-tcp: Support KeyUpdate
Documentation/netlink/specs/handshake.yaml | 19 +++-
Documentation/networking/tls-handshake.rst | 4 +-
drivers/nvme/host/tcp.c | 88 +++++++++++++++--
drivers/nvme/target/core.c | 1 +
drivers/nvme/target/tcp.c | 104 +++++++++++++++++++--
include/net/handshake.h | 17 +++-
include/uapi/linux/handshake.h | 14 +++
net/handshake/genl.c | 5 +-
net/handshake/handshake.h | 1 -
net/handshake/request.c | 18 ++++
net/handshake/tlshd.c | 46 +++++++--
net/sunrpc/svcsock.c | 3 +-
net/sunrpc/xprtsock.c | 3 +-
13 files changed, 289 insertions(+), 34 deletions(-)
--
2.50.1
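As an added illustration of the TLS 1.3 mechanics the cover letter relies on (example code, not part of this series or of the kernel or ktls-utils), the following Python derives the next-generation traffic secret per RFC 8446 section 7.2 and shows why a peer must be able to re-key on demand: the record sequence number restarts from zero after every key change and must never wrap. AES-128-GCM key/IV sizes and SHA-256 are assumed; the HKDF code is a plain RFC 5869/8446 implementation written for this example.

```python
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size
KEY_LEN, IV_LEN = 16, 12    # AES-128-GCM sizes (assumed for this example)
SEQ_LIMIT = 2**64 - 1       # record sequence numbers are 64-bit (RFC 8446 5.3)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label with the HkdfLabel encoding of RFC 8446 section 7.1."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1 from secret_N (RFC 8446 section 7.2)."""
    return hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)

class SendState:
    def __init__(self, secret: bytes):
        self._install(secret)

    def _install(self, secret: bytes):
        self.secret = secret
        self.key = hkdf_expand_label(secret, b"key", b"", KEY_LEN)   # RFC 8446 7.3
        self.iv = hkdf_expand_label(secret, b"iv", b"", IV_LEN)
        self.seq = 0    # the sequence number restarts after every key change

    def nonce(self) -> bytes:
        """Per-record nonce (IV XOR padded sequence); refuses to wrap the counter."""
        if self.seq > SEQ_LIMIT:
            raise OverflowError("sequence space exhausted: KeyUpdate required first")
        padded = self.seq.to_bytes(IV_LEN, "big")
        self.seq += 1
        return bytes(a ^ b for a, b in zip(self.iv, padded))

    def key_update(self):
        """Rotate to the next key generation, as done after sending/receiving KeyUpdate."""
        self._install(next_traffic_secret(self.secret))
```

Both directions of a connection carry their own SendState, which is why a KeyUpdate from the controller side only changes the keys the controller sends with until the host answers with its own update.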