| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8d6d76b4-6361-4392-9351-bd9d59c96ba0@suse.de>
Date: Mon, 20 Oct 2025 08:33:01 +0200
From: Hannes Reinecke <hare@...e.de>
To: alistair23@...il.com, chuck.lever@...cle.com, hare@...nel.org,
kernel-tls-handshake@...ts.linux.dev, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
linux-nvme@...ts.infradead.org, linux-nfs@...r.kernel.org
Cc: kbusch@...nel.org, axboe@...nel.dk, hch@....de, sagi@...mberg.me,
kch@...dia.com, Alistair Francis <alistair.francis@....com>
Subject: Re: [PATCH v4 6/7] nvme-tcp: Allow userspace to trigger a KeyUpdate
with debugfs
On 10/17/25 06:23, alistair23@...il.com wrote:
> From: Alistair Francis <alistair.francis@....com>
>
> Allow userspace to trigger a KeyUpdate via debugfs. This patch exposes a
> key_update file that can be written to with the queue number to trigger
> a KeyUpdate on that queue.
>
> Signed-off-by: Alistair Francis <alistair.francis@....com>
> ---
> v4:
> - No change
> v3:
> - New patch
>
> drivers/nvme/host/tcp.c | 72 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 72 insertions(+)
>
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index 791e0cc91ad8..f5c7b646d002 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -11,6 +11,7 @@
> #include <linux/crc32.h>
> #include <linux/nvme-tcp.h>
> #include <linux/nvme-keyring.h>
> +#include <linux/debugfs.h>
> #include <net/sock.h>
> #include <net/tcp.h>
> #include <net/tls.h>
> @@ -1429,6 +1430,75 @@ static void update_tls_keys(struct nvme_tcp_queue *queue)
> }
> }
>
> +#ifdef CONFIG_NVME_TCP_TLS
> +#define NVME_DEBUGFS_RW_ATTR(field) \
> + static int field##_open(struct inode *inode, struct file *file) \
> + { return single_open(file, field##_show, inode->i_private); } \
> + \
> + static const struct file_operations field##_fops = { \
> + .open = field##_open, \
> + .read = seq_read, \
> + .write = field##_write, \
> + .release = single_release, \
> + }
> +
> +static int nvme_ctrl_key_update_show(struct seq_file *m, void *p)
> +{
> + seq_printf(m, "0\n");
> +
> + return 0;
> +}
> +
> +static ssize_t nvme_ctrl_key_update_write(struct file *file, const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct seq_file *m = file->private_data;
> + struct nvme_ctrl *nctrl = m->private;
> + struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl);
> + char kbuf[16] = {0};
> + int queue_nr, rc;
> + struct nvme_tcp_queue *queue;
> +
> + if (count > sizeof(kbuf) - 1)
> + return -EINVAL;
> + if (copy_from_user(kbuf, buf, count))
> + return -EFAULT;
> + kbuf[count] = 0;
> +
> + rc = kstrtouint(kbuf, 10, &queue_nr);
> + if (rc)
> + return rc;
> +
> + if (queue_nr >= nctrl->queue_count)
> + return -EINVAL;
> +
> + queue = &ctrl->queues[queue_nr];
> +
> + update_tls_keys(queue);
Are you sure this is correct?
'update_tls_keys' is issuing a handshake request
with 'HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED'.
And the patch introducing it states:
At this time we don't support initiating a KeyUpdate.
So please move this to the patchset implementing support
for initiating KeyUpdates.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@...e.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Powered by blists - more mailing lists