fabrics: add configuration option 'tls_key'
authorHannes Reinecke <hare@suse.de>
Thu, 23 Mar 2023 09:44:02 +0000 (10:44 +0100)
committerDaniel Wagner <wagi@monom.org>
Mon, 27 Mar 2023 11:46:18 +0000 (13:46 +0200)
Add a fabrics configuration option to specify the TLS PSK for a
connection. The PSK is referenced by its serial number, but the JSON
configuration file stores the key's description instead.

Signed-off-by: Hannes Reinecke <hare@suse.de>
doc/config-schema.json
doc/rst/fabrics.rst
src/nvme/fabrics.c
src/nvme/fabrics.h
src/nvme/json.c

index 68b1e2fd9a7973007a5be3e868004864ee062ef7..f10671d415679ff3f88ea9ca3d7c066f7be24411 100644 (file)
                    "description": "Keyring to store and lookup keys",
                    "type": "string",
                },
+               "tls_key": {
+                   "description": "TLS PSK for the connection",
+                   "type": "string",
+               },
                "nr_io_queues": {
                    "description": "Number of I/O queues",
                    "type": "integer"
index ace7929d77cbcdaae5f5211f01c465d8ce96d54b..6df058c15b8f4fa253993c694206605ce31b36c8 100644 (file)
@@ -28,6 +28,7 @@ Fabrics-specific definitions.
     int nr_poll_queues;
     int tos;
     int keyring;
+    int tls_key;
     bool duplicate_connect;
     bool disable_sqflow;
     bool hdr_digest;
@@ -73,6 +74,9 @@ Fabrics-specific definitions.
 ``keyring``
   Serial number of the keyring to store and lookup keys
 
+``tls_key``
+  Serial number of the TLS PSK for the connection
+
 ``duplicate_connect``
   Allow multiple connections to the same target
 
index 8c9cff311147f023a9891b3513e35a5ca0f1bfa2..6dab54668c9a1219725a673543a16a0df331107a 100644 (file)
@@ -217,6 +217,7 @@ static struct nvme_fabrics_config *merge_config(nvme_ctrl_t c,
        MERGE_CFG_OPTION(ctrl_cfg, cfg, fast_io_fail_tmo, 0);
        MERGE_CFG_OPTION(ctrl_cfg, cfg, tos, -1);
        MERGE_CFG_OPTION(ctrl_cfg, cfg, keyring, 0);
+       MERGE_CFG_OPTION(ctrl_cfg, cfg, tls_key, 0);
        MERGE_CFG_OPTION(ctrl_cfg, cfg, duplicate_connect, false);
        MERGE_CFG_OPTION(ctrl_cfg, cfg, disable_sqflow, false);
        MERGE_CFG_OPTION(ctrl_cfg, cfg, hdr_digest, false);
@@ -245,6 +246,7 @@ void nvmf_update_config(nvme_ctrl_t c, const struct nvme_fabrics_config *cfg)
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, fast_io_fail_tmo, 0);
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, tos, -1);
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, keyring, 0);
+       UPDATE_CFG_OPTION(ctrl_cfg, cfg, tls_key, 0);
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, duplicate_connect, false);
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, disable_sqflow, false);
        UPDATE_CFG_OPTION(ctrl_cfg, cfg, hdr_digest, false);
@@ -520,6 +522,8 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
            (strcmp(transport, "loop") &&
             add_int_argument(argstr, "tos", cfg->tos, true)) ||
            add_int_argument(argstr, "keyring", cfg->keyring, false) ||
+           (!strcmp(transport, "tcp") &&
+            add_int_argument(argstr, "tls_key", cfg->tls_key, false)) ||
            add_bool_argument(argstr, "duplicate_connect",
                              cfg->duplicate_connect) ||
            add_bool_argument(argstr, "disable_sqflow",
index 68f171abddcc68ec012a903f1b8a657216a96a4c..9298f7b342a07e439eeb0e056bc19e96af0ee95b 100644 (file)
@@ -36,6 +36,7 @@
  * @nr_poll_queues:    Number of queues to reserve for polling completions
  * @tos:               Type of service
  * @keyring:           Keyring to store and lookup keys
+ * @tls_key:           TLS PSK for the connection
  * @duplicate_connect: Allow multiple connections to the same target
  * @disable_sqflow:    Disable controller sq flow control
  * @hdr_digest:                Generate/verify header digest (TCP)
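Review bot: The kernel-doc line `@tls_key: TLS PSK for the connection` reads as if the field carried the key itself, while the member is an `int` and doc/rst/fabrics.rst in this same commit calls it a serial number. I would word it as `@tls_key: Serial number of the TLS PSK for the connection`, and add that 0 means "no key" if that is the intended contract (the `cfg->tls_key == 0` test in src/nvme/json.c suggests so). The matching description in doc/config-schema.json could likewise say that the JSON value is the key's description and not key material, so that nobody pastes a secret into the configuration file.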
@@ -55,6 +56,7 @@ struct nvme_fabrics_config {
        int nr_poll_queues;
        int tos;
        int keyring;
+       int tls_key;
 
        bool duplicate_connect;
        bool disable_sqflow;
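Review bot: `int tls_key;` is inserted in the middle of `struct nvme_fabrics_config`, which shifts `duplicate_connect` and every member declared after it. If a release with the previous layout has already shipped, a caller built against the old header and passing this struct to `nvmf_update_config()` would have its boolean options read at the wrong offsets. Appending the member at the end of the struct, or confirming that the current layout is still unreleased, avoids that. The struct definition starts and ends outside the hunk.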
index d0f36bd9177c7d1674149ac8b550163d2415848b..a74b5a4d1108a9115c6293cf79a0d4d2705bf211 100644 (file)
@@ -78,6 +78,14 @@ static void json_update_attributes(nvme_ctrl_t c,
                                nvme_set_keyring(cfg->keyring);
                        }
                }
+               if (!strcmp("tls_key", key_str) && cfg->tls_key == 0) {
+                       long key;
+
+                       key = nvme_lookup_key("psk",
+                                             json_object_get_string(val_obj));
+                       if (key)
+                               cfg->tls_key = key;
+               }
        }
 }
 
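Review bot: A `tls_key` entry whose description is not found in the keyring is dropped without any diagnostic: when `nvme_lookup_key()` returns 0 the new branch leaves `cfg->tls_key` at 0, and the `build_options()` change in src/nvme/fabrics.c passes the value with a final argument of `false`, which appears to omit a zero value from the connect string. A configuration that asks for a PSK can therefore end up connecting without one, so the miss should at least be reported, for example with `else nvme_msg(NULL, LOG_ERR, "tls_key '%s' not found\n", json_object_get_string(val_obj));`, or propagated so the caller can refuse to connect. The test `if (key)` also accepts a negative value, so if `nvme_lookup_key()` can signal errors that way the check should be `if (key > 0)`; note too that the `long` result is narrowed into an `int` field. json_update_attributes starts outside the hunk.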
@@ -325,6 +333,15 @@ static void json_update_port(struct json_object *ctrl_array, nvme_ctrl_t c)
                        free(desc);
                }
        }
+       if (cfg->tls_key) {
+               char *desc = nvme_describe_key_serial(cfg->tls_key);
+
+               if (desc) {
+                       json_object_object_add(port_obj, "tls_key",
+                                              json_object_new_string(desc));
+                       free(desc);
+               }
+       }
 
        json_object_array_add(ctrl_array, port_obj);
 }
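Review bot: When `nvme_describe_key_serial(cfg->tls_key)` returns NULL the `tls_key` attribute is left out of the port object with no message, so a dumped configuration can silently lose the PSK reference that the live controller was using, and a later load of that file has nothing to look up. An `else` branch on `if (desc)` that reports the failure would make this visible. A short comment above the block, such as `/* store the key description only, never the key payload */`, would also record the intent stated in the commit message. json_update_port starts outside the hunk.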