Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nvme: Allow reauth from sysfs

Allow userspace to trigger a reauth (REPLACETLSPSK) from sysfs.
This can be done by writing a zero to the sysfs file.

echo 0 > /sys/devices/virtual/nvme-fabrics/ctl/nvme0/tls_configured_key

In order to use the new keys for the admin queue we call controller
reset. This isn't ideal, but I can't find a simpler way to reset the
admin queue TLS connection.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

Authored by Alistair Francis and committed by Keith Busch
ed6a9f7d 56d25f1a

+56 -1
+13
Documentation/ABI/testing/sysfs-nvme
··· 1 + What: /sys/devices/virtual/nvme-fabrics/ctl/.../tls_configured_key 2 + Date: November 2025 3 + KernelVersion: 6.19 4 + Contact: Linux NVMe mailing list <linux-nvme@lists.infradead.org> 5 + Description: 6 + The file is avaliable when using a secure concatanation 7 + connection to a NVMe target. Reading the file will return 8 + the serial of the currently negotiated key. 9 + 10 + Writing 0 to the file will trigger a PSK reauthentication 11 + (REPLACETLSPSK) with the target. After a reauthentication 12 + the value returned by tls_configured_key will be the new 13 + serial.
+43 -1
drivers/nvme/host/sysfs.c
··· 829 829 830 830 return sysfs_emit(buf, "%08x\n", key_serial(key)); 831 831 } 832 - static DEVICE_ATTR_RO(tls_configured_key); 832 + 833 + static ssize_t tls_configured_key_store(struct device *dev, 834 + struct device_attribute *attr, 835 + const char *buf, size_t count) 836 + { 837 + struct nvme_ctrl *ctrl = dev_get_drvdata(dev); 838 + int error, qid; 839 + 840 + error = kstrtoint(buf, 10, &qid); 841 + if (error) 842 + return error; 843 + 844 + /* 845 + * We currently only allow userspace to write a `0` indicating 846 + * generate a new key. 847 + */ 848 + if (qid) 849 + return -EINVAL; 850 + 851 + if (!ctrl->opts || !ctrl->opts->concat) 852 + return -EOPNOTSUPP; 853 + 854 + error = nvme_auth_negotiate(ctrl, 0); 855 + if (error < 0) { 856 + nvme_reset_ctrl(ctrl); 857 + return error; 858 + } 859 + 860 + error = nvme_auth_wait(ctrl, 0); 861 + if (error < 0) { 862 + nvme_reset_ctrl(ctrl); 863 + return error; 864 + } 865 + 866 + /* 867 + * We need to reset the TLS connection, so let's just 868 + * reset the controller. 869 + */ 870 + nvme_reset_ctrl(ctrl); 871 + 872 + return count; 873 + } 874 + static DEVICE_ATTR_RW(tls_configured_key); 833 875 834 876 static ssize_t tls_keyring_show(struct device *dev, 835 877 struct device_attribute *attr, char *buf)
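Review bot: In Documentation/ABI/testing/sysfs-nvme, the Description says only that writing 0 triggers a PSK reauthentication, but the store handler in drivers/nvme/host/sysfs.c also calls nvme_reset_ctrl() on every write that passes validation, on success and on both failure paths. Please document that the write resets the controller, that a non-zero value is rejected with -EINVAL, and that a controller without concat returns -EOPNOTSUPP, so an administrator knows the operation is disruptive before scripting it. Two spelling fixes in the same paragraph: "avaliable" should be "available" and "concatanation" should be "concatenation". Since the show side emits the serial with "%08x", it would also help to say the value is printed in hex.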
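Review bot: In tls_configured_key_store() in drivers/nvme/host/sysfs.c, the result of the final nvme_reset_ctrl(ctrl) is discarded and the function returns count, so the write reports success even if the reset that is meant to move the admin queue onto the new key did not take place. Consider propagating it, for example "error = nvme_reset_ctrl(ctrl); if (error) return error;". The two failure paths after nvme_auth_negotiate() and nvme_auth_wait() also reset the controller, so an unsuccessful write from userspace still tears down the connection; a comment saying why the reset is required there would help the next reader. The variable filled by kstrtoint() is named qid although the comment says the value only means "generate a new key", so a neutral name would read better.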