Commit 1ecd5b03 authored by Konrad Sztyber's avatar Konrad Sztyber Committed by Tomasz Zawadzki

bdev/nvme: use keyring for PSKs



It is now possible to specify NVMe/TLS PSKs via keys attached to the
keyring.  For now, the old method is also available, but it's deprecated
and will be removed in the future.  No new RPC parameters have been
added; instead, the PSK is first interpreted as a key name and, if that
fails, as a path to the key file.

Signed-off-by: default avatarKonrad Sztyber <konrad.sztyber@intel.com>
Change-Id: I663e67ff11a3943c3c11d2f4ba4e31473fcc2e67
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/21749


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarAleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: default avatarJim Harris <jim.harris@samsung.com>
parent a6e805f5
+1 −1
@@ -4038,7 +4038,7 @@ num_io_queues | Optional | number | The number of IO queues to
ctrlr_loss_timeout_sec     | Optional | number      | Time to wait until ctrlr is reconnected before deleting ctrlr.  -1 means infinite reconnects. 0 means no reconnect.
reconnect_delay_sec        | Optional | number      | Time to delay a reconnect trial. 0 means no reconnect.
fast_io_fail_timeout_sec   | Optional | number      | Time to wait until ctrlr is reconnected before failing I/O to ctrlr. 0 means no such timeout.
psk                        | Optional | string      | Path to a file contatining PSK for TLS (Enables SSL socket implementation for TCP)
psk                        | Optional | string      | Name of the pre-shared key to be used for TLS (Enables SSL socket implementation for TCP)
max_bdevs                  | Optional | number      | The size of the name array for newly created bdevs. Default is 128.

#### Example
+2 −2
@@ -146,7 +146,7 @@ DEPDIRS-bdev_delay := $(BDEV_DEPS_THREAD)
DEPDIRS-bdev_iscsi := $(BDEV_DEPS_THREAD)
DEPDIRS-bdev_malloc := $(BDEV_DEPS_THREAD) accel dma
DEPDIRS-bdev_null := $(BDEV_DEPS_THREAD)
DEPDIRS-bdev_nvme = $(BDEV_DEPS_THREAD) accel nvme trace
DEPDIRS-bdev_nvme = $(BDEV_DEPS_THREAD) accel keyring nvme trace
DEPDIRS-bdev_ocf := $(BDEV_DEPS_THREAD)
DEPDIRS-bdev_passthru := $(BDEV_DEPS_THREAD)
DEPDIRS-bdev_raid := $(BDEV_DEPS_THREAD)
@@ -168,7 +168,7 @@ DEPDIRS-bdev_xnvme := $(BDEV_DEPS_THREAD)
DEPDIRS-event_accel := init accel event_iobuf
DEPDIRS-event_vmd := init vmd $(JSON_LIBS) log thread util

DEPDIRS-event_bdev := init bdev event_accel event_vmd event_sock event_iobuf
DEPDIRS-event_bdev := init bdev event_accel event_vmd event_sock event_iobuf event_keyring

DEPDIRS-event_scheduler := event init json log

+30 −11
@@ -14,6 +14,7 @@
#include "spdk/endian.h"
#include "spdk/bdev.h"
#include "spdk/json.h"
#include "spdk/keyring.h"
#include "spdk/likely.h"
#include "spdk/nvme.h"
#include "spdk/nvme_ocssd.h"
@@ -463,7 +464,7 @@ _nvme_ctrlr_delete(struct nvme_ctrlr *nvme_ctrlr)
	}

	pthread_mutex_destroy(&nvme_ctrlr->mutex);

	spdk_keyring_put_key(nvme_ctrlr->psk);
	free(nvme_ctrlr);

	pthread_mutex_lock(&g_bdev_nvme_mutex);
@@ -5100,6 +5101,7 @@ aer_cb(void *arg, const struct spdk_nvme_cpl *cpl)
static void
free_nvme_async_probe_ctx(struct nvme_async_probe_ctx *ctx)
{
	spdk_keyring_put_key(ctx->drv_opts.tls_psk);
	free(ctx);
}

@@ -5305,9 +5307,20 @@ nvme_ctrlr_create(struct spdk_nvme_ctrlr *ctrlr,
	}

	TAILQ_INIT(&nvme_ctrlr->trids);

	RB_INIT(&nvme_ctrlr->namespaces);

	/* Get another reference to the key, so the first one can be released from probe_ctx */
	if (ctx != NULL && ctx->drv_opts.tls_psk != NULL) {
		nvme_ctrlr->psk = spdk_keyring_get_key(spdk_key_get_name(ctx->drv_opts.tls_psk));
		if (nvme_ctrlr->psk == NULL) {
			/* Could only happen if the key was removed in the meantime */
			SPDK_ERRLOG("Couldn't get a reference to the key '%s'\n",
				    spdk_key_get_name(ctx->drv_opts.tls_psk));
			rc = -ENOKEY;
			goto err;
		}
	}

	path_id = calloc(1, sizeof(*path_id));
	if (path_id == NULL) {
		SPDK_ERRLOG("Failed to allocate trid entry pointer\n");
@@ -6042,15 +6055,19 @@ bdev_nvme_create(struct spdk_nvme_transport_id *trid,
	ctx->drv_opts.disable_read_ana_log_page = true;
	ctx->drv_opts.transport_tos = g_opts.transport_tos;

	if (ctx->bdev_opts.psk_path[0] != '\0') {
		rc = bdev_nvme_load_psk(ctx->bdev_opts.psk_path,
	if (ctx->bdev_opts.psk[0] != '\0') {
		/* Try to use the keyring first */
		ctx->drv_opts.tls_psk = spdk_keyring_get_key(ctx->bdev_opts.psk);
		if (ctx->drv_opts.tls_psk == NULL) {
			rc = bdev_nvme_load_psk(ctx->bdev_opts.psk,
						ctx->drv_opts.psk, sizeof(ctx->drv_opts.psk));
			if (rc != 0) {
			SPDK_ERRLOG("Could not load PSK from %s\n", ctx->bdev_opts.psk_path);
				SPDK_ERRLOG("Could not load PSK from %s\n", ctx->bdev_opts.psk);
				free_nvme_async_probe_ctx(ctx);
				return rc;
			}
		}
	}

	if (nvme_bdev_ctrlr_get_by_name(base_name) == NULL || multipath) {
		attach_cb = connect_attach_cb;
@@ -8223,8 +8240,10 @@ nvme_ctrlr_config_json(struct spdk_json_write_ctx *w,
	spdk_json_write_named_uint32(w, "reconnect_delay_sec", nvme_ctrlr->opts.reconnect_delay_sec);
	spdk_json_write_named_uint32(w, "fast_io_fail_timeout_sec",
				     nvme_ctrlr->opts.fast_io_fail_timeout_sec);
	if (nvme_ctrlr->opts.psk_path[0] != '\0') {
		spdk_json_write_named_string(w, "psk", nvme_ctrlr->opts.psk_path);
	if (nvme_ctrlr->psk != NULL) {
		spdk_json_write_named_string(w, "psk", spdk_key_get_name(nvme_ctrlr->psk));
	} else if (nvme_ctrlr->opts.psk[0] != '\0') {
		spdk_json_write_named_string(w, "psk", nvme_ctrlr->opts.psk);
	}

	opts = spdk_nvme_ctrlr_get_opts(nvme_ctrlr->ctrlr);
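Review bot: In the bdev_nvme_create hunk, the fall-back from `spdk_keyring_get_key(ctx->bdev_opts.psk)` to `bdev_nvme_load_psk()` is silent: when the keyring lookup misses, an operator who mistyped a key name only sees the later "Could not load PSK from %s" file error, and nothing records that the deprecated file path was taken even though the commit description marks it as deprecated. Since one string is accepted both as a key name and as a path, a keyring entry whose name happens to equal a path also wins without any indication, so the chosen branch should be visible in the log; a one-liner before the load call, `SPDK_NOTICELOG("Key '%s' not found in the keyring, treating it as a path to a PSK file\n", ctx->bdev_opts.psk);`, would do, and the deprecation itself could be recorded with `SPDK_LOG_DEPRECATED()` on a tag registered via `SPDK_LOG_DEPRECATION_REGISTER()` if the project wants the usual rate-limited warning. bdev_nvme_create begins and ends outside the hunk.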
+3 −2
@@ -43,8 +43,8 @@ struct nvme_ctrlr_opts {
	uint32_t reconnect_delay_sec;
	uint32_t fast_io_fail_timeout_sec;
	bool from_discovery_service;
	/* Path to the file containing PSK, used for dumping configuration. */
	char psk_path[PATH_MAX];
	/* Name of the PSK or path to the file containing PSK. */
	char psk[PATH_MAX];
};

struct nvme_async_probe_ctx {
@@ -154,6 +154,7 @@ struct nvme_ctrlr {
	struct spdk_nvme_ana_group_descriptor	*copied_ana_desc;

	struct nvme_async_probe_ctx		*probe_ctx;
	struct spdk_key				*psk;

	pthread_mutex_t				mutex;
};
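Review bot: The new `struct spdk_key *psk;` member of struct nvme_ctrlr carries no comment, while the neighbouring `psk` field in nvme_ctrlr_opts does, and its lifecycle is spread over three other hunks (acquired in nvme_ctrlr_create, released in _nvme_ctrlr_delete, consulted in nvme_ctrlr_config_json). Suggested comment: `/* Reference to the keyring PSK held for the controller's lifetime; NULL when the PSK was loaded from a file, in which case opts.psk holds the path. Released in _nvme_ctrlr_delete(). */`. Note that _nvme_ctrlr_delete() calls `spdk_keyring_put_key(nvme_ctrlr->psk)` unconditionally, so the comment implicitly relies on that function accepting NULL — worth confirming against the keyring API. The struct nvme_ctrlr definition starts outside the hunk.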
+3 −3
@@ -439,9 +439,9 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request,
			g_tls_log = true;
		}

		rc = snprintf(ctx->req.bdev_opts.psk_path, sizeof(ctx->req.bdev_opts.psk_path), "%s", ctx->req.psk);
		if (rc < 0 || (size_t)rc >= sizeof(ctx->req.bdev_opts.psk_path)) {
			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "Could not store PSK path: %s",
		rc = snprintf(ctx->req.bdev_opts.psk, sizeof(ctx->req.bdev_opts.psk), "%s", ctx->req.psk);
		if (rc < 0 || (size_t)rc >= sizeof(ctx->req.bdev_opts.psk)) {
			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "Could not store PSK: %s",
							     ctx->req.psk);
			goto cleanup;
		}