Commit c6c96e48 authored by Krzysztof Karas, committed by Konrad Sztyber

tcp: Mark TLS feature as experimental



Add changelog and documentation entries.

Add a noticelog that will print upon first creation
of a listener with the `secure_channel` option and after
calling the bdev_nvme_attach_controller RPC for the first
time with TLS options.

Change-Id: I498978ca30c99afc0ee73c199a643b70ae53d1ae
Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/18238


Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
parent 2ce2fe09
+2 −0
@@ -68,6 +68,8 @@ TLS PSK identity is now generated from subsystem NQN and host NQN.

PSK interchange format is now expected as input, when configuring TLS in SPDK.

TLS feature in SPDK is considered experimental

### sock

Added a callback `get_key()` to `spdk_sock_impl_opts` structure.
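Review bot: the new CHANGELOG line "TLS feature in SPDK is considered experimental" is the only entry in this block without a terminating period and lacks an article; suggest "The TLS feature in SPDK is considered experimental." so it matches the neighbouring entries.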
+1 −1
@@ -278,7 +278,7 @@ For step-by-step instructions for configuring and switching between paths, see @

The SPDK NVMe-oF target and initiator support establishing a secure TCP connection using Transport
Layer Security (TLS) protocol in compliance with NVMe TCP transport specification. Only version 1.3
of the TLS protocol is supported.
of the TLS protocol is supported. This feature is considered experimental.

Currently, it is only possible to establish a fabric secure channel using TLS and NVMe-oF in-band
authentication is not supported. The channel is protected by a symmetric pre-shared key (PSK) using
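Review bot: "This feature is considered experimental." is appended without telling the reader what that implies. Given that the same release changes how the PSK identity is derived and which PSK format is accepted (see the CHANGELOG hunk above), a short clause such as "its configuration interface and PSK handling may change between releases" would set expectations for users who enable TLS now.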
+6 −0
@@ -18,6 +18,8 @@

#include "nvmf_internal.h"

static bool g_tls_log = false;

static int
json_write_hex_str(struct spdk_json_write_ctx *w, const void *data, size_t size)
{
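Review bot: `g_tls_log` is a file-scope flag whose name says nothing about what it gates, and an identical flag with the same initialiser and the same notice string is added to the bdev_nvme RPC file in this patch. Consider a descriptive name such as `g_tls_experimental_warned` and a single shared helper that prints the notice once, rather than two copies of both the flag and the message that will drift apart.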
@@ -902,6 +904,10 @@ rpc_nvmf_subsystem_add_listener(struct spdk_jsonrpc_request *request,
		return;
	}
	ctx->opts.secure_channel = ctx->secure_channel;
	if (ctx->opts.secure_channel && !g_tls_log) {
		SPDK_NOTICELOG("TLS support is considered experimental\n");
		g_tls_log = true;
	}

	rc = spdk_nvmf_subsystem_pause(subsystem, 0, nvmf_rpc_listen_paused, ctx);
	if (rc != 0) {
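Review bot: the notice is printed as soon as `ctx->opts.secure_channel` is set, before `spdk_nvmf_subsystem_pause()` is even attempted, so an add_listener call that fails at the pause step still prints the warning and sets the one-shot flag, leaving later successful TLS listener creation silent. Moving the block into the success path (or into the paused callback) ties the warning to a listener that is actually created. The message could also name the operation, e.g. "TLS support for NVMe-oF TCP listeners is considered experimental", since the same text is emitted from the bdev_nvme attach path and the two are otherwise indistinguishable in the log.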
+6 −0
@@ -23,6 +23,8 @@

#define TCP_PSK_INVALID_PERMISSIONS 0177

static bool g_tls_log = false;

static int
rpc_decode_action_on_timeout(const struct spdk_json_val *val, void *out)
{
@@ -468,6 +470,10 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request,
	}

	if (ctx->req.psk) {
		if (!g_tls_log) {
			SPDK_NOTICELOG("TLS support is considered experimental\n");
			g_tls_log = true;
		}
		rc = tcp_load_psk(ctx->req.psk, ctx->req.drv_opts.psk, sizeof(ctx->req.drv_opts.psk));
		if (rc) {
			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "Could not retrieve PSK from file: %s",
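Review bot: the warning fires on `ctx->req.psk` being present before `tcp_load_psk()` runs, so a request that then fails with "Could not retrieve PSK from file" still marks the notice as printed and a subsequent valid TLS attach will not warn. Printing after `tcp_load_psk()` succeeds (in the `rc == 0` path) ties the notice to a controller that actually receives TLS options. Note also that the condition keys only on `psk`, whereas the commit message says "with TLS options"; if any other TLS parameter can be passed without a PSK, it would not trigger the notice.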