| 1 | // SPDX-License-Identifier: GPL-2.0 |
|---|
| 2 | /* |
|---|
| 3 | * Copyright (c) 2023 Hannes Reinecke, SUSE Labs |
|---|
| 4 | */ |
|---|
| 5 | |
|---|
| 6 | #include <linux/module.h> |
|---|
| 7 | #include <linux/seq_file.h> |
|---|
| 8 | #include <linux/key.h> |
|---|
| 9 | #include <linux/key-type.h> |
|---|
| 10 | #include <keys/user-type.h> |
|---|
| 11 | #include <linux/nvme.h> |
|---|
| 12 | #include <linux/nvme-tcp.h> |
|---|
| 13 | #include <linux/nvme-keyring.h> |
|---|
| 14 | |
|---|
| 15 | static struct key *nvme_keyring; |
|---|
| 16 | |
|---|
| 17 | key_serial_t nvme_keyring_id(void) |
|---|
| 18 | { |
|---|
| 19 | return nvme_keyring->serial; |
|---|
| 20 | } |
|---|
| 21 | EXPORT_SYMBOL_GPL(nvme_keyring_id); |
|---|
| 22 | |
|---|
| 23 | static void nvme_tls_psk_describe(const struct key *key, struct seq_file *m) |
|---|
| 24 | { |
|---|
| 25 | seq_puts(m, s: key->description); |
|---|
| 26 | seq_printf(m, fmt: ": %u" , key->datalen); |
|---|
| 27 | } |
|---|
| 28 | |
|---|
| 29 | static bool nvme_tls_psk_match(const struct key *key, |
|---|
| 30 | const struct key_match_data *match_data) |
|---|
| 31 | { |
|---|
| 32 | const char *match_id; |
|---|
| 33 | size_t match_len; |
|---|
| 34 | |
|---|
| 35 | if (!key->description) { |
|---|
| 36 | pr_debug("%s: no key description\n" , __func__); |
|---|
| 37 | return false; |
|---|
| 38 | } |
|---|
| 39 | match_len = strlen(key->description); |
|---|
| 40 | pr_debug("%s: id %s len %zd\n" , __func__, key->description, match_len); |
|---|
| 41 | |
|---|
| 42 | if (!match_data->raw_data) { |
|---|
| 43 | pr_debug("%s: no match data\n" , __func__); |
|---|
| 44 | return false; |
|---|
| 45 | } |
|---|
| 46 | match_id = match_data->raw_data; |
|---|
| 47 | pr_debug("%s: match '%s' '%s' len %zd\n" , |
|---|
| 48 | __func__, match_id, key->description, match_len); |
|---|
| 49 | return !memcmp(p: key->description, q: match_id, size: match_len); |
|---|
| 50 | } |
|---|
| 51 | |
|---|
| 52 | static int nvme_tls_psk_match_preparse(struct key_match_data *match_data) |
|---|
| 53 | { |
|---|
| 54 | match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE; |
|---|
| 55 | match_data->cmp = nvme_tls_psk_match; |
|---|
| 56 | return 0; |
|---|
| 57 | } |
|---|
| 58 | |
|---|
| 59 | static struct key_type nvme_tls_psk_key_type = { |
|---|
| 60 | .name = "psk" , |
|---|
| 61 | .flags = KEY_TYPE_NET_DOMAIN, |
|---|
| 62 | .preparse = user_preparse, |
|---|
| 63 | .free_preparse = user_free_preparse, |
|---|
| 64 | .match_preparse = nvme_tls_psk_match_preparse, |
|---|
| 65 | .instantiate = generic_key_instantiate, |
|---|
| 66 | .revoke = user_revoke, |
|---|
| 67 | .destroy = user_destroy, |
|---|
| 68 | .describe = nvme_tls_psk_describe, |
|---|
| 69 | .read = user_read, |
|---|
| 70 | }; |
|---|
| 71 | |
|---|
| 72 | static struct key *nvme_tls_psk_lookup(struct key *keyring, |
|---|
| 73 | const char *hostnqn, const char *subnqn, |
|---|
| 74 | int hmac, bool generated) |
|---|
| 75 | { |
|---|
| 76 | char *identity; |
|---|
| 77 | size_t identity_len = (NVMF_NQN_SIZE) * 2 + 11; |
|---|
| 78 | key_ref_t keyref; |
|---|
| 79 | key_serial_t keyring_id; |
|---|
| 80 | |
|---|
| 81 | identity = kzalloc(size: identity_len, GFP_KERNEL); |
|---|
| 82 | if (!identity) |
|---|
| 83 | return ERR_PTR(error: -ENOMEM); |
|---|
| 84 | |
|---|
| 85 | snprintf(buf: identity, size: identity_len, fmt: "NVMe0%c%02d %s %s" , |
|---|
| 86 | generated ? 'G' : 'R', hmac, hostnqn, subnqn); |
|---|
| 87 | |
|---|
| 88 | if (!keyring) |
|---|
| 89 | keyring = nvme_keyring; |
|---|
| 90 | keyring_id = key_serial(key: keyring); |
|---|
| 91 | pr_debug("keyring %x lookup tls psk '%s'\n" , |
|---|
| 92 | keyring_id, identity); |
|---|
| 93 | keyref = keyring_search(keyring: make_key_ref(key: keyring, possession: true), |
|---|
| 94 | type: &nvme_tls_psk_key_type, |
|---|
| 95 | description: identity, recurse: false); |
|---|
| 96 | if (IS_ERR(ptr: keyref)) { |
|---|
| 97 | pr_debug("lookup tls psk '%s' failed, error %ld\n" , |
|---|
| 98 | identity, PTR_ERR(keyref)); |
|---|
| 99 | kfree(objp: identity); |
|---|
| 100 | return ERR_PTR(error: -ENOKEY); |
|---|
| 101 | } |
|---|
| 102 | kfree(objp: identity); |
|---|
| 103 | |
|---|
| 104 | return key_ref_to_ptr(key_ref: keyref); |
|---|
| 105 | } |
|---|
| 106 | |
|---|
| 107 | /* |
|---|
| 108 | * NVMe PSK priority list |
|---|
| 109 | * |
|---|
| 110 | * 'Retained' PSKs (ie 'generated == false') |
|---|
| 111 | * should be preferred to 'generated' PSKs, |
|---|
| 112 | * and SHA-384 should be preferred to SHA-256. |
|---|
| 113 | */ |
|---|
| 114 | static struct nvme_tls_psk_priority_list { |
|---|
| 115 | bool generated; |
|---|
| 116 | enum nvme_tcp_tls_cipher cipher; |
|---|
| 117 | } nvme_tls_psk_prio[] = { |
|---|
| 118 | { .generated = false, |
|---|
| 119 | .cipher = NVME_TCP_TLS_CIPHER_SHA384, }, |
|---|
| 120 | { .generated = false, |
|---|
| 121 | .cipher = NVME_TCP_TLS_CIPHER_SHA256, }, |
|---|
| 122 | { .generated = true, |
|---|
| 123 | .cipher = NVME_TCP_TLS_CIPHER_SHA384, }, |
|---|
| 124 | { .generated = true, |
|---|
| 125 | .cipher = NVME_TCP_TLS_CIPHER_SHA256, }, |
|---|
| 126 | }; |
|---|
| 127 | |
|---|
| 128 | /* |
|---|
| 129 | * nvme_tls_psk_default - Return the preferred PSK to use for TLS ClientHello |
|---|
| 130 | */ |
|---|
| 131 | key_serial_t nvme_tls_psk_default(struct key *keyring, |
|---|
| 132 | const char *hostnqn, const char *subnqn) |
|---|
| 133 | { |
|---|
| 134 | struct key *tls_key; |
|---|
| 135 | key_serial_t tls_key_id; |
|---|
| 136 | int prio; |
|---|
| 137 | |
|---|
| 138 | for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) { |
|---|
| 139 | bool generated = nvme_tls_psk_prio[prio].generated; |
|---|
| 140 | enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher; |
|---|
| 141 | |
|---|
| 142 | tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn, |
|---|
| 143 | hmac: cipher, generated); |
|---|
| 144 | if (!IS_ERR(ptr: tls_key)) { |
|---|
| 145 | tls_key_id = tls_key->serial; |
|---|
| 146 | key_put(key: tls_key); |
|---|
| 147 | return tls_key_id; |
|---|
| 148 | } |
|---|
| 149 | } |
|---|
| 150 | return 0; |
|---|
| 151 | } |
|---|
| 152 | EXPORT_SYMBOL_GPL(nvme_tls_psk_default); |
|---|
| 153 | |
|---|
| 154 | static int __init nvme_keyring_init(void) |
|---|
| 155 | { |
|---|
| 156 | int err; |
|---|
| 157 | |
|---|
| 158 | nvme_keyring = keyring_alloc(description: ".nvme" , |
|---|
| 159 | GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, |
|---|
| 160 | current_cred(), |
|---|
| 161 | perm: (KEY_POS_ALL & ~KEY_POS_SETATTR) | |
|---|
| 162 | (KEY_USR_ALL & ~KEY_USR_SETATTR), |
|---|
| 163 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); |
|---|
| 164 | if (IS_ERR(nvme_keyring)) |
|---|
| 165 | return PTR_ERR(nvme_keyring); |
|---|
| 166 | |
|---|
| 167 | err = register_key_type(&nvme_tls_psk_key_type); |
|---|
| 168 | if (err) { |
|---|
| 169 | key_put(nvme_keyring); |
|---|
| 170 | return err; |
|---|
| 171 | } |
|---|
| 172 | return 0; |
|---|
| 173 | } |
|---|
| 174 | |
|---|
| 175 | static void __exit nvme_keyring_exit(void) |
|---|
| 176 | { |
|---|
| 177 | unregister_key_type(ktype: &nvme_tls_psk_key_type); |
|---|
| 178 | key_revoke(key: nvme_keyring); |
|---|
| 179 | key_put(key: nvme_keyring); |
|---|
| 180 | } |
|---|
| 181 | |
|---|
| 182 | MODULE_LICENSE("GPL v2" ); |
|---|
| 183 | MODULE_AUTHOR("Hannes Reinecke <hare@suse.de>" ); |
|---|
| 184 | MODULE_DESCRIPTION("NVMe Keyring implementation" ); |
|---|
| 185 | module_init(nvme_keyring_init); |
|---|
| 186 | module_exit(nvme_keyring_exit); |
|---|
| 187 | |
|---|
