kernel/linux.git/drivers/nvme/target/auth.c, branch linux-7.0.y

Merge tag 'nvme-6.19-2025-12-04' of git://git.infradead.org/nvme into block-6.19

2025-12-05T03:58:19+00:00

Pull NVMe updates from Keith: "- Subsystem usage cleanups (Max) - Endpoint device fixes (Shin'ichiro) - Debug statements (Gerd) - FC fabrics cleanups and fixes (Daniel) - Consistent alloc API usages (Israel) - Code comment updates (Chu) - Authentication retry fix (Justin)" * tag 'nvme-6.19-2025-12-04' of git://git.infradead.org/nvme: nvme-fabrics: add ENOKEY to no retry criteria for authentication failures nvme-auth: use kvfree() for memory allocated with kvcalloc() nvmet-tcp: use kvcalloc for commands array nvmet-rdma: use kvcalloc for commands and responses arrays nvme: fix typo error in nvme target nvmet-fc: use pr_* print macros instead of dev_* nvmet-fcloop: remove unused lsdir member. nvmet-fcloop: check all request and response have been processed nvme-fc: check all request and response have been processed nvme-fc: don't hold rport lock when putting ctrl nvme-pci: add debug message on fail to read CSTS nvme-pci: print error message on failure in nvme_probe nvmet: pci-epf: fix DMA channel debug print nvmet: pci-epf: move DMA initialization to EPC init callback nvmet: remove redundant subsysnqn field from ctrl nvmet: add sanity checks when freeing subsystem

nvmet: remove redundant subsysnqn field from ctrl

2025-12-01T21:45:53+00:00

The subsysnqn field in the nvmet controller structure is redundant, since the subsystem NQN can always be accessed via the controller's subsystem reference. Remove this field to save memory and avoid unnecessary duplication. Signed-off-by: Max Gurtovoy Signed-off-by: Keith Busch

nvmet-auth: update sc_c in target host hash calculation

2025-11-17T16:05:58+00:00

Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added the sc_c variable to the dhchap queue context structure which is appropriately set during negotiate and then used in the host response. This breaks secure concat connections with a Linux target as the target code wasn't updated at the same time. This patch fixes this by adding a new sc_c variable to the host hash calculations. Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response") Tested-by: Shin'ichiro Kawasaki Tested-by: Yi Zhang Reviewed-by: Martin George Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Alistair Francis Signed-off-by: Keith Busch

nvmet-auth: update sc_c in host response

2025-10-23T00:28:18+00:00

The target code should set the sc_c bit in calculating the host response based on the status of the 'concat' setting, otherwise we'll get an authentication mismatch for hosts setting that bit correctly. Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response") Signed-off-by: Hannes Reinecke Signed-off-by: Keith Busch

nvmet-auth: use SHASH_DESC_ON_STACK

2025-05-20T03:34:26+00:00

Use SHASH_DESC_ON_STACK to avoid explicit allocation. Signed-off-by: Hannes Reinecke Reviewed-by: Damien Le Moal Signed-off-by: Christoph Hellwig

nvmet-auth: authenticate on admin queue only

2025-05-20T03:34:25+00:00

Do not start authentication on I/O queues as it doesn't really add value, and secure concatenation disallows it anyway. Authentication commands on I/O queues are not aborted, so the host may still run the authentication protocol on I/O queues. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig

nvmet-auth: always free derived key data

2025-04-30T13:09:09+00:00

After calling nvme_auth_derive_tls_psk() we need to free the resulting psk data, as either TLS is disable (and we don't need the data anyway) or the psk data is copied into the resulting key (and can be free, too). Fixes: fa2e0f8bbc68 ("nvmet-tcp: support secure channel concatenation") Reported-by: Yi Zhang Suggested-by: Maurizio Lombardi Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Tested-by: Yi Zhang Signed-off-by: Christoph Hellwig

nvmet: auth: use NULL to clear a pointer in nvmet_auth_sq_free()

2025-04-16T05:37:36+00:00

When compiling with C=1, the following sparse warning is generated: auth.c:243:23: warning: Using plain integer as NULL pointer Avoid this warning by using NULL to instead of 0 to set the sq tls_key pointer. Fixes: fa2e0f8bbc68 ("nvmet-tcp: support secure channel concatenation") Signed-off-by: Damien Le Moal Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Reviewed-by: Hannes Reinecke Signed-off-by: Christoph Hellwig

nvmet-tcp: support secure channel concatenation

2025-03-20T23:53:54+00:00

Evaluate the SC_C flag during DH-CHAP-HMAC negotiation to check if secure concatenation as specified in the NVMe Base Specification v2.1, section 8.3.4.3: "Secure Channel Concatenationand" is requested. If requested the generated PSK is inserted into the keyring once negotiation has finished allowing for an encrypted connection once the admin queue is restarted. Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch

nvmet: Add 'sq' argument to alloc_ctrl_args

2025-03-20T23:53:54+00:00

For secure concatenation the result of the TLS handshake will be stored in the 'sq' struct, so add it to the alloc_ctrl_args struct. Cc: Damien Le Moal Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Reviewed-by: Damien Le Moal Signed-off-by: Keith Busch