From: Hannes Reinecke <hare@xxxxxxx>
TCP connections can be encrypted using in-kernel TLS, so add a testcase to exercise the various combinations.
Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
[Shin'ichiro: added _have_libnvme_ver and _have_systemd_tlshd_service]
[Shin'ichiro: used _systemctl_start and _systemctl_stop]
[Shin'ichiro: fixed file mode]
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
---
 tests/nvme/060 | 95 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/nvme/060.out | 10 +++++
 tests/nvme/rc | 14 +++++++
 3 files changed, 119 insertions(+)
 create mode 100755 tests/nvme/060
 create mode 100644 tests/nvme/060.out
diff --git a/tests/nvme/060 b/tests/nvme/060
new file mode 100755
index 0000000..d7424ac
--- /dev/null
+++ b/tests/nvme/060
@@ -0,0 +1,95 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2024 Hannes Reinecke, SUSE Labs
+#
+# Create TLS-encrypted connections
+
+. tests/nvme/rc
+
+DESCRIPTION="Create TLS-encrypted connections"
+QUICK=1
+
+requires() {
+ _nvme_requires
+ _have_loop
+ _have_kernel_option NVME_TCP_TLS
+ _have_kernel_option NVME_TARGET_TCP_TLS
+ _require_kernel_nvme_fabrics_feature tls
+ _require_nvme_trtype tcp
+ _require_nvme_cli_tls
+ _have_libnvme_ver 1 11
+ _have_systemd_tlshd_service
+}
+
+set_conditions() {
+ _set_nvme_trtype "$@"
+}
+
+test() {
+ echo "Running ${TEST_NAME}"
+
+ _setup_nvmet
+
+ local hostkey
+ local ctrl
+
+ hostkey=$(nvme gen-tls-key -n "${def_hostnqn}" -c "${def_subsysnqn}" -m 1 -I 1 -i 2> /dev/null)
+ if [ -z "$hostkey" ] ; then
+ echo "nvme gen-tls-key failed"
+ return 1
+ fi
+
+ _systemctl_start tlshd
+
+ _nvmet_target_setup --blkdev file --tls
+
+ # Test unencrypted connection
+ echo "Test unencrypted connection w/ tls not required"
+ _nvme_connect_subsys
+
+ ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+ if _nvme_ctrl_tls_key "$ctrl" > /dev/null; then
+ echo "WARNING: connection is encrypted"
+ fi
+
+ _nvme_disconnect_subsys
+
+ # Test encrypted connection
+ echo "Test encrypted connection w/ tls not required"
+ _nvme_connect_subsys --tls
+
+ ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+ if ! _nvme_ctrl_tls_key "$ctrl" > /dev/null ; then
+ echo "WARNING: connection is not encrypted"
+ fi
+
+ _nvme_disconnect_subsys
+
+ # Reset target configuration
+ _nvmet_target_cleanup
+
+ _nvmet_target_setup --blkdev file --force-tls
+
+ # Test unencrypted connection
+ echo "Test unencrypted connection w/ tls required (should fail)"
+ _nvme_connect_subsys
+
+ _nvme_disconnect_subsys
+
+ # Test encrypted connection
+ echo "Test encrypted connection w/ tls required"
+ _nvme_connect_subsys --tls
+
+ ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+ if ! _nvme_ctrl_tls_key "$ctrl" > /dev/null; then
+ echo "WARNING: connection is not encrypted"
+ fi
+
+ _nvme_disconnect_subsys
+
+ _nvmet_target_cleanup
+
+ _systemctl_stop
+
+ echo "Test complete"
+}
diff --git a/tests/nvme/060.out b/tests/nvme/060.out
new file mode 100644
index 0000000..b2975bb
--- /dev/null
+++ b/tests/nvme/060.out
@@ -0,0 +1,10 @@
+Running nvme/060
+Test unencrypted connection w/ tls not required
+disconnected 1 controller(s)
+Test encrypted connection w/ tls not required
+disconnected 1 controller(s)
+Test unencrypted connection w/ tls required (should fail)
+disconnected 0 controller(s)
+Test encrypted connection w/ tls required
+disconnected 1 controller(s)
+Test complete
diff --git a/tests/nvme/rc b/tests/nvme/rc
index e52437f..ac3949a 100644
--- a/tests/nvme/rc
+++ b/tests/nvme/rc
@@ -175,6 +175,14 @@ _require_nvme_cli_auth() {
  return 0
 }
 
+_require_nvme_cli_tls() {
+ if ! nvme gen-tls-key --subsysnqn nvmf-test-subsys > /dev/null 2>&1; then
+ SKIP_REASON+=("nvme gen-tls-key command missing")
+ return 1
+ fi
+ return 0
+}
+
 _require_kernel_nvme_fabrics_feature() {
  local feature="$1"
 
@@ -630,3 +638,9 @@ _have_libnvme_ver() {
  fi
  return 0
 }
+
+_nvme_ctrl_tls_key() {
+ local ctrl="$1"
+
+ cat /sys/class/nvme/"$ctrl"/tls_key 2>/dev/null
+}
-- 
2.49.0
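Review bot: The PSK that `nvme gen-tls-key ... -i` inserts into the kernel keyring is never removed in `test()`: `hostkey` is only checked for emptiness, and the visible teardown is `_nvme_disconnect_subsys`, `_nvmet_target_cleanup` and `_systemctl_stop`. Unless one of those helpers (defined outside this patch) revokes it, the key outlives the test, so a later TLS test using the same host and subsystem NQNs could handshake with this stale key rather than the one it set up itself. The side effect should at least be documented above the call, e.g. `# -i inserts the generated PSK into the kernel keyring; nothing below removes it`, and the key revoked before `echo "Test complete"`. The `2> /dev/null` on the same line also discards the reason when key generation fails, leaving only "nvme gen-tls-key failed" in the output.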
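Review bot: The probe in `_require_nvme_cli_tls` does not exercise what the test needs: it runs `nvme gen-tls-key --subsysnqn nvmf-test-subsys`, while tests/nvme/060 calls the command with `-i` to insert the key into the keyring. A host where key generation works but keyring insertion does not would pass this requirement and then fail the test with "nvme gen-tls-key failed" instead of being skipped. The skip message also reports "command missing" for every non-zero exit; `SKIP_REASON+=("nvme gen-tls-key command missing or not working")` would be more accurate, and a one-line header comment saying the check covers key generation only would keep its scope clear.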
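Review bot: `_nvme_ctrl_tls_key` does not guard against an empty `$ctrl`: it then reads `/sys/class/nvme//tls_key`, the error is hidden by `2>/dev/null`, and the callers in tests/nvme/060 print "WARNING: connection is not encrypted" when the actual condition would be that `_find_nvme_dev` returned no controller. A first line such as `[[ -n "$ctrl" ]] || return 1`, paired with a distinct message at the call sites, would separate "no controller" from "no TLS key". The callers also test only the exit status of `cat`, so a readable but empty `tls_key` attribute counts as encrypted; a header comment like `# prints the controller's tls_key attribute; non-zero exit if it cannot be read` would document that contract.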