On Tue, May 06, 2025 at 03:03:10PM +0200, Hannes Reinecke wrote:
> Hmm. We do that already:
>
>     dev_dbg(nctrl->device, "queue %d: start TLS with key %x\n",
>             qid, pskid);
>     memset(&args, 0, sizeof(args));
>     args.ta_sock = queue->sock;
>     args.ta_done = nvme_tcp_tls_done;
>     args.ta_data = queue;
>     args.ta_my_peerids[0] = pskid;
>     args.ta_num_peerids = 1;
>     if (nctrl->opts->keyring)
>             keyring = key_serial(nctrl->opts->keyring);
>     args.ta_keyring = keyring;
>     args.ta_timeout_ms = tls_handshake_timeout * 1000;
>     queue->tls_err = -EOPNOTSUPP;
>     init_completion(&queue->tls_complete);
>     ret = tls_client_hello_psk(&args, GFP_KERNEL);
>
> ... but we never evaluate the 'keyring' parameter from tlshd.
> Should be easy enough to fix.

That is only used to link the keyring in tls_handshake_private_keyring
and never passed over netlink.