On 5/6/25 16:46, Christoph Hellwig wrote:
On Tue, May 06, 2025 at 03:03:10PM +0200, Hannes Reinecke wrote:Hmm. We do that already: dev_dbg(nctrl->device, "queue %d: start TLS with key %x\n", qid, pskid); memset(&args, 0, sizeof(args)); args.ta_sock = queue->sock; args.ta_done = nvme_tcp_tls_done; args.ta_data = queue; args.ta_my_peerids[0] = pskid; args.ta_num_peerids = 1; if (nctrl->opts->keyring) keyring = key_serial(nctrl->opts->keyring); args.ta_keyring = keyring; args.ta_timeout_ms = tls_handshake_timeout * 1000; queue->tls_err = -EOPNOTSUPP; init_completion(&queue->tls_complete); ret = tls_client_hello_psk(&args, GFP_KERNEL); ... but we never evaluate the 'keyring' parameter from tlshd. Should be easy enough to fix.That is only used to link the keyrind in tls_handshake_private_keyring and never passed over netlink.
ktls-utils pull request #94. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@xxxxxxx +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
