nvme: add testcase for TLS-encrypted connections

TCP connections can be encrypted using in-kernel TLS, so add a
testcase to exercise the various combinations.

[Shin'ichiro: used _systemctl_start and _systemctl_stop]
[Shin'ichiro: fixed file mode]

Signed-off-by: Hannes Reinecke <[email protected]>
[Shin'ichiro: added _have_libnvme_ver and _have_systemd_tlshd_service]
Signed-off-by: Shin'ichiro Kawasaki <[email protected]>

Author: hreinecke

tests/nvme/062

@@ -0,0 +1,95 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2024 Hannes Reinecke, SUSE Labs
+#
+# Create TLS-encrypted connections
+
+. tests/nvme/rc
+
+DESCRIPTION="Create TLS-encrypted connections"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_loop
+	_have_kernel_option NVME_TCP_TLS
+	_have_kernel_option NVME_TARGET_TCP_TLS
+	_require_kernel_nvme_fabrics_feature tls
+	_require_nvme_trtype tcp
+	_require_nvme_cli_tls
+	_have_libnvme_ver 1 11
+	_have_systemd_tlshd_service
+}
+
+set_conditions() {
+	_set_nvme_trtype "$@"
+}
+
+test() {
+	echo "Running ${TEST_NAME}"
+
+	_setup_nvmet
+
+	local hostkey
+	local ctrl
+
+	hostkey=$(nvme gen-tls-key -n "${def_hostnqn}" -c "${def_subsysnqn}" -m 1 -I 1 -i 2> /dev/null)
+	if [ -z "$hostkey" ] ; then
+		echo "nvme gen-tls-key failed"
+		return 1
+	fi
+
+	_systemctl_start tlshd
+
+	_nvmet_target_setup --blkdev file --tls
+
+	# Test unencrypted connection
+	echo "Test unencrypted connection w/ tls not required"
+	_nvme_connect_subsys
+
+	ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+	if _nvme_ctrl_tls_key "$ctrl" > /dev/null; then
+		echo "WARNING: connection is encrypted"
+	fi
+
+	_nvme_disconnect_subsys
+
+	# Test encrypted connection
+	echo "Test encrypted connection w/ tls not required"
+	_nvme_connect_subsys --tls
+
+	ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+	if ! _nvme_ctrl_tls_key "$ctrl" > /dev/null ; then
+                echo "WARNING: connection is not encrypted"
+        fi
+
+	_nvme_disconnect_subsys
+
+	# Reset target configuration
+	_nvmet_target_cleanup
+
+	_nvmet_target_setup --blkdev file --force-tls
+
+	# Test unencrypted connection
+	echo "Test unencrypted connection w/ tls required (should fail)"
+	_nvme_connect_subsys
+
+	_nvme_disconnect_subsys
+
+	# Test encrypted connection
+	echo "Test encrypted connection w/ tls required"
+	_nvme_connect_subsys --tls
+
+	ctrl=$(_find_nvme_dev "${def_subsysnqn}")
+	if ! _nvme_ctrl_tls_key "$ctrl" > /dev/null; then
+                echo "WARNING: connection is not encrypted"
+        fi
+
+	_nvme_disconnect_subsys
+
+	_nvmet_target_cleanup
+
+	_systemctl_stop
+
+	echo "Test complete"
+}

tests/nvme/062.out

@@ -0,0 +1,10 @@
+Running nvme/062
+Test unencrypted connection w/ tls not required
+disconnected 1 controller(s)
+Test encrypted connection w/ tls not required
+disconnected 1 controller(s)
+Test unencrypted connection w/ tls required (should fail)
+disconnected 0 controller(s)
+Test encrypted connection w/ tls required
+disconnected 1 controller(s)
+Test complete

tests/nvme/rc

@@ -175,6 +175,14 @@ _require_nvme_cli_auth() {
 	return 0
 }
 
+_require_nvme_cli_tls() {
+	if ! nvme gen-tls-key --subsysnqn nvmf-test-subsys > /dev/null 2>&1; then
+		SKIP_REASON+=("nvme gen-tls-key command missing")
+		return 1
+	fi
+	return 0
+}
+
 _require_kernel_nvme_fabrics_feature() {
 	local feature="$1"
 
@@ -630,3 +638,9 @@ _have_libnvme_ver() {
 	fi
 	return 0
 }
+
+_nvme_ctrl_tls_key() {
+	local ctrl="$1"
+
+	cat /sys/class/nvme/"$ctrl"/tls_key 2>/dev/null
+}