From dc3fa78aa2019b4c5453d6d00fd404fb7c4c41af Mon Sep 17 00:00:00 2001 From: Martin George Date: Sun, 4 Jan 2026 16:57:14 +0530 Subject: [PATCH 1/7] fabrics: fix concat during nvme connect-all During nvme connect-all, if a discovery log page record reports the sectype as anything other than NVMF_TCP_SECTYPE_NONE in nvmf_connect_disc_entry(), it then assumes that --tls should be default set for the same. But this holds true only for configured PSK TLS alone and not for generated PSK TLS. For generated PSK TLS connections using --concat (i.e. secure channel concat), this would lead to connection failures since both --tls and --concat are not to be invoked together. Fix this by distinguishing the two through their respective treq values and setting the appropriate --tls or --concat flags for each. Signed-off-by: Martin George (cherry picked from commit 3f2ca96d77b1) Signed-off-by: Daniel Wagner --- src/nvme/fabrics.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c index b0821e963..01413139d 100644 --- a/src/nvme/fabrics.c +++ b/src/nvme/fabrics.c @@ -1100,8 +1100,12 @@ nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h, c->cfg.disable_sqflow = true; if (e->trtype == NVMF_TRTYPE_TCP && - e->tsas.tcp.sectype != NVMF_TCP_SECTYPE_NONE) - c->cfg.tls = true; + e->tsas.tcp.sectype != NVMF_TCP_SECTYPE_NONE) { + if (e->treq & NVMF_TREQ_REQUIRED) + c->cfg.tls = true; + else if (e->treq & NVMF_TREQ_NOT_REQUIRED) + c->cfg.concat = true; + } ret = nvmf_add_ctrl(h, c, cfg); if (!ret) From 1969824c9d8757902ac5d12bb6430c622f9cf41b Mon Sep 17 00:00:00 2001 From: Martin George Date: Fri, 16 Jan 2026 11:56:42 +0530 Subject: [PATCH 2/7] fabrics: add error if --tls and --concat are invoked together --tls and --concat are mutually exclusive and not meant to be invoked together. So add an appropriate error message for the same. Signed-off-by: Martin George (cherry picked from 75cfffcdf892) 
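Review bot: A record whose sectype is not NVMF_TCP_SECTYPE_NONE but whose `e->treq` has neither NVMF_TREQ_REQUIRED nor NVMF_TREQ_NOT_REQUIRED set now falls through the new `if`/`else if` with neither flag set, where the old code set `c->cfg.tls`. These fields come from the discovery log page, so this is a silent change in the security mode chosen for the connection. The branch should be made explicit, for example `else nvme_msg(h->r, LOG_WARNING, "sectype set but treq unspecified, not enabling --tls or --concat\n");`, or keep `c->cfg.tls = true;` there if that is the intended default. The same gap is carried into the debug-message version in 4/7 and into nvmf_update_tls_concat() in 6/7. nvmf_connect_disc_entry() starts and ends outside the hunk.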
Signed-off-by: Daniel Wagner --- src/nvme/fabrics.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c index 01413139d..850ba02f5 100644 --- a/src/nvme/fabrics.c +++ b/src/nvme/fabrics.c @@ -627,6 +627,11 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr) ctrlkey = nvme_ctrl_get_dhchap_key(c); + if (cfg->tls && cfg->concat) { + nvme_msg(h->r, LOG_ERR, "cannot specify --tls and --concat together\n"); + return -ENVME_CONNECT_INVAL; + } + if (cfg->tls) { ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id); if (ret) { From fad4a88119e13ca4202c4276529b2ea0f3f7f16e Mon Sep 17 00:00:00 2001 From: Martin George Date: Fri, 16 Jan 2026 12:12:17 +0530 Subject: [PATCH 3/7] fabrics: add error if no dhchap-secret is specified with --concat --concat requires a corresponding dhchap-secret key to be passed with it. So add an appropriate error message if this is not done. Signed-off-by: Martin George (cherry picked from 62a3ec111d5d) Signed-off-by: Daniel Wagner --- src/nvme/fabrics.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c index 850ba02f5..5492fb9a5 100644 --- a/src/nvme/fabrics.c +++ b/src/nvme/fabrics.c @@ -632,6 +632,11 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr) return -ENVME_CONNECT_INVAL; } + if (cfg->concat && !hostkey) { + nvme_msg(h->r, LOG_ERR, "required argument [--dhchap-secret | -S] not specified with --concat\n"); + return -ENVME_CONNECT_INVAL; + } + if (cfg->tls) { ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id); if (ret) { From e485d28ade5540b4f34fd6a3fdcb0e713e342913 Mon Sep 17 00:00:00 2001 
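Review bot: The check in build_options() does not record why the two options exclude each other, and its message assumes both came from the command line. Since 1/7, `concat` can also be set from a discovery record in nvmf_connect_disc_entry(). If the caller's `--tls` ends up in the same controller config (not visible in this hunk), connect-all would fail here for that record. I would add a comment above the check such as `/* --tls is configured-PSK TLS, --concat is generated-PSK TLS (secure channel concat); mutually exclusive */`. build_options() continues outside the hunk.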
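Review bot: With 1/7 mapping NVMF_TREQ_NOT_REQUIRED to `concat`, the `cfg->concat && !hostkey` check also fires for records where the user never passed `--concat`. A host with no DH-CHAP secret now gets -ENVME_CONNECT_INVAL for such a record during connect-all, and the text points at an option that was not given. The message could name the requirement instead, e.g. `"concat requires a DH-CHAP host secret (--dhchap-secret | -S)\n"`, and the line should be wrapped since it runs far past 80 columns. `hostkey` is assigned above the hunk, so whether it can be an empty string rather than NULL cannot be checked from here.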
From: Martin George Date: Wed, 21 Jan 2026 21:56:33 +0530 Subject: [PATCH 4/7] fabrics: add additional debug messages for --tls and --concat Add additional debug messages when --tls and --concat is set respectively based on the treq and sectype fields for a given record in the discovery log page data during a nvme connect-all. This makes it easier to debug, otherwise can be quite confusing to the end user. Signed-off-by: Martin George (cherry picked from f0dd975155f4) Signed-off-by: Daniel Wagner --- src/nvme/fabrics.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c index 5492fb9a5..fe24b53fa 100644 --- a/src/nvme/fabrics.c +++ b/src/nvme/fabrics.c @@ -1111,10 +1111,15 @@ nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h, if (e->trtype == NVMF_TRTYPE_TCP && e->tsas.tcp.sectype != NVMF_TCP_SECTYPE_NONE) { - if (e->treq & NVMF_TREQ_REQUIRED) + if (e->treq & NVMF_TREQ_REQUIRED) { + nvme_msg(h->r, LOG_DEBUG, "setting --tls due to treq %s and sectype %s\n", + nvmf_treq_str(e->treq), nvmf_sectype_str(e->tsas.tcp.sectype)); c->cfg.tls = true; - else if (e->treq & NVMF_TREQ_NOT_REQUIRED) + } else if (e->treq & NVMF_TREQ_NOT_REQUIRED) { + nvme_msg(h->r, LOG_DEBUG, "setting --concat due to treq %s and sectype %s\n", + nvmf_treq_str(e->treq), nvmf_sectype_str(e->tsas.tcp.sectype)); c->cfg.concat = true; + } } ret = nvmf_add_ctrl(h, c, cfg); From 45bf8e841a093ad99901743d2efcb9a0d810206e Mon Sep 17 00:00:00 2001 
From: Martin George Date: Fri, 20 Mar 2026 22:47:43 +0530 Subject: [PATCH 5/7] tree: avoid updating --tls in nvme_read_sysfs_tls() It is wrongly assumed that the presence of the sysfs tls_key attribute indicates --tls alone was invoked. But this can also happen if --concat was invoked as well. And both --tls and --concat are mutually exclusive. Also, both --tls and --concat are already appropriately set earlier during configured & generated PSK TLS workflows respectively. So avoid explicitly setting --tls again here in nvme_read_sysfs_tls() as that's unnecessary and incorrect too. Signed-off-by: Martin George (cherry picked from f1818da3448f) Signed-off-by: Daniel Wagner --- src/nvme/tree.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/nvme/tree.c b/src/nvme/tree.c index c363cd13c..e0aa30649 100644 --- a/src/nvme/tree.c +++ b/src/nvme/tree.c @@ -2013,10 +2013,9 @@ static void nvme_read_sysfs_tls(nvme_root_t r, nvme_ctrl_t c) key = nvme_get_ctrl_attr(c, "tls_key"); if (!key) { - /* tls_key is only present if --tls has been used. */ + /* tls_key is only present if --tls or --concat has been used */ return; } - c->cfg.tls = true; keyring = nvme_get_ctrl_attr(c, "tls_keyring"); nvme_ctrl_set_keyring(c, keyring); From d9ece5cc26b6690f44e4b50bd502ae320aa9fec6 Mon Sep 17 00:00:00 2001 From: Martin George Date: Tue, 24 Mar 2026 22:32:34 +0530 Subject: [PATCH 6/7] fabrics: add helper to update tls and concat Only --tls was properly updated in nbft_connect(), and not --concat. But this is properly done in nvmf_connect_disc_entry() already. So add a helper function to update both --tls and --concat and invoke the same from nvmf_connect_disc_entry() and nbft_connect() respectively. Signed-off-by: Martin George [wagi: reformated the function to improve readability] (cherry picked from 99dd46fdff25) Signed-off-by: Daniel Wagner --- src/nvme/fabrics.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) 
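Review bot: After this removal nothing in nvme_read_sysfs_tls() marks a scanned controller as using TLS, and the replacement added in 7/7 returns early when the `tls_mode` attribute is absent. On a kernel that does not provide that attribute, a TLS-connected controller would presumably be read back with both `c->cfg.tls` and `c->cfg.concat` false; the same holds for any tree built between this patch and 7/7. If that is accepted, the comment should say where the mode now comes from, e.g. `/* tls_key alone cannot tell --tls from --concat; the mode is read from tls_mode */`. The function continues outside the hunk.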
diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c index fe24b53fa..3c4997d14 100644 --- a/src/nvme/fabrics.c +++ b/src/nvme/fabrics.c @@ -1011,6 +1011,34 @@ int nvmf_connect_ctrl(nvme_ctrl_t c) return 0; } +static void nvmf_update_tls_concat(struct nvmf_disc_log_entry *e, + nvme_ctrl_t c, nvme_host_t h) +{ + if (e->trtype != NVMF_TRTYPE_TCP || + e->tsas.tcp.sectype == NVMF_TCP_SECTYPE_NONE) + return; + + if (e->treq & NVMF_TREQ_REQUIRED) { + nvme_msg(h->r, LOG_DEBUG, + "setting --tls due to treq %s and sectype %s\n", + nvmf_treq_str(e->treq), + nvmf_sectype_str(e->tsas.tcp.sectype)); + + c->cfg.tls = true; + return; + } + + if (e->treq & NVMF_TREQ_NOT_REQUIRED) { + nvme_msg(h->r, LOG_DEBUG, + "setting --concat due to treq %s and sectype %s\n", + nvmf_treq_str(e->treq), + nvmf_sectype_str(e->tsas.tcp.sectype)); + + c->cfg.concat = true; + return; + } +} + nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h, struct nvmf_disc_log_entry *e, const struct nvme_fabrics_config *cfg, @@ -1109,18 +1137,8 @@ nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h, nvmf_check_option(h->r, disable_sqflow)) c->cfg.disable_sqflow = true; - if (e->trtype == NVMF_TRTYPE_TCP && - e->tsas.tcp.sectype != NVMF_TCP_SECTYPE_NONE) { - if (e->treq & NVMF_TREQ_REQUIRED) { - nvme_msg(h->r, LOG_DEBUG, "setting --tls due to treq %s and sectype %s\n", - nvmf_treq_str(e->treq), nvmf_sectype_str(e->tsas.tcp.sectype)); - c->cfg.tls = true; - } else if (e->treq & NVMF_TREQ_NOT_REQUIRED) { - nvme_msg(h->r, LOG_DEBUG, "setting --concat due to treq %s and sectype %s\n", - nvmf_treq_str(e->treq), nvmf_sectype_str(e->tsas.tcp.sectype)); - c->cfg.concat = true; - } - } + /* update tls or concat */ + nvmf_update_tls_concat(e, c, h); ret = nvmf_add_ctrl(h, c, cfg); if (!ret) From cb1c226a75f558ed963908b9f1892bab2a95e809 Mon Sep 17 00:00:00 2001 
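Review bot: The description says the helper is also invoked from nbft_connect(), but the only call added in this patch is the one in nvmf_connect_disc_entry(). nvmf_update_tls_concat() is `static`, so nothing outside fabrics.c can reach it. Either the nbft_connect() hunk was lost in the cherry-pick or the description needs adjusting for this backport; as posted, the `--concat` gap described for nbft_connect() appears to remain. Smaller points: the helper has no comment stating that it only ever sets one flag and leaves both untouched for other treq values, and the trailing `return;` in the last branch is redundant.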
From: Daniel Wagner Date: Wed, 1 Apr 2026 10:31:32 +0200 Subject: [PATCH 7/7] nvme: expose tls mode in use It is not possible to determine the active TLS mode from the presence or absence of sysfs attributes like tls_key, tls_configured_key, or dhchap_secret. With the introduction of the concat mode and optional DH-CHAP authentication, different configurations can result in identical sysfs state. This makes user space detection unreliable. Read the TLS mode used from the newly added sysfs entry. (cherry picked from d0c4d3aedb1c) Signed-off-by: Daniel Wagner --- src/nvme/tree.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/nvme/tree.c b/src/nvme/tree.c index e0aa30649..29b62ae4c 100644 --- a/src/nvme/tree.c +++ b/src/nvme/tree.c @@ -1980,6 +1980,20 @@ static char *nvme_ctrl_lookup_phy_slot(nvme_root_t r, const char *address) return NULL; } +static void nvme_read_sysfs_tls_mode(nvme_root_t r, nvme_ctrl_t c) +{ + _cleanup_free_ char *mode = NULL; + + mode = nvme_get_ctrl_attr(c, "tls_mode"); + if (!mode) + return; + + if (!strcmp(mode, "tls")) + c->cfg.tls = true; + else if (!strcmp(mode, "concat")) + c->cfg.concat = true; +} + static void nvme_read_sysfs_dhchap(nvme_root_t r, nvme_ctrl_t c) { char *host_key, *ctrl_key; @@ -2088,6 +2102,7 @@ static int nvme_reconfigure_ctrl(nvme_root_t r, nvme_ctrl_t c, const char *path, c->phy_slot = nvme_ctrl_lookup_phy_slot(r, c->address); nvme_read_sysfs_dhchap(r, c); nvme_read_sysfs_tls(r, c); + nvme_read_sysfs_tls_mode(r, c); errno = 0; /* cleanup after nvme_get_ctrl_attr() */ return 0;
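Review bot: nvme_read_sysfs_tls_mode() only ever sets a flag and never clears the other one. A controller whose `c->cfg.tls` is already true and whose `tls_mode` reads `concat` therefore ends up with both set, the combination build_options() rejects since 2/7. Assigning both from the attribute avoids that: `c->cfg.tls = !strcmp(mode, "tls");` and `c->cfg.concat = !strcmp(mode, "concat");`. Any other value is ignored without a message, and the comparison relies on nvme_get_ctrl_attr() returning the value without a trailing newline, which is not visible here. A one-line comment listing the values the attribute can hold would help, and the `r` parameter is unused.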