docs: add howto to setup TLS connections

igaw · igaw · commit eda38ad1aa43 · 2024-10-30T17:32:00.000+01:00
There are couple of step necessary to get TLS working nicely. Document
it how this is done.

Signed-off-by: Daniel Wagner &lt;wagi@kernel.org&gt;
diff --git a/TLS.md b/TLS.md
@@ -0,0 +1,194 @@
+# How to Set Up TLS for NVMe-TCP
+
+Enabling TLS for the NVMe-TCP feature requires a few configuration steps for both the kernel and userland.
+
+## Kernel Configuration
+
+To support TCP authentication and TLS encryption, enable the following kernel options:
+
+- For DHCHAP authentication:
+  `CONFIG_NVME_HOST_AUTH`
+
+- For TLS transport encryption:
+  `CONFIG_NVME_TCP_TLS`
+
+## Setting Up `tlshd`
+
+For TLS protocol support, which handles authentication and encryption, the kernel handles data encryption only, so userland support is required for the TLS handshake. The `tlshd` daemon implements the handshake process.
+
+### Requirements
+
+Ensure `tlshd` includes the commit `311d9438b984` ("tlshd: always link .nvme default keyring into the session") - likely in `ktls-utils` version 0.12. Alternatively, you can set the keyring manually in `/etc/tlshd.conf`:
+
+```ini
+[authenticate]
+keyrings = .nvme
+```
+
+No additional configuration is necessary for `tlshd`; simply start it as a daemon:
+
+```bash
+systemctl enable --now tlshd
+```
+
+## Loading Keys on Boot or Module Load
+
+The NVMe subsystem loading keys from the kernel keystore, which means these keys must be available in the keystore before establishing a connection.
+
+### Creating a New Key
+
+```bash
+nvme gen-tls-key \
+  --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
+  --subsysnqn nqn.io-1 --hmac 1 --identity 1 --insert --keyfile /etc/nvme/tls-keys
+```
+
+This command creates a new host key, inserts it into the kernel keyring, and appends the derived TLS PSK to the keyfile (`/etc/nvme/tls-keys`).
+
+### Inserting an Existing Key
+
+```bash
+nvme check-tls-key \
+  --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
+  --subsysnqn nqn.io-1 --identity 1 \
+  --keydata NVMeTLSkey-1:01:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACtVQoZ: \
+  --insert --keyfile /etc/nvme/tls-keys
+```
+
+This command inserts the configured key (`--keydata`) into the kernel keyring and appends the derived TLS PSK to the keyfile.
+
+### Loading Keys on Boot or Module Load
+
+The kernel keyring does not persist keys, so userland must import keys into the keyring upon each boot or module load (for NVMe-TCP). To load keys:
+
+```bash
+nvme tls --import /etc/nvme/tls-keys
+```
+
+The `70-nvmf-keys.rules` udev rule ([source](https://github.com/linux-nvme/nvme-cli/blob/master/nvmf-autoconnect/udev-rules/70-nvmf-keys.rules.in)) will load keys from `/etc/nvme/tls-keys` automatically.
+
+### Recommendation for Handling TLS Keys
+
+The `nvme connect` command also allows passing a TLS key directly via the command line or a JSON config file. Avoid this method in production environments, as it may expose keys.
+
+## Establishing a Connection
+
+Once the keys are in the keystore, add the `--tls` option to establish a secure connection:
+
+```bash
+nvme connect --transport tcp --traddr 192.168.154.148 --trsvcid 4420 \
+             --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
+             --hostid befdec4c-2234-11b2-a85c-ca77c773af36 \
+             --nqn nqn.io-1 --tls --dump-config --output-format json
+```
+
+The resulting JSON output can be saved to simplify future connections:
+
+```json
+[
+  {
+    "hostnqn": "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
+    "hostid": "befdec4c-2234-11b2-a85c-ca77c773af36",
+    "subsystems": [
+      {
+        "nqn": "nqn.io-1",
+        "ports": [
+          {
+            "transport": "tcp",
+            "traddr": "192.168.154.148",
+            "trsvcid": "4420",
+            "dhchap_key": "none",
+            "tls": true
+          }
+        ]
+      }
+    ]
+  }
+]
+```
+
+Using this JSON file, you can connect with:
+
+```bash
+nvme connect --config config.json
+```
+
+## Setting Up the Target
+
+The same steps for creating keys and importing/exporting keys to/from the kernel are necessary for the target as they are for the host (see above).
+
+For the above example, you can use the `nvmetcli` config:
+
+```json
+{
+  "hosts": [
+    {
+      "nqn": "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36"
+    }
+  ],
+  "ports": [
+    {
+      "addr": {
+        "adrfam": "ipv4",
+        "traddr": "0.0.0.0",
+        "treq": "not specified",
+        "trsvcid": "4420",
+        "trtype": "tcp",
+        "tsas": "tls1.3"
+      },
+      "ana_groups": [
+        {
+          "ana": {
+            "state": "optimized"
+          },
+          "grpid": 1
+        }
+      ],
+      "param": {
+        "inline_data_size": "16384",
+        "pi_enable": "0"
+      },
+      "portid": 0,
+      "referrals": [],
+      "subsystems": [
+        "nqn.io-1"
+      ]
+    }
+  ],
+  "subsystems": [
+    {
+      "allowed_hosts": [
+        "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36"
+      ],
+      "attr": {
+        "allow_any_host": "0",
+        "cntlid_max": "65519",
+        "cntlid_min": "1",
+        "firmware": "6.8.0-rc",
+        "ieee_oui": "0x000000",
+        "model": "Linux",
+        "pi_enable": "0",
+        "qid_max": "128",
+        "serial": "0c74361069d9db6c65ef",
+        "version": "1.3"
+      },
+      "namespaces": [
+        {
+          "ana": {
+            "grpid": "1"
+          },
+          "ana_grpid": 1,
+          "device": {
+            "nguid": "00000000-0000-0000-0000-000000000000",
+            "path": "/dev/vdb",
+            "uuid": "91fdba0d-f87b-4c25-b80f-db7be1418b9e"
+          },
+          "enable": 1,
+          "nsid": 1
+        }
+      ],
+      "nqn": "nqn.io-1"
+    }
+  ]
+}
+```
