]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
nvme-fabrics: reset admin connection for secure concatenation
authorHannes Reinecke <hare@kernel.org>
Mon, 24 Feb 2025 12:38:15 +0000 (13:38 +0100)
committerKeith Busch <kbusch@kernel.org>
Thu, 20 Mar 2025 23:53:54 +0000 (16:53 -0700)
When secure concatenation is requested the connection needs to be
reset to enable TLS encryption on the new connection.
That implies that the original connection used for the DH-CHAP
negotiation really shouldn't be used, and we should reset as soon
as the DH-CHAP negotiation has succeeded on the admin queue.

Based on an idea from Sagi.

Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
drivers/nvme/host/tcp.c

index 196d363188539990aa22b1fd7ae9c99a284edc6f..feb2d7e17c4a14fc040c8038ff67e7f25d45fc95 100644 (file)
@@ -2283,6 +2283,16 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new)
        if (ret)
                return ret;
 
+       if (ctrl->opts && ctrl->opts->concat && !ctrl->tls_pskid) {
+               /* See comments for nvme_tcp_key_revoke_needed() */
+               dev_dbg(ctrl->device, "restart admin queue for secure concatenation\n");
+               nvme_stop_keep_alive(ctrl);
+               nvme_tcp_teardown_admin_queue(ctrl, false);
+               ret = nvme_tcp_configure_admin_queue(ctrl, false);
+               if (ret)
+                       return ret;
+       }
+
        if (ctrl->icdoff) {
                ret = -EOPNOTSUPP;
                dev_err(ctrl->device, "icdoff is not supported!\n");
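Review bot: After the second `nvme_tcp_configure_admin_queue(ctrl, false)` in the added block, nothing visible re-checks `ctrl->tls_pskid`, so a reconnect that again comes up without a PSK would apparently carry on with an unencrypted admin queue even though `concat` was requested. Whether the configure path already rejects that case cannot be seen from this hunk; if it does not, the block should fail closed with something like `if (!ctrl->tls_pskid) ret = -ENOKEY;` and leave through the same error exit the `icdoff` check below uses, so the re-created admin queue is torn down. The comment that only points at nvme_tcp_key_revoke_needed() would also be easier to follow with the reason stated in place, e.g. `/* DH-CHAP ran on a non-TLS connection; reconnect so the admin queue starts TLS with the generated PSK */`. nvme_tcp_setup_ctrl begins and ends outside the hunk, so the error exit itself is not visible here.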