nvmet-auth: authenticate on admin queue only
authorHannes Reinecke <hare@kernel.org>
Tue, 22 Apr 2025 09:15:55 +0000 (11:15 +0200)
committerChristoph Hellwig <hch@lst.de>
Tue, 20 May 2025 03:34:25 +0000 (05:34 +0200)
Do not start authentication on I/O queues as it doesn't really add value,
and secure concatenation disallows it anyway.  Authentication commands on
I/O queues are not aborted, so the host may still run the authentication
protocol on I/O queues.

Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
drivers/nvme/target/auth.c
drivers/nvme/target/fabrics-cmd.c

index 9429b821840856fb2ffa9a23be62d30366709148..111dfaaa14a7e71c720ff15836031995e92d0b7f 100644 (file)
@@ -280,9 +280,12 @@ void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)
 
 bool nvmet_check_auth_status(struct nvmet_req *req)
 {
-       if (req->sq->ctrl->host_key &&
-           !req->sq->authenticated)
-               return false;
+       if (req->sq->ctrl->host_key) {
+               if (req->sq->qid > 0)
+                       return true;
+               if (!req->sq->authenticated)
+                       return false;
+       }
        return true;
 }
 
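Review bot: With `host_key` set, the new `req->sq->qid > 0` branch in nvmet_check_auth_status() returns true for every I/O queue without consulting any authentication state, so the admin queue's `authenticated` flag becomes the only gate for the whole controller. Nothing in this hunk shows that an I/O queue cannot be connected and used while the admin queue is still unauthenticated. That has to be enforced on the I/O connect path, and it is worth confirming before relying on this early return. I would record the invariant where the shortcut is taken, e.g. `/* I/O queues inherit the admin queue's authentication; I/O connect must be refused until qid 0 is authenticated */`.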
index f012bdf898502e1f285cc0079bc81ca64fc59047..14f55192367e1ea3bfc5170353090c9f28cdc684 100644 (file)
@@ -239,8 +239,8 @@ static u32 nvmet_connect_result(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)
        bool needs_auth = nvmet_has_auth(ctrl, sq);
        key_serial_t keyid = nvmet_queue_tls_keyid(sq);
 
-       /* Do not authenticate I/O queues for secure concatenation */
-       if (ctrl->concat && sq->qid)
+       /* Do not authenticate I/O queues */
+       if (sq->qid)
                needs_auth = false;
 
        if (keyid)
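Review bot: The new comment `/* Do not authenticate I/O queues */` says more than the code does. Clearing `needs_auth` when `sq->qid` is non-zero only stops the target from requesting authentication in the connect result, and the commit description states that a host may still run the protocol on an I/O queue. Suggest `/* Never request authentication on I/O queues; only the admin queue is authenticated */` so a reader does not assume AUTH commands are rejected there. nvmet_connect_result() begins before and continues past this hunk, so how `needs_auth` is folded into the returned value is not visible here.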