nvme: testcases for TLS support #158
Conversation
Add a function to restrict testcases to TCP transport. Signed-off-by: Hannes Reinecke <[email protected]>
To start TLS-encrypted connections. Signed-off-by: Hannes Reinecke <[email protected]>
Add --tls option to _create_nvmet_subsystem and allow to specify the tls requirements in _create_nvmet_port. Signed-off-by: Hannes Reinecke <[email protected]>
TCP connections can be encrypted using in-kernel TLS, so add a testcase to exercise the various combinations. Signed-off-by: Hannes Reinecke <[email protected]>
To start secure concatenation the option '--concat' has to be passed to the 'nvme connect' command. Signed-off-by: Hannes Reinecke <[email protected]>
| return 1 | ||
| fi | ||
|
|
||
| systemctl start tlshd |
There was a problem hiding this comment.
I think you need to check that it exists as a dependency
There was a problem hiding this comment.
Maybe also check the version of ktls-utils?
Or just explain in a comment if you have any expectations from it?
There was a problem hiding this comment.
Yeah, good point. Will check what we can do here.
| _nvmet_target_setup --blkdev file --tls | ||
|
|
||
| # Test unencrypted connection | ||
| echo "Test unencrypted connection w/ tls not required" |
There was a problem hiding this comment.
umm, looks pretty useless...
There was a problem hiding this comment.
Don't think so. This is testing the 'not required' setting in nvmet, which should accept both TLS and non-TLS connections even if TLS is enabled on the target.
| echo "WARNING: connection is not encrypted" | ||
| fi | ||
|
|
||
| _nvme_disconnect_subsys |
There was a problem hiding this comment.
is there any room to test passing explicit keys and private keyrings to this test?
There was a problem hiding this comment.
I'd rather not do that here. This is for testing the 'default' case, where PSKs are pre-populated in the keyring and the connection picks up the keys automatically. Explicit keys and keyrings are really just for testing.
But we should have a separate testcase for that, true.
This pull request adds two new testcases for nvme TLS support, one for 'plain' TLS with TLS PSKs, and the other one for testing 'secure concatenation' where TLS is started after DH-HMAC-CHAP authentication.