@martin-gpy
Contributor

Secure channel concat TLS has some specific prerequisites and conditions. So add appropriate error messages for each of these.

--tls and --concat are mutually exclusive and not meant to be
invoked together. So add an appropriate error message for
the same.

Signed-off-by: Martin George <[email protected]>
--concat requires a corresponding dhchap-secret key to be passed
with it. So add an appropriate error message if this is not done.

Signed-off-by: Martin George <[email protected]>
--concat works only with unidirectional auth and not bidirectional auth.
As per section 8.3.4.5.9 Generated PSK for TLS in the NVMe base spec 2.1:

"The host may request secure channel concatenation with the TLS protocol
by setting the SC_C field in the AUTH_Negotiate message to NEWTLSPSK
while performing only unidirectional auth. In this case, the host shall
send a challenge value C2 to the controller and clear the sequence
number S2 to 0h to indicate that controller authentication is not
requested".

In the kernel too, if both host and controller auth keys are specified
with secure channel concat, it would ignore the controller key and
default to using the host key itself for uni-auth with concat TLS.
So add an appropriate error to catch the same in the userspace itself.

Signed-off-by: Martin George <[email protected]>
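The three commit messages above describe a small set of option-compatibility rules for `--concat`. The following is an added illustration, written for this page and not nvme-cli's own code, of how a userspace validator for those rules can be expressed so that each rule maps to one error string. The option struct, the `validate_concat_opts` and `check` helpers, and the use of `--dhchap-ctrl-secret` as the controller-key flag name are assumptions for the example; the page itself only mentions `--tls`, `--concat` and the `dhchap-secret` key.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option set (not nvme-cli's own struct): which connect
 * flags the user supplied. */
struct concat_opts {
	bool tls;             /* --tls */
	bool concat;          /* --concat */
	const char *host_key; /* --dhchap-secret (host authentication key) */
	const char *ctrl_key; /* assumed --dhchap-ctrl-secret (controller key) */
};

static bool key_given(const char *k)
{
	return k && *k;
}

/* Returns NULL when the combination is valid, otherwise a static error
 * string describing the violated rule. The rules follow the commit
 * messages on this page:
 *   1. --tls and --concat are mutually exclusive.
 *   2. --concat needs a host dhchap-secret key.
 *   3. --concat is unidirectional auth only: a controller key must not be
 *      passed (the kernel would silently ignore it, so reject it early). */
static const char *validate_concat_opts(const struct concat_opts *o)
{
	if (o->tls && o->concat)
		return "--tls and --concat are mutually exclusive";

	if (o->concat) {
		if (!key_given(o->host_key))
			return "--concat requires a host dhchap-secret key";
		if (key_given(o->ctrl_key))
			return "--concat supports unidirectional auth only; "
			       "do not pass a controller dhchap key";
	}

	return NULL;
}

/* Convenience wrapper so callers (and tests) can pass the four inputs
 * directly instead of building the struct by hand. */
static const char *check(bool tls, bool concat,
			 const char *host_key, const char *ctrl_key)
{
	struct concat_opts o = {
		.tls = tls, .concat = concat,
		.host_key = host_key, .ctrl_key = ctrl_key,
	};
	return validate_concat_opts(&o);
}

int main(void)
{
	/* Constructed sample invocations; key values are placeholders. */
	struct {
		const char *desc;
		struct concat_opts o;
	} cases[] = {
		{ "--tls --concat",              { true,  true,  "hostkey", NULL } },
		{ "--concat without host key",   { false, true,  NULL,      NULL } },
		{ "--concat with host+ctrl key", { false, true,  "hostkey", "ctrlkey" } },
		{ "--concat with host key only", { false, true,  "hostkey", NULL } },
		{ "--tls alone",                 { true,  false, NULL,      NULL } },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		const char *err = validate_concat_opts(&cases[i].o);
		printf("%-32s -> %s\n", cases[i].desc, err ? err : "ok");
	}
	return 0;
}
```

Rejecting the bidirectional case in userspace, rather than letting the kernel drop the controller key, means the user learns that the controller will not be authenticated instead of silently getting a weaker session than the flags suggested.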
@igaw igaw merged commit 5fdc131 into linux-nvme:master Jan 16, 2026
19 of 20 checks passed
@igaw
Collaborator

igaw commented Jan 16, 2026

Thanks a lot. We should also update the documentation with this information. When the kernel eventually also supports accessing the dhchap keys from the kernel keystore, we should update the error messages. But that's for another day.
