xref: /spdk/test/nvmf/host/auth.sh (revision 8d3f8fb818735d717730489685debac3c814d0ac)
#!/usr/bin/env bash
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (C) 2023 Intel Corporation.  All rights reserved.
#

# Resolve this script's directory and the repository root three levels above it, so the
# helper libraries below are found regardless of the caller's working directory.
testdir="$(readlink -f "$(dirname "$0")")"
rootdir="$(readlink -f "$testdir/../../../")"

# Helpers from test/common first, then the ones from test/nvmf.
source "$rootdir/test/common/autotest_common.sh"
source "$rootdir/test/nvmf/common.sh"

# Hash functions exercised by the DH-HMAC-CHAP test matrix below.
# shellcheck disable=SC2190
digests=(sha256 sha384 sha512)
# There's a bug in the kernel with the way dhgroups are negotiated that makes it impossible to
# select null dhgroup, so skip it for now.
# NOTE(review): as a consequence, authentication without a DH exchange is not covered here.
dhgroups=(ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192)
subnqn=nqn.2024-02.io.spdk:cnode0
hostnqn=nqn.2024-02.io.spdk:host0
# configfs nodes of the kernel target: the subsystem under test and the host entry for it.
nvmet_subsys=/sys/kernel/config/nvmet/subsystems/${subnqn}
nvmet_host=/sys/kernel/config/nvmet/hosts/${hostnqn}
# Paths of the files holding host keys (keys) and controller keys (ckeys), indexed by key ID.
keys=()
ckeys=()

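#######################################
# Tears the test environment down; every teardown step is best-effort so that one failure
# does not prevent the remaining steps from running.
# Globals:   nvmet_subsys, nvmet_host, hostnqn, keys, ckeys, output_dir, rootdir (read)
# Arguments: none
# Returns:   status of scripts/setup.sh
#######################################
cleanup() {
	local path
	local -a secret_files=()

	nvmftestfini || :
	rm "$nvmet_subsys/allowed_hosts/$hostnqn" || :
	rmdir "$nvmet_host" || :
	clean_kernel_target || :
	# keys[] and ckeys[] both hold paths of files containing DH-HMAC-CHAP secrets, so the
	# controller key files must be deleted too rather than left behind on disk. Empty
	# slots (key IDs without a controller key) are skipped.
	for path in "${keys[@]}" "${ckeys[@]}"; do
		if [[ -n "$path" ]]; then
			secret_files+=("$path")
		fi
	done
	rm -f "${secret_files[@]}" "$output_dir/nvme-auth.log"
	# configure_kernel_target() binds the SSDs to the kernel driver, so move them back to
	# userspace, as this is what the tests running after this one expect
	"$rootdir/scripts/setup.sh"
}
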
#######################################
# Prepares the kernel target for authenticated connections from a single host.
# Globals:   subnqn, hostnqn, nvmet_subsys, nvmet_host (read)
# Arguments: none
#######################################
nvmet_auth_init() {
	configure_kernel_target "$subnqn" "$(get_main_ns_ip)"
	# Create the host entry that later receives the DH-HMAC-CHAP settings.
	mkdir "$nvmet_host"
	# Turn off allow-any-host and link only the host entry created above, so just
	# $hostnqn is listed under allowed_hosts.
	printf '0\n' > "$nvmet_subsys/attr_allow_any_host"
	ln -s "$nvmet_host" "$nvmet_subsys/allowed_hosts/$hostnqn"
}

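#######################################
# Configures the kernel target's host entry with a hash, DH group and key(s).
# Globals:   keys, ckeys, nvmet_host (read)
# Arguments: $1 - digest name, written as "hmac(<digest>)"
#            $2 - DH group name
#            $3 - index into keys[]/ckeys[]
# Returns:   0 on success, non-zero if a key file cannot be read or an attribute
#            cannot be written
#######################################
nvmet_auth_set_key() {
	local digest=$1 dhgroup=$2 keyid=$3
	local key ckey=""

	# NOTE(review): the secrets end up in shell variables, so they would show up in an
	# xtrace of this function; presumably acceptable because these are throwaway test
	# keys - confirm.
	key=$(< "${keys[keyid]}")
	# The controller key is optional. The path is quoted so that a key file path
	# containing whitespace is read instead of failing as an ambiguous redirect.
	if [[ -n "${ckeys[keyid]}" ]]; then
		ckey=$(< "${ckeys[keyid]}")
	fi

	# printf with a fixed format writes the value verbatim, whatever it starts with.
	printf 'hmac(%s)\n' "$digest" > "$nvmet_host/dhchap_hash"
	printf '%s\n' "$dhgroup" > "$nvmet_host/dhchap_dhgroup"
	printf '%s\n' "$key" > "$nvmet_host/dhchap_key"
	# Without a controller key, dhchap_ctrl_key is left untouched, so a value written by
	# an earlier call presumably stays configured on the target.
	if [[ -n "$ckey" ]]; then
		printf '%s\n' "$ckey" > "$nvmet_host/dhchap_ctrl_key"
	fi
}
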
#######################################
# Attaches controller nvme0 with the given DH-HMAC-CHAP parameters, verifies that it is
# the only controller reported, then detaches it again.
# Globals:   ckeys, TEST_TRANSPORT, NVMF_PORT, hostnqn, subnqn (read)
# Arguments: $1 - digest(s) passed to --dhchap-digests
#            $2 - DH group(s) passed to --dhchap-dhgroups
#            $3 - key ID; selects keyring entries "key<ID>" and, if present, "ckey<ID>"
#######################################
connect_authenticate() {
	local digest=$1 dhgroup=$2 keyid=$3
	local -a ctrlr_key_args=()

	# Ask for controller (bidirectional) authentication only when this key ID has a
	# controller key.
	if [[ -n "${ckeys[keyid]:-}" ]]; then
		ctrlr_key_args=(--dhchap-ctrlr-key "ckey${keyid}")
	fi

	rpc_cmd bdev_nvme_set_options --dhchap-digests "$digest" --dhchap-dhgroups "$dhgroup"
	rpc_cmd bdev_nvme_attach_controller \
		-b nvme0 -t "$TEST_TRANSPORT" -f ipv4 -a "$(get_main_ns_ip)" -s "$NVMF_PORT" \
		-q "$hostnqn" -n "$subnqn" --dhchap-key "key${keyid}" "${ctrlr_key_args[@]}"
	# The attach must have produced exactly the controller named nvme0.
	[[ "nvme0" == "$(rpc_cmd bdev_nvme_get_controllers | jq -r '.[].name')" ]]
	rpc_cmd bdev_nvme_detach_controller nvme0
}

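nvmftestinit
# Start the target with the nvme_auth log flag and capture its output in a log file.
# NOTE(review): the log is printed by the trap below when the test is interrupted or fails -
# confirm the nvme_auth log flag never prints key material.
nvmfappstart -L nvme_auth &> "$output_dir/nvme-auth.log"
# The handler is single-quoted so that $output_dir is expanded, still quoted, when the trap
# runs. Nesting double quotes here would leave the path unquoted inside the handler string,
# where it would be word-split and re-parsed as shell code.
trap 'cat "$output_dir/nvme-auth.log"; cleanup' SIGINT SIGTERM EXIT
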
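# Set host/ctrlr key pairs with one combination w/o bidirectional authentication
# Every key is generated by its own assignment: when two assignments share one command
# line, only the last command substitution determines the exit status, so a failure to
# generate the host key would go unnoticed (relevant if the sourced helpers enable errexit).
keys[0]=$(gen_dhchap_key "null" 32)
ckeys[0]=$(gen_dhchap_key "sha512" 64)
keys[1]=$(gen_dhchap_key "null" 48)
ckeys[1]=$(gen_dhchap_key "sha384" 48)
keys[2]=$(gen_dhchap_key "sha256" 32)
ckeys[2]=$(gen_dhchap_key "sha256" 32)
keys[3]=$(gen_dhchap_key "sha384" 48)
ckeys[3]=$(gen_dhchap_key "null" 32)
keys[4]=$(gen_dhchap_key "sha512" 64)
# Key ID 4 has no controller key, i.e. it exercises unidirectional authentication.
ckeys[4]=""

waitforlisten "$nvmfpid"
# Register every key file with the keyring as "key<ID>" / "ckey<ID>"; the attach and
# set_keys calls below refer to the keys by these names.
for i in "${!keys[@]}"; do
	rpc_cmd keyring_file_add_key "key$i" "${keys[i]}"
	if [[ -n "${ckeys[i]}" ]]; then
		rpc_cmd keyring_file_add_key "ckey$i" "${ckeys[i]}"
	fi
done
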
nvmet_auth_init

# Connect with all digests/dhgroups enabled
# The host offers every digest and DH group as comma-separated lists, while the target is
# configured with one specific pair.
nvmet_auth_set_key "sha256" "ffdhe2048" 1
connect_authenticate "$(IFS=,; printf '%s' "${digests[*]}")" \
	"$(IFS=,; printf '%s' "${dhgroups[*]}")" 1

# Check all digest/dhgroup/key combinations
# Target and host are reconfigured with the same parameters before each attach.
for digest in "${digests[@]}"; do
	for dhgroup in "${dhgroups[@]}"; do
		for keyid in "${!keys[@]}"; do
			nvmet_auth_set_key "$digest" "$dhgroup" "$keyid"
			connect_authenticate "$digest" "$dhgroup" "$keyid"
		done
	done
done

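# Ensure that a missing key results in failed attach
nvmet_auth_set_key "sha256" "ffdhe2048" 1
rpc_cmd bdev_nvme_set_options --dhchap-digests "sha256" --dhchap-dhgroups "ffdhe2048"
NOT rpc_cmd bdev_nvme_attach_controller -b nvme0 -t "$TEST_TRANSPORT" -f ipv4 \
	-a "$(get_main_ns_ip)" -s "$NVMF_PORT" -q "$hostnqn" -n "$subnqn"
# A rejected attach must not leave a controller behind.
(($(rpc_cmd bdev_nvme_get_controllers | jq 'length') == 0))

# Check that mismatched keys result in failed attach
# (the target still holds key ID 1, the host presents key2)
NOT rpc_cmd bdev_nvme_attach_controller -b nvme0 -t "$TEST_TRANSPORT" -f ipv4 \
	-a "$(get_main_ns_ip)" -s "$NVMF_PORT" -q "$hostnqn" -n "$subnqn" \
	--dhchap-key "key2"
(($(rpc_cmd bdev_nvme_get_controllers | jq 'length') == 0))

# Check that a failed controller authentication results in failed attach
# (the host key matches the target, the controller key does not)
NOT rpc_cmd bdev_nvme_attach_controller -b nvme0 -t "$TEST_TRANSPORT" -f ipv4 \
	-a "$(get_main_ns_ip)" -s "$NVMF_PORT" -q "$hostnqn" -n "$subnqn" \
	--dhchap-key "key1" --dhchap-ctrlr-key "ckey2"
# Same post-condition as the two cases above: a controller that failed to authenticate
# itself to the host must not stay attached.
(($(rpc_cmd bdev_nvme_get_controllers | jq 'length') == 0))
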
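#######################################
# Waits until bdev_nvme_get_controllers reports no controllers, polling once per second.
# The wait is bounded so that a controller which stays connected after a failed
# reauthentication fails the test instead of hanging it.
# Arguments: $1 - maximum number of one-second waits (default: 30)
# Returns:   0 once no controller is left, 1 if the limit is reached first
#######################################
wait_for_no_controllers() {
	local waits_left=${1:-30}

	while (($(rpc_cmd bdev_nvme_get_controllers | jq 'length') != 0)); do
		if ((waits_left <= 0)); then
			printf 'controller still present after failed reauthentication\n' >&2
			return 1
		fi
		waits_left=$((waits_left - 1))
		sleep 1s
	done
}

# Check reauthentication
rpc_cmd bdev_nvme_attach_controller -b nvme0 -t "$TEST_TRANSPORT" -f ipv4 \
	-a "$(get_main_ns_ip)" -s "$NVMF_PORT" -q "$hostnqn" -n "$subnqn" \
	--dhchap-key "key1" --dhchap-ctrlr-key "ckey1" --ctrlr-loss-timeout-sec 1 \
	--reconnect-delay-sec 1
# Switch the target to key ID 2, then have the host follow with the matching keys.
nvmet_auth_set_key "sha256" "ffdhe2048" 2
rpc_cmd bdev_nvme_set_keys "nvme0" --dhchap-key "key2" --dhchap-ctrlr-key "ckey2"
[[ $(rpc_cmd bdev_nvme_get_controllers | jq -r '.[].name') == "nvme0" ]]
# Use wrong keys and verify that the ctrlr will get disconnected after ctrlr-loss-timeout-sec
NOT rpc_cmd bdev_nvme_set_keys "nvme0" --dhchap-key "key1" --dhchap-ctrlr-key "ckey2"
wait_for_no_controllers
# Do the same, but this time try with a valid host key, but bad ctrlr key
nvmet_auth_set_key "sha256" "ffdhe2048" 1
rpc_cmd bdev_nvme_attach_controller -b nvme0 -t "$TEST_TRANSPORT" -f ipv4 \
	-a "$(get_main_ns_ip)" -s "$NVMF_PORT" -q "$hostnqn" -n "$subnqn" \
	--dhchap-key "key1" --dhchap-ctrlr-key "ckey1" --ctrlr-loss-timeout-sec 1 \
	--reconnect-delay-sec 1
nvmet_auth_set_key "sha256" "ffdhe2048" 2
NOT rpc_cmd bdev_nvme_set_keys "nvme0" --dhchap-key "key2" --dhchap-ctrlr-key "ckey1"
wait_for_no_controllers

# All checks passed: drop the trap (so the log is not printed) and clean up explicitly.
trap - SIGINT SIGTERM EXIT
cleanup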