From cdb74aaa8c133f47430ef5226a07dd748d9758f7 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 16 Feb 2025 10:51:20 +0100
Subject: [PATCH] Adding patch from upstream to handle unavailable keyring gracefully (Closes: #1087516).
Signed-off-by: Daniel Baumann
---
 debian/patches/0001-graceful-keyring.patch | 139 +++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 140 insertions(+)
 create mode 100644 debian/patches/0001-graceful-keyring.patch
 create mode 100644 debian/patches/series
diff --git a/debian/patches/0001-graceful-keyring.patch b/debian/patches/0001-graceful-keyring.patch
new file mode 100644
index 0000000..a772637
--- /dev/null
+++ b/debian/patches/0001-graceful-keyring.patch
@@ -0,0 +1,139 @@
+From c195e3b09198f4a1f266f57da30f88a8c9f8062c Mon Sep 17 00:00:00 2001
+From: Daniel Wagner
+Date: Fri, 15 Nov 2024 15:58:30 +0100
+Subject: [PATCH 1/2] linux: do not do any keyring ops when no key is provided
+
+There is no point in accessing the keyring if we don't have to load a
+key into the kernel.
+
+Signed-off-by: Daniel Wagner
+---
+ src/nvme/linux.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/src/nvme/linux.c b/src/nvme/linux.c
+index 53c0573c..a9ba58b3 100644
+--- a/src/nvme/linux.c
++++ b/src/nvme/linux.c
+@@ -1517,9 +1517,9 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
+ return keyctl_revoke(key);
+ }
+
+-static int __nvme_insert_tls_key(long keyring_id,
+- const char *hostnqn, const char *subsysnqn,
+- const char *identity, const char *key)
++static long __nvme_insert_tls_key(long keyring_id,
++ const char *hostnqn, const char *subsysnqn,
++ const char *identity, const char *key)
+ {
+ _cleanup_free_ unsigned char *key_data = NULL;
+ unsigned char version;
+@@ -1554,7 +1554,7 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+ const char *hostnqn = nvme_host_get_hostnqn(h);
+ const char *subsysnqn = nvme_ctrl_get_subsysnqn(c);
+ const char *keyring, *key, *identity;
+- long kr_id, id = 0;
++ long kr_id = 0, id = 0;
+
+ if (!hostnqn || !subsysnqn) {
+ nvme_msg(h->r, LOG_ERR, "Invalid NQNs (%s, %s)\n",
+@@ -1562,10 +1562,17 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+ return -EINVAL;
+ }
+
++ /* If we don't have a key avoid all keyring operations */
++ key = nvme_ctrl_get_tls_key(c);
++ if (!key)
++ goto out;
++
+ keyring = nvme_ctrl_get_keyring(c);
+- if (keyring)
++ if (keyring) {
+ kr_id = nvme_lookup_keyring(keyring);
+- else
++ if (kr_id == 0)
++ return -errno;
++ } else
+ kr_id = c->cfg.keyring;
+
+ /*
+@@ -1573,18 +1580,17 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+ * keyring to
connect command line and to the JSON config output.
+ * That means we are explicitly selecting the keyring.
+ */
+- if (!kr_id)
++ if (!kr_id) {
+ kr_id = nvme_lookup_keyring(".nvme");
++ if (kr_id == 0)
++ return -errno;
++ }
+
+ if (nvme_set_keyring(kr_id) < 0) {
+ nvme_msg(h->r, LOG_ERR, "Failed to set keyring\n");
+ return -errno;
+ }
+
+- key = nvme_ctrl_get_tls_key(c);
+- if (!key)
+- return 0;
+-
+ identity = nvme_ctrl_get_tls_key_identity(c);
+ if (identity)
+ id = nvme_lookup_key("psk", identity);
+@@ -1599,6 +1605,7 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+ return -errno;
+ }
+
++out:
+ *keyring_id = kr_id;
+ *key_id = id;
+
+
+From 847ca6b6f7f8a04377da7183d663229e8b51b65d Mon Sep 17 00:00:00 2001
+From: Daniel Wagner
+Date: Fri, 15 Nov 2024 16:05:05 +0100
+Subject: [PATCH 2/2] fabrics: do not attempt to import keys if tls is not
+ enabled
+
+There is no point in trying to import a key if the TLS option
+is not enabled.
+
+Signed-off-by: Daniel Wagner
+---
+ src/nvme/fabrics.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c
+index 69acf04d..6aa62eea 100644
+--- a/src/nvme/fabrics.c
++++ b/src/nvme/fabrics.c
+@@ -627,17 +627,19 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
+
+ ctrlkey = nvme_ctrl_get_dhchap_key(c);
+
+- ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
+- if (ret) {
+- errno = -ret;
+- return -1;
+- }
++ if (cfg->tls) {
++ ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
++ if (ret) {
++ errno = -ret;
++ return -1;
++ }
+
+- if (key_id == 0) {
+- if (cfg->tls_configured_key)
+- key_id = cfg->tls_configured_key;
+- else
+- key_id = cfg->tls_key;
++ if (key_id == 0) {
++ if (cfg->tls_configured_key)
++ key_id = cfg->tls_configured_key;
++ else
++ key_id = cfg->tls_key;
++ }
+ }
+
+ if (add_argument(r, argstr, transport, transport) ||
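Review bot: Both new `if (kr_id == 0) return -errno;` exits in `__nvme_import_keys_from_config` (src/nvme/linux.c) depend on `nvme_lookup_keyring()` leaving a non-zero errno, which is not visible in this patch. If it ever returns 0 with errno still 0, the function reports success with `*keyring_id` and `*key_id` unwritten, and `build_options` would presumably take its `key_id == 0` fallback instead of failing the TLS setup. A defensive form is `return errno ? -errno : -ENOKEY;`, and unlike the `nvme_set_keyring` failure below, neither exit logs which keyring was not found. Separately, the new `goto out` path stores 0 in `*keyring_id` even when the controller has a keyring configured, where the old code returned without touching the output parameters, so callers should be checked for relying on that. Both functions start and end outside the hunks shown, as do the initialisers of `keyring_id` and `key_id` in `build_options`, which now matter when `cfg->tls` is unset.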
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4b5144b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-graceful-keyring.patch