[RFC PATCH 00/11] nvme: In-band authentication support

Hannes Reinecke hare at suse.de
Mon Jul 19 04:11:23 PDT 2021


On 7/19/21 12:02 PM, Simo Sorce wrote:
> On Fri, 2021-07-16 at 13:04 +0200, Hannes Reinecke wrote:
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit especially
>> for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure concatenation
>> (i.e. starting TLS with the negotiated parameters) is not implemented; one would
>> need to update the kernel TLS implementation for this, which at this time is
>> beyond scope.
>>
>> As usual, comments and reviews are welcome.
> 
> Hi Hannes,
> could you please reference the specific standards that describe the
> NVMe authentication protocols?
> 

https://nvmexpress.org/wp-content/uploads/NVM-Express-Base-Specification-2_0-2021.06.02-Ratified-5.pdf

Section '8.13 NVMe-over-Fabrics In-band authentication'

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare at suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer


