[PATCHv5 00/12] nvme: In-band authentication support

Hannes Reinecke hare at suse.de
Sun Nov 14 05:44:12 PST 2021 

On 11/14/21 11:40 AM, Sagi Grimberg wrote:
> 
> 
> On 11/12/21 2:59 PM, Hannes Reinecke wrote:
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit
>> especially for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure
>> concatenation (ie starting TLS with the negotiated parameters) is not
>> implemented; one would need to update the kernel TLS implementation
>> for this, which at this time is beyond scope.
>>
>> As usual, comments and reviews are welcome.
>>
>> Changes to v4:
>> - Validate against blktest suite
> 
> Nice! thanks hannes, this is going to be very useful moving
> forward.
> 
Oh, definitely. The number of issue these tests found...

>> - Fixup base64 decoding
> 
> What was fixed up there?
> 
The padding character '=' wasn't handled correctly on decoding (the 
character itself was skipped, by the 'bits' value wasn't increased, 
leading to a spurious error in decoding an any key longer than 32 bit 
not being accepted.

>> - Transform secret with correct hmac algorithm
> 
> Is that what I reported last time? Can you perhaps
> point me to the exact patch that fixes this?

Well, no, not really; the patch itself got squashed in the main patches.
But problem here was that the key transformation from section 8.13.5.7 
had been using the hash algorithm from the initial challenge, not the 
one specified in the key itself.
This lead to decoding errors when using a key with a different length 
than the hash algorithm.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare at suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer

More information about the Linux-nvme mailing list