[PATCHv6 00/12] nvme: In-band authentication support
Hannes Reinecke
hare at suse.de
Mon Nov 22 01:03:07 PST 2021
On 11/22/21 9:13 AM, Sagi Grimberg wrote:
>
>
> On 11/22/21 9:47 AM, Hannes Reinecke wrote:
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit
>> especially for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure
>> concatenation (ie starting TLS with the negotiated parameters) is not
>> implemented; one would need to update the kernel TLS implementation
>> for this, which at this time is beyond scope.
>>
>> As usual, comments and reviews are welcome.
>>
>> Changes to v5:
>> - Unify nvme_auth_generate_key()
>> - Unify nvme_auth_extract_key()
>
> You mean nvme_auth_extract_secret() ?
>
Yes.
>> - Include reviews from Sagi
>
> What about the bug fix folded in?
Yeah, and that, to
Forgot to mention it.
Also note that I've already folded the nvme-cli patches into the git
repository to ease testing; I gather that the interface won't change
that much anymore, so I felt justified in doing so.
And I got tired of explaining to interested parties how to build a
non-standard nvme-cli :-)
But that's why I didn't post separate patches for nvme-cli.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions Germany GmbH, 90409 Nürnberg
GF: F. Imendörffer, HRB 36809 (AG Nürnberg)
More information about the Linux-nvme
mailing list