[PATCH 1/2] Add 'gen-dhchap-key' command

[Sagi Grimberg]

>> On 9/13/21 1:24 PM, Hannes Reinecke wrote:
>>> Add command 'gen-dhchap-key' to generate an DH-HMAC-CHAP host key
>>> for NVMe in-band authentication.
>>>
>>> Signed-off-by: Hannes Reinecke <hare at suse.de>
>>> ---
>>>   Documentation/nvme-gen-dhchap-key.txt |  52 +++++++++
>>>   Makefile                              |  17 ++-
>>>   nvme-builtin.h                        |   1 +
>>>   nvme.c                                | 155 ++++++++++++++++++++++++++
>>>   util/argconfig.h                      |   1 +
>>>   util/base64.c                         |  62 +++++++++++
>>>   util/base64.h                         |   6 +
>>>   7 files changed, 293 insertions(+), 1 deletion(-)
>>>   create mode 100644 Documentation/nvme-gen-dhchap-key.txt
>>>   create mode 100644 util/base64.c
>>>   create mode 100644 util/base64.h
>>>
>>> diff --git a/Documentation/nvme-gen-dhchap-key.txt 
>>> b/Documentation/nvme-gen-dhchap-key.txt
>>> new file mode 100644
>>> index 0000000..eecde76
>>> --- /dev/null
>>> +++ b/Documentation/nvme-gen-dhchap-key.txt
>>> @@ -0,0 +1,52 @@
>>> +nvme-gen-dhchap-key(1)
>>> +===================
>>> +
>>> +NAME
>>> +----
>>> +nvme-gen-dhchap-key - Generate a host DH-HMAC-CHAP key
>>> +
>>> +SYNOPSIS
>>> +--------
>>> +[verse]
>>> +'nvme gen-dhchap-key' [--hmac=<hmac-id> | -h <hmac-id>]
>>> +              [--secret=<secret> | -s <secret> ]
>>> +              [--key-length=<len> | -l <len> ]
>>> +              [--nqn=<host-nqn> | -n <host-nqn> ]
>>
>> Maybe it is a good idea to have some sane defaults create
>> /etc/nvme/hostkey when installing nvme-cli? Or will it
>> take it unconditionally?
>>
> That was the idea; will put some statements into the man-page.
> But 'gen-dhchap-key' shouldn't be doing it automatically, but rather 
> behave similar to 'gen-hostnqn' (which also only prints out the host NQN 
> to stdout, and leaves is to the caller to forward that to 
> /etc/nvme/hostnqn).

Yes, but we also install these files when installing nvme-cli,
look at the spec and makefile (install-hostparams target).

However this one is different I think and we don't want to generate it
by default.

>> Overall looks good, do we want to allow different host keys
>> for different NVM subsystems?
> 
> Sigh. It's the same issue as we currently have with allowing different 
> host NQNs for the same system.
> 
> In theory we could, and there is nothing in the current code which 
> forbids us to do so. But tooling around it will be getting arbitrarily 
> complex; remember, it's not only the different host keys for different 
> NVM subsystems, but possibly also the various NVM subsystem keys if 
> someone were to enable bi-directional authentication.

Yee... it won't be long until we'll hear complaints on this one.
I think we need to have some simple format like:
<default>:<def_hostkey>
<subsystem1>:<hostkey1>
<subsystem2>:<hostkey2>
...

And we will need /etc/nvme/subsyskey in the same format:
<default>:<def_subsyskey>
<subsystem1>:<subsyskey1>
<subsystem2>:<subsyskey2>
...

And ideally we also have a way for nvme-cli to populate it in this
format (or some helper script for it).

> So would just stick with the simple case, and leave this as an exercise 
> to the reader.

Don't know if that is good enough...
What do others think?

> Which reminds me; might be that there's an update required to handle 
> keys for bi-directional authentication ... hmm.

Yes.