[PATCH 10/12] nvmet: Implement basic In-Band Authentication
Sagi Grimberg
sagi at grimberg.me
Tue Sep 28 15:36:47 PDT 2021
>>> Actually, having re-read the spec I'm not sure if the second path is
>>> correct.
>>> As per spec only the _host_ can trigger re-authentication. There is no
>>> provision for the controller to trigger re-authentication, and given
>>> that re-auth is a soft-state anyway (ie the current authentication
>>> stays valid until re-auth enters a final state) I _think_ we should be
>>> good with the current implementation, where we can change the
>>> controller keys
>>> via configfs, but they will only become active once the host triggers
>>> re-authentication.
>>
>> Agree, so the proposed addition is good with you?
>>
> Why would we need it?
> I do agree there's a bit missing for removing the old shash_tfm if there
> is a hash-id mismatch, but why would we need to reset the entire
> authentication?
Just need to update the new host dhchap_key from the host at this point
as the host is doing a re-authentication. I agree we don't need a big
hammer but we do need the re-authentication to not access old host
dhchap_key.
More information about the Linux-nvme
mailing list