[PATCH 10/12] nvmet: Implement basic In-Band Authentication
Hannes Reinecke
hare at suse.de
Tue Sep 28 23:01:53 PDT 2021
On 9/29/21 12:36 AM, Sagi Grimberg wrote:
>
>>>> Actually, having re-read the spec I'm not sure if the second path is
>>>> correct.
>>>> As per spec only the _host_ can trigger re-authentication. There is no
>>>> provision for the controller to trigger re-authentication, and given
>>>> that re-auth is a soft-state anyway (ie the current authentication
>>>> stays valid until re-auth enters a final state) I _think_ we should be
>>>> good with the current implementation, where we can change the
>>>> controller keys
>>>> via configfs, but they will only become active once the host triggers
>>>> re-authentication.
>>>
>>> Agree, so the proposed addition is good with you?
>>>
>> Why would we need it?
>> I do agree there's a bit missing for removing the old shash_tfm if there
>> is a hash-id mismatch, but why would we need to reset the entire
>> authentication?
>
> Just need to update the new host dhchap_key from the host at this point
> as the host is doing a re-authentication. I agree we don't need a big
> hammer but we do need the re-authentication to not access old host
> dhchap_key.
Sure. And, upon reviewing, I guess you are right; will be including your
snippet.
For the next round :-)
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer
More information about the Linux-nvme
mailing list