[PATCH 10/12] nvmet: Implement basic In-Band Authentication

Sagi Grimberg sagi at grimberg.me
Wed Sep 29 13:02:09 PDT 2021


>> On the target:
>> # grep -r '' /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress\:uuid\:b73ff014-2723-4114-aa8d-2f784ecba4f4/
>>
>> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_dhgroup:null
>>
>> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_hash:hmac(sha512)
>>
>> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_ctrl_key:
>>
>> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_key:DHHC-1:03:KUwVlIUo627Pn05W/lRL2XD57kzIs1yZzJWdd2vgZJUC74kr:
>>
>>
>> On the host:
>> # ./nvme connect-all --dhchap-secret="DHHC-1:03:KUwVlIUo627Pn05W/lRL2XD57kzIs1yZzJWdd2vgZJUC74kr:"
>>
>> failed to connect controller, error 5
>>
>> On the target dmesg:
>> [ 8695.716117] nvmet: creating controller 1 for subsystem
>> nqn.2014-08.org.nvmexpress.discovery for NQN
>> nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4.
>> [ 8695.749996] nvmet: creating controller 2 for subsystem testnqn1 for
>> NQN nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4
>> with DH-HMAC-CHAP.
>> [ 8695.755361] nvmet: ctrl 2 qid 0 failure1 (1)
>> [ 8695.755449] nvmet: ctrl 2 fatal error occurred!
>>
>> On the host dmesg:
>> [ 8781.616712] nvme nvme1: new ctrl: NQN
>> "nqn.2014-08.org.nvmexpress.discovery", addr 192.168.123.1:8009
>> [ 8781.637954] nvme nvme2: qid 0: authentication failed
>> [ 8781.638084] nvme nvme2: failed to connect queue: 0 ret=401
>>
>> If I change the dhchap_hash to hmac(sha256) authentication succeeds.
>> The failure with hmac(sha512) comes from the above condition as the
>> host is sending key length 64 and nvmet is expecting 32.
> 
> A-ha. That shouldn't have happened; selecting the hash on the target was
> _supposed_ to be reflected to the host.
> 
> You did mention something about blocktests; guess I'll need to bite the
> bullet and actually implement something there.

That is why I mentioned it ;)


