[PATCH 08/18] nvme-tcp: enable TLS handshake upcall
Sagi Grimberg
sagi at grimberg.me
Wed Mar 22 06:16:10 PDT 2023
>> I have a more general question.
>> What is the scenario that we will have for a given hostnqn and
>> subsysnqn more than one valid identity? Do we need to support it?
>>
> Well; there are SHA-256 and SHA-384 identities. We need to _support_
> both, but seeing that we're dealing with retained PSKs for now I would
> assume that the admin ensures that both sides are able to support the
> chosen hash.
Yes, let's not over-complicate it.
> So the real choice is just between a 'retained' and a 'generated' PSK.
> And it is assumed that any 'retained' PSK should take priority for any
> 'generated' PSK.
> So for 'retained' PSKs we can use userland to pass in the PSK
> (or, indeed, having the kernel select one as we really only have one
> choice...)
> And for 'generated' PSKs they really come into play only if we don't
> have 'retained' PSKs, and if secure concatenation is enabled.
> But even there you can (out of necessity) only generate a single PSK,
> so again there is no choice.
>
> So in the light of all this I guess we can revert to only using a single
> PSK.
This makes perfect sense to me.