[PATCHv2 00/13] nvme: implement secure concatenation

Hannes Reinecke hare at suse.de
Sun Feb 11 23:40:09 PST 2024


On 1/27/24 17:30, hare at kernel.org wrote:
> From: Hannes Reinecke <hare at suse.de>
> 
> Hi all,
> 
> here's my attempt to implement secure concatenation for NVMe-of TCP
> as outlined in TP8018.
> Secure concatenation means that a TLS PSK is generated from the key
> material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
> is then used for a subsequent TLS connection.
> The difference between the original definition of secure concatenation
> and the method outlined in TP8018 is that with TP8018 the connection
> is reset after DH-HMAC-CHAP negotiation, and a new connection is set up
> with the generated TLS PSK.
> 
> To implement that I have decided on resetting the connection from the
> nvme-tcp driver after the initial connection has been set up.
> Another way would have been to offload the connection reset to userspace,
> and let nvme-cli reset the connection. But that would be a modification
> to the userspace interface, and hence I didn't go that way.
> The drawback with this approach is that we'll create all I/O queues
> before resetting for TLS, even though these queues should never be used.
> But fixing that requires a larger rewrite of the TCP driver to unify the
> setup and reconnect paths. So keep it that way for now.
> 
> As usual, comments and reviews are welcome.
> 
> Changes to the original submission:
> - Sanitize TLS key handling
> - Fixup modconfig compilation
> 
Ping?

Anyone interested in giving feedback?

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare at suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Ivo Totev, Andrew McDonald,
Werner Knoblich