[PATCHv15 00/10] nvme: implement secure concatenation

Keith Busch kbusch at kernel.org
Fri Feb 28 14:41:24 PST 2025


On Mon, Feb 24, 2025 at 01:38:08PM +0100, Hannes Reinecke wrote:
> From: Hannes Reinecke <hare at suse.de>
> 
> Hi all,
> 
> here's my attempt to implement secure concatenation for NVMe-of TCP
> as outlined in TP8018 / NVMe Base Spec v2.1.
> The original (v5) patchset had been split in two, the first part of
> which has already been merged with nvme-6.11, and this is the second part
> which actually implements secure concatenation.
> 
> Secure concatenation means that a TLS PSK is generated from the key
> material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
> is then used for a subsequent TLS connection.
> With NVMe v2.1 the connection has to be reset after DH-HMAC-CHAP
> negotiation, and the new connection can then be started with TLS
> encryption using the generated TLS PSK.
> 
> To implement that Sagi came up with the idea to directly reset the
> admin queue once the DH-CHAP negotiation has completed; that way
> it will be transparent to the upper layers and we don't have to
> worry about exposing queues which should not be used.

Queued up in nvme-6.15, thanks.
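The cover letter above describes the key idea of secure concatenation: the host and controller already share a session key from DH-HMAC-CHAP, a generated PSK is derived from it, and that PSK seeds the TLS connection that is brought up after the admin queue is reset. The following Python is an added illustration of that derivation chain and is not code from the patch series or the kernel. It follows the general shape of the scheme (HMAC over the two challenges with the session key, a digest binding the result to the host and subsystem NQNs, then a TLS 1.3 style HKDF-Expand-Label step), but the exact label strings, the context ordering, and the choice of SHA-256 are assumptions for the example, not the normative values from TP8018 / NVMe Base Spec v2.1. All inputs (session key, challenges, NQNs) are constructed sample values.

```python
"""Illustrative TLS PSK derivation from DH-HMAC-CHAP key material.

Added example; the labels and ordering are assumptions, not the spec text.
"""
import hashlib
import hmac
import struct

HASH = "sha256"  # assumption: the example fixes one hash for all steps


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): iterate T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(prk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as defined in RFC 8446 section 7.1 (TLS 1.3)."""
    full_label = b"tls13 " + label
    hkdf_label = (
        struct.pack(">H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(prk, hkdf_label, length)


def generated_psk(session_key: bytes, c1: bytes, c2: bytes) -> bytes:
    """Generated PSK: HMAC over both challenges keyed with the session key.

    Binding both challenges ties the PSK to this particular DH-HMAC-CHAP
    exchange, so a replayed or tampered challenge yields a different key.
    """
    return hmac.new(session_key, c1 + c2, HASH).digest()


def derive_tls_psk(session_key: bytes, c1: bytes, c2: bytes,
                   hostnqn: bytes, subsysnqn: bytes) -> bytes:
    """Derive the TLS PSK used for the connection re-established after reset."""
    psk = generated_psk(session_key, c1, c2)
    # Digest binding the PSK to the identities (assumption: label and order).
    identity_context = hmac.new(
        psk, b"NVMe-over-Fabrics " + hostnqn + b" " + subsysnqn, HASH
    ).digest()
    prk = hkdf_extract(b"", psk)
    key_len = hashlib.new(HASH).digest_size
    # Assumption: "nvme-tls-psk" is the example's label, not the spec's value.
    return hkdf_expand_label(prk, b"nvme-tls-psk", identity_context, key_len)


def both_sides_agree(session_key: bytes, c1: bytes, c2: bytes,
                     hostnqn: bytes, subsysnqn: bytes) -> bool:
    """Host and controller run the same derivation over the same inputs."""
    host_psk = derive_tls_psk(session_key, c1, c2, hostnqn, subsysnqn)
    ctrl_psk = derive_tls_psk(session_key, c1, c2, hostnqn, subsysnqn)
    return hmac.compare_digest(host_psk, ctrl_psk)


# Constructed sample inputs (not real key material).
SESSION_KEY = bytes.fromhex("00" * 16 + "ff" * 16)
C1 = b"\x11" * 32
C2 = b"\x22" * 32
HOSTNQN = b"nqn.2014-08.org.nvmexpress:uuid:example-host"
SUBSYSNQN = b"nqn.2014-08.org.nvmexpress:example-subsys"

if __name__ == "__main__":
    psk = derive_tls_psk(SESSION_KEY, C1, C2, HOSTNQN, SUBSYSNQN)
    print("derived TLS PSK:", psk.hex())
    print("host/controller agree:", both_sides_agree(SESSION_KEY, C1, C2, HOSTNQN, SUBSYSNQN))
```

The last helper exists to make the defender's point from the cover letter concrete: because the PSK is a deterministic function of the DH-HMAC-CHAP outcome, a controller that did not complete the same authentication exchange cannot produce the PSK needed for the subsequent TLS handshake, and any change to a challenge or NQN produces an unrelated key.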
