[RFC PATCH 00/11] nvme: In-band authentication support
Sagi Grimberg
sagi at grimberg.me
Fri Jul 16 23:06:46 PDT 2021
> Hi all,
Hey Hannes, nice progress. This is definitely
a step in the right direction.
> recent updates to the NVMe spec have added definitions for in-band
> authentication, and seeing that it provides some real benefit especially
> for NVMe-TCP here's an attempt to implement it.
Please call out the TP 8006 specifically so people can look
into it.
> Tricky bit here is that the specification orients itself on TLS 1.3,
> but supports only the FFDHE groups. Which of course the kernel doesn't
> support. I've been able to come up with a patch for this, but as this
> is my first attempt to fix anything in the crypto area I would invite
> people more familiar with these matters to have a look.
Glad to see this turned out to be very simple!
> Also note that this is just for in-band authentication. Secure concatenation
> (i.e. starting TLS with the negotiated parameters) is not implemented; one would
> need to update the kernel TLS implementation for this, which at this time is
> beyond scope.
TLS is an additional effort, as discussed, inband auth alone
has merits and we should not lock it down to NVMe/TCP-TLS.
> As usual, comments and reviews are welcome.
Having another look into this now...