[PATCHv6 00/12] nvme: In-band authentication support
Sagi Grimberg
sagi at grimberg.me
Mon Nov 22 03:32:40 PST 2021
>>> Hi all,
>>>
>>> recent updates to the NVMe spec have added definitions for in-band
>>> authentication, and seeing that it provides some real benefit
>>> especially for NVMe-TCP here's an attempt to implement it.
>>>
>>> Tricky bit here is that the specification orients itself on TLS 1.3,
>>> but supports only the FFDHE groups. Which of course the kernel doesn't
>>> support. I've been able to come up with a patch for this, but as this
>>> is my first attempt to fix anything in the crypto area I would invite
>>> people more familiar with these matters to have a look.
>>>
>>> Also note that this is just for in-band authentication. Secure
>>> concatenation (i.e. starting TLS with the negotiated parameters) is not
>>> implemented; one would need to update the kernel TLS implementation
>>> for this, which at this time is beyond scope.
>>>
>>> As usual, comments and reviews are welcome.
>>>
>>> Changes to v5:
>>> - Unify nvme_auth_generate_key()
>>> - Unify nvme_auth_extract_key()
>>
>> You mean nvme_auth_extract_secret() ?
>>
> Yes.
>
>>> - Include reviews from Sagi
>>
>> What about the bug fix folded in?
>
> Yeah, and that, too.
> Forgot to mention it.
It is not the code that you shared in the other thread, right?
>
> Also note that I've already folded the nvme-cli patches into the git
> repository to ease testing; I gather that the interface won't change
> that much anymore, so I felt justified in doing so.
It's ok, we can still change if we want to.