[PATCHv6 00/12] nvme: In-band authentication support
Hannes Reinecke
hare at suse.de
Mon Nov 22 03:37:37 PST 2021
On 11/22/21 12:32 PM, Sagi Grimberg wrote:
>
>>>> Hi all,
>>>>
>>>> recent updates to the NVMe spec have added definitions for in-band
>>>> authentication, and seeing that it provides some real benefit
>>>> especially for NVMe-TCP here's an attempt to implement it.
>>>>
>>>> Tricky bit here is that the specification orients itself on TLS 1.3,
>>>> but supports only the FFDHE groups. Which of course the kernel doesn't
>>>> support. I've been able to come up with a patch for this, but as this
>>>> is my first attempt to fix anything in the crypto area I would invite
>>>> people more familiar with these matters to have a look.
>>>>
>>>> Also note that this is just for in-band authentication. Secure
>>>> concatenation (ie starting TLS with the negotiated parameters) is not
>>>> implemented; one would need to update the kernel TLS implementation
>>>> for this, which at this time is beyond scope.
>>>>
>>>> As usual, comments and reviews are welcome.
>>>>
>>>> Changes to v5:
>>>> - Unify nvme_auth_generate_key()
>>>> - Unify nvme_auth_extract_key()
>>>
>>> You mean nvme_auth_extract_secret() ?
>>>
>> Yes.
>>
>>>> - Include reviews from Sagi
>>>
>>> What about the bug fix folded in?
>>
>> Yeah, and that, to
>> Forgot to mention it.
>
> It is not the code that you shared in the other thread right?
>
Yes, it is.
It has been folded into v6.
And test 043 has been updated to check for this issue.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions Germany GmbH, 90409 Nürnberg
GF: F. Imendörffer, HRB 36809 (AG Nürnberg)
More information about the Linux-nvme
mailing list