[PATCHv14 00/11] nvme: In-band authentication support

Chaitanya Kulkarni chaitanyak at nvidia.com
Fri Jun 10 02:06:10 PDT 2022


On 6/8/22 23:20, Hannes Reinecke wrote:
> On 6/9/22 08:08, Hannes Reinecke wrote:
>> On 6/9/22 03:13, Chaitanya Kulkarni wrote:
>>> On 6/8/22 07:45, Hannes Reinecke wrote:
>>>> Hi all,
>>>>
>>>> recent updates to the NVMe spec have added definitions for in-band
>>>> authentication, and seeing that it provides some real benefit
>>>> especially for NVMe-TCP here's an attempt to implement it.
>>>>
>>>> Thanks to Nicolai Stange the crypto DH framework has been upgraded
>>>> to provide us with a FFDHE implementation; I've updated the patchset
>>>> to use the ephemeral key generation provided there.
>>>>
>>>> Note that this is just for in-band authentication. Secure
>>>> concatenation (ie starting TLS with the negotiated parameters)
>>>> requires a TLS handshake, which the in-kernel TLS implementation
>>>> does not provide. This is being worked on with a different patchset
>>>> which is still WIP.
>>>>
>>>> The nvme-cli support has already been merged; please use the latest
>>>> nvme-cli git repository to build the most recent version.
>>>>
>>>> A copy of this patchset can be found at
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/hare/scsi-devel
>>>> branch auth.v14
>>>>
>>>> The patchset is being cut against v5.18.
>>>>
>>>> As usual, comments and reviews are welcome.
>>>>
>>>
>>>
>>> blktests (master) # ./check nvme/039
>>> nvme/039 (Create authenticated connections)                  [failed]
>>>       runtime  1.400s  ...  1.707s
>>>       --- tests/nvme/039.out    2022-06-08 18:09:06.239931529 -0700
>>>       +++ /mnt/data/blktests/results/nodev/nvme/039.out.bad    2022-06-08 18:09:40.596663692 -0700
>>>       @@ -1,6 +1,7 @@
>>>        Running nvme/039
>>>       +tests/nvme/rc: line 269: printf: write error: Invalid argument
>>>        Test unauthenticated connection
>>>       -no controller found
>>>       +no controller found: failed to write to nvme-fabrics device
>>>        NQN:blktests-subsystem-1 disconnected 0 controller(s)
>>>        Test authenticated connection
>>>       ...
>>>       (Run 'diff -u tests/nvme/039.out /mnt/data/blktests/results/nodev/nvme/039.out.bad' to see the entire diff)
>>
>> Hmm. Not sure what has happened here, but all blktests worked on my 
>> testbed. I'll be rechecking with the latest nvme-cli build.
>>
>> Which nvme-cli version did you use?
>>
> Retested with latest nvme-cli:
> 
> # bash ./check tests/nvme/039
> nvme/039 (Create authenticated connections)                  [passed]
>      runtime  1.625s  ...  1.667s
> # bash ./check tests/nvme/040
> nvme/040 (Test dhchap key types for authenticated connections) [passed]
>      runtime  10.497s  ...  10.657s
> 
> So not sure what is happening at your end; the 'invalid argument' seems 
> to indicate that the 'connect' arguments are not understood.
> Maybe a missing config option during kernel build?
> 

This is the nvme config I have:

nvme (nvme-5.18) # grep NVME .config
# NVME Support
CONFIG_NVME_COMMON=m
CONFIG_NVME_CORE=m
CONFIG_BLK_DEV_NVME=m
CONFIG_NVME_MULTIPATH=y
CONFIG_NVME_VERBOSE_ERRORS=y
CONFIG_NVME_HWMON=y
CONFIG_NVME_FABRICS=m
CONFIG_NVME_RDMA=m
CONFIG_NVME_FC=m
CONFIG_NVME_TCP=m
CONFIG_NVME_AUTH=y
CONFIG_NVME_TARGET=m
CONFIG_NVME_TARGET_PASSTHRU=y
CONFIG_NVME_TARGET_LOOP=m
CONFIG_NVME_TARGET_RDMA=m
CONFIG_NVME_TARGET_FC=m
CONFIG_NVME_TARGET_FCLOOP=m
CONFIG_NVME_TARGET_TCP=m
CONFIG_NVME_TARGET_AUTH=y
# end of NVME Support
CONFIG_RTC_NVMEM=y
CONFIG_NVMEM=y
CONFIG_NVMEM_SYSFS=y
# CONFIG_NVMEM_RMEM is not set
nvme (nvme-5.18) # grep NVME .config | grep AUTH
CONFIG_NVME_AUTH=y
CONFIG_NVME_TARGET_AUTH=y
nvme (nvme-5.18) #


After some debugging I found this:

# ./check nvme/039
nvme/039 (Create authenticated connections)                  [failed]
     runtime  1.636s  ...  1.656s
     --- tests/nvme/039.out	2022-06-08 18:09:06.239931529 -0700
     +++ /mnt/data/blktests/results/nodev/nvme/039.out.bad	2022-06-10 02:02:03.734310155 -0700
     @@ -1,6 +1,7 @@
      Running nvme/039
     +tests/nvme/rc: line 269: printf: write error: Invalid argument
      Test unauthenticated connection
     -no controller found
     +no controller found: failed to write to nvme-fabrics device
      NQN:blktests-subsystem-1 disconnected 0 controller(s)
      Test authenticated connection
     ...
     (Run 'diff -u tests/nvme/039.out /mnt/data/blktests/results/nodev/nvme/039.out.bad' to see the entire diff)

blktests (master) # dmesg  -c
[  810.765135] run blktests nvme/039 at 2022-06-10 02:03:42
[  810.794825] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[  810.795094] nvmet: nvmet_ns_enable_store 535
[  810.795098] nvmet: nvmet_ns_enable 555
[  810.795100] nvmet: nvmet_ns_enable 559
[  810.795101] nvmet: nvmet_ns_enable 565
[  810.795102] nvmet: nvmet_ns_enable 573
*[  810.795108] nvmet: failed to open file /tmp/blktest-ns1.img: (-22)*0
[  810.797146] nvmet: nvmet_ns_enable 610
[  810.805542] nvmet: creating nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:dbdf14ac-d4e5-4a3c-b547-3c39899650e7 with DH-HMAC-CHAP.
*[  810.805556] nvme nvme1: qid 0: no key*
*[  810.805559] nvme nvme1: qid 0: authentication setup failed*
[  810.824145] nvmet: creating nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:dbdf14ac-d4e5-4a3c-b547-3c39899650e7 with DH-HMAC-CHAP.
[  810.824174] __nvme_auth_work 701
*[  810.829094] nvme nvme1: qid 0: authenticated with hash hmac(sha256) dhgroup null*
*[  810.829115] nvme nvme1: qid 0: authenticated*




> Cheers,
> 
> Hannes
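
Added example (not part of the original message and not code from the patchset): a small parser that pulls the host-side DH-HMAC-CHAP outcomes out of dmesg text like the capture above, so that "no key", "authentication setup failed" and a successful authentication negotiated with `dhgroup null` (no Diffie-Hellman exchange) show up per controller and queue. The function names and finding labels are hypothetical; the sample lines are copied from the dmesg output in the message with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the dmesg capture in the message above.
SAMPLE = """\
[  810.805542] nvmet: creating nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:dbdf14ac-d4e5-4a3c-b547-3c39899650e7 with DH-HMAC-CHAP.
[  810.805556] nvme nvme1: qid 0: no key
[  810.805559] nvme nvme1: qid 0: authentication setup failed
[  810.824174] __nvme_auth_work 701
[  810.829094] nvme nvme1: qid 0: authenticated with hash hmac(sha256) dhgroup null
[  810.829115] nvme nvme1: qid 0: authenticated
"""

# Host-side lines look like "[ ts] nvme nvmeN: qid Q: <message>".
# The optional '*' tolerates the emphasis markers used in the mail.
LINE = re.compile(r"^\*?\[\s*(?P<ts>\d+\.\d+)\]\s+nvme (?P<ctrl>nvme\d+): "
                  r"qid (?P<qid>\d+): (?P<msg>.*?)\*?$")
AUTH_OK = re.compile(r"authenticated with hash (?P<hash>\S+) dhgroup (?P<dh>\S+)")

def parse_auth_events(text):
    """Return {(controller, qid): [event, ...]} in log order."""
    events = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # target-side (nvmet) and debug lines are ignored
        msg = m["msg"]
        ok = AUTH_OK.fullmatch(msg)
        if ok:
            ev = {"kind": "authenticated", "hash": ok["hash"], "dhgroup": ok["dh"]}
        elif msg == "no key":
            ev = {"kind": "no_key"}
        elif msg == "authentication setup failed":
            ev = {"kind": "setup_failed"}
        else:
            continue  # e.g. the bare "authenticated" summary line
        ev["ts"] = float(m["ts"])
        events[(m["ctrl"], int(m["qid"]))].append(ev)
    return dict(events)

def findings(events):
    """Flag failures and authentications that used the null DH group."""
    out = []
    for (ctrl, qid), evs in sorted(events.items()):
        for ev in evs:
            if ev["kind"] in ("no_key", "setup_failed"):
                out.append((ctrl, qid, ev["kind"]))
            elif ev["dhgroup"] == "null":
                out.append((ctrl, qid, "authenticated_without_dh_exchange"))
    return out
```
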

