[PATCHv14 00/11] nvme: In-band authentication support

Chaitanya Kulkarni chaitanyak at nvidia.com
Fri Jun 10 02:17:18 PDT 2022


On 6/10/22 02:06, Chaitanya Kulkarni wrote:
> On 6/8/22 23:20, Hannes Reinecke wrote:
>> On 6/9/22 08:08, Hannes Reinecke wrote:
>>> On 6/9/22 03:13, Chaitanya Kulkarni wrote:
>>>> On 6/8/22 07:45, Hannes Reinecke wrote:
>>>>> Hi all,
>>>>>
>>>>> recent updates to the NVMe spec have added definitions for in-band
>>>>> authentication, and seeing that it provides some real benefit
>>>>> especially for NVMe-TCP here's an attempt to implement it.
>>>>>
>>>>> Thanks to Nicolai Stange the crypto DH framework has been upgraded
>>>>> to provide us with a FFDHE implementation; I've updated the patchset
>>>>> to use the ephemeral key generation provided there.
>>>>>
>>>>> Note that this is just for in-band authentication. Secure
>>>>> concatenation (ie starting TLS with the negotiated parameters)
>>>>> requires a TLS handshake, which the in-kernel TLS implementation
>>>>> does not provide. This is being worked on with a different patchset
>>>>> which is still WIP.
>>>>>
>>>>> The nvme-cli support has already been merged; please use the latest
>>>>> nvme-cli git repository to build the most recent version.
>>>>>
>>>>> A copy of this patchset can be found at
>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/hare/scsi-devel
>>>>> branch auth.v14
>>>>>
>>>>> The patchset is being cut against v5.18.
>>>>>
>>>>> As usual, comments and reviews are welcome.
>>>>>
>>>>
>>>>
>>>> blktests (master) # ./check nvme/039
>>>> nvme/039 (Create authenticated connections)                  [failed]
>>>>       runtime  1.400s  ...  1.707s
>>>>       --- tests/nvme/039.out    2022-06-08 18:09:06.239931529 -0700
>>>>       +++ /mnt/data/blktests/results/nodev/nvme/039.out.bad 2022-06-08
>>>> 18:09:40.596663692 -0700
>>>>       @@ -1,6 +1,7 @@
>>>>        Running nvme/039
>>>>       +tests/nvme/rc: line 269: printf: write error: Invalid argument
>>>>        Test unauthenticated connection
>>>>       -no controller found
>>>>       +no controller found: failed to write to nvme-fabrics device
>>>>        NQN:blktests-subsystem-1 disconnected 0 controller(s)
>>>>        Test authenticated connection
>>>>       ...
>>>>       (Run 'diff -u tests/nvme/039.out > 
>>>> /mnt/data/blktests/results/nodev/nvme/039.out.bad' to see the entire 
>>> diff)
>>>
>>> Hmm. Not sure what has happened here, but all blktests worked on my 
>>> testbed. I'll be rechecking with the latest nvme-cli build.
>>>
>>> Which nvme-cli version did you use?
>>>
>> Retested with latest nvme-cli:
>>
>> # bash ./check tests/nvme/039
>> nvme/039 (Create authenticated connections)                  [passed]
>>      runtime  1.625s  ...  1.667s
>> # bash ./check tests/nvme/040
>> nvme/040 (Test dhchap key types for authenticated connections) [passed]
>>      runtime  10.497s  ...  10.657s
>>
>> So not sure what is happening at your end; the 'invalid argument' 
>> seems to indicate that the 'connect' arguments are not understood.
>> Maybe a missing config option during kernel build?
>>
> 
> This is the nvme config I have :-
> 
> nvme (nvme-5.18) # grep NVME .config
> # NVME Support
> CONFIG_NVME_COMMON=m
> CONFIG_NVME_CORE=m
> CONFIG_BLK_DEV_NVME=m
> CONFIG_NVME_MULTIPATH=y
> CONFIG_NVME_VERBOSE_ERRORS=y
> CONFIG_NVME_HWMON=y
> CONFIG_NVME_FABRICS=m
> CONFIG_NVME_RDMA=m
> CONFIG_NVME_FC=m
> CONFIG_NVME_TCP=m
> CONFIG_NVME_AUTH=y
> CONFIG_NVME_TARGET=m
> CONFIG_NVME_TARGET_PASSTHRU=y
> CONFIG_NVME_TARGET_LOOP=m
> CONFIG_NVME_TARGET_RDMA=m
> CONFIG_NVME_TARGET_FC=m
> CONFIG_NVME_TARGET_FCLOOP=m
> CONFIG_NVME_TARGET_TCP=m
> CONFIG_NVME_TARGET_AUTH=y
> # end of NVME Support
> CONFIG_RTC_NVMEM=y
> CONFIG_NVMEM=y
> CONFIG_NVMEM_SYSFS=y
> # CONFIG_NVMEM_RMEM is not set
> nvme (nvme-5.18) # grep NVME .config | grep AUTH
> CONFIG_NVME_AUTH=y
> CONFIG_NVME_TARGET_AUTH=y
> nvme (nvme-5.18) #
> 
> 
> After some debugging I found this :-
> 
> # ./check nvme/039
> nvme/039 (Create authenticated connections)                  [failed]
>      runtime  1.636s  ...  1.656s
>      --- tests/nvme/039.out    2022-06-08 18:09:06.239931529 -0700
>      +++ /mnt/data/blktests/results/nodev/nvme/039.out.bad    2022-06-10 
> 02:02:03.734310155 -0700
>      @@ -1,6 +1,7 @@
>       Running nvme/039
>      +tests/nvme/rc: line 269: printf: write error: Invalid argument
>       Test unauthenticated connection
>      -no controller found
>      +no controller found: failed to write to nvme-fabrics device
>       NQN:blktests-subsystem-1 disconnected 0 controller(s)
>       Test authenticated connection
>      ...
>      (Run 'diff -u tests/nvme/039.out 
> /mnt/data/blktests/results/nodev/nvme/039.out.bad' to see the entire diff)
> 
> blktests (master) # dmesg  -c
> [  810.765135] run blktests nvme/039 at 2022-06-10 02:03:42
> [  810.794825] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
> [  810.795094] nvmet: nvmet_ns_enable_store 535
> [  810.795098] nvmet: nvmet_ns_enable 555
> [  810.795100] nvmet: nvmet_ns_enable 559
> [  810.795101] nvmet: nvmet_ns_enable 565
> [  810.795102] nvmet: nvmet_ns_enable 573
> *[  810.795108] nvmet: failed to open file /tmp/blktest-ns1.img: (-22)*0
> [  810.797146] nvmet: nvmet_ns_enable 610
> [  810.805542] nvmet: creating nvm controller 1 for subsystem 
> blktests-subsystem-1 for NQN 
> nqn.2014-08.org.nvmexpress:uuid:dbdf14ac-d4e5-4a3c-b547-3c39899650e7 
> with DH-HMAC-CHAP.
> *[  810.805556] nvme nvme1: qid 0: no key*
> *[  810.805559] nvme nvme1: qid 0: authentication setup failed*
> [  810.824145] nvmet: creating nvm controller 1 for subsystem 
> blktests-subsystem-1 for NQN 
> nqn.2014-08.org.nvmexpress:uuid:dbdf14ac-d4e5-4a3c-b547-3c39899650e7 
> with DH-HMAC-CHAP.
> [  810.824174] __nvme_auth_work 701
> *[  810.829094] nvme nvme1: qid 0: authenticated with hash hmac(sha256) 
> dhgroup null*
> *[  810.829115] nvme nvme1: qid 0: authenticated*
> 
> 

Even after using a loop device instead of passing a file to the target ns,
it still fails :-

blktests (master) # ./check nvme/039
nvme/039 (Create authenticated connections)                  [failed]
     runtime  1.665s  ...  1.713s
     --- tests/nvme/039.out	2022-06-08 18:09:06.239931529 -0700
     +++ /mnt/data/blktests/results/nodev/nvme/039.out.bad	2022-06-10 
02:15:36.123178797 -0700
     @@ -1,7 +1,10 @@
      Running nvme/039
     +losetup: /tmp/blktest-ns1.img: failed to set up loop device: 
Device or resource busy
      Test unauthenticated connection
     -no controller found
     +no controller found: failed to write to nvme-fabrics device
      NQN:blktests-subsystem-1 disconnected 0 controller(s)
      Test authenticated connection
     ...
     (Run 'diff -u tests/nvme/039.out 
/mnt/data/blktests/results/nodev/nvme/039.out.bad' to see the entire diff)

blktests (master) # dmesg  -c
[ 1522.531012] run blktests nvme/039 at 2022-06-10 02:15:34
[ 1522.574487] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 1522.574773] nvmet: nvmet_ns_enable_store 535
[ 1522.574777] nvmet: nvmet_ns_enable 555
[ 1522.574779] nvmet: nvmet_ns_enable 559
[ 1522.574780] nvmet: nvmet_ns_enable 565
[ 1522.574781] nvmet: nvmet_ns_enable 573
[ 1522.584408] nvmet: nvmet_ns_enable 580
[ 1522.584418] nvmet: nvmet_ns_enable 596
[ 1522.584420] nvmet: nvmet_ns_enable 601
[ 1522.584421] nvmet: nvmet_ns_enable 605
[ 1522.584421] nvmet: nvmet_ns_enable 607
[ 1522.584422] nvmet: nvmet_ns_enable 610
[ 1522.592585] nvmet: creating nvm controller 1 for subsystem 
blktests-subsystem-1 for NQN 
nqn.2014-08.org.nvmexpress:uuid:d3c7574b-dcf2-4882-8141-93baf2c9291c 
with DH-HMAC-CHAP.
[ 1522.592601] nvme nvme1: qid 0: no key
[ 1522.592604] nvme nvme1: qid 0: authentication setup failed
[ 1522.614144] nvmet: creating nvm controller 1 for subsystem 
blktests-subsystem-1 for NQN 
nqn.2014-08.org.nvmexpress:uuid:d3c7574b-dcf2-4882-8141-93baf2c9291c 
with DH-HMAC-CHAP.
[ 1522.614171] __nvme_auth_work 701
[ 1522.619125] nvme nvme1: qid 0: authenticated with hash hmac(sha256) 
dhgroup null
[ 1522.619154] nvme nvme1: qid 0: authenticated
[ 1522.619275] nvme nvme1: creating 48 I/O queues.
[ 1522.620508] __nvme_auth_work 701
[ 1522.625672] __nvme_auth_work 701
[ 1522.630451] __nvme_auth_work 701
[ 1522.635257] __nvme_auth_work 701
[ 1522.640227] __nvme_auth_work 701
[ 1522.644709] __nvme_auth_work 701
[ 1522.649660] __nvme_auth_work 701
[ 1522.654324] __nvme_auth_work 701
[ 1522.659129] __nvme_auth_work 701
[ 1522.663996] __nvme_auth_work 701
[ 1522.668686] __nvme_auth_work 701
[ 1522.673422] __nvme_auth_work 701
[ 1522.678153] __nvme_auth_work 701
[ 1522.682897] __nvme_auth_work 701
[ 1522.687692] __nvme_auth_work 701
[ 1522.692478] __nvme_auth_work 701
[ 1522.697329] __nvme_auth_work 701
[ 1522.701962] __nvme_auth_work 701
[ 1522.706674] __nvme_auth_work 701
[ 1522.711382] __nvme_auth_work 701
[ 1522.715998] __nvme_auth_work 701
[ 1522.720803] __nvme_auth_work 701
[ 1522.725550] __nvme_auth_work 701
[ 1522.730237] __nvme_auth_work 701
[ 1522.734947] __nvme_auth_work 701
[ 1522.739615] __nvme_auth_work 701
[ 1522.744340] __nvme_auth_work 701
[ 1522.749115] __nvme_auth_work 701
[ 1522.753804] __nvme_auth_work 701
[ 1522.758516] __nvme_auth_work 701
[ 1522.763498] __nvme_auth_work 701
[ 1522.768125] __nvme_auth_work 701
[ 1522.772960] __nvme_auth_work 701
[ 1522.777941] __nvme_auth_work 701
[ 1522.782815] __nvme_auth_work 701
[ 1522.787598] __nvme_auth_work 701
[ 1522.792304] __nvme_auth_work 701
[ 1522.796911] __nvme_auth_work 701
[ 1522.801722] __nvme_auth_work 701
[ 1522.806501] __nvme_auth_work 701
[ 1522.811436] __nvme_auth_work 701
[ 1522.816282] __nvme_auth_work 701
[ 1522.821029] __nvme_auth_work 701
[ 1522.825746] __nvme_auth_work 701
[ 1522.830410] __nvme_auth_work 701
[ 1522.835514] __nvme_auth_work 701
[ 1522.840346] __nvme_auth_work 701
[ 1522.845145] __nvme_auth_work 701
[ 1522.849755] nvme nvme1: new ctrl: "blktests-subsystem-1"
[ 1523.870772] nvme nvme1: Removing ctrl: NQN "blktests-subsystem-1"
[ 1524.212770] nvmet: nvmet_ns_enable_store 535


> 
> 
>> Cheers,
>>
>> Hannes
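
An added example, not part of the original message or of the patchset: a small Python parser for the host-side authentication lines in the dmesg output quoted above. It rejoins records the mailer wrapped and lists the queues that authenticated with `dhgroup null`, where no Diffie-Hellman exchange takes place; the function names and event fields are this example's own.

```python
import re

# Lines copied from the dmesg output in the thread, with the mailer's quoting, emphasis and wrap.
SAMPLE = """\
> *[  810.805556] nvme nvme1: qid 0: no key*
> *[  810.805559] nvme nvme1: qid 0: authentication setup failed*
> [  810.824174] __nvme_auth_work 701
> *[  810.829094] nvme nvme1: qid 0: authenticated with hash hmac(sha256) 
> dhgroup null*
> *[  810.829115] nvme nvme1: qid 0: authenticated*
"""

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
AUTH = re.compile(r"^nvme (nvme\d+): qid (\d+): (.+)$")
NEGOTIATED = re.compile(r"^authenticated with hash (\S+) dhgroup (\S+)$")
OUTCOMES = {"no key": "failure", "authentication setup failed": "failure",
            "authenticated": "success"}

def unwrap(text):
    """Strip quoting/emphasis and rejoin records that were wrapped in transit."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").lstrip("*").rstrip().rstrip("*").rstrip()
        m = STAMP.match(line)
        if m:
            records.append([float(m.group(1)), m.group(2)])
        elif line and records:          # no timestamp: continuation of the last record
            records[-1][1] += " " + line
    return records

def auth_events(text):
    """Return one dict per nvme host-side authentication message."""
    events = []
    for ts, msg in unwrap(text):
        m = AUTH.match(msg)
        if not m:
            continue                    # debug prints, nvmet lines, etc.
        ev = {"ts": ts, "ctrl": m.group(1), "qid": int(m.group(2))}
        neg = NEGOTIATED.match(m.group(3))
        if neg:
            ev.update(kind="negotiated", hash=neg.group(1), dhgroup=neg.group(2))
        else:
            ev.update(kind=OUTCOMES.get(m.group(3), "other"), text=m.group(3))
        events.append(ev)
    return events

def without_dh(events):
    """(ctrl, qid) pairs that authenticated with the null DH group."""
    return sorted({(e["ctrl"], e["qid"]) for e in events if e.get("dhgroup") == "null"})
```
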

