[PATCHv5 00/16] nvme: implement secure concatenation
Sagi Grimberg
sagi at grimberg.me
Wed Jul 17 14:38:04 PDT 2024
On 17/07/2024 12:10, Hannes Reinecke wrote:
> Hi all,
>
> here's my attempt to implement secure concatenation for NVMe-of TCP
> as outlined in TP8018.
> Secure concatenation means that a TLS PSK is generated from the key
> material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
> is then used for a subsequent TLS connection.
> The difference between the original definition of secure concatenation
> and the method outlined in TP8018 is that with TP8018 the connection
> is reset after DH-HMAC-CHAP negotiation, and a new connection is setup
> with the generated TLS PSK.
>
> To implement that Sagi came up with the idea to directly reset the
> admin queue once the DH-CHAP negotiation has completed; that way
> it will be transparent to the upper layers and we don't have to
> worry about exposing queues which should not be used.
I'm glad it worked out. Happy to see that this set is getting in shape!
>
> As usual, comments and reviews are welcome.
>
> Patchset can be found at
> git.kernel.org:/pub/scm/linux/kernel/git/hare/nvme.git
> branch secure-concat.v5
>
> Changes to v4:
> - Rework reset admin queue functionality based on an idea
> from Sagi (thanks!)
> - kbuild robot fixes
> - Fixup dhchap negotiation with non-empty C2 value
Can we split fixes from this patch set? (unless they are only
relevant only to the code introduced here).
More information about the Linux-nvme
mailing list