[PATCHv5 00/16] nvme: implement secure concatenation

Hannes Reinecke hare at suse.de
Wed Jul 17 23:44:44 PDT 2024


On 7/17/24 23:38, Sagi Grimberg wrote:
> 
> 
> On 17/07/2024 12:10, Hannes Reinecke wrote:
>> Hi all,
>>
>> here's my attempt to implement secure concatenation for NVMe-of TCP
>> as outlined in TP8018.
>> Secure concatenation means that a TLS PSK is generated from the key
>> material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
>> is then used for a subsequent TLS connection.
>> The difference between the original definition of secure concatenation
>> and the method outlined in TP8018 is that with TP8018 the connection
>> is reset after DH-HMAC-CHAP negotiation, and a new connection is set up
>> with the generated TLS PSK.
>>
>> To implement that, Sagi came up with the idea to directly reset the
>> admin queue once the DH-CHAP negotiation has completed; that way
>> it will be transparent to the upper layers and we don't have to
>> worry about exposing queues which should not be used.
> 
> I'm glad it worked out. Happy to see that this set is getting in shape!
> 
>>
>> As usual, comments and reviews are welcome.
>>
>> Patchset can be found at
>> git.kernel.org:/pub/scm/linux/kernel/git/hare/nvme.git
>> branch secure-concat.v5
>>
>> Changes to v4:
>> - Rework reset admin queue functionality based on an idea
>>    from Sagi (thanks!)
>> - kbuild robot fixes
>> - Fixup dhchap negotiation with non-empty C2 value
> 
> Can we split fixes from this patch set? (unless they are only
> relevant to the code introduced here).

Yes, thought about it myself already.
Will be doing that for the next round.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
More information about the Linux-nvme mailing list