[PATCH 00/12] nvme-auth: switch to use the kernel keyring
Hannes Reinecke
hare at kernel.org
Fri Apr 25 02:49:15 PDT 2025
Hey all,

the current NVMe authentication code is using a hand-crafted key structure;
the idea was to have the initial implementation with a minimal set of dependencies.
(And me not having a good grasp on how to use the kernel keyring :-)
That had the drawback that keys always had to be specified on the nvme-cli
commandline, which is far from ideal from a security standpoint.

So this patchset switches the authentication code over to use the kernel keyring.
The user-facing interface (namely the arguments to 'nvme connect') remains the same, but
the key data is converted into keys which are stored as a new key type 'dhchap'
with a random UUID as description in the kernel keyring.

With this I have updated the dhchap arguments to 'nvme connect' and the configfs
interface to either be the keydata (i.e. the original interface) _or_ a key serial
referring to a pre-populated dhchap key in the kernel keyring.
This allows for easier provisioning of keys and avoids the security risk from
having to specify the key data on the kernel commandline.

The entire patchset can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/hare/nvme.git
branch dhchap-keyring.v1

As usual, comments and reviews are welcome.

Hannes Reinecke (12):
  nvme-auth: modify nvme_auth_transform_key() to return status
  nvme-auth: use SHASH_DESC_ON_STACK
  nvmet-auth: use SHASH_DESC_ON_STACK
  nvme-auth: do not cache the transformed secret
  nvme-keyring: add 'dhchap' key type
  nvme-auth: switch to use 'struct key'
  nvme-auth: drop nvme_dhchap_key structure and unused functions
  nvme: parse dhchap keys during option parsing
  nvmet-auth: parse dhchap key from configfs attribute
  nvme: allow to pass in key serial number as dhchap secret
  nvme-auth: wait for authentication to finish when changing keys
  nvme: Unify Kconfig settings

 drivers/nvme/common/Kconfig    |   1 +
 drivers/nvme/common/auth.c     | 245 +++++++++++++-----------------
 drivers/nvme/common/keyring.c  | 266 +++++++++++++++++++++++++++++++++
 drivers/nvme/host/Kconfig      |   4 +-
 drivers/nvme/host/auth.c       | 171 ++++++++++++++-------
 drivers/nvme/host/fabrics.c    |  94 +++++++++---
 drivers/nvme/host/fabrics.h    |  12 +-
 drivers/nvme/host/nvme.h       |   6 +-
 drivers/nvme/host/sysfs.c      | 204 ++++++++++++++++++-------
 drivers/nvme/target/Kconfig    |   3 +-
 drivers/nvme/target/auth.c     | 238 ++++++++++++++++++-----------
 drivers/nvme/target/configfs.c |  61 ++++++--
 drivers/nvme/target/nvmet.h    |  13 +-
 include/linux/nvme-auth.h      |  18 +--
 include/linux/nvme-keyring.h   |  22 ++-
 15 files changed, 948 insertions(+), 410 deletions(-)

--
2.35.3