[PATCH 00/12] nvme-auth: switch to use the kernel keyring
Sagi Grimberg
sagi at grimberg.me
Wed May 7 00:53:03 PDT 2025
On 25/04/2025 12:49, Hannes Reinecke wrote:
> Hey all,
>
> the current NVMe authentication code is using a hand-crafted key structure;
> idea was to have the initial implementation with a minimal set of dependencies.
> (And me not having a good grasp on how to use the kernel keyring :-)
> That had the drawback that keys always had to be specified on the nvme-cli
> commandline, which is far from ideal from a security standpoint.
>
> So this patchset switches the authentication code over to use the kernel keyring.
> User-facing interface (namely argument to 'nvme connect') remains the same, but
> the key data is converted into keys which are stored as a new key type 'dhchap'
> with a random UUID as description in the kernel keyring.
A welcome change, Hannes.
Did not look into the patches yet, but we should start logging deprecation
messages on the existing interface I think.