[PATCH 2/3] nvmet-auth: Don't log DHCHAP keys in nvmet_setup_auth()

Hannes Reinecke hare at suse.de
Tue Mar 3 23:19:59 PST 2026


On 3/3/26 20:03, Thorsten Blum wrote:
> When debug logging is enabled, nvmet_setup_auth() logs the host and
> controller DHCHAP key bytes. Remove the keys from debug logs to avoid
> exposing key material.
> 
> Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
> Cc: stable at vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum at linux.dev>
> ---
>   drivers/nvme/target/auth.c | 10 ++++------
>   1 file changed, 4 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
> index 2eadeb7e06f2..f24add0bb86f 100644
> --- a/drivers/nvme/target/auth.c
> +++ b/drivers/nvme/target/auth.c
> @@ -199,10 +199,9 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)
>   		ctrl->host_key = NULL;
>   		goto out_free_hash;
>   	}
> -	pr_debug("%s: using hash %s key %*ph\n", __func__,
> +	pr_debug("%s: using hash %s\n", __func__,
>   		 ctrl->host_key->hash > 0 ?
> -		 nvme_auth_hmac_name(ctrl->host_key->hash) : "none",
> -		 (int)ctrl->host_key->len, ctrl->host_key->key);
> +		 nvme_auth_hmac_name(ctrl->host_key->hash) : "none");
>   
>   	nvme_auth_free_key(ctrl->ctrl_key);
>   	if (!host->dhchap_ctrl_secret) {
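
Review bot: With the key bytes dropped, the host-key pr_debug ("using hash %s") reports only the HMAC name, which leaves little to go on when debugging an authentication failure. Consider keeping the length without the bytes, e.g. `"%s: using hash %s key len %d\n"` with `(int)ctrl->host_key->len`, so that a key of unexpected size still shows up in the log while no key material does.
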
> @@ -217,10 +216,9 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)
>   		ctrl->ctrl_key = NULL;
>   		goto out_free_hash;
>   	}
> -	pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
> +	pr_debug("%s: using ctrl hash %s\n", __func__,
>   		 ctrl->ctrl_key->hash > 0 ?
> -		 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
> -		 (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
> +		 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none");
>   
>   out_free_hash:
>   	if (ret) {
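
Review bot: After this change the ctrl-key pr_debug ("using ctrl hash %s") differs from the host-key one ("using hash %s") only by the word "ctrl", so the two lines are easy to confuse in a debug log. Wording the first message as "using host hash %s" would make them unambiguous, and the same length-only suggestion applies here with `(int)ctrl->ctrl_key->len`.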

Without the key the pr_debug calls are pretty much pointless anyway,
so you might want to remove them, too.

However, these debug prints really help when trying to figure out
authentication failures.
I think it would be better to add a compile-time option to disable
these outputs entirely.

I'll send a patch.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich


