[PATCHv3 0/8] nvme-auth: switch to use the kernel keyring

Maurizio Lombardi mlombard at arkamax.eu
Tue Mar 17 06:20:17 PDT 2026


On Tue Mar 17, 2026 at 2:00 PM CET, Hannes Reinecke wrote:
> Hey all,
>
> the current NVMe authentication code is using a hand-crafted key
> structure; idea was to have the initial implementation with a minimal
> set of dependencies.
> (And me not having a good grasp on how to use the kernel keyring :-)
> That had the drawback that keys always had to be specified on the
> nvme-cli commandline, which is far from ideal from a security standpoint.
>
> So this patchset switches the authentication code over to use the
> kernel keyring. User-facing interface (namely argument to 'nvme
> connect') remains the same, but the key data is converted into keys
> which are stored as a new key type 'dhchap' with a random UUID as
> description in the kernel keyring.
>
> With this I have updated the dhchap arguments to 'nvme connect' and
> the configfs interface to either be the keydata (ie the original
> interface) _or_ a key description referring to a pre-populated dhchap
> key in the kernel keyring. This allows for easier provisioning of keys
> and avoids the security risk from having to specify the key data on
> the kernel commandline.
>
> The entire patchset can be found at
> git://git.kernel.org/pub/scm/linux/kernel/git/hare/nvme.git
> branch dhchap-keyring.v3

Are you sure you pushed it? I can't see it.

$ git branch -a | grep dhchap
  remotes/hare/dhchap-keyring.v1
  remotes/hare/dhchap-keyring.v2

Maurizio

>
> There is a pull request to blktests (PR#175) which adds a test
> to exercise the new interface.
>
> As usual, comments and reviews are welcome.
>
> Changes to v2:
> - Update to v7.1
> - Include reviews from Sagi
> - Clarify decoded PSK length
> - Add more function descriptions
>
> Changes to the original submission:
> - Dropped patches merged with upstream
> - Modified the interface to refer to keys via the description
>   and not the serial number
>
> Hannes Reinecke (8):
>   nvme-auth: modify nvme_auth_transform_key() to return status
>   nvme-keyring: add 'dhchap' key type
>   nvme-auth: switch to use 'struct key'
>   nvme: parse dhchap keys during option parsing
>   nvmet-auth: parse dhchap key from configfs attribute
>   nvme: allow to pass in key description as dhchap secret
>   nvme-auth: wait for authentication to finish when changing keys
>   nvme-fabrics: allow to pass in keyring by name
>
>  drivers/nvme/common/Kconfig    |   1 +
>  drivers/nvme/common/auth.c     | 211 ++++++++++------------
>  drivers/nvme/common/keyring.c  | 314 +++++++++++++++++++++++++++++++++
>  drivers/nvme/host/Kconfig      |   1 -
>  drivers/nvme/host/auth.c       | 171 ++++++++++++------
>  drivers/nvme/host/fabrics.c    | 119 +++++++++----
>  drivers/nvme/host/fabrics.h    |  12 +-
>  drivers/nvme/host/nvme.h       |   6 +-
>  drivers/nvme/host/sysfs.c      | 211 ++++++++++++++++------
>  drivers/nvme/target/Kconfig    |   1 -
>  drivers/nvme/target/auth.c     | 224 ++++++++++++++---------
>  drivers/nvme/target/configfs.c |  86 +++++++--
>  drivers/nvme/target/nvmet.h    |  13 +-
>  include/linux/nvme-auth.h      |  17 +-
>  include/linux/nvme-keyring.h   |  22 ++-
>  15 files changed, 1028 insertions(+), 381 deletions(-)



