[PATCHv3 0/8] nvme-auth: switch to use the kernel keyring
Hannes Reinecke
hare at suse.de
Tue Mar 17 07:44:05 PDT 2026
On 3/17/26 14:20, Maurizio Lombardi wrote:
> On Tue Mar 17, 2026 at 2:00 PM CET, Hannes Reinecke wrote:
>> Hey all,
>>
>> the current NVMe authentication code is using a hand-crafted key
>> structure; idea was to have the initial implementation with a minimal
>> set of dependencies.
>> (And me not having a good grasp on how to use the kernel keyring :-)
>> That had the drawback that keys always had to be specified on the
>> nvme-cli commandline, which is far from ideal from a security standpoint.
>>
>> So this patchset switches the authentication code over to use the
>> kernel keyring. User-facing interface (namely argument to 'nvme
>> connect') remain the same, but the key data is converted into keys
>> which are stored as a new key type 'dhchap' with a random UUID as
>> description in the kernel keyring.
>>
>> With this I have updated the dhchap arguments to 'nvme connect' and
>> the configfs interface to either be the keydata (ie the original
>> interface) _or_ a key description referring to a pre-populated dhchap
>> key in the kernel keyring. This allows for easier provisioning of keys
>> and avoids the security risk from having to specify the key data on
>> the kernel commandline.
>>
>> The entire patchset can be found at
>> git://git.kernel.org/pub/scm/linux/kernel/git/hare/nvme.git
>> branch dhchap-keyring.v3
>
> Are you sure you pushed it? I can't see it
>
> $ git branch -a | grep dhchap
> remotes/hare/dhchap-keyring.v1
> remotes/hare/dhchap-keyring.v2
>
Ho-hum. You are right; having a local branch doesn't equate with
having it available on kernel.org. Pushed now.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich