[RFC PATCH 00/11] nvme: implement secure concatenation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [RFC PATCH 00/11] nvme: implement secure concatenation
Date: Tue, 23 Jan 2024 15:18:58 +0100	[thread overview]
Message-ID: <20240123141909.79061-1-hare@kernel.org> (raw)

From: Hannes Reinecke <hare@suse.de>

Hi all,

here's my attempt to implement secure concatenation for NVMe-of TCP
as outlined in TP8018.
Secure concatenation means that a TLS PSK is generated from the key
material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
is then used for a subsequent TLS connection.
The difference between the original definition of secure concatenation
and the method outlined in TP8018 is that with TP8018 the connection
is reset after DH-HMAC-CHAP negotiation, and a new connection is setup
with the generated TLS PSK.

To implement that I have decided on resetting the connection from the
nvme-tcp driver after the initial connection has been set up.
Another way would have been to offload the connection reset to userspace,
and let nvme-cli reset the connection. But that would be a modification
to the userspace interface, and hence I didn't go that way.

As usual, comments and reviews are welcome.

Hannes Reinecke (11):
  crypto,fs: Separate out hkdf_extract() and hkdf_expand()
  nvme: add nvme_auth_generate_psk()
  nvme: add nvme_auth_generate_digest()
  nvme: add nvme_auth_derive_tls_psk()
  nvme-keyring: add nvme_tls_psk_refresh()
  nvme-keyring: restrict match length for version '1' identifiers
  nvme-tcp: check for invalidated or revoked key
  nvme-fabrics: authentication errors are not retryable
  nvme: add nvme_noretry_error()
  nvme-tcp: request secure channel concatenation
  nvmet-tcp: support secure channel concatenation

 crypto/Makefile                        |   1 +
 crypto/hkdf.c                          | 111 +++++++++++
 drivers/nvme/common/auth.c             | 252 +++++++++++++++++++++++++
 drivers/nvme/common/keyring.c          |  71 +++++++
 drivers/nvme/host/auth.c               | 108 ++++++++++-
 drivers/nvme/host/core.c               |   2 +-
 drivers/nvme/host/fabrics.c            |  46 ++++-
 drivers/nvme/host/fabrics.h            |   3 +
 drivers/nvme/host/fc.c                 |   4 +-
 drivers/nvme/host/nvme.h               |  10 +
 drivers/nvme/host/tcp.c                |  46 +++--
 drivers/nvme/target/auth.c             |  62 +++++-
 drivers/nvme/target/fabrics-cmd-auth.c |  43 ++++-
 drivers/nvme/target/fabrics-cmd.c      |  27 ++-
 drivers/nvme/target/nvmet.h            |  16 +-
 drivers/nvme/target/tcp.c              |  26 +++
 fs/crypto/hkdf.c                       |  68 +------
 include/crypto/hkdf.h                  |  18 ++
 include/linux/nvme-auth.h              |   5 +
 include/linux/nvme-keyring.h           |   7 +
 include/linux/nvme.h                   |   7 +
 21 files changed, 824 insertions(+), 109 deletions(-)
 create mode 100644 crypto/hkdf.c
 create mode 100644 include/crypto/hkdf.h

-- 
2.35.3

next             reply	other threads:[~2024-01-23 14:19 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-23 14:18 hare [this message]
2024-01-23 14:18 ` [PATCH 01/11] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-23 14:19 ` [PATCH 02/11] nvme: add nvme_auth_generate_psk() hare
2024-01-23 14:19 ` [PATCH 03/11] nvme: add nvme_auth_generate_digest() hare
2024-01-23 14:19 ` [PATCH 04/11] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-23 14:19 ` [PATCH 05/11] nvme-keyring: add nvme_tls_psk_refresh() hare
2024-01-23 14:19 ` [PATCH 06/11] nvme-keyring: restrict match length for version '1' identifiers hare
2024-01-23 14:19 ` [PATCH 07/11] nvme-tcp: check for invalidated or revoked key hare
2024-01-23 14:19 ` [PATCH 08/11] nvme-fabrics: authentication errors are not retryable hare
2024-01-23 14:19 ` [PATCH 09/11] nvme: add nvme_noretry_error() hare
2024-01-23 14:19 ` [PATCH 10/11] nvme-tcp: request secure channel concatenation hare
2024-01-23 14:19 ` [PATCH 11/11] nvmet-tcp: support " hare

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240123141909.79061-1-hare@kernel.org \
    --to=hare@kernel.org \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=kbusch@kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.