From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCHv2 00/13] nvme: implement secure concatenation
Date: Sat, 27 Jan 2024 10:30:45 +0100 [thread overview]
Message-ID: <20240127093058.15699-1-hare@kernel.org> (raw)
From: Hannes Reinecke <hare@suse.de>
Hi all,
here's my attempt to implement secure concatenation for NVMe-of TCP
as outlined in TP8018.
Secure concatenation means that a TLS PSK is generated from the key
material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
is then used for a subsequent TLS connection.
The difference between the original definition of secure concatenation
and the method outlined in TP8018 is that with TP8018 the connection
is reset after DH-HMAC-CHAP negotiation, and a new connection is setup
with the generated TLS PSK.
To implement that I have decided on resetting the connection from the
nvme-tcp driver after the initial connection has been set up.
Another way would have been to offload the connection reset to userspace,
and let nvme-cli reset the connection. But that would be a modification
to the userspace interface, and hence I didn't go that way.
The drawback with this approach is that we'll create all I/O queues
before resetting for TLS, even though these queues should never be used.
But fixing that requires a larger rewrite of the TCP driver to unify the
setup and reconnect paths. So keep it that way for now.
As usual, comments and reviews are welcome.
Changes to the original submission:
- Sanitize TLS key handling
- Fixup modconfig compilation
Hannes Reinecke (13):
crypto,fs: Separate out hkdf_extract() and hkdf_expand()
nvme: add nvme_auth_generate_psk()
nvme: add nvme_auth_generate_digest()
nvme: add nvme_auth_derive_tls_psk()
nvme-keyring: add nvme_tls_psk_refresh()
nvme-keyring: restrict match length for version '1' identifiers
nvme-tcp: check for invalidated or revoked key
nvme-fabrics: authentication errors are not retryable
nvme-tcp: sanitize TLS key handling
nvme-tcp: request secure channel concatenation
nvme-tcp: combine reset and recovery
nvme-tcp: reset after recovery for secure concatenation
nvmet-tcp: support secure channel concatenation
crypto/Makefile | 1 +
crypto/hkdf.c | 111 +++++++++++
drivers/nvme/common/auth.c | 252 +++++++++++++++++++++++++
drivers/nvme/common/keyring.c | 71 +++++++
drivers/nvme/host/auth.c | 108 ++++++++++-
drivers/nvme/host/core.c | 1 -
drivers/nvme/host/fabrics.c | 46 ++++-
drivers/nvme/host/fabrics.h | 3 +
drivers/nvme/host/nvme.h | 1 -
drivers/nvme/host/sysfs.c | 9 +-
drivers/nvme/host/tcp.c | 106 ++++++++---
drivers/nvme/target/auth.c | 73 ++++++-
drivers/nvme/target/fabrics-cmd-auth.c | 46 ++++-
drivers/nvme/target/fabrics-cmd.c | 30 ++-
drivers/nvme/target/nvmet.h | 30 ++-
drivers/nvme/target/tcp.c | 27 +++
fs/crypto/hkdf.c | 68 +------
include/crypto/hkdf.h | 18 ++
include/linux/nvme-auth.h | 5 +
include/linux/nvme-keyring.h | 7 +
include/linux/nvme.h | 7 +
21 files changed, 898 insertions(+), 122 deletions(-)
create mode 100644 crypto/hkdf.c
create mode 100644 include/crypto/hkdf.h
--
2.35.3
next reply other threads:[~2024-01-27 9:31 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-27 9:30 hare [this message]
2024-01-27 9:30 ` [PATCH 01/13] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-27 9:30 ` [PATCH 02/13] nvme: add nvme_auth_generate_psk() hare
2024-03-07 10:42 ` Sagi Grimberg
2024-01-27 9:30 ` [PATCH 03/13] nvme: add nvme_auth_generate_digest() hare
2024-03-07 10:44 ` Sagi Grimberg
2024-01-27 9:30 ` [PATCH 04/13] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-27 9:30 ` [PATCH 05/13] nvme-keyring: add nvme_tls_psk_refresh() hare
2024-01-27 9:30 ` [PATCH 06/13] nvme-keyring: restrict match length for version '1' identifiers hare
2024-03-07 10:49 ` Sagi Grimberg
2024-03-07 11:35 ` Hannes Reinecke
2024-03-07 12:08 ` Sagi Grimberg
2024-03-07 12:13 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 07/13] nvme-tcp: check for invalidated or revoked key hare
2024-03-07 10:51 ` Sagi Grimberg
2024-03-07 11:36 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 08/13] nvme-fabrics: authentication errors are not retryable hare
2024-03-07 10:52 ` Sagi Grimberg
2024-03-07 11:37 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 09/13] nvme-tcp: sanitize TLS key handling hare
2024-03-07 11:03 ` Sagi Grimberg
2024-03-07 11:42 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 10/13] nvme-tcp: request secure channel concatenation hare
2024-01-27 9:30 ` [PATCH 11/13] nvme-tcp: combine reset and recovery hare
2024-03-07 11:08 ` Sagi Grimberg
2024-03-07 11:43 ` Hannes Reinecke
2024-01-27 9:30 ` [PATCH 12/13] nvme-tcp: reset after recovery for secure concatenation hare
2024-01-27 9:30 ` [PATCH 13/13] nvmet-tcp: support secure channel concatenation hare
2024-02-12 7:40 ` [PATCHv2 00/13] nvme: implement secure concatenation Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240127093058.15699-1-hare@kernel.org \
--to=hare@kernel.org \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.