From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org,
Hannes Reinecke <hare@suse.de>
Subject: [PATCHv12 00/11] nvme: In-band authentication support
Date: Wed, 18 May 2022 13:22:23 +0200 [thread overview]
Message-ID: <20220518112234.24264-1-hare@suse.de> (raw)
Hi all,
recent updates to the NVMe spec have added definitions for in-band
authentication, and seeing that it provides some real benefit
especially for NVMe-TCP here's an attempt to implement it.
Thanks to Nicolai Stange the crypto DH framework has been upgraded
to provide us with a FFDHE implementation; I've updated the patchset
to use the ephemeral key generation provided there.
Note that this is just for in-band authentication. Secure
concatenation (ie starting TLS with the negotiated parameters)
requires a TLS handshake, which the in-kernel TLS implementation
does not provide. This is being worked on with a different patchset
which is still WIP.
The nvme-cli support has already been merged; please use the latest
nvme-cli git repository to build the most recent version.
A copy of this patchset can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/hare/scsi-devel
branch auth.v12
It is being cut against the latest master branch from Linus.
As usual, comments and reviews are welcome.
Changes to v11:
- Fixup type for FAILURE2 message (Prashant Nayak)
- Do not sent SUCCESS2 if bi-directional authentication is not requested
(Martin George)
Changes to v10:
- Fixup error return value when authentication failed
Changes to v9:
- Include review from Chaitanya
- Use sparse array for dhgroup and hash lookup
- Common function for auth_send and auth_receive
Changes to v8:
- Rebased to Nicolais crypto DH rework
- Fixed oops on non-fabrics devices
Changes to v7:
- Space out hash list and dhgroup list in nvme negotiate data
to be conformant with the spec
- Update sequence number handling to start with a random value and
ignore '0' as mandated by the spec
- Update nvme_auth_generate_key to return the key as suggested by
Sagi
- Add nvmet_parse_fabrics_io_cmd() as suggested by hch
Changes to v6:
- Use 'u8' for DH group id and hash id
- Use 'struct nvme_dhchap_key'
- Rename variables to drop 'DHCHAP'
- Include reviews from Chaitanya
Changes to v5:
- Unify nvme_auth_generate_key()
- Unify nvme_auth_extract_key()
- Fixed bug where re-authentication with wrong controller key would
not fail
- Include reviews from Sagi
Changes to v4:
- Validate against blktest suite
- Fixup base64 decoding
- Transform secret with correct hmac algorithm
Changes to v3:
- Renamed parameter to 'dhchap_ctrl_key'
- Fixed bi-directional authentication
- Included reviews from Sagi
- Fixed base64 algorithm for transport encoding
Changes to v2:
- Dropped non-standard algorithms
- Reworked base64 based on fs/crypto/fname.c
- Fixup crash with no keys
Changes to the original submission:
- Included reviews from Vladislav
- Included reviews from Sagi
- Implemented re-authentication support
- Fixed up key handling
Hannes Reinecke (11):
crypto: add crypto_has_shash()
crypto: add crypto_has_kpp()
lib/base64: RFC4648-compliant base64 encoding
nvme: add definitions for NVMe In-Band authentication
nvme-fabrics: decode 'authentication required' connect error
nvme: Implement In-Band authentication
nvme-auth: Diffie-Hellman key exchange support
nvmet: parse fabrics commands on io queues
nvmet: Implement basic In-Band Authentication
nvmet-auth: Diffie-Hellman key exchange support
nvmet-auth: expire authentication sessions
crypto/kpp.c | 6 +
crypto/shash.c | 6 +
drivers/nvme/host/Kconfig | 12 +
drivers/nvme/host/Makefile | 1 +
drivers/nvme/host/auth.c | 1464 ++++++++++++++++++++++++
drivers/nvme/host/auth.h | 40 +
drivers/nvme/host/core.c | 141 ++-
drivers/nvme/host/fabrics.c | 83 +-
drivers/nvme/host/fabrics.h | 7 +
drivers/nvme/host/nvme.h | 31 +
drivers/nvme/host/rdma.c | 1 +
drivers/nvme/host/tcp.c | 1 +
drivers/nvme/host/trace.c | 32 +
drivers/nvme/target/Kconfig | 13 +
drivers/nvme/target/Makefile | 1 +
drivers/nvme/target/admin-cmd.c | 4 +-
drivers/nvme/target/auth.c | 525 +++++++++
drivers/nvme/target/configfs.c | 138 ++-
drivers/nvme/target/core.c | 15 +
drivers/nvme/target/fabrics-cmd-auth.c | 536 +++++++++
drivers/nvme/target/fabrics-cmd.c | 55 +-
drivers/nvme/target/nvmet.h | 75 +-
include/crypto/hash.h | 2 +
include/crypto/kpp.h | 2 +
include/linux/base64.h | 16 +
include/linux/nvme.h | 204 +++-
lib/Makefile | 2 +-
lib/base64.c | 103 ++
28 files changed, 3501 insertions(+), 15 deletions(-)
create mode 100644 drivers/nvme/host/auth.c
create mode 100644 drivers/nvme/host/auth.h
create mode 100644 drivers/nvme/target/auth.c
create mode 100644 drivers/nvme/target/fabrics-cmd-auth.c
create mode 100644 include/linux/base64.h
create mode 100644 lib/base64.c
--
2.29.2
next reply other threads:[~2022-05-18 11:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-18 11:22 Hannes Reinecke [this message]
2022-05-18 11:22 ` [PATCH 01/11] crypto: add crypto_has_shash() Hannes Reinecke
2022-05-27 10:05 ` Herbert Xu
2022-05-18 11:22 ` [PATCH 02/11] crypto: add crypto_has_kpp() Hannes Reinecke
2022-05-27 10:06 ` Herbert Xu
2022-05-18 11:22 ` [PATCH 03/11] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2022-05-18 11:22 ` [PATCH 04/11] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 05/11] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2022-05-18 11:22 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 07/11] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 08/11] nvmet: parse fabrics commands on io queues Hannes Reinecke
2022-05-18 11:22 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-05-22 11:44 ` Max Gurtovoy
2022-05-23 6:03 ` Hannes Reinecke
2022-05-25 10:42 ` Sagi Grimberg
2022-06-07 10:46 ` Christoph Hellwig
2022-05-18 11:22 ` [PATCH 10/11] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-05-25 9:54 ` [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-25 10:37 ` Sagi Grimberg
2022-05-26 9:00 ` Christoph Hellwig
2022-05-27 5:50 ` Hannes Reinecke
2022-05-27 6:31 ` Hannes Reinecke
2022-05-27 10:06 ` Herbert Xu
2022-05-27 10:21 ` Hannes Reinecke
2022-06-07 10:45 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220518112234.24264-1-hare@suse.de \
--to=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).