[RFC PATCH 00/11] nvme: implement secure concatenation

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [RFC PATCH 00/11] nvme: implement secure concatenation
Date: Tue, 23 Jan 2024 15:18:58 +0100	[thread overview]
Message-ID: <20240123141909.79061-1-hare@kernel.org> (raw)

From: Hannes Reinecke <hare@suse.de>

Hi all,

here's my attempt to implement secure concatenation for NVMe-of TCP
as outlined in TP8018.
Secure concatenation means that a TLS PSK is generated from the key
material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
is then used for a subsequent TLS connection.
The difference between the original definition of secure concatenation
and the method outlined in TP8018 is that with TP8018 the connection
is reset after DH-HMAC-CHAP negotiation, and a new connection is setup
with the generated TLS PSK.

To implement that I have decided on resetting the connection from the
nvme-tcp driver after the initial connection has been set up.
Another way would have been to offload the connection reset to userspace,
and let nvme-cli reset the connection. But that would be a modification
to the userspace interface, and hence I didn't go that way.

As usual, comments and reviews are welcome.

Hannes Reinecke (11):
  crypto,fs: Separate out hkdf_extract() and hkdf_expand()
  nvme: add nvme_auth_generate_psk()
  nvme: add nvme_auth_generate_digest()
  nvme: add nvme_auth_derive_tls_psk()
  nvme-keyring: add nvme_tls_psk_refresh()
  nvme-keyring: restrict match length for version '1' identifiers
  nvme-tcp: check for invalidated or revoked key
  nvme-fabrics: authentication errors are not retryable
  nvme: add nvme_noretry_error()
  nvme-tcp: request secure channel concatenation
  nvmet-tcp: support secure channel concatenation

 crypto/Makefile                        |   1 +
 crypto/hkdf.c                          | 111 +++++++++++
 drivers/nvme/common/auth.c             | 252 +++++++++++++++++++++++++
 drivers/nvme/common/keyring.c          |  71 +++++++
 drivers/nvme/host/auth.c               | 108 ++++++++++-
 drivers/nvme/host/core.c               |   2 +-
 drivers/nvme/host/fabrics.c            |  46 ++++-
 drivers/nvme/host/fabrics.h            |   3 +
 drivers/nvme/host/fc.c                 |   4 +-
 drivers/nvme/host/nvme.h               |  10 +
 drivers/nvme/host/tcp.c                |  46 +++--
 drivers/nvme/target/auth.c             |  62 +++++-
 drivers/nvme/target/fabrics-cmd-auth.c |  43 ++++-
 drivers/nvme/target/fabrics-cmd.c      |  27 ++-
 drivers/nvme/target/nvmet.h            |  16 +-
 drivers/nvme/target/tcp.c              |  26 +++
 fs/crypto/hkdf.c                       |  68 +------
 include/crypto/hkdf.h                  |  18 ++
 include/linux/nvme-auth.h              |   5 +
 include/linux/nvme-keyring.h           |   7 +
 include/linux/nvme.h                   |   7 +
 21 files changed, 824 insertions(+), 109 deletions(-)
 create mode 100644 crypto/hkdf.c
 create mode 100644 include/crypto/hkdf.h

-- 
2.35.3

next             reply	other threads:[~2024-01-23 14:19 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-23 14:18 hare [this message]
2024-01-23 14:18 ` [PATCH 01/11] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-23 14:19 ` [PATCH 02/11] nvme: add nvme_auth_generate_psk() hare
2024-01-23 14:19 ` [PATCH 03/11] nvme: add nvme_auth_generate_digest() hare
2024-01-23 14:19 ` [PATCH 04/11] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-23 14:19 ` [PATCH 05/11] nvme-keyring: add nvme_tls_psk_refresh() hare
2024-01-23 14:19 ` [PATCH 06/11] nvme-keyring: restrict match length for version '1' identifiers hare
2024-01-23 14:19 ` [PATCH 07/11] nvme-tcp: check for invalidated or revoked key hare
2024-01-23 14:19 ` [PATCH 08/11] nvme-fabrics: authentication errors are not retryable hare
2024-01-23 14:19 ` [PATCH 09/11] nvme: add nvme_noretry_error() hare
2024-01-23 14:19 ` [PATCH 10/11] nvme-tcp: request secure channel concatenation hare
2024-01-23 14:19 ` [PATCH 11/11] nvmet-tcp: support " hare

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240123141909.79061-1-hare@kernel.org \
    --to=hare@kernel.org \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=kbusch@kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox