Linux-NVME Archive on lore.kernel.org
From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 00/12] nvme-auth: switch to use the kernel keyring
Date: Fri, 25 Apr 2025 11:49:15 +0200	[thread overview]
Message-ID: <20250425094927.102656-1-hare@kernel.org> (raw)

Hey all,

the current NVMe authentication code is using a hand-crafted key structure;
the idea was to have the initial implementation with a minimal set of dependencies.
(And me not having a good grasp on how to use the kernel keyring :-)
That had the drawback that keys always had to be specified on the nvme-cli
command line, which is far from ideal from a security standpoint.

So this patchset switches the authentication code over to use the kernel keyring.
The user-facing interface (namely the argument to 'nvme connect') remains the same, but
the key data is converted into keys which are stored as a new key type 'dhchap'
with a random UUID as description in the kernel keyring.

With this I have updated the dhchap arguments to 'nvme connect' and the configfs
interface to either be the key data (i.e. the original interface) _or_ a key serial
referring to a pre-populated dhchap key in the kernel keyring.
This allows for easier provisioning of keys and avoids the security risk from
having to specify the key data on the kernel command line.

The entire patchset can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/hare/nvme.git
branch dhchap-keyring.v1

As usual, comments and reviews are welcome.

Hannes Reinecke (12):
  nvme-auth: modify nvme_auth_transform_key() to return status
  nvme-auth: use SHASH_DESC_ON_STACK
  nvmet-auth: use SHASH_DESC_ON_STACK
  nvme-auth: do not cache the transformed secret
  nvme-keyring: add 'dhchap' key type
  nvme-auth: switch to use 'struct key'
  nvme-auth: drop nvme_dhchap_key structure and unused functions
  nvme: parse dhchap keys during option parsing
  nvmet-auth: parse dhchap key from configfs attribute
  nvme: allow to pass in key serial number as dhchap secret
  nvme-auth: wait for authentication to finish when changing keys
  nvme: Unify Kconfig settings

 drivers/nvme/common/Kconfig    |   1 +
 drivers/nvme/common/auth.c     | 245 +++++++++++++-----------------
 drivers/nvme/common/keyring.c  | 266 +++++++++++++++++++++++++++++++++
 drivers/nvme/host/Kconfig      |   4 +-
 drivers/nvme/host/auth.c       | 171 ++++++++++++++-------
 drivers/nvme/host/fabrics.c    |  94 +++++++++---
 drivers/nvme/host/fabrics.h    |  12 +-
 drivers/nvme/host/nvme.h       |   6 +-
 drivers/nvme/host/sysfs.c      | 204 ++++++++++++++++++-------
 drivers/nvme/target/Kconfig    |   3 +-
 drivers/nvme/target/auth.c     | 238 ++++++++++++++++++-----------
 drivers/nvme/target/configfs.c |  61 ++++++--
 drivers/nvme/target/nvmet.h    |  13 +-
 include/linux/nvme-auth.h      |  18 +--
 include/linux/nvme-keyring.h   |  22 ++-
 15 files changed, 948 insertions(+), 410 deletions(-)

-- 
2.35.3
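The cover letter describes two forms a dhchap secret may now take: inline key data (the original interface) or the serial of a key already provisioned in the kernel keyring. The following validator is an added example, not code from this series, from the kernel or from nvme-cli. It parses the NVMe DH-HMAC-CHAP textual secret (`DHHC-1:<hash id>:<base64 of key followed by its little-endian CRC32>:`), checks the CRC before accepting the key material, and otherwise treats the argument as a key serial. The serial syntax (a decimal or `0x`-prefixed integer, as keyctl(1) prints it) and all function and class names are assumptions of this example; the keyring itself is not touched.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional, Union

# Hash selected by the two-digit field after "DHHC-1:" in a DH-HMAC-CHAP
# secret; 00 means the decoded key is used as-is (no transformation).
HASH_BY_ID = {0: None, 1: "sha256", 2: "sha384", 3: "sha512"}
KEY_LEN_BY_HASH = {"sha256": 32, "sha384": 48, "sha512": 64}
SECRET_RE = re.compile(r"^DHHC-1:([0-9a-fA-F]{2}):([A-Za-z0-9+/=]+):$")


@dataclass(frozen=True)
class DhchapKeyData:
    """Key material supplied inline (the original nvme connect interface)."""
    hash_name: Optional[str]
    key: bytes

    def __repr__(self) -> str:
        # Never echo the raw secret into logs, tracebacks or shell history.
        return f"DhchapKeyData(hash={self.hash_name}, key=<{len(self.key)} bytes>)"


@dataclass(frozen=True)
class DhchapKeySerial:
    """Reference to a key already provisioned in the kernel keyring (assumed syntax)."""
    serial: int


def encode_dhchap_secret(key: bytes, hash_id: int) -> str:
    """Build the textual secret: base64(key || CRC32(key) as 4 little-endian bytes)."""
    if hash_id not in HASH_BY_ID:
        raise ValueError("unknown hash id")
    hash_name = HASH_BY_ID[hash_id]
    if hash_name is not None and len(key) != KEY_LEN_BY_HASH[hash_name]:
        raise ValueError("key length does not match selected hash")
    if hash_name is None and len(key) not in KEY_LEN_BY_HASH.values():
        raise ValueError("key must be 32, 48 or 64 bytes")
    crc = binascii.crc32(key) & 0xFFFFFFFF
    blob = key + crc.to_bytes(4, "little")
    return f"DHHC-1:{hash_id:02x}:{base64.b64encode(blob).decode('ascii')}:"


def parse_dhchap_secret(text: str) -> Union[DhchapKeyData, DhchapKeySerial]:
    """Accept either DHHC-1 key data or a keyring serial; reject anything else."""
    text = text.strip()
    if text.startswith("DHHC-1:"):
        m = SECRET_RE.match(text)
        if not m:
            raise ValueError("malformed DHHC-1 secret")
        hash_id = int(m.group(1), 16)
        if hash_id not in HASH_BY_ID:
            raise ValueError("unknown hash id")
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 in secret") from exc
        if len(blob) - 4 not in KEY_LEN_BY_HASH.values():
            raise ValueError("unexpected key length")
        key, stored_crc = blob[:-4], int.from_bytes(blob[-4:], "little")
        # The trailing CRC catches mistyped or truncated secrets before they
        # ever reach the keyring or the transport.
        if stored_crc != (binascii.crc32(key) & 0xFFFFFFFF):
            raise ValueError("CRC32 mismatch: secret corrupted or mistyped")
        hash_name = HASH_BY_ID[hash_id]
        if hash_name is not None and len(key) != KEY_LEN_BY_HASH[hash_name]:
            raise ValueError("key length does not match selected hash")
        return DhchapKeyData(hash_name, key)
    # Assumed serial syntax: decimal or 0x-prefixed integer, as keyctl(1) prints it.
    try:
        serial = int(text, 0)
    except ValueError:
        raise ValueError("neither DHHC-1 key data nor a key serial") from None
    if serial <= 0:
        raise ValueError("key serial must be positive")
    return DhchapKeySerial(serial)


def describe(text: str) -> str:
    """Operator-facing summary that never reveals key bytes."""
    try:
        parsed = parse_dhchap_secret(text)
    except ValueError as exc:
        return f"invalid: {exc}"
    if isinstance(parsed, DhchapKeySerial):
        return f"serial:{parsed.serial}"
    return f"keydata:{parsed.hash_name or 'none'}:{len(parsed.key)}"


if __name__ == "__main__":
    # Constructed sample key; a real one would come from a provisioning tool.
    sample = encode_dhchap_secret(bytes(range(32)), 1)
    print(describe(sample))       # keydata:sha256:32
    print(describe("0x1a2b"))     # serial:6699
    print(describe("not-a-key"))  # invalid: ...
```

The point of `describe` and the custom `__repr__` is the one the cover letter makes: once a secret can be referenced by serial, tooling around it should be able to log and check what it was handed without ever reproducing the key bytes on a command line or in a log.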



Thread overview: 26+ messages
2025-04-25  9:49 Hannes Reinecke [this message]
2025-04-25  9:49 ` [PATCH 01/12] nvme-auth: modify nvme_auth_transform_key() to return status Hannes Reinecke
2025-05-07  7:24   ` Christoph Hellwig
2025-05-07  7:29     ` Hannes Reinecke
2025-04-25  9:49 ` [PATCH 02/12] nvme-auth: use SHASH_DESC_ON_STACK Hannes Reinecke
2025-05-07  7:28   ` Christoph Hellwig
2025-05-07  7:29     ` Hannes Reinecke
2025-05-07  7:35       ` Christoph Hellwig
2025-04-25  9:49 ` [PATCH 03/12] nvmet-auth: " Hannes Reinecke
2025-04-25  9:49 ` [PATCH 04/12] nvme-auth: do not cache the transformed secret Hannes Reinecke
2025-05-07  7:25   ` Christoph Hellwig
2025-04-25  9:49 ` [PATCH 05/12] nvme-keyring: add 'dhchap' key type Hannes Reinecke
2025-04-25  9:49 ` [PATCH 06/12] nvme-auth: switch to use 'struct key' Hannes Reinecke
2025-04-25  9:49 ` [PATCH 07/12] nvme-auth: drop nvme_dhchap_key structure and unused functions Hannes Reinecke
2025-05-07  7:26   ` Christoph Hellwig
2025-05-07  7:30     ` Hannes Reinecke
2025-04-25  9:49 ` [PATCH 08/12] nvme: parse dhchap keys during option parsing Hannes Reinecke
2025-04-25  9:49 ` [PATCH 09/12] nvmet-auth: parse dhchap key from configfs attribute Hannes Reinecke
2025-04-25  9:49 ` [PATCH 10/12] nvme: allow to pass in key serial number as dhchap secret Hannes Reinecke
2025-04-25  9:49 ` [PATCH 11/12] nvme-auth: wait for authentication to finish when changing keys Hannes Reinecke
2025-04-25  9:49 ` [PATCH 12/12] nvme: Unify Kconfig settings Hannes Reinecke
2025-05-07  7:23   ` Christoph Hellwig
2025-05-07  7:30     ` Hannes Reinecke
2025-05-07  7:19 ` [PATCH 00/12] nvme-auth: switch to use the kernel keyring Christoph Hellwig
2025-05-07  7:42   ` Hannes Reinecke
2025-05-07  7:53 ` Sagi Grimberg
