From: Hannes Reinecke <hare@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>, Hannes Reinecke <hare@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org
Subject: Re: [PATCHv5 00/16] nvme: implement secure concatenation
Date: Thu, 18 Jul 2024 08:44:44 +0200 [thread overview]
Message-ID: <59cad15b-1088-412e-8f61-6a5d87f81ccd@suse.de> (raw)
In-Reply-To: <58cea755-d1c1-483d-b6b8-008d22daba7f@grimberg.me>
On 7/17/24 23:38, Sagi Grimberg wrote:
>
>
> On 17/07/2024 12:10, Hannes Reinecke wrote:
>> Hi all,
>>
>> here's my attempt to implement secure concatenation for NVMe-of TCP
>> as outlined in TP8018.
>> Secure concatenation means that a TLS PSK is generated from the key
>> material negotiated by the DH-HMAC-CHAP protocol, and the TLS PSK
>> is then used for a subsequent TLS connection.
>> The difference between the original definition of secure concatenation
>> and the method outlined in TP8018 is that with TP8018 the connection
>> is reset after DH-HMAC-CHAP negotiation, and a new connection is setup
>> with the generated TLS PSK.
>>
>> To implement that Sagi came up with the idea to directly reset the
>> admin queue once the DH-CHAP negotiation has completed; that way
>> it will be transparent to the upper layers and we don't have to
>> worry about exposing queues which should not be used.
>
> I'm glad it worked out. Happy to see that this set is getting in shape!
>
>>
>> As usual, comments and reviews are welcome.
>>
>> Patchset can be found at
>> git.kernel.org:/pub/scm/linux/kernel/git/hare/nvme.git
>> branch secure-concat.v5
>>
>> Changes to v4:
>> - Rework reset admin queue functionality based on an idea
>> from Sagi (thanks!)
>> - kbuild robot fixes
>> - Fixup dhchap negotiation with non-empty C2 value
>
> Can we split fixes from this patch set? (unless they are only
> relevant only to the code introduced here).
Yes, thought about it myself already.
Will be doing that for the next round.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
prev parent reply other threads:[~2024-07-18 6:44 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-17 9:10 [PATCHv5 00/16] nvme: implement secure concatenation Hannes Reinecke
2024-07-17 9:10 ` [PATCH 01/16] nvme-keyring: restrict match length for version '1' identifiers Hannes Reinecke
2024-07-17 21:47 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 02/16] nvme-tcp: sanitize TLS key handling Hannes Reinecke
2024-07-17 21:53 ` Sagi Grimberg
2024-07-18 7:10 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 03/16] nvme-tcp: check for invalidated or revoked key Hannes Reinecke
2024-07-17 21:55 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 04/16] nvme: add a newline to the 'tls_key' sysfs attribute Hannes Reinecke
2024-07-17 21:55 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 05/16] nvme-sysfs: add 'tls_configured_key' " Hannes Reinecke
2024-07-17 21:58 ` Sagi Grimberg
2024-07-18 7:13 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 06/16] nvme-sysfs: add 'tls_keyring' attribute Hannes Reinecke
2024-07-17 21:58 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 07/16] crypto,fs: Separate out hkdf_extract() and hkdf_expand() Hannes Reinecke
2024-07-17 21:39 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 08/16] nvme: add nvme_auth_generate_psk() Hannes Reinecke
2024-07-17 9:10 ` [PATCH 09/16] nvme: add nvme_auth_generate_digest() Hannes Reinecke
2024-07-17 9:10 ` [PATCH 10/16] nvme: add nvme_auth_derive_tls_psk() Hannes Reinecke
2024-07-17 22:01 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 11/16] nvme-keyring: add nvme_tls_psk_refresh() Hannes Reinecke
2024-07-17 22:04 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 12/16] nvme-tcp: request secure channel concatenation Hannes Reinecke
2024-07-17 22:31 ` Sagi Grimberg
2024-07-18 7:30 ` Hannes Reinecke
2024-07-17 9:10 ` [PATCH 13/16] nvme-fabrics: reset admin connection for secure concatenation Hannes Reinecke
2024-07-17 22:32 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 14/16] nvmet-auth: allow to clear DH-HMAC-CHAP keys Hannes Reinecke
2024-07-17 22:32 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 15/16] nvme-target: do not check authentication status for admin commands twice Hannes Reinecke
2024-07-17 22:33 ` Sagi Grimberg
2024-07-17 9:10 ` [PATCH 16/16] nvmet-tcp: support secure channel concatenation Hannes Reinecke
2024-07-17 22:36 ` Sagi Grimberg
2024-07-18 7:34 ` Hannes Reinecke
2024-07-17 21:38 ` [PATCHv5 00/16] nvme: implement secure concatenation Sagi Grimberg
2024-07-18 6:44 ` Hannes Reinecke [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59cad15b-1088-412e-8f61-6a5d87f81ccd@suse.de \
--to=hare@suse.de \
--cc=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox