From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@kernel.org>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org
Subject: Re: [PATCH 07/10] nvme-tcp: request secure channel concatenation
Date: Tue, 28 Jan 2025 16:33:27 +0100 [thread overview]
Message-ID: <889ea62d-1ec1-4de5-a250-954b41015c6f@suse.de> (raw)
In-Reply-To: <20250128091131.GF25760@lst.de>
On 1/28/25 10:11, Christoph Hellwig wrote:
> On Wed, Jan 22, 2025 at 05:58:26PM +0100, Hannes Reinecke wrote:
>> Add a fabrics option 'concat' to request secure channel concatenation.
>> When secure channel concatenation is enabled a 'generated PSK' is inserted
>> into the keyring such that it's available after reset.
>
> That's a very sparse commit message. What is the point of doing this?
> What is the spec reference for the implementation? What is the user
> interface? Why does this now always select NVME_KEYRING?
>
Okay, I'll add a spec reference and improve the description.
And NVME_KEYRING is selected due to a kbuild failure for
some odd combination of build-in vs modular in host and target.
>> + if (!ctrl->opts->concat || chap->qid != 0)
>> + data->sc_c = NVME_AUTH_SECP_NOSC;
>> + else if (ctrl->opts->tls_key)
>> + data->sc_c = NVME_AUTH_SECP_REPLACETLSPSK;
>> + else
>> + data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
>
> Took me a while to unwind this. Why not make this a little easier as:
>
> if (ctrl->opts->concat && chap->qid == 0) {
> if (ctrl->opts->tls_key)
> data->sc_c = NVME_AUTH_SECP_REPLACETLSPSK;
> else
> data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
> } else {
> data->sc_c = NVME_AUTH_SECP_NOSC;
> }
>
> ?
>
Okay.
[ .. ]
>> --- a/include/linux/nvme.h
>> +++ b/include/linux/nvme.h
>> @@ -1746,6 +1746,13 @@ enum {
>> NVME_AUTH_DHGROUP_INVALID = 0xff,
>> };
>>
>> +enum {
>> + NVME_AUTH_SECP_NOSC = 0x00,
>> + NVME_AUTH_SECP_SC = 0x01,
>> + NVME_AUTH_SECP_NEWTLSPSK = 0x02,
>> + NVME_AUTH_SECP_REPLACETLSPSK = 0x03,
>> +};
>
> Comments please to explain what fields this applies to. Also we
> usuall try to split protocol definition additions into separate
> patches.
>
Sure, I can split it into a separate patch.
And promise to fixup of formatting :-)
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
next prev parent reply other threads:[~2025-01-28 15:33 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-22 16:58 [PATCHv14 00/10] nvme: implement secure concatenation Hannes Reinecke
2025-01-22 16:58 ` [PATCH 01/10] crypto,fs: Separate out hkdf_extract() and hkdf_expand() Hannes Reinecke
2025-01-22 16:58 ` [PATCH 02/10] nvme: add nvme_auth_generate_psk() Hannes Reinecke
2025-01-28 8:53 ` Christoph Hellwig
2025-01-28 15:26 ` Hannes Reinecke
2025-01-22 16:58 ` [PATCH 03/10] nvme: add nvme_auth_generate_digest() Hannes Reinecke
2025-01-28 8:56 ` Christoph Hellwig
2025-01-22 16:58 ` [PATCH 04/10] nvme: add nvme_auth_derive_tls_psk() Hannes Reinecke
2025-01-28 8:58 ` Christoph Hellwig
2025-02-03 13:37 ` Hannes Reinecke
2025-02-04 5:23 ` Christoph Hellwig
2025-01-22 16:58 ` [PATCH 05/10] nvme-keyring: add nvme_tls_psk_refresh() Hannes Reinecke
2025-01-28 9:00 ` Christoph Hellwig
2025-02-03 13:55 ` Hannes Reinecke
2025-01-22 16:58 ` [PATCH 06/10] nvme: always include <linux/key.h> Hannes Reinecke
2025-01-28 9:01 ` Christoph Hellwig
2025-02-03 13:55 ` Hannes Reinecke
2025-01-22 16:58 ` [PATCH 07/10] nvme-tcp: request secure channel concatenation Hannes Reinecke
2025-01-28 9:11 ` Christoph Hellwig
2025-01-28 15:33 ` Hannes Reinecke [this message]
2025-02-03 14:06 ` Hannes Reinecke
2025-01-22 16:58 ` [PATCH 08/10] nvme-fabrics: reset admin connection for secure concatenation Hannes Reinecke
2025-01-22 16:58 ` [PATCH 09/10] nvmet-tcp: support secure channel concatenation Hannes Reinecke
2025-01-28 9:15 ` Christoph Hellwig
2025-02-03 14:20 ` Hannes Reinecke
2025-01-22 16:58 ` [PATCH 10/10] nvmet: add tls_concat and tls_key debugfs entries Hannes Reinecke
2025-01-23 22:13 ` [PATCHv14 00/10] nvme: implement secure concatenation Sagi Grimberg
-- strict thread matches above, loose matches on Subject: below --
2024-12-03 11:02 [PATCHv13 " Hannes Reinecke
2024-12-03 11:02 ` [PATCH 07/10] nvme-tcp: request secure channel concatenation Hannes Reinecke
2024-12-24 11:45 ` Sagi Grimberg
2024-12-02 14:29 [PATCHv12 00/10] nvme: implement secure concatenation Hannes Reinecke
2024-12-02 14:29 ` [PATCH 07/10] nvme-tcp: request secure channel concatenation Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=889ea62d-1ec1-4de5-a250-954b41015c6f@suse.de \
--to=hare@suse.de \
--cc=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox