public inbox for linux-nvme@lists.infradead.org
From: Hannes Reinecke <hare@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <keith.busch@wdc.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCHv2 00/13] nvme: In-band authentication support
Date: Wed, 18 Aug 2021 07:44:30 +0200
Message-ID: <dbf2ca1f-32f6-2aff-da08-d3fd2f977fa5@suse.de>
In-Reply-To: <5a69187b-cfb1-d09a-87e2-8435e27612a7@grimberg.me>

On 8/17/21 11:21 PM, Sagi Grimberg wrote:
> 
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit
>> especially for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure
>> concatenation (ie starting TLS with the negotiated parameters) is not
>> implemented; one would need to update the kernel TLS implementation
>> for this, which at this time is beyond scope.
>>
>> As usual, comments and reviews are welcome.
> 
> Hey Hannes,
> 
> First, can you also send the nvme-cli/nvmetcli bits as well?
> 
Yes, will be done with the next round.
It first required a larger update to libnvme/nvme-cli to get everything 
in order :-)

> Second, one thing that is not clear to me here is how this
> works with the discovery log page.
> 
> If the user issues a discovery log page to establish connections
> to the controller entries, where does it pick the appropriate
> secret?
> 
> In other words, when the user runs connect-all, how does it handle
> the secrets based on the content of the discovery log-page?

With the latest nvme-cli update I've implemented a JSON configuration, 
which allows storing configuration on a per-controller basis.
This will be updated to hold the dhchap secrets, and we should be able 
to specify individual secrets for each controller.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer


Thread overview: 20+ messages
2021-08-10 12:42 [PATCHv2 00/13] nvme: In-band authentication support Hannes Reinecke
2021-08-10 12:42 ` [PATCH 01/13] crypto: add crypto_has_shash() Hannes Reinecke
2021-08-10 12:42 ` [PATCH 02/13] crypto: add crypto_has_kpp() Hannes Reinecke
2021-08-10 12:42 ` [PATCH 03/13] crypto/ffdhe: Finite Field DH Ephemeral Parameters Hannes Reinecke
2021-08-10 12:42 ` [PATCH 04/13] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2021-08-10 19:13   ` Eric Biggers
2021-08-11  5:57     ` Hannes Reinecke
2021-08-10 12:42 ` [PATCH 05/13] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2021-08-10 12:42 ` [PATCH 06/13] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2021-08-10 12:42 ` [PATCH 07/13] nvme: Implement In-Band authentication Hannes Reinecke
2021-08-10 12:42 ` [PATCH 08/13] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2021-08-10 12:42 ` [PATCH 09/13] nvmet: Parse fabrics commands on all queues Hannes Reinecke
2021-08-10 12:42 ` [PATCH 10/13] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2021-08-10 12:42 ` [PATCH 11/13] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2021-08-10 12:42 ` [PATCH 12/13] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-08-10 12:42 ` [PATCH 13/13] nvme: add non-standard ECDH and curve25517 algorithms Hannes Reinecke
2021-08-12 12:25   ` Christoph Hellwig
2021-08-12 12:51     ` Hannes Reinecke
2021-08-17 21:21 ` [PATCHv2 00/13] nvme: In-band authentication support Sagi Grimberg
2021-08-18  5:44   ` Hannes Reinecke [this message]
