From: Max Gurtovoy <mgurtovoy@nvidia.com>
To: Hannes Reinecke <hare@suse.de>, Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH 09/11] nvmet: Implement basic In-Band Authentication
Date: Sun, 22 May 2022 14:44:23 +0300 [thread overview]
Message-ID: <e13a0c12-362d-e4b6-c558-03367815264b@nvidia.com> (raw)
In-Reply-To: <20220518112234.24264-10-hare@suse.de>
Hi Hannes,
On 5/18/2022 2:22 PM, Hannes Reinecke wrote:
> Implement NVMe-oF In-Band authentication according to NVMe TPAR 8006.
> This patch adds three additional configfs entries 'dhchap_key',
> 'dhchap_ctrl_key', and 'dhchap_hash' to the 'host' configfs directory.
> The 'dhchap_key' and 'dhchap_ctrl_key' entries need to be in the ASCII
> format as specified in NVMe Base Specification v2.0 section 8.13.5.8
> 'Secret representation'.
> 'dhchap_hash' defaults to 'hmac(sha256)', and can be written to to
> switch to a different HMAC algorithm.
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
> drivers/nvme/target/Kconfig | 12 +
> drivers/nvme/target/Makefile | 1 +
> drivers/nvme/target/admin-cmd.c | 2 +
> drivers/nvme/target/auth.c | 367 ++++++++++++++++++
> drivers/nvme/target/configfs.c | 107 +++++-
> drivers/nvme/target/core.c | 11 +
> drivers/nvme/target/fabrics-cmd-auth.c | 491 +++++++++++++++++++++++++
> drivers/nvme/target/fabrics-cmd.c | 38 +-
> drivers/nvme/target/nvmet.h | 62 ++++
> 9 files changed, 1088 insertions(+), 3 deletions(-)
> create mode 100644 drivers/nvme/target/auth.c
> create mode 100644 drivers/nvme/target/fabrics-cmd-auth.c
>
> diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig
> index 973561c93888..e569319be679 100644
> --- a/drivers/nvme/target/Kconfig
> +++ b/drivers/nvme/target/Kconfig
> @@ -83,3 +83,15 @@ config NVME_TARGET_TCP
> devices over TCP.
>
> If unsure, say N.
> +
> +config NVME_TARGET_AUTH
> + bool "NVMe over Fabrics In-band Authentication support"
> + depends on NVME_TARGET
> + depends on NVME_AUTH
> + select CRYPTO_HMAC
> + select CRYPTO_SHA256
> + select CRYPTO_SHA512
> + help
> + This enables support for NVMe over Fabrics In-band Authentication
> +
> + If unsure, say N.
> diff --git a/drivers/nvme/target/Makefile b/drivers/nvme/target/Makefile
> index 9837e580fa7e..c66820102493 100644
> --- a/drivers/nvme/target/Makefile
> +++ b/drivers/nvme/target/Makefile
> @@ -13,6 +13,7 @@ nvmet-y += core.o configfs.o admin-cmd.o fabrics-cmd.o \
> discovery.o io-cmd-file.o io-cmd-bdev.o
> nvmet-$(CONFIG_NVME_TARGET_PASSTHRU) += passthru.o
> nvmet-$(CONFIG_BLK_DEV_ZONED) += zns.o
> +nvmet-$(CONFIG_NVME_TARGET_AUTH) += fabrics-cmd-auth.o auth.o
> nvme-loop-y += loop.o
> nvmet-rdma-y += rdma.o
> nvmet-fc-y += fc.o
> diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c
> index 31df40ac828f..fc8a957fad0a 100644
> --- a/drivers/nvme/target/admin-cmd.c
> +++ b/drivers/nvme/target/admin-cmd.c
> @@ -1018,6 +1018,8 @@ u16 nvmet_parse_admin_cmd(struct nvmet_req *req)
>
> if (nvme_is_fabrics(cmd))
> return nvmet_parse_fabrics_admin_cmd(req);
> + if (unlikely(!nvmet_check_auth_status(req)))
> + return NVME_SC_AUTH_REQUIRED | NVME_SC_DNR;
> if (nvmet_is_disc_subsys(nvmet_req_subsys(req)))
> return nvmet_parse_discovery_cmd(req);
>
> diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
> new file mode 100644
> index 000000000000..003c0faad7ff
> --- /dev/null
> +++ b/drivers/nvme/target/auth.c
> @@ -0,0 +1,367 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * NVMe over Fabrics DH-HMAC-CHAP authentication.
> + * Copyright (c) 2020 Hannes Reinecke, SUSE Software Solutions.
> + * All rights reserved.
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +#include <linux/module.h>
> +#include <linux/init.h>
> +#include <linux/slab.h>
> +#include <linux/err.h>
> +#include <crypto/hash.h>
> +#include <linux/crc32.h>
> +#include <linux/base64.h>
> +#include <linux/ctype.h>
> +#include <linux/random.h>
> +#include <asm/unaligned.h>
> +
> +#include "nvmet.h"
> +#include "../host/auth.h"
maybe we can put the common stuff to include/linux/nvme-auth.h instead
of doing ../host/auth.h ?
next prev parent reply other threads:[~2022-05-22 11:44 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-18 11:22 [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 01/11] crypto: add crypto_has_shash() Hannes Reinecke
2022-05-27 10:05 ` Herbert Xu
2022-05-18 11:22 ` [PATCH 02/11] crypto: add crypto_has_kpp() Hannes Reinecke
2022-05-27 10:06 ` Herbert Xu
2022-05-18 11:22 ` [PATCH 03/11] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2022-05-18 11:22 ` [PATCH 04/11] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 05/11] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2022-05-18 11:22 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 07/11] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 08/11] nvmet: parse fabrics commands on io queues Hannes Reinecke
2022-05-18 11:22 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-05-22 11:44 ` Max Gurtovoy [this message]
2022-05-23 6:03 ` Hannes Reinecke
2022-05-25 10:42 ` Sagi Grimberg
2022-06-07 10:46 ` Christoph Hellwig
2022-05-18 11:22 ` [PATCH 10/11] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-05-25 9:54 ` [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-25 10:37 ` Sagi Grimberg
2022-05-26 9:00 ` Christoph Hellwig
2022-05-27 5:50 ` Hannes Reinecke
2022-05-27 6:31 ` Hannes Reinecke
2022-05-27 10:06 ` Herbert Xu
2022-05-27 10:21 ` Hannes Reinecke
2022-06-07 10:45 ` Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2022-06-27 9:51 [PATCHv18 " Hannes Reinecke
2022-06-27 9:52 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-23 6:17 [PATCHv17 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-23 6:17 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-21 17:24 [PATCHv16 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 17:24 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-21 9:02 [PATCHv15 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 9:02 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-08 14:45 [PATCHv14 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-08 14:45 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-03-28 13:39 [PATCHv11 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 13:39 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-03-28 8:08 [PATCHv10 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 8:08 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-03-23 7:12 [PATCHv9 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-23 7:13 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2021-07-16 11:04 [RFC PATCH 00/11] nvme: In-band authentication support Hannes Reinecke
2021-07-16 11:04 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2021-07-17 16:49 ` Stephan Müller
2021-07-18 12:37 ` Hannes Reinecke
2021-07-18 12:56 ` Stephan Müller
2021-07-19 8:15 ` Hannes Reinecke
2021-07-19 8:51 ` Stephan Mueller
2021-07-19 9:57 ` Hannes Reinecke
2021-07-19 10:19 ` Stephan Mueller
2021-07-19 11:10 ` Hannes Reinecke
2021-07-19 11:52 ` Stephan Mueller
2021-07-19 12:08 ` Hannes Reinecke
2021-07-20 10:14 ` Hannes Reinecke
2021-07-20 10:49 ` Simo Sorce
2021-07-20 11:31 ` Hannes Reinecke
2021-07-20 14:44 ` Simo Sorce
2021-07-20 14:47 ` Stephan Mueller
2021-07-23 20:02 ` Vladislav Bolkhovitin
2021-07-18 13:26 ` Herbert Xu
2021-07-19 20:38 ` Sagi Grimberg
2021-07-20 6:08 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e13a0c12-362d-e4b6-c558-03367815264b@nvidia.com \
--to=mgurtovoy@nvidia.com \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).