[PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[alistair23]

From: Alistair Francis <alistair.francis@wdc.com>

In preperation for using DHCHAP length in upcoming host and target
patches let's add the hash and diffie-hellman ID length macros.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
v4:
 - New patch

 include/linux/nvme.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/linux/nvme.h b/include/linux/nvme.h
index 655d194f8e72..b9d3dbe2564d 100644
--- a/include/linux/nvme.h
+++ b/include/linux/nvme.h
@@ -2332,4 +2332,8 @@ enum nvme_pr_change_ptpl {
 
 #define NVME_PR_IGNORE_KEY (1 << 3)
 
+/* Section 8.3.4.5.2 of the NVMe 2.1 */
+#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30
+#define NVME_AUTH_DHCHAP_MAX_DH_IDS 30
+
 #endif /* _LINUX_NVME_H */
-- 
2.53.0

[PATCH v4 2/2] nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C

[alistair23]

From: Alistair Francis <alistair.francis@wdc.com>

Section 8.3.4.5.2 of the NVMe 2.1 base spec states that

"""
The 00h identifier shall not be proposed in an AUTH_Negotiate message
that requests secure channel concatenation (i.e., with the SC_C field
set to a non-zero value).
"""

We need to ensure that we don't set the NVME_AUTH_DHGROUP_NULL idlist if
SC_C is set.

Signed-off-by: Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
---
v4:
 - Split out header changes
v3:
 - Ensure chap->sc_c is set before the if statement
v2:
 - Use a macro for Diffie-Hellman Group Identifier List Offset
 - Use a pointer for data->auth_protocol[0].dhchap.idlist

 drivers/nvme/host/auth.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 405e7c03b1cf..5b936ebb4347 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -125,6 +125,8 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
 {
 	struct nvmf_auth_dhchap_negotiate_data *data = chap->buf;
 	size_t size = sizeof(*data) + sizeof(union nvmf_auth_protocol);
+	u8 dh_list_offset = NVME_AUTH_DHCHAP_MAX_DH_IDS;
+	u8 *idlist = data->auth_protocol[0].dhchap.idlist;
 
 	if (size > CHAP_BUF_SIZE) {
 		chap->status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
@@ -141,21 +143,22 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
 			data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
 	} else
 		data->sc_c = NVME_AUTH_SECP_NOSC;
+	chap->sc_c = data->sc_c;
 	data->napd = 1;
 	data->auth_protocol[0].dhchap.authid = NVME_AUTH_DHCHAP_AUTH_ID;
 	data->auth_protocol[0].dhchap.halen = 3;
-	data->auth_protocol[0].dhchap.dhlen = 6;
-	data->auth_protocol[0].dhchap.idlist[0] = NVME_AUTH_HASH_SHA256;
-	data->auth_protocol[0].dhchap.idlist[1] = NVME_AUTH_HASH_SHA384;
-	data->auth_protocol[0].dhchap.idlist[2] = NVME_AUTH_HASH_SHA512;
-	data->auth_protocol[0].dhchap.idlist[30] = NVME_AUTH_DHGROUP_NULL;
-	data->auth_protocol[0].dhchap.idlist[31] = NVME_AUTH_DHGROUP_2048;
-	data->auth_protocol[0].dhchap.idlist[32] = NVME_AUTH_DHGROUP_3072;
-	data->auth_protocol[0].dhchap.idlist[33] = NVME_AUTH_DHGROUP_4096;
-	data->auth_protocol[0].dhchap.idlist[34] = NVME_AUTH_DHGROUP_6144;
-	data->auth_protocol[0].dhchap.idlist[35] = NVME_AUTH_DHGROUP_8192;
-
-	chap->sc_c = data->sc_c;
+	idlist[0] = NVME_AUTH_HASH_SHA256;
+	idlist[1] = NVME_AUTH_HASH_SHA384;
+	idlist[2] = NVME_AUTH_HASH_SHA512;
+	if (chap->sc_c == NVME_AUTH_SECP_NOSC)
+		idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_NULL;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_2048;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_3072;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_4096;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_6144;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_8192;
+	data->auth_protocol[0].dhchap.dhlen =
+		dh_list_offset - NVME_AUTH_DHCHAP_MAX_DH_IDS;
 
 	return size;
 }
-- 
2.53.0

Re: [PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH v4 2/2] nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[yunje shin]

On Fri, Mar 20, 2026 at 9:21 AM <alistair23@gmail.com> wrote:
>
> From: Alistair Francis <alistair.francis@wdc.com>
>
> In preperation for using DHCHAP length in upcoming host and target
> patches let's add the hash and diffie-hellman ID length macros.
>
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
> v4:
>  - New patch
>
>  include/linux/nvme.h | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/include/linux/nvme.h b/include/linux/nvme.h
> index 655d194f8e72..b9d3dbe2564d 100644
> --- a/include/linux/nvme.h
> +++ b/include/linux/nvme.h
> @@ -2332,4 +2332,8 @@ enum nvme_pr_change_ptpl {
>
>  #define NVME_PR_IGNORE_KEY (1 << 3)
>
> +/* Section 8.3.4.5.2 of the NVMe 2.1 */
> +#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30
> +#define NVME_AUTH_DHCHAP_MAX_DH_IDS 30
> +
>  #endif /* _LINUX_NVME_H */
> --
> 2.53.0
>

Looks good to me.

Reviewed-by: Yunje Shin <ioerts@kookmin.ac.kr>

Re: [PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[Hannes Reinecke]

On 3/20/26 01:20, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> In preperation for using DHCHAP length in upcoming host and target
> patches let's add the hash and diffie-hellman ID length macros.
> 
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
> v4:
>   - New patch
> 
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

Re: [PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[Chris Leech]

On Fri, Mar 20, 2026 at 10:20:44AM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> In preperation for using DHCHAP length in upcoming host and target
> patches let's add the hash and diffie-hellman ID length macros.
> 
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

Looks good to me.

Reviewed-by: Chris Leech <cleech@redhat.com>

Re: [PATCH v4 2/2] nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C

[Chris Leech]

On Fri, Mar 20, 2026 at 10:20:45AM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> Section 8.3.4.5.2 of the NVMe 2.1 base spec states that
> 
> """
> The 00h identifier shall not be proposed in an AUTH_Negotiate message
> that requests secure channel concatenation (i.e., with the SC_C field
> set to a non-zero value).
> """
> 
> We need to ensure that we don't set the NVME_AUTH_DHGROUP_NULL idlist if
> SC_C is set.
> 
> Signed-off-by: Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> Reviewed-by: Hannes Reinecke <hare@suse.de>

Looks good.

Reviewed-by: Chris Leech <cleech@redhat.com>

Re: [PATCH v4 1/2] nvme: Add the DHCHAP maximum HD IDs

[Keith Busch]

On Fri, Mar 20, 2026 at 10:20:44AM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> In preperation for using DHCHAP length in upcoming host and target
> patches let's add the hash and diffie-hellman ID length macros.

Thanks, applied to nvme-7.1.