Hi all,
Hey Hannes, nice progress. This is definitely a step in the right direction.
recent updates to the NVMe spec have added definitions for in-band authentication, and seeing that it provides some real benefit especially for NVMe-TCP here's an attempt to implement it.
Please call out the TP 8006 specifically so people can look into it.
Tricky bit here is that the specification orients itself on TLS 1.3, but supports only the FFDHE groups. Which of course the kernel doesn't support. I've been able to come up with a patch for this, but as this is my first attempt to fix anything in the crypto area I would invite people more familiar with these matters to have a look.
Glad to see this turned out to be very simple!
Also note that this is just for in-band authentication. Secure concatenation (ie starting TLS with the negotiated parameters) is not implemented; one would need to update the kernel TLS implementation for this, which at this time is beyond scope.
TLS is an additional effort, as discussed, inband auth alone has merits and we should not lock it down to NVMe/TCP-TLS.
As usual, comments and reviews are welcome.
Having another look into this now...
