On 7/19/21 11:23 AM, Sagi Grimberg wrote: > >> TLS 1.3 specifies ECDH and curve25517 in addition to the FFDHE >> groups, and these are already implemented in the kernel. > > So? > >> So add support for these non-standard groups for NVMe in-band >> authentication to validate the augmented challenge implementation. > > Why? why should users come to expect controllers to support it? Having ECDH and curve25517 algorithms (which are known-good implementations) allows one to validate the ffdhe implementation, ie to ensure that the remainder of the protocol works as designed, even if the ffdhe implementation might not. And one could argue that TLS1.3 specifies all of these algorithms, so NVMe with it's explicit reference to TLS should do so, too. But I don't insist on it; it's just nice for debugging, that's all. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@xxxxxxx +49 911 74053 688 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), GF: Felix Imendörffer
