On Fri, 2021-07-16 at 13:04 +0200, Hannes Reinecke wrote:
> Hi all,
>
> recent updates to the NVMe spec have added definitions for in-band
> authentication, and seeing that it provides some real benefit especially
> for NVMe-TCP here's an attempt to implement it.
>
> Tricky bit here is that the specification orients itself on TLS 1.3,
> but supports only the FFDHE groups. Which of course the kernel doesn't
> support. I've been able to come up with a patch for this, but as this
> is my first attempt to fix anything in the crypto area I would invite
> people more familiar with these matters to have a look.
>
> Also note that this is just for in-band authentication. Secure concatenation
> (ie starting TLS with the negotiated parameters) is not implemented; one would
> need to update the kernel TLS implementation for this, which at this time is
> beyond scope.
>
> As usual, comments and reviews are welcome.

Hi Hannes,
could you please reference the specific standards that describe the
NVMe authentication protocols?

Thanks,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc