On 7/19/21 12:02 PM, Simo Sorce wrote:
> On Fri, 2021-07-16 at 13:04 +0200, Hannes Reinecke wrote:
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit especially
>> for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure concatenation
>> (ie starting TLS with the negotiated parameters) is not implemented; one would
>> need to update the kernel TLS implementation for this, which at this time is
>> beyond scope.
>>
>> As usual, comments and reviews are welcome.
>
> Hi Hannes,
> could you please reference the specific standards that describe the
> NVMe authentication protocols?
>

https://nvmexpress.org/wp-content/uploads/NVM-Express-Base-Specification-2_0-2021.06.02-Ratified-5.pdf

Section '8.13 NVMe-over-Fabrics In-band authentication'

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
hare@xxxxxxx                              +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer