On 11/22/21 9:13 AM, Sagi Grimberg wrote:
>
>
> On 11/22/21 9:47 AM, Hannes Reinecke wrote:
>> Hi all,
>>
>> recent updates to the NVMe spec have added definitions for in-band
>> authentication, and seeing that it provides some real benefit
>> especially for NVMe-TCP here's an attempt to implement it.
>>
>> Tricky bit here is that the specification orients itself on TLS 1.3,
>> but supports only the FFDHE groups. Which of course the kernel doesn't
>> support. I've been able to come up with a patch for this, but as this
>> is my first attempt to fix anything in the crypto area I would invite
>> people more familiar with these matters to have a look.
>>
>> Also note that this is just for in-band authentication. Secure
>> concatenation (i.e. starting TLS with the negotiated parameters) is not
>> implemented; one would need to update the kernel TLS implementation
>> for this, which at this time is beyond scope.
>>
>> As usual, comments and reviews are welcome.
>>
>> Changes to v5:
>> - Unify nvme_auth_generate_key()
>> - Unify nvme_auth_extract_key()
>
> You mean nvme_auth_extract_secret() ?
>
Yes.

>> - Include reviews from Sagi
>
> What about the bug fix folded in?

Yeah, and that, too. Forgot to mention it.

Also note that I've already folded the nvme-cli patches into the git
repository to ease testing; I gather that the interface won't change
that much anymore, so I felt justified in doing so.
And I got tired of explaining to interested parties how to build a
non-standard nvme-cli :-)
But that's why I didn't post separate patches for nvme-cli.

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
hare@xxxxxxx                              +49 911 74053 688
SUSE Software Solutions Germany GmbH, 90409 Nürnberg
GF: F. Imendörffer, HRB 36809 (AG Nürnberg)