On 11/22/21 12:32 PM, Sagi Grimberg wrote:
>
>>>> Hi all,
>>>>
>>>> recent updates to the NVMe spec have added definitions for in-band
>>>> authentication, and seeing that it provides some real benefit
>>>> especially for NVMe-TCP here's an attempt to implement it.
>>>>
>>>> Tricky bit here is that the specification orients itself on TLS 1.3,
>>>> but supports only the FFDHE groups. Which of course the kernel doesn't
>>>> support. I've been able to come up with a patch for this, but as this
>>>> is my first attempt to fix anything in the crypto area I would invite
>>>> people more familiar with these matters to have a look.
>>>>
>>>> Also note that this is just for in-band authentication. Secure
>>>> concatenation (ie starting TLS with the negotiated parameters) is not
>>>> implemented; one would need to update the kernel TLS implementation
>>>> for this, which at this time is beyond scope.
>>>>
>>>> As usual, comments and reviews are welcome.
>>>>
>>>> Changes to v5:
>>>> - Unify nvme_auth_generate_key()
>>>> - Unify nvme_auth_extract_key()
>>>
>>> You mean nvme_auth_extract_secret() ?
>>>
>> Yes.
>>
>>>> - Include reviews from Sagi
>>>
>>> What about the bug fix folded in?
>>
>> Yeah, and that, too
>> Forgot to mention it.
>
> It is not the code that you shared in the other thread right?
>
Yes, it is. It has been folded into v6.
And test 043 has been updated to check for this issue.

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
hare@xxxxxxx                              +49 911 74053 688
SUSE Software Solutions Germany GmbH, 90409 Nürnberg
GF: F. Imendörffer, HRB 36809 (AG Nürnberg)