From: Hannes Reinecke
To: Christoph Hellwig
Cc: Sagi Grimberg, Keith Busch, linux-nvme@lists.infradead.org, Herbert Xu, "David S . Miller", linux-crypto@vger.kernel.org, Hannes Reinecke
Subject: [RFC PATCH 00/11] nvme: In-band authentication support
Date: Fri, 16 Jul 2021 13:04:17 +0200
Message-Id: <20210716110428.9727-1-hare@suse.de>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi all,

recent updates to the NVMe spec have added definitions for in-band
authentication, and seeing that it provides some real benefit
especially for NVMe-TCP here's an attempt to implement it.

Tricky bit here is that the specification orients itself on TLS 1.3,
but supports only the FFDHE groups. Which of course the kernel doesn't
support. I've been able to come up with a patch for this, but as this
is my first attempt to fix anything in the crypto area I would invite
people more familiar with these matters to have a look.

Also note that this is just for in-band authentication. Secure
concatenation (i.e. starting TLS with the negotiated parameters) is not
implemented; one would need to update the kernel TLS implementation
for this, which at this time is beyond scope.

As usual, comments and reviews are welcome.

Hannes Reinecke (11):
  crypto: add crypto_has_shash()
  crypto: add crypto_has_kpp()
  crypto/ffdhe: Finite Field DH Ephemeral Parameters
  lib/base64: RFC4648-compliant base64 encoding
  nvme: add definitions for NVMe In-Band authentication
  nvme: Implement In-Band authentication
  nvme-auth: augmented challenge support
  nvmet: Parse fabrics commands on all queues
  nvmet: Implement basic In-Band Authentication
  nvmet-auth: implement support for augmented challenge
  nvme: add non-standard ECDH and curve25517 algorithms

 crypto/Kconfig                         |    8 +
 crypto/Makefile                        |    1 +
 crypto/ffdhe_helper.c                  |  877 +++++++++++++++++
 crypto/kpp.c                           |    6 +
 crypto/shash.c                         |    6 +
 drivers/nvme/host/Kconfig              |   11 +
 drivers/nvme/host/Makefile             |    1 +
 drivers/nvme/host/auth.c               | 1188 ++++++++++++++++++++++++
 drivers/nvme/host/auth.h               |   23 +
 drivers/nvme/host/core.c               |   77 +-
 drivers/nvme/host/fabrics.c            |   65 +-
 drivers/nvme/host/fabrics.h            |    8 +
 drivers/nvme/host/nvme.h               |   15 +
 drivers/nvme/host/trace.c              |   32 +
 drivers/nvme/target/Kconfig            |   10 +
 drivers/nvme/target/Makefile           |    1 +
 drivers/nvme/target/admin-cmd.c        |    4 +
 drivers/nvme/target/auth.c             |  608 ++++++++++++
 drivers/nvme/target/configfs.c         |  102 +-
 drivers/nvme/target/core.c             |   10 +
 drivers/nvme/target/fabrics-cmd-auth.c |  472 ++++++++++
 drivers/nvme/target/fabrics-cmd.c      |   30 +-
 drivers/nvme/target/nvmet.h            |   71 ++
 include/crypto/ffdhe.h                 |   24 +
 include/crypto/hash.h                  |    2 +
 include/crypto/kpp.h                   |    2 +
 include/linux/base64.h                 |   16 +
 include/linux/nvme.h                   |  187 +++-
 lib/Makefile                           |    2 +-
 lib/base64.c                           |  111 +++
 30 files changed, 3961 insertions(+), 9 deletions(-)
 create mode 100644 crypto/ffdhe_helper.c
 create mode 100644 drivers/nvme/host/auth.c
 create mode 100644 drivers/nvme/host/auth.h
 create mode 100644 drivers/nvme/target/auth.c
 create mode 100644 drivers/nvme/target/fabrics-cmd-auth.c
 create mode 100644 include/crypto/ffdhe.h
 create mode 100644 include/linux/base64.h
 create mode 100644 lib/base64.c

-- 
2.29.2