Subject: Re: [PATCHv2 00/13] nvme: In-band authentication support
From: Sagi Grimberg
To: Hannes Reinecke, Christoph Hellwig
Cc: Keith Busch, Herbert Xu, David S. Miller, linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org
Date: Tue, 17 Aug 2021 14:21:30 -0700
Message-ID: <5a69187b-cfb1-d09a-87e2-8435e27612a7@grimberg.me>
In-Reply-To: <20210810124230.12161-1-hare@suse.de>
X-Mailing-List: linux-crypto@vger.kernel.org

> Hi all,
>
> Recent updates to the NVMe spec have added definitions for in-band
> authentication, and seeing that it provides some real benefit
> especially for NVMe-TCP here's an attempt to implement it.
>
> Tricky bit here is that the specification orients itself on TLS 1.3,
> but supports only the FFDHE groups. Which of course the kernel doesn't
> support. I've been able to come up with a patch for this, but as this
> is my first attempt to fix anything in the crypto area I would invite
> people more familiar with these matters to have a look.
>
> Also note that this is just for in-band authentication. Secure
> concatenation (i.e. starting TLS with the negotiated parameters) is not
> implemented; one would need to update the kernel TLS implementation
> for this, which at this time is beyond scope.
>
> As usual, comments and reviews are welcome.

Hey Hannes,

First, can you also send the nvme-cli/nvmetcli bits as well?

Second, one thing that is not clear to me here is how this works with the discovery log page.
If the user issues a discovery log page to establish connections to the controller entries, where does it pick the appropriate secret? In other words, when the user runs connect-all, how does it handle the secrets based on the content of the discovery log page?