Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp171318pxb; Tue, 17 Aug 2021 22:45:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzIwZJG6ewQaoc5IZ+NLF2mH2XA/NReQ51F9yrgl/n7/AjeyPON3vGDNK8WovTUVxiHgoJS X-Received: by 2002:a6b:e616:: with SMTP id g22mr5992929ioh.67.1629265544774; Tue, 17 Aug 2021 22:45:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629265544; cv=none; d=google.com; s=arc-20160816; b=jZ41CUl4+YvUOQoIOvb104CGi6W47vm2VhevKMuevZ24RlKzA1/NURbFeyc8TjNA7s g4T5tW8NWPDOb/I37Ir48V9qE56s0OyY0DmiLJmcD+Ok/M/dAMBI/btCylBTJlEjupy/ 2wr33hEe99QI3dDco4QvYV4/Mtluk94I0c7OGPRKzjZXEP05r+HM3JW2c64ZG1Jjzlso 34bAfA7nIvE1gZel2sojqqJIV6OpVULvHfz4gh2z7PjzzcSzIsAfcx/71YvDqhmTcnww K9CNd7PxKssEpusxp5qRckDmT5N+nsGmfvoysGXU01zJ4dRCIQM1gAeCzmD5w8Q0UQdF E9zQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature:dkim-signature; bh=Q7gt9xQcpg8cLompgwAs2sgaTiNyRhomg3wa5s6AJxE=; b=si0cw3E5WpXqrEqI4uKQJHhlsJ5DrHofGWJ9ppTppmy8k5msYeoKW3XwckHSJ7FdIR PRT5uTCC4lY+ey8ZuCCunShjIy8uxcYfBtsvD+5Z7TumVM8PWm3NFwh3BOuYHvl87B7H HXNKim0yiUwURkGh/jikk75cGpAHmomnoCVBoh3xY0naVDqt8UbX/0L5e5fCfFwuZa+S YLNKa0ySULt8nIhyT3kVCpTFmtF4+9EGB6a4dFdIWgQ/w0Gv2a62V8p09iqa0zgUg48P JsShzgi4r6Dl70r9YihGCZg2isR9v/GwjdxMKujefkFrpgK8Ze4aIwg7lPytrfTUatSQ gb4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=GwJqqya4; dkim=neutral (no key) header.i=@suse.de header.b=zKV4yycO; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l5si4568057iln.118.2021.08.17.22.45.32; Tue, 17 Aug 2021 22:45:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=GwJqqya4; dkim=neutral (no key) header.i=@suse.de header.b=zKV4yycO; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237892AbhHRFpI (ORCPT + 99 others); Wed, 18 Aug 2021 01:45:08 -0400 Received: from smtp-out2.suse.de ([195.135.220.29]:50848 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237872AbhHRFpH (ORCPT ); Wed, 18 Aug 2021 01:45:07 -0400 Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id F1B921FF80; Wed, 18 Aug 2021 05:44:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1629265471; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q7gt9xQcpg8cLompgwAs2sgaTiNyRhomg3wa5s6AJxE=; b=GwJqqya4wErklpUfsHhkvceUHxU7++zXRRxL1ZA2tPLDfzCMF+E2KXG3ftzPT01KZL3t0o j/PQx+pkhVSHClamIyhh0/dVCtBOivIv/qn9gB/TU9xckEgKlF0RxeL7tl28HETYm1oSOA x615NaF4YbY/6cWJhs1fmGMznR/8D3k= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1629265471; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q7gt9xQcpg8cLompgwAs2sgaTiNyRhomg3wa5s6AJxE=; b=zKV4yycOMmovdQAhULrtF00NIo0gAUBBWL+J9SR27LszChgC1urhm3C1hlkMTV+ATONW8k E0xGU0Re4SI724AQ== Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap1.suse-dmz.suse.de (Postfix) with ESMTPS id CC28C13357; Wed, 18 Aug 2021 05:44:31 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap1.suse-dmz.suse.de with ESMTPSA id 1m86MD+eHGEqagAAGKfGzw (envelope-from ); Wed, 18 Aug 2021 05:44:31 +0000 Subject: Re: [PATCHv2 00/13] nvme: In-band authentication support To: Sagi Grimberg , Christoph Hellwig Cc: Keith Busch , Herbert Xu , "David S . Miller" , linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org References: <20210810124230.12161-1-hare@suse.de> <5a69187b-cfb1-d09a-87e2-8435e27612a7@grimberg.me> From: Hannes Reinecke Message-ID: Date: Wed, 18 Aug 2021 07:44:30 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 MIME-Version: 1.0 In-Reply-To: <5a69187b-cfb1-d09a-87e2-8435e27612a7@grimberg.me> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 8/17/21 11:21 PM, Sagi Grimberg wrote: > >> Hi all, >> >> recent updates to the NVMe spec have added definitions for in-band >> authentication, and seeing that it provides some real benefit >> especially for NVMe-TCP here's an attempt to implement it. >> >> Tricky bit here is that the specification orients itself on TLS 1.3, >> but supports only the FFDHE groups. Which of course the kernel doesn't >> support. I've been able to come up with a patch for this, but as this >> is my first attempt to fix anything in the crypto area I would invite >> people more familiar with these matters to have a look. >> >> Also note that this is just for in-band authentication. Secure >> concatenation (ie starting TLS with the negotiated parameters) is not >> implemented; one would need to update the kernel TLS implementation >> for this, which at this time is beyond scope. >> >> As usual, comments and reviews are welcome. > > Hey Hannes, > > First, can you also send the nvme-cli/nvmetcli bits as well? > Yes, will be done with the next round. It first required a larger update to libnvme/nvme-cli to get everything in order :-) > Second, one thing that is not clear to me here is how this > works with the discovery log page. > > If the user issues a discovery log page to establish connections > to the controllers entries, where it picks the appropriate > secret? > > In other words, when the user runs connect-all, how does it handle > the secrets based on the content of the discovery log-page? With the latest nvme-cli update I've implemented a json configuration, which allows to store configuration on a per-controller basis. This will be updated to hold the dhchap secrets, and we should be able to specify individual secrets for each controller. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer