Subject: Re: [PATCH 10/12] nvmet: Implement basic In-Band Authentication
To: Hannes Reinecke, Christoph Hellwig
Cc: Keith Busch, Herbert Xu, "David S. Miller", linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org
From: Sagi Grimberg
Message-ID: <24d3ee65-83e7-c958-cd17-eb4351a8349c@grimberg.me>
In-Reply-To: <2ccfb62a-d782-7bb2-4d41-6d1152851a4a@suse.de>
Date: Wed, 29 Sep 2021 01:36:47 +0300
X-Mailing-List: linux-crypto@vger.kernel.org

>>> Actually, having re-read the spec I'm not sure if the second path is
>>> correct.
>>> As per spec only the _host_ can trigger re-authentication. There is no
>>> provision for the controller to trigger re-authentication, and given
>>> that re-auth is a soft-state anyway (i.e. the current authentication
>>> stays valid until re-auth enters a final state) I _think_ we should be
>>> good with the current implementation, where we can change the
>>> controller keys
>>> via configfs, but they will only become active once the host triggers
>>> re-authentication.
>>
>> Agree, so the proposed addition is good with you?
>>
> Why would we need it?
> I do agree there's a bit missing for removing the old shash_tfm if there
> is a hash-id mismatch, but why would we need to reset the entire
> authentication?

Just need to update the new host dhchap_key from the host at this point as the host is doing a re-authentication. I agree we don't need a big hammer but we do need the re-authentication to not access old host dhchap_key.
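
A user-space C model of the behaviour discussed in this thread, added here as an illustration and not part of the original message or of the nvmet patch: when the host opens a re-authentication, the cached host key is refreshed from configuration and the hash context is replaced on a hash-id mismatch, while the previous authentication result stays valid until the new transaction reaches its final state. All struct and function names are hypothetical, and a direct key comparison stands in for the HMAC response check.

```c
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32

/* User-space model; all names are hypothetical, not the nvmet code. */
struct host_cfg { unsigned char key[KEY_LEN]; };   /* key as held in configuration */
struct hash_ctx { int hash_id; };                  /* stand-in for the shash_tfm */
struct ctrl_auth {
    unsigned char host_key[KEY_LEN]; /* copy used by the running transaction */
    struct hash_ctx *tfm;            /* hash context for the negotiated hash */
    int authenticated;               /* outcome of the last finished transaction */
};

/* Host opens a (re-)authentication transaction with the given hash id. */
int auth_begin(struct ctrl_auth *c, const struct host_cfg *cfg, int hash_id)
{
    if (c->tfm && c->tfm->hash_id != hash_id) {  /* hash-id mismatch: drop old */
        free(c->tfm);
        c->tfm = NULL;
    }
    if (!c->tfm) {
        c->tfm = malloc(sizeof(*c->tfm));
        if (!c->tfm)
            return -1;
        c->tfm->hash_id = hash_id;
    }
    /* Overwrite the cached key so this transaction never reads the old one. */
    memcpy(c->host_key, cfg->key, KEY_LEN);
    /* c->authenticated is left alone: the previous result stays valid. */
    return 0;
}

/* Final state: constant-time compare; the real protocol checks HMAC responses. */
int auth_finish(struct ctrl_auth *c, const unsigned char proof[KEY_LEN])
{
    unsigned char diff = 0;

    for (size_t i = 0; i < KEY_LEN; i++)
        diff |= c->host_key[i] ^ proof[i];
    c->authenticated = (diff == 0);
    return c->authenticated;
}
```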