Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp4020808ioo; Wed, 25 May 2022 13:03:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwbA5pYV2yfFFi/ewPP/qRj0YjiVkKiNumo10IQsz6aroMiNzB8TPrMJAs5dLcGPrp4ynsJ X-Received: by 2002:a17:906:3ec1:b0:6e8:aae3:90de with SMTP id d1-20020a1709063ec100b006e8aae390demr30331214ejj.127.1653509003899; Wed, 25 May 2022 13:03:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653509003; cv=none; d=google.com; s=arc-20160816; b=nJnSApcRtxio4LbhaJGqa5MWkR1Zrfb1ZTWIyFmhVsEh7VCWace7IMWM3KgGMYvjp5 U0SjmBfbh6EBodpb/xJk6XI2tnAmSH3MBjye0jwTASTNOtnR0U3lvFmdKctHPak+ovvi mp/nl98EF9hN+eYoCm8+wxLA87jShYW++gQVak/XWKv0EUqsACS36PtS0YWeyuL5y1J/ rLtbEsG3jtyyO5kPuiRSDwNYYvYrRjT4EctdKS9Q6h9+fcrpJL3VCxrvRbM6FahfaEQi 1no/Oar5iyITFpDC8r4gPkKq5Bmh/sie3VD8KXdiMqrFw4Yz7uadBEZpAE1fqVWaMJAV Wj4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=cYFvf5S74zrkxiUcx9efmkq8IReMie2+kmRtGzK9T9A=; b=h9Pg4+NzCKG3DoLCFV+0c7JXthXapCJOYHVV7Ji9ILNtHbFqrnOEaiCp4ng/SNmCX7 TrRxlMZpWnVZ4r6AaeykZWMO0Q3z5eDx4LJO5YpOAP9GFQlRtfFAsBweMp0Ro+XA4SAh nI9Ipe6TBaUNZLdcY/oOHivyGO/07mvOPRZGbh33pv6v4YHFNM56qqiCI+AqhCI4rcxk gBlKkXLKQXN8Q1dCCmQ9ewaJS48siEF3VW78qayiC8b/K2BA3KrAYz7euWg/syJQQ+0k wimHLfi+v//iC5giJb1uG27iiIjm08YkThwZBkqtdiJbFuL74Tz8XcbSnmR2aIHVks/D pI9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j20-20020a05640211d400b0042b64acfa9esi8285857edw.490.2022.05.25.13.02.37; Wed, 25 May 2022 13:03:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229671AbiEYKmq (ORCPT + 99 others); Wed, 25 May 2022 06:42:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229642AbiEYKmq (ORCPT ); Wed, 25 May 2022 06:42:46 -0400 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CFE23986EE for ; Wed, 25 May 2022 03:42:43 -0700 (PDT) Received: by mail-wr1-f43.google.com with SMTP id g23so1693462wrb.13 for ; Wed, 25 May 2022 03:42:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=cYFvf5S74zrkxiUcx9efmkq8IReMie2+kmRtGzK9T9A=; b=TfpTzoFFZCJTK9FuYkIGFGRIue6tkfDQFNQuHWhJ5NgTBWBlEGDj3EV3qiDFcxH+1B xzBD8Y9YstNKqzqLk+YxoBZa/sAdOoodzjQPb0C5no7oJH0dwL8/AqCdY9w+os2COHjZ vF7VrP7jT0+gf5iOKAclI0M3vw3irm0HEcgFnOjUUaVOYIuwiCxV8feAlhcAsTB2YypY 9M9uKSH16jj7rCdsT6rv3I8GJJ7GNKm9bNroO9MbNglMkCLEkV1HxcYEYSlasaBmtyyO YtpqyeM0qL1TXYi++1Tx5svaGQsneHQrUsMVrcDqHdhwKhBFqo4Fk4TkEyrP0TwtlR4e GnKQ== X-Gm-Message-State: AOAM532pomd3aLjBcQT6hP8/SxijMQlE1zJ3chw2pBUiNFz38lVxVfY0 tokHeFrlevIBrC66WRIWjBUFV2ysHFE= X-Received: by 2002:a5d:6782:0:b0:20f:dd3a:3edf with SMTP id v2-20020a5d6782000000b0020fdd3a3edfmr12628365wru.517.1653475362422; Wed, 25 May 2022 03:42:42 -0700 (PDT) Received: from [192.168.64.180] (bzq-219-42-90.isdn.bezeqint.net. [62.219.42.90]) by smtp.gmail.com with ESMTPSA id b24-20020a7bc258000000b003974ba5cacdsm1750495wmj.35.2022.05.25.03.42.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 25 May 2022 03:42:42 -0700 (PDT) Message-ID: Date: Wed, 25 May 2022 13:42:40 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: [PATCH 09/11] nvmet: Implement basic In-Band Authentication Content-Language: en-US To: Hannes Reinecke , Max Gurtovoy , Christoph Hellwig Cc: Keith Busch , linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org References: <20220518112234.24264-1-hare@suse.de> <20220518112234.24264-10-hare@suse.de> <903b586c-b539-c4e5-9233-7e24aa55f11b@suse.de> From: Sagi Grimberg In-Reply-To: <903b586c-b539-c4e5-9233-7e24aa55f11b@suse.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org >> Hi Hannes, >> >> On 5/18/2022 2:22 PM, Hannes Reinecke wrote: >>> Implement NVMe-oF In-Band authentication according to NVMe TPAR 8006. >>> This patch adds three additional configfs entries 'dhchap_key', >>> 'dhchap_ctrl_key', and 'dhchap_hash' to the 'host' configfs directory. >>> The 'dhchap_key' and 'dhchap_ctrl_key' entries need to be in the ASCII >>> format as specified in NVMe Base Specification v2.0 section 8.13.5.8 >>> 'Secret representation'. >>> 'dhchap_hash' defaults to 'hmac(sha256)', and can be written to to >>> switch to a different HMAC algorithm. >>> >>> Signed-off-by: Hannes Reinecke >>> --- >>>   drivers/nvme/target/Kconfig            |  12 + >>>   drivers/nvme/target/Makefile           |   1 + >>>   drivers/nvme/target/admin-cmd.c        |   2 + >>>   drivers/nvme/target/auth.c             | 367 ++++++++++++++++++ >>>   drivers/nvme/target/configfs.c         | 107 +++++- >>>   drivers/nvme/target/core.c             |  11 + >>>   drivers/nvme/target/fabrics-cmd-auth.c | 491 +++++++++++++++++++++++++ >>>   drivers/nvme/target/fabrics-cmd.c      |  38 +- >>>   drivers/nvme/target/nvmet.h            |  62 ++++ >>>   9 files changed, 1088 insertions(+), 3 deletions(-) >>>   create mode 100644 drivers/nvme/target/auth.c >>>   create mode 100644 drivers/nvme/target/fabrics-cmd-auth.c >>> >>> diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig >>> index 973561c93888..e569319be679 100644 >>> --- a/drivers/nvme/target/Kconfig >>> +++ b/drivers/nvme/target/Kconfig >>> @@ -83,3 +83,15 @@ config NVME_TARGET_TCP >>>         devices over TCP. >>>         If unsure, say N. >>> + >>> +config NVME_TARGET_AUTH >>> +    bool "NVMe over Fabrics In-band Authentication support" >>> +    depends on NVME_TARGET >>> +    depends on NVME_AUTH >>> +    select CRYPTO_HMAC >>> +    select CRYPTO_SHA256 >>> +    select CRYPTO_SHA512 >>> +    help >>> +      This enables support for NVMe over Fabrics In-band Authentication >>> + >>> +      If unsure, say N. >>> diff --git a/drivers/nvme/target/Makefile b/drivers/nvme/target/Makefile >>> index 9837e580fa7e..c66820102493 100644 >>> --- a/drivers/nvme/target/Makefile >>> +++ b/drivers/nvme/target/Makefile >>> @@ -13,6 +13,7 @@ nvmet-y        += core.o configfs.o admin-cmd.o >>> fabrics-cmd.o \ >>>               discovery.o io-cmd-file.o io-cmd-bdev.o >>>   nvmet-$(CONFIG_NVME_TARGET_PASSTHRU)    += passthru.o >>>   nvmet-$(CONFIG_BLK_DEV_ZONED)        += zns.o >>> +nvmet-$(CONFIG_NVME_TARGET_AUTH)    += fabrics-cmd-auth.o auth.o >>>   nvme-loop-y    += loop.o >>>   nvmet-rdma-y    += rdma.o >>>   nvmet-fc-y    += fc.o >>> diff --git a/drivers/nvme/target/admin-cmd.c >>> b/drivers/nvme/target/admin-cmd.c >>> index 31df40ac828f..fc8a957fad0a 100644 >>> --- a/drivers/nvme/target/admin-cmd.c >>> +++ b/drivers/nvme/target/admin-cmd.c >>> @@ -1018,6 +1018,8 @@ u16 nvmet_parse_admin_cmd(struct nvmet_req *req) >>>       if (nvme_is_fabrics(cmd)) >>>           return nvmet_parse_fabrics_admin_cmd(req); >>> +    if (unlikely(!nvmet_check_auth_status(req))) >>> +        return NVME_SC_AUTH_REQUIRED | NVME_SC_DNR; >>>       if (nvmet_is_disc_subsys(nvmet_req_subsys(req))) >>>           return nvmet_parse_discovery_cmd(req); >>> diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c >>> new file mode 100644 >>> index 000000000000..003c0faad7ff >>> --- /dev/null >>> +++ b/drivers/nvme/target/auth.c >>> @@ -0,0 +1,367 @@ >>> +// SPDX-License-Identifier: GPL-2.0 >>> +/* >>> + * NVMe over Fabrics DH-HMAC-CHAP authentication. >>> + * Copyright (c) 2020 Hannes Reinecke, SUSE Software Solutions. >>> + * All rights reserved. >>> + */ >>> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> +#include >>> + >>> +#include "nvmet.h" >>> +#include "../host/auth.h" >> >> maybe we can put the common stuff to include/linux/nvme-auth.h instead >> of doing ../host/auth.h ? >> >> > Yes, we can do that. > Will be fixing it for the next round. We already do that in nvmet-loop, I don't think it is really needed.