* [PATCH blktests 0/6] Testsuite for nvme in-band authentication
@ 2021-11-12 14:45 Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection Hannes Reinecke
                   ` (5 more replies)
  0 siblings, 6 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Hi all,

some people (Hi Sagi!) have complained that nvme in-band authentication
provides far too many configuration options to test it with some easy
commands. So here's a test suite for testing (most of) the various
configuration options and features.

As usual, comments and reviews are welcome.

Hannes Reinecke (6):
  nvmeof-tcp/001: simple test for nvmeof-tcp connection
  nvmeof-tcp/002: create an authenticated nvmeof-tcp connection
  nvmeof-tcp/003: test different key types
  nvmeof-tcp/004: test hash and dhgroup variations
  nvmeof-tcp/005: test bi-directional authentication
  nvmeof-tcp/006: test re-authentication

 tests/nvmeof-tcp/001     |  55 +++++++
 tests/nvmeof-tcp/001.out |   6 +
 tests/nvmeof-tcp/002     |  62 +++++++
 tests/nvmeof-tcp/002.out |   6 +
 tests/nvmeof-tcp/003     | 100 +++++++++++
 tests/nvmeof-tcp/003.out |  36 ++++
 tests/nvmeof-tcp/004     |  86 ++++++++++
 tests/nvmeof-tcp/004.out |  37 +++++
 tests/nvmeof-tcp/005     |  74 +++++++++
 tests/nvmeof-tcp/005.out |   6 +
 tests/nvmeof-tcp/006     | 113 +++++++++++++
 tests/nvmeof-tcp/006.out |  23 +++
 tests/nvmeof-tcp/rc      | 347 +++++++++++++++++++++++++++++++++++++++
 13 files changed, 951 insertions(+)
 create mode 100644 tests/nvmeof-tcp/001
 create mode 100644 tests/nvmeof-tcp/001.out
 create mode 100644 tests/nvmeof-tcp/002
 create mode 100644 tests/nvmeof-tcp/002.out
 create mode 100644 tests/nvmeof-tcp/003
 create mode 100644 tests/nvmeof-tcp/003.out
 create mode 100644 tests/nvmeof-tcp/004
 create mode 100644 tests/nvmeof-tcp/004.out
 create mode 100644 tests/nvmeof-tcp/005
 create mode 100644 tests/nvmeof-tcp/005.out
 create mode 100644 tests/nvmeof-tcp/006
 create mode 100644 tests/nvmeof-tcp/006.out
 create mode 100644 tests/nvmeof-tcp/rc

-- 
2.26.2




* [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  2021-11-14 10:31   ` Sagi Grimberg
  2021-11-12 14:45 ` [PATCH 2/6] nvmeof-tcp/002: create an authenticated " Hannes Reinecke
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/001     |  55 +++++++
 tests/nvmeof-tcp/001.out |   6 +
 tests/nvmeof-tcp/rc      | 347 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 408 insertions(+)
 create mode 100644 tests/nvmeof-tcp/001
 create mode 100644 tests/nvmeof-tcp/001.out
 create mode 100644 tests/nvmeof-tcp/rc

diff --git a/tests/nvmeof-tcp/001 b/tests/nvmeof-tcp/001
new file mode 100644
index 0000000..39f4108
--- /dev/null
+++ b/tests/nvmeof-tcp/001
@@ -0,0 +1,55 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp connection
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Create single TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+
+	echo "Running ${TEST_NAME}"
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}"
+
+	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+	     -a "${def_traddr}" -s "${def_trsvcid}" \
+	     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+	nvme list-subsys
+
+	nvme disconnect -n "${subsys}1"
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
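Review bot: The scratch image is a fixed name in a world-writable directory, `local scratch="/tmp/blktest-ns1.img"`, while the group requires root (`group_requires` calls `_have_root` in rc). `truncate -s 512M "${scratch}"` therefore operates on whatever another local user may have created at that name first (how far that goes depends on the host's symlink protections), and two concurrent runs would share one backing file. Create the file with `mktemp`, e.g. `scratch="$(mktemp /tmp/blktest-ns1.XXXXXX)"`, or under a per-test temporary directory if the harness provides one, and quote the removal as `rm -f -- "${scratch}"`. The file is only removed on the last lines of `test()`, so any earlier failure leaves it behind. The same path is used in 002 through 006.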
diff --git a/tests/nvmeof-tcp/001.out b/tests/nvmeof-tcp/001.out
new file mode 100644
index 0000000..1eae834
--- /dev/null
+++ b/tests/nvmeof-tcp/001.out
@@ -0,0 +1,6 @@
+Running nvmeof-tcp/001
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live 
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
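Review bot: The expected output pins the instance names `nvme-subsys0` and `nvme0`, which only match when no other NVMe controller or subsystem was allocated before the test connects. On a machine with a local NVMe disk, or after an earlier test, the numbers will likely differ and `nvme list-subsys` may print extra entries, so the comparison fails for reasons unrelated to authentication. Filtering the `nvme list-subsys` output in the test before it reaches the golden file, for example by replacing instance numbers with a fixed token, would avoid that; 002.out to 006.out have the same dependency. The fourth line here also ends in a trailing space after `live`, which the other .out files do not have.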
diff --git a/tests/nvmeof-tcp/rc b/tests/nvmeof-tcp/rc
new file mode 100644
index 0000000..9ae0899
--- /dev/null
+++ b/tests/nvmeof-tcp/rc
@@ -0,0 +1,347 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2018 Johannes Thumshirn
+#
+# Test specific to NVMe devices
+
+. common/rc
+
+def_traddr="127.0.0.1"
+def_adrfam="ipv4"
+def_trsvcid="4420"
+nvme_trtype=${nvme_trtype:-"tcp"}
+
+_nvme_requires() {
+	_have_program nvme
+	case ${nvme_trtype} in
+	loop)
+		_have_modules nvmet nvme-core nvme-loop
+		_have_configfs
+		;;
+	pci)
+		_have_modules nvme nvme-core
+		;;
+	tcp)
+		_have_modules nvmet nvme-core nvme-tcp nvmet-tcp
+		_have_configfs
+		;;
+	rdma)
+		_have_modules nvmet nvme-core nvme-rdma nvmet-rdma
+		_have_configfs
+		_have_program rdma
+		_have_modules rdma_rxe || _have_modules siw
+		;;
+	*)
+		SKIP_REASON="unsupported nvme_trtype=${nvme_trtype}"
+		return 1
+	esac
+	return 0
+}
+
+group_requires() {
+	_have_root
+}
+
+group_device_requires() {
+	_require_test_dev_is_nvme
+}
+
+NVMET_CFS="/sys/kernel/config/nvmet/"
+
+_require_test_dev_is_nvme() {
+	if ! readlink -f "$TEST_DEV_SYSFS/device" | grep -q nvme; then
+		SKIP_REASON="$TEST_DEV is not a NVMe device"
+		return 1
+	fi
+	return 0
+}
+
+_require_nvme_trtype_is_loop() {
+	if [[ "${nvme_trtype}" != "loop" ]]; then
+		SKIP_REASON="nvme_trtype=${nvme_trtype} is not supported in this test"
+		return 1
+	fi
+	return 0
+}
+
+_require_nvme_trtype_is_fabrics() {
+	if [[ "${nvme_trtype}" == "pci" ]]; then
+		SKIP_REASON="nvme_trtype=${nvme_trtype} is not supported in this test"
+		return 1
+	fi
+	return 0
+}
+
+_test_dev_nvme_ctrl() {
+	echo "/dev/char/$(cat "${TEST_DEV_SYSFS}/device/dev")"
+}
+
+_test_dev_nvme_nsid() {
+	cat "${TEST_DEV_SYSFS}/nsid"
+}
+
+_cleanup_nvmet() {
+	local dev
+	local port
+	local subsys
+	local transport
+	local name
+
+	if [[ ! -d "${NVMET_CFS}" ]]; then
+		return 0
+	fi
+
+	# Don't let successive Ctrl-Cs interrupt the cleanup processes
+	trap '' SIGINT
+
+	shopt -s nullglob
+
+	for dev in /sys/class/nvme/nvme*; do
+		dev="$(basename "$dev")"
+		transport="$(cat "/sys/class/nvme/${dev}/transport")"
+		if [[ "$transport" == "${nvme_trtype}" ]]; then
+			echo "WARNING: Test did not clean up ${nvme_trtype} device: ${dev}"
+			_nvme_disconnect_ctrl "${dev}"
+		fi
+	done
+
+	for port in "${NVMET_CFS}"/ports/*; do
+		name=$(basename "${port}")
+		echo "WARNING: Test did not clean up port: ${name}"
+		rm -f "${port}"/subsystems/*
+		rmdir "${port}"
+	done
+
+	for subsys in "${NVMET_CFS}"/subsystems/*; do
+		name=$(basename "${subsys}")
+		echo "WARNING: Test did not clean up subsystem: ${name}"
+		for ns in "${subsys}"/namespaces/*; do
+			rmdir "${ns}"
+		done
+		rmdir "${subsys}"
+	done
+
+	shopt -u nullglob
+	trap SIGINT
+
+	modprobe -r nvme-"${nvme_trtype}" 2>/dev/null
+	if [[ "${nvme_trtype}" != "loop" ]]; then
+		modprobe -r nvmet-"${nvme_trtype}" 2>/dev/null
+	fi
+	modprobe -r nvmet 2>/dev/null
+}
+
+_setup_nvmet() {
+	_register_test_cleanup _cleanup_nvmet
+	modprobe nvmet
+	if [[ "${nvme_trtype}" != "loop" ]]; then
+		modprobe nvmet-"${nvme_trtype}"
+	fi
+	modprobe nvme-"${nvme_trtype}"
+}
+
+_nvme_disconnect_ctrl() {
+	local ctrl="$1"
+
+	nvme disconnect -d "${ctrl}"
+}
+
+_nvme_disconnect_subsys() {
+	local subsysnqn="$1"
+
+	nvme disconnect -n "${subsysnqn}"
+}
+
+_nvme_connect_subsys() {
+	local trtype="$1"
+	local subsysnqn="$2"
+	local traddr="${3:-$def_traddr}"
+	local trsvcid="${4:-$def_trsvcid}"
+
+	ARGS=(-t "${trtype}" -n "${subsysnqn}")
+	if [[ "${trtype}" != "loop" ]]; then
+		ARGS+=(-a "${traddr}" -s "${trsvcid}")
+	fi
+	nvme connect "${ARGS[@]}"
+}
+
+_nvme_discover() {
+	local trtype="$1"
+	local traddr="${2:-$def_traddr}"
+	local trsvcid="${3:-$def_trsvcid}"
+
+	ARGS=(-t "${trtype}")
+	if [[ "${trtype}" != "loop" ]]; then
+		ARGS+=(-a "${traddr}" -s "${trsvcid}")
+	fi
+	nvme discover "${ARGS[@]}"
+}
+
+_create_nvmet_port() {
+	local trtype="$1"
+	local traddr="${2:-$def_traddr}"
+	local adrfam="${3:-$def_adrfam}"
+	local trsvcid="${4:-$def_trsvcid}"
+
+	local port
+	for ((port = 0; ; port++)); do
+		if [[ ! -e "${NVMET_CFS}/ports/${port}" ]]; then
+			break
+		fi
+	done
+
+	mkdir "${NVMET_CFS}/ports/${port}"
+	echo "${trtype}" > "${NVMET_CFS}/ports/${port}/addr_trtype"
+	echo "${traddr}" > "${NVMET_CFS}/ports/${port}/addr_traddr"
+	echo "${adrfam}" > "${NVMET_CFS}/ports/${port}/addr_adrfam"
+	echo "${trsvcid}" > "${NVMET_CFS}/ports/${port}/addr_trsvcid"
+
+	echo "${port}"
+}
+
+_remove_nvmet_port() {
+	local port="$1"
+	rmdir "${NVMET_CFS}/ports/${port}"
+}
+
+_create_nvmet_ns() {
+	local nvmet_subsystem="$1"
+	local nsid="$2"
+	local blkdev="$3"
+	local uuid="00000000-0000-0000-0000-000000000000"
+	local subsys_path="${NVMET_CFS}/subsystems/${nvmet_subsystem}"
+	local ns_path="${subsys_path}/namespaces/${nsid}"
+
+	if [[ $# -eq 4 ]]; then
+		uuid="$4"
+	fi
+
+	mkdir "${ns_path}"
+	printf "%s" "${blkdev}" > "${ns_path}/device_path"
+	printf "%s" "${uuid}" > "${ns_path}/device_uuid"
+	printf 1 > "${ns_path}/enable"
+}
+
+_create_nvmet_subsystem() {
+	local nvmet_subsystem="$1"
+	local blkdev="$2"
+	local uuid=$3
+	local cfs_path="${NVMET_CFS}/subsystems/${nvmet_subsystem}"
+
+	mkdir -p "${cfs_path}"
+	echo 1 > "${cfs_path}/attr_allow_any_host"
+	_create_nvmet_ns "${nvmet_subsystem}" "1" "${blkdev}" "${uuid}"
+}
+
+_create_nvmet_host() {
+	local nvmet_subsystem="$1"
+	local nvmet_hostnqn="$2"
+	local nvmet_hostkey="$3"
+	local cfs_path="${NVMET_CFS}/subsystems/${nvmet_subsystem}"
+
+	mkdir "${NVMET_CFS}/hosts/${nvmet_hostnqn}"
+	if [ "$nvmet_hostkey" ] ; then
+		echo "${nvmet_hostkey}" > \
+		     "${NVMET_CFS}/hosts/${nvmet_hostnqn}/dhchap_key"
+	fi
+	echo 0 > "${cfs_path}/attr_allow_any_host"
+	ln -s "${NVMET_CFS}/hosts/${nvmet_hostnqn}" \
+	   "${cfs_path}/allowed_hosts/${nvmet_hostnqn}"
+}
+
+_set_nvmet_hostkey() {
+	local nvmet_hostnqn="$1"
+	local nvmet_hostkey="$2"
+	local cfs_path="${NVMET_CFS}/hosts/${nvmet_hostnqn}"
+
+	echo "${nvmet_hostkey}" > \
+	     "${cfs_path}/dhchap_key"
+}
+
+_set_nvmet_ctrlkey() {
+	local nvmet_hostnqn="$1"
+	local nvmet_ctrlkey="$2"
+	local cfs_path="${NVMET_CFS}/hosts/${nvmet_hostnqn}"
+
+	echo "${nvmet_ctrlkey}" > \
+	     "${cfs_path}/dhchap_ctrl_key"
+}
+
+_set_nvmet_hash() {
+	local nvmet_hostnqn="$1"
+	local nvmet_hash="$2"
+	local cfs_path="${NVMET_CFS}/hosts/${nvmet_hostnqn}"
+
+	echo "${nvmet_hash}" > \
+	     "${cfs_path}/dhchap_hash"
+}
+
+_set_nvmet_dhgroup() {
+	local nvmet_hostnqn="$1"
+	local nvmet_dhgroup="$2"
+	local cfs_path="${NVMET_CFS}/hosts/${nvmet_hostnqn}"
+
+	echo "${nvmet_dhgroup}" > \
+	     "${cfs_path}/dhchap_dhgroup"
+}
+
+_remove_nvmet_ns() {
+	local nvmet_subsystem="$1"
+	local nsid=$2
+	local subsys_path="${NVMET_CFS}/subsystems/${nvmet_subsystem}"
+	local nvmet_ns_path="${subsys_path}/namespaces/${nsid}"
+
+	echo 0 > "${nvmet_ns_path}/enable"
+	rmdir "${nvmet_ns_path}"
+}
+
+_remove_nvmet_subsystem() {
+	local nvmet_subsystem="$1"
+	local subsys_path="${NVMET_CFS}/subsystems/${nvmet_subsystem}"
+
+	_remove_nvmet_ns "${nvmet_subsystem}" "1"
+	rm "${subsys_path}"/allowed_hosts/*
+	rmdir "${subsys_path}"
+}
+
+_remove_nvmet_host() {
+	local nvmet_host="$1"
+	local host_path="${NVMET_CFS}/hosts/${nvmet_host}"
+
+	rmdir "${host_path}"
+}
+	
+_add_nvmet_subsys_to_port() {
+	local port="$1"
+	local nvmet_subsystem="$2"
+
+	ln -s "${NVMET_CFS}/subsystems/${nvmet_subsystem}" \
+		"${NVMET_CFS}/ports/${port}/subsystems/${nvmet_subsystem}"
+}
+
+_remove_nvmet_subsystem_from_port() {
+	local port="$1"
+	local nvmet_subsystem="$2"
+
+	rm "${NVMET_CFS}/ports/${port}/subsystems/${nvmet_subsystem}"
+}
+
+_find_nvme_dev() {
+	local subsys=$1
+	local subsysnqn
+	local dev
+	for dev in /sys/class/nvme/nvme*; do
+		dev="$(basename "$dev")"
+		subsysnqn="$(cat "/sys/class/nvme/${dev}/subsysnqn")"
+		if [[ "$subsysnqn" == "$subsys" ]]; then
+			echo "$dev"
+			for ((i = 0; i < 10; i++)); do
+				if [[ -e /sys/block/$dev/uuid &&
+					-e /sys/block/$dev/wwid ]]; then
+					return
+				fi
+				sleep .1
+			done
+		fi
+	done
+}
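Review bot: `_cleanup_nvmet` only walks `ports/*` and `subsystems/*`, so a test that aborts after `_create_nvmet_host` leaves the `hosts/<hostnqn>` entry in configfs, including the `dhchap_key` written into it. The `allowed_hosts` link inside the subsystem is also never removed before `rmdir "${subsys}"`. That presumably makes the subsystem `rmdir` and the later `modprobe -r nvmet` fail, and the `2>/dev/null` on the modprobe lines hides it. I would remove the `allowed_hosts` links and then the host directories in the cleanup path, as sketched below. Separately, `ns` in this function, `i` in `_find_nvme_dev` and `ARGS` in `_nvme_connect_subsys`/`_nvme_discover` are not declared `local`.

```shell
	local host
	# … unchanged: controller and port cleanup …
	for subsys in "${NVMET_CFS}"/subsystems/*; do
		# … unchanged: name lookup and warning …
		# drop host links first so the subsystem directory can be removed
		rm -f "${subsys}"/allowed_hosts/*
		# … unchanged: namespace removal and rmdir "${subsys}" …
	done

	# host entries hold the DH-HMAC-CHAP secrets; do not leave them behind
	for host in "${NVMET_CFS}"/hosts/*; do
		name=$(basename "${host}")
		echo "WARNING: Test did not clean up host: ${name}"
		rmdir "${host}"
	done
```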
-- 
2.26.2




* [PATCH 2/6] nvmeof-tcp/002: create an authenticated nvmeof-tcp connection
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 3/6] nvmeof-tcp/003: test different key types Hannes Reinecke
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/002     | 62 ++++++++++++++++++++++++++++++++++++++++
 tests/nvmeof-tcp/002.out |  6 ++++
 2 files changed, 68 insertions(+)
 create mode 100644 tests/nvmeof-tcp/002
 create mode 100644 tests/nvmeof-tcp/002.out

diff --git a/tests/nvmeof-tcp/002 b/tests/nvmeof-tcp/002
new file mode 100644
index 0000000..fad77c9
--- /dev/null
+++ b/tests/nvmeof-tcp/002
@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp authentication
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Create authenticated TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+	local hostkey
+
+	echo "Running ${TEST_NAME}"
+
+	hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"
+
+	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+	     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+	     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+	nvme list-subsys
+
+	nvme disconnect -n "${subsys}1"
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
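Review bot: `test()` creates the host entry with `_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"` but never calls `_remove_nvmet_host`, so the `hosts/${hostnqn}` directory and the key written to its `dhchap_key` stay in configfs even after a successful run; 003 to 006 do remove it. Add `_remove_nvmet_host "${hostnqn}"` after `_remove_nvmet_port "${port}"`; 001 has the same omission. `genctr` is declared but unused, and `local hostid="$(uuidgen)"` masks a `uuidgen` failure, so declaring first and assigning on a separate line would be safer.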
diff --git a/tests/nvmeof-tcp/002.out b/tests/nvmeof-tcp/002.out
new file mode 100644
index 0000000..c46ad3c
--- /dev/null
+++ b/tests/nvmeof-tcp/002.out
@@ -0,0 +1,6 @@
+Running nvmeof-tcp/002
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
-- 
2.26.2




* [PATCH 3/6] nvmeof-tcp/003: test different key types
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 2/6] nvmeof-tcp/002: create an authenticated " Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 4/6] nvmeof-tcp/004: test hash and dhgroup variations Hannes Reinecke
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/003     | 100 +++++++++++++++++++++++++++++++++++++++
 tests/nvmeof-tcp/003.out |  36 ++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 tests/nvmeof-tcp/003
 create mode 100644 tests/nvmeof-tcp/003.out

diff --git a/tests/nvmeof-tcp/003 b/tests/nvmeof-tcp/003
new file mode 100644
index 0000000..c8a91e9
--- /dev/null
+++ b/tests/nvmeof-tcp/003
@@ -0,0 +1,100 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp dhchap keys
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Test dhchap keys for authenticated TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+	local hostkey
+
+	echo "Running ${TEST_NAME}"
+
+	hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"
+
+	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+	     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+	     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+	nvme list-subsys
+
+	nvme disconnect -n "${subsys}1"
+
+	for hmac in 1 2 3; do
+		echo "Testing hmac ${hmac}"
+		hostkey="$(nvme gen-dhchap-key --hmac=${hmac} -n ${subsys}1 2> /dev/null)"
+		if [ $? -ne 0 ] ; then
+			echo "couldn't generate host key for hmac ${hmac}"
+			return 1
+		fi
+		_set_nvmet_hostkey "${hostnqn}" "${hostkey}"
+	
+		nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+		     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+		     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+		nvme list-subsys
+
+		nvme disconnect -n "${subsys}1"
+	done
+
+	for key_len in 32 48 64; do
+		echo "Testing key length ${key_len}"
+		hostkey="$(nvme gen-dhchap-key --key-length=${key_len} -n ${subsys}1 2> /dev/null)"
+		if [ $? -ne 0 ] ; then
+			echo "couldn't generate host key for length ${key_len}"
+			return 1
+		fi
+		_set_nvmet_hostkey "${hostnqn}" "${hostkey}"
+	
+		nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+		     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+		     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+		nvme list-subsys
+
+		nvme disconnect -n "${subsys}1"
+	done
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	_remove_nvmet_host "${hostnqn}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
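Review bot: Every connect in this test uses the key that was just written to the target, and success is judged only by `nvme list-subsys` printing a `live` controller, so nothing here would fail if the target accepted a connection with a wrong or missing secret. A negative case is needed before the suite can show that authentication is enforced: after `_set_nvmet_hostkey "${hostnqn}" "${hostkey}"`, attempt one connect with the previous key (or without `-S`) and require that it is rejected. As far as this series shows, 002, 004 and 005 have the same gap. The `return 1` paths inside both loops also leave the port, subsystem, host entry and scratch file in place.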
diff --git a/tests/nvmeof-tcp/003.out b/tests/nvmeof-tcp/003.out
new file mode 100644
index 0000000..4d85539
--- /dev/null
+++ b/tests/nvmeof-tcp/003.out
@@ -0,0 +1,36 @@
+Running nvmeof-tcp/003
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing hmac 1
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing hmac 2
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing hmac 3
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing key length 32
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing key length 48
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing key length 64
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
-- 
2.26.2




* [PATCH 4/6] nvmeof-tcp/004: test hash and dhgroup variations
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
                   ` (2 preceding siblings ...)
  2021-11-12 14:45 ` [PATCH 3/6] nvmeof-tcp/003: test different key types Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication Hannes Reinecke
  2021-11-12 14:45 ` [PATCH 6/6] nvmeof-tcp/006: test re-authentication Hannes Reinecke
  5 siblings, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/004     | 86 ++++++++++++++++++++++++++++++++++++++++
 tests/nvmeof-tcp/004.out | 37 +++++++++++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 tests/nvmeof-tcp/004
 create mode 100644 tests/nvmeof-tcp/004.out

diff --git a/tests/nvmeof-tcp/004 b/tests/nvmeof-tcp/004
new file mode 100644
index 0000000..b9569dc
--- /dev/null
+++ b/tests/nvmeof-tcp/004
@@ -0,0 +1,86 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp hash and dh group selection
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Test hash and DH group for authenticated TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+	local hostkey
+
+	echo "Running ${TEST_NAME}"
+
+	hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"
+
+	for hash in "hmac(sha384)" "hmac(sha512)" ; do
+
+		echo "Testing hash ${hash}"
+
+		_set_nvmet_hash "${hostnqn}" "${hash}"
+
+		nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+		     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+		     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+		nvme list-subsys
+
+		nvme disconnect -n "${subsys}1"
+	done
+
+	for dhgroup in "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192" ; do
+
+		echo "Testing DH group ${dhgroup}"
+
+		_set_nvmet_dhgroup "${hostnqn}" "${dhgroup}"
+	
+		nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+		     -a "${def_traddr}" -s "${def_trsvcid}" -S "${hostkey}" \
+		     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+		nvme list-subsys
+
+		nvme disconnect -n "${subsys}1"
+	done
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	_remove_nvmet_host "${hostnqn}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
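Review bot: Both loops only check that a connection comes up, so a target that ignored the write to `dhchap_hash` or `dhchap_dhgroup` and negotiated its default would still produce the expected output. Reading the attribute back after `_set_nvmet_hash`/`_set_nvmet_dhgroup`, e.g. `cat "${NVMET_CFS}/hosts/${hostnqn}/dhchap_hash"`, and including it in the golden output would at least confirm the setting took effect. The hash also stays at `hmac(sha512)` for the whole DH group loop, so the listed DH groups are only exercised with that one hash.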
diff --git a/tests/nvmeof-tcp/004.out b/tests/nvmeof-tcp/004.out
new file mode 100644
index 0000000..dc226c8
--- /dev/null
+++ b/tests/nvmeof-tcp/004.out
@@ -0,0 +1,37 @@
+Running nvmeof-tcp/004
+Testing hash hmac(sha384)
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing hash hmac(sha512)
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing DH group ffdhe2048
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing DH group ffdhe3072
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing DH group ffdhe4096
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing DH group ffdhe6144
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Testing DH group ffdhe8192
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
-- 
2.26.2




* [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
                   ` (3 preceding siblings ...)
  2021-11-12 14:45 ` [PATCH 4/6] nvmeof-tcp/004: test hash and dhgroup variations Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  2021-11-17 21:50   ` Sagi Grimberg
  2021-11-12 14:45 ` [PATCH 6/6] nvmeof-tcp/006: test re-authentication Hannes Reinecke
  5 siblings, 1 reply; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/005     | 74 ++++++++++++++++++++++++++++++++++++++++
 tests/nvmeof-tcp/005.out |  6 ++++
 2 files changed, 80 insertions(+)
 create mode 100644 tests/nvmeof-tcp/005
 create mode 100644 tests/nvmeof-tcp/005.out

diff --git a/tests/nvmeof-tcp/005 b/tests/nvmeof-tcp/005
new file mode 100644
index 0000000..f33030a
--- /dev/null
+++ b/tests/nvmeof-tcp/005
@@ -0,0 +1,74 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp bi-directional authentication
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Test bi-directional authentication for TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+	local hostkey
+
+	echo "Running ${TEST_NAME}"
+
+	hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	ctrlkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"
+
+	_set_nvmet_dhgroup "${hostnqn}" "ffdhe2048"
+	_set_nvmet_ctrlkey "${hostnqn}" "${ctrlkey}"
+	
+	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+	     -a "${def_traddr}" -s "${def_trsvcid}" \
+	     -S "${hostkey}" -C "${ctrlkey}" \
+	     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+	nvme list-subsys
+
+	nvme disconnect -n "${subsys}1"
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	_remove_nvmet_host "${hostnqn}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
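Review bot: `ctrlkey` is assigned in `ctrlkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"` without a `local` declaration, so the controller secret leaks out of `test()` as a global and stays set for whatever runs next in the same shell. Add `local ctrlkey` next to `local hostkey`. 006 has the same issue for `ctrlkey`, `ctrl`, `new_hostkey` and `new_ctrlkey`. The second failure branch also repeats the message "nvme gen-dhchap-key command missing", which misleads when the first call worked and only the second failed.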
diff --git a/tests/nvmeof-tcp/005.out b/tests/nvmeof-tcp/005.out
new file mode 100644
index 0000000..2cd467a
--- /dev/null
+++ b/tests/nvmeof-tcp/005.out
@@ -0,0 +1,6 @@
+Running nvmeof-tcp/005
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
-- 
2.26.2




* [PATCH 6/6] nvmeof-tcp/006: test re-authentication
  2021-11-12 14:45 [PATCH blktests 0/6] Testsuite for nvme in-band authentication Hannes Reinecke
                   ` (4 preceding siblings ...)
  2021-11-12 14:45 ` [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication Hannes Reinecke
@ 2021-11-12 14:45 ` Hannes Reinecke
  5 siblings, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-12 14:45 UTC (permalink / raw)
  To: Sagi Grimberg
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme,
	Hannes Reinecke

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 tests/nvmeof-tcp/006     | 113 +++++++++++++++++++++++++++++++++++++++
 tests/nvmeof-tcp/006.out |  23 ++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 tests/nvmeof-tcp/006
 create mode 100644 tests/nvmeof-tcp/006.out

diff --git a/tests/nvmeof-tcp/006 b/tests/nvmeof-tcp/006
new file mode 100644
index 0000000..7376879
--- /dev/null
+++ b/tests/nvmeof-tcp/006
@@ -0,0 +1,113 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0+
+# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
+#
+# Test nvme over tcp re-authentication
+
+. tests/nvmeof-tcp/rc
+
+DESCRIPTION="Test re-authentication for TCP connection via localhost"
+QUICK=1
+
+requires() {
+	_nvme_requires
+	_have_modules loop
+	_require_nvme_trtype_is_fabrics
+}
+
+
+test() {
+	local port
+	local genctr
+	local subsys="blktests-subsystem-"
+	local hostid="$(uuidgen)"
+	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
+	local scratch="/tmp/blktest-ns1.img"
+	local hostkey
+
+	echo "Running ${TEST_NAME}"
+
+	hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	ctrlkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+	if [ $? -ne 0 ] ; then
+		echo "nvme gen-dhchap-key command missing"
+		return 1
+	fi
+
+	_setup_nvmet
+
+	truncate -s 512M "${scratch}"
+
+	port="$(_create_nvmet_port "${nvme_trtype}")"
+
+	_create_nvmet_subsystem "${subsys}1" "${scratch}"
+	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
+	_create_nvmet_host "${subsys}1" "${hostnqn}" "${hostkey}"
+
+	_set_nvmet_dhgroup "${hostnqn}" "ffdhe2048"
+	_set_nvmet_ctrlkey "${hostnqn}" "${ctrlkey}"
+	
+	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
+	     -a "${def_traddr}" -s "${def_trsvcid}" \
+	     -S "${hostkey}" -C "${ctrlkey}" \
+	     --hostnqn="${hostnqn}" --hostid="${hostid}"
+
+	nvme list-subsys
+
+	ctrl=$(_find_nvme_dev "${subsys}1")
+
+	echo "Re-authenticate with original host key"
+
+	echo "${hostkey}" > /sys/class/nvme/${ctrl}/dhchap_secret
+
+	echo "Renew host key on the controller"
+
+	new_hostkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+
+	_set_nvmet_hostkey "${hostnqn}" "${new_hostkey}"
+
+	echo "Re-authenticate with new host key"
+
+	echo "${new_hostkey}" > /sys/class/nvme/${ctrl}/dhchap_secret
+
+	nvme list-subsys
+
+	echo "Renew ctrl key on the controller"
+
+	new_ctrlkey="$(nvme gen-dhchap-key -n ${subsys}1 2> /dev/null)"
+
+	_set_nvmet_ctrlkey "${hostnqn}" "${new_ctrlkey}"
+
+	echo "Re-authenticate with new ctrl key"
+
+	echo "${new_ctrlkey}" > /sys/class/nvme/${ctrl}/dhchap_ctrl_secret
+
+	nvme list-subsys
+
+	echo "Change DH group to ffdhe8192"
+
+	_nvmet_set_dhgroup "${subsys}1" "ffdhe8192"
+
+	echo "Re-authenticate with changed DH group"
+	echo "${new_hostkey}" > /sys/class/nvme/${ctrl}/dhchap_secret
+
+	nvme list-subsys
+
+	nvme disconnect -n "${subsys}1"
+
+	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
+	_remove_nvmet_subsystem "${subsys}1"
+
+	_remove_nvmet_port "${port}"
+
+	_remove_nvmet_host "${hostnqn}"
+
+	rm ${scratch}
+
+	echo "Test complete"
+}
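Review bot: `_nvmet_set_dhgroup "${subsys}1" "ffdhe8192"` calls a function that rc does not define. The helper is `_set_nvmet_dhgroup` and it takes the host NQN, not the subsystem, so the DH group is never changed and the final re-authentication step tests nothing new. The golden file 006.out records `_nvmet_set_dhgroup: command not found` as expected output; that line must go once the call is fixed to `_set_nvmet_dhgroup "${hostnqn}" "ffdhe8192"`. The result of `_find_nvme_dev` is also used unchecked: if `ctrl` is empty the writes go to `/sys/class/nvme//dhchap_secret`, and the two later `gen-dhchap-key` calls have no status check, so an empty key could be written. A guard such as `[[ -n "${ctrl}" ]] || return 1` after the lookup would make these failures visible.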
diff --git a/tests/nvmeof-tcp/006.out b/tests/nvmeof-tcp/006.out
new file mode 100644
index 0000000..006d9fe
--- /dev/null
+++ b/tests/nvmeof-tcp/006.out
@@ -0,0 +1,23 @@
+Running nvmeof-tcp/006
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+Re-authenticate with original host key
+Renew host key on the controller
+Re-authenticate with new host key
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+Renew ctrl key on the controller
+Re-authenticate with new ctrl key
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+Change DH group to ffdhe8192
+tests/nvmeof-tcp/006: line 94: _nvmet_set_dhgroup: command not found
+Re-authenticate with changed DH group
+nvme-subsys0 - NQN=blktests-subsystem-1
+\
+ +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
+NQN:blktests-subsystem-1 disconnected 1 controller(s)
+Test complete
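Review bot: The expected output pins a failure: the line `tests/nvmeof-tcp/006: line 94: _nvmet_set_dhgroup: command not found` means the test only passes while that helper is missing, so the ffdhe8192 step never changes the DH group and the following re-authentication still runs with ffdhe2048. Earlier in the same test the helper is called as `_set_nvmet_dhgroup "${hostnqn}" "ffdhe2048"`; the later call should presumably read `_set_nvmet_dhgroup "${hostnqn}" "ffdhe8192"` (the helper is defined in the rc file, outside this hunk, so the argument is inferred from that earlier call), and this line should be dropped from 006.out. As recorded, the golden file would also break whenever the script's line numbering shifts.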
-- 
2.26.2




* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-12 14:45 ` [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection Hannes Reinecke
@ 2021-11-14 10:31   ` Sagi Grimberg
  2021-11-14 13:50     ` Hannes Reinecke
  0 siblings, 1 reply; 17+ messages in thread
From: Sagi Grimberg @ 2021-11-14 10:31 UTC (permalink / raw)
  To: Hannes Reinecke; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme


> Signed-off-by: Hannes Reinecke <hare@suse.de>
> ---
>   tests/nvmeof-tcp/001     |  55 +++++++
>   tests/nvmeof-tcp/001.out |   6 +
>   tests/nvmeof-tcp/rc      | 347 +++++++++++++++++++++++++++++++++++++++

Why another directory? why nvmeof-tcp? what prevents inband-auth
to be tested with loop/rdma?

>   3 files changed, 408 insertions(+)
>   create mode 100644 tests/nvmeof-tcp/001
>   create mode 100644 tests/nvmeof-tcp/001.out
>   create mode 100644 tests/nvmeof-tcp/rc
> 
> diff --git a/tests/nvmeof-tcp/001 b/tests/nvmeof-tcp/001
> new file mode 100644
> index 0000000..39f4108
> --- /dev/null
> +++ b/tests/nvmeof-tcp/001
> @@ -0,0 +1,55 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-3.0+
> +# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
> +#
> +# Test nvme over tcp connection
> +
> +. tests/nvmeof-tcp/rc
> +
> +DESCRIPTION="Create single TCP connection via localhost"
> +QUICK=1
> +
> +requires() {
> +	_nvme_requires
> +	_have_modules loop
> +	_require_nvme_trtype_is_fabrics
> +}
> +
> +
> +test() {
> +	local port
> +	local genctr
> +	local subsys="blktests-subsystem-"
> +	local hostid="$(uuidgen)"
> +	local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
> +	local scratch="/tmp/blktest-ns1.img"
> +
> +	echo "Running ${TEST_NAME}"
> +
> +	_setup_nvmet
> +
> +	truncate -s 512M "${scratch}"
> +
> +	port="$(_create_nvmet_port "${nvme_trtype}")"
> +
> +	_create_nvmet_subsystem "${subsys}1" "${scratch}"
> +	_add_nvmet_subsys_to_port "${port}" "${subsys}1"
> +	_create_nvmet_host "${subsys}1" "${hostnqn}"
> +
> +	nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
> +	     -a "${def_traddr}" -s "${def_trsvcid}" \
> +	     --hostnqn="${hostnqn}" --hostid="${hostid}"
> +
> +	nvme list-subsys
> +
> +	nvme disconnect -n "${subsys}1"
> +
> +	_remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
> +	_remove_nvmet_subsystem "${subsys}1"
> +
> +	_remove_nvmet_port "${port}"
> +
> +	rm ${scratch}
> +
> +	echo "Test complete"
> +}
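Review bot: `local scratch="/tmp/blktest-ns1.img"` is a fixed name in a world-writable directory, and `truncate -s 512M "${scratch}"` follows whatever is already at that path; since these tests configure nvmet and so presumably run as root, a pre-placed symlink would get another file resized. Creating the backing file with `scratch="$(mktemp /tmp/blktest-ns1.XXXXXX)"` (or under the test's own temporary directory, if the framework provides one) avoids that, and the cleanup should be `rm -- "${scratch}"` rather than the unquoted `rm ${scratch}`. `local hostid="$(uuidgen)"` also hides a uuidgen failure behind the exit status of `local`; declare first, then assign. The same unquoted `rm ${scratch}` appears at the end of the 006 test.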
> diff --git a/tests/nvmeof-tcp/001.out b/tests/nvmeof-tcp/001.out
> new file mode 100644
> index 0000000..1eae834
> --- /dev/null
> +++ b/tests/nvmeof-tcp/001.out
> @@ -0,0 +1,6 @@
> +Running nvmeof-tcp/001
> +nvme-subsys0 - NQN=blktests-subsystem-1
> +\
> + +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
> +NQN:blktests-subsystem-1 disconnected 1 controller(s)
> +Test complete
> diff --git a/tests/nvmeof-tcp/rc b/tests/nvmeof-tcp/rc
> new file mode 100644
> index 0000000..9ae0899
> --- /dev/null
> +++ b/tests/nvmeof-tcp/rc
> @@ -0,0 +1,347 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-3.0+
> +# Copyright (C) 2018 Johannes Thumshirn
> +#
> +# Test specific to NVMe devices

Isn't this just a copy of nvme/rc?



* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-14 10:31   ` Sagi Grimberg
@ 2021-11-14 13:50     ` Hannes Reinecke
  2021-11-14 14:45       ` Sagi Grimberg
  0 siblings, 1 reply; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-14 13:50 UTC (permalink / raw)
  To: Sagi Grimberg; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

On 11/14/21 11:31 AM, Sagi Grimberg wrote:
> 
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>>   tests/nvmeof-tcp/001     |  55 +++++++
>>   tests/nvmeof-tcp/001.out |   6 +
>>   tests/nvmeof-tcp/rc      | 347 +++++++++++++++++++++++++++++++++++++++
> 
> Why another directory? why nvmeof-tcp? what prevents inband-auth
> to be tested with loop/rdma?
> 
Technically, nothing.
But as I'll be looking into tcp in-band _encryption_ as the next step I
found it logical to have a distinct directory.
Especially as I still fail to see the actual use-case for using in-band 
authentication _without_ encryption.

We could rename it to nvmeof-auth, though.

Especially as there's the nvmeof-mp precedent, which also has a separate 
directory.

>>   3 files changed, 408 insertions(+)
>>   create mode 100644 tests/nvmeof-tcp/001
>>   create mode 100644 tests/nvmeof-tcp/001.out
>>   create mode 100644 tests/nvmeof-tcp/rc
>>
>> diff --git a/tests/nvmeof-tcp/001 b/tests/nvmeof-tcp/001
>> new file mode 100644
>> index 0000000..39f4108
>> --- /dev/null
>> +++ b/tests/nvmeof-tcp/001
>> @@ -0,0 +1,55 @@
>> +#!/bin/bash
>> +# SPDX-License-Identifier: GPL-3.0+
>> +# Copyright (C) 2021 Hannes Reinecke, SUSE Labs
>> +#
>> +# Test nvme over tcp connection
>> +
>> +. tests/nvmeof-tcp/rc
>> +
>> +DESCRIPTION="Create single TCP connection via localhost"
>> +QUICK=1
>> +
>> +requires() {
>> +    _nvme_requires
>> +    _have_modules loop
>> +    _require_nvme_trtype_is_fabrics
>> +}
>> +
>> +
>> +test() {
>> +    local port
>> +    local genctr
>> +    local subsys="blktests-subsystem-"
>> +    local hostid="$(uuidgen)"
>> +    local hostnqn="nqn.2014-08.org.nvmexpress:uuid:${hostid}"
>> +    local scratch="/tmp/blktest-ns1.img"
>> +
>> +    echo "Running ${TEST_NAME}"
>> +
>> +    _setup_nvmet
>> +
>> +    truncate -s 512M "${scratch}"
>> +
>> +    port="$(_create_nvmet_port "${nvme_trtype}")"
>> +
>> +    _create_nvmet_subsystem "${subsys}1" "${scratch}"
>> +    _add_nvmet_subsys_to_port "${port}" "${subsys}1"
>> +    _create_nvmet_host "${subsys}1" "${hostnqn}"
>> +
>> +    nvme connect -t "${nvme_trtype}" -n "${subsys}1" \
>> +         -a "${def_traddr}" -s "${def_trsvcid}" \
>> +         --hostnqn="${hostnqn}" --hostid="${hostid}"
>> +
>> +    nvme list-subsys
>> +
>> +    nvme disconnect -n "${subsys}1"
>> +
>> +    _remove_nvmet_subsystem_from_port "${port}" "${subsys}1"
>> +    _remove_nvmet_subsystem "${subsys}1"
>> +
>> +    _remove_nvmet_port "${port}"
>> +
>> +    rm ${scratch}
>> +
>> +    echo "Test complete"
>> +}
>> diff --git a/tests/nvmeof-tcp/001.out b/tests/nvmeof-tcp/001.out
>> new file mode 100644
>> index 0000000..1eae834
>> --- /dev/null
>> +++ b/tests/nvmeof-tcp/001.out
>> @@ -0,0 +1,6 @@
>> +Running nvmeof-tcp/001
>> +nvme-subsys0 - NQN=blktests-subsystem-1
>> +\
>> + +- nvme0 tcp traddr=127.0.0.1,trsvcid=4420 live
>> +NQN:blktests-subsystem-1 disconnected 1 controller(s)
>> +Test complete
>> diff --git a/tests/nvmeof-tcp/rc b/tests/nvmeof-tcp/rc
>> new file mode 100644
>> index 0000000..9ae0899
>> --- /dev/null
>> +++ b/tests/nvmeof-tcp/rc
>> @@ -0,0 +1,347 @@
>> +#!/bin/bash
>> +# SPDX-License-Identifier: GPL-3.0+
>> +# Copyright (C) 2018 Johannes Thumshirn
>> +#
>> +# Test specific to NVMe devices
> 
> Isn't this just a copy of nvme/rc?

Essentially, yes.
And I'd be happy to merge them, like having a common nvme rc
file to be used for all nvme related tests.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer



* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-14 13:50     ` Hannes Reinecke
@ 2021-11-14 14:45       ` Sagi Grimberg
  2021-11-15  2:34         ` Chaitanya Kulkarni
  2021-11-15  6:56         ` Hannes Reinecke
  0 siblings, 2 replies; 17+ messages in thread
From: Sagi Grimberg @ 2021-11-14 14:45 UTC (permalink / raw)
  To: Hannes Reinecke; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme



On 11/14/21 3:50 PM, Hannes Reinecke wrote:
> On 11/14/21 11:31 AM, Sagi Grimberg wrote:
>>
>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>> ---
>>>   tests/nvmeof-tcp/001     |  55 +++++++
>>>   tests/nvmeof-tcp/001.out |   6 +
>>>   tests/nvmeof-tcp/rc      | 347 +++++++++++++++++++++++++++++++++++++++
>>
>> Why another directory? why nvmeof-tcp? what prevents inband-auth
>> to be tested with loop/rdma?
>>
> Technically, nothing.
> But as I'll be looking into tcp in-band _encryption_ as the next step I 
> found it logical to have a disinct directory.

It is unclear to me why the separate directory is needed. But at least
call it something else if you must have it.

> Especially as I still fail to see the actual use-case for using in-band 
> authentication _without_ encryption.

Not sure what you mean. For the same use-case that iscsi chap exists
for. The secrets are pre-shared.

Perhaps you can explain? My understanding is that the extension for
nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
I am missing something.

> We could rename it to nvmeof-auth, though.

or just add it as more tests under nvme (or create a subdirectory).

> Especially as there's the nvmeof-mp precedent, which also has a separate 
> directory.

That one is for nvme and dm-multipath, not really a native suite for
nvme.



* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-14 14:45       ` Sagi Grimberg
@ 2021-11-15  2:34         ` Chaitanya Kulkarni
  2021-11-15  6:56         ` Hannes Reinecke
  1 sibling, 0 replies; 17+ messages in thread
From: Chaitanya Kulkarni @ 2021-11-15  2:34 UTC (permalink / raw)
  To: Hannes Reinecke
  Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme, Sagi Grimberg

Hannes,

On 11/14/2021 6:45 AM, Sagi Grimberg wrote:
> 
> 
> On 11/14/21 3:50 PM, Hannes Reinecke wrote:
>> On 11/14/21 11:31 AM, Sagi Grimberg wrote:
>>>
>>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>>> ---
>>>>   tests/nvmeof-tcp/001     |  55 +++++++
>>>>   tests/nvmeof-tcp/001.out |   6 +
>>>>   tests/nvmeof-tcp/rc      | 347 
>>>> +++++++++++++++++++++++++++++++++++++++
>>>
>>> Why another directory? why nvmeof-tcp? what prevents inband-auth
>>> to be tested with loop/rdma?
>>>
>> Technically, nothing.
>> But as I'll be looking into tcp in-band _encryption_ as the next step 
>> I found it logical to have a disinct directory.
> 
> It is unclear to me why the separate directory is needed. But at least
> call it something else if you must have it.
> 
>> Especially as I still fail to see the actual use-case for using 
>> in-band authentication _without_ encryption.
> 
> Not sure what you mean. For the same use-case that iscsi chap exists
> for. The secrets are pre-shared.
> 
> Perhaps you can explain? My understanding is that the extension for
> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
> I am missing something.
> 
>> We could rename it to nvmeof-auth, though.
> 
> or just add it as more tests under nvme (or create a subdirectory).
> 
>> Especially as there's the nvmeof-mp precedent, which also has a 
>> separate directory.
> 
> That one is for nvme and dm-multipath, not really a native suite for
> nvme.
> 


It will be great if we can avoid creating a different directory as we
need to make sure our tests are generic and can be applied to
different transports and new testcases that will get added to nvme
category (non-mp) can use this and existing infrastructure...




* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-14 14:45       ` Sagi Grimberg
  2021-11-15  2:34         ` Chaitanya Kulkarni
@ 2021-11-15  6:56         ` Hannes Reinecke
  2021-11-15  8:12           ` Sagi Grimberg
  1 sibling, 1 reply; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-15  6:56 UTC (permalink / raw)
  To: Sagi Grimberg; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

On 11/14/21 3:45 PM, Sagi Grimberg wrote:
> 
> 
> On 11/14/21 3:50 PM, Hannes Reinecke wrote:
>> On 11/14/21 11:31 AM, Sagi Grimberg wrote:
>>>
>>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>>> ---
>>>>   tests/nvmeof-tcp/001     |  55 +++++++
>>>>   tests/nvmeof-tcp/001.out |   6 +
>>>>   tests/nvmeof-tcp/rc      | 347 
>>>> +++++++++++++++++++++++++++++++++++++++
>>>
>>> Why another directory? why nvmeof-tcp? what prevents inband-auth
>>> to be tested with loop/rdma?
>>>
>> Technically, nothing.
>> But as I'll be looking into tcp in-band _encryption_ as the next step 
>> I found it logical to have a disinct directory.
> 
> It is unclear to me why the separate directory is needed. But at least
> call it something else if you must have it.
> 
>> Especially as I still fail to see the actual use-case for using 
>> in-band authentication _without_ encryption.
> 
> Not sure what you mean. For the same use-case that iscsi chap exists
> for. The secrets are pre-shared.
> 
And that's the use case I don't really get; the authentication is done 
only once during connection establishment, and then completely ignored
for the remainder of the session.

> Perhaps you can explain? My understanding is that the extension for
> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
> I am missing something.
> 
Yes, and no.
Technically TLS is independent from authentication, and as such you can 
'just' use encryption.
But if you want to have both there is the so-called secure 
concatenation, which allows you to use the negotiated shared key from 
authentication as PSK for TLS.

And that's where I think the real value lies for authentication; you 
precisely do _not_ have to maintain two sets of keys.

>> We could rename it to nvmeof-auth, though.
> 
> or just add it as more tests under nvme (or create a subdirectory).
> 
Sure we can. I just found it easier to create my own directory, 
especially seeing that the nvme subdir has the largest number of tests 
already.
But if you prefer I can move it under the 'nvme' directory.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer



* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-15  6:56         ` Hannes Reinecke
@ 2021-11-15  8:12           ` Sagi Grimberg
  2021-11-15  8:37             ` Hannes Reinecke
  0 siblings, 1 reply; 17+ messages in thread
From: Sagi Grimberg @ 2021-11-15  8:12 UTC (permalink / raw)
  To: Hannes Reinecke; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme


>> It is unclear to me why the separate directory is needed. But at least
>> call it something else if you must have it.
>>
>>> Especially as I still fail to see the actual use-case for using 
>>> in-band authentication _without_ encryption.
>>
>> Not sure what you mean. For the same use-case that iscsi chap exists
>> for. The secrets are pre-shared.
>>
> And that's the use case I don't really get; the authentication is done 
> only once during connection establishment, and then completely ignored
> for the remainder of the session.

I have a different view on this. Authentication isn't really related to
the datapath, but really only relevant to the queue establishment.

> 
>> Perhaps you can explain? My understanding is that the extension for
>> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
>> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
>> I am missing something.
>>
> Yes, and no.
> Technically TLS is independent from authentication, and as such you can 
> 'just' use encryption.
> But if you want to have both there is the so-called secure 
> concatenation, which allows you to use the negotiated shared key from 
> authentication as PSK for TLS.

Well, TLS is a longer journey for a number of reasons which I won't
elaborate here.

> And that's where I think the real value lies for authentication; you 
> precisely do _not_ have to maintain two sets of keys.

I can't say I completely agree with you. There are means today to
encrypt data over the wire. Granted, it will negate possible data
reduction gains, but still a mitigation exists.

On the other hand, today any unauthenticated host can connect to
any fabrics controller, which is a problem. I don't think you should
minimize the magnitude of your contribution as this is a real issue
with nvmeof acceptance in enterprise environments.

I do agree that when TLS is used, it is indeed very useful to not
have to maintain two sets of pre-shared secrets, but I don't think
that there is no use-case for inband authentication in the absence
of TLS.

> 
>>> We could rename it to nvmeof-auth, though.
>>
>> or just add it as more tests under nvme (or create a subdirectory).
>>
> Sure we can. I just found it easier to create my own directory, 
> especially seeing that the nvme subdir has the largest number of tests 
> already.
> But if you prefer I can move it under the 'nvme' directory.

I think that it would definitely be an improvement, also because people
usually run the nvme directory tests which is nice and simple, we should
strive to keep it this way.



* Re: [PATCH 1/6] nvmeof-tcp/001: simple test for nvmeof-tcp connection
  2021-11-15  8:12           ` Sagi Grimberg
@ 2021-11-15  8:37             ` Hannes Reinecke
  0 siblings, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-15  8:37 UTC (permalink / raw)
  To: Sagi Grimberg; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

On 11/15/21 9:12 AM, Sagi Grimberg wrote:
> 
>>> It is unclear to me why the separate directory is needed. But at least
>>> call it something else if you must have it.
>>>
>>>> Especially as I still fail to see the actual use-case for using
>>>> in-band authentication _without_ encryption.
>>>
>>> Not sure what you mean. For the same use-case that iscsi chap exists
>>> for. The secrets are pre-shared.
>>>
>> And that's the use case I don't really get; the authentication is done
>> only once during connection establishment, and then completely ignored
>> for the remainder of the session.
> 
> I have a different view on this. Authentication isn't really related to
> the datapath, but really only relevant to the queue establishment.
> 
>>
>>> Perhaps you can explain? My understanding is that the extension for
>>> nvme-tcp TLS based auth is to avoid maintaining two sets of pre-shared
>>> keys, i.e just maintain the TLS ones and not the dhchap ones. But maybe
>>> I am missing something.
>>>
>> Yes, and no.
>> Technically TLS is independent from authentication, and as such you
>> can 'just' use encryption.
>> But if you want to have both there is the so-called secure
>> concatenation, which allows you to use the negotiated shared key from
>> authentication as PSK for TLS.
> 
> Well, TLS is a longer journey for a number of reasons which I won't
> elaborate here.
> 
Quite.

>> And that's where I think the real value lies for authentication; you
>> precisely do _not_ have to maintain two sets of keys.
> 
> I can't say I completely agree with you. There are means today to
> encrypt data over the wire. Granted, it will negate possible data
> reduction gains, but still a mitigation exists.
> 
> On the other hand, today any unauthenticated host can connect to
> any fabrics controller, which is a problem. I don't think you should
> minimize the magnitude of your contribution as this is a real issue
> with nvmeof acceptance in enterprise environments.
> 
That's why I always took care to state that it's _my_ view.
Security is still a rather new topic to me, and as such quite some
techniques used here (derive key (a) from key (b) which is derived from
key (c) etc) feel rather redundant to me.
So there's a bit of a learning curve ahead :-)

> I do agree that when TLS is used, it is indeed very useful to not
> have to maintain two sets of pre-shared secrets, but I don't think
> that there is no use-case for inband authentication in the absence
> of TLS.
> 

Oh, surely not. I have been assured from several parties that they want
to use authentication, so who am I to argue with them :-)
And anyway, motivation was to have a working implementation before HW
vendors have a chance to mess things up :-)

>>
>>>> We could rename it to nvmeof-auth, though.
>>>
>>> or just add it as more tests under nvme (or create a subdirectory).
>>>
>> Sure we can. I just found it easier to create my own directory,
>> especially seeing that the nvme subdir has the largest number of tests
>> already.
>> But if you prefer I can move it under the 'nvme' directory.
> 
> I think that it would definitely be an improvement, also because people
> usually run the nvme directory tests which is nice and simple, we should
> strive to keep it this way.

Okay, will be doing so.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer



* Re: [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication
  2021-11-12 14:45 ` [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication Hannes Reinecke
@ 2021-11-17 21:50   ` Sagi Grimberg
  2021-11-18  9:40     ` Hannes Reinecke
  2021-11-19 11:29     ` Hannes Reinecke
  0 siblings, 2 replies; 17+ messages in thread
From: Sagi Grimberg @ 2021-11-17 21:50 UTC (permalink / raw)
  To: Hannes Reinecke; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

Hannes,

Should we add negative test cases for each of these tests?
Currently for some reason I'm able to connect even though
I provide the host a different dhchap_ctrl_key.

Controller:
--
# grep -r '' 
/sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4
/sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_dhgroup:null
/sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_hash:hmac(sha512)
/sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_ctrl_key:DHHC-1:03:M4ik+B5zPy9vqzH0Ef9sLWXLL7HQ1JEqx0IkhMWwNPc0tq8ZLkTQstMl1A9wkMFzzo52hJwQ0wP9GELWmUwUgFisuGw=:
/sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_key:DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:
--

Host (use same key for -S and -C):
--
# ./nvme connect -t tcp -a 192.168.123.1 -n testnqn1 -s 8009 -S 
"DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:" 
-C 
"DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:"
# nvme list
Node                  SN                   Model 
             Namespace Usage                      Format           FW Rev
--------------------- -------------------- 
---------------------------------------- --------- 
-------------------------- ---------------- --------
/dev/nvme0n1          c7ebe13b94f6ad3885c7 Linux 
             1         268.44  GB / 268.44  GB    512   B +  0 B   5.15.0-r
--

Am I doing something wrong?



* Re: [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication
  2021-11-17 21:50   ` Sagi Grimberg
@ 2021-11-18  9:40     ` Hannes Reinecke
  2021-11-19 11:29     ` Hannes Reinecke
  1 sibling, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-18  9:40 UTC (permalink / raw)
  To: Sagi Grimberg; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

On 11/17/21 10:50 PM, Sagi Grimberg wrote:
> Hannes,
> 
> Should we add negative test cases for each of these tests?
> Currently for some reason I'm able to connect even though
> I provide the host a different dhchap_ctrl_key.
> 
> Controller:
> -- 
> # grep -r ''
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_dhgroup:null
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_hash:hmac(sha512)
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_ctrl_key:DHHC-1:03:M4ik+B5zPy9vqzH0Ef9sLWXLL7HQ1JEqx0IkhMWwNPc0tq8ZLkTQstMl1A9wkMFzzo52hJwQ0wP9GELWmUwUgFisuGw=:
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_key:DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:
> 
> -- 
> 
> Host (use same key for -S and -C):
> -- 
> # ./nvme connect -t tcp -a 192.168.123.1 -n testnqn1 -s 8009 -S
> "DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:"
> -C
> "DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:"
> 
> # nvme list
> Node                  SN                   Model             Namespace
> Usage                      Format           FW Rev
> --------------------- --------------------
> ---------------------------------------- ---------
> -------------------------- ---------------- --------
> /dev/nvme0n1          c7ebe13b94f6ad3885c7 Linux             1        
> 268.44  GB / 268.44  GB    512   B +  0 B   5.15.0-r
> -- 
> 
> Am I doing something wrong?

Hmm. Not that I can see.

I'll be checking what's going on here.

And yes, some negative tests won't go amiss.
I'll be adding them; or, rather, update the current ones to test with
mismatched credentials, too.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer



* Re: [PATCH 5/6] nvmeof-tcp/005: test bi-directional authentication
  2021-11-17 21:50   ` Sagi Grimberg
  2021-11-18  9:40     ` Hannes Reinecke
@ 2021-11-19 11:29     ` Hannes Reinecke
  1 sibling, 0 replies; 17+ messages in thread
From: Hannes Reinecke @ 2021-11-19 11:29 UTC (permalink / raw)
  To: Sagi Grimberg; +Cc: Christoph Hellwig, Keith Busch, Omar Sandoval, linux-nvme

On 11/17/21 10:50 PM, Sagi Grimberg wrote:
> Hannes,
> 
> Should we add negative test cases for each of these tests?
> Currently for some reason I'm able to connect even though
> I provide the host a different dhchap_ctrl_key.
> 
> Controller:
> -- 
> # grep -r ''
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_dhgroup:null
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_hash:hmac(sha512)
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_ctrl_key:DHHC-1:03:M4ik+B5zPy9vqzH0Ef9sLWXLL7HQ1JEqx0IkhMWwNPc0tq8ZLkTQstMl1A9wkMFzzo52hJwQ0wP9GELWmUwUgFisuGw=:
> 
> /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_key:DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:
> 
> -- 
> 
> Host (use same key for -S and -C):
> -- 
> # ./nvme connect -t tcp -a 192.168.123.1 -n testnqn1 -s 8009 -S
> "DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:"
> -C
> "DHHC-1:03:ynOWXFT8AC/OlvuIkpQ1RQlDAuHz2axeP43zmws90yRhPHNP5HyDQSI3m+WCBKcUfl7gRraflcb7nHAHR5mTh9t22Js=:"
> 
> # nvme list
> Node                  SN                   Model             Namespace
> Usage                      Format           FW Rev
> --------------------- --------------------
> ---------------------------------------- ---------
> -------------------------- ---------------- --------
> /dev/nvme0n1          c7ebe13b94f6ad3885c7 Linux             1        
> 268.44  GB / 268.44  GB    512   B +  0 B   5.15.0-r
> -- 
> 
> Am I doing something wrong?
> 
D'oh. Fix is:

diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 4dafa04aee8c..68f195dd245a 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -1351,7 +1351,7 @@ static void __nvme_auth_work(struct work_struct *work)
        }

        ret = nvme_auth_process_dhchap_success1(ctrl, chap);
-       if (ret < 0) {
+       if (ret) {
                /* Controller authentication failed */
                goto fail2;
        }
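Review bot: The comment `/* Controller authentication failed */` does not say why the test is `if (ret)` and not `if (ret < 0)`, which is the whole point of the fix: judging from the thread, nvme_auth_process_dhchap_success1() can report a rejected controller response with a positive value, and the old check let the connection proceed in that case. I would spell that out, e.g. `/* Controller authentication failed; nonzero covers -errno and positive status */`, so the check is not narrowed again later. The other `ret` checks in __nvme_auth_work() lie outside the hunk; any that follow a helper with the same return convention deserve the same look.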

I'll fold it into the next version.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

