linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Hannes Reinecke <hare@suse.de>
To: Max Gurtovoy <mgurtovoy@nvidia.com>, Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
	linux-nvme@lists.infradead.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH 09/11] nvmet: Implement basic In-Band Authentication
Date: Mon, 23 May 2022 08:03:05 +0200	[thread overview]
Message-ID: <903b586c-b539-c4e5-9233-7e24aa55f11b@suse.de> (raw)
In-Reply-To: <e13a0c12-362d-e4b6-c558-03367815264b@nvidia.com>

On 5/22/22 13:44, Max Gurtovoy wrote:
> Hi Hannes,
> 
> On 5/18/2022 2:22 PM, Hannes Reinecke wrote:
>> Implement NVMe-oF In-Band authentication according to NVMe TPAR 8006.
>> This patch adds three additional configfs entries 'dhchap_key',
>> 'dhchap_ctrl_key', and 'dhchap_hash' to the 'host' configfs directory.
>> The 'dhchap_key' and 'dhchap_ctrl_key' entries need to be in the ASCII
>> format as specified in NVMe Base Specification v2.0 section 8.13.5.8
>> 'Secret representation'.
>> 'dhchap_hash' defaults to 'hmac(sha256)', and can be written to to
>> switch to a different HMAC algorithm.
>>
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>>   drivers/nvme/target/Kconfig            |  12 +
>>   drivers/nvme/target/Makefile           |   1 +
>>   drivers/nvme/target/admin-cmd.c        |   2 +
>>   drivers/nvme/target/auth.c             | 367 ++++++++++++++++++
>>   drivers/nvme/target/configfs.c         | 107 +++++-
>>   drivers/nvme/target/core.c             |  11 +
>>   drivers/nvme/target/fabrics-cmd-auth.c | 491 +++++++++++++++++++++++++
>>   drivers/nvme/target/fabrics-cmd.c      |  38 +-
>>   drivers/nvme/target/nvmet.h            |  62 ++++
>>   9 files changed, 1088 insertions(+), 3 deletions(-)
>>   create mode 100644 drivers/nvme/target/auth.c
>>   create mode 100644 drivers/nvme/target/fabrics-cmd-auth.c
>>
>> diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig
>> index 973561c93888..e569319be679 100644
>> --- a/drivers/nvme/target/Kconfig
>> +++ b/drivers/nvme/target/Kconfig
>> @@ -83,3 +83,15 @@ config NVME_TARGET_TCP
>>         devices over TCP.
>>         If unsure, say N.
>> +
>> +config NVME_TARGET_AUTH
>> +    bool "NVMe over Fabrics In-band Authentication support"
>> +    depends on NVME_TARGET
>> +    depends on NVME_AUTH
>> +    select CRYPTO_HMAC
>> +    select CRYPTO_SHA256
>> +    select CRYPTO_SHA512
>> +    help
>> +      This enables support for NVMe over Fabrics In-band Authentication
>> +
>> +      If unsure, say N.
>> diff --git a/drivers/nvme/target/Makefile b/drivers/nvme/target/Makefile
>> index 9837e580fa7e..c66820102493 100644
>> --- a/drivers/nvme/target/Makefile
>> +++ b/drivers/nvme/target/Makefile
>> @@ -13,6 +13,7 @@ nvmet-y        += core.o configfs.o admin-cmd.o 
>> fabrics-cmd.o \
>>               discovery.o io-cmd-file.o io-cmd-bdev.o
>>   nvmet-$(CONFIG_NVME_TARGET_PASSTHRU)    += passthru.o
>>   nvmet-$(CONFIG_BLK_DEV_ZONED)        += zns.o
>> +nvmet-$(CONFIG_NVME_TARGET_AUTH)    += fabrics-cmd-auth.o auth.o
>>   nvme-loop-y    += loop.o
>>   nvmet-rdma-y    += rdma.o
>>   nvmet-fc-y    += fc.o
>> diff --git a/drivers/nvme/target/admin-cmd.c 
>> b/drivers/nvme/target/admin-cmd.c
>> index 31df40ac828f..fc8a957fad0a 100644
>> --- a/drivers/nvme/target/admin-cmd.c
>> +++ b/drivers/nvme/target/admin-cmd.c
>> @@ -1018,6 +1018,8 @@ u16 nvmet_parse_admin_cmd(struct nvmet_req *req)
>>       if (nvme_is_fabrics(cmd))
>>           return nvmet_parse_fabrics_admin_cmd(req);
>> +    if (unlikely(!nvmet_check_auth_status(req)))
>> +        return NVME_SC_AUTH_REQUIRED | NVME_SC_DNR;
>>       if (nvmet_is_disc_subsys(nvmet_req_subsys(req)))
>>           return nvmet_parse_discovery_cmd(req);
>> diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
>> new file mode 100644
>> index 000000000000..003c0faad7ff
>> --- /dev/null
>> +++ b/drivers/nvme/target/auth.c
>> @@ -0,0 +1,367 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * NVMe over Fabrics DH-HMAC-CHAP authentication.
>> + * Copyright (c) 2020 Hannes Reinecke, SUSE Software Solutions.
>> + * All rights reserved.
>> + */
>> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>> +#include <linux/module.h>
>> +#include <linux/init.h>
>> +#include <linux/slab.h>
>> +#include <linux/err.h>
>> +#include <crypto/hash.h>
>> +#include <linux/crc32.h>
>> +#include <linux/base64.h>
>> +#include <linux/ctype.h>
>> +#include <linux/random.h>
>> +#include <asm/unaligned.h>
>> +
>> +#include "nvmet.h"
>> +#include "../host/auth.h"
> 
> maybe we can put the common stuff to include/linux/nvme-auth.h instead 
> of doing ../host/auth.h ?
> 
> 
Yes, we can do that.
Will be fixing it for the next round.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman

  reply	other threads:[~2022-05-23  7:30 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-18 11:22 [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 01/11] crypto: add crypto_has_shash() Hannes Reinecke
2022-05-27 10:05   ` Herbert Xu
2022-05-18 11:22 ` [PATCH 02/11] crypto: add crypto_has_kpp() Hannes Reinecke
2022-05-27 10:06   ` Herbert Xu
2022-05-18 11:22 ` [PATCH 03/11] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2022-05-18 11:22 ` [PATCH 04/11] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 05/11] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2022-05-18 11:22 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-05-18 11:22 ` [PATCH 07/11] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 08/11] nvmet: parse fabrics commands on io queues Hannes Reinecke
2022-05-18 11:22 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-05-22 11:44   ` Max Gurtovoy
2022-05-23  6:03     ` Hannes Reinecke [this message]
2022-05-25 10:42       ` Sagi Grimberg
2022-06-07 10:46     ` Christoph Hellwig
2022-05-18 11:22 ` [PATCH 10/11] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-05-25  9:54 ` [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-25 10:37   ` Sagi Grimberg
2022-05-26  9:00   ` Christoph Hellwig
2022-05-27  5:50     ` Hannes Reinecke
2022-05-27  6:31       ` Hannes Reinecke
2022-05-27 10:06       ` Herbert Xu
2022-05-27 10:21         ` Hannes Reinecke
2022-06-07 10:45           ` Christoph Hellwig
  -- strict thread matches above, loose matches on Subject: below --
2021-07-16 11:04 [RFC PATCH " Hannes Reinecke
2021-07-16 11:04 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2021-07-17 16:49   ` Stephan Müller
2021-07-18 12:37     ` Hannes Reinecke
2021-07-18 12:56       ` Stephan Müller
2021-07-19  8:15         ` Hannes Reinecke
2021-07-19  8:51           ` Stephan Mueller
2021-07-19  9:57             ` Hannes Reinecke
2021-07-19 10:19               ` Stephan Mueller
2021-07-19 11:10                 ` Hannes Reinecke
2021-07-19 11:52                   ` Stephan Mueller
2021-07-19 12:08                     ` Hannes Reinecke
2021-07-20 10:14                     ` Hannes Reinecke
2021-07-20 10:49                       ` Simo Sorce
2021-07-20 11:31                         ` Hannes Reinecke
2021-07-20 14:44                           ` Simo Sorce
2021-07-20 14:47                             ` Stephan Mueller
2021-07-23 20:02                 ` Vladislav Bolkhovitin
2021-07-18 13:26       ` Herbert Xu
2021-07-19 20:38   ` Sagi Grimberg
2021-07-20  6:08     ` Hannes Reinecke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=903b586c-b539-c4e5-9233-7e24aa55f11b@suse.de \
    --to=hare@suse.de \
    --cc=hch@lst.de \
    --cc=kbusch@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=mgurtovoy@nvidia.com \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).