Re: [PATCH 10/12] nvmet: Implement basic In-Band Authentication
From: Sagi Grimberg <sagi@grimberg.me>
Date: 2021-09-29 20:03:30

> > On the target:
> > # grep -r '' /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress\:uuid\:b73ff014-2723-4114-aa8d-2f784ecba4f4/
> > /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_dhgroup:null
> > /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_hash:hmac(sha512)
> > /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_ctrl_key:
> > /sys/kernel/config/nvmet/hosts/nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4/dhchap_key:DHHC-1:03:KUwVlIUo627Pn05W/lRL2XD57kzIs1yZzJWdd2vgZJUC74kr:
> >
> > On the host:
> > # ./nvme connect-all --dhchap-secret="DHHC-1:03:KUwVlIUo627Pn05W/lRL2XD57kzIs1yZzJWdd2vgZJUC74kr:"
> > failed to connect controller, error 5
> >
> > On the target dmesg:
> > [ 8695.716117] nvmet: creating controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4.
> > [ 8695.749996] nvmet: creating controller 2 for subsystem testnqn1 for NQN nqn.2014-08.org.nvmexpress:uuid:b73ff014-2723-4114-aa8d-2f784ecba4f4 with DH-HMAC-CHAP.
> > [ 8695.755361] nvmet: ctrl 2 qid 0 failure1 (1)
> > [ 8695.755449] nvmet: ctrl 2 fatal error occurred!
> >
> > On the host dmesg:
> > [ 8781.616712] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 192.168.123.1:8009
> > [ 8781.637954] nvme nvme2: qid 0: authentication failed
> > [ 8781.638084] nvme nvme2: failed to connect queue: 0 ret=401
> >
> > If I change the dhchap_hash to hmac(sha256) authentication succeeds. The failure with hmac(sha512) comes from the above condition as the host is sending key length 64 and nvmet is expecting 32.
>
> A-ha. That shouldn't have happened; selecting the hash on the target was _supposed_ to be reflected to the host.
> You did mention something about blocktests; guess I'll need to bite the bullet and actually implement something there.

That is why I mentioned it ;)

_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme