* nvme: In-kernel TLS support for TCP
  12:43 Hannes Reinecke
  12:43 ` nvme-keyring: register '.nvme' keyring Hannes Reinecke
  (18 more replies)
  0 siblings, 19 replies; 90+ messages in thread
From: Hannes Reinecke 12:43 UTC
Cc: Sagi Grimberg, Keith Busch, linux-nvme, Chuck Lever,

finally I've managed to put all things together and enable in-kernel

The patchset is based on the TLS upcall mechanism from Chuck Lever
(cf 'Another crack at a handshake upcall mechanism'
posted to the linux netdev list), and requires the 'tlshd' userspace

A dedicated '.nvme' keyring is created to hold the pre-shared keys (PSKs)
for the TLS handshake. Keys will have to be provisioned before TLS handshake
is attempted; I'll be sending a patch for nvme-cli separately.

After connection to the remote TCP port the client side will check if there are
matching PSKs, and call the TLS userspace daemon to initiate a TLS handshake.
The server side will be doing a MSG_PEEK on the first incoming PDU after
accept(), and check if it's a TCP ICREQ packet. If not it's assumed to be
a TLS ClientHello and the TLS userspace daemon is invoked for the TLS
If the TLS handshake succeeds the userspace daemon will be activating
KTLS on the socket, and control is passed back to the kernel.

The one issue of note is the multiple identity handling.
The NVMe TCP spec defines up to 4 PSK identities, and
TLS 1.3 allows for several identities to be sent with the
ClientHello. So in theory we could send them all in one go.
Sadly none of the userspace libraries implement this feature,
so we have to test each possible identity and terminate the
With this patchset all possible identities need to be part of
the keyring, and the client side will be trying to establish
a TLS connection with each matching PSK from the keyring.
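The server-side demultiplexing that the cover letter describes (a MSG_PEEK on the first bytes after accept(), then either kernel NVMe/TCP ICReq processing or the TLS handshake daemon) as an added user-space C example; this is not code from the patchset, from tlshd or from nvme-cli. It assumes the NVMe/TCP ICReq header layout (PDU type 0x00, HLEN 128, PDO 0, PLEN 128, little-endian) and the TLS record header layout. The extra check that a non-ICReq message really starts with a TLS handshake record carrying a ClientHello is my addition; the cover letter simply hands anything that is not an ICReq to the TLS daemon. The sample messages are constructed, and the socketpair stands in for an accepted TCP connection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* NVMe/TCP ICReq PDU, assumed layout: 8-byte common header with
 * type 0x00, flags, HLEN 128, PDO 0, PLEN 128 (little-endian). */
#define NVME_TCP_ICREQ_TYPE 0x00
#define NVME_TCP_ICREQ_HLEN 128
#define NVME_TCP_ICREQ_PLEN 128
/* TLS record header: content type 22 = handshake, legacy_record_version,
 * 2-byte length, then the handshake message type; 1 = ClientHello. */
#define TLS_CT_HANDSHAKE    0x16
#define TLS_HS_CLIENT_HELLO 0x01

enum first_pdu { PDU_UNKNOWN = 0, PDU_SHORT, PDU_ICREQ, PDU_TLS_CLIENT_HELLO };

/* Classify the first bytes of a freshly accepted connection. Kept free of
 * socket calls so it can be exercised on constructed buffers. */
enum first_pdu classify_first_pdu(const uint8_t *buf, size_t len)
{
	uint32_t plen;

	if (len < 8)	/* need the whole 8-byte NVMe/TCP common header */
		return PDU_SHORT;

	plen = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
	       (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
	if (buf[0] == NVME_TCP_ICREQ_TYPE && buf[2] == NVME_TCP_ICREQ_HLEN &&
	    buf[3] == 0 && plen == NVME_TCP_ICREQ_PLEN)
		return PDU_ICREQ;

	/* Not an ICReq: the cover letter assumes TLS from here on. As an
	 * added sanity check, insist on a handshake record with a ClientHello. */
	if (buf[0] == TLS_CT_HANDSHAKE && buf[1] == 0x03 &&
	    buf[2] >= 0x01 && buf[2] <= 0x03 && buf[5] == TLS_HS_CLIENT_HELLO)
		return PDU_TLS_CLIENT_HELLO;

	return PDU_UNKNOWN;
}

/* Peek at the accepted socket without consuming anything, so whichever
 * consumer is chosen (NVMe/TCP ICReq handling or the TLS handshake daemon)
 * still reads the message from its first byte. */
enum first_pdu peek_first_pdu(int fd)
{
	uint8_t hdr[8];
	ssize_t n = recv(fd, hdr, sizeof(hdr), MSG_PEEK);

	if (n < 0)
		return PDU_UNKNOWN;
	return classify_first_pdu(hdr, (size_t)n);
}

/* Constructed ICReq: common header, then PFV/HPDA/DIGEST/MAXR2T all zero,
 * padded to the 128-byte PDU length. */
static const uint8_t sample_icreq[128] = { 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00 };
/* Constructed, truncated prefix of a TLS 1.3 ClientHello record:
 * handshake record, legacy version TLS 1.0, then ClientHello + legacy_version. */
static const uint8_t sample_client_hello[] = { 0x16, 0x03, 0x01, 0x00, 0xc4,
					       0x01, 0x00, 0x00, 0xc0, 0x03, 0x03 };
/* Constructed junk: someone pointed an HTTP client at the NVMe/TCP port. */
static const uint8_t sample_junk[] = "GET / HTTP/1.0\r\n";

/* Push one constructed first message through a socketpair, peek-classify it,
 * then verify that a real read still returns the untouched message. */
enum first_pdu demo_peek(const uint8_t *msg, size_t len, int *intact)
{
	int sv[2];
	uint8_t rd[256];
	ssize_t n;
	enum first_pdu kind;

	*intact = 0;
	if (len > sizeof(rd) || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return PDU_UNKNOWN;
	if (send(sv[0], msg, len, 0) != (ssize_t)len) {
		close(sv[0]);
		close(sv[1]);
		return PDU_UNKNOWN;
	}
	kind = peek_first_pdu(sv[1]);
	n = recv(sv[1], rd, sizeof(rd), 0);	/* consuming read after the peek */
	*intact = (n == (ssize_t)len && memcmp(rd, msg, len) == 0);
	close(sv[0]);
	close(sv[1]);
	return kind;
}

int main(void)
{
	int intact;
	enum first_pdu k;

	k = demo_peek(sample_icreq, sizeof(sample_icreq), &intact);
	printf("ICReq       -> %d, intact after peek: %d\n", k, intact);
	k = demo_peek(sample_client_hello, sizeof(sample_client_hello), &intact);
	printf("ClientHello -> %d, intact after peek: %d\n", k, intact);
	k = demo_peek(sample_junk, sizeof(sample_junk), &intact);
	printf("junk        -> %d, intact after peek: %d\n", k, intact);
	return 0;
}
```

The point of the peek is the second read in demo_peek: the classification must not consume bytes, because the winner of the demux (kernel ICReq parsing or tlshd) has to see the message from the start. A short peek (fewer than 8 bytes available) is reported as PDU_SHORT rather than guessed; a real server would wait for more data before deciding.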