Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
From: Chris Leech
Date: Mon Mar 02 2026 - 23:04:47 EST

This series looks good to me.

Tested against the existing code for interoperability in
bi-directional authentication and TLS with auth generated PSKs.

Reviewed-by: Chris Leech <cleech@xxxxxxxxxx>

On Sun, Mar 01, 2026 at 11:59:38PM -0800, Eric Biggers wrote:
> This series converts the implementation of NVMe in-band authentication
> to use the crypto library instead of crypto_shash for HMAC and hashing.
>
> The result is simpler, faster, and more reliable. Notably, it
> eliminates a lot of dynamic memory allocations, indirect calls, lookups
> in crypto_alg_list, and other API overhead. It also uses the library's
> support for initializing HMAC contexts directly from a raw key, which is
> an optimization not accessible via crypto_shash. Finally, a lot of the
> error handling code goes away, since the library functions just always
> succeed and return void.
>
> The last patch removes crypto/hkdf.c, as it's no longer needed.
>
> This series applies to v7.0-rc1 and is targeting the nvme tree.
>
> I've tested the TLS key derivation using the KUnit test suite added in
> this series. I don't know how to test the other parts, but it all
> should behave the same as before.
>
> Eric Biggers (21):
>   nvme-auth: add NVME_AUTH_MAX_DIGEST_SIZE constant
>   nvme-auth: common: constify static data
>   nvme-auth: use proper argument types
>   nvme-auth: common: add KUnit tests for TLS key derivation
>   nvme-auth: rename nvme_auth_generate_key() to nvme_auth_parse_key()
>   nvme-auth: common: explicitly verify psk_len == hash_len
>   nvme-auth: common: add HMAC helper functions
>   nvme-auth: common: use crypto library in nvme_auth_transform_key()
>   nvme-auth: common: use crypto library in
>     nvme_auth_augmented_challenge()
>   nvme-auth: common: use crypto library in nvme_auth_generate_psk()
>   nvme-auth: common: use crypto library in nvme_auth_generate_digest()
>   nvme-auth: common: use crypto library in nvme_auth_derive_tls_psk()
>   nvme-auth: host: use crypto library in
>     nvme_auth_dhchap_setup_host_response()
>   nvme-auth: host: use crypto library in
>     nvme_auth_dhchap_setup_ctrl_response()
>   nvme-auth: host: remove allocation of crypto_shash
>   nvme-auth: target: remove obsolete crypto_has_shash() checks
>   nvme-auth: target: use crypto library in nvmet_auth_host_hash()
>   nvme-auth: target: use crypto library in nvmet_auth_ctrl_hash()
>   nvme-auth: common: remove nvme_auth_digest_name()
>   nvme-auth: common: remove selections of no-longer used crypto modules
>   crypto: remove HKDF library
>
> crypto/Kconfig | 6 -
> crypto/Makefile | 1 -
> crypto/hkdf.c | 573 ------------------------
> drivers/nvme/common/.kunitconfig | 6 +
> drivers/nvme/common/Kconfig | 14 +-
> drivers/nvme/common/Makefile | 2 +
> drivers/nvme/common/auth.c | 587 ++++++++++---------------
> drivers/nvme/common/tests/auth_kunit.c | 175 ++++++++
> drivers/nvme/host/auth.c | 160 +++----
> drivers/nvme/host/sysfs.c | 4 +-
> drivers/nvme/target/auth.c | 198 +++------
> drivers/nvme/target/configfs.c | 3 -
> drivers/nvme/target/fabrics-cmd-auth.c | 4 +-
> drivers/nvme/target/nvmet.h | 2 +-
> include/crypto/hkdf.h | 20 -
> include/linux/nvme-auth.h | 41 +-
> include/linux/nvme.h | 5 +
> 17 files changed, 571 insertions(+), 1230 deletions(-)
> delete mode 100644 crypto/hkdf.c
> create mode 100644 drivers/nvme/common/.kunitconfig
> create mode 100644 drivers/nvme/common/tests/auth_kunit.c
> delete mode 100644 include/crypto/hkdf.h
>
>
> base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
> --
> 2.53.0
>
>