Add support for creating keys from pin #3220

Merged
igaw merged 4 commits into linux-nvme:master from igaw:support-pin-secrets
Mar 31, 2026

igaw commented Mar 31, 2026

For testing purposes it is very useful to have properly created secret keys
based on a pin.

To generate a new secret for the target:

$ nvme gen-tls-key -s pin:1234
NVMeTLSkey-1:01:9wCYVQqDvADjGIZo6q/v2SfmXZqqkNa9TcvYu97Ly3Q/gajh:

and then to connect from the host:

$ sudo nvme connect --transport tcp --traddr 192.168.30.30 --trsvcid 4420 --nqn nqn.io-1 --tls --tls-key pin:1234

The key generation uses the following algorithm:

function create_key(seed, key_len):
    output = []
    counter = 0

    while length(output) < key_len:
        hash = HASH(seed || encode(counter))
        output += hash
        counter += 1

    return output[0:key_len]

Sort the symbols alphabetically.

Signed-off-by: Daniel Wagner <wagi@kernel.org>

igaw force-pushed the support-pin-secrets branch 4 times, most recently from e95e3ed to c3d376d, March 31, 2026 09:36
igaw added 3 commits March 31, 2026 11:41

Move helper function to create the raw secret from the input string to
the library. This allows using a common function to consistently create
the raw secret in nvme-cli and libnvme.

For testing purposes it is also helpful to generate a secret based on
a pin. Use the pin as seed and create the raw secret with a simple
algorithm:

	function create_key(seed, key_len):
	    output = []
	    counter = 0

	    while length(output) < key_len:
	        hash = HASH(seed || encode(counter))
	        output += hash
	        counter += 1

	    return output[0:key_len]

Signed-off-by: Daniel Wagner <wagi@kernel.org>

Introduce function to release all resources associated with a fabrics
context. This makes the opaque data structure more useful inside
the library.

Signed-off-by: Daniel Wagner <wagi@kernel.org>

For testing purposes it is very useful to have properly created secret keys
based on a pin. Thus extend nvmf_context_set_crypto to transform the pin
secret into a proper key.

Signed-off-by: Daniel Wagner <wagi@kernel.org>

igaw force-pushed the support-pin-secrets branch from c3d376d to 5d8b815, March 31, 2026 09:43
igaw merged commit 27af156 into linux-nvme:master Mar 31, 2026
29 checks passed
igaw deleted the support-pin-secrets branch March 31, 2026 09:53

igaw commented Mar 31, 2026

@poettering IIRC you were asking for this feature. Here we go :)
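
The `create_key` pseudocode from the PR description, written out as an added Python example; it is not code from this pull request or from libnvme. The page does not say which `HASH` or `encode(counter)` is used or how the pin is turned into the seed, so SHA-256, a 4-byte big-endian counter and the ASCII pin digits as seed are assumptions here, and the output is not expected to match what `nvme gen-tls-key` prints. `effective_key_bits` is a hypothetical helper showing why a pin-derived key suits testing only: the derived key carries no more entropy than the pin.

```python
import hashlib
import math


def create_key(seed: bytes, key_len: int, hash_name: str = "sha256") -> bytes:
    """Expand `seed` to `key_len` bytes: HASH(seed || encode(counter)), concatenated.

    ASSUMPTIONS (not stated on the page): HASH defaults to SHA-256 and
    encode(counter) is a 4-byte big-endian integer.
    """
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    output = bytearray()
    counter = 0
    while len(output) < key_len:
        block = hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        output += block
        counter += 1
    # The last hash block is truncated when key_len is not a multiple
    # of the digest size (e.g. 48 bytes from 32-byte SHA-256 blocks).
    return bytes(output[:key_len])


def effective_key_bits(pin_digits: int, key_len: int) -> float:
    """Upper bound on key entropy: the smaller of pin entropy and key size.

    The expansion is deterministic, so a decimal pin of `pin_digits`
    digits can only ever produce 10**pin_digits distinct keys.
    """
    pin_bits = pin_digits * math.log2(10)
    return min(pin_bits, key_len * 8)


if __name__ == "__main__":
    pin = b"1234"  # constructed sample seed, taken from the page's pin:1234
    for key_len in (32, 48):
        key = create_key(pin, key_len)
        print(f"{key_len}-byte key: {key.hex()}")
    # Same pin on target and host yields the same raw secret.
    print("deterministic:", create_key(pin, 32) == create_key(pin, 32))
    print(f"4-digit pin: ~{effective_key_bits(4, 32):.1f} bits in a 256-bit key")
```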
