[PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing

Eric Biggers posted 21 patches 1 month, 2 weeks ago
[PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Eric Biggers 1 month, 2 weeks ago
This series converts the implementation of NVMe in-band authentication
to use the crypto library instead of crypto_shash for HMAC and hashing.

The result is simpler, faster, and more reliable.  Notably, it
eliminates a lot of dynamic memory allocations, indirect calls, lookups
in crypto_alg_list, and other API overhead.  It also uses the library's
support for initializing HMAC contexts directly from a raw key, which is
an optimization not accessible via crypto_shash.  Finally, a lot of the
error handling code goes away, since the library functions just always
succeed and return void.

The last patch removes crypto/hkdf.c, as it's no longer needed.

This series applies to v7.0-rc1 and is targeting the nvme tree.

I've tested the TLS key derivation using the KUnit test suite added in
this series.  I don't know how to test the other parts, but it all
should behave the same as before.

Eric Biggers (21):
  nvme-auth: add NVME_AUTH_MAX_DIGEST_SIZE constant
  nvme-auth: common: constify static data
  nvme-auth: use proper argument types
  nvme-auth: common: add KUnit tests for TLS key derivation
  nvme-auth: rename nvme_auth_generate_key() to nvme_auth_parse_key()
  nvme-auth: common: explicitly verify psk_len == hash_len
  nvme-auth: common: add HMAC helper functions
  nvme-auth: common: use crypto library in nvme_auth_transform_key()
  nvme-auth: common: use crypto library in
    nvme_auth_augmented_challenge()
  nvme-auth: common: use crypto library in nvme_auth_generate_psk()
  nvme-auth: common: use crypto library in nvme_auth_generate_digest()
  nvme-auth: common: use crypto library in nvme_auth_derive_tls_psk()
  nvme-auth: host: use crypto library in
    nvme_auth_dhchap_setup_host_response()
  nvme-auth: host: use crypto library in
    nvme_auth_dhchap_setup_ctrl_response()
  nvme-auth: host: remove allocation of crypto_shash
  nvme-auth: target: remove obsolete crypto_has_shash() checks
  nvme-auth: target: use crypto library in nvmet_auth_host_hash()
  nvme-auth: target: use crypto library in nvmet_auth_ctrl_hash()
  nvme-auth: common: remove nvme_auth_digest_name()
  nvme-auth: common: remove selections of no-longer used crypto modules
  crypto: remove HKDF library

 crypto/Kconfig                         |   6 -
 crypto/Makefile                        |   1 -
 crypto/hkdf.c                          | 573 ------------------------
 drivers/nvme/common/.kunitconfig       |   6 +
 drivers/nvme/common/Kconfig            |  14 +-
 drivers/nvme/common/Makefile           |   2 +
 drivers/nvme/common/auth.c             | 587 ++++++++++---------------
 drivers/nvme/common/tests/auth_kunit.c | 175 ++++++++
 drivers/nvme/host/auth.c               | 160 +++----
 drivers/nvme/host/sysfs.c              |   4 +-
 drivers/nvme/target/auth.c             | 198 +++------
 drivers/nvme/target/configfs.c         |   3 -
 drivers/nvme/target/fabrics-cmd-auth.c |   4 +-
 drivers/nvme/target/nvmet.h            |   2 +-
 include/crypto/hkdf.h                  |  20 -
 include/linux/nvme-auth.h              |  41 +-
 include/linux/nvme.h                   |   5 +
 17 files changed, 571 insertions(+), 1230 deletions(-)
 delete mode 100644 crypto/hkdf.c
 create mode 100644 drivers/nvme/common/.kunitconfig
 create mode 100644 drivers/nvme/common/tests/auth_kunit.c
 delete mode 100644 include/crypto/hkdf.h


base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
-- 
2.53.0
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Chris Leech 1 month, 2 weeks ago
This series looks good to me.

Tested against the existing code for interoperability in
bi-directional authentication and TLS with auth generated PSKs.

Reviewed-by: Chris Leech <cleech@redhat.com>

On Sun, Mar 01, 2026 at 11:59:38PM -0800, Eric Biggers wrote:
> This series converts the implementation of NVMe in-band authentication
> to use the crypto library instead of crypto_shash for HMAC and hashing.
> 
> The result is simpler, faster, and more reliable.  Notably, it
> eliminates a lot of dynamic memory allocations, indirect calls, lookups
> in crypto_alg_list, and other API overhead.  It also uses the library's
> support for initializing HMAC contexts directly from a raw key, which is
> an optimization not accessible via crypto_shash.  Finally, a lot of the
> error handling code goes away, since the library functions just always
> succeed and return void.
> 
> The last patch removes crypto/hkdf.c, as it's no longer needed.
> 
> This series applies to v7.0-rc1 and is targeting the nvme tree.
> 
> I've tested the TLS key derivation using the KUnit test suite added in
> this series.  I don't know how to test the other parts, but it all
> should behave the same as before.
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Christoph Hellwig 1 month, 1 week ago
Thanks, this looks really great:

Acked-by: Christoph Hellwig <hch@lst.de>
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Eric Biggers 1 month, 1 week ago
On Wed, Mar 04, 2026 at 02:23:27PM +0100, Christoph Hellwig wrote:
> Thanks, this looks really great:
> 
> Acked-by: Christoph Hellwig <hch@lst.de>
> 

Thanks.  I assume Keith will pick this series up for 7.1.  Keith, I
forgot to include you explicitly on the recipients list (I must have run
get_maintainer on drivers/nvme/target/ instead of drivers/nvme/common/),
but I assume you received this series via linux-nvme anyway.

- Eric
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Keith Busch 1 month, 1 week ago
On Thu, Mar 05, 2026 at 11:31:50AM -0800, Eric Biggers wrote:
> On Wed, Mar 04, 2026 at 02:23:27PM +0100, Christoph Hellwig wrote:
> > Thanks, this looks really great:
> > 
> > Acked-by: Christoph Hellwig <hch@lst.de>
> > 
> 
> Thanks.  I assume Keith will pick this series up for 7.1.  Keith, I
> forgot to include you explicitly on the recipients list (I must have run
> get_maintainer on drivers/nvme/target/ instead of drivers/nvme/common/),
> but I assume you received this series via linux-nvme anyway.

No worries, I'll start up a 7.1 branch and get this queued up. Thanks!
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Eric Biggers 3 weeks ago
On Thu, Mar 05, 2026 at 12:35:55PM -0700, Keith Busch wrote:
> On Thu, Mar 05, 2026 at 11:31:50AM -0800, Eric Biggers wrote:
> > On Wed, Mar 04, 2026 at 02:23:27PM +0100, Christoph Hellwig wrote:
> > > Thanks, this looks really great:
> > > 
> > > Acked-by: Christoph Hellwig <hch@lst.de>
> > > 
> > 
> > Thanks.  I assume Keith will pick this series up for 7.1.  Keith, I
> > forgot to include you explicitly on the recipients list (I must have run
> > get_maintainer on drivers/nvme/target/ instead of drivers/nvme/common/),
> > but I assume you received this series via linux-nvme anyway.
> 
> No worries, I'll start up a 7.1 branch and get this queued up. Thanks!

This hasn't made its way into linux-next yet.  Is that expected?

- Eric
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Keith Busch 3 weeks ago
On Wed, Mar 25, 2026 at 01:20:53PM -0700, Eric Biggers wrote:
> 
> This hasn't made its way into linux-next yet.  Is that expected?

It's in the nvme-7.1 branch, but linux-next doesn't pull from there.
I'll need to send a pull to Jens' block tree for linux-next inclusion. I
suppose it's about time we get the first one sent this week, so I'll
just double check everything and get something ready for tomorrow.
Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing
Posted by Ard Biesheuvel 1 month, 2 weeks ago

On Mon, 2 Mar 2026, at 08:59, Eric Biggers wrote:
> This series converts the implementation of NVMe in-band authentication
> to use the crypto library instead of crypto_shash for HMAC and hashing.
>
> The result is simpler, faster, and more reliable.  Notably, it
> eliminates a lot of dynamic memory allocations, indirect calls, lookups
> in crypto_alg_list, and other API overhead.  It also uses the library's
> support for initializing HMAC contexts directly from a raw key, which is
> an optimization not accessible via crypto_shash.  Finally, a lot of the
> error handling code goes away, since the library functions just always
> succeed and return void.
>
> The last patch removes crypto/hkdf.c, as it's no longer needed.
>
> This series applies to v7.0-rc1 and is targeting the nvme tree.
>
> I've tested the TLS key derivation using the KUnit test suite added in
> this series.  I don't know how to test the other parts, but it all
> should behave the same as before.

For the series,

Acked-by: Ard Biesheuvel <ardb@kernel.org>