From nobody Thu Apr  9 12:51:17 2026
Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com
 [209.85.214.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 637E217D6
	for <linux-kernel@vger.kernel.org>; Mon,  9 Mar 2026 04:27:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.176
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773030471; cv=none;
 b=dE72zAqoEzj/vw4HFKfEMxBD55KQaXb/hModaw13/ST9bdQ8/h4wAYRORK8M3yPNbpZH4RTbdPYiLbDI64oeBN1i3HoX/v8AiY7kjIBMs1+PYkpT2a/BqhxUJa5P0p+5mTACGj7VcMjXk0aCZ28CBnXVcFjvk9baVXtu8VHgzXY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773030471; c=relaxed/simple;
	bh=QeHi5qqT3+tJalD/IndwsV+Okgb87OBXPxRhaVyr1cs=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=kb+9+yRz+LiutHOixjN2dDVQBJm3Ml8B3ip9OUCMS3CmJ9vhfnT8Kpz9FLgodGCPnbEcEeGxN/zU6CKu11Yoa1f3oKTFAN5LadSJzaduaitw1YYlIPGjnx6xEGW9ymBYJKtX0ztWVkoyAd+C6tcA/GYKiLhQ5ZW2JUA4OkEyjtI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=IZVhYIAy; arc=none smtp.client-ip=209.85.214.176
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="IZVhYIAy"
Received: by mail-pl1-f176.google.com with SMTP id
 d9443c01a7336-2ae4e538abdso74736585ad.3
        for <linux-kernel@vger.kernel.org>;
 Sun, 08 Mar 2026 21:27:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1773030470; x=1773635270;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=TUR6e5Ssp3gFRl3Qw5xjvdZ0HUviL37ab7eciXMHhqY=;
        b=IZVhYIAyjEL05NugrNHNqWEcvGimbsj6ME47rNe4zGwB6t+a+bl67pr2fbg2kmWhao
         KRrpOyiR46Pn8ls2D4S8TrBOy7L0EA0a8xZoKtrGWb1xqs35lInwgDByZ7MFiLXuf596
         lDTkNcur1mcpI4nP3iws4zk9XRzq/vf1pviFU0JDSCY3XTlJVL1Gu6G5yYJ03M5fARGk
         CWvnUFnXcwfKeaOfagPB4n8CoiWuddbvBu3/zsImaDN27toGKCtHtwf4oiNYTeTzuSzi
         CrL0KrHOLr09a1CZAtnWs9YNNhTcUgbUzuI9Gsc2wP7X/WZ2TGbD/1f5hoArK515OEJQ
         oXyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1773030470; x=1773635270;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=TUR6e5Ssp3gFRl3Qw5xjvdZ0HUviL37ab7eciXMHhqY=;
        b=lOE7zqaKXeUE6dJOYDfXK/WgcugbPBGsaXzG0Y9UlS5XXReOFeHEqKuV4BRCKdUOP4
         0BsKGoLwgVur3dOdUmGY5BZt8flZ08/7IYBh8DrhdFjFjokiCXYKG22wVochDZYyS6UZ
         4OowIM6Oo7tzJg/oAQzWL84+Cxed/IXDvQ6tGiSpkSIt4pO/vxJqR4GqLZ6jrK2VI4mE
         CSuIfrbNMYBuH88V0z9WkA3/J63ztWn90QuhvU1G+zRSJ8kv7A3Gz8yIOEqHLIXehxNJ
         BhUdcmIdtX2NF7oMzgzhNDzlr6YijSJa3Sc6gf8tDKfnxeC1elvGWvqJiZDkWl8KlGXp
         hyMA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXr+kReqTQnTSEGmP/+TbcMJEY2ZYp6/Z36vHVLOALHLN0qzc3t2vx0UgQu29SuyfoQx8KmvwWRT2vcCuc=@vger.kernel.org
X-Gm-Message-State: AOJu0YxmxpUcMQo+SwcjnJNPu+ifmb94hgHHtTbctIUYvt/7v1Ky6tY+
	KJq1JGRYjzeMZDQD/dPxndwqOszHre+Tx8euTVQga7j8O/SRQ2T82KwR
X-Gm-Gg: ATEYQzxQj3wfdO3FGMo/ijZbvatPOSHvbIag+tViQ+u0HGnNNlQiJ1I3b5ZRYxvUgwS
	gSuDNqxvMKqyywqI8RgfTshr2+eSMZX7pckzKrGiFlHavT+5v5uQS08cGjVx6mhRTS1wFip8mx/
	kVnXX7Skhl62nyjyDWJBXys+SaPEo+n2W6EWjElYVIoAXNo/aPw692oOvvxNdf50Ku7h1tKqRqe
	dRc6LhKj3DKHqvmgHriAq17Me9aTIOW/FrcDmL/JQONRL0xAEqezSJTn8dQhT4eSxoqHqAvFoq6
	s7pO9IXEbwk8HY8DHdb15c37/dMTuhkNIBK09Dk5NglOYho8/3RHcjUY+iiOn1v1eRzR5k0HD3l
	Ige4RwGtunJtn25y9svIerSVfG27y55L+rzi75YXAKVH8dzJq1E4ZOdE3c52855BLfeHZ7y9ncM
	1Lv31udCqQjkUqz0h15qlmvS4p84jgSkWPJkCmurmldQ==
X-Received: by 2002:a17:903:3904:b0:2ae:4aaf:3b04 with SMTP id
 d9443c01a7336-2ae82494790mr116959845ad.56.1773030469748;
        Sun, 08 Mar 2026 21:27:49 -0700 (PDT)
Received: from toolbx.alistair23.me ([2403:581e:fdf9:0:6209:4521:6813:45b7])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2ae83e57afesm98517655ad.6.2026.03.08.21.27.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 08 Mar 2026 21:27:49 -0700 (PDT)
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: hare@suse.de,
	kbusch@kernel.org,
	axboe@kernel.dk,
	hch@lst.de,
	sagi@grimberg.me,
	linux-nvme@lists.infradead.org,
	linux-kernel@vger.kernel.org
Cc: alistair23@gmail.com,
	Alistair Francis <alistair.francis@wdc.com>,
	Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
Subject: [PATCH v2] nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C
Date: Mon,  9 Mar 2026 14:27:33 +1000
Message-ID: <20260309042733.1137108-1-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis <alistair.francis@wdc.com>

Section 8.3.4.5.2 of the NVMe 2.1 base spec states that

"""
The 00h identifier shall not be proposed in an AUTH_Negotiate message
that requests secure channel concatenation (i.e., with the SC_C field
set to a non-zero value).
"""

We need to ensure that we don't set the NVME_AUTH_DHGROUP_NULL idlist if
SC_C is set.

Signed-off-by: Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
---
v2:
 - Use a macro for Diffie-Hellman Group Identifier List Offset
 - Use a pointer for data->auth_protocol[0].dhchap.idlist

 drivers/nvme/host/auth.c | 23 +++++++++++++----------
 include/linux/nvme.h     |  2 ++
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 405e7c03b1cf..4e8e4ddd6c8d 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -125,6 +125,8 @@ static int nvme_auth_set_dhchap_negotiate_data(struct n=
vme_ctrl *ctrl,
 {
 	struct nvmf_auth_dhchap_negotiate_data *data =3D chap->buf;
 	size_t size =3D sizeof(*data) + sizeof(union nvmf_auth_protocol);
+	u8 dh_list_offset =3D DH_GID_LIST_OFFSET;
+	u8 *idlist =3D data->auth_protocol[0].dhchap.idlist;
=20
 	if (size > CHAP_BUF_SIZE) {
 		chap->status =3D NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
@@ -144,16 +146,17 @@ static int nvme_auth_set_dhchap_negotiate_data(struct=
 nvme_ctrl *ctrl,
 	data->napd =3D 1;
 	data->auth_protocol[0].dhchap.authid =3D NVME_AUTH_DHCHAP_AUTH_ID;
 	data->auth_protocol[0].dhchap.halen =3D 3;
-	data->auth_protocol[0].dhchap.dhlen =3D 6;
-	data->auth_protocol[0].dhchap.idlist[0] =3D NVME_AUTH_HASH_SHA256;
-	data->auth_protocol[0].dhchap.idlist[1] =3D NVME_AUTH_HASH_SHA384;
-	data->auth_protocol[0].dhchap.idlist[2] =3D NVME_AUTH_HASH_SHA512;
-	data->auth_protocol[0].dhchap.idlist[30] =3D NVME_AUTH_DHGROUP_NULL;
-	data->auth_protocol[0].dhchap.idlist[31] =3D NVME_AUTH_DHGROUP_2048;
-	data->auth_protocol[0].dhchap.idlist[32] =3D NVME_AUTH_DHGROUP_3072;
-	data->auth_protocol[0].dhchap.idlist[33] =3D NVME_AUTH_DHGROUP_4096;
-	data->auth_protocol[0].dhchap.idlist[34] =3D NVME_AUTH_DHGROUP_6144;
-	data->auth_protocol[0].dhchap.idlist[35] =3D NVME_AUTH_DHGROUP_8192;
+	idlist[0] =3D NVME_AUTH_HASH_SHA256;
+	idlist[1] =3D NVME_AUTH_HASH_SHA384;
+	idlist[2] =3D NVME_AUTH_HASH_SHA512;
+	if (chap->sc_c =3D=3D NVME_AUTH_SECP_NOSC)
+		idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_NULL;
+	idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_2048;
+	idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_3072;
+	idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_4096;
+	idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_6144;
+	idlist[dh_list_offset++] =3D NVME_AUTH_DHGROUP_8192;
+	data->auth_protocol[0].dhchap.dhlen =3D dh_list_offset - DH_GID_LIST_OFFS=
ET;
=20
 	chap->sc_c =3D data->sc_c;
=20
diff --git a/include/linux/nvme.h b/include/linux/nvme.h
index 655d194f8e72..bd540ef33b63 100644
--- a/include/linux/nvme.h
+++ b/include/linux/nvme.h
@@ -2332,4 +2332,6 @@ enum nvme_pr_change_ptpl {
=20
 #define NVME_PR_IGNORE_KEY (1 << 3)
=20
+#define DH_GID_LIST_OFFSET 30
+
 #endif /* _LINUX_NVME_H */
--=20
2.53.0