+ Andrei for VMware ESXi feedback on the iSCSI CHAP support. I know that UEFI iSCSI boot is supported and used by those users.
From: Bret Barkelew <Bret.Barkelew@...>
Sent: Tuesday, April 6, 2021 12:14 PM
To: Rabeda, Maciej <maciej.rabeda@...>; Daniel P. Berrangé <berrange@...>
Cc: Desimone, Nathaniel L <nathaniel.l.desimone@...>; rfc@edk2.groups.io; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@...>; simo@...; Laszlo Ersek <lersek@...>; Wu, Jiaxin <jiaxin.wu@...>; Fu, Siyuan <siyuan.fu@...>; Yash Mankad <ymankad@...>; Pete Batard <pete@...>; Sean Brogan <sean.brogan@...>; Jose Barreto <Jose.Barreto@...>
Subject: RE: [EXTERNAL] Re: [edk2-rfc] removing CHAP-MD5 from IScsiDxe
Let me see what I can find...
- Bret
From: Rabeda, Maciej<mailto:maciej.rabeda@...>
Sent: Tuesday, April 6, 2021 3:37 AM
To: Daniel P. Berrangé<mailto:berrange@...>
Cc: Desimone, Nathaniel L<mailto:nathaniel.l.desimone@...>; rfc@edk2.groups.io<mailto:rfc@edk2.groups.io>; Samer El-Haj-Mahmoud<mailto:Samer.El-Haj-Mahmoud@...>; simo@...<mailto:simo@...>; Laszlo Ersek<mailto:lersek@...>; Wu, Jiaxin<mailto:jiaxin.wu@...>; Fu, Siyuan<mailto:siyuan.fu@...>; Yash Mankad<mailto:ymankad@...>; Pete Batard<mailto:pete@...>; Bret Barkelew<mailto:Bret.Barkelew@...>; Sean Brogan<mailto:sean.brogan@...>; Jose Barreto<mailto:Jose.Barreto@...>
Subject: [EXTERNAL] Re: [edk2-rfc] removing CHAP-MD5 from IScsiDxe
+Bret, Sean, Jose
Hi Sean, Bret,
In one of previous threads, Jose wrote that he pointed you to a
Microsoft person who should have more information on iSCSI on Windows.
I am wondering whether Windows iSCSI initiator supports CHAP hash
algorithms other than MD5.
Any chance we could reach out to that person and find it out?
Thanks,
Maciej
On 01-Apr-21 16:45, Daniel P. Berrangé wrote:
On Thu, Apr 01, 2021 at 04:24:27PM +0200, Rabeda, Maciej wrote:
Hi,
Sorry for the very late response.
Dropping iSCSI overall is a no-go - too many users + this is the only remote
block I/O we seem to support in EDKII.
As for RFC compliance vs EDKII policy on MD5... Naturally, CHAP with MD5
does not bring any security features due to MD5's vulnerability.
However, since MD5 is the only hash algorithm for CHAP supported by
IScsiDxe, removing MD5 implies removing CHAP-related code from IScsiDxe
overall, which I would be pretty hesitant to do.
RFC states that MD5 has to be supported, though I can see that CHAP
algorithm allows for different hash algorithms (https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fppp-numbers%2Fppp-numbers.xhtml%23ppp-numbers-9&;data=04%7C01%7CBret.Barkelew%40microsoft.com%7Cab8feb1e15994536427308d8f8e7ea2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637533022248147469%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BlTgYNPfP3vJF7u6QcRLZvt8BobHpy7n3H%2B7tIqxLqo%3D&reserved=0).
We could support CHAP with SHA-x in IScsiDxe, which removes the MD5
dependency and keeps the CHAP-related code in iSCSI still in place.
The question is: do OS-based initiators support hash algorithms other than
MD5 for CHAP?
I am pretty sure RHEL does (controlled via /etc/iscsi/iscsid.conf), but I am
not sure about others: Windows, VMware, ...
Linux kernel gained support for the SHA* family of hashes:
commit a572d24af4d16e70743feb0b4decb17aaae7ce43
Author: Maurizio Lombardi <mlombard@...<mailto:mlombard@...>>
Date: Mon Oct 28 13:38:20 2019 +0100
scsi: target: iscsi: CHAP: add support for SHA1, SHA256 and SHA3-256
This patch modifies the chap_server_compute_hash() function to make it
agnostic to the choice of hash algorithm that is used. It also adds
support to three new hash algorithms: SHA1, SHA256 and SHA3-256.
The chap_got_response() function has been removed because the digest type
validity is already checked by chap_server_open()
Link: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fr%2F20191028123822.5864-2-mlombard%40redhat.com&;data=04%7C01%7CBret.Barkelew%40microsoft.com%7Cab8feb1e15994536427308d8f8e7ea2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637533022248147469%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ZIUG2koYEF8gnAXpAQqIAEU0I2kS4F%2FFsGSMGPm7KxE%3D&reserved=0
Signed-off-by: Maurizio Lombardi <mlombard@...<mailto:mlombard@...>>
Tested-by: Chris Leech <cleech@...<mailto:cleech@...>>
Signed-off-by: Martin K. Petersen <martin.petersen@...<mailto:martin.petersen@...>>
NB SHA1 is just as undesirable as MD5 these days, so only the other two
are especially interesting/useful.
Regards,
Daniel
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
