| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 02 Jul 2015 14:02:36 -0500 From: Jeremy White <jwhite@...eweavers.com> To: Oliver Neukum <oneukum@...e.com> CC: Hans de Goede <hdegoede@...hat.com>, "Daniel P. Berrange" <berrange@...hat.com>, spice-devel@...ts.freedesktop.org, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [Spice-devel] [RFC PATCH 1/1] Add a usbredir kernel module to remotely connect USB devices over IP. On 07/02/2015 01:46 PM, Oliver Neukum wrote: > On Thu, 2015-07-02 at 10:57 -0500, Jeremy White wrote: >> On 07/02/2015 07:10 AM, Oliver Neukum wrote: >>> On Thu, 2015-07-02 at 13:35 +0200, Hans de Goede wrote: >>>> Hi, >>>> >>>> On 02-07-15 10:45, Oliver Neukum wrote: >>>>> On Wed, 2015-07-01 at 10:06 +0100, Daniel P. Berrange wrote: >>>>> >>>>>> I don't really think it is sensible to be defining & implementing new >>>>>> network services which can't support strong encryption and authentication. >>>>>> Rather than passing the file descriptor to the kernel and having it do >>>>>> the I/O directly, I think it would be better to dissassociate the kernel >>>>>> from the network transport, and thus leave all sockets layer data I/O >>>>>> to userspace daemons so they can layer in TLS or SASL or whatever else >>>>>> is appropriate for the security need. >>>>> >>>>> Hi, >>>>> >>>>> this hits a fundamental limit. Block IO must be done entirely in kernel >>>>> space or the system will deadlock. The USB stack is part of the block >>>>> layer and the SCSI error handling. Thus if you involve user space you >>>>> cannot honor memory allocation with GFP_NOFS and you break all APIs >>>>> where we pass GFP_NOIO in the USB stack. >>>>> >>>>> Supposed you need to reset a storage device for error handling. >>>>> Your user space programm does a syscall, which allocates memory >>>>> and needs to launder pages. It proceeds to write to the storage device >>>>> you wish to reset. >>>>> >>>>> It is the same problem FUSE has with writable mmap. You cannot do >>>>> block devices in user space sanely. >>>> >>>> So how is this dealt with for usbip ? >>> >>> As far as I can tell, it isn't. Running a storage device over usbip >>> is a bit dangerous. >> >> I don't follow that analysis. The usbip interactions with the usb stack >> all seem to be atomic, and never trigger a syscall, as far as I can >> tell. A port reset will flip a few bits and return. A urb enqueue >> queues and wakes a different thread, and returns. The alternate thread >> performs the sendmsg. >> >> I'm not suggesting that running a storage device over usbip is >> especially safe, but I don't see the limit on the design. > > Are you referring to the current code or the proposed user space pipe? I'm referring to current usbip code. But the proposed driver would have the same behavior. To be clear, I think the only tangible new proposal is the one Hans put forth, which would modify the driver I originally posted to use a netlink socket instead of a passing a file descriptor in via sysfs. That would allow the user space application responsible for initiating the request to provide TLS as desired. It comes with the expense of an extra memcpy, but I suspect Hans is right in saying the network latencies make that an irrelevant cost. Cheers, Jeremy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists