lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Jun 2021 09:38:50 +0000
From:   Parav Pandit <parav@...dia.com>
To:     Yunsheng Lin <linyunsheng@...wei.com>,
        Jakub Kicinski <kuba@...nel.org>
CC:     moyufeng <moyufeng@...wei.com>,
        Jakub Kicinski <jakub.kicinski@...ronome.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Or Gerlitz <gerlitz.or@...il.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "michal.lkml@...kovi.net" <michal.lkml@...kovi.net>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        Jiri Pirko <jiri@...dia.com>,
        Salil Mehta <salil.mehta@...wei.com>,
        "lipeng (Y)" <lipeng321@...wei.com>,
        Guangbin Huang <huangguangbin2@...wei.com>,
        "shenjian15@...wei.com" <shenjian15@...wei.com>,
        "chenhao (DY)" <chenhao288@...ilicon.com>,
        Jiaran Zhang <zhangjiaran@...wei.com>,
        "linuxarm@...neuler.org" <linuxarm@...neuler.org>
Subject: RE: [RFC net-next 0/8] Introducing subdev bus and devlink extension


> From: Yunsheng Lin <linyunsheng@...wei.com>
> Sent: Wednesday, June 9, 2021 2:46 PM
> 
[..]

> >> Is there any reason why VF use its own devlink instance?
> >
> > Primary use case for VFs is virtual environments where guest isn't
> > trusted, so tying the VF to the main devlink instance, over which
> > guest should have no control is counter productive.
> 
> The security is mainly about VF using in container case, right?
> Because VF using in VM, it is different host, it means a different devlink
> instance for VF, so there is no security issue for VF using in VM case?
> But it might not be the case for VF using in container?
Devlink instance has net namespace attached to it controlled using devlink reload command.
So a VF devlink instance can be assigned to a container/process running in a specific net namespace.

$ ip netns add n1
$ devlink dev reload pci/0000:06:00.4 netns n1
                                     ^^^^^^^^^^^^^
                                     PCI VF/PF/SF.

> Also, there is a "switch_id" concept from jiri's example, which seems to be
> not implemented yet?

switch_id is present for switch ports in [1] and documented in [2].

[1] /sys/class/net/representor_netdev/phys_switch_id.
[2] https://www.kernel.org/doc/Documentation/networking/switchdev.txt " Switch ID"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ