lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Mar 2022 10:11:06 +0000
From:   "Tian, Kevin" <kevin.tian@...el.com>
To:     Alex Williamson <alex.williamson@...hat.com>
CC:     Shameerali Kolothum Thodi <shameerali.kolothum.thodi@...wei.com>,
        "Jason Gunthorpe" <jgg@...dia.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>,
        "cohuck@...hat.com" <cohuck@...hat.com>,
        "mgurtovoy@...dia.com" <mgurtovoy@...dia.com>,
        "yishaih@...dia.com" <yishaih@...dia.com>,
        Linuxarm <linuxarm@...wei.com>,
        liulongfang <liulongfang@...wei.com>,
        "Zengtao (B)" <prime.zeng@...ilicon.com>,
        Jonathan Cameron <jonathan.cameron@...wei.com>,
        "Wangzhou (B)" <wangzhou1@...ilicon.com>,
        Xu Zaibo <xuzaibo@...wei.com>
Subject: RE: [PATCH v8 8/9] hisi_acc_vfio_pci: Add support for VFIO live
 migration

> From: Alex Williamson <alex.williamson@...hat.com>
> Sent: Wednesday, March 9, 2022 3:33 AM
> 
> On Tue, 8 Mar 2022 08:11:11 +0000
> "Tian, Kevin" <kevin.tian@...el.com> wrote:
> 
> > > From: Alex Williamson <alex.williamson@...hat.com>
> > > Sent: Tuesday, March 8, 2022 3:53 AM
> > > >
> > > > > I think we still require acks from Bjorn and Zaibo for select patches
> > > > > in this series.
> > > >
> > > > I checked with Ziabo. He moved projects and is no longer looking into
> > > crypto stuff.
> > > > Wangzhou and LiuLongfang now take care of this. Received acks from
> > > Wangzhou
> > > > already and I will request Longfang to provide his. Hope that's ok.
> > >
> > > Maybe a good time to have them update MAINTAINERS as well.  Thanks,
> > >
> >
> > I have one question here (similar to what we discussed for mdev before).
> >
> > Now we are adding vendor specific drivers under /drivers/vfio. Two drivers
> > on radar and more will come. Then what would be the criteria for
> > accepting such a driver? Do we prefer to a model in which the author
> should
> > provide enough background for vfio community to understand how it
> works
> > or as done here just rely on the PF driver owner to cover device specific
> > code?
> >
> > If the former we may need document some process for what information
> > is necessary and also need secure increased review bandwidth from key
> > reviewers in vfio community.
> >
> > If the latter then how can we guarantee no corner case overlooked by both
> > sides (i.e. how to know the coverage of total reviews)? Another open is
> who
> > from the PF driver sub-system should be considered as the one to give the
> > green signal. If the sub-system maintainer trusts the PF driver owner and
> > just pulls commits from him then having the r-b from the PF driver owner is
> > sufficient. But if the sub-system maintainer wants to review detail change
> > in every underlying driver then we probably also want to get the ack from
> > the maintainer.
> >
> > Overall I didn't mean to slow down the progress of this series. But above
> > does be some puzzle occurred in my review. 😊
> 
> Hi Kevin,
> 
> Good questions, I'd like a better understanding of expectations as
> well.  I think the intentions are the same as any other sub-system, the
> drivers make use of shared interfaces and extensions and the role of
> the sub-system should be to make sure those interfaces are used
> correctly and extensions fit well within the overall design.  However,
> just as the network maintainer isn't expected to fully understand every
> NIC driver, I think/hope we have the same expectations here.  It's
> certainly a benefit to the community and perceived trustworthiness if
> each driver outlines its operating model and security nuances, but
> those are only ever going to be the nuances identified by the people
> who have the access and energy to evaluate the device.
> 
> It's going to be up to the community to try to determine that any new
> drivers are seriously considering security and not opening any new gaps
> relative to behavior using the base vfio-pci driver.  For the driver
> examples we have, this seems a bit easier than evaluating an entire
> mdev device because they're largely providing direct access to the
> device rather than trying to multiplex a shared physical device.  We
> can therefore focus on incremental functionality, as both drivers have
> done, implementing a boilerplate vendor driver, then adding migration
> support.  I imagine this won't always be the case though and some
> drivers will re-implement much of the core to support further emulation
> and shared resources.
> 
> So how do we as a community want to handle this?  I wouldn't mind, I'd
> actually welcome, some sort of review requirement for new vfio vendor
> driver variants.  Is that reasonable?  What would be the criteria?
> Approval from the PF driver owner, if different/necessary, and at least
> one unaffiliated reviewer (preferably an active vfio reviewer or
> existing vfio variant driver owner/contributor)?  Ideas welcome.
> Thanks,
> 

Yes, and the criteria is the hard part. In the end it largely depend on 
the expectations of the reviewers.  

If the unaffiliated reviewer only cares about the usage of shared 
interfaces or extensions as you said then what this series does is
just fine. Such type of review can be easily done via reading code 
and doesn't require detail device knowledge.

On the other hand if the reviewer wants to do a full functional
review of how migration is actually supported for such device, 
whatever information (patch description, code comment, kdoc,
etc.) necessary to build a standalone migration story would be
appreciated, e.g.:

  - What composes the device state?
  - Which portion of the device state is exposed to and managed
    by the user and which is hidden from the user (i.e. controlled
    by the PF driver)?
  - Interface between the vfio driver and the device (and/or PF
    driver) to manage the device state;
  - Rich functional-level comments for the reviewer to dive into
    the migration flow;
  - ...

I guess we don't want to force one model over the other. Just
from my impression the more information the driver can 
provide the more time I'd like to spend on the review. Otherwise
it has to trend to the minimal form i.e. the first model.

and currently I don't have a concrete idea how the 2nd model will
work. maybe it will get clear only when a future driver attracts 
people to do thorough review...

Thanks
Kevin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ