| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Oct 2022 22:20:50 +0200
From: netdev@...io-technology.com
To: Vladimir Oltean <olteanv@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Florian Fainelli <f.fainelli@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Kurt Kanzenbach <kurt@...utronix.de>,
Hauke Mehrtens <hauke@...ke-m.de>,
Woojung Huh <woojung.huh@...rochip.com>,
UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>,
Landen Chao <Landen.Chao@...iatek.com>,
DENG Qingfang <dqfext@...il.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Claudiu Manoil <claudiu.manoil@....com>,
Alexandre Belloni <alexandre.belloni@...tlin.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Russell King <linux@...linux.org.uk>,
Christian Marangi <ansuelsmth@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Yuwei Wang <wangyuweihx@...il.com>,
Petr Machata <petrm@...dia.com>,
Ido Schimmel <idosch@...dia.com>,
Florent Fourcot <florent.fourcot@...irst.fr>,
Hans Schultz <schultz.hans@...il.com>,
Joachim Wiberg <troglobit@...il.com>,
Amit Cohen <amcohen@...dia.com>, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB
implementation
On 2022-10-20 15:25, Vladimir Oltean wrote:
>> diff --git a/drivers/net/dsa/mv88e6xxx/chip.c
>> b/drivers/net/dsa/mv88e6xxx/chip.c
>> index 352121cce77e..71843fe87f77 100644
>> --- a/drivers/net/dsa/mv88e6xxx/chip.c
>> +++ b/drivers/net/dsa/mv88e6xxx/chip.c
>> @@ -42,6 +42,7 @@
>> #include "ptp.h"
>> #include "serdes.h"
>> #include "smi.h"
>> +#include "switchdev.h"
>>
>> static void assert_reg_lock(struct mv88e6xxx_chip *chip)
>> {
>> @@ -924,6 +925,13 @@ static void mv88e6xxx_mac_link_down(struct
>> dsa_switch *ds, int port,
>> if (err)
>> dev_err(chip->dev,
>> "p%d: failed to force MAC link down\n", port);
>> + else
>> + if (mv88e6xxx_port_is_locked(chip, port)) {
>> + err = mv88e6xxx_atu_locked_entry_flush(ds, port);
>> + if (err)
>> + dev_err(chip->dev,
>> + "p%d: failed to clear locked entries\n", port);
>> + }
>
> This would not have been needed if dsa_port_set_state() would have
> called dsa_port_fast_age().
>
> Currently it only does that if dp->learning is true. From previous
> conversations I get the idea that with MAB, port learning will be
> false.
> But I don't understand why; isn't MAB CPU-assisted learning? I'm
> looking
> at the ocelot hardware support for this and I think it could be
> implemented using a similar mechanism, but I certainly don't want to
> add
> more workarounds such as this in other drivers.
>
> Are there any other ways to implement MAB other than through CPU
> assisted learning?
>
> We could add one more dp->mab flag which tracks the "mab" brport flag,
> and extend dsa_port_set_state() to also call dsa_port_fast_age() in
> that
> case, but I want to make sure there isn't something extremely obvious
> I'm missing about the "learning" flag.
>
In general locked ports block traffic from a host based on if there is a
FDB entry or not. In the non-offloaded case, there is only CPU assisted
learning, so the normal learning mechanism has to be disabled as any
learned entry will open the port for the learned MAC,vlan.
Thus learning is off for locked ports, which of course includes MAB.
So the 'learning' is based on authorizing MAC,vlan addresses, which
is done by userspace daemons, e.g. hostapd or what could be called
mabd.
Powered by blists - more mailing lists