Message-ID: <54AC4206.4030006@cloudius-systems.com>
Date: Tue, 06 Jan 2015 22:13:58 +0200
From: Vlad Zolotarov <vladz@...udius-systems.com>
To: Greg Rose <gvrose8192@...il.com>
CC: Gleb Natapov <gleb@...udius-systems.com>, netdev@...r.kernel.org,
Avi Kivity <avi@...udius-systems.com>,
jeffrey.t.kirsher@...el.com
Subject: Re: [PATCH net-next v3 0/5]: ixgbevf: Allow querying VFs RSS indirection table and key
On 01/06/15 20:22, Greg Rose wrote:
> I accidentally replied just to Vlad - here is a reply to all.
>
> On Tue, Jan 6, 2015 at 9:30 AM, Vlad Zolotarov
> <vladz@...udius-systems.com> wrote:
>> On 01/06/15 18:59, Greg Rose wrote:
> [snip]
>
>
>>> I don't have any examples and that is not my area of expertise. But
>>> just because we can't think of a security risk or attack example
>>> doesn't mean there isn't one.
>>>
>>> Just add a policy hook so that the system admin can decide whether
>>> this information should be shared with the VFs and then we're covered
>>> for cases of both known and unknown exploits, risks, etc.
>> I absolutely disagree with u in regard to defining an RSS redirection table
>> and RSS hash key as security-sensitive data. I don't know how u got to
>> this conclusion.
> I have not reached any such conclusion - let me reiterate: I have no
> idea. It is not my area of expertise. However, to take the lowest
> risk route just add a policy hook so that a system admin can turn the
> feature on through the PF driver (which is acknowledged as secure) if
> they wish; then there is no worry.
NP. Let's move on.
>> However, I don't want to argue about it any longer. Let's move on.
>>
>> Let's clarify one thing about this "hook". Do u agree that it should cover
>> only the cases when a VF shares the above-mentioned data with the PF - namely for
>> all devices but x550?
> Look at how spoof checking is turned off/on for each VF using the "ip
> link set" commands. That's what I'm envisioning - some way to decide
> on a per VF basis which VFs should be allowed to perform the query.
I will, but let's agree that x550 VFs should be out of this since their
RSS indirection table and key belong to the specific domain and don't
pose even a theoretical threat.
thanks,
vlad
> Thanks,
>
> - Greg