Message-ID: <270f309212915ad2b4a0513222039f20@imap.linux.ibm.com>
Date:   Wed, 02 Dec 2020 15:50:58 -0800
From:   Dany Madden <drt@...ux.ibm.com>
To:     drt@...ux.ibm.com
Cc:     Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        sukadev@...ux.ibm.com, ljp@...ux.ibm.com
Subject: Re: [PATCH net-next v2] ibmvnic: process HMC disable command

On 2020-12-02 12:02, drt wrote:
> On 2020-11-30 10:19, drt wrote:
>> On 2020-11-25 15:55, drt wrote:
>>> On 2020-11-25 13:08, Jakub Kicinski wrote:
>>>> On Mon, 23 Nov 2020 18:58:41 -0500 Dany Madden wrote:
>>>>> Currently ibmvnic does not support the "Disable vNIC" command from
>>>>> the Hardware Management Console. The HMC uses this command to disconnect
>>>>> the adapter from the network if the adapter is misbehaving or sending
>>>>> malicious traffic. The effect of this command is equivalent to setting
>>>>> the link to the "down" state on the linux client.
>>>>> 
>>>>> Enable support in ibmvnic driver for the Disable vNIC command.
>>>>> 
>>>>> Signed-off-by: Dany Madden <drt@...ux.ibm.com>
>>>> 
>>>> It seems that (a) user looking at the system where NIC was disabled has
>>>> no idea why netdev is not working even tho it's UP, and (b) AFAICT
>>>> nothing prevents the user from bringing the device down and back up
>>>> again.
>>> 
>>> User would see the interface as DOWN. ibmvnic_close() requests the
>>> vnicserver to do a link down. The vnicserver responds with a link
>>> state indication CRQ message with logical link down, client would then
>>> do netif_carrier_off().
>>> 
>>> You are correct, nothing is preventing the user from bringing the
>>> device back online.
>>> 
>>>> 
>>>> You said this is to disable misbehaving and/or sending malicious vnic,
>>>> obviously the guest can ignore the command so it's not very dependable,
>>>> anyway.
>>> 
>>> Without this patch, ibmvnic would ignore the command. With this patch,
>>> it will handle the disable command from the HMC. If the guest insists
>>> on being bad, the HMC does have the ability to remove vnic adapter
>>> from the guest.
>>> 
>>>> 
>>>> Would it not be sufficient to mark the carrier state as down to cut the
>>>> vnic off?
>>> Essentially, this is what ibmvnic_disable does.
>> 
>> Hello Jakub, did I address your concern? If not, please let me know.
> 
> Hello Jakub,
> 
> I am pulling this patch. Suka pointed out that rwi lock is not being
> held when it walks the rwi_list, also the reset bit is incorrectly
> checked. We will send a v3.
> 
> Apologies for any inconvenience.

It appears that my email is not showing up in the mailing archive 
because of email aliases. I hope this is going thru.

Please do not commit this patch.

> 
> Thank you!
> Dany
>> 
>> Thanks!
