lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 11 Jan 2022 11:24:18 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Parav Pandit <parav@...dia.com>
Cc:     Sunil Sudhakar Rani <sunrani@...dia.com>,
        Saeed Mahameed <saeedm@...dia.com>,
        Jiri Pirko <jiri@...dia.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        Bodong Wang <bodong@...dia.com>
Subject: Re: [PATCH net-next 1/2] devlink: Add support to set port function
 as trusted

On Tue, 11 Jan 2022 18:26:16 +0000 Parav Pandit wrote:
> > From: Jakub Kicinski <kuba@...nel.org>
> > Sent: Tuesday, January 11, 2022 11:50 PM
> > > This discussed got paused in yet another year-end holidays. :)
> > > Resuming now and refreshing everyone's cache.
> > >
> > > We need to set/clear the capabilities of the function before deploying such  
> > > function. As you suggested we discussed the granular approach and at present we  
> > > have following features to on/off.  
> > >
> > > Generic features:
> > > 1. ipsec offload  
> > 
> > Why is ipsec offload a trusted feature?
>
> It isn't trusted feature. The scope in few weeks got expanded from
> trusted to more granular at controlling capabilities. One that came
> up was ipsec or other offloads that consumes more device resources. 

That's what I thought. Resource control is different than privileges,
and requires a different API.

> > > 2. ptp device
> > 
> > Makes sense.
> >   
> > > Device specific:
> > > 1. sw steering  
> > 
> > No idea what that is/entails.
> >   
> :) it the device specific knob.
> 
> > > 2. physical port counters query  
> > 
> > Still don't know why VF needs to know phy counters.
>
> A prometheous kind of monitoring software wants to monitor the
> physical port counters, running in a container. Such container
> doesn't have direct access to the PF or physical representor. Just
> for sake of monitoring counters, user doesn't want to run the
> monitoring container in root net ns.

Containerizing monitors seems very counter-intuitive to me.

> > > It was implicit that a driver API callback addition for both
> > > types of features is not good.  
> > > Devlink port function params enables to achieve both generic and
> > > device specific features.  
> > > Shall we proceed with port function params? What do you think?  
> > 
> > I already addressed this. I don't like devlink params. They muddy
> > the water between vendor specific gunk and bona fide Linux uAPI.
> > Build a normal dedicated API.  
> For sure we prefer the bona fide Linux uAPI for standard features.
> But internal knobs of how to do steering etc, is something not
> generic enough. May be only those quirks live in the port function
> params and rest in standard uAPIs?

Something talks to that steering API, and it's not netdev. So please
don't push problems which are not ours onto us.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ