Date: Thu, 31 Mar 2022 10:45:10 +0300 From: Leon Romanovsky <leon@...nel.org> To: Shannon Nelson <snelson@...sando.io> Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, intel-wired-lan@...ts.osuosl.org, Jeff Kirsher <jeffrey.t.kirsher@...el.com>, Jesse Brandeburg <jesse.brandeburg@...el.com>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>, Raed Salem <raeds@...dia.com>, Shannon Nelson <shannon.nelson@...cle.com>, Tony Nguyen <anthony.l.nguyen@...el.com>, Steffen Klassert <steffen.klassert@...unet.com> Subject: Re: [PATCH net] ixgbe: ensure IPsec VF<->PF compatibility On Wed, Mar 30, 2022 at 09:13:21AM -0700, Shannon Nelson wrote: > On 3/30/22 4:01 AM, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@...dia.com> > > > > The VF driver can forward any IPsec flags and such makes the function > > is not extendable and prone to backward/forward incompatibility. > > > > If new software runs on VF, it won't know that PF configured something > > completely different as it "knows" only XFRM_OFFLOAD_INBOUND flag. > > > > Fixes: eda0333ac293 ("ixgbe: add VF IPsec management") > > Reviewed-by: Raed Salem <raeds@...dia.com> > > Signed-off-by: Leon Romanovsky <leonro@...dia.com> > > --- > > There is no simple fix for this VF/PF incompatibility as long as FW > > doesn't filter/decline unsupported options when convey mailbox from VF > > to PF. > > --- > > drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > index e596e1a9fc75..236f244e3f65 100644 > > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c > > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c 
> > @@ -903,7 +903,9 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) > > /* Tx IPsec offload doesn't seem to work on this > > * device, so block these requests for now. > > */ > > - if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) { > > + sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6; > > + if (!(sam->flags & XFRM_OFFLOAD_INBOUND) || > > + sam->flags & ~XFRM_OFFLOAD_INBOUND) { > > So after stripping the IPV6 flag, you're checking to be sure that INBOUND is > the only flag enabled, right? > Could you use > if (sam->flags != XFRM_OFFLOAD_INBOUND) { > instead? Sure, I'll send new version soon. Thanks > > sln > > > err = -EOPNOTSUPP; > > goto err_out; > > } >
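Review bot: the comment above the flags check in ixgbe_ipsec_vf_add_sa() still describes only blocking Tx offload requests, but the new condition rejects every VF-supplied flag other than XFRM_OFFLOAD_INBOUND, and the added line that clears XFRM_OFFLOAD_IPV6 carries no explanation of why that bit is masked off rather than rejected like the others. Please update the comment to say that the PF accepts inbound-only SAs and returns -EOPNOTSUPP for any other flag bit, and note why IPV6 is tolerated. The two-part test `!(sam->flags & XFRM_OFFLOAD_INBOUND) || sam->flags & ~XFRM_OFFLOAD_INBOUND` is equivalent to the single comparison `sam->flags != XFRM_OFFLOAD_INBOUND` already proposed in the thread, which reads as an explicit allow-list and avoids the unparenthesized `&` operand next to `||`.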