Date:   Mon, 19 Sep 2022 16:06:10 +0800
From:   Jiaqing Zhao <jiaqing.zhao@...ux.intel.com>
To:     Paul Fertser <fercerpav@...il.com>
Cc:     Samuel Mendoza-Jonas <sam@...dozajonas.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        openbmc@...ts.ozlabs.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

On 2022-09-15 23:43, Paul Fertser wrote:
> Hello,
> 
> On Tue, Sep 13, 2022 at 10:12:06AM +0800, Jiaqing Zhao wrote:
>> On 2022-09-09 15:43, Paul Fertser wrote:
>>> On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
>>>>> Can you please outline some particular use cases for this feature?
>>>>>
>>>> It enables access between the host and the BMC when the BMC shares the network connection
>>>> with the host using NCSI, like accessing the BMC via HTTP or SSH from the host.
>>>
>>> Why is having a compile-time kernel option here more appropriate than
>>> just running something like "/usr/bin/ncsi-netlink --package 0
>>> --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
>>> another OEM command) on BMC userspace startup?
>>>
>>
>> Using ncsi-netlink is one way, but the package and channel IDs are undetermined
>> as they are selected at runtime. Calling the netlink command on a nonexistent
>> package/channel may lead to a kernel panic.
> 
> That sounds like a bug all right. If you can reproduce, it's likely
> the fix is reasonably easy, please consider doing it.

It cannot be reproduced stably and varies across NICs. I'm still investigating it;
it might be some NIC firmware issue.

>> Why I prefer the kernel option is that it applies the config to all NCSI
>> devices by default when setting them up. This reduces the effort and keeps
>> compatibility. Lots of things in the current NCSI kernel driver can be done via
>> commands from userspace, but I think it is not a good idea to have a driver
>> that resides in both kernel and userspace.
> 
> How should the developer decide whether to enable this compile-time
> option for a platform or not? If it's always nice to have why not
> add the code unconditionally? And if not, are you sure kernel compile
> time is the right decision point? So far I get an impression a sysfs
> runtime knob would be more useful.

Disabling host-BMC traffic ensures isolation between the host network and the BMC's
management network; some developers/vendors may prefer to disable it for security
reasons. Though having a runtime knob in sysfs would be useful, setting the
default behavior in the kernel config is also useful from my point of view.
