Message-ID: <CO1PR18MB46661FF0DD278978575A20C9A11EA@CO1PR18MB4666.namprd18.prod.outlook.com>
Date: Mon, 21 Aug 2023 06:46:02 +0000
From: Subbaraya Sundeep Bhatta <sbhatta@...vell.com>
To: Junfeng Guo <junfeng.guo@...el.com>,
        "intel-wired-lan@...ts.osuosl.org"
	<intel-wired-lan@...ts.osuosl.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "anthony.l.nguyen@...el.com" <anthony.l.nguyen@...el.com>,
        "jesse.brandeburg@...el.com" <jesse.brandeburg@...el.com>,
        "qi.z.zhang@...el.com" <qi.z.zhang@...el.com>,
        "ivecera@...hat.com"
	<ivecera@...hat.com>,
        "sridhar.samudrala@...el.com"
	<sridhar.samudrala@...el.com>
Subject: RE: [EXT] [PATCH iwl-next v5 00/15] Introduce the Parser Library

Hi,

>-----Original Message-----
>From: Junfeng Guo <junfeng.guo@...el.com>
>Sent: Monday, August 21, 2023 8:08 AM
>To: intel-wired-lan@...ts.osuosl.org
>Cc: netdev@...r.kernel.org; anthony.l.nguyen@...el.com;
>jesse.brandeburg@...el.com; qi.z.zhang@...el.com; ivecera@...hat.com;
>sridhar.samudrala@...el.com; Junfeng Guo <junfeng.guo@...el.com>
>Subject: [EXT] [PATCH iwl-next v5 00/15] Introduce the Parser Library
>
>The current software architecture for flow filtering offloading limits
>the capability of the Intel Ethernet 800 Series Dynamic Device
>Personalization (DDP) Package. The flow filtering offloading in the
>driver is enabled based on the naming parsers; each flow pattern is
>represented by a protocol header stack. There are also multiple layers
>(e.g., virtchnl) that maintain their own enum/macro/structure
>to represent a protocol header (IP, TCP, UDP ...), hence the extra
>parsers to verify whether a pattern is supported by hardware, as
>well as the extra converters that translate representations between
>different layers. Every time a new protocol/field is requested to be
>supported, the corresponding logic for the parsers and the converters
>needs to be modified accordingly. Thus, huge & redundant efforts are
>required to support the increasing flow filtering offloading features,
>especially for the tunnel types of flow filtering.
>
>This patch set provides a way for applications to send down training
>packets & masks (in binary) to the driver. Then these binary data
>would be used by the driver to generate certain data that are needed
>to create a filter rule in the filtering stage of switch/RSS/FDIR.
>
Which application? Can you provide a usage example too? Is it okay to
parse binary data in a kernel driver? We do have similar requirements; I
am thinking about whether we can leverage this for all drivers.

Thanks,
Sundeep

>Note that the impact of a malicious rule in the raw packet filter is
>limited to performance rather than functionality. It may affect the
>performance of the workload, similar to other limitations in FDIR/RSS
>on AVF. For example, there is no resource boundary for VF FDIR/RSS
>rules, so one malicious VF could potentially make other VFs
>inefficient in offloading.
>
>The parser library is expected to include boundary checks to prevent
>critical errors such as infinite loops or segmentation faults.
>However, only implementing and validating the parser emulator in a
>sandbox environment (like eBPF) presents a challenge.
>
>The idea is to enable the driver to learn from the DDP package
>directly how the hardware parser works (i.e., the
>Parser Library), so that it can process the raw training packet
>(in binary) directly and create the filter rule accordingly.
>
>Based on this Parser Library, the raw flow filtering of
>switch/RSS/FDIR could be enabled to allow new flow filtering
>offloading features to be supported without any driver changes (only
>need to update the DDP package).
>
>
>v5:
>- Update copyrights of new files to be 2023 only.
>- Update patch set series prefix.
>- Fix typo on patch 2 commit message.
>
>v4:
>- Update cover letter series title.
>
>v3:
>- Replace magic hardcoded values with macros.
>- Use size_t to avoid superfluous type cast to uintptr_t in function
>  ice_parser_sect_item_get.
>- Prefix for static local function names to avoid namespace pollution.
>- Use strstarts() function instead of self implementation.
>
>v2:
>- Fix build warnings.
>
>
>Junfeng Guo (15):
>  ice: add parser create and destroy skeleton
>  ice: init imem table for parser
>  ice: init metainit table for parser
>  ice: init parse graph cam tables for parser
>  ice: init boost tcam and label tables for parser
>  ice: init ptype marker tcam table for parser
>  ice: init marker and protocol group tables for parser
>  ice: init flag redirect table for parser
>  ice: init XLT key builder for parser
>  ice: add parser runtime skeleton
>  ice: add internal help functions
>  ice: add parser execution main loop
>  ice: support double vlan mode configure for parser
>  ice: add tunnel port support for parser
>  ice: add API for parser profile initialization
>
> drivers/net/ethernet/intel/ice/Makefile       |  11 +
> drivers/net/ethernet/intel/ice/ice_bst_tcam.c | 313 +++++++
> drivers/net/ethernet/intel/ice/ice_bst_tcam.h |  52 ++
> drivers/net/ethernet/intel/ice/ice_common.h   |   4 +
> drivers/net/ethernet/intel/ice/ice_ddp.c      |  10 +-
> drivers/net/ethernet/intel/ice/ice_ddp.h      |  14 +
> drivers/net/ethernet/intel/ice/ice_flg_rd.c   |  73 ++
> drivers/net/ethernet/intel/ice/ice_flg_rd.h   |  24 +
> drivers/net/ethernet/intel/ice/ice_imem.c     | 279 ++++++
> drivers/net/ethernet/intel/ice/ice_imem.h     | 217 +++++
> drivers/net/ethernet/intel/ice/ice_metainit.c | 181 ++++
> drivers/net/ethernet/intel/ice/ice_metainit.h | 104 +++
> drivers/net/ethernet/intel/ice/ice_mk_grp.c   |  51 +
> drivers/net/ethernet/intel/ice/ice_mk_grp.h   |  17 +
> drivers/net/ethernet/intel/ice/ice_parser.c   | 562 +++++++++++
> drivers/net/ethernet/intel/ice/ice_parser.h   | 140 +++
> .../net/ethernet/intel/ice/ice_parser_rt.c    | 877 ++++++++++++++++++
> .../net/ethernet/intel/ice/ice_parser_rt.h    |  73 ++
> .../net/ethernet/intel/ice/ice_parser_util.h  |  37 +
> drivers/net/ethernet/intel/ice/ice_pg_cam.c   | 397 ++++++++
> drivers/net/ethernet/intel/ice/ice_pg_cam.h   | 142 +++
> .../net/ethernet/intel/ice/ice_proto_grp.c    |  90 ++
> .../net/ethernet/intel/ice/ice_proto_grp.h    |  31 +
> drivers/net/ethernet/intel/ice/ice_ptype_mk.c |  73 ++
> drivers/net/ethernet/intel/ice/ice_ptype_mk.h |  23 +
> drivers/net/ethernet/intel/ice/ice_tmatch.h   |  40 +
> drivers/net/ethernet/intel/ice/ice_type.h     |   1 +
> drivers/net/ethernet/intel/ice/ice_xlt_kb.c   | 262 ++++++
> drivers/net/ethernet/intel/ice/ice_xlt_kb.h   |  80 ++
> 29 files changed, 4173 insertions(+), 5 deletions(-)
> create mode 100644 drivers/net/ethernet/intel/ice/ice_bst_tcam.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_bst_tcam.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_flg_rd.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_flg_rd.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_imem.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_imem.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_metainit.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_metainit.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_mk_grp.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_mk_grp.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_parser.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_parser.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_rt.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_rt.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_util.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_pg_cam.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_pg_cam.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_proto_grp.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_proto_grp.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_ptype_mk.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_ptype_mk.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_tmatch.h
> create mode 100644 drivers/net/ethernet/intel/ice/ice_xlt_kb.c
> create mode 100644 drivers/net/ethernet/intel/ice/ice_xlt_kb.h
>
>--
>2.25.1
>
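
The cover letter above expects the parser library to carry boundary checks against infinite loops and out-of-bounds reads when walking a raw training packet. The sketch below is an added example, not code from the patch set or the ice driver: the node layout, `pg_walk`, the status codes and the sample data are all hypothetical, and it shows a table-driven walk that treats both the table and the packet as untrusted.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical parse-graph node; NOT the ice driver's or the DDP layout. */
struct pg_node {
    uint16_t hdr_len;  /* bytes consumed by this header */
    uint16_t key_off;  /* offset of the 16-bit next-protocol key */
    uint16_t key_val;  /* key value that selects next_hit */
    uint16_t next_hit; /* next node on match; a miss ends the walk */
};
#define PG_END       0xFFFFu /* terminal node index */
#define PG_MAX_STEPS 32      /* a cyclic table cannot spin forever */
enum { PG_OK = 0, PG_ERR_BOUNDS = -1, PG_ERR_NODE = -2, PG_ERR_LOOP = -3 };

/* Walk tbl over pkt; on PG_OK, *end_off is the first unparsed byte. */
static int pg_walk(const struct pg_node *tbl, size_t n_nodes,
                   const uint8_t *pkt, size_t pkt_len, size_t *end_off)
{
    size_t off = 0;
    uint16_t cur = 0;
    for (int step = 0; step < PG_MAX_STEPS; step++) {
        if (cur >= n_nodes)
            return PG_ERR_NODE; /* table indices are untrusted input */
        const struct pg_node *n = &tbl[cur];
        /* Header must fit in the packet, key must fit in the header. */
        if (n->hdr_len > pkt_len - off || (size_t)n->key_off + 2 > n->hdr_len)
            return PG_ERR_BOUNDS;
        const uint8_t *k = pkt + off + n->key_off;
        uint16_t key = (uint16_t)((k[0] << 8) | k[1]);
        off += n->hdr_len;
        cur = (key == n->key_val) ? n->next_hit : PG_END;
        if (cur == PG_END) {
            *end_off = off;
            return PG_OK;
        }
    }
    return PG_ERR_LOOP;
}

/* Constructed sample: Ethernet + 802.1Q tag + first bytes of IPv4. */
static const struct pg_node sample_tbl[] = {
    { 14, 12, 0x8100, 1 },      /* Ethernet: TPID 0x8100 -> VLAN node */
    {  4,  2, 0x0800, PG_END }, /* VLAN TCI + inner EtherType */
};
static const uint8_t sample_pkt[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };
int main(void)
{
    size_t end = 0;
    return pg_walk(sample_tbl, 2, sample_pkt, sizeof sample_pkt, &end) != PG_OK;
}
```

A truncated packet, a table entry pointing past the table, and a self-referencing node each return a distinct error instead of reading out of bounds or spinning.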

