Message-ID: <DM6PR11MB37235620147B5FBA1C204281E71EA@DM6PR11MB3723.namprd11.prod.outlook.com>
Date: Mon, 21 Aug 2023 07:15:13 +0000
From: "Guo, Junfeng" <junfeng.guo@...el.com>
To: Subbaraya Sundeep Bhatta <sbhatta@...vell.com>,
	"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
	"Samudrala, Sridhar" <sridhar.samudrala@...el.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Nguyen, Anthony L"
	<anthony.l.nguyen@...el.com>, "Brandeburg, Jesse"
	<jesse.brandeburg@...el.com>, "Zhang, Qi Z" <qi.z.zhang@...el.com>, ivecera
	<ivecera@...hat.com>
Subject: RE: [EXT] [PATCH iwl-next v5 00/15] Introduce the Parser Library



> -----Original Message-----
> From: Subbaraya Sundeep Bhatta <sbhatta@...vell.com>
> Sent: Monday, August 21, 2023 14:46
> To: Guo, Junfeng <junfeng.guo@...el.com>; intel-wired-lan@...ts.osuosl.org
> Cc: netdev@...r.kernel.org; Nguyen, Anthony L
> <anthony.l.nguyen@...el.com>; Brandeburg, Jesse
> <jesse.brandeburg@...el.com>; Zhang, Qi Z <qi.z.zhang@...el.com>;
> ivecera <ivecera@...hat.com>; Samudrala, Sridhar
> <sridhar.samudrala@...el.com>
> Subject: RE: [EXT] [PATCH iwl-next v5 00/15] Introduce the Parser
> Library
> 
> Hi,
> 
> >-----Original Message-----
> >From: Junfeng Guo <junfeng.guo@...el.com>
> >Sent: Monday, August 21, 2023 8:08 AM
> >To: intel-wired-lan@...ts.osuosl.org
> >Cc: netdev@...r.kernel.org; anthony.l.nguyen@...el.com;
> >jesse.brandeburg@...el.com; qi.z.zhang@...el.com; ivecera@...hat.com;
> >sridhar.samudrala@...el.com; Junfeng Guo <junfeng.guo@...el.com>
> >Subject: [EXT] [PATCH iwl-next v5 00/15] Introduce the Parser Library
> >
> >External Email
> >
> >----------------------------------------------------------------------
> >The current software architecture for flow filtering offloading limits
> >the capability of the Intel Ethernet 800 Series Dynamic Device
> >Personalization (DDP) Package. The flow filtering offloading in the
> >driver is enabled based on the naming parsers; each flow pattern is
> >represented by a protocol header stack. And there are multiple layers
> >(e.g., virtchnl) that maintain their own enum/macro/structure
> >to represent a protocol header (IP, TCP, UDP ...), thus extra
> >parsers are needed to verify whether a pattern is supported by hardware
> >or not, as well as extra converters to translate representations
> >between different layers. Every time a new protocol/field is requested
> >to be supported, the corresponding logic for the parsers and the
> >converters needs to be modified accordingly. Thus, huge & redundant
> >efforts are required to support the increasing flow filtering
> >offloading features, especially for the tunnel-type flow filtering.
> >
> >This patch set provides a way for applications to send down training
> >packets & masks (in binary) to the driver. Then these binary data
> >would be used by the driver to generate certain data that are needed
> >to create a filter rule in the filtering stage of switch/RSS/FDIR.
> >
> Which application? Can you provide a usage example too? Is it okay to
> parse binary data in a kernel driver? We do have similar requirements;
> I am thinking whether we can leverage this for all drivers.
> 
> Thanks,
> Sundeep

Thanks Sundeep for the concerns and feedback!

Yes, this feature is to make full use of the Intel DDP capability for
flow filtering offloading like FDIR and RSS on the AVF driver. And the
Parser Library is the foundation of the implementation.

There is another patch set under review to enable FDIR of raw-flow.
https://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=369367
The patch set for enabling RSS of raw-flow is being prepared now.

Currently, the implementation of the AVF method (tc flower) to configure
raw-flow filtering is also in progress.
Maybe @Samudrala, Sridhar can help give some info about the status.

At this point, you can try some user-space applications like DPDK/VPP
to understand how the raw-flow feature works.

As for the risks of parsing binary data in the kernel driver, the
statements below may answer your concerns. Thanks!

> 
> >Note that the impact of a malicious rule in the raw packet filter is
> >limited to performance rather than functionality. It may affect the
> >performance of the workload, similar to other limitations in FDIR/RSS
> >on AVF. For example, there is no resource boundary for VF FDIR/RSS
> >rules, so one malicious VF could potentially make other VFs
> >inefficient in offloading.
> >
> >The parser library is expected to include boundary checks to prevent
> >critical errors such as infinite loops or segmentation faults.
> >However, only implementing and validating the parser emulator in a
> >sandbox environment (like eBPF) presents a challenge.
> >
> >The idea is to make the driver be able to learn from the DDP package
> >directly to understand how the hardware parser works (i.e., the
> >Parser Library), so that it can process on the raw training packet
> >(in binary) directly and create the filter rule accordingly.
> >
> >Based on this Parser Library, the raw flow filtering of
> >switch/RSS/FDIR could be enabled to allow new flow filtering
> >offloading features to be supported without any driver changes (only
> >need to update the DDP package).
> >
> >
> >v5:
> >- Update copyrights of new files to be 2023 only.
> >- Update patch set series prefix.
> >- Fix typo on patch 2 commit message.
> >
> >v4:
> >- Update cover letter series title.
> >
> >v3:
> >- Replace magic hardcoded values with macros.
> >- Use size_t to avoid superfluous type cast to uintptr_t in function
> >  ice_parser_sect_item_get.
> >- Prefix for static local function names to avoid namespace pollution.
> >- Use strstarts() function instead of self implementation.
> >
> >v2:
> >- Fix build warnings.
> >
> >
> >Junfeng Guo (15):
> >  ice: add parser create and destroy skeleton
> >  ice: init imem table for parser
> >  ice: init metainit table for parser
> >  ice: init parse graph cam tables for parser
> >  ice: init boost tcam and label tables for parser
> >  ice: init ptype marker tcam table for parser
> >  ice: init marker and protocol group tables for parser
> >  ice: init flag redirect table for parser
> >  ice: init XLT key builder for parser
> >  ice: add parser runtime skeleton
> >  ice: add internal help functions
> >  ice: add parser execution main loop
> >  ice: support double vlan mode configure for parser
> >  ice: add tunnel port support for parser
> >  ice: add API for parser profile initialization
> >
> > drivers/net/ethernet/intel/ice/Makefile       |  11 +
> > drivers/net/ethernet/intel/ice/ice_bst_tcam.c | 313 +++++++
> > drivers/net/ethernet/intel/ice/ice_bst_tcam.h |  52 ++
> > drivers/net/ethernet/intel/ice/ice_common.h   |   4 +
> > drivers/net/ethernet/intel/ice/ice_ddp.c      |  10 +-
> > drivers/net/ethernet/intel/ice/ice_ddp.h      |  14 +
> > drivers/net/ethernet/intel/ice/ice_flg_rd.c   |  73 ++
> > drivers/net/ethernet/intel/ice/ice_flg_rd.h   |  24 +
> > drivers/net/ethernet/intel/ice/ice_imem.c     | 279 ++++++
> > drivers/net/ethernet/intel/ice/ice_imem.h     | 217 +++++
> > drivers/net/ethernet/intel/ice/ice_metainit.c | 181 ++++
> > drivers/net/ethernet/intel/ice/ice_metainit.h | 104 +++
> > drivers/net/ethernet/intel/ice/ice_mk_grp.c   |  51 +
> > drivers/net/ethernet/intel/ice/ice_mk_grp.h   |  17 +
> > drivers/net/ethernet/intel/ice/ice_parser.c   | 562 +++++++++++
> > drivers/net/ethernet/intel/ice/ice_parser.h   | 140 +++
> > .../net/ethernet/intel/ice/ice_parser_rt.c    | 877 ++++++++++++++++++
> > .../net/ethernet/intel/ice/ice_parser_rt.h    |  73 ++
> > .../net/ethernet/intel/ice/ice_parser_util.h  |  37 +
> > drivers/net/ethernet/intel/ice/ice_pg_cam.c   | 397 ++++++++
> > drivers/net/ethernet/intel/ice/ice_pg_cam.h   | 142 +++
> > .../net/ethernet/intel/ice/ice_proto_grp.c    |  90 ++
> > .../net/ethernet/intel/ice/ice_proto_grp.h    |  31 +
> > drivers/net/ethernet/intel/ice/ice_ptype_mk.c |  73 ++
> > drivers/net/ethernet/intel/ice/ice_ptype_mk.h |  23 +
> > drivers/net/ethernet/intel/ice/ice_tmatch.h   |  40 +
> > drivers/net/ethernet/intel/ice/ice_type.h     |   1 +
> > drivers/net/ethernet/intel/ice/ice_xlt_kb.c   | 262 ++++++
> > drivers/net/ethernet/intel/ice/ice_xlt_kb.h   |  80 ++
> > 29 files changed, 4173 insertions(+), 5 deletions(-)
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_bst_tcam.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_bst_tcam.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_flg_rd.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_flg_rd.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_imem.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_imem.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_metainit.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_metainit.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_mk_grp.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_mk_grp.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_parser.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_parser.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_rt.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_rt.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_parser_util.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_pg_cam.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_pg_cam.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_proto_grp.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_proto_grp.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_ptype_mk.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_ptype_mk.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_tmatch.h
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_xlt_kb.c
> > create mode 100644 drivers/net/ethernet/intel/ice/ice_xlt_kb.h
> >
> >--
> >2.25.1
> >


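An added example, not part of this thread and not the ice driver's code: the kind of bounds-checked walk a kernel-side parser needs when it consumes a user-supplied raw training packet and mask, as the cover letter above describes. The fixed Ethernet/IPv4/UDP layout, the RAW_MAX_LEN and RAW_MAX_HDRS limits and every function and type name are assumptions chosen for illustration; the real Parser Library is driven by tables learned from the DDP package rather than by hard-coded header definitions. The sample pattern and mask are constructed, not captured traffic.

```c
/* Added example, not the ice driver's code: a bounds-checked walk over a raw
 * training packet and its mask, of the kind the cover letter describes user
 * space handing to the driver.  Layout, limits and names are assumptions. */
#include <stdint.h>
#include <string.h>

#define RAW_MAX_LEN  256 /* assumed cap on a user-supplied pattern */
#define RAW_MAX_HDRS 8   /* assumed cap on parse steps: no unbounded loop */

enum raw_proto { RAW_ETH, RAW_IPV4, RAW_UDP };
struct raw_hdr { enum raw_proto proto; size_t off, len; int masked; };
struct raw_flow { struct raw_hdr hdr[RAW_MAX_HDRS]; unsigned int nhdr; };
static const size_t raw_min_len[] = { 14, 20, 8 }; /* bytes needed before any read */

static int raw_mask_any(const uint8_t *mask, size_t off, size_t hlen)
{
	for (size_t i = 0; i < hlen; i++)
		if (mask[off + i])
			return 1;
	return 0;
}

/* Returns 0 and fills *flow, or -1 if the pattern is malformed.  Every read
 * is preceded by a length check and the walk is bounded by RAW_MAX_HDRS, so
 * a crafted pattern can neither loop the driver nor read past the buffer. */
int raw_flow_parse(const uint8_t *pkt, const uint8_t *mask, size_t len,
		   struct raw_flow *flow)
{
	enum raw_proto cur = RAW_ETH;
	size_t off = 0;

	memset(flow, 0, sizeof(*flow));
	if (!pkt || !mask || len == 0 || len > RAW_MAX_LEN)
		return -1;
	for (unsigned int step = 0; step < RAW_MAX_HDRS; step++) {
		enum raw_proto next = cur;
		size_t hlen = 0;
		int last = 0;

		if (len - off < raw_min_len[cur]) /* fixed part must fit */
			return -1;
		switch (cur) {
		case RAW_ETH:
			hlen = 14;
			if (pkt[off + 12] != 0x08 || pkt[off + 13] != 0x00)
				return -1; /* assumed: IPv4 patterns only */
			next = RAW_IPV4;
			break;
		case RAW_IPV4:
			hlen = (size_t)(pkt[off] & 0x0f) * 4; /* IHL */
			if ((pkt[off] >> 4) != 4 || hlen < 20 || pkt[off + 9] != 17)
				return -1; /* IHL 0 would leave off unchanged; UDP only */
			next = RAW_UDP;
			break;
		case RAW_UDP:
			hlen = 8;
			last = 1;
			break;
		}
		if (hlen > len - off) /* variable part must fit as well */
			return -1;
		flow->hdr[flow->nhdr++] = (struct raw_hdr){
			cur, off, hlen, raw_mask_any(mask, off, hlen) };
		off += hlen;
		if (last)
			return 0;
		cur = next;
	}
	return -1; /* header stack deeper than RAW_MAX_HDRS */
}

/* Constructed sample, not captured traffic: Ethernet/IPv4/UDP, 42 bytes; the
 * mask selects only the IPv4 destination address and UDP destination port. */
static const uint8_t sample_pkt[42] = {
	0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,                       /* Ethernet */
	0x45,0,0,0x1c, 0,0,0,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2, /* IPv4 */
	0x04,0xd2, 0x12,0xb5, 0,8, 0,0,                            /* UDP */
};
static const uint8_t sample_mask[42] = { [30] = 0xff, [31] = 0xff, [32] = 0xff,
					 [33] = 0xff, [36] = 0xff, [37] = 0xff };

/* Parse the first len bytes of the sample with IPv4 byte 0 replaced by vihl
 * (0x45 is the genuine value; 0x40 forces IHL 0 to model a stalling header):
 * -1 if rejected, 1 if the result is Eth/IPv4/UDP at offsets 0/14/34 with
 * only the IPv4 and UDP headers masked, 0 for any other result. */
int raw_example_check(size_t len, uint8_t vihl)
{
	struct raw_flow f;
	uint8_t pkt[42];

	memcpy(pkt, sample_pkt, sizeof pkt);
	pkt[14] = vihl;
	if (len > sizeof pkt || raw_flow_parse(pkt, sample_mask, len, &f))
		return -1;
	return f.nhdr == 3 && f.hdr[0].off == 0 && !f.hdr[0].masked &&
	       f.hdr[1].proto == RAW_IPV4 && f.hdr[1].off == 14 && f.hdr[1].masked &&
	       f.hdr[2].proto == RAW_UDP && f.hdr[2].off == 34 && f.hdr[2].masked;
}
```

The two checks that matter for the concern raised in the thread are the length check before any field is read and the fixed bound on the number of parse steps. With the genuine IPv4 byte (0x45) the full 42-byte sample parses into three headers; truncating it to 40 bytes is rejected because the UDP header no longer fits, an IHL of 0 (byte 0x40) is rejected instead of leaving the offset unchanged, and an IHL of 6 (byte 0x46) is rejected because the options it claims push the UDP header past the end of the pattern.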