| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Sep 2023 15:37:34 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Junfeng Guo <junfeng.guo@...el.com> Cc: intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org, anthony.l.nguyen@...el.com, jesse.brandeburg@...el.com, qi.z.zhang@...el.com, ivecera@...hat.com, sridhar.samudrala@...el.com, horms@...nel.org, edumazet@...gle.com, davem@...emloft.net, pabeni@...hat.com Subject: Re: [PATCH iwl-next v9 00/15] Introduce the Parser Library On Mon, 4 Sep 2023 10:14:40 +0800 Junfeng Guo wrote: > Current software architecture for flow filtering offloading limited > the capability of Intel Ethernet 800 Series Dynamic Device > Personalization (DDP) Package. The flow filtering offloading in the > driver is enabled based on the naming parsers, each flow pattern is > represented by a protocol header stack. And there are multiple layers > (e.g., virtchnl) to maintain their own enum/macro/structure > to represent a protocol header (IP, TCP, UDP ...), thus the extra > parsers to verify if a pattern is supported by hardware or not as > well as the extra converters that to translate represents between > different layers. Every time a new protocol/field is requested to be > supported, the corresponding logic for the parsers and the converters > needs to be modified accordingly. Thus, huge & redundant efforts are > required to support the increasing flow filtering offloading features, > especially for the tunnel types flow filtering. Are you talking about problems internal to ICE or the flower interface? > This patch set provides a way for applications to send down training > packets & masks (in binary) to the driver. Then these binary data > would be used by the driver to generate certain data that are needed > to create a filter rule in the filtering stage of switch/RSS/FDIR. What's the API for the user? I see a whole bunch of functions added here which never get called. > Note that the impact of a malicious rule in the raw packet filter is > limited to performance rather than functionality. It may affect the > performance of the workload, similar to other limitations in FDIR/RSS > on AVF. For example, there is no resource boundary for VF FDIR/RSS > rules, so one malicious VF could potentially make other VFs > inefficient in offloading. > > The parser library is expected to include boundary checks to prevent > critical errors such as infinite loops or segmentation faults. > However, only implementing and validating the parser emulator in a > sandbox environment (like ebpf) presents a challenge. > > The idea is to make the driver be able to learn from the DDP package > directly to understand how the hardware parser works (i.e., the > Parser Library), so that it can process on the raw training packet > (in binary) directly and create the filter rule accordingly. No idea what this means in terms of the larger networking stack. > Based on this Parser Library, the raw flow filtering of > switch/RSS/FDIR could be enabled to allow new flow filtering > offloading features to be supported without any driver changes (only > need to update the DDP package). Sounds like you are talking about some vague "vision" rather than the code you're actually posting. Given that you've posted 5 versions of this to netdev and got no notable comments, please don't CC netdev on the next version until you get some reviews inside Intel. Stuff like: +#define ICE_ERR_NOT_IMPL -1 should get caught by internal review.
Powered by blists - more mailing lists