lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z1lv/+VBldgUYTGw@gauss3.secunet.de>
Date: Wed, 11 Dec 2024 11:57:03 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Jakub Kicinski <kuba@...nel.org>
CC: Feng Wang <wangfe@...gle.com>, Leon Romanovsky <leon@...nel.org>,
	<netdev@...r.kernel.org>, <antony.antony@...unet.com>, <pabeni@...hat.com>
Subject: Re: [PATCH v7] xfrm: add SA information to the offloaded packet when
 if_id is set

On Tue, Dec 10, 2024 at 07:20:48PM -0800, Jakub Kicinski wrote:
> On Tue, 10 Dec 2024 10:38:34 +0100 Steffen Klassert wrote:
> > > This patch was done based on our previous discussion.  I did the
> > > changes we agreed on.  
> > 
> > there is still no real packet offload support for netdev sim.
> > And as said, this is at most the second best option.
> > 
> > You need to prove that this works. I want a complete API,
> > but I also want a working one.
> > 
> > The easiest way to prove that this is implemented correctly
> > is to upstream your driver. Everyting else is controversial
> > and complicated.
> 
> Yes, I don't have full context but FWIW offload changes accompanied 
> by just netdevsim modifications raise a red flag:

Actually, we have the mlx5 driver that supports packet offload.
When that was implemented, xfrm interfaces were no usecase.
Because of that, we forgot to care for the xfrm interface ID as
a lookup key. The problem is that users can still configure
policies/states for xfrm interfaces and packet offload.
The driver then just don't know if a packet was routed via
a xfrm interface, and if so, via which one. So it might happen
that a wrong policy/state is applied to a packet.

My idea was to fix that by supporting xfrm interfaces
with packet offload in the stack. But after looking
a bit closer to the code yesterday, I noticed that we
might not need any stack changes to get this right.

I think the driver should do the following:

If xfrm interfaces are not supported:

- Reject policies and states that have xfrm interfaces
  configured.

If xfrm interfaces are supported:

- Accept policies and states that have xfrm interfaces
  configured.

- On TX: Use the drivers xdo_dev_offload_ok function
  to check if the packet came via the correct xfrm
  interface and/or amend that info by adding the
  xfrm state to the packets secpath.

- On RX: Driver traveses through the list of registered
  xfrm interfaces and match these against the used SAs
  xfrm interface ID.


By doing that, no stack changes should be required.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ