* [Intel-wired-lan] [iproute2 PATCH] iplink: Support VF Trust @ 2015-10-07 10:06 ` Hiroshi Shimamoto 0 siblings, 0 replies; 6+ messages in thread From: Hiroshi Shimamoto @ 2015-10-07 10:06 UTC (permalink / raw) To: intel-wired-lan From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> Add IFLA_VF_TRUST message to trust the VF. PF can accept some privileged operation from the trusted VF. For example, ixgbe PF doesn't allow to enable VF promiscuous mode until the VF is trusted because it may hurt performance. To trust VF. # ip link set dev eth0 vf 1 trust on To untrust VF. # ip link set dev eth0 vf 1 trust off Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> --- This patch implements a functionality for trusting a VF in ip command. The kernel side implementation of if_link was submitted as below. http://marc.info/?l=linux-netdev&m=144074520803184&w=2 [PATCH v8 1/3] if_link: Add control trust VF --- include/linux/if_link.h | 6 ++++++ ip/iplink.c | 13 +++++++++++++ man/man8/ip-link.8.in | 7 ++++++- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/include/linux/if_link.h b/include/linux/if_link.h index 1934566..ca9a681 100644 --- a/include/linux/if_link.h +++ b/include/linux/if_link.h @@ -499,6 +499,7 @@ enum { * on/off switch */ IFLA_VF_STATS, /* network device statistics */ + IFLA_VF_TRUST, /* Trust VF */ __IFLA_VF_MAX, }; @@ -560,6 +561,11 @@ enum { #define IFLA_VF_STATS_MAX (__IFLA_VF_STATS_MAX - 1) +struct ifla_vf_trust { + __u32 vf; + __u32 setting; +}; + /* VF ports management section * * Nested layout of set/get msg is: diff --git a/ip/iplink.c b/ip/iplink.c index 1c45205..0536f34 100644 --- a/ip/iplink.c +++ b/ip/iplink.c @@ -82,6 +82,7 @@ void iplink_usage(void) fprintf(stderr, " [ spoofchk { on | off} ] ]\n"); fprintf(stderr, " [ query_rss { on | off} ] ]\n"); fprintf(stderr, " [ state { auto | enable | disable} ] ]\n"); + fprintf(stderr, " [ trust { on | off} ] ]\n"); fprintf(stderr, " [ master DEVICE ]\n"); fprintf(stderr, " [ nomaster ]\n"); fprintf(stderr, " [ addrgenmode { eui64 | none } ]\n"); @@ -352,6 +353,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp, ivs.vf = vf; addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs)); + } else if (matches(*argv, "trust") == 0) { + struct ifla_vf_trust ivt; + NEXT_ARG(); + if (matches(*argv, "on") == 0) + ivt.setting = 1; + else if (matches(*argv, "off") == 0) + ivt.setting = 0; + else + invarg("Invalid \"trust\" value\n", *argv); + ivt.vf = vf; + addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt)); + } else if (matches(*argv, "state") == 0) { struct ifla_vf_link_state ivl; diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in index 4928249..6a0c876 100644 --- a/man/man8/ip-link.8.in +++ b/man/man8/ip-link.8.in @@ -142,7 +142,8 @@ ip-link \- network device configuration .B min_tx_rate .IR TXRATE " ] [" .B spoofchk { on | off } ] [ -.B state { auto | enable | disable} +.B state { auto | enable | disable} ] [ +.B trust { on | off } ] | .br .B master @@ -968,6 +969,10 @@ parameter must be specified. reflection of the PF link state, enable lets the VF to communicate with other VFs on this host even if the PF link state is down, disable causes the HW to drop any packets sent by the VF. +.sp +.BI trust " on|off" +- trust the specified VF user. This enables that VF user can set a specific feature +which may impact security and/or perfomance. (e.g. VF multicast promiscuous mode) .in -8 .TP -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [iproute2 PATCH] iplink: Support VF Trust @ 2015-10-07 10:06 ` Hiroshi Shimamoto 0 siblings, 0 replies; 6+ messages in thread From: Hiroshi Shimamoto @ 2015-10-07 10:06 UTC (permalink / raw) To: Rose, Gregory V, Or Gerlitz, Alexander Duyck, Skidmore, Donald C, Kirsher, Jeffrey T, intel-wired-lan@lists.osuosl.org, nhorman@redhat.com, jogreene@redhat.com, Linux Netdev List, Choi, Sy Jong, Rony Efraim, Edward Cree, David Miller, sassmann@redhat.com, stephen@networkplumber.org From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> Add IFLA_VF_TRUST message to trust the VF. PF can accept some privileged operation from the trusted VF. For example, ixgbe PF doesn't allow to enable VF promiscuous mode until the VF is trusted because it may hurt performance. To trust VF. # ip link set dev eth0 vf 1 trust on To untrust VF. # ip link set dev eth0 vf 1 trust off Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> --- This patch implements a functionality for trusting a VF in ip command. The kernel side implementation of if_link was submitted as below. http://marc.info/?l=linux-netdev&m=144074520803184&w=2 [PATCH v8 1/3] if_link: Add control trust VF --- include/linux/if_link.h | 6 ++++++ ip/iplink.c | 13 +++++++++++++ man/man8/ip-link.8.in | 7 ++++++- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/include/linux/if_link.h b/include/linux/if_link.h index 1934566..ca9a681 100644 --- a/include/linux/if_link.h +++ b/include/linux/if_link.h @@ -499,6 +499,7 @@ enum { * on/off switch */ IFLA_VF_STATS, /* network device statistics */ + IFLA_VF_TRUST, /* Trust VF */ __IFLA_VF_MAX, }; @@ -560,6 +561,11 @@ enum { #define IFLA_VF_STATS_MAX (__IFLA_VF_STATS_MAX - 1) +struct ifla_vf_trust { + __u32 vf; + __u32 setting; +}; + /* VF ports management section * * Nested layout of set/get msg is: diff --git a/ip/iplink.c b/ip/iplink.c index 1c45205..0536f34 100644 --- a/ip/iplink.c +++ b/ip/iplink.c @@ -82,6 +82,7 @@ void iplink_usage(void) fprintf(stderr, " [ spoofchk { on | off} ] ]\n"); fprintf(stderr, " [ query_rss { on | off} ] ]\n"); fprintf(stderr, " [ state { auto | enable | disable} ] ]\n"); + fprintf(stderr, " [ trust { on | off} ] ]\n"); fprintf(stderr, " [ master DEVICE ]\n"); fprintf(stderr, " [ nomaster ]\n"); fprintf(stderr, " [ addrgenmode { eui64 | none } ]\n"); @@ -352,6 +353,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp, ivs.vf = vf; addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs)); + } else if (matches(*argv, "trust") == 0) { + struct ifla_vf_trust ivt; + NEXT_ARG(); + if (matches(*argv, "on") == 0) + ivt.setting = 1; + else if (matches(*argv, "off") == 0) + ivt.setting = 0; + else + invarg("Invalid \"trust\" value\n", *argv); + ivt.vf = vf; + addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt)); + } else if (matches(*argv, "state") == 0) { struct ifla_vf_link_state ivl; diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in index 4928249..6a0c876 100644 --- a/man/man8/ip-link.8.in +++ b/man/man8/ip-link.8.in @@ -142,7 +142,8 @@ ip-link \- network device configuration .B min_tx_rate .IR TXRATE " ] [" .B spoofchk { on | off } ] [ -.B state { auto | enable | disable} +.B state { auto | enable | disable} ] [ +.B trust { on | off } ] | .br .B master @@ -968,6 +969,10 @@ parameter must be specified. reflection of the PF link state, enable lets the VF to communicate with other VFs on this host even if the PF link state is down, disable causes the HW to drop any packets sent by the VF. +.sp +.BI trust " on|off" +- trust the specified VF user. This enables that VF user can set a specific feature +which may impact security and/or perfomance. (e.g. VF multicast promiscuous mode) .in -8 .TP -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Intel-wired-lan] [iproute2 PATCH] iplink: Support VF Trust 2015-10-07 10:06 ` Hiroshi Shimamoto @ 2015-10-12 16:54 ` Stephen Hemminger -1 siblings, 0 replies; 6+ messages in thread From: Stephen Hemminger @ 2015-10-12 16:54 UTC (permalink / raw) To: intel-wired-lan On Wed, 7 Oct 2015 10:06:32 +0000 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote: > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > Add IFLA_VF_TRUST message to trust the VF. > PF can accept some privileged operation from the trusted VF. > For example, ixgbe PF doesn't allow to enable VF promiscuous mode until > the VF is trusted because it may hurt performance. > > To trust VF. > # ip link set dev eth0 vf 1 trust on > > To untrust VF. > # ip link set dev eth0 vf 1 trust off > > Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> I am waiting until this is accepted into kernel before merging it into iproute2. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [iproute2 PATCH] iplink: Support VF Trust @ 2015-10-12 16:54 ` Stephen Hemminger 0 siblings, 0 replies; 6+ messages in thread From: Stephen Hemminger @ 2015-10-12 16:54 UTC (permalink / raw) To: Hiroshi Shimamoto Cc: Rose, Gregory V, Or Gerlitz, Alexander Duyck, Skidmore, Donald C, Kirsher, Jeffrey T, intel-wired-lan@lists.osuosl.org, nhorman@redhat.com, jogreene@redhat.com, Linux Netdev List, Choi, Sy Jong, Rony Efraim, Edward Cree, David Miller, sassmann@redhat.com On Wed, 7 Oct 2015 10:06:32 +0000 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote: > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > Add IFLA_VF_TRUST message to trust the VF. > PF can accept some privileged operation from the trusted VF. > For example, ixgbe PF doesn't allow to enable VF promiscuous mode until > the VF is trusted because it may hurt performance. > > To trust VF. > # ip link set dev eth0 vf 1 trust on > > To untrust VF. > # ip link set dev eth0 vf 1 trust off > > Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> I am waiting until this is accepted into kernel before merging it into iproute2. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Intel-wired-lan] [iproute2 PATCH] iplink: Support VF Trust 2015-10-12 16:54 ` Stephen Hemminger @ 2015-10-12 18:59 ` Jeff Kirsher -1 siblings, 0 replies; 6+ messages in thread From: Jeff Kirsher @ 2015-10-12 18:59 UTC (permalink / raw) To: intel-wired-lan On Mon, 2015-10-12 at 09:54 -0700, Stephen Hemminger wrote: > On Wed, 7 Oct 2015 10:06:32 +0000 > Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote: > > > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > > > Add IFLA_VF_TRUST message to trust the VF. > > PF can accept some privileged operation from the trusted VF. > > For example, ixgbe PF doesn't allow to enable VF promiscuous mode > until > > the VF is trusted because it may hurt performance. > > > > To trust VF. > > # ip link set dev eth0 vf 1 trust on > > > > To untrust VF. > > # ip link set dev eth0 vf 1 trust off > > > > Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > I am waiting until this is accepted into kernel before merging it > into iproute2. Yeah, I figured. I had him resend it since our validation team did not have these changes available to test Hiroshi's latest set of driver/core changes. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part URL: <http://lists.osuosl.org/pipermail/intel-wired-lan/attachments/20151012/01b9a561/attachment.asc> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [iproute2 PATCH] iplink: Support VF Trust @ 2015-10-12 18:59 ` Jeff Kirsher 0 siblings, 0 replies; 6+ messages in thread From: Jeff Kirsher @ 2015-10-12 18:59 UTC (permalink / raw) To: Stephen Hemminger, Hiroshi Shimamoto Cc: Rose, Gregory V, Or Gerlitz, Alexander Duyck, Skidmore, Donald C, intel-wired-lan@lists.osuosl.org, nhorman@redhat.com, jogreene@redhat.com, Linux Netdev List, Choi, Sy Jong, Rony Efraim, Edward Cree, David Miller, sassmann@redhat.com [-- Attachment #1: Type: text/plain, Size: 928 bytes --] On Mon, 2015-10-12 at 09:54 -0700, Stephen Hemminger wrote: > On Wed, 7 Oct 2015 10:06:32 +0000 > Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote: > > > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > > > Add IFLA_VF_TRUST message to trust the VF. > > PF can accept some privileged operation from the trusted VF. > > For example, ixgbe PF doesn't allow to enable VF promiscuous mode > until > > the VF is trusted because it may hurt performance. > > > > To trust VF. > > # ip link set dev eth0 vf 1 trust on > > > > To untrust VF. > > # ip link set dev eth0 vf 1 trust off > > > > Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> > > I am waiting until this is accepted into kernel before merging it > into iproute2. Yeah, I figured. I had him resend it since our validation team did not have these changes available to test Hiroshi's latest set of driver/core changes. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-10-12 18:59 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-10-07 10:06 [Intel-wired-lan] [iproute2 PATCH] iplink: Support VF Trust Hiroshi Shimamoto 2015-10-07 10:06 ` Hiroshi Shimamoto 2015-10-12 16:54 ` [Intel-wired-lan] " Stephen Hemminger 2015-10-12 16:54 ` Stephen Hemminger 2015-10-12 18:59 ` [Intel-wired-lan] " Jeff Kirsher 2015-10-12 18:59 ` Jeff Kirsher
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.