From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Doug Ledford <dledford@redhat.com>
Cc: "'Christoph Hellwig'" <hch@infradead.org>,
Sagi Grimberg <sagig@dev.mellanox.co.il>,
Steve Wise <swise@opengridcomputing.com>,
sagig@mellanox.com, ogerlitz@mellanox.com, roid@mellanox.com,
linux-rdma@vger.kernel.org, eli@mellanox.com,
target-devel@vger.kernel.org, linux-nfs@vger.kernel.org,
trond.myklebust@primarydata.com, bfields@fieldses.org,
Oren Duer <oren@mellanox.com>
Subject: Re: [PATCH V3 1/5] RDMA/core: Transport-independent access flags
Date: Thu, 9 Jul 2015 16:53:06 -0600 [thread overview]
Message-ID: <20150709225306.GA30741@obsidianresearch.com> (raw)
In-Reply-To: <559EF332.7060103@redhat.com>
On Thu, Jul 09, 2015 at 06:18:26PM -0400, Doug Ledford wrote:
> A lot of this discussion is interesting and has gone off in an area that
> I think is worth pursuing in the long run. However, in the short run,
> this patch was a minor cleanup/simplification patch. These discussions
> are moving into complete redesigns and rearchitecting. Steve, I'm OK
> with the cleanup and would prefer that it stay separate from these
> larger issues.
So, I was originally of the view the flags change was fine.
But when I realized that it basically hides a
ib_get_dma_mr(IB_ACCESS_REMOTE_WRITE) behind an opaque API:
rdma_get_dma_mr(RDMA_MRR_READ_DEST)
I changed my mind.
For iWarp the above creates a rkey that can RDMA WRITE to any place in
system memory. If a remote guesses that rkey your system is totally
compromised. So it is insecure, and contrary to the advice in RFC5042.
Seeing rdma_get_dma_mr(RDMA_MRR_READ_DEST) added all over the code
base terrifies me, because it is utterly wrong, and looks harmless.
The mistep, is that enabling iSER for iWarp is not just this trivial
change:
- device->mr = ib_get_dma_mr(device->pd, IB_ACCESS_LOCAL_WRITE);
+ mr_roles = RDMA_MRR_RECV | RDMA_MRR_SEND | RDMA_MRR_WRITE_SOURCE |
+ RDMA_MRR_READ_DEST;
+ device->mr = rdma_get_dma_mr(device->pd, mr_roles, 0);
But, it must also follow the path of NFS and use FRMR on iWarp for
RDMA READ lkeys. This is the real quirk of iWarp, not that the MR
flags are slightly different.
WARNING: multiple messages have this Message-ID (diff)
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Doug Ledford <dledford@redhat.com>
Cc: 'Christoph Hellwig' <hch@infradead.org>,
Sagi Grimberg <sagig@dev.mellanox.co.il>,
Steve Wise <swise@opengridcomputing.com>,
sagig@mellanox.com, ogerlitz@mellanox.com, roid@mellanox.com,
linux-rdma@vger.kernel.org, eli@mellanox.com,
target-devel@vger.kernel.org, linux-nfs@vger.kernel.org,
trond.myklebust@primarydata.com, bfields@fieldses.org,
Oren Duer <oren@mellanox.com>
Subject: Re: [PATCH V3 1/5] RDMA/core: Transport-independent access flags
Date: Thu, 9 Jul 2015 16:53:06 -0600 [thread overview]
Message-ID: <20150709225306.GA30741@obsidianresearch.com> (raw)
In-Reply-To: <559EF332.7060103@redhat.com>
On Thu, Jul 09, 2015 at 06:18:26PM -0400, Doug Ledford wrote:
> A lot of this discussion is interesting and has gone off in an area that
> I think is worth pursuing in the long run. However, in the short run,
> this patch was a minor cleanup/simplification patch. These discussions
> are moving into complete redesigns and rearchitecting. Steve, I'm OK
> with the cleanup and would prefer that it stay separate from these
> larger issues.
So, I was originally of the view the flags change was fine.
But when I realized that it basically hides a
ib_get_dma_mr(IB_ACCESS_REMOTE_WRITE) behind an opaque API:
rdma_get_dma_mr(RDMA_MRR_READ_DEST)
I changed my mind.
For iWarp the above creates a rkey that can RDMA WRITE to any place in
system memory. If a remote guesses that rkey your system is totally
compromised. So it is insecure, and contrary to the advice in RFC5042.
Seeing rdma_get_dma_mr(RDMA_MRR_READ_DEST) added all over the code
base terrifies me, because it is utterly wrong, and looks harmless.
The mistep, is that enabling iSER for iWarp is not just this trivial
change:
- device->mr = ib_get_dma_mr(device->pd, IB_ACCESS_LOCAL_WRITE);
+ mr_roles = RDMA_MRR_RECV | RDMA_MRR_SEND | RDMA_MRR_WRITE_SOURCE |
+ RDMA_MRR_READ_DEST;
+ device->mr = rdma_get_dma_mr(device->pd, mr_roles, 0);
But, it must also follow the path of NFS and use FRMR on iWarp for
RDMA READ lkeys. This is the real quirk of iWarp, not that the MR
flags are slightly different.
>From there, it is a logical wish: If Steve is going to FRMR'ize iSER
to be acceptable security wise, I'd rather see that work done on in a
general way. Hence the API discussion.
What do you think?
Jason
next prev parent reply other threads:[~2015-07-09 22:53 UTC|newest]
Thread overview: 223+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-05 23:21 [PATCH V3 0/5] Transport-independent MRs Steve Wise
2015-07-05 23:22 ` [PATCH V3 1/5] RDMA/core: Transport-independent access flags Steve Wise
2015-07-06 5:25 ` Christoph Hellwig
2015-07-06 14:23 ` Steve Wise
2015-07-06 14:23 ` Steve Wise
2015-07-07 8:58 ` 'Christoph Hellwig'
2015-07-06 7:09 ` Haggai Eran
2015-07-06 7:09 ` Haggai Eran
2015-07-06 14:29 ` Steve Wise
2015-07-06 14:29 ` Steve Wise
2015-07-07 14:17 ` Steve Wise
2015-07-07 14:17 ` Steve Wise
2015-07-07 14:34 ` Haggai Eran
2015-07-07 14:34 ` Haggai Eran
2015-07-07 14:46 ` Steve Wise
2015-07-07 14:46 ` Steve Wise
2015-07-07 15:07 ` Haggai Eran
2015-07-07 15:07 ` Haggai Eran
2015-07-06 7:53 ` Sagi Grimberg
2015-07-06 7:53 ` Sagi Grimberg
2015-07-06 14:37 ` Steve Wise
2015-07-06 14:37 ` Steve Wise
2015-07-06 16:17 ` Sagi Grimberg
2015-07-06 16:17 ` Sagi Grimberg
2015-07-06 16:55 ` Steve Wise
2015-07-06 16:55 ` Steve Wise
2015-07-07 9:00 ` Christoph Hellwig
2015-07-07 9:14 ` Sagi Grimberg
2015-07-07 9:14 ` Sagi Grimberg
2015-07-07 14:05 ` Steve Wise
2015-07-07 14:05 ` Steve Wise
2015-07-07 16:17 ` Jason Gunthorpe
2015-07-07 16:17 ` Jason Gunthorpe
2015-07-07 16:27 ` Sagi Grimberg
2015-07-07 16:27 ` Sagi Grimberg
2015-07-07 21:36 ` Jason Gunthorpe
2015-07-07 21:36 ` Jason Gunthorpe
2015-07-08 7:29 ` Sagi Grimberg
2015-07-08 8:13 ` 'Christoph Hellwig'
2015-07-08 8:13 ` 'Christoph Hellwig'
2015-07-08 10:05 ` Sagi Grimberg
2015-07-08 10:05 ` Sagi Grimberg
2015-07-08 10:20 ` 'Christoph Hellwig'
2015-07-08 10:20 ` 'Christoph Hellwig'
2015-07-08 11:08 ` Sagi Grimberg
2015-07-08 11:08 ` Sagi Grimberg
2015-07-08 17:14 ` Hefty, Sean
2015-07-08 17:14 ` Hefty, Sean
2015-07-09 8:46 ` Sagi Grimberg
2015-07-09 13:52 ` Chuck Lever
2015-07-10 19:34 ` Christoph Hellwig
2015-07-12 7:49 ` Sagi Grimberg
2015-07-13 16:50 ` Jason Gunthorpe
2015-07-14 8:06 ` Sagi Grimberg
2015-07-14 12:24 ` Tom Talpey
2015-07-14 12:24 ` Tom Talpey
2015-07-14 13:21 ` Sagi Grimberg
2015-07-14 13:21 ` Sagi Grimberg
2015-07-23 0:43 ` Hefty, Sean
2015-07-23 0:43 ` Hefty, Sean
2015-07-08 19:08 ` Jason Gunthorpe
2015-07-08 20:32 ` 'Christoph Hellwig'
2015-07-08 20:32 ` 'Christoph Hellwig'
2015-07-08 20:37 ` 'Christoph Hellwig'
2015-07-08 20:37 ` 'Christoph Hellwig'
2015-07-09 0:03 ` Jason Gunthorpe
2015-07-09 8:00 ` 'Christoph Hellwig'
2015-07-09 8:00 ` 'Christoph Hellwig'
2015-07-09 8:58 ` Sagi Grimberg
2015-07-09 8:58 ` Sagi Grimberg
2015-07-09 22:18 ` Doug Ledford
2015-07-09 22:18 ` Doug Ledford
2015-07-09 22:53 ` Jason Gunthorpe [this message]
2015-07-09 22:53 ` Jason Gunthorpe
2015-07-10 13:22 ` Tom Talpey
2015-07-10 16:11 ` Jason Gunthorpe
2015-07-10 16:11 ` Jason Gunthorpe
2015-07-10 17:56 ` Doug Ledford
2015-07-10 18:34 ` Chuck Lever
2015-07-10 18:42 ` Tom Talpey
2015-07-10 19:54 ` Jason Gunthorpe
2015-07-10 19:54 ` Jason Gunthorpe
2015-07-10 20:48 ` Jason Gunthorpe
2015-07-10 22:33 ` Doug Ledford
2015-07-10 22:33 ` Doug Ledford
2015-07-11 10:17 ` 'Christoph Hellwig'
2015-07-11 10:17 ` 'Christoph Hellwig'
2015-07-13 16:57 ` Jason Gunthorpe
2015-07-13 16:57 ` Jason Gunthorpe
2015-07-14 7:25 ` 'Christoph Hellwig'
2015-07-14 9:05 ` Sagi Grimberg
2015-07-14 15:35 ` 'Christoph Hellwig'
2015-07-14 17:26 ` Jason Gunthorpe
2015-07-15 7:10 ` Sagi Grimberg
2015-07-15 7:10 ` Sagi Grimberg
2015-07-10 22:30 ` Doug Ledford
2015-07-10 22:30 ` Doug Ledford
2015-07-10 20:57 ` Jason Gunthorpe
2015-07-10 22:27 ` Doug Ledford
2015-07-10 22:27 ` Doug Ledford
[not found] ` <20150710233417.GA8919@obsidianresearch.com>
2015-07-11 3:10 ` Doug Ledford
2015-07-11 3:10 ` Doug Ledford
2015-07-13 17:18 ` Jason Gunthorpe
2015-07-13 17:18 ` Jason Gunthorpe
2015-07-13 22:23 ` Tom Talpey
2015-07-11 16:37 ` Steve Wise
2015-07-12 10:46 ` Sagi Grimberg
2015-07-12 10:46 ` Sagi Grimberg
2015-07-14 19:25 ` Steve Wise
2015-07-14 19:25 ` Steve Wise
2015-07-14 19:29 ` Jason Gunthorpe
2015-07-14 19:32 ` Steve Wise
2015-07-14 19:32 ` Steve Wise
2015-07-14 19:37 ` Jason Gunthorpe
2015-07-14 19:55 ` 'Christoph Hellwig'
2015-07-14 19:55 ` 'Christoph Hellwig'
2015-07-14 20:10 ` Steve Wise
2015-07-14 20:10 ` Steve Wise
2015-07-14 20:29 ` Jason Gunthorpe
2015-07-14 20:29 ` Jason Gunthorpe
2015-07-14 20:40 ` Steve Wise
2015-07-14 20:40 ` Steve Wise
2015-07-14 20:44 ` Jason Gunthorpe
2015-07-14 20:44 ` Jason Gunthorpe
2015-07-14 20:54 ` Steve Wise
2015-07-14 20:54 ` Steve Wise
2015-07-14 20:59 ` Jason Gunthorpe
2015-07-14 20:59 ` Jason Gunthorpe
2015-07-14 20:50 ` Tom Talpey
2015-07-14 20:50 ` Tom Talpey
2015-07-15 6:50 ` 'Christoph Hellwig'
2015-07-15 19:12 ` Jason Gunthorpe
2015-07-15 19:12 ` Jason Gunthorpe
2015-07-16 6:41 ` Jason Gunthorpe
2015-07-16 6:41 ` Jason Gunthorpe
2015-07-16 8:04 ` 'Christoph Hellwig'
2015-07-16 8:04 ` 'Christoph Hellwig'
2015-07-16 16:13 ` Jason Gunthorpe
2015-07-16 16:13 ` Jason Gunthorpe
2015-07-15 8:47 ` Sagi Grimberg
2015-07-15 8:47 ` Sagi Grimberg
2015-07-15 12:19 ` 'Christoph Hellwig'
2015-07-15 12:19 ` 'Christoph Hellwig'
2015-07-15 19:17 ` Jason Gunthorpe
2015-07-15 19:17 ` Jason Gunthorpe
2015-07-14 20:46 ` Tom Talpey
2015-07-14 19:45 ` 'Christoph Hellwig'
2015-07-14 19:57 ` Jason Gunthorpe
2015-07-14 19:57 ` Jason Gunthorpe
2015-07-14 19:58 ` Steve Wise
2015-07-14 19:58 ` Steve Wise
2015-07-14 20:41 ` Jason Gunthorpe
2015-07-14 20:41 ` Jason Gunthorpe
2015-07-14 20:51 ` Steve Wise
2015-07-14 20:51 ` Steve Wise
2015-07-14 21:01 ` Steve Wise
2015-07-14 21:01 ` Steve Wise
2015-07-14 21:14 ` Jason Gunthorpe
2015-07-14 21:14 ` Jason Gunthorpe
2015-07-23 18:53 ` Hefty, Sean
2015-07-23 18:53 ` Hefty, Sean
2015-07-23 19:03 ` Steve Wise
2015-07-23 19:03 ` Steve Wise
2015-07-23 23:30 ` Hefty, Sean
2015-07-23 23:30 ` Hefty, Sean
2015-07-23 23:53 ` Jason Gunthorpe
2015-07-23 23:53 ` Jason Gunthorpe
2015-07-24 0:18 ` Hefty, Sean
2015-07-24 0:18 ` Hefty, Sean
2015-07-24 4:46 ` Jason Gunthorpe
2015-07-09 8:47 ` Sagi Grimberg
2015-07-09 8:47 ` Sagi Grimberg
2015-07-08 21:38 ` Tom Talpey
2015-07-08 23:36 ` Jason Gunthorpe
2015-07-09 11:02 ` Sagi Grimberg
2015-07-09 17:01 ` Jason Gunthorpe
2015-07-09 17:01 ` Jason Gunthorpe
2015-07-09 20:00 ` Tom Talpey
2015-07-09 21:16 ` Jason Gunthorpe
[not found] ` <20150709170142.GA21921-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-07-10 8:55 ` kernel memory registration (was: RDMA/core: Transport-independent access flags) Sagi Grimberg
[not found] ` <559F8881.7070308-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
2015-07-10 16:35 ` Jason Gunthorpe
2015-07-11 10:31 ` 'Christoph Hellwig'
[not found] ` <20150711103153.GC14741-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2015-07-13 16:46 ` Jason Gunthorpe
[not found] ` <20150713164652.GC23832-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-07-14 8:24 ` kernel memory registration Sagi Grimberg
[not found] ` <55A4C73A.7080001-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
2015-07-14 17:24 ` Jason Gunthorpe
2015-07-11 10:25 ` [PATCH V3 1/5] RDMA/core: Transport-independent access flags 'Christoph Hellwig'
2015-07-13 16:35 ` Jason Gunthorpe
2015-07-13 19:36 ` Tom Talpey
2015-07-13 20:15 ` Jason Gunthorpe
2015-07-14 9:10 ` Sagi Grimberg
2015-07-14 9:10 ` Sagi Grimberg
2015-07-14 15:36 ` 'Christoph Hellwig'
2015-07-14 15:36 ` 'Christoph Hellwig'
2015-07-14 15:47 ` Tom Talpey
2015-07-14 15:47 ` Tom Talpey
2015-07-14 16:22 ` Jason Gunthorpe
2015-07-14 16:22 ` Jason Gunthorpe
2015-07-14 7:37 ` 'Christoph Hellwig'
2015-07-14 9:22 ` Sagi Grimberg
2015-07-14 12:12 ` Tom Talpey
2015-07-14 12:12 ` Tom Talpey
2015-07-14 13:23 ` Sagi Grimberg
2015-07-14 14:45 ` Steve Wise
2015-07-14 14:45 ` Steve Wise
2015-07-14 15:40 ` 'Christoph Hellwig'
2015-07-14 15:40 ` 'Christoph Hellwig'
2015-07-08 8:11 ` 'Christoph Hellwig'
2015-07-06 7:58 ` Sagi Grimberg
2015-07-06 7:58 ` Sagi Grimberg
2015-07-06 14:39 ` Steve Wise
2015-07-06 14:39 ` Steve Wise
2015-07-05 23:22 ` [PATCH V3 2/5] RDMA/iser: Use transport independent MR allocation Steve Wise
2015-07-05 23:22 ` [PATCH V3 3/5] RDMA/isert: " Steve Wise
2015-07-05 23:22 ` Steve Wise
2015-07-05 23:22 ` [PATCH V3 4/5] svcrdma: " Steve Wise
2015-07-05 23:22 ` Steve Wise
2015-07-05 23:22 ` [PATCH V3 5/5] xprtrdma: " Steve Wise
2015-07-05 23:22 ` Steve Wise
2015-07-06 5:25 ` [PATCH V3 0/5] Transport-independent MRs Christoph Hellwig
2015-07-06 5:25 ` Christoph Hellwig
2015-07-06 14:24 ` Steve Wise
2015-07-06 14:24 ` Steve Wise
2015-07-07 9:01 ` 'Christoph Hellwig'
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150709225306.GA30741@obsidianresearch.com \
--to=jgunthorpe@obsidianresearch.com \
--cc=bfields@fieldses.org \
--cc=dledford@redhat.com \
--cc=eli@mellanox.com \
--cc=hch@infradead.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=ogerlitz@mellanox.com \
--cc=oren@mellanox.com \
--cc=roid@mellanox.com \
--cc=sagig@dev.mellanox.co.il \
--cc=sagig@mellanox.com \
--cc=swise@opengridcomputing.com \
--cc=target-devel@vger.kernel.org \
--cc=trond.myklebust@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.