From: Stephen Hemminger <stephen@networkplumber.org>
To: fengchengwen <fengchengwen@huawei.com>
Cc: Olivier Matz <olivier.matz@6wind.com>, <dev@dpdk.org>,
	Thomas Monjalon <thomas@monjalon.net>,
	Ferruh Yigit <ferruh.yigit@xilinx.com>,
	"lihuisong@huawei.com" <lihuisong@huawei.com>
Subject: Re: Minutes of Technical Board Meeting, 2022-06-01
Date: Wed, 8 Jun 2022 19:30:50 -0700
Message-ID: <20220608193050.589a5701@hermes.local>
In-Reply-To: <15e07c9f-e1ba-a789-0ef3-c8d8e1d820c0@huawei.com>

On Thu, 9 Jun 2022 10:07:28 +0800
fengchengwen <fengchengwen@huawei.com> wrote:

> On 2022/6/9 9:31, Stephen Hemminger wrote:
> > On Thu, 9 Jun 2022 08:41:35 +0800
> > fengchengwen <fengchengwen@huawei.com> wrote:
> >   
> >> [snip]
> >>  
> >>>
> >>> 4) Removal of KNI
> >>> -----------------
> >>>
> >>> There is no more maintainer for KNI.
> >>>
> >>> A progressive removal proposal was made:
> >>> - add a message at runtime and/or compilation to announce deprecation
> >>> - remove KNI example after 22.11
> >>> - remove lib + kmod from main repo for 23.11    
> >>
> >> We still use KNI in some business scenarios, and we want to maintain it in this case.  
> > 
> > 
> > Why?  
> 
> The KNI module can be used in the following scenarios: when the PF is taken over by the DPDK,
> some traffic needs to be transmitted through the kernel protocol stack. We did have this
> application scenario.
> 
> If we do not proactively maintain the KNI, security risks may occur, and this is our starting point.

What is wrong with TAP or virtio user for your application?

KNI already is a security risk; it implicitly trusts userspace.

> 
> >   
> >>
> >> I recommend Huisong Li (lihuisong@huawei.com) as the new maintainer of the KNI.
> >>
> >> He has been involved in the community for several years and submitted some
> >> bugfix patches of KNI.  
> > 
> > KNI has several unfixable architectural issues.  
> 
> Could you show detail on this?

The fact that KNI calls user mode holding the RTNL mutex is only one of many
places where KNI trusts user space.

> > It would never pass a full upstream kernel review.
> > 
> > I hope you realize the security impacts of this.  
> 
> Is there another option to act like KNI role?

Virtio user has been used as a better alternative. Bruce has recently taken
on providing more documentation to make the transition easier.

One other option is you are free to take KNI on as a project that is maintained
in parallel with DPDK (like TREX and some other packages).

