Re: [PATCH v4 1/2] Import CBOR library

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

On Wed, Oct 11, 2023 at 11:48:43PM +0300, Petre Eftime wrote:
> On Wed, Oct 11, 2023 at 8:46 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Wed, Oct 11, 2023 at 02:24:48PM +0200, Arnd Bergmann wrote:
> > > On Tue, Oct 10, 2023, at 10:27, Greg Kroah-Hartman wrote:
> > > > On Tue, Oct 10, 2023 at 10:08:43AM +0200, Alexander Graf wrote:
> > > >> On 10.10.23 10:03, Greg Kroah-Hartman wrote:
> > > >>
> > > >> > > Out of these, the NSM communication protocol uses all except Semantic tags
> > > >> > > and Floats. The CBOR library that this patch imports does not have special
> > > >> > > handling for Semantic tags, which leaves only floats which are already
> > > >> > > #ifdef'ed out. That means there is not much to trim.
> > > >> > >
> > > >> > > What you see here is what's needed to parse CBOR in kernel - if that's what
> > > >> > > we want to do. I'm happy to rip it out again and make it a pure user space
> > > >> > > problem to do CBOR :).
> > > >> > Yes, why are we parsing this in the kernel?  What could go wrong with
> > > >> > adding yet-another-parser in privileged context?  :)
> > > >> >
> > > >> > Why does this have to be in the kernel, the data sent/recieved is over
> > > >> > virtio, so why does the kernel have to parse it?  I couldn't figure that
> > > >> > out from the driver, yet the driver seems to have a lot of hard-coded
> > > >> > parsing logic in it to assume specific message formats?
> > > >>
> > > >>
> > > >> The parsing doesn't have to be in kernel and it probably shouldn't be
> > > >> either. V3 of the patch was punting all the parsing to user space, at which
> > > >> point you and Arnd said I should give it a try to do the protocol parsing in
> > > >> kernel space instead. That's why the parser is here.
> > > >
> > > > Arnd said that, not me :)
> > > >
> > > >> If we conclude that all this in-kernel parsing is not worth it, I'm very
> > > >> happy to just go back to the the v3 ioctl interface and post v5 with hwrng
> > > >> merged into misc, but remove all CBOR logic again :)
> > > >
> > > > I think the less parsers we have in the kernel, the safer we are for
> > > > obvious reasons.  Unless you have a parser for this in rust?  :)
> > > >
> > > > I don't really know, having a generic interface is good, but at the
> > > > expense of this api is probably not good.  individual ioctls might be
> > > > better if there are not going to be any other drivers for this type of
> > > > thing?
> > >
> > > I was definitely expecting something simpler than what was possible
> > > in the v4 patch. I had another look now, and it's clear that the
> > > ioctl interface is still not great because the variable data structures
> > > shine through for some of the calls, and even to get to this point,
> > > a whole lot of complexity is required underneath.
> > >
> > > To get anything better, one would probably have to redesign the entire
> > > interface stack (hypervisor, kernel and userland) to use regular
> > > fixed data structures, and this seems unlikely to happen.
> >
> > Why not fix this and do it properly?  What's preventing that from
> > happening?  We don't want to create an interface here that is broken, or
> > insecure, or a pain to maintain, right?
> >
> > thanks,
> >
> > greg k-h
> 
> I would think the proposal to have fixed structures would be a
> downgrade in terms of maintainability, usability and security, not an
> improvement.
> 
> This current interface allows the hypervisor to extend the existing
> functionality at any time, and the Linux kernel does not have to
> change anything for that to work, the application does not have to be
> recompiled to use the new kernel headers at any point. Adding new
> APIs, adding new fields to API responses, or adding optional
> parameters to the API is fully backwards compatible, would also not
> require changes in userspace, as the CBOR data structures that are not
> recognized can simply be skipped. This allows easy backwards
> compatibility in most cases, and the userspace would be able to opt in
> to new features only if it requires them, without forcing the upgrade
> if it's not required.
> 
> With fixed structures, then the driver would need to be more
> explicitly versioned and would need to be able to handle multiple
> versions of the API at the same time, which is both more complex, less
> flexible and more prone to errors.

Yes, but you are trading off the complexity of adding
yet-another-protocol-parser to the kernel vs. making a strict
user/kernel api, right?

Which one is correct?  Can you verify that this parser really is correct
and doesn't have any overflows/security issues in it?  I can't, maybe
someone needs to write it in rust :)

thanks,

greg k-h