From: Jason Gunthorpe <jgg@nvidia.com>
To: "Tian, Kevin" <kevin.tian@intel.com>
Cc: "yishaih@nvidia.com" <yishaih@nvidia.com>,
"brett.creeley@amd.com" <brett.creeley@amd.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"Cao, Yahui" <yahui.cao@intel.com>,
"edumazet@google.com" <edumazet@google.com>,
"shameerali.kolothum.thodi@huawei.com"
<shameerali.kolothum.thodi@huawei.com>,
"alex.williamson@redhat.com" <alex.williamson@redhat.com>,
"Chittim, Madhu" <madhu.chittim@intel.com>,
"intel-wired-lan@lists.osuosl.org"
<intel-wired-lan@lists.osuosl.org>,
"Samudrala, Sridhar" <sridhar.samudrala@intel.com>,
"kuba@kernel.org" <kuba@kernel.org>,
"pabeni@redhat.com" <pabeni@redhat.com>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: [Intel-wired-lan] [PATCH iwl-next v4 09/12] ice: Save and load TX Queue head
Date: Thu, 7 Dec 2023 10:48:07 -0400
Message-ID: <20231207144807.GL2692119@nvidia.com>
In-Reply-To: <BN9PR11MB52766AECA2168F37AEF6995D8C8BA@BN9PR11MB5276.namprd11.prod.outlook.com>

On Thu, Dec 07, 2023 at 08:22:53AM +0000, Tian, Kevin wrote:
> > In virtual channel model, VF driver only sends TX queue ring base and
> > length info to PF, while the rest of the TX queue context is managed by PF.
> > TX queue length must be verified by PF during virtual channel message
> > processing. When PF uses dummy descriptors to advance TX head, it will
> > configure the TX ring base as the new address managed by PF itself. As a
> > result, all of the TX queue context is taken control of by PF and this
> > method won't generate any attacking vulnerability
>
> So basically the key points are:
>
> 1) TX queue head cannot be directly updated via VF mmio interface;
> 2) Using dummy descriptors to update TX queue head is possible but it
> must be done in PF's context;
> 3) FW provides a way to keep TX queue head intact when moving
> the TX queue ownership between VF and PF;
> 4) the TX queue context affected by the ownership change is largely
> initialized by the PF driver already, except ring base/size coming from
> virtual channel messages. This implies that a malicious guest VF driver
> cannot attack this small window though the tx head restore is done
> after all the VF state is restored;
> 5) and a missing point is that the temporary owner change doesn't
> expose the TX queue to the software stack on top of the PF driver
> otherwise that would be a severe issue.
This matches my impression of these patches. It is convoluted but the
explanation sounds fine, and if Intel has done an internal security
review then I have no issue.
Jason
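
Added example, not part of the original message or of the ice patches: a simplified C model of the trust boundary discussed above, in which the PF validates the two VF-supplied fields and restores a saved TX head while the queue points at a PF-owned dummy ring. All struct, function and constant names and the limit values are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed limits for this sketch; not taken from the ice driver. */
#define RING_MIN  64u
#define RING_MAX  8160u
#define RING_MULT 32u

struct txq_ctx {             /* simplified, hypothetical TX queue context */
    uint64_t base;           /* ring base address currently programmed */
    uint64_t fetched_from;   /* base the modelled HW last fetched from */
    uint16_t len;            /* ring length in descriptors */
    uint16_t head;           /* moves only when HW consumes a descriptor */
    bool     pf_owned;
};

/* The only two fields the VF supplies over the virtual channel. */
struct vf_txq_msg { uint64_t base; uint16_t len; };

/* PF-side handling of the VF's queue config: reject a bad ring length. */
int pf_cfg_txq(struct txq_ctx *q, const struct vf_txq_msg *m)
{
    if (m->len < RING_MIN || m->len > RING_MAX || m->len % RING_MULT)
        return -1;
    q->base = m->base;
    q->len = m->len;
    q->head = 0;
    q->pf_owned = false;
    return 0;
}

/* Restore a saved head: program a PF-owned dummy ring, let the modelled HW
 * consume dummy descriptors up to saved_head, then hand the queue back.
 * saved_head comes from migration data, so it is bounds-checked as well. */
int pf_restore_head(struct txq_ctx *q, uint64_t pf_dummy_base, uint16_t saved_head)
{
    uint64_t vf_base = q->base;

    if (q->len == 0 || saved_head >= q->len)
        return -1;
    q->pf_owned = true;
    q->base = pf_dummy_base;           /* VF memory is not used in this window */
    while (q->head != saved_head) {
        q->fetched_from = q->base;     /* descriptor fetch from PF memory */
        q->head = (uint16_t)((q->head + 1) % q->len);
    }
    q->base = vf_base;
    q->pf_owned = false;
    return 0;
}
```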