From: "Pavel Machek" <pavel@ucw.cz>
To: cip-dev@lists.cip-project.org
Cc: masashi.kudo@cybertrust.co.jp
Subject: Re: [cip-dev] FW: Needs of security patches on reference platforms
Date: Wed, 3 Jun 2020 17:21:51 +0200
Message-ID: <20200603152151.GA16550@amd>
In-Reply-To: <e6529e13-4bb7-1105-9bc8-f84bc0b3132f@siemens.com>
Hi!
> > At the IRC meeting (May 14th), the following two security patches were discussed.
> >
> > a. CVE related to KVM SVM on x86,
> > b. XDP sockets enabled for Cyclone V
> >
> > They were recently ported to upstream, and we would like to decide whether they should be backported to CIP or not.
>
> Why did stable not pick them up? Because they require active backporting
> work to make them apply?
Yes, IIRC.
> > Regarding a., SVM is for AMD CPUs only, so it might not actually be used.
> > If it is the case, we would like to ignore this patch.
>
> In general, KVM on AMD was surely a niche over the past years. Since
> Ryzen, this changed again, also for embedded.
>
> That said, I'm not aware of active use on our side at this point, but I
> may not have the full overview, and I can't speak for other members.
>
> >
> > Regarding b., XDP (express data path) is used for network intensive workloads to bypass certain parts of the network stack. So, it may be used by big tech / web stuff, not embedded.
>
> XDP plays an essential role in deterministic networking, thus is
> absolutely an embedded thing as well. But that usually goes along with
> TSN, though it may not be limited to it.
Ok, good to know.

So... there are a few reasons why it is important to know what is in use
or not:

1) If we see a patch in stable, how much effort should be spent
reviewing it?

2) If we see a bad bug (probably CVE) that needs a backport, should we
backport this one? (or wait for someone else to do the work?)

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html