From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wenzhuo Lu Subject: [PATCH v3] doc: Malicious Driver Detection not supported by ixgbe Date: Mon, 7 Mar 2016 13:28:10 +0800 Message-ID: <1457328490-31449-1-git-send-email-wenzhuo.lu@intel.com> References: <1456291984-7309-1-git-send-email-wenzhuo.lu@intel.com> To: dev@dpdk.org Return-path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id EFBBF2C22 for ; Mon, 7 Mar 2016 06:28:17 +0100 (CET) In-Reply-To: <1456291984-7309-1-git-send-email-wenzhuo.lu@intel.com> List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Announce that Malicious Driver Detection is not supported. v2: - Rework the words. v3: - Remove the duplicate info in the release note. - Create a new section for this description. Signed-off-by: Wenzhuo Lu Acked-by: Shaopeng He intel.com> --- doc/guides/nics/ixgbe.rst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/guides/nics/ixgbe.rst b/doc/guides/nics/ixgbe.rst index 8cae299..0ee4ebc 100644 --- a/doc/guides/nics/ixgbe.rst +++ b/doc/guides/nics/ixgbe.rst @@ -178,3 +178,24 @@ load_balancer As in the case of l3fwd, set configure port_conf.rxmode.hw_ip_checksum=0 to enable vPMD. In addition, for improved performance, use -bsz "(32,32),(64,64),(32,32)" in load_balancer to avoid using the default burst size of 144. + + +Malicious Driver Detection not Supported +---------------------------------------- + +The Intel x550 series NICs support a feature called MDD (Malcicious +Driver Detection) which checks the behavior of the VF driver. +If this feature is enabled, the VF must use the advanced context descriptor +correctly and set the CC (Check Context) bit. +DPDK PF doesn't support MDD, but kernel PF does. We may hit problem in this +scenario kernel PF + DPDK VF. If user enables MDD in kernel PF, DPDK VF will +not work. Because kernel PF thinks the VF is malicious. But actually it's not. +The only reason is the VF doesn't act as MDD required. +There's significant performance impact to support MDD. DPDK should check if +the advanced context descriptor should be set and set it. And DPDK has to ask +the info about the header length from the upper layer, because parsing the +packet itself is not acceptale. So, it's too expensive to support MDD. +When using kernel PF + DPDK VF on x550, please make sure using the kernel +driver that disables MDD or can disable MDD. (Some kernel driver can use +this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disables +it by default.) -- 1.9.3