linux-kernel.vger.kernel.org archive mirror
From: Jakub Kicinski <kuba@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Andy Gospodarek <andrew.gospodarek@broadcom.com>,
	Christoph Hellwig <hch@infradead.org>,
	Saeed Mahameed <saeed@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Leon Romanovsky <leonro@nvidia.com>, Jiri Pirko <jiri@nvidia.com>,
	Leonid Bloch <lbloch@nvidia.com>,
	Itay Avraham <itayavr@nvidia.com>,
	Saeed Mahameed <saeedm@nvidia.com>,
	David Ahern <dsahern@kernel.org>,
	Aron Silverton <aron.silverton@oracle.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH V4 0/5] mlx5 ConnectX control misc driver
Date: Thu, 15 Feb 2024 17:40:34 -0800	[thread overview]
Message-ID: <20240215174034.34817c31@kernel.org> (raw)
In-Reply-To: <20240214183755.GH1088888@nvidia.com>

On Wed, 14 Feb 2024 14:37:55 -0400 Jason Gunthorpe wrote:
> On Wed, Feb 14, 2024 at 10:11:26AM -0800, Jakub Kicinski wrote:
> > On Wed, 14 Feb 2024 13:57:35 -0400 Jason Gunthorpe wrote:  
> > > There is a clear split in my mind between:
> > >  - inspection debugging
> > >  - invasive mutating debugging
> > >  - configuration  
> > 
> > Yes there's a clear split, and how are you going to enforce it on 
> > an opaque interface? Put an "evil" bit in the common header?  
> 
> The interface is opaque through a subsystem, it doesn't mean it is
> completely opaque to every driver layer in the kernel. There is still a
> HW specific kernel driver that delivers the FW command to the actual
> HW.
> 
> In the mlx5 model the kernel driver stamps the command with "uid"
> which is effectively a security scope label. This cannot be avoided by
> userspace and is fundamental to why mlx5ctl is secure in a lockdown
> kernel.
> 
> For example mlx5's FW interface has the concept of security scopes. We
> have several defined today:
>  - Kernel
>  - Userspace rdma
>  - Userspace rdma with CAP_NET_RAW
>  - Userspace rdma with CAP_SYS_RAWIO
> 
> So we trivially add three more for the scopes I listed above. The
> mlx5ctl driver as posted already introduced a new scope, for example.
> 
> Userspace will ask the kernel for an appropriate security scope after
> opening the char-device. If userspace asks for invasive then you get a
> taint. Issuing an invasive command without a kernel applied invasive
> security label will be rejected by the FW.
> 
> We trust the kernel to apply the security label for the origin of the
> command. We trust the device FW to implement security scopes,
> because these are RDMA devices and all of RDMA and all of SRIOV
> virtualization are totally broken if the device FW cannot be trusted
> to maintain security separation between scopes.

You have changed the argument.

The problem Andy was raising is that users having access to low level
configuration will make it impossible for distro's support to tell
device configuration. There won't be any trace of activity at the OS
level.

To which you replied that you can differentiate between debugging and
configuration on an opaque interface, _in the kernel_.

Which I disagree with, obviously.

And now you're saying that you can maintain security if you trust 
the firmware to enforce some rules.

I'm not talking about security here, the evil bit is just an example
of an unsound design.
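The design Jason describes above (kernel stamps every command with a scope label that userspace cannot set, the device firmware enforces the label, and an invasive grant taints the kernel) can be modelled in a few dozen lines. The block below is an added illustration for readers of this thread; it is not code from mlx5ctl, from the mlx5 driver, or from the thread. The scope bits, opcodes, struct layouts and function names are all constructed for the model and are not firmware or driver identifiers. It shows the two properties the argument turns on: a uid supplied by userspace is discarded before the command reaches the (modelled) firmware, and the firmware decides on the label alone, so an invasive command from an inspect-only file is rejected while the same command after an invasive grant is accepted and leaves a taint as its OS-level trace.

```c
/* Model of "kernel stamps the scope label, firmware enforces it".
 * All names, scope bits and opcodes are constructed for this example;
 * none are mlx5/mlx5ctl identifiers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SCOPE_INSPECT  0x1u  /* read-only debugging */
#define SCOPE_INVASIVE 0x2u  /* mutating debugging; grant taints the kernel */
#define SCOPE_CONFIG   0x4u  /* persistent device configuration */

/* What userspace hands to the driver. It may put anything in .uid;
 * the driver never forwards that value. */
struct user_cmd {
    uint32_t opcode;
    uint32_t uid;   /* ignored: demonstrates the label is not user-controlled */
};

/* What reaches the modelled firmware. */
struct fw_cmd {
    uint32_t opcode;
    uint32_t uid;   /* scope label, written only by the kernel */
};

/* Per-open-file state kept by the driver. */
struct ctl_file {
    uint32_t granted;   /* scope bits the kernel granted this file */
};

static bool kernel_tainted;  /* stands in for the kernel's taint flag */

/* Modelled firmware policy: the scope each opcode requires. */
static uint32_t fw_required_scope(uint32_t opcode)
{
    switch (opcode) {
    case 0x100: return SCOPE_INSPECT;   /* constructed: read a register */
    case 0x200: return SCOPE_INVASIVE;  /* constructed: poke device state */
    case 0x300: return SCOPE_CONFIG;    /* constructed: change persistent config */
    default:    return 0xffffffffu;     /* unknown opcode: no label satisfies it */
    }
}

/* Step 1: after open(), userspace asks for a scope set; the kernel decides.
 * Returns 0 on success, -1 if the request is refused. */
int ctl_request_scope(struct ctl_file *f, uint32_t wanted, bool has_cap_sys_rawio)
{
    if (wanted & ~(SCOPE_INSPECT | SCOPE_INVASIVE | SCOPE_CONFIG))
        return -1;                         /* unknown scope bits */
    if ((wanted & ~SCOPE_INSPECT) && !has_cap_sys_rawio)
        return -1;                         /* only inspection is unprivileged here */
    if (wanted & SCOPE_INVASIVE)
        kernel_tainted = true;             /* the OS-level trace of invasive use */
    f->granted = wanted;
    return 0;
}

/* Step 2: the driver stamps the label; the user-supplied uid is discarded. */
struct fw_cmd ctl_stamp(const struct ctl_file *f, const struct user_cmd *u)
{
    struct fw_cmd c = { .opcode = u->opcode, .uid = f->granted };
    return c;
}

/* Step 3: the modelled firmware checks the label, not the requester. */
bool fw_accepts(const struct fw_cmd *c)
{
    uint32_t need = fw_required_scope(c->opcode);
    return (c->uid & need) == need;
}

/* End to end: true if the modelled firmware would execute the command. */
bool ctl_submit(const struct ctl_file *f, const struct user_cmd *u)
{
    struct fw_cmd c = ctl_stamp(f, u);
    return fw_accepts(&c);
}

bool ctl_is_tainted(void) { return kernel_tainted; }

int main(void)
{
    struct ctl_file f = { 0 };
    /* Userspace claims the invasive scope in the command itself. */
    struct user_cmd forged = { .opcode = 0x200, .uid = SCOPE_INVASIVE };

    ctl_request_scope(&f, SCOPE_INSPECT, false);
    printf("inspect-only file, forged uid: %s\n",
           ctl_submit(&f, &forged) ? "accepted" : "rejected");

    ctl_request_scope(&f, SCOPE_INSPECT | SCOPE_INVASIVE, true);
    printf("after invasive grant: %s, tainted=%d\n",
           ctl_submit(&f, &forged) ? "accepted" : "rejected",
           ctl_is_tainted() ? 1 : 0);
    return 0;
}
```

The model deliberately keeps the three scopes as independent bits rather than a privilege ladder, matching the list in the quoted mail; a configuration opcode is therefore still refused on a file that only holds inspect and invasive grants. Whether the firmware actually honours the label is, as the thread notes, a trust assumption about the device rather than something the kernel can verify.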
