From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Gunthorpe
Subject: Re: [for-next 4/6] net/mlx5: FPGA, Add basic support for Innova
Date: Mon, 12 Jun 2017 10:17:46 -0600
Message-ID: <20170612161746.GC24829@obsidianresearch.com>
References: <20170605151724.GA20182@obsidianresearch.com>
 <20170606161709.GA8671@obsidianresearch.com>
 <20170607154858.GA30124@obsidianresearch.com>
 <20170607192132.GA10929@obsidianresearch.com>
 <1497047041.7171.234.camel@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Doug Ledford, Saeed Mahameed, Ilan Tayari, Alexei Starovoitov,
 "David S. Miller", "netdev@vger.kernel.org",
 "linux-rdma@vger.kernel.org", "jsorensen@fb.com", Andy Shevchenko,
 "linux-fpga@vger.kernel.org", Alan Tull, "yi1.li@linux.intel.com",
 Boris Pismenny
To: Majd Dibbiny
Return-path:
Received: from quartz.orcorp.ca ([184.70.90.242]:38515 "EHLO quartz.orcorp.ca"
 rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
 id S1752740AbdFLQRv (ORCPT ); Mon, 12 Jun 2017 12:17:51 -0400
Content-Disposition: inline
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

On Sat, Jun 10, 2017 at 02:11:13PM +0000, Majd Dibbiny wrote:

> >> This is especially true for mlx nics as there are many raw packet
> >> bypass mechanisms available to userspace.

> All of the Raw packet bypass mechanisms are restricted to
> CAP_NET_RAW, and thus malicious users can't simply open a RAW Packet
> QP and send it to the FPGA..

It is a big expansion of CAP_NET_RAW to basically also include
reconfiguring ipsec xfrm.

Plus, if someone configures ethernet bridging (e.g. in a VM situation)
then could a hacked VM reconfigure this FPGA?

Jason