From: Edward Cree <ecree@solarflare.com>
To: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Cc: "Rose, Gregory V" <gregory.v.rose@intel.com>,
"Skidmore, Donald C" <donald.c.skidmore@intel.com>,
"Kirsher, Jeffrey T" <jeffrey.t.kirsher@intel.com>,
"intel-wired-lan@lists.osuosl.org"
<intel-wired-lan@lists.osuosl.org>,
"nhorman@redhat.com" <nhorman@redhat.com>,
"jogreene@redhat.com" <jogreene@redhat.com>,
"Linux Netdev List" <netdev@vger.kernel.org>,
"Choi, Sy Jong" <sy.jong.choi@intel.com>,
Rony Efraim <ronye@mellanox.com>,
David Miller <davem@davemloft.net>,
Or Gerlitz <gerlitz.or@gmail.com>,
"sassmann@redhat.com" <sassmann@redhat.com>
Subject: Re: [PATCH v5 3/3] ixgbe: Add new ndo to trust VF
Date: Wed, 27 May 2015 10:03:55 +0100 [thread overview]
Message-ID: <5565887B.5010808@solarflare.com> (raw)
In-Reply-To: <7F861DC0615E0C47A872E6F3C5FCDDBD05EB9DA7@BPXM14GP.gisp.nec.co.jp>
On 27/05/15 01:27, Hiroshi Shimamoto wrote:
>>> I think the VF shouldn't directly know whether it is trusted or not
>> That's completely irrevelant. The person administering the PF will be the person who provided trusted privileges to the
>> VF. He'll then *tell* or somehow other communicate to the person administering the VF (probably himself/herself) and
>> then proceed to execute commands on that VF that require trusted privileges.
>>
>> If the VF does not have trusted privileges then the commands to add VLAN filters, set promiscuous modes, and any other
>> privileged commands will fail.
>>
>> Let's not get too fancy with this. It's simple - the host VMM admin provides trusted privileges to the VF. The person
>> administering the VF (if in fact it is not the same person, it usually will be) will proceed to do things that require
>> VF trusted privileges.
> Now I think that it's better to have an interface between PF and VF to know the VF is trusted.
> Otherwise VM cannot know whether its VF is trusted, that prevents automatic operations.
I don't think this is right. The approach to VF trust/permissions issues we took in sfc (and that I'd recommend following) was that all drivers will always _attempt_ actions on the assumption they have privilege, then if they in fact don't, they get an EPERM (either from the firmware or from some proxy in the PF driver) and they deal with that appropriately.
So in this case the VF would say "I have more than 30 mcast addrs, I need promisc", it would try to set promisc, the PF would decide "it's not trusted, Denied" and the VF would get an EPERM back. At which point the VF would presumably insert as many mcast addresses as it could and warn that it hadn't got them all (or, if the whole thing was triggered by adding a new mcast addr, it might be able to pass EPERM back to whoever requested it).
Then if the VF's privilege is changed, VFLR it so that it re-does all of its setup this time subject to the new permissions. (Alternatively, if the privilege is strictly increased, you can choose not to do this and instead the VF driver may be told from userspace to re-do the relevant setup, in which case traffic interruption may be able to be avoided.)
The advantage of this model is that the VF driver doesn't have to know what permissions different operations require; that knowledge can live in one place only (in our case the firmware, in your case it sounds like the PF driver) allowing the policy to be changed without problems with version skew.
The disadvantages are that the amount of control-plane traffic is increased (try, fail, try something else), and reinitialisation on privilege change may cause traffic interruption. But the former isn't a worry since the control plane traffic volume is so small. The latter would still have to happen on privilege decrease in any case, as Greg stated.
next prev parent reply other threads:[~2015-05-27 9:04 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-20 0:06 [PATCH v5 3/3] ixgbe: Add new ndo to trust VF Hiroshi Shimamoto
2015-05-20 18:14 ` Skidmore, Donald C
2015-05-21 4:12 ` Hiroshi Shimamoto
2015-05-21 17:08 ` Skidmore, Donald C
2015-05-22 2:31 ` Hiroshi Shimamoto
2015-05-22 15:07 ` Rose, Gregory V
2015-05-22 17:51 ` Skidmore, Donald C
2015-05-26 0:59 ` Hiroshi Shimamoto
2015-05-26 17:45 ` Skidmore, Donald C
2015-05-26 18:03 ` Rose, Gregory V
2015-05-27 0:27 ` Hiroshi Shimamoto
2015-05-27 2:00 ` Rose, Gregory V
2015-05-27 16:00 ` Skidmore, Donald C
2015-05-27 16:19 ` Rose, Gregory V
2015-06-15 10:39 ` Hiroshi Shimamoto
2015-05-27 9:03 ` Edward Cree [this message]
2015-05-27 15:34 ` Skidmore, Donald C
2015-05-27 15:55 ` Rose, Gregory V
2015-05-27 17:04 ` Edward Cree
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5565887B.5010808@solarflare.com \
--to=ecree@solarflare.com \
--cc=davem@davemloft.net \
--cc=donald.c.skidmore@intel.com \
--cc=gerlitz.or@gmail.com \
--cc=gregory.v.rose@intel.com \
--cc=h-shimamoto@ct.jp.nec.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jeffrey.t.kirsher@intel.com \
--cc=jogreene@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@redhat.com \
--cc=ronye@mellanox.com \
--cc=sassmann@redhat.com \
--cc=sy.jong.choi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).