From: Jerin Jacob
Date: Tue, 8 Oct 2019 20:58:27 +0530
To: Stephen Hemminger
Cc: Vamsi Attunuru, dpdk-dev, thomas@monjalon.net, jerinj@marvell.com
Subject: Re: [dpdk-dev] [PATCH v1 1/1] kernel/linux: introduce vfio_pf kernel module
References: <20190906091230.13923-1-vattunuru@marvell.com> <20191008081244.425551a0@hermes.lan>
In-Reply-To: <20191008081244.425551a0@hermes.lan>
List-Id: DPDK patches and discussions

On Tue, 8 Oct, 2019, 8:42 PM Stephen Hemminger, wrote:

> On Fri, 6 Sep 2019 14:42:30 +0530
> wrote:
>
> > From: Vamsi Attunuru
> >
> > The DPDK use case such as VF representer or OVS offload etc
> > would call for PF and VF PCIe devices to bind vfio-pci
> > module to enable IOMMU protection.
> >
> > In addition to vSwitch use case, unlike, other PCI class of
> > devices, Network class of PCIe devices would have additional
> > responsibility on the PF devices such as promiscuous mode support
> > etc.
> >
> > The above use cases demand VFIO needs bound to PF and its
> > VF devices. This use case is not supported in Linux kernel,
> > due to a security issue where it is possible to have
> > DoS in case if VF attached to guest over vfio-pci and netdev
> > kernel driver runs on it and which something VF representer
> > would like to enable it.
> >
> > Since we can not differentiate, the vfio-pci bounded VF devices
> > runs DPDK application or netdev driver in guest, we can not
> > introduce any scheme to fix DoS case and therefore not have
> > proper support of this in the upstream kernel.
> >
> > The igb_uio enables such PF and VF binding support for
> > non-iommu devices to make VF representer or OVS offload
> > run on non-iommu devices with DoS vulnerability for netdev driver
> > as VF.
> >
> > This kernel module, facilitate to enable SRIOV on PF devices,
> > therefore, to run both PF and VF devices in VFIO mode knowing
> > its impacts like igb_uio driver functions of non-iommu devices.
> >
> > Signed-off-by: Vamsi Attunuru
> > Signed-off-by: Jerin Jacob
>
> NAK
> Having kernel drivers not in upstream kernel is a long term
> maintenance and security risk. Please work with upstream kernel
> developers to get this merged there.
>

There is a security issue in attaching DPDK PF driver and netdev bind to VF. So this scheme is not upstreamable to Linux kernel.

Since rte_flow had VF action, we need this scheme to support VF action with VFIO. So, out of tree is the only way as it is DPDK specific feature. Already sent patches to Linux kernel, it makes sense to not accept this in upstream.

We are already exposing such features through igb-uio for non VFIO device. IMO, there should not be any disparity between igb-uio and VFIO in DPDK. If we are against out of tree module, let's remove igb-uio as well. We can't have different treatment for similar issues.
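
Added example, not part of the thread or of the proposed module: a host-side audit for the configuration the commit message describes, a PF owned by a userspace driver (vfio-pci or igb_uio, the names used above) with SR-IOV VFs enabled. It assumes the standard Linux sysfs SR-IOV attributes (sriov_numvfs, virtfnN, driver); audit_sriov and the result keys are names chosen here.

```python
import os

# Driver names taken from the thread; extend for other userspace I/O drivers.
USERSPACE_DRIVERS = {"vfio-pci", "igb_uio"}

def _driver(dev_path):
    """Name of the driver bound to a PCI device, or None if unbound."""
    link = os.path.join(dev_path, "driver")
    return os.path.basename(os.readlink(link)) if os.path.islink(link) else None

def audit_sriov(sysfs_root="/sys/bus/pci/devices"):
    """Report PFs bound to a userspace driver that have VFs enabled.

    For each such PF the VFs are split into those bound to a kernel driver
    on the host and those bound to a userspace driver. As the commit message
    notes, the host cannot tell what consumes a vfio-pci bound VF (a DPDK
    application or a netdev driver in a guest), so the second group needs
    manual review.
    """
    findings = []
    for bdf in sorted(os.listdir(sysfs_root)):
        pf = os.path.join(sysfs_root, bdf)
        try:
            with open(os.path.join(pf, "sriov_numvfs")) as f:
                numvfs = int(f.read().strip())
        except (OSError, ValueError):
            continue  # no SR-IOV attribute: a VF or a non-SR-IOV device
        pf_drv = _driver(pf)
        if numvfs == 0 or pf_drv not in USERSPACE_DRIVERS:
            continue
        vfs = {}
        for entry in sorted(os.listdir(pf)):
            if entry.startswith("virtfn"):  # symlink from the PF to each VF
                vf_path = os.path.realpath(os.path.join(pf, entry))
                vfs[os.path.basename(vf_path)] = _driver(vf_path)
        findings.append({
            "pf": bdf,
            "pf_driver": pf_drv,
            "kernel_driver_vfs": sorted(
                v for v, d in vfs.items() if d and d not in USERSPACE_DRIVERS),
            "passthrough_vfs": sorted(
                v for v, d in vfs.items() if d in USERSPACE_DRIVERS),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_sriov():
        print(finding)
```
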