From: Stephen Hemminger <stephen@networkplumber.org>
To: fengchengwen <fengchengwen@huawei.com>
Cc: Olivier Matz <olivier.matz@6wind.com>, <dev@dpdk.org>,
Thomas Monjalon <thomas@monjalon.net>,
Ferruh Yigit <ferruh.yigit@xilinx.com>,
"lihuisong@huawei.com" <lihuisong@huawei.com>
Subject: Re: Minutes of Technical Board Meeting, 2022-06-01
Date: Wed, 8 Jun 2022 19:30:50 -0700
Message-ID: <20220608193050.589a5701@hermes.local>
In-Reply-To: <15e07c9f-e1ba-a789-0ef3-c8d8e1d820c0@huawei.com>

On Thu, 9 Jun 2022 10:07:28 +0800
fengchengwen <fengchengwen@huawei.com> wrote:
> On 2022/6/9 9:31, Stephen Hemminger wrote:
> > On Thu, 9 Jun 2022 08:41:35 +0800
> > fengchengwen <fengchengwen@huawei.com> wrote:
> >
> >> [snip]
> >>
> >>>
> >>> 4) Removal of KNI
> >>> -----------------
> >>>
> >>> There is no more maintainer for KNI.
> >>>
> >>> A progressive removal proposal was made:
> >>> - add a message at runtime and/or compilation to announce deprecation
> >>> - remove KNI example after 22.11
> >>> - remove lib + kmod from main repo for 23.11
> >>
> >> We still use KNI in some business scenarios, and we want to maintain it in this case.
> >
> >
> > Why?
>
> The KNI module can be used in the following scenarios: when the PF is taken over by the DPDK,
> some traffic needs to be transmitted through the kernel protocol stack, we did have this
> application scenario.
>
> If we do not proactively maintain the KNI, security risks may occur, and this is our starting point.

What is wrong with TAP or virtio user for your application?
KNI already is a security risk, it implicitly trusts userspace.

>
> >
> >>
> >> I recommend Huisong Li (lihuisong@huawei.com) as the new maintainer of the KNI.
> >>
> >> He has been involved in the community for several years and submitted some
> >> bugfix patches of KNI.
> >
> > KNI has several unfixable architectural issues.
>
> Could you show detail on this?

The fact that KNI calls user mode holding the RTNL mutex is only one of many
places where KNI trusts user space.

> > It would never pass a full upstream kernel review.
> >
> > I hope you realize the security impacts of this.
>
> Is there another option to act like KNI role?

Virtio user has been used as a better alternative. Bruce has recently taken
on providing more documentation to make the transition easier.

One other option is you are free to take KNI on as a project that is maintained
in parallel with DPDK (like TREX and some other packages).