From: Vlad Zolotarov <vladz@cloudius-systems.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] Having troubles binding an SR-IOV VF to uio_pci_generic on Amazon instance
Date: Wed, 30 Sep 2015 14:26:01 +0300 [thread overview]
Message-ID: <560BC6C9.4020505@cloudius-systems.com> (raw)
In-Reply-To: <20150930134533-mutt-send-email-mst@redhat.com>
On 09/30/15 13:58, Michael S. Tsirkin wrote:
> On Wed, Sep 30, 2015 at 01:37:22PM +0300, Vlad Zolotarov wrote:
>>
>> On 09/30/15 00:49, Michael S. Tsirkin wrote:
>>> On Tue, Sep 29, 2015 at 02:46:16PM -0700, Stephen Hemminger wrote:
>>>> On Tue, 29 Sep 2015 23:54:54 +0300
>>>> "Michael S. Tsirkin" <mst@redhat.com> wrote:
>>>>
>>>>> On Tue, Sep 29, 2015 at 07:41:09PM +0300, Vlad Zolotarov wrote:
>>>>>> The security breach motivation u brought in "[RFC PATCH] uio:
>>>>>> uio_pci_generic: Add support for MSI interrupts" thread seems a bit weak
>>>>>> since one u let the userland access to the bar it may do any funny thing
>>>>>> using the DMA engine of the device. This kind of stuff should be prevented
>>>>>> using the iommu and if it's enabled then any funny tricks using MSI/MSI-X
>>>>>> configuration will be prevented too.
>>>>>>
>>>>>> I'm about to send the patch to main Linux mailing list. Let's continue this
>>>>>> discussion there.
>>>>> Basically UIO shouldn't be used with devices capable of DMA.
>>>>> Use VFIO for that (yes, this implies an emulated or PV IOMMU).
>> If there is an IOMMU in the picture there shouldn't be any problem to use
>> UIO with DMA capable devices.
> UIO doesn't enforce the IOMMU though. That's why it's not a good fit.
Having said all that - does UIO denies to work with the devices with DMA
capability today? Either i have missed that logic or it's not there.
So all what u are so worried about may already be done today. That's why
I don't understand why adding a support for MSI/MSI-X interrupts
would change anything here. U are right that UIO *today* has a security
hole however it should be addressed separately and the same solution
that will cover the the security breach in the current code will cover
the "MSI/MSI-X security vulnerability" because they are actually exactly
the same
issue.
>
>>>>> I don't think this can change.
>>>> Given there is no PV IOMMU and even if there was it would be too slow for DPDK
>>>> use, I can't accept that.
>>> QEMU does allow emulating an iommu.
>> Amazon's EC2 xen HV doesn't. At least today. Therefore VFIO is not an option
>> there.
> Not only that, a bunch of boxes have their IOMMU disabled.
> So for such systems, you can't have userspace poking at
> device registers. You need a kernel driver to validate
> userspace requests before passing them on to devices.
I think u are describing a HV functionality here. ;) And yes, u are
absolutely right, HV has to control the non-privileged userland.
For HV/non-virtualized boxes a possible solution could be to allow UIO
only for some privileged group of processes.
>
>> And again, it's a general issue not DPDK specific.
>> Today one has to develop some proprietary modules (like igb_uio) to
>> workaround the issue and this is lame.
> Of course it is lame. So don't bypass the kernel then, use the upstream drivers.
This would impose a heavy performance penalty. The whole idea is to
bypass kernel. Especially for networking...
>
>> IMHO uio_pci_generic should
>> be fixed to be able to properly work within any virtualized environment and
>> not only with KVM.
> The motivation for UIO is pretty clear:
>
> For many types of devices, creating a Linux kernel driver is
> overkill. All that is really needed is some way to handle an
> interrupt and provide access to the memory space of the
> device. The logic of controlling the device does not
> necessarily have to be within the kernel, as the device does
> not need to take advantage of any of other resources that the
> kernel provides. One such common class of devices that are
> like this are for industrial I/O cards.
>
> Devices doing DMA do need to take advantage of memory protection
> that the kernel provides.
Well, yeah - but who said I has to be forbidden to work with the device
if MSI-X interrupts is my only option?
Kernel may provide a protection in the way that it would check the
process permissions and deny the UIO access to non-privileged processes.
I'm not sure it's the case today and if it's not the case then, as
mentioned above, this would rather be fixed ASAP exactly due to reasons
u bring up
here. And once it's done there shouldn't be any limitation to allow MSI
or MSI-X interrupts along with INT#X.
>
>>> DPDK uses static mappings, so I
>>> doubt it's speed matters at all.
>>>
>>> Anyway, DPDK is doing polling all the time. I don't see why does it
>>> insist on using interrupts to detect link up events. Just poll for that
>>> too.
>>>
next prev parent reply other threads:[~2015-09-30 11:26 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-27 7:05 Vlad Zolotarov
2015-09-27 9:43 ` Michael S. Tsirkin
2015-09-27 10:50 ` Vladislav Zolotarov
2015-09-29 16:41 ` Vlad Zolotarov
2015-09-29 20:54 ` Michael S. Tsirkin
2015-09-29 21:46 ` Stephen Hemminger
2015-09-29 21:49 ` Michael S. Tsirkin
2015-09-30 10:37 ` Vlad Zolotarov
2015-09-30 10:58 ` Michael S. Tsirkin
2015-09-30 11:26 ` Vlad Zolotarov [this message]
[not found] ` <20150930143927-mutt-send-email-mst@redhat.com>
2015-09-30 11:53 ` Vlad Zolotarov
2015-09-30 12:03 ` Michael S. Tsirkin
2015-09-30 12:16 ` Vlad Zolotarov
2015-09-30 12:27 ` Michael S. Tsirkin
2015-09-30 12:50 ` Vlad Zolotarov
2015-09-30 15:26 ` Michael S. Tsirkin
2015-09-30 18:15 ` Vlad Zolotarov
2015-09-30 18:55 ` Michael S. Tsirkin
2015-09-30 19:06 ` Vlad Zolotarov
2015-09-30 19:10 ` Vlad Zolotarov
2015-09-30 19:11 ` Vlad Zolotarov
2015-09-30 19:39 ` Michael S. Tsirkin
2015-09-30 20:09 ` Vlad Zolotarov
2015-09-30 21:36 ` Stephen Hemminger
2015-09-30 21:53 ` Michael S. Tsirkin
2015-09-30 22:20 ` Vlad Zolotarov
2015-10-01 8:00 ` Vlad Zolotarov
2015-10-01 14:47 ` Stephen Hemminger
2015-10-01 15:03 ` Vlad Zolotarov
2015-09-30 13:05 ` Avi Kivity
2015-09-30 14:39 ` Michael S. Tsirkin
2015-09-30 14:53 ` Avi Kivity
2015-09-30 15:21 ` Michael S. Tsirkin
2015-09-30 15:36 ` Avi Kivity
2015-09-30 20:40 ` Michael S. Tsirkin
2015-09-30 21:00 ` Avi Kivity
2015-10-01 8:44 ` Michael S. Tsirkin
2015-10-01 8:46 ` Vlad Zolotarov
2015-10-01 8:52 ` Avi Kivity
2015-10-01 9:15 ` Michael S. Tsirkin
2015-10-01 9:22 ` Avi Kivity
2015-10-01 9:42 ` Michael S. Tsirkin
2015-10-01 9:53 ` Avi Kivity
2015-10-01 10:17 ` Michael S. Tsirkin
2015-10-01 10:24 ` Avi Kivity
2015-10-01 10:25 ` Avi Kivity
2015-10-01 10:44 ` Michael S. Tsirkin
2015-10-01 10:55 ` Avi Kivity
2015-10-01 21:17 ` Alexander Duyck
2015-10-02 13:50 ` Michael S. Tsirkin
2015-10-01 9:42 ` Vincent JARDIN
2015-10-01 9:43 ` Avi Kivity
2015-10-01 9:48 ` Vincent JARDIN
2015-10-01 9:54 ` Avi Kivity
2015-10-01 10:14 ` Michael S. Tsirkin
2015-10-01 10:23 ` Avi Kivity
2015-10-01 14:55 ` Stephen Hemminger
2015-10-01 15:49 ` Michael S. Tsirkin
2015-10-01 14:54 ` Stephen Hemminger
2015-10-01 9:55 ` Michael S. Tsirkin
2015-10-01 9:59 ` Avi Kivity
2015-10-01 10:38 ` Michael S. Tsirkin
2015-10-01 10:50 ` Avi Kivity
2015-10-01 11:09 ` Michael S. Tsirkin
2015-10-01 11:20 ` Avi Kivity
2015-10-01 11:27 ` Michael S. Tsirkin
2015-10-01 11:32 ` Avi Kivity
2015-10-01 15:01 ` Stephen Hemminger
2015-10-01 15:08 ` Avi Kivity
2015-10-01 15:46 ` Michael S. Tsirkin
2015-10-01 15:11 ` Michael S. Tsirkin
2015-10-01 15:19 ` Avi Kivity
2015-10-01 15:40 ` Michael S. Tsirkin
2015-10-01 11:31 ` Michael S. Tsirkin
2015-10-01 11:34 ` Avi Kivity
2015-10-01 11:08 ` Bruce Richardson
2015-10-01 11:23 ` Michael S. Tsirkin
2015-10-01 12:07 ` Bruce Richardson
2015-10-01 13:14 ` Michael S. Tsirkin
2015-10-01 16:04 ` Michael S. Tsirkin
2015-10-01 21:02 ` Alexander Duyck
2015-10-02 14:00 ` Michael S. Tsirkin
2015-10-02 14:07 ` Bruce Richardson
2015-10-04 9:07 ` Michael S. Tsirkin
2015-10-02 15:56 ` Gleb Natapov
2015-10-02 16:57 ` Alexander Duyck
2015-10-01 9:15 ` Avi Kivity
2015-10-01 9:29 ` Michael S. Tsirkin
2015-10-01 9:38 ` Avi Kivity
2015-10-01 10:07 ` Michael S. Tsirkin
2015-10-01 10:11 ` Avi Kivity
2015-10-01 9:16 ` Michael S. Tsirkin
2015-09-30 17:28 ` Stephen Hemminger
2015-09-30 17:39 ` Michael S. Tsirkin
2015-09-30 17:43 ` Stephen Hemminger
2015-09-30 18:50 ` Michael S. Tsirkin
2015-09-30 20:00 ` Gleb Natapov
2015-09-30 20:36 ` Michael S. Tsirkin
2015-10-01 5:04 ` Gleb Natapov
2015-09-30 17:44 ` Gleb Natapov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=560BC6C9.4020505@cloudius-systems.com \
--to=vladz@cloudius-systems.com \
--cc=dev@dpdk.org \
--cc=mst@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).