From: Halil Pasic <pasic@linux.vnet.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "Longpeng(Mike)" <longpeng2@huawei.com>,
qemu-devel@nongnu.org, virtio-dev@lists.oasis-open.org,
luonengjun@huawei.com, cornelia.huck@de.ibm.com,
stefanha@redhat.com, denglingli@chinamobile.com,
Jani.Kokkonen@huawei.com, Ola.Liljedahl@arm.com,
Varun.Sethi@freescale.com, xin.zeng@intel.com,
brian.a.keating@intel.com, liang.j.ma@intel.com,
john.griffin@intel.com, weidong.huang@huawei.com, agraf@suse.de,
jasowang@redhat.com, vincent.jardin@6wind.com,
arei.gonglei@huawei.com, wangxinxin.wang@huawei.com,
jianjay.zhou@huawei.com
Subject: Re: [Qemu-devel] [virtio-dev] Re: [v23 1/2] virtio-crypto: Add virtio crypto device specification
Date: Fri, 16 Mar 2018 19:18:45 +0100 [thread overview]
Message-ID: <29aa3e9f-ae34-8888-4ec2-2fd22b4d747f@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180316181953-mutt-send-email-mst@kernel.org>
On 03/16/2018 05:27 PM, Michael S. Tsirkin wrote:
> On Tue, Jan 09, 2018 at 06:05:41PM +0100, Halil Pasic wrote:
>>> +\item[\field{max_cipher_key_len}] is the maximum length of cipher key supported by the device.
>>
>> I can't find what happens if this limit isn't honored by the driver. Moreover
>> reading it is only SHOULD. Is it undefined behavior or should the device reject/fail
>> such requests? I think in qemu implementation we fail the request.
>>
>> This question is only about niceness. We are already good enough, IMHO:
>> since the implementer of the driver can't be sure what is going to happen
>> if the driver disregards max_cipher_key_len it is already an implicit
>> SHOULD.
>
> I am not sure documenting undefined behaviour is always required.
I kind of agree. But I'm afraid I did not get through my point. It's
about clarity. The driver supplying a cipher key larger that
max_cipher_key_len isn't violating any driver normative statement.
I find it strange make obtaining a piece of configuration a driver
normative but have neither a driver normative that says the driver must
(or should) operate according to the same (at least in certain)
circumstances nor a device normative that implicitly educates the driver
implementer what happens if the driver is acting stupid (see below).
> We certainly do not do this for all other devices>
"""
5.2.6.2 Device Requirements: Device Operation
A device MUST set the status byte to VIRTIO_BLK_S_IOERR for a write request if the VIRTIO_BLK_F_RO feature if offered, and MUST NOT write any data.
"""
I was under the impression, that we sometimes express what is naively
a driver-requirement (e.g. thou shall not write to a read only
device) as a device-requirement. This has benefits in my opinion:
the driver implementer is educated about a certain behavior being a no-no
and hopefully leading to sane error handling (with a compliant device
sitting on the other side) --- instead of offending drivers landing beyond
the spec (in undefined behavior land) by violating a driver-normative.
> Reading a field being SHOULD seems reasonable: e.g.
> driver might read it once and cache it in memory.
I don't quite understand. Let me quote the normative section
+\drivernormative{\subsubsection}{Device configuration layout}{Device Types / Crypto Device / Device configuration layout}
+
+\begin{itemize*}
+\item The driver MUST read the \field{status} from the bottom bit of status to check whether the
+ VIRTIO_CRYPTO_S_HW_READY is set, and the driver MUST reread it after device reset.
+\item The driver MUST NOT transmit any requests to the device if the VIRTIO_CRYPTO_S_HW_READY is not set.
+\item The driver MUST read \field{max_dataqueues} field to discover the number of data queues the device supports.
[..]
+\item The driver SHOULD read \field{max_cipher_key_len} to discover the maximum length of cipher key
+ the device supports.
Does it mean it's OK for the driver (e.g. after a configuration change
notification to use a stale) \field{max_cipher_key_len} ) as it is SHOULD read
bit it's not OK to use a stale \field{max_dataqueues}?
AFAIU all configuration space stuff eligible for caching, but
under certain circumstances the cache invalidates and a re-read
is necessary.
>
> Halil, could you try to split your comments between requirements
> for more conformance clauses/clarifications as opposed to
> defects where it's wrong and does not match actual or
> expected behaviour?
Yes. I'm already trying to tag my comments. 'This question is only
about niceness. We are already good enough' was supposed to indicate
that this one is not requirement.
Do you mean putting these in separate emails?
>
> I think spec is better off with some documentation for this
> device than none at all like today.
>
If the rest community says it's good enough, I won't fight against
inclusion neither in the repo nor in the next Committee Specification.
I would %100 agree with you if this were normal documentation.
The problem with standards is that both correctness and completeness
are crucial. What is not part of the standard, is not part of the
standard and period.
Virtio is especially tricky as there is no versions of the standard.
What once was a compliant device/driver must be kept compliant when
we change the text. That is why this better something than nothing
does not entirely work for me.
Regards,
Halil
WARNING: multiple messages have this Message-ID (diff)
From: Halil Pasic <pasic@linux.vnet.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "Longpeng(Mike)" <longpeng2@huawei.com>,
qemu-devel@nongnu.org, virtio-dev@lists.oasis-open.org,
luonengjun@huawei.com, cornelia.huck@de.ibm.com,
stefanha@redhat.com, denglingli@chinamobile.com,
Jani.Kokkonen@huawei.com, Ola.Liljedahl@arm.com,
Varun.Sethi@freescale.com, xin.zeng@intel.com,
brian.a.keating@intel.com, liang.j.ma@intel.com,
john.griffin@intel.com, weidong.huang@huawei.com, agraf@suse.de,
jasowang@redhat.com, vincent.jardin@6wind.com,
arei.gonglei@huawei.com, wangxinxin.wang@huawei.com,
jianjay.zhou@huawei.com
Subject: Re: [virtio-dev] Re: [Qemu-devel] [v23 1/2] virtio-crypto: Add virtio crypto device specification
Date: Fri, 16 Mar 2018 19:18:45 +0100 [thread overview]
Message-ID: <29aa3e9f-ae34-8888-4ec2-2fd22b4d747f@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180316181953-mutt-send-email-mst@kernel.org>
On 03/16/2018 05:27 PM, Michael S. Tsirkin wrote:
> On Tue, Jan 09, 2018 at 06:05:41PM +0100, Halil Pasic wrote:
>>> +\item[\field{max_cipher_key_len}] is the maximum length of cipher key supported by the device.
>>
>> I can't find what happens if this limit isn't honored by the driver. Moreover
>> reading it is only SHOULD. Is it undefined behavior or should the device reject/fail
>> such requests? I think in qemu implementation we fail the request.
>>
>> This question is only about niceness. We are already good enough, IMHO:
>> since the implementer of the driver can't be sure what is going to happen
>> if the driver disregards max_cipher_key_len it is already an implicit
>> SHOULD.
>
> I am not sure documenting undefined behaviour is always required.
I kind of agree. But I'm afraid I did not get through my point. It's
about clarity. The driver supplying a cipher key larger that
max_cipher_key_len isn't violating any driver normative statement.
I find it strange make obtaining a piece of configuration a driver
normative but have neither a driver normative that says the driver must
(or should) operate according to the same (at least in certain)
circumstances nor a device normative that implicitly educates the driver
implementer what happens if the driver is acting stupid (see below).
> We certainly do not do this for all other devices>
"""
5.2.6.2 Device Requirements: Device Operation
A device MUST set the status byte to VIRTIO_BLK_S_IOERR for a write request if the VIRTIO_BLK_F_RO feature if offered, and MUST NOT write any data.
"""
I was under the impression, that we sometimes express what is naively
a driver-requirement (e.g. thou shall not write to a read only
device) as a device-requirement. This has benefits in my opinion:
the driver implementer is educated about a certain behavior being a no-no
and hopefully leading to sane error handling (with a compliant device
sitting on the other side) --- instead of offending drivers landing beyond
the spec (in undefined behavior land) by violating a driver-normative.
> Reading a field being SHOULD seems reasonable: e.g.
> driver might read it once and cache it in memory.
I don't quite understand. Let me quote the normative section
+\drivernormative{\subsubsection}{Device configuration layout}{Device Types / Crypto Device / Device configuration layout}
+
+\begin{itemize*}
+\item The driver MUST read the \field{status} from the bottom bit of status to check whether the
+ VIRTIO_CRYPTO_S_HW_READY is set, and the driver MUST reread it after device reset.
+\item The driver MUST NOT transmit any requests to the device if the VIRTIO_CRYPTO_S_HW_READY is not set.
+\item The driver MUST read \field{max_dataqueues} field to discover the number of data queues the device supports.
[..]
+\item The driver SHOULD read \field{max_cipher_key_len} to discover the maximum length of cipher key
+ the device supports.
Does it mean it's OK for the driver (e.g. after a configuration change
notification to use a stale) \field{max_cipher_key_len} ) as it is SHOULD read
bit it's not OK to use a stale \field{max_dataqueues}?
AFAIU all configuration space stuff eligible for caching, but
under certain circumstances the cache invalidates and a re-read
is necessary.
>
> Halil, could you try to split your comments between requirements
> for more conformance clauses/clarifications as opposed to
> defects where it's wrong and does not match actual or
> expected behaviour?
Yes. I'm already trying to tag my comments. 'This question is only
about niceness. We are already good enough' was supposed to indicate
that this one is not requirement.
Do you mean putting these in separate emails?
>
> I think spec is better off with some documentation for this
> device than none at all like today.
>
If the rest community says it's good enough, I won't fight against
inclusion neither in the repo nor in the next Committee Specification.
I would %100 agree with you if this were normal documentation.
The problem with standards is that both correctness and completeness
are crucial. What is not part of the standard, is not part of the
standard and period.
Virtio is especially tricky as there is no versions of the standard.
What once was a compliant device/driver must be kept compliant when
we change the text. That is why this better something than nothing
does not entirely work for me.
Regards,
Halil
---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org
next prev parent reply other threads:[~2018-03-16 18:19 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-30 9:35 [Qemu-devel] [v23 0/2] virtio-crypto: virtio crypto device specification Longpeng(Mike)
2017-12-30 9:35 ` [Qemu-devel] [v23 1/2] virtio-crypto: Add " Longpeng(Mike)
2018-01-09 17:05 ` Halil Pasic
2018-01-09 17:05 ` [virtio-dev] " Halil Pasic
2018-01-09 17:41 ` Michael S. Tsirkin
2018-01-09 17:41 ` [virtio-dev] " Michael S. Tsirkin
2018-01-10 5:53 ` Longpeng (Mike)
2018-01-10 5:53 ` [virtio-dev] " Longpeng (Mike)
2018-06-20 3:34 ` [Qemu-devel] [virtio-dev] " Michael S. Tsirkin
2018-06-20 3:34 ` [virtio-dev] Re: [Qemu-devel] " Michael S. Tsirkin
2018-06-20 6:15 ` [Qemu-devel] [virtio-dev] " Longpeng (Mike)
2018-03-16 16:27 ` Michael S. Tsirkin
2018-03-16 16:27 ` [virtio-dev] Re: [Qemu-devel] " Michael S. Tsirkin
2018-03-16 18:18 ` Halil Pasic [this message]
2018-03-16 18:18 ` Halil Pasic
2018-03-19 0:13 ` [Qemu-devel] [virtio-dev] " Michael S. Tsirkin
2018-03-19 0:13 ` [virtio-dev] Re: [Qemu-devel] " Michael S. Tsirkin
2018-07-20 12:01 ` Longpeng (Mike)
2018-07-20 12:01 ` [virtio-dev] " Longpeng (Mike)
2018-07-26 16:55 ` Halil Pasic
2018-07-26 16:55 ` [virtio-dev] " Halil Pasic
2018-07-27 0:59 ` Longpeng (Mike)
2018-07-27 0:59 ` [virtio-dev] " Longpeng (Mike)
2018-07-27 11:51 ` [Qemu-devel] [virtio-dev] " Michael S. Tsirkin
2018-07-27 11:51 ` [virtio-dev] Re: [Qemu-devel] " Michael S. Tsirkin
2018-08-01 20:21 ` [Qemu-devel] [virtio-dev] " Halil Pasic
2018-08-01 20:21 ` [virtio-dev] " Halil Pasic
2018-08-02 1:56 ` Longpeng (Mike)
2018-08-02 1:56 ` [virtio-dev] " Longpeng (Mike)
2017-12-30 9:35 ` [Qemu-devel] [v23 2/2] virtio-crypto: Add conformance clauses Longpeng(Mike)
2017-12-30 9:35 ` [virtio-dev] " Longpeng(Mike)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=29aa3e9f-ae34-8888-4ec2-2fd22b4d747f@linux.vnet.ibm.com \
--to=pasic@linux.vnet.ibm.com \
--cc=Jani.Kokkonen@huawei.com \
--cc=Ola.Liljedahl@arm.com \
--cc=Varun.Sethi@freescale.com \
--cc=agraf@suse.de \
--cc=arei.gonglei@huawei.com \
--cc=brian.a.keating@intel.com \
--cc=cornelia.huck@de.ibm.com \
--cc=denglingli@chinamobile.com \
--cc=jasowang@redhat.com \
--cc=jianjay.zhou@huawei.com \
--cc=john.griffin@intel.com \
--cc=liang.j.ma@intel.com \
--cc=longpeng2@huawei.com \
--cc=luonengjun@huawei.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vincent.jardin@6wind.com \
--cc=virtio-dev@lists.oasis-open.org \
--cc=wangxinxin.wang@huawei.com \
--cc=weidong.huang@huawei.com \
--cc=xin.zeng@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.