From: Tom Talpey <tom@talpey.com>
To: Long Li <longli@microsoft.com>, Steve French <sfrench@samba.org>,
"linux-cifs@vger.kernel.org" <linux-cifs@vger.kernel.org>,
"samba-technical@lists.samba.org"
<samba-technical@lists.samba.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
Subject: Re: [RFC PATCH 00/09] Implement direct user I/O interfaces for RDMA
Date: Fri, 18 May 2018 17:58:25 -0700 [thread overview]
Message-ID: <d7ff714d-22ac-b011-915c-ed1cc52326ef@talpey.com> (raw)
In-Reply-To: <MWHPR2101MB0729BFF8F0A397805087C3A4CE900@MWHPR2101MB0729.namprd21.prod.outlook.com>
On 5/17/2018 11:03 PM, Long Li wrote:
>> Subject: Re: [RFC PATCH 00/09] Implement direct user I/O interfaces for
>> RDMA
>>
>> On 5/17/2018 8:22 PM, Long Li wrote:
>>> From: Long Li <longli@microsoft.com>
>>>
>>> This patchset implements direct user I/O through RDMA.
>>>
>>> In normal code path (even with cache=none), CIFS copies I/O data from
>>> user-space to kernel-space for security reasons.
>>>
>>> With this patchset, a new mounting option is introduced to have CIFS
>>> pin the user-space buffer into memory and performs I/O through RDMA.
>>> This avoids memory copy, at the cost of added security risk.
>>
>> What's the security risk? This type of direct i/o behavior is not uncommon,
>> and can certainly be made safe, using the appropriate memory registration
>> and protection domains. Any risk needs to be stated explicitly, and mitigation
>> provided, or at least described.
>
> I think it's an assumption that user-mode buffer can't be trusted, so CIFS always copies them into internal buffers, and calculate signature and encryption based on protocol used.
>
> With the direct buffer, the user can potentially modify the buffer when signature or encryption is in progress or after they are done.
I don't agree that the legacy copying behavior is because the buffer is
"untrusted". The buffer is the user's data, there's no trust issue here.
If the user application modifies the buffer while it's being sent, it's
a violation of the API contract, and the only victim is the application
itself. Same applies for receiving data. And as pointed out, most all
storage layers, file and block both, use this strategy for direct i/o.
Regarding signing, if the application alters the data then the integrity
hash will simply do its job and catch the application in the act. Again,
nothing suffers but the application.
Regarding encryption, I assume you're proposing to encrypt and decrypt
the data in a kernel buffer, effectively a copy. So in fact, in the
encryption case there's no need to pin and map the user buffer at all.
I'll mention however that Windows takes the path of not performing
RDMA placement when encrypting data. It saves nothing, and even adds
some overhead, because of the need to touch the buffer anyway to
manage the encryption/decryption.
Bottom line - no security implication for using user buffers directly.
Tom.
> I also want to point out that, I choose to implement .read_iter and .write_iter from file_operations to implement direct I/O (CIFS is already doing this for O_DIRECT, so following this code path will avoid a big mess up). The ideal choice is to implement .direct_IO from address_space_operations that I think eventually we want to move to.
>
>>
>> Tom.
>>
>>>
>>> This patchset is RFC. The work is in progress, do not merge.
>>>
>>>
>>> Long Li (9):
>>> Introduce offset for the 1st page in data transfer structures
>>> Change wdata alloc to support direct pages
>>> Change rdata alloc to support direct pages
>>> Change function to support offset when reading pages
>>> Change RDMA send to regonize page offset in the 1st page
>>> Change RDMA recv to support offset in the 1st page
>>> Support page offset in memory regsitrations
>>> Implement no-copy file I/O interfaces
>>> Introduce cache=rdma moutning option
>>>
>>>
>>> fs/cifs/cifs_fs_sb.h | 2 +
>>> fs/cifs/cifsfs.c | 19 +++
>>> fs/cifs/cifsfs.h | 3 +
>>> fs/cifs/cifsglob.h | 6 +
>>> fs/cifs/cifsproto.h | 4 +-
>>> fs/cifs/cifssmb.c | 10 +-
>>> fs/cifs/connect.c | 13 +-
>>> fs/cifs/dir.c | 5 +
>>> fs/cifs/file.c | 351
>> ++++++++++++++++++++++++++++++++++++++++++----
>>> fs/cifs/inode.c | 4 +-
>>> fs/cifs/smb2ops.c | 2 +-
>>> fs/cifs/smb2pdu.c | 22 ++-
>>> fs/cifs/smbdirect.c | 132 ++++++++++-------
>>> fs/cifs/smbdirect.h | 2 +-
>>> fs/read_write.c | 7 +
>>> include/linux/ratelimit.h | 2 +-
>>> 16 files changed, 489 insertions(+), 95 deletions(-)
>>>
> N�����r��y���b�X��ǧv�^�){.n�+����{��ٚ�{ay�\x1d
ʇڙ�,j\a��f���h���z�\x1e
�w���\f
���j:+v���w�j�m����\a����zZ+�����ݢj"��!tml=
>
WARNING: multiple messages have this Message-ID (diff)
From: Tom Talpey <tom@talpey.com>
To: Long Li <longli@microsoft.com>, Steve French <sfrench@samba.org>,
"linux-cifs@vger.kernel.org" <linux-cifs@vger.kernel.org>,
"samba-technical@lists.samba.org"
<samba-technical@lists.samba.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
Subject: Re: [RFC PATCH 00/09] Implement direct user I/O interfaces for RDMA
Date: Fri, 18 May 2018 17:58:25 -0700 [thread overview]
Message-ID: <d7ff714d-22ac-b011-915c-ed1cc52326ef@talpey.com> (raw)
In-Reply-To: <MWHPR2101MB0729BFF8F0A397805087C3A4CE900@MWHPR2101MB0729.namprd21.prod.outlook.com>
On 5/17/2018 11:03 PM, Long Li wrote:
>> Subject: Re: [RFC PATCH 00/09] Implement direct user I/O interfaces for
>> RDMA
>>
>> On 5/17/2018 8:22 PM, Long Li wrote:
>>> From: Long Li <longli@microsoft.com>
>>>
>>> This patchset implements direct user I/O through RDMA.
>>>
>>> In normal code path (even with cache=none), CIFS copies I/O data from
>>> user-space to kernel-space for security reasons.
>>>
>>> With this patchset, a new mounting option is introduced to have CIFS
>>> pin the user-space buffer into memory and performs I/O through RDMA.
>>> This avoids memory copy, at the cost of added security risk.
>>
>> What's the security risk? This type of direct i/o behavior is not uncommon,
>> and can certainly be made safe, using the appropriate memory registration
>> and protection domains. Any risk needs to be stated explicitly, and mitigation
>> provided, or at least described.
>
> I think it's an assumption that user-mode buffer can't be trusted, so CIFS always copies them into internal buffers, and calculate signature and encryption based on protocol used.
>
> With the direct buffer, the user can potentially modify the buffer when signature or encryption is in progress or after they are done.
I don't agree that the legacy copying behavior is because the buffer is
"untrusted". The buffer is the user's data, there's no trust issue here.
If the user application modifies the buffer while it's being sent, it's
a violation of the API contract, and the only victim is the application
itself. Same applies for receiving data. And as pointed out, most all
storage layers, file and block both, use this strategy for direct i/o.
Regarding signing, if the application alters the data then the integrity
hash will simply do its job and catch the application in the act. Again,
nothing suffers but the application.
Regarding encryption, I assume you're proposing to encrypt and decrypt
the data in a kernel buffer, effectively a copy. So in fact, in the
encryption case there's no need to pin and map the user buffer at all.
I'll mention however that Windows takes the path of not performing
RDMA placement when encrypting data. It saves nothing, and even adds
some overhead, because of the need to touch the buffer anyway to
manage the encryption/decryption.
Bottom line - no security implication for using user buffers directly.
Tom.
> I also want to point out that, I choose to implement .read_iter and .write_iter from file_operations to implement direct I/O (CIFS is already doing this for O_DIRECT, so following this code path will avoid a big mess up). The ideal choice is to implement .direct_IO from address_space_operations that I think eventually we want to move to.
>
>>
>> Tom.
>>
>>>
>>> This patchset is RFC. The work is in progress, do not merge.
>>>
>>>
>>> Long Li (9):
>>> Introduce offset for the 1st page in data transfer structures
>>> Change wdata alloc to support direct pages
>>> Change rdata alloc to support direct pages
>>> Change function to support offset when reading pages
>>> Change RDMA send to regonize page offset in the 1st page
>>> Change RDMA recv to support offset in the 1st page
>>> Support page offset in memory regsitrations
>>> Implement no-copy file I/O interfaces
>>> Introduce cache=rdma moutning option
>>>
>>>
>>> fs/cifs/cifs_fs_sb.h | 2 +
>>> fs/cifs/cifsfs.c | 19 +++
>>> fs/cifs/cifsfs.h | 3 +
>>> fs/cifs/cifsglob.h | 6 +
>>> fs/cifs/cifsproto.h | 4 +-
>>> fs/cifs/cifssmb.c | 10 +-
>>> fs/cifs/connect.c | 13 +-
>>> fs/cifs/dir.c | 5 +
>>> fs/cifs/file.c | 351
>> ++++++++++++++++++++++++++++++++++++++++++----
>>> fs/cifs/inode.c | 4 +-
>>> fs/cifs/smb2ops.c | 2 +-
>>> fs/cifs/smb2pdu.c | 22 ++-
>>> fs/cifs/smbdirect.c | 132 ++++++++++-------
>>> fs/cifs/smbdirect.h | 2 +-
>>> fs/read_write.c | 7 +
>>> include/linux/ratelimit.h | 2 +-
>>> 16 files changed, 489 insertions(+), 95 deletions(-)
>>>
> N�����r��y���b�X��ǧv�^�){.n�+����{��ٚ�{ay�\x1dʇڙ�,j\a��f���h���z�\x1e�w���\f���j:+v���w�j�m����\a����zZ+�����ݢj"��!tml=
>
next prev parent reply other threads:[~2018-05-19 0:58 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 0:22 [RFC PATCH 00/09] Implement direct user I/O interfaces for RDMA Long Li
2018-05-17 23:10 ` Tom Talpey
2018-05-18 6:03 ` Long Li
2018-05-18 6:44 ` Christoph Hellwig
2018-05-19 0:58 ` Tom Talpey [this message]
2018-05-19 0:58 ` Tom Talpey
2018-05-18 6:42 ` Christoph Hellwig
2018-05-18 0:22 ` [RFC PATCH 01/09] Introduce offset for the 1st page in data transfer structures Long Li
2018-05-18 6:37 ` Steve French
2018-05-18 0:22 ` [RFC PATCH 02/09] Change wdata alloc to support direct pages Long Li
2018-05-19 1:05 ` Tom Talpey
2018-05-18 0:22 ` [RFC PATCH 03/09] Change rdata " Long Li
2018-05-18 0:22 ` [RFC PATCH 04/09] Change function to support offset when reading pages Long Li
2018-05-18 0:22 ` [RFC PATCH 05/09] Change RDMA send to regonize page offset in the 1st page Long Li
2018-05-19 1:09 ` Tom Talpey
2018-05-19 5:54 ` Long Li
2018-05-18 0:22 ` [RFC PATCH 06/09] Change RDMA recv to support " Long Li
2018-05-18 0:22 ` [RFC PATCH 07/09] Support page offset in memory regsitrations Long Li
2018-05-18 0:22 ` [RFC PATCH 08/09] Implement direct file I/O interfaces Long Li
2018-05-18 0:22 ` [RFC PATCH 09/09] Introduce cache=rdma moutning option Long Li
2018-05-18 7:26 ` Christoph Hellwig
2018-05-18 19:00 ` Long Li
2018-05-18 20:44 ` Steve French
2018-05-18 20:58 ` Long Li
2018-05-19 1:20 ` Tom Talpey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d7ff714d-22ac-b011-915c-ed1cc52326ef@talpey.com \
--to=tom@talpey.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=longli@microsoft.com \
--cc=samba-technical@lists.samba.org \
--cc=sfrench@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.