From: Jason Gunthorpe <jgg@ziepe.ca>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Oded Gabbay <oded.gabbay@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Leon Romanovsky <leon@kernel.org>,
Gal Pressman <galpress@amazon.com>,
"Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, SW_Drivers <SW_Drivers@habana.ai>,
"David S. Miller" <davem@davemloft.net>,
Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
linux-rdma@vger.kernel.org
Subject: Re: [PATCH v3 00/14] Adding GAUDI NIC code to habanalabs driver
Date: Tue, 22 Sep 2020 08:49:39 -0300 [thread overview]
Message-ID: <20200922114939.GF8409@ziepe.ca> (raw)
In-Reply-To: <20200921142053.1d2310f6@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
On Mon, Sep 21, 2020 at 02:20:53PM -0700, Jakub Kicinski wrote:
> I'd wager the only reason you expose the netdevs at all is for link
> settings, stats, packet capture and debug. You'd never run TCP traffic
> over those links. And you're fighting against using Linux APIs for the
> only real traffic that runs on those links - RDMA(ish) traffic.
The usual working flow is to use something like TCP to exchange
connection information then pivot to RDMA for the actual data
flow. This is why a driver like this could get away with such a low
performance implementation for a 100G NIC, it is just application boot
metadata being exchanged.
Sniffing probably won't work as typically the HW will capture the RoCE
traffic before reaching Linux - and the Linux driver couldn't handle a
100G flow anyhow. Stats might not work either.
As far as the "usual rules" we do require that accelerator devices
sharing a netdev are secure in the concept of netdev userspace
security. They can access the assigned RoCEv2 UDP port but cannot do
things like forge src IP/MAC addresses, violate VLANs, reach outside
net namespaces, capature arbitary traffic, etc.
This stuff is tricky and generally requires HW support. Someone has to
audit all of this and ensure it meets the netdev security requirements
too, otherwise it will need CAP_NET_RAW to function. Obviously this
requires seeing enough of a userspace implementation to understand how
the design approaches verbs 'Address Handles' and so forth.
RDMA HW has had errors before and when discovered it was blocked with
CAP_NET_RAW until new chip revs came out, this is something I take
very seriously.
Jason
next prev parent reply other threads:[~2020-09-22 11:49 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-15 17:10 [PATCH v3 00/14] Adding GAUDI NIC code to habanalabs driver Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 02/14] habanalabs/gaudi: add NIC firmware-related definitions Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 03/14] habanalabs/gaudi: add NIC security configuration Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 04/14] habanalabs/gaudi: add support for NIC QMANs Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 05/14] habanalabs/gaudi: add NIC Ethernet support Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 06/14] habanalabs/gaudi: add NIC PHY code Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 07/14] habanalabs/gaudi: allow user to get MAC addresses in INFO IOCTL Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 08/14] habanalabs/gaudi: add a new IOCTL for NIC control operations Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 09/14] habanalabs/gaudi: add CQ " Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 10/14] habanalabs/gaudi: add WQ " Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 11/14] habanalabs/gaudi: add QP error handling Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 12/14] habanalabs/gaudi: Add ethtool support using coresight Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 13/14] habanalabs/gaudi: support DCB protocol Oded Gabbay
2020-09-15 17:10 ` [PATCH v3 14/14] habanalabs/gaudi: add NIC init/fini calls from common code Oded Gabbay
2020-09-15 20:35 ` [PATCH v3 00/14] Adding GAUDI NIC code to habanalabs driver Jakub Kicinski
2020-09-15 20:46 ` Oded Gabbay
2020-09-15 21:04 ` Jakub Kicinski
2020-09-15 21:20 ` Oded Gabbay
2020-09-15 21:37 ` Andrew Lunn
2020-09-15 21:43 ` Oded Gabbay
2020-09-15 22:35 ` David Miller
2020-09-15 22:36 ` David Miller
2020-09-15 22:34 ` David Miller
2020-09-16 4:26 ` Oded Gabbay
2020-09-17 17:18 ` Jason Gunthorpe
2020-09-18 11:36 ` Gal Pressman
2020-09-18 11:52 ` Leon Romanovsky
2020-09-18 11:56 ` Oded Gabbay
2020-09-18 12:03 ` Leon Romanovsky
2020-09-18 12:07 ` Oded Gabbay
2020-09-18 12:19 ` Leon Romanovsky
2020-09-18 12:31 ` Oded Gabbay
2020-09-18 13:09 ` Leon Romanovsky
2020-09-19 6:40 ` Greg Kroah-Hartman
2020-09-19 8:20 ` Leon Romanovsky
2020-09-19 8:30 ` Greg Kroah-Hartman
2020-09-19 8:58 ` Leon Romanovsky
2020-09-19 16:43 ` Oded Gabbay
2020-09-19 17:27 ` Greg Kroah-Hartman
2020-09-19 19:22 ` Jason Gunthorpe
2020-09-20 8:47 ` Greg Kroah-Hartman
2020-09-20 19:05 ` Oded Gabbay
2020-09-21 10:39 ` Leon Romanovsky
2020-09-21 11:52 ` Jason Gunthorpe
2020-09-21 21:20 ` Jakub Kicinski
2020-09-22 11:49 ` Jason Gunthorpe [this message]
2020-09-19 18:49 ` Andrew Lunn
2020-09-18 11:56 ` Jason Gunthorpe
2020-09-18 11:59 ` Oded Gabbay
2020-09-18 12:16 ` Jason Gunthorpe
2020-09-18 12:34 ` Oded Gabbay
2020-09-18 12:50 ` Jason Gunthorpe
2020-09-18 13:02 ` Oded Gabbay
2020-09-18 13:26 ` Jason Gunthorpe
2020-09-18 13:49 ` Oded Gabbay
2020-09-18 13:59 ` Jason Gunthorpe
2020-09-18 14:12 ` Oded Gabbay
2020-09-18 14:19 ` Jason Gunthorpe
2020-09-18 14:45 ` Oded Gabbay
2020-09-18 15:07 ` Jason Gunthorpe
2020-09-18 15:15 ` Oded Gabbay
2020-09-18 15:28 ` Jason Gunthorpe
2020-09-21 11:22 ` Gal Pressman
2020-09-21 11:49 ` Leon Romanovsky
2020-09-22 11:41 ` Jason Gunthorpe
2020-09-22 12:46 ` Gal Pressman
2020-09-22 16:14 ` Jason Gunthorpe
2020-09-22 16:30 ` Gal Pressman
2020-09-22 16:52 ` Jason Gunthorpe
2020-09-18 12:10 ` Oded Gabbay
2020-09-15 20:42 ` David Miller
2020-09-15 20:49 ` Oded Gabbay
2020-09-16 6:26 ` Greg Kroah-Hartman
2020-09-16 6:36 ` Oded Gabbay
2020-09-16 7:42 ` Greg Kroah-Hartman
2020-09-16 8:02 ` Oded Gabbay
2020-09-16 8:22 ` Greg Kroah-Hartman
2020-09-16 8:47 ` Oded Gabbay
2020-09-16 12:00 ` Greg Kroah-Hartman
2020-09-20 16:45 ` Daniel Vetter
2020-09-16 23:04 ` Williams, Dan J
2020-09-18 12:00 ` Jason Gunthorpe
2020-09-18 12:01 ` Oded Gabbay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200922114939.GF8409@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=SW_Drivers@habana.ai \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=galpress@amazon.com \
--cc=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oded.gabbay@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).