On Tue, Aug 30, 2016 at 02:06:53PM +0000, Daniel Jurgens wrote: > On 8/30/2016 8:53 AM, Paul Moore wrote: > > On Tue, Aug 30, 2016 at 3:46 AM, Leon Romanovsky <leon@xxxxxxxxxx> wrote: > >> On Mon, Aug 29, 2016 at 08:00:32PM -0400, Paul Moore wrote: > >>> On Mon, Aug 29, 2016 at 5:48 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: > >>>> On 8/29/2016 4:40 PM, Paul Moore wrote: > >>>>> On Fri, Jul 29, 2016 at 9:53 AM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote: > >>>>>> From: Daniel Jurgens <danielj@xxxxxxxxxxxx> > >>>>> ... > >>>>> > >>>>>> Daniel Jurgens (9): > >>>>>> IB/core: IB cache enhancements to support Infiniband security > >>>>>> IB/core: Enforce PKey security on QPs > >>>>>> selinux lsm IB/core: Implement LSM notification system > >>>>>> IB/core: Enforce security on management datagrams > >>>>>> selinux: Create policydb version for Infiniband support > >>>>>> selinux: Allocate and free infiniband security hooks > >>>>>> selinux: Implement Infiniband PKey "Access" access vector > >>>>>> selinux: Add IB Port SMP access vector > >>>>>> selinux: Add a cache for quicker retreival of PKey SIDs > >>>>> Hi Daniel, > >>>>> > >>>>> My apologies for such a long delay in responding to this latest > >>>>> patchset; conferences, travel, and vacation have made for a very busy > >>>>> August. After you posted the v2 patchset we had an off-list > >>>>> discussion regarding testing the SELinux/IB integration; unfortunately > >>>>> we realized that IB hardware would be needed to test this (no IB > >>>>> loopback device), but we agreed that having tests would be beneficial. > >>>>> > >>>>> Have you done any work yet towards adding SELinux/IB tests to the > >>>>> selinux-testsuite project? > >>>>> > >>>>> * https://github.com/SELinuxProject/selinux-testsuite > >>>> Hi Paul, I've not started doing that yet. I've been waiting for feedback of any kind from the RDMA list. I thought the test updates would be more appropriate around the time I'm submitting the changes to the user space utilities to allow labeling the new types. > >>> Okay, no problem. I just want the tests in place and functional when > >>> we merge the kernel code. > >> Hi Paul, > >> > >> IMHO, you can use Soft RoCE (RXE) [1] for it. > >> > >> ---- > >> Soft RoCE (RXE) - The software RoCE driver > >> > >> ib_rxe implements the RDMA transport and registers to the RDMA core > >> device as a kernel verbs provider. It also implements the packet IO > >> layer. On the other hand ib_rxe registers to the Linux netdev stack > >> as a udp encapsulating protocol, in that case RDMA, for sending and > >> receiving packets over any Ethernet device. This yields a RDMA > >> transport over the UDP/Ethernet network layer forming a RoCEv2 > >> compatible device. > >> > >> The configuration procedure of the Soft RoCE drivers requires > >> binding to any existing Ethernet network device. This is done with > >> /sys interface. > >> ---- > >> > >> [1] > >> https://git.kernel.org/cgit/linux/kernel/git/dledford/rdma.git/tree/drivers/infiniband/sw/rxe > > Hi Leon, > > > > It looks like v4.8 will have all the necessary pieces for this, yes? > > Is there any documentation on this other than the git log? Keep in > > mind I'm looking at this from the SELinux side, I'm very Infiniband > > ignorant at the moment; although Daniel has been very patient in > > walking me through some of the basics. > > > > Daniel, does this look like something we might be able to use? > > > I don't this will be useful, RoCE doesn't have partitions/PKeys because it uses Ethernet as the transport instead of Infiniband. > Yeah, sorry for the noise.
Attachment:
signature.asc
Description: PGP signature
