Re: [PATCH rdma-rc 1/2] IB/core: Only enforce security for InfiniBand

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 21/11/2017 15:22, Leon Romanovsky wrote:
> On Tue, Nov 21, 2017 at 12:44:10PM +0200, Mark Bloch wrote:
>> Hi,
>>
>> On 21/11/2017 12:26, Leon Romanovsky wrote:
>>> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>>
>>> For now the only LSM security enforcement mechanism available is
>>> specific to InfiniBand. Bypass enforcement for non-IB link types.
>>> This fixes a regression where modify_qp fails for iWARP because
>>> querying the PKEY returns -EINVAL.
>>>
>>> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
>>> Cc: Don Dutile <ddutile@xxxxxxxxxx>
>>> Cc: stable@xxxxxxxxxxxxxxx
>>> Reported-by: Potnuri Bharat Teja <bharat@xxxxxxxxxxx>
>>> Fixes: d291f1a65232("IB/core: Enforce PKey security on QPs")
>>> Fixes: 47a2b338fe63("IB/core: Enforce security on management datagrams")
>>> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>> Reviewed-by: Parav Pandit <parav@xxxxxxxxxxxx>
>>> Tested-by: Potnuri Bharat Teja <bharat@xxxxxxxxxxx>
>>> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
>>> ---
>>>  drivers/infiniband/core/security.c | 9 +++++++++
>>>  1 file changed, 9 insertions(+)
>>>
>>> diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
>>> index 23278ed5be45..314bf1137c7b 100644
>>> --- a/drivers/infiniband/core/security.c
>>> +++ b/drivers/infiniband/core/security.c
>>> @@ -417,8 +417,17 @@ void ib_close_shared_qp_security(struct ib_qp_security *sec)
>>>
>>>  int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
>>>  {
>>> +	u8 i = rdma_start_port(dev);
>>> +	bool is_ib = false;
>>>  	int ret;
>>>
>>> +	while (i <= rdma_end_port(dev) && !is_ib)
>>> +		is_ib = rdma_protocol_ib(dev, i++);
>>> +
>>
>> What happens if we have mixed port types?
> 
> We will have is_ib set and qp_sec will be allocated on device layer and
> not on port level, but because pkeys are IB specific term (at least, I
> didn't find any mentioning in RoCE spec), the modify_qp won't query
> for PKEYS.
> 
What is port level for qp_sec?

I just gave mlx4 as an example, but I was talking more about the ability of the RDMA
subsystem to support mixed port types, so in this case, if in the future a vendor
will come with an ib_device with 2 ports, one is IB and one is iWARP bad things will happen.

>> I believe mlx4 can expose two ports where each port uses a different ll protocol.
>> Was that changed?
> 
> It is still true.
> 
>>
>>> +	/* If this isn't an IB device don't create the security context */
>>> +	if (!is_ib)
>>> +		return 0;
>>> +
>>>  	qp->qp_sec = kzalloc(sizeof(*qp->qp_sec), GFP_KERNEL);
>>>  	if (!qp->qp_sec)
>>>  		return -ENOMEM;
>>>
>>
>> Mark.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Mark



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]