[v3,0/3] vduse: add support for networking devices

Message ID	20230705100430.61927-1-maxime.coquelin@redhat.com (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A44DA20F4 for <netdev@vger.kernel.org>; Wed, 5 Jul 2023 10:04:40 +0000 (UTC) From: Maxime Coquelin <maxime.coquelin@redhat.com> To: xieyongji@bytedance.com, jasowang@redhat.com, mst@redhat.com, david.marchand@redhat.com, lulu@redhat.com Cc: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, xuanzhuo@linux.alibaba.com, eperezma@redhat.com, Maxime Coquelin <maxime.coquelin@redhat.com> Subject: [PATCH v3 0/3] vduse: add support for networking devices Date: Wed, 5 Jul 2023 12:04:27 +0200 Message-ID: <20230705100430.61927-1-maxime.coquelin@redhat.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	vduse: add support for networking devices \| expand [v3,0/3] vduse: add support for networking devices [v3,1/3] vduse: validate block features only with block devices [v3,2/3] vduse: enable Virtio-net device type [v3,3/3] vduse: Temporarily disable control queue features

Maxime Coquelin July 5, 2023, 10:04 a.m. UTC

This small series enables virtio-net device type in VDUSE.
With it, basic operation have been tested, both with
virtio-vdpa and vhost-vdpa using DPDK Vhost library series
adding VDUSE support using split rings layout (merged in
DPDK v23.07-rc1).

Control queue support (and so multiqueue) has also been
tested, but requires a Kernel series from Jason Wang
relaxing control queue polling [1] to function reliably,
so while Jason rework is done, a patch is added to disable
CVQ and features that depend on it (tested also with DPDK
v23.07-rc1).

[1]: https://lore.kernel.org/lkml/CACGkMEtgrxN3PPwsDo4oOsnsSLJfEmBEZ0WvjGRr3whU+QasUg@mail.gmail.com/T/

v2 -> v3 changes:
=================
- Use allow list instead of deny list (Michael)

v1 -> v2 changes:
=================
- Add a patch to disable CVQ (Michael)

RFC -> v1 changes:
==================
- Fail device init if it does not support VERSION_1 (Jason)

Maxime Coquelin (3):
  vduse: validate block features only with block devices
  vduse: enable Virtio-net device type
  vduse: Temporarily disable control queue features

 drivers/vdpa/vdpa_user/vduse_dev.c | 51 +++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 4 deletions(-)

Michael S. Tsirkin Aug. 10, 2023, 7:04 p.m. UTC | #1

On Wed, Jul 05, 2023 at 12:04:27PM +0200, Maxime Coquelin wrote:
> This small series enables virtio-net device type in VDUSE.
> With it, basic operation have been tested, both with
> virtio-vdpa and vhost-vdpa using DPDK Vhost library series
> adding VDUSE support using split rings layout (merged in
> DPDK v23.07-rc1).
> 
> Control queue support (and so multiqueue) has also been
> tested, but requires a Kernel series from Jason Wang
> relaxing control queue polling [1] to function reliably,
> so while Jason rework is done, a patch is added to disable
> CVQ and features that depend on it (tested also with DPDK
> v23.07-rc1).


So I can put this in next, the issue I think is
that of security: currently selinux can if necessary block
access to creating virtio block devices.
But if we have more than one type we need a way for selinux to
block specific types. Can be a patch on top but pls work to
address.

Another question is that with this userspace can inject
packets directly into net stack. Should we check CAP_NET_ADMIN
or such?



> [1]: https://lore.kernel.org/lkml/CACGkMEtgrxN3PPwsDo4oOsnsSLJfEmBEZ0WvjGRr3whU+QasUg@mail.gmail.com/T/
> 
> v2 -> v3 changes:
> =================
> - Use allow list instead of deny list (Michael)
> 
> v1 -> v2 changes:
> =================
> - Add a patch to disable CVQ (Michael)
> 
> RFC -> v1 changes:
> ==================
> - Fail device init if it does not support VERSION_1 (Jason)
> 
> Maxime Coquelin (3):
>   vduse: validate block features only with block devices
>   vduse: enable Virtio-net device type
>   vduse: Temporarily disable control queue features
> 
>  drivers/vdpa/vdpa_user/vduse_dev.c | 51 +++++++++++++++++++++++++++---
>  1 file changed, 47 insertions(+), 4 deletions(-)
> 
> -- 
> 2.41.0

Jakub Kicinski Aug. 10, 2023, 9:29 p.m. UTC | #2

On Thu, 10 Aug 2023 15:04:27 -0400 Michael S. Tsirkin wrote:
> Another question is that with this userspace can inject
> packets directly into net stack. Should we check CAP_NET_ADMIN
> or such?

Directly into the stack? I thought VDUSE is vDPA in user space,
meaning to get to the kernel the packet has to first go thru 
a virtio-net instance.

Or you mean directly into the network?

Michael S. Tsirkin Aug. 10, 2023, 9:42 p.m. UTC | #3

On Thu, Aug 10, 2023 at 02:29:49PM -0700, Jakub Kicinski wrote:
> On Thu, 10 Aug 2023 15:04:27 -0400 Michael S. Tsirkin wrote:
> > Another question is that with this userspace can inject
> > packets directly into net stack. Should we check CAP_NET_ADMIN
> > or such?
> 
> Directly into the stack? I thought VDUSE is vDPA in user space,
> meaning to get to the kernel the packet has to first go thru 
> a virtio-net instance.

yes. is that a sufficient filter in your opinion?

> Or you mean directly into the network?

Jakub Kicinski Aug. 10, 2023, 10 p.m. UTC | #4

On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
> > Directly into the stack? I thought VDUSE is vDPA in user space,
> > meaning to get to the kernel the packet has to first go thru 
> > a virtio-net instance.  
> 
> yes. is that a sufficient filter in your opinion?

Yes, the ability to create the device feels stronger than CAP_NET_RAW,
and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
experience with virt so no strong opinion, perhaps it does make sense
for someone's deployment? Dunno..

Maxime Coquelin Aug. 29, 2023, 1:34 p.m. UTC | #5

On 8/11/23 00:00, Jakub Kicinski wrote:
> On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
>>> Directly into the stack? I thought VDUSE is vDPA in user space,
>>> meaning to get to the kernel the packet has to first go thru
>>> a virtio-net instance.
>>
>> yes. is that a sufficient filter in your opinion?
> 
> Yes, the ability to create the device feels stronger than CAP_NET_RAW,
> and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
> experience with virt so no strong opinion, perhaps it does make sense
> for someone's deployment? Dunno..
> 

I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE
devices, as the device could be attached to vhost-vDPA and so not
visible to the Kernel networking stack.

However, CAP_NET_ADMIN should be required to attach the VDUSE device to 
virtio-vdpa/virtio-net.

Does that make sense?

Maxime

Michael S. Tsirkin Aug. 29, 2023, 5:05 p.m. UTC | #6

On Tue, Aug 29, 2023 at 03:34:06PM +0200, Maxime Coquelin wrote:
> 
> 
> On 8/11/23 00:00, Jakub Kicinski wrote:
> > On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
> > > > Directly into the stack? I thought VDUSE is vDPA in user space,
> > > > meaning to get to the kernel the packet has to first go thru
> > > > a virtio-net instance.
> > > 
> > > yes. is that a sufficient filter in your opinion?
> > 
> > Yes, the ability to create the device feels stronger than CAP_NET_RAW,
> > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
> > experience with virt so no strong opinion, perhaps it does make sense
> > for someone's deployment? Dunno..
> > 
> 
> I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE
> devices, as the device could be attached to vhost-vDPA and so not
> visible to the Kernel networking stack.
> 
> However, CAP_NET_ADMIN should be required to attach the VDUSE device to
> virtio-vdpa/virtio-net.
> 
> Does that make sense?
> 
> Maxime

OK. How are we going to enforce it?
Also, we need a way for selinux to enable/disable some of these things
but not others.

Maxime Coquelin Aug. 30, 2023, 11:27 a.m. UTC | #7

On 8/29/23 19:05, Michael S. Tsirkin wrote:
> On Tue, Aug 29, 2023 at 03:34:06PM +0200, Maxime Coquelin wrote:
>>
>>
>> On 8/11/23 00:00, Jakub Kicinski wrote:
>>> On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
>>>>> Directly into the stack? I thought VDUSE is vDPA in user space,
>>>>> meaning to get to the kernel the packet has to first go thru
>>>>> a virtio-net instance.
>>>>
>>>> yes. is that a sufficient filter in your opinion?
>>>
>>> Yes, the ability to create the device feels stronger than CAP_NET_RAW,
>>> and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
>>> experience with virt so no strong opinion, perhaps it does make sense
>>> for someone's deployment? Dunno..
>>>
>>
>> I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE
>> devices, as the device could be attached to vhost-vDPA and so not
>> visible to the Kernel networking stack.
>>
>> However, CAP_NET_ADMIN should be required to attach the VDUSE device to
>> virtio-vdpa/virtio-net.
>>
>> Does that make sense?
>>
>> Maxime
> 
> OK. How are we going to enforce it?

Actually, it seems already enforced for all VDPA devices types.
Indeed, the VDPA_CMD_DEV_NEW Netlink command used to add the device to
the VDPA bus has the GENL_ADMIN_PERM flag set, and so require
CAT_NET_ADMIN.

> Also, we need a way for selinux to enable/disable some of these things
> but not others.

Ok, I can do it in a patch on top.
Do you have a pointer where it is done for Virtio Block devices?

Maxime

Michael S. Tsirkin Aug. 30, 2023, 1:30 p.m. UTC | #8

On Wed, Aug 30, 2023 at 01:27:18PM +0200, Maxime Coquelin wrote:
> 
> 
> On 8/29/23 19:05, Michael S. Tsirkin wrote:
> > On Tue, Aug 29, 2023 at 03:34:06PM +0200, Maxime Coquelin wrote:
> > > 
> > > 
> > > On 8/11/23 00:00, Jakub Kicinski wrote:
> > > > On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
> > > > > > Directly into the stack? I thought VDUSE is vDPA in user space,
> > > > > > meaning to get to the kernel the packet has to first go thru
> > > > > > a virtio-net instance.
> > > > > 
> > > > > yes. is that a sufficient filter in your opinion?
> > > > 
> > > > Yes, the ability to create the device feels stronger than CAP_NET_RAW,
> > > > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
> > > > experience with virt so no strong opinion, perhaps it does make sense
> > > > for someone's deployment? Dunno..
> > > > 
> > > 
> > > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE
> > > devices, as the device could be attached to vhost-vDPA and so not
> > > visible to the Kernel networking stack.
> > > 
> > > However, CAP_NET_ADMIN should be required to attach the VDUSE device to
> > > virtio-vdpa/virtio-net.
> > > 
> > > Does that make sense?
> > > 
> > > Maxime
> > 
> > OK. How are we going to enforce it?
> 
> Actually, it seems already enforced for all VDPA devices types.
> Indeed, the VDPA_CMD_DEV_NEW Netlink command used to add the device to
> the VDPA bus has the GENL_ADMIN_PERM flag set, and so require
> CAT_NET_ADMIN.

Hmm good point. Pity I didn't notice earlier. Oh well there's always
the next release.

> > Also, we need a way for selinux to enable/disable some of these things
> > but not others.
> 
> Ok, I can do it in a patch on top.
> Do you have a pointer where it is done for Virtio Block devices?
> 
> Maxime

It's not done yet - at the moment vduse device is always block so we
didn't need the distinction.

[v3,0/3] vduse: add support for networking devices

Message

Comments