Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5158905pxj; Wed, 9 Jun 2021 10:27:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwNgNImn9GvbSVA26rC06lnSgCDmDVXEnvzLsG82TeGPLQ2XwVTvqx1QWxa9JU5Vsq03iGf X-Received: by 2002:a17:906:3ed0:: with SMTP id d16mr924270ejj.16.1623259622854; Wed, 09 Jun 2021 10:27:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623259622; cv=none; d=google.com; s=arc-20160816; b=bOOAi3gIIM70axyqNHk3drlqwUpzR2YyBR326YjgqaOxhXq2ghNcjTRtUIz73HCMAl Z3eEi4rmFTBghl29MoyWjp2t077CbxVFMFJI9MSePG0YFGMB8Il3bsMrWBuDwjV+I4/x bnDXm6uIkRo/F6sxdyqnniD3epHNNFHvMlp9NUE17MbSJTxdKdPF1ivqHk2KzNF9eX9L 6CPNU2xXTTa/F6LUzsf/w6yhLoVler8Dnl95qHWcnbki+p77aPX86Nb2Rd0d5yYP2L1M wCeem0zv/i9hioEaEIIkbNyT5qGbFGxBwXmg6SF5UMR5gSBVR+raLXLYE0nUm08tLySK QD9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=keWtvhBUNGVdjKhCRHxbjlBjyc/8nGcwTmRJeLTfdCY=; b=GEZSaLcN1sz4S5eXc/0JOhPDpApynTz+cAbqfCick74NFVoQZMAOlHWVuTlql3MtK/ 3IuakxUnnnT6LgFJNnL0izDsCPeOaOoNFPKT04dDw3mlKkAVeLIuYcV/19n18Xfk8t7A WBSF4BWSgSGj3UI+M4faA9+c65BfeoPKrkBkQrZQys53w1ulubCeDVvC1F29ug8jH409 ZJxM3dKvgVmgTXL7FDdo4TOfwxO3T07rC8SPF0uOg4d/flhwBuofc/jBctFqa/BYtXcX CpZNqMxKo+JCpiSTweZEXgn9g2ZMYTGsme/xczU49O8sH2OCf/WFZ6ROCSypicBFbtsG Ay2g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d23si258530ejz.732.2021.06.09.10.26.36; Wed, 09 Jun 2021 10:27:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233098AbhFIMcR (ORCPT + 99 others); Wed, 9 Jun 2021 08:32:17 -0400 Received: from szxga03-in.huawei.com ([45.249.212.189]:5357 "EHLO szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232910AbhFIMcQ (ORCPT ); Wed, 9 Jun 2021 08:32:16 -0400 Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.57]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4G0RDK6GF0z6tkR; Wed, 9 Jun 2021 20:26:25 +0800 (CST) Received: from dggpemm500005.china.huawei.com (7.185.36.74) by dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Wed, 9 Jun 2021 20:30:17 +0800 Received: from [127.0.0.1] (10.69.30.204) by dggpemm500005.china.huawei.com (7.185.36.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2176.2; Wed, 9 Jun 2021 20:30:17 +0800 Subject: Re: [RFC net-next 0/8] Introducing subdev bus and devlink extension To: Parav Pandit , Jakub Kicinski CC: moyufeng , Jakub Kicinski , Jiri Pirko , Or Gerlitz , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "michal.lkml@markovi.net" , "davem@davemloft.net" , "gregkh@linuxfoundation.org" , Jiri Pirko , Salil Mehta , "lipeng (Y)" , Guangbin Huang , "shenjian15@huawei.com" , "chenhao (DY)" , Jiaran Zhang , "linuxarm@openeuler.org" References: <1551418672-12822-1-git-send-email-parav@mellanox.com> <20210602093440.15dc5713@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net> <857e7a19-1559-b929-fd15-05e8f38e9d45@huawei.com> <20210603105311.27bb0c4d@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net> <20210604114109.3a7ada85@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net> <4e7a41ed-3f4d-d55d-8302-df3bc42dedd4@huawei.com> <20210607124643.1bb1c6a1@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net> <530ff54c-3cee-0eb6-30b0-b607826f68cf@huawei.com> <20210608102945.3edff79a@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net> <2acd8373-b3dc-4920-1cbe-2b5ae29acb5b@huawei.com> From: Yunsheng Lin Message-ID: Date: Wed, 9 Jun 2021 20:30:14 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit X-Originating-IP: [10.69.30.204] X-ClientProxiedBy: dggeme720-chm.china.huawei.com (10.1.199.116) To dggpemm500005.china.huawei.com (7.185.36.74) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021/6/9 19:59, Parav Pandit wrote: >> From: Yunsheng Lin >> Sent: Wednesday, June 9, 2021 4:35 PM >> >> On 2021/6/9 17:38, Parav Pandit wrote: >>> >>>> From: Yunsheng Lin >>>> Sent: Wednesday, June 9, 2021 2:46 PM >>>> >>> [..] >>> >>>>>> Is there any reason why VF use its own devlink instance? >>>>> >>>>> Primary use case for VFs is virtual environments where guest isn't >>>>> trusted, so tying the VF to the main devlink instance, over which >>>>> guest should have no control is counter productive. >>>> >>>> The security is mainly about VF using in container case, right? >>>> Because VF using in VM, it is different host, it means a different >>>> devlink instance for VF, so there is no security issue for VF using in VM >> case? >>>> But it might not be the case for VF using in container? >>> Devlink instance has net namespace attached to it controlled using devlink >> reload command. >>> So a VF devlink instance can be assigned to a container/process running in a >> specific net namespace. >>> >>> $ ip netns add n1 >>> $ devlink dev reload pci/0000:06:00.4 netns n1 >>> ^^^^^^^^^^^^^ >>> PCI VF/PF/SF. >> >> Could we create another devlink instance when the net namespace of >> devlink port instance is changed? > Net namespace of (a) netdevice (b) rdma device (c) devlink instance can be changed. > Net namespace of devlink port cannot be changed. Yes, net namespace is changed based on the devlink instance, not devlink port instance, *right now*. > >> It may seems we need to change the net >> namespace based on devlink port instance instead of devlink instance. >> This way container case seems be similiar to the VM case? > I mostly do not understand the topology you have in mind or if you explained previously I missed the thread. > In your case what is the flavour of a devlink port? flavour of the devlink port instance is FLAVOUR_PHYSICAL or FLAVOUR_VIRTUAL. The reason I suggest to change the net namespace on devlink port instance instead of devlink instance is: I proposed that all the PF and VF in the same ASIC are registered to the same devlink instance as flavour FLAVOUR_PHYSICAL or FLAVOUR_VIRTUAL when there are in the same host and in the same net namespace. If a VF's devlink port instance is unregistered from old devlink instance in the old net namespace and registered to new devlink instance in the new net namespace(create a new devlink instance if needed) when devlink port instance's net namespace is changed, then the security mentioned by jakub is not a issue any more? > >> >>> >>>> Also, there is a "switch_id" concept from jiri's example, which seems >>>> to be not implemented yet? >>> >>> switch_id is present for switch ports in [1] and documented in [2]. >>> >>> [1] /sys/class/net/representor_netdev/phys_switch_id. >>> [2] >> https://www.kernel.org/doc/Documentation/networking/switchdev.txt " >> Switch ID" >> >> Thanks for info. >> I suppose we could use "switch_id" to indentify a eswitch since "switch_id is >> present for switch ports"? >> Where does the "switch_id" of switch port come from? Is it from FW? >> Or the driver generated it? >> >> Is there any rule for "switch_id"? Or is it vendor specific? >> >>> > It should be unique enough, usually generated out of board serial id or other fields such as vendor OUI that makes it fairly unique. > >