Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp4195966rwl; Mon, 10 Apr 2023 07:32:42 -0700 (PDT) X-Google-Smtp-Source: AKy350YopCrYI9d8pN003iNRdNW7D5ikrZrGe4SzAgTHn6P7wBgnSU8SxRXGptG8sBwNAgmIO3r4 X-Received: by 2002:a05:6a20:be0a:b0:cc:d514:62cf with SMTP id ge10-20020a056a20be0a00b000ccd51462cfmr6566420pzb.43.1681137162541; Mon, 10 Apr 2023 07:32:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681137162; cv=none; d=google.com; s=arc-20160816; b=RHPjvkHdocb/0q03Wrlcv8zcplujKa+iuPD2K260tHVsfvqC3MdnRYGag0wzf45VAy 7yz1aZsxqZlnZ7ZRhvthRVFe/2YcxtPXxrX43brIOqwvyfrxzZL9aZxamjq/FOdOKKCB cwj+llj/oh1vtYLh4d+Uj4FfnI9R0JLymQxOT8KL3W/uhTZRYGV6exeElgX4adnmh6rz Ms/FlFUg6gPc94DRtODQaIuYcu/haq1jWylYdfBYCe3VgCeSzd9EUD+tF3314EcfN4AO L9pgILkXlKgRGpw23e2egALnk7vYYRk3SV9wR0fKMsEVFBCH/LRyVkoGCF/iwkYNnui1 it8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=FkyKuxb09vkmX7xWkn+1KsvDwl3qMB74hdCIDKbQ03o=; b=l0enL/DZYcEVBuAKYVqQS7dJxMPS49lnLriDL5ECssP/vIpuGXXmZWbuGVz4Y8yCz3 0ZxhATz4RqBfrHw2PfdWfkJKGs0voFZGK9w8rhjDXbW59AUuwh5LGd5p07F+32xF/K0D l9QReIs0gkvQcLlbPqcWwkxSCAkBZJD7ePUA7ijJur4ZG5cwuoQZj9XFPtZjkA2OD6/8 T07wQjrdsW3pxkStX5f1ykLfqreeABtXvo5ZsxS5ubctCZfP73dJCwuV/CWkSKwajXhd RgNc5lVTxjiR9TaunGrIjq5RiP8WCzrlDGoOkq6eW7yFXKgrJUK1CfdyBeeIjv9ME8rW gbtw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f16-20020a63f110000000b0050f77f03312si6179805pgi.853.2023.04.10.07.32.30; Mon, 10 Apr 2023 07:32:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229724AbjDJOa4 (ORCPT + 99 others); Mon, 10 Apr 2023 10:30:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229503AbjDJOay (ORCPT ); Mon, 10 Apr 2023 10:30:54 -0400 Received: from out30-131.freemail.mail.aliyun.com (out30-131.freemail.mail.aliyun.com [115.124.30.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6448D4C3C; Mon, 10 Apr 2023 07:30:50 -0700 (PDT) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R731e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046060;MF=guwen@linux.alibaba.com;NM=1;PH=DS;RN=12;SR=0;TI=SMTPD_---0VfoSju._1681137045; Received: from 30.221.131.183(mailfrom:guwen@linux.alibaba.com fp:SMTPD_---0VfoSju._1681137045) by smtp.aliyun-inc.com; Mon, 10 Apr 2023 22:30:46 +0800 Message-ID: <9f7eeb63-52a0-f83a-2e03-cf97ee419573@linux.alibaba.com> Date: Mon, 10 Apr 2023 22:30:45 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [RFC PATCH net-next v4 0/9] net/smc: Introduce SMC-D-based OS internal communication acceleration To: Niklas Schnelle , kgraul@linux.ibm.com, wenjia@linux.ibm.com, jaka@linux.ibm.com, wintera@linux.ibm.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: linux-s390@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <1679887699-54797-1-git-send-email-guwen@linux.alibaba.com> <6156aaad710bc7350cbae6cb821289c8a37f44bb.camel@linux.ibm.com> From: Wen Gu In-Reply-To: <6156aaad710bc7350cbae6cb821289c8a37f44bb.camel@linux.ibm.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-11.2 required=5.0 tests=ENV_AND_HDR_SPF_MATCH, NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Niklas, On 2023/4/6 01:04, Niklas Schnelle wrote: > > Let me just spell out some details here to make sure we're all on the > same page. > > You're assuming that GIDs are generated randomly at cryptographic > quality. In the code I can see that you use get_random_bytes() which as > its comment explains supplies the same quality randomness as > /dev/urandom so on modern kernels that should provide cryptographic > quality randomness and be fine. Might be something to keep in mind for > backports though. > > The fixed CHID of 0xFFFF makes sure this system identity confusion can > only occur between SMC-D loopback (and possibly virtio-ism?) never with > ISM based SMC-D or SMC-R as these never use this CHID value. Correct? Yes, CHID of 0xFFFF used for SMC-D loopback ensures the GID collision won't involve ISM based SMC-D or SMC-R. > > Now for the collision scenario above. As I understand it the > probability of the case where fallback does *not* occur is equivalent > to a 128 bit hash collision. Basically the random 64 bit GID_A > concatenated with the 64 bit DMB Token_A needs to just happen to match > the concatenation of the random 64 bit GID_B with DMB Token_B. Yes, almost like this. A very little correction: Token_A happens to match a DMB token in B's kernel (not necessary Token_B) and Token_B happens to match a DMB token in A's kernel (not necessary Token_A). With > that interpretation we can consult Wikipedia[0] for a nice table of how > many random GID+DMB Token choices are needed for a certain collision > probability. For 128 bits at least 8.2×10^11 tries would be needed just > to reach a 10^-15 collision probability. Considering the collision does > not only need to exist between two systems but these also need to try > to communicate with each other and happen to use the colliding DMBs for > things to get into the broken fallback case I think from a theoretical > point of view this sounds like neglible risk to me. > Thanks for the reference data. > That said I'm more worried about the fallback to TCP being broken due > to a code bug once the GIDs do match which is already extremely > unlikely and thus not naturally tested in the wild. Do we have a plan > how to keep testing that fallback scenario somehow. Maybe with a > selftest or something? > IIUC, you are worried about the code implementation of fallback when GID collides but DMB token check works? If so, I think we can provide a way to set loopback device's GID manually, so that we can inject GID collision fault to test the code. > If we can solve the testing part then I'm personally in favor of this > approach of going with cryptograhically random GID and DMB token. It's > simple and doesn't depend on external factors and doesn't need a > protocol extension except for possibly reserving CHID 0xFFFF. > > One more question though, what about the SEID why does that have to be > fixed and at least partially match what ISM devices use? I think I'm > missing some SMC protocol/design detail here. I'm guessing this would > require a protocol change? SEID related topic will be replied in the next e-mail. > > Thanks, > Niklas > > [0] https://en.wikipedia.org/wiki/Birthday_attack > Thanks! Wen Gu