Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp1079702rdg; Wed, 11 Oct 2023 13:56:36 -0700 (PDT) X-Google-Smtp-Source: AGHT+IH0PP8HBUNeK2g7BG6GcqepfQJSzlCYNhBnbhpM/cI94/aBYyiXucsiS8Vwud7ZY+gJavFO X-Received: by 2002:a05:6a00:ccd:b0:68b:e29c:b61 with SMTP id b13-20020a056a000ccd00b0068be29c0b61mr23504621pfv.19.1697057795484; Wed, 11 Oct 2023 13:56:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697057795; cv=none; d=google.com; s=arc-20160816; b=laX6SICEark4sA7/n2u4OAEcZ9nQmX9DixtkqJf+E22OlMM9SNEa/0jXo5Mpb8vpeI oaSHXSyHnvFNDIUhuLW7MExeA8IrorE8iV3euTrZNT72dwZ2E0dtPcWu53zvMdawlWSN PJiGRMm5ixU3S6I535v/hCFwCzwVfjx9hQWo8eCmRlAS5YhuX4pK83QpXOxRFRzrnFlc Qi5YV/ZlxSv4S6Iy121qzhzpFn+nRdcp2zBtWccZGMpteJp/LeSjnTKNL3PfJCPiR60A m1q3d/DDSbdQaPy0xEJwNmrmyc4nONbvBXi3Ie73PebqtrP0bt+fFBZcus64AdoTVXb/ 5Edg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=BX6QJk5MeZehdBPlGP/LwvJWXrWiUnxsCNKMfaltXyE=; fh=yV6rIVfQow7pM/9ws6cZIzvdpAUiZTUQpKkgwKkoKqw=; b=Z19LUMvv9dfDLVwbBI1Z66oW7bKfyy1eXNIxIristmxK2ezWmp2ubmv7pLYa7+MPIi 1z9Pxqwd0ShJf2Srk1bmqnYdPzm1Y1xa1ns/Q+D5o/wADeYA9IYf3RFvugCgQ6BgAU6t QaQLz53n+gTlm3Z4SI2rM3lPA2ZHELNH6VEN8pNZTEGUq7/bWZN3R7E3Nv6qwa6khLFX Wu5LeGVSLSNAftggVuR/Lt7XpnGQI7eLQfJTUTPa6Dy/jjQ+6mJq/s02Ng09BkIZhLnl sPkKlwVZynplhDFU9i8fHwfBmDWLk+/8Ek2Xeo1p4SRL54VWdWCaEnOIbCfJV6EavyXi qL7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=DNk4zAVc; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id d185-20020a6336c2000000b0057e0c5a34f2si580265pga.631.2023.10.11.13.56.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Oct 2023 13:56:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=DNk4zAVc; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 03FA0802D511; Wed, 11 Oct 2023 13:56:22 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233369AbjJKU4K (ORCPT + 99 others); Wed, 11 Oct 2023 16:56:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38182 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231226AbjJKU4J (ORCPT ); Wed, 11 Oct 2023 16:56:09 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31E4D90; Wed, 11 Oct 2023 13:56:08 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30AE2C433C7; Wed, 11 Oct 2023 20:56:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1697057767; bh=QzNo7KGA7wDrWljwqf1UihreSsQi8vsYIXDzHfhUKmU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DNk4zAVc9ARRGwKGPbYQ39VlzTaZRFrNjryjUlzVOL21RrmVfeuOL6QC7ZFrXU+hJ Lrv7QOzt6CK88lxkd2Ge47R3WjlU7QSTml6/KhPPX2CLCj6UJ7vKKoPEi/1GkgAtER 5E7+8dOUqlZyQvXWtDsrGXmrOnkaDXNVGjcdutHk= Date: Wed, 11 Oct 2023 22:56:05 +0200 From: Greg Kroah-Hartman To: Petre Eftime Cc: Arnd Bergmann , Alexander Graf , linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Herbert Xu , Olivia Mackall , Erdem Meydanlli , Benjamin Herrenschmidt , David Woodhouse , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , Kyunghwan Kwon Subject: Re: [PATCH v4 1/2] Import CBOR library Message-ID: <2023101149-cyclic-backless-640d@gregkh> References: <20231009212053.2007-1-graf@amazon.com> <20231009212053.2007-2-graf@amazon.com> <2023101010-overwrite-parakeet-91d5@gregkh> <0ee221bc-ea99-4724-9ebd-436e91417e4b@amazon.com> <2023101009-accustom-manifesto-8bdb@gregkh> <2023101001-ocelot-veteran-10db@gregkh> <2339287b-8b17-413b-aa86-f618ea7fc3fa@app.fastmail.com> <2023101156-helper-waving-09df@gregkh> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Wed, 11 Oct 2023 13:56:22 -0700 (PDT) On Wed, Oct 11, 2023 at 11:48:43PM +0300, Petre Eftime wrote: > On Wed, Oct 11, 2023 at 8:46 PM Greg Kroah-Hartman > wrote: > > > > On Wed, Oct 11, 2023 at 02:24:48PM +0200, Arnd Bergmann wrote: > > > On Tue, Oct 10, 2023, at 10:27, Greg Kroah-Hartman wrote: > > > > On Tue, Oct 10, 2023 at 10:08:43AM +0200, Alexander Graf wrote: > > > >> On 10.10.23 10:03, Greg Kroah-Hartman wrote: > > > >> > > > >> > > Out of these, the NSM communication protocol uses all except Semantic tags > > > >> > > and Floats. The CBOR library that this patch imports does not have special > > > >> > > handling for Semantic tags, which leaves only floats which are already > > > >> > > #ifdef'ed out. That means there is not much to trim. > > > >> > > > > > >> > > What you see here is what's needed to parse CBOR in kernel - if that's what > > > >> > > we want to do. I'm happy to rip it out again and make it a pure user space > > > >> > > problem to do CBOR :). > > > >> > Yes, why are we parsing this in the kernel? What could go wrong with > > > >> > adding yet-another-parser in privileged context? :) > > > >> > > > > >> > Why does this have to be in the kernel, the data sent/recieved is over > > > >> > virtio, so why does the kernel have to parse it? I couldn't figure that > > > >> > out from the driver, yet the driver seems to have a lot of hard-coded > > > >> > parsing logic in it to assume specific message formats? > > > >> > > > >> > > > >> The parsing doesn't have to be in kernel and it probably shouldn't be > > > >> either. V3 of the patch was punting all the parsing to user space, at which > > > >> point you and Arnd said I should give it a try to do the protocol parsing in > > > >> kernel space instead. That's why the parser is here. > > > > > > > > Arnd said that, not me :) > > > > > > > >> If we conclude that all this in-kernel parsing is not worth it, I'm very > > > >> happy to just go back to the the v3 ioctl interface and post v5 with hwrng > > > >> merged into misc, but remove all CBOR logic again :) > > > > > > > > I think the less parsers we have in the kernel, the safer we are for > > > > obvious reasons. Unless you have a parser for this in rust? :) > > > > > > > > I don't really know, having a generic interface is good, but at the > > > > expense of this api is probably not good. individual ioctls might be > > > > better if there are not going to be any other drivers for this type of > > > > thing? > > > > > > I was definitely expecting something simpler than what was possible > > > in the v4 patch. I had another look now, and it's clear that the > > > ioctl interface is still not great because the variable data structures > > > shine through for some of the calls, and even to get to this point, > > > a whole lot of complexity is required underneath. > > > > > > To get anything better, one would probably have to redesign the entire > > > interface stack (hypervisor, kernel and userland) to use regular > > > fixed data structures, and this seems unlikely to happen. > > > > Why not fix this and do it properly? What's preventing that from > > happening? We don't want to create an interface here that is broken, or > > insecure, or a pain to maintain, right? > > > > thanks, > > > > greg k-h > > I would think the proposal to have fixed structures would be a > downgrade in terms of maintainability, usability and security, not an > improvement. > > This current interface allows the hypervisor to extend the existing > functionality at any time, and the Linux kernel does not have to > change anything for that to work, the application does not have to be > recompiled to use the new kernel headers at any point. Adding new > APIs, adding new fields to API responses, or adding optional > parameters to the API is fully backwards compatible, would also not > require changes in userspace, as the CBOR data structures that are not > recognized can simply be skipped. This allows easy backwards > compatibility in most cases, and the userspace would be able to opt in > to new features only if it requires them, without forcing the upgrade > if it's not required. > > With fixed structures, then the driver would need to be more > explicitly versioned and would need to be able to handle multiple > versions of the API at the same time, which is both more complex, less > flexible and more prone to errors. Yes, but you are trading off the complexity of adding yet-another-protocol-parser to the kernel vs. making a strict user/kernel api, right? Which one is correct? Can you verify that this parser really is correct and doesn't have any overflows/security issues in it? I can't, maybe someone needs to write it in rust :) thanks, greg k-h