[Openib-windows] post_send/post_recv return values

Fabian Tillier ftillier at silverstorm.com
Tue Mar 14 08:03:45 PST 2006


On 3/13/06, Yossi Leybovich <sleybo at mellanox.co.il> wrote:
>
>
> > -----Original Message-----
> > From: ftillier.sst at gmail.com [mailto:ftillier.sst at gmail.com]
> > On Behalf Of Fabian Tillier
> > Sent: Monday, March 13, 2006 10:48 PM
> > To: Tzachi Dar
> > Cc: Yossi Leybovich; openib-windows at openib.org; Ami Perlmutter
> > Subject: Re: [Openib-windows] post_send/post_recv return values
> >
> > On 3/13/06, Tzachi Dar <tzachid at mellanox.co.il> wrote:
> > >
> > > > If we transition some of these to assertions, we need to
> > > > make sure to have runtime checks in the proxy or we'll
> > > > have a security vulnerability.
> > >
> > > Please note that checking in the user mode is not enough.
> > > Even if we do perfect work there people can still change our
> > > code and attack the kernel. Therefore, the proxy must be
> > > secured in any case.
> >
> > That was exactly my point - if we take the checks out of the
> > HCA driver, they can't be eliminated - they have to be
> > relocated (to the proxy).  Currently, the proxy doesn't have
> > to check if a work request exceeds the limits of a QP (the
> > proxy doesn't have that information), so adding these checks
> > in the proxy would actually complicate things.
>
> I was talking about data path verbs which bypass the kernel; the code
> does not pass through the proxy at all.
> The HW is capable of handling any malformed WQE, so the user can hurt
> only himself.

Wrong: if the user-mode verb provider for an HCA is missing,
corrupted, or fails to load for some reason, the data paths go through
the kernel proxy.  Thus, the kernel proxy must handle these, or we
must remove that functionality.  I don't think removing the
functionality makes any sense, as it reduces the development costs for
HCA driver developers by letting them focus on a kernel driver without
losing support for user mode.

So in light of this, the HCA driver in kernel mode must do the checks,
or they must be moved into the proxy.  Like I said earlier, moving
them into the proxy isn't very clean, as the proxy doesn't have the
requisite information to perform the checks.

- Fab
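The check the thread is arguing about, as an added example that is not part of the message above and not code from the OpenIB Windows (IBAL) tree: a kernel-side runtime bounds check on a work request that arrives from user mode through the proxy path, written as a return code rather than an assertion so it survives a release build. The struct layouts (`qp_limits_t`, `user_wr_t`), the limit fields, the error codes and the function names are simplified assumptions for illustration, not the real verbs structures.

```c
/* Added example, not OpenIB Windows code.  A runtime check a kernel proxy or
 * HCA driver could apply to a user-supplied work request before it reaches
 * hardware.  All types, field names and limits below are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-QP limits the kernel must know to validate a WR.  The proxy
 * in the thread does not have these, which is the reason the checks are
 * hard to relocate there. */
typedef struct {
    uint32_t max_sq_wr;   /* max outstanding send work requests */
    uint32_t max_rq_wr;   /* max outstanding receive work requests */
    uint32_t max_sq_sge;  /* max data segments per send WR */
    uint32_t max_rq_sge;  /* max data segments per receive WR */
    uint32_t max_inline;  /* max inline bytes per send WR, 0 if unsupported */
    uint32_t sq_posted;   /* currently outstanding sends, tracked in kernel */
    uint32_t rq_posted;   /* currently outstanding receives */
} qp_limits_t;

/* Assumed shape of a WR after it has been copied out of user memory.
 * Every field is attacker-controlled and must be treated as such. */
typedef struct {
    uint32_t num_ds;      /* number of data segments (SGEs) */
    uint32_t inline_len;  /* bytes to send inline, 0 if not inline */
    uint32_t flags;       /* bit 0 set: inline send */
} user_wr_t;

enum { WR_OK = 0, WR_BAD_ARG, WR_BAD_SGE, WR_QUEUE_FULL, WR_BAD_INLINE };
#define WR_FLAG_INLINE 0x1u

/* Validate one send WR against the QP limits.  Returns WR_OK or an error
 * code; it never asserts, so the check is present in release builds. */
int check_send_wr(const qp_limits_t *qp, const user_wr_t *wr)
{
    if (qp == NULL || wr == NULL) return WR_BAD_ARG;
    if (wr->num_ds > qp->max_sq_sge) return WR_BAD_SGE;
    if (qp->sq_posted >= qp->max_sq_wr) return WR_QUEUE_FULL;
    if (wr->flags & WR_FLAG_INLINE) {
        if (wr->inline_len > qp->max_inline) return WR_BAD_INLINE;
    } else if (wr->inline_len != 0) {
        return WR_BAD_ARG;  /* inline length without the inline flag */
    }
    return WR_OK;
}

/* Receive WRs have their own SGE limit and never carry inline data. */
int check_recv_wr(const qp_limits_t *qp, const user_wr_t *wr)
{
    if (qp == NULL || wr == NULL) return WR_BAD_ARG;
    if (wr->num_ds > qp->max_rq_sge) return WR_BAD_SGE;
    if (qp->rq_posted >= qp->max_rq_wr) return WR_QUEUE_FULL;
    if ((wr->flags & WR_FLAG_INLINE) || wr->inline_len != 0) return WR_BAD_ARG;
    return WR_OK;
}

/* Post a list of send WRs.  Stops at the first one that fails and reports
 * its index, so the caller knows which WRs were accepted; WRs before the
 * failing one are counted as posted. */
int post_send_list(qp_limits_t *qp, const user_wr_t *wrs, size_t n,
                   size_t *failed_idx)
{
    if (qp == NULL || (wrs == NULL && n != 0)) return WR_BAD_ARG;
    for (size_t i = 0; i < n; i++) {
        int rc = check_send_wr(qp, &wrs[i]);
        if (rc != WR_OK) {
            if (failed_idx) *failed_idx = i;
            return rc;
        }
        qp->sq_posted++;
    }
    return WR_OK;
}

int main(void)
{
    /* Constructed sample: a QP allowing 4 SGEs per send and one oversized WR. */
    qp_limits_t qp = { .max_sq_wr = 16, .max_rq_wr = 16, .max_sq_sge = 4,
                       .max_rq_sge = 2, .max_inline = 64 };
    user_wr_t wrs[3] = { { 2, 0, 0 }, { 4, 32, WR_FLAG_INLINE }, { 5, 0, 0 } };
    size_t failed = 0;
    int rc = post_send_list(&qp, wrs, 3, &failed);
    printf("rc=%d failed_idx=%zu sq_posted=%u\n", rc, failed, qp.sq_posted);
    return 0;
}
```

The point of writing the check this way rather than as an `assert` is the one made in the thread: an assertion is compiled out of a release driver, while a user-mode caller whose verb provider has fallen back to the kernel proxy can still hand the kernel an arbitrary `num_ds`, so the rejection has to be an ordinary code path that runs in every build.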
