[ofw] NetworkDirect API: Loading of "NDv2 Provider for Mellanox WinOF-2" requires admin privileges

Schmitt, Hubert Hubert.Schmitt at oce.com
Thu Sep 6 06:51:12 PDT 2018


Hi Rani,

Sounds very promising to me.

Perhaps the predefined template SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R might be a good choice, as described in
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/sddl-for-device-objects(?).

If possible, I would willingly try a test version in advance. Or will I have to wait for an upcoming official release?

Thanks and Regards,
Hubert

BTW: Next I'm about to upgrade my system to the latest WinOF-2 2.0 + firmware 12_23_1020 to see if anything will change.

This message and attachment(s) are intended solely for use by the addressee and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient or agent thereof responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by telephone or with a 'reply' message and delete the message and its attachment(s), if any, from your system(s). Thank you for your co-operation.



From: Rani Sharoni [mailto:ranish at mellanox.com]
Sent: Thursday, 6 September 2018 09:05
To: Tziporet Koren; Hefty, Sean; Schmitt, Hubert; ofw at lists.openfabrics.org; Eilon Greenstein
Subject: Re: [ofw] NetworkDirect API: Loading of "NDv2 Provider for Mellanox WinOF-2" requires admin privileges


Hi,



The WinOF-2 CX4 driver is an NDIS miniport driver, hence it uses NdisRegisterDeviceEx to register the underlying device.

We are using DefaultSDDLString == NULL, which seems to restrict the device access to admin only.

WinOF-1 CX3 has a dedicated WDF filter driver that seems to have no such restriction.
OTOH, we have not yet had such an ask, hence we never actually noticed it.

I think that Linux also allows non-admins to access IB-verbs, and therefore we should relax the device (maybe with a configuration that allows security hardening).

Thanks,
Rani
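Added example, not code from this thread or from the WinOF driver: a small parser that decodes the device-object SDDL template proposed above (its expansion as documented for wdmsec.h is embedded as a constant) and reports which generic rights each SID alias receives, so a driver author can check that replacing the admin-only DefaultSDDLString == NULL default with this template grants Everyone read access only while write/execute stay with SYSTEM and Administrators. The function names and the WorldWritable check are my own.

```cpp
#include <string>
#include <vector>

// One access-allowed ACE decoded from a device-object SDDL string.
struct DeviceAce {
    std::string sid;     // SDDL alias: SY=SYSTEM, BA=Administrators, WD=Everyone, RC=Restricted code
    std::string rights;  // concatenated generic-rights letters, e.g. "GRGWGX"
};

// Parses the DACL of an SDDL string shaped like the SDDL_DEVOBJ_* templates,
// "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)...". Only access-allowed ("A") ACEs are
// accepted; a deny ACE, a malformed ACE or a missing DACL yields an empty list.
std::vector<DeviceAce> ParseDeviceSddl(const std::string& sddl) {
    std::vector<DeviceAce> aces;
    std::string::size_type pos = sddl.find("D:");
    if (pos == std::string::npos) return aces;
    pos += 2;
    if (pos < sddl.size() && sddl[pos] == 'P') ++pos;  // 'P': protected DACL, no inheritance
    while (pos < sddl.size() && sddl[pos] == '(') {
        std::string::size_type end = sddl.find(')', pos);
        if (end == std::string::npos) return {};
        // ACE fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        std::vector<std::string> field;
        std::string cur;
        for (char c : sddl.substr(pos + 1, end - pos - 1)) {
            if (c == ';') { field.push_back(cur); cur.clear(); } else cur += c;
        }
        field.push_back(cur);
        if (field.size() != 6 || field[0] != "A") return {};
        aces.push_back({field[5], field[2]});
        pos = end + 1;
    }
    return aces;
}

// Generic rights granted to one SID alias by the DACL ("" if it is not listed).
std::string RightsFor(const std::vector<DeviceAce>& aces, const std::string& sid) {
    std::string rights;
    for (const DeviceAce& a : aces) if (a.sid == sid) rights += a.rights;
    return rights;
}
// True when the DACL lets Everyone (WD) write to or fully control the device,
// i.e. the SDDL is more permissive than "world read-only".
bool WorldWritable(const std::vector<DeviceAce>& aces) {
    std::string r = RightsFor(aces, "WD");
    return r.find("GW") != std::string::npos || r.find("GA") != std::string::npos;
}
// Expansion of SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R as documented for wdmsec.h.
const std::string kSysAllAdmRwxWorldRResR = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)";
```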
________________________________
From: Tziporet Koren
Sent: Tuesday, September 4, 2018 7:52 PM
To: Hefty, Sean; Schmitt, Hubert; ofw at lists.openfabrics.org; Eilon Greenstein
Subject: Re: [ofw] NetworkDirect API: Loading of "NDv2 Provider for Mellanox WinOF-2" requires admin privileges

Sean

Thanks for answering.
Eilon can you look into this?



Tziporet Koren
VP of SW
Mellanox Technologies Ltd.
Mobile: +972-54-4689426


-------- Original message --------
From: "Hefty, Sean" <sean.hefty at intel.com>
Date: 04/09/2018 7:33 pm (GMT+02:00)
To: "Schmitt, Hubert" <Hubert.Schmitt at oce.com>, ofw at lists.openfabrics.org
Subject: Re: [ofw] NetworkDirect API: Loading of "NDv2 Provider for Mellanox WinOF-2" requires admin privileges

I didn't realize this mailing list was still active.  For most Windows questions, you will need to contact the vendor directly.  AFAIK, the Windows OFED development hasn't been active in years, and went away once Microsoft created NetworkDirect.

- Sean


> Hello all,
>
> I have an issue in my NetworkDirect RDMA application when loading the
> Mellanox NDv2 provider. It seems as if the newer WinOF-2 driver for
> ConnectX-4 IB HCAs (mlx5nd.dll) requires that the connecting process
> has administrator privileges.
>
> Because when running my application with normal user privileges, I get
> an error 0x80070005 (Access denied), whereas this has never been an
> issue with the older WinOF driver for ConnectX-3 HCAs (mlx4nd.dll).
>
> Here is the failing code sequence from my ndhelper.cpp:
>
> #include <winsock2.h>
> #include <windows.h>
> #include <ndsupport.h>   // IND2Provider, IID_IND2Provider, ::GetProviderPath()
>
> // Exported entry points of the ND provider DLL (same signatures as
> // LPFNGETCLASSOBJECT / LPFNCANUNLOADNOW from objbase.h).
> typedef HRESULT (WINAPI* DLLGETCLASSOBJECT)( REFCLSID, REFIID, LPVOID* );
> typedef HRESULT (WINAPI* DLLCANUNLOADNOW)( void );
>
> static HMODULE       g_hProvider  = NULL;
> static IND2Provider* g_pIProvider = NULL;
>
> static HRESULT LoadProvider( __in WSAPROTOCOL_INFOW* pProtocol ) {
>     // Resolves to %SystemRoot%\System32\mlx5nd.dll for the WinOF-2 provider.
>     WCHAR* pPath = ::GetProviderPath( pProtocol );
>     if (pPath == NULL) {
>         return HRESULT_FROM_WIN32( ::GetLastError() );
>     }
>     g_hProvider = ::LoadLibraryW( pPath );
>     ::HeapFree( ::GetProcessHeap(), 0, pPath );
>     if (g_hProvider == NULL) {
>         return HRESULT_FROM_WIN32( ::GetLastError() );
>     }
>
>     DLLGETCLASSOBJECT pfnDllGetClassObject = reinterpret_cast<DLLGETCLASSOBJECT>(
>         ::GetProcAddress( g_hProvider, "DllGetClassObject" )
>     );
>     DLLCANUNLOADNOW pfnDllCanUnloadNow = reinterpret_cast<DLLCANUNLOADNOW>(
>         ::GetProcAddress( g_hProvider, "DllCanUnloadNow" )
>     );
>     if (pfnDllGetClassObject == NULL || pfnDllCanUnloadNow == NULL) {
>         return E_FAIL;   // the DLL does not export the COM entry points of an ND provider
>     }
>
>     IClassFactory* pClassFactory = NULL;
>     HRESULT hr = pfnDllGetClassObject(
>         pProtocol->ProviderId,
>         IID_IClassFactory,
>         reinterpret_cast<void**>(&pClassFactory)
>     );
>     if (FAILED(hr)) {
>         return hr;
>     }
>
>     if (g_pIProvider == NULL) {
>         hr = pClassFactory->CreateInstance(
>             NULL,
>             IID_IND2Provider,
>             reinterpret_cast<void**>(&g_pIProvider)
>         );
>         if (FAILED(hr)) {
>             // Without having admin rights, always ending up here (hr == 0x80070005)!
>             TRACE("ClassFactory->CreateInstance(IID_IND2Provider) failed with error 0x%08X", hr);
>             g_pIProvider = NULL;
>         }
>     }
>     pClassFactory->Release();
>     return hr;
> }
>
>
>
> Unfortunately, just giving my process admin privileges is not an
> option for me. So I would appreciate if someone has an idea how to
> overcome this issue.
> Perhaps some tuning of security configuration via dcomcnfg or the
> like(?)
>
> BTW: The Mellanox-provided tools nd_read_bw.exe and nd_write_bw.exe
> have the same behavior:
>
> *     Those from WinOF driver 5.35 on ConnectX-3 FDR HCA can run WITH
> or WITHOUT admin privileges.
> *     Those from WinOF-2 driver 1.80 on ConnectX-4 EDR HCA can run
> only WITH admin privileges.
>
> My system configuration:
>
> *     HPE DL380Gen10
> *     ConnectX-4 EDR Infiniband HCA (HPEIB EDR/EN 100Gb 2P 840QSFP28)
> *     Windows Server 2012 R2
> *     Mellanox WinOF-2 version 1.80
>
> Thanks and Regards,
> Hubert
>
>
>

_______________________________________________
ofw mailing list
ofw at lists.openfabrics.org