Thread: 20 messages, 4 authors, 2015-01-06

Re: [PATCH net-next v3 0/5]: ixgbevf: Allow querying VFs RSS indirection table and key

From: Vlad Zolotarov <hidden>
Date: 2015-01-06 20:14:04

On 01/06/15 20:22, Greg Rose wrote:
> I accidentally replied just to Vlad - here is a reply to all.
>
> On Tue, Jan 6, 2015 at 9:30 AM, Vlad Zolotarov
> [off-list ref] wrote:
>> On 01/06/15 18:59, Greg Rose wrote:
>> [snip]
>>
>>> I don't have any examples and that is not my area of expertise.  But
>>> just because we can't think of a security risk or attack example
>>> doesn't mean there isn't one.
>>>
>>> Just add a policy hook so that the system admin can decide whether
>>> this information should be shared with the VFs and then we're covered
>>> for cases of both known and unknown exploits, risks, etc.
>>
>> I absolutely disagree with u in regard of defining an RSS redirection table
>> and RSS hash key as a security sensitive data. I don't know how u got to
>> this conclusion.
>
> I have not reached any such conclusion - let me reiterate:  I have no
> idea.  It is not my area of expertise.  However, to take the lowest
> risk route just add a policy hook so that a system admin can turn the
> feature on through the PF driver (which is acknowledged as secure) if
> they wish then there is no worry.

NP. Let's move on.

>> However I don't want to argue about it any longer. Let's move on.
>>
>> Let's clarify one thing about this "hook". Do u agree that it should cover
>> only the cases when VF shares the mentioned above data with PF - namely for
>> all devices but x550?
>
> Look at how spoof checking is turned off/on for each VF using the "ip
> link set" commands.  That's what I'm envisioning - some way to decide
> on a per VF basis which VFs should be allowed to perform the query.

I will but let's agree that x550 VFs should be out of this since their
RSS indirection table and Key belong to the specific domain and don't
impose any even theoretical threat.

thanks,
vlad

> Thanks,
>
> - Greg