On Mon, Jun 12, 2017 at 7:17 PM, Jason Gunthorpe <jguntho...@obsidianresearch.com> wrote: > On Sat, Jun 10, 2017 at 02:11:13PM +0000, Majd Dibbiny wrote: > >> >> This is especially true for mlx nics as there are many raw packet >> >> bypass mechanisms available to userspace. > >> All of the Raw packet bypass mechanisms are restricted to >> CAP_NET_RAW, and thus malicious users can't simply open a RAW Packet >> QP and send it to the FPGA.. > > It is big expansion of CAP_NET_RAW to also basically also include > reconfiguring ipsec xfrm. > > Plus, if someone configures ethernet bridging (eg in a VM situation) > then could a hacked VM reconfigure this FPGA? > > Jason
Hi Jason As we mentioned earlier, the device ensures that only the FPGA component in the driver can configure the FPGA regardless of any type of standard traffic. Thanks, Saeed.
