[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
Hi Thomas, > > * ETH_TXQ_FLAGS_NOXSUMTCP > > > > +Malicious Driver Detection not Supported by ixgbe > > +^ > > Why is it in the vector PMD section? Sorry, I put it in the wrong place. Seems a whole new section is needed. > > > + Some kernel driver disables it by default.) > > Why repeating the whole explanation in the release notes? > I think the ixgbe doc is enough to say that a kernel option is required. OK, I'll remove this one :)
[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
2016-02-26 12:48, Wenzhuo Lu: > --- a/doc/guides/nics/ixgbe.rst > +++ b/doc/guides/nics/ixgbe.rst > @@ -147,6 +147,26 @@ The following MACROs are used for these three features: > > * ETH_TXQ_FLAGS_NOXSUMTCP > > +Malicious Driver Detection not Supported by ixgbe > +^ Why is it in the vector PMD section? > + > +The Intel x550 series NICs support a feature called MDD (Malcicious > +Driver Detection) which checks the behavior of the VF driver. > +If this feature is enabled, the VF must use the advanced context descriptor > +correctly and set the CC (Check Context) bit. > +DPDK PF doesn't support MDD, but kernel PF does. We may hit problem in this > +scenario kernel PF + DPDK VF. If user enables MDD in kernel PF, DPDK VF will > +not work. Because kernel PF thinks the VF is malicious. But actually it's > not. > +The only reason is the VF doesn't act as MDD required. > +There's significant performance impact to support MDD. DPDK should check if > +the advanced context descriptor should be set and set it. And DPDK has to ask > +the info about the header length from the upper layer, because parsing the > +packet itself is not acceptale. So, it's too expensive to support MDD. > +When using kernel PF + DPDK VF on x550, please make sure using the kernel > +driver that disables MDD or can disable MDD. (Some kernel driver can use > +this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver > disables > +it by default.) > + > > Sample Application Notes > > diff --git a/doc/guides/rel_notes/release_16_04.rst > b/doc/guides/rel_notes/release_16_04.rst > index 5786f74..0647896 100644 > --- a/doc/guides/rel_notes/release_16_04.rst > +++ b/doc/guides/rel_notes/release_16_04.rst > @@ -90,6 +90,29 @@ This section should contain new known issues in this > release. Sample format: >tense. Add information on any known workarounds. > > > +Restriction > +--- > + > +* **Malicious Driver Detection is not supported by ixgbe** > + > + The Intel x550 series NICs support a feature called MDD (Malcicious > + Driver Detection) which checks the behavior of the VF driver. > + If this feature is enabled, the VF must use the advanced context descriptor > + correctly and set the CC (Check Context) bit. > + DPDK PF doesn't support MDD, but kernel PF does. We may hit problem in this > + scenario kernel PF + DPDK VF. If user enables MDD in kernel PF, DPDK VF > will > + not work. Because kernel PF thinks the VF is malicious. But actually it's > not. > + The only reason is the VF doesn't act as MDD required. > + There's significant performance impact to support MDD. DPDK should check if > + the advanced context descriptor should be set and set it. And DPDK has to > ask > + the info about the header length from the upper layer, because parsing the > + packet itself is not acceptale. So, it's too expensive to support MDD. > + When using kernel PF + DPDK VF on x550, please make sure using the kernel > + driver that disables MDD or can disable MDD. (Some kernel driver can use > + this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver > disables > + it by default.) Why repeating the whole explanation in the release notes? I think the ixgbe doc is enough to say that a kernel option is required.
[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
Hi, > -Original Message- > From: dev [mailto:dev-bounces at dpdk.org] On Behalf Of Wenzhuo Lu > Sent: Friday, February 26, 2016 12:49 PM > To: dev at dpdk.org > Subject: [dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported > by ixgbe > > Announce that Malicious Driver Detection is not supported. > > V2: > *Rework the words. > > Signed-off-by: Wenzhuo Lu Acked-by: Shaopeng He
[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
Hi Bruce, > -Original Message- > From: Richardson, Bruce > Sent: Friday, February 26, 2016 10:41 PM > To: Lu, Wenzhuo > Cc: dev at dpdk.org > Subject: Re: [dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not > supported by ixgbe > > On Fri, Feb 26, 2016 at 12:48:37PM +0800, Wenzhuo Lu wrote: > > Announce that Malicious Driver Detection is not supported. > > > > V2: > > *Rework the words. > > > > Signed-off-by: Wenzhuo Lu > > Hi Wenzhuo, > > just for future reference, please put the V2,v3 etc. updates below the cut > line "-- > -" so that they can be auto-stripped when applying the patch. > > /Bruce Got it. Thanks for the reminder :) > > > --- > > doc/guides/nics/ixgbe.rst | 20 > > doc/guides/rel_notes/release_16_04.rst | 23 +++ > > 2 files changed, 43 insertions(+) > > >
[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
On Fri, Feb 26, 2016 at 12:48:37PM +0800, Wenzhuo Lu wrote: > Announce that Malicious Driver Detection is not supported. > > V2: > *Rework the words. > > Signed-off-by: Wenzhuo Lu Hi Wenzhuo, just for future reference, please put the V2,v3 etc. updates below the cut line "---" so that they can be auto-stripped when applying the patch. /Bruce > --- > doc/guides/nics/ixgbe.rst | 20 > doc/guides/rel_notes/release_16_04.rst | 23 +++ > 2 files changed, 43 insertions(+) >
[dpdk-dev] [PATCH v2] doc: Malicious Driver Detection not supported by ixgbe
Announce that Malicious Driver Detection is not supported. V2: *Rework the words. Signed-off-by: Wenzhuo Lu --- doc/guides/nics/ixgbe.rst | 20 doc/guides/rel_notes/release_16_04.rst | 23 +++ 2 files changed, 43 insertions(+) diff --git a/doc/guides/nics/ixgbe.rst b/doc/guides/nics/ixgbe.rst index 8cae299..7218cdd 100644 --- a/doc/guides/nics/ixgbe.rst +++ b/doc/guides/nics/ixgbe.rst @@ -147,6 +147,26 @@ The following MACROs are used for these three features: * ETH_TXQ_FLAGS_NOXSUMTCP +Malicious Driver Detection not Supported by ixgbe +^ + +The Intel x550 series NICs support a feature called MDD (Malcicious +Driver Detection) which checks the behavior of the VF driver. +If this feature is enabled, the VF must use the advanced context descriptor +correctly and set the CC (Check Context) bit. +DPDK PF doesn't support MDD, but kernel PF does. We may hit problem in this +scenario kernel PF + DPDK VF. If user enables MDD in kernel PF, DPDK VF will +not work. Because kernel PF thinks the VF is malicious. But actually it's not. +The only reason is the VF doesn't act as MDD required. +There's significant performance impact to support MDD. DPDK should check if +the advanced context descriptor should be set and set it. And DPDK has to ask +the info about the header length from the upper layer, because parsing the +packet itself is not acceptale. So, it's too expensive to support MDD. +When using kernel PF + DPDK VF on x550, please make sure using the kernel +driver that disables MDD or can disable MDD. (Some kernel driver can use +this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disables +it by default.) + Sample Application Notes diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst index 5786f74..0647896 100644 --- a/doc/guides/rel_notes/release_16_04.rst +++ b/doc/guides/rel_notes/release_16_04.rst @@ -90,6 +90,29 @@ This section should contain new known issues in this release. Sample format: tense. Add information on any known workarounds. +Restriction +--- + +* **Malicious Driver Detection is not supported by ixgbe** + + The Intel x550 series NICs support a feature called MDD (Malcicious + Driver Detection) which checks the behavior of the VF driver. + If this feature is enabled, the VF must use the advanced context descriptor + correctly and set the CC (Check Context) bit. + DPDK PF doesn't support MDD, but kernel PF does. We may hit problem in this + scenario kernel PF + DPDK VF. If user enables MDD in kernel PF, DPDK VF will + not work. Because kernel PF thinks the VF is malicious. But actually it's not. + The only reason is the VF doesn't act as MDD required. + There's significant performance impact to support MDD. DPDK should check if + the advanced context descriptor should be set and set it. And DPDK has to ask + the info about the header length from the upper layer, because parsing the + packet itself is not acceptale. So, it's too expensive to support MDD. + When using kernel PF + DPDK VF on x550, please make sure using the kernel + driver that disables MDD or can disable MDD. (Some kernel driver can use + this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disables + it by default.) + + API Changes --- -- 1.9.3