[dpdk-dev] doc: Malicious Driver Detection not supported by ixgbe

Message ID 1456291984-7309-1-git-send-email-wenzhuo.lu@intel.com (mailing list archive)
State Superseded, archived

Commit Message

Wenzhuo Lu Feb. 24, 2016, 5:33 a.m. UTC
  Signed-off-by: Wenzhuo Lu <wenzhuo.lu@intel.com>
---
 doc/guides/nics/ixgbe.rst              | 21 +++++++++++++++++++++
 doc/guides/rel_notes/release_16_04.rst | 24 ++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
  

Comments

Stephen Hemminger Feb. 24, 2016, 5:04 p.m. UTC | #1
On Wed, 24 Feb 2016 13:33:04 +0800
Wenzhuo Lu <wenzhuo.lu@intel.com> wrote:

> +  On Intel x550 series NICs, HW supports a feature called MDD (Malcicious
> +  Driver Detection).
> +  MDD is used to check the behavior of the VF driver. It means when transmitting
> +  packets, the VF must use the advanced context descriptor and set it correctly.
> +  And VF must set the CC (Check Context) bit either.

This is a hard sentence to read, why not reword as:

The Intel x550 series NICs support a feature called MDD (Malicious
Driver Detection) which checks the behavior of the VF driver.
If this feature is enabled, the VF must use the advanced context descriptor
correctly and set the CC (Check Context) bit.


> +  DPDK PF doesn't support MDD. We may hit problem in this scenario kernel PF +
> +  DPDK VF. If user enables MDD in kernel PF, DPDK VF will not work. Because
> +  kernel PF thinks the VF is malicious. But actually it's not. The only reason
> +  is the VF doesn't act as MDD required.
> +  There's significant performance impact to support MDD. DPDK should check if
> +  the advanced context descriptor should be set and set it. And DPDK has to ask
> +  the info about the header length from the upper layer, because parsing the
> +  packet itself is not acceptale. So, it's too expensive to support MDD.
> +  When using kernel PF + DPDK VF on x550, please make sure using the kernel
> +  driver that disables MDD or can disable MDD. (Some kernel driver can use
> +  this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disable
> +  it by default.)
> +
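Review bot: the closing workaround ("please make sure using the kernel driver that disables MDD or can disable MDD") tells users to switch off a check on VF driver behaviour without saying what they give up. The text should state whether disabling MDD on the kernel PF affects every VF on that PF or only the DPDK one, so an operator sharing the PF with other guests can weigh it. It should also explain the two values in 'MDD=0,0' and describe the symptom behind "DPDK VF will not work", so the condition can be recognised when it is hit.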
  
Wenzhuo Lu Feb. 25, 2016, 1:13 a.m. UTC | #2
Hi Stephen,


> -----Original Message-----
> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Thursday, February 25, 2016 1:04 AM
> To: Lu, Wenzhuo
> Cc: dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH] doc: Malicious Driver Detection not supported
> by ixgbe
> 
> On Wed, 24 Feb 2016 13:33:04 +0800
> Wenzhuo Lu <wenzhuo.lu@intel.com> wrote:
> 
> > +  On Intel x550 series NICs, HW supports a feature called MDD
> > + (Malcicious  Driver Detection).
> > +  MDD is used to check the behavior of the VF driver. It means when
> > + transmitting  packets, the VF must use the advanced context descriptor and
> set it correctly.
> > +  And VF must set the CC (Check Context) bit either.
> 
> This is a hard sentence to read, why not reword as:
> 
> The Intel x550 series NICs support a feature called MDD (Malicious Driver
> Detection) which checks the behavior of the VF driver.
> If this feature is enabled, the VF must use the advanced context descriptor
> correctly and set the CC (Check Context) bit.
Thanks for the suggestion. I'll try to make it better :)

> 
> 
> > +  DPDK PF doesn't support MDD. We may hit problem in this scenario
> > + kernel PF +  DPDK VF. If user enables MDD in kernel PF, DPDK VF will
> > + not work. Because  kernel PF thinks the VF is malicious. But
> > + actually it's not. The only reason  is the VF doesn't act as MDD required.
> > +  There's significant performance impact to support MDD. DPDK should
> > + check if  the advanced context descriptor should be set and set it.
> > + And DPDK has to ask  the info about the header length from the upper
> > + layer, because parsing the  packet itself is not acceptale. So, it's too
> expensive to support MDD.
> > +  When using kernel PF + DPDK VF on x550, please make sure using the
> > + kernel  driver that disables MDD or can disable MDD. (Some kernel
> > + driver can use  this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD.
> > + Some kernel driver disable  it by default.)
> > +
  

Patch

diff --git a/doc/guides/nics/ixgbe.rst b/doc/guides/nics/ixgbe.rst
index 8cae299..aac5586 100644
--- a/doc/guides/nics/ixgbe.rst
+++ b/doc/guides/nics/ixgbe.rst
@@ -147,6 +147,27 @@  The following MACROs are used for these three features:
 
 *   ETH_TXQ_FLAGS_NOXSUMTCP
 
+Malicious Driver Detection not Supported by ixgbe
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+On Intel x550 series NICs, HW supports a feature called MDD (Malcicious
+Driver Detection).
+MDD is used to check the behavior of the VF driver. It means when transmitting
+packets, the VF must use the advanced context descriptor and set it correctly.
+And VF must set the CC (Check Context) bit either.
+DPDK PF doesn't support MDD. We may hit problem in this scenario kernel PF +
+DPDK VF. If user enables MDD in kernel PF, DPDK VF will not work. Because
+kernel PF thinks the VF is malicious. But actually it's not. The only reason
+is the VF doesn't act as MDD required.
+There's significant performance impact to support MDD. DPDK should check if
+the advanced context descriptor should be set and set it. And DPDK has to ask
+the info about the header length from the upper layer, because parsing the
+packet itself is not acceptale. So, it's too expensive to support MDD.
+When using kernel PF + DPDK VF on x550, please make sure using the kernel
+driver that disables MDD or can disable MDD. (Some kernel driver can use
+this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disable
+it by default.)
+
 
 Sample Application Notes
 ~~~~~~~~~~~~~~~~~~~~~~~~
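Review bot: the added section in ixgbe.rst has no blank lines between its sentences, so RST renders it as one long paragraph; break it at "DPDK PF doesn't support MDD", "There's significant performance impact" and "When using kernel PF + DPDK VF" so the description, the limitation, the cost and the workaround read separately. In the same text, fix "Malcicious" and "acceptale", change "set the CC (Check Context) bit either" to "as well", and mark the command as an RST literal (double backquotes around insmod ixgbe.ko MDD=0,0) instead of single quotes. "Some kernel driver" appears twice with no version or source named; say which drivers expose the MDD parameter and which disable it by default, or point to where the user can find out.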
diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst
index 5786f74..df81c54 100644
--- a/doc/guides/rel_notes/release_16_04.rst
+++ b/doc/guides/rel_notes/release_16_04.rst
@@ -90,6 +90,30 @@  This section should contain new known issues in this release. Sample format:
   tense. Add information on any known workarounds.
 
 
+Restriction
+-----------
+
+* **Malicious Driver Detection is not supported by ixgbe**
+
+  On Intel x550 series NICs, HW supports a feature called MDD (Malcicious
+  Driver Detection).
+  MDD is used to check the behavior of the VF driver. It means when transmitting
+  packets, the VF must use the advanced context descriptor and set it correctly.
+  And VF must set the CC (Check Context) bit either.
+  DPDK PF doesn't support MDD. We may hit problem in this scenario kernel PF +
+  DPDK VF. If user enables MDD in kernel PF, DPDK VF will not work. Because
+  kernel PF thinks the VF is malicious. But actually it's not. The only reason
+  is the VF doesn't act as MDD required.
+  There's significant performance impact to support MDD. DPDK should check if
+  the advanced context descriptor should be set and set it. And DPDK has to ask
+  the info about the header length from the upper layer, because parsing the
+  packet itself is not acceptale. So, it's too expensive to support MDD.
+  When using kernel PF + DPDK VF on x550, please make sure using the kernel
+  driver that disables MDD or can disable MDD. (Some kernel driver can use
+  this CLI 'insmod ixgbe.ko MDD=0,0' to disable MDD. Some kernel driver disable
+  it by default.)
+
+
 API Changes
 -----------
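Review bot: the release-note entry repeats the ixgbe.rst text word for word, typos "Malcicious" and "acceptale" included, so the two copies will drift apart; keep a short summary here (what fails, on which NIC, the workaround) and refer to the ixgbe guide for the rest. The hunk also opens a new "Restriction" section directly after the known-issues template text ("This section should contain new known issues in this release"); unless the release notes already use that heading, the item belongs under known issues. The bold title says MDD "is not supported by ixgbe", while the body narrows this to the DPDK PF and to a DPDK VF under a kernel PF on x550; the title should carry that scope.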