
Commit dd461d6

h-shimamotoJeff Kirsher
authored andcommitted
if_link: Add control trust VF
Add netlink directives and ndo entry to trust VF user. This controls the special permission of the VF user. The administrator will dedicatedly trust the VF user to use some features which impact security and/or performance. The administrator should never turn it on unless the VF user is fully trusted. CC: Sy Jong Choi <[email protected]> Signed-off-by: Hiroshi Shimamoto <[email protected]> Acked-by: Greg Rose <[email protected]> Tested-by: Krishneil Singh <[email protected]> Signed-off-by: Jeff Kirsher <[email protected]>
1 parent 2fc4cd5 commit dd461d6


4 files changed

+31
-3
lines changed


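--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -24,5 +24,6 @@ struct ifla_vf_info {
 __u32 min_tx_rate;
 __u32 max_tx_rate;
 __u32 rss_query_en;
+__u32 trusted;
 };
 #endif /* _LINUX_IF_LINK_H */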
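Review bot: The new `trusted` field of struct ifla_vf_info is a `__u32` that the net/core/rtnetlink.c part of this commit pre-sets to -1 before the driver fills the struct in, so like `rss_query_en` it carries a third "driver did not report" state as all-ones, and that convention is not stated anywhere on the field. A short comment would help driver authors, e.g. `__u32 trusted; /* 0 = not trusted, non-zero = trusted; rtnetlink leaves -1 if the driver does not set it */`. The start of struct ifla_vf_info is outside the hunk.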

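--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -881,6 +881,7 @@ typedef u16 (*select_queue_fallback_t)(struct net_device *dev,
 * int (*ndo_set_vf_rate)(struct net_device *dev, int vf, int min_tx_rate,
 * int max_tx_rate);
 * int (*ndo_set_vf_spoofchk)(struct net_device *dev, int vf, bool setting);
+* int (*ndo_set_vf_trust)(struct net_device *dev, int vf, bool setting);
 * int (*ndo_get_vf_config)(struct net_device *dev,
 * int vf, struct ifla_vf_info *ivf);
 * int (*ndo_set_vf_link_state)(struct net_device *dev, int vf, int link_state);
@@ -1109,6 +1110,8 @@ struct net_device_ops {
 int max_tx_rate);
 int (*ndo_set_vf_spoofchk)(struct net_device *dev,
 int vf, bool setting);
+int (*ndo_set_vf_trust)(struct net_device *dev,
+int vf, bool setting);
 int (*ndo_get_vf_config)(struct net_device *dev,
 int vf,
 struct ifla_vf_info *ivf);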
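Review bot: The `ndo_set_vf_trust` line added to the kernel-doc block gives only the prototype, and since the commit message says a trusted VF is allowed features that affect security and performance, the callback's contract deserves a sentence next to it. Suggest following the prototype with `* Enable or disable trust for VF @vf; a trusted VF may use driver-specific privileged features, so only set it for a fully trusted VF user. Returns 0 or a negative errno.`. The negative-errno expectation is what the do_setvfinfo hunk in net/core/rtnetlink.c relies on (`if (err < 0) return err;`). Both the doc block and struct net_device_ops continue outside the hunks.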

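--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -550,6 +550,7 @@ enum {
 * on/off switch
 */
 IFLA_VF_STATS, /* network device statistics */
+IFLA_VF_TRUST, /* Trust VF */
 __IFLA_VF_MAX,
 };
 
@@ -611,6 +612,11 @@ enum {
 
 #define IFLA_VF_STATS_MAX (__IFLA_VF_STATS_MAX - 1)
 
+struct ifla_vf_trust {
+__u32 vf;
+__u32 setting;
+};
+
 /* VF ports management section
 *
 * Nested layout of set/get msg is: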
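Review bot: The `/* Trust VF */` comment on IFLA_VF_TRUST and the bare `struct ifla_vf_trust` in the second hunk say nothing about the values userspace should send or expect back, and this is a UAPI header where the encoding is the contract. From the rtnetlink part of this commit, `setting` is passed into a `bool` on set (any non-zero value enables trust) and is reported as -1 cast to `__u32` when the driver does not fill in the value; suggest `/* setting: 0 = not trusted, non-zero = trusted; read back as all-ones when the driver does not report it */` on the struct. The `/* Trust VF */` tag could likewise say `/* VF trust on/off switch */` to match the neighbouring entries' wording.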

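--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -838,7 +838,8 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
 /* IFLA_VF_STATS_BROADCAST */
 nla_total_size(sizeof(__u64)) +
 /* IFLA_VF_STATS_MULTICAST */
-nla_total_size(sizeof(__u64)));
+nla_total_size(sizeof(__u64)) +
+nla_total_size(sizeof(struct ifla_vf_trust)));
 return size;
 } else
 return 0;
@@ -1161,6 +1162,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 struct ifla_vf_link_state vf_linkstate;
 struct ifla_vf_rss_query_en vf_rss_query_en;
 struct ifla_vf_stats vf_stats;
+struct ifla_vf_trust vf_trust;
 
 /*
 * Not all SR-IOV capable drivers support the
@@ -1170,6 +1172,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 */
 ivi.spoofchk = -1;
 ivi.rss_query_en = -1;
+ivi.trusted = -1;
 memset(ivi.mac, 0, sizeof(ivi.mac));
 /* The default value for VF link state is "auto"
 * IFLA_VF_LINK_STATE_AUTO which equals zero
@@ -1183,7 +1186,8 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 vf_tx_rate.vf =
 vf_spoofchk.vf =
 vf_linkstate.vf =
-vf_rss_query_en.vf = ivi.vf;
+vf_rss_query_en.vf =
+vf_trust.vf = ivi.vf;
 
 memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
 vf_vlan.vlan = ivi.vlan;
@@ -1194,6 +1198,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 vf_spoofchk.setting = ivi.spoofchk;
 vf_linkstate.link_state = ivi.linkstate;
 vf_rss_query_en.setting = ivi.rss_query_en;
+vf_trust.setting = ivi.trusted;
 vf = nla_nest_start(skb, IFLA_VF_INFO);
 if (!vf) {
 nla_nest_cancel(skb, vfinfo);
@@ -1211,7 +1216,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 &vf_linkstate) ||
 nla_put(skb, IFLA_VF_RSS_QUERY_EN,
 sizeof(vf_rss_query_en),
-&vf_rss_query_en))
+&vf_rss_query_en) ||
+nla_put(skb, IFLA_VF_TRUST,
+sizeof(vf_trust), &vf_trust))
 goto nla_put_failure;
 memset(&vf_stats, 0, sizeof(vf_stats));
 if (dev->netdev_ops->ndo_get_vf_stats)
@@ -1348,6 +1355,7 @@ static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
 [IFLA_VF_LINK_STATE] = { .len = sizeof(struct ifla_vf_link_state) },
 [IFLA_VF_RSS_QUERY_EN] = { .len = sizeof(struct ifla_vf_rss_query_en) },
 [IFLA_VF_STATS] = { .type = NLA_NESTED },
+[IFLA_VF_TRUST] = { .len = sizeof(struct ifla_vf_trust) },
 };
 
 static const struct nla_policy ifla_vf_stats_policy[IFLA_VF_STATS_MAX + 1] = {
@@ -1587,6 +1595,16 @@ static int do_setvfinfo(struct net_device *dev, struct nlattr **tb)
 return err;
 }
 
+if (tb[IFLA_VF_TRUST]) {
+struct ifla_vf_trust *ivt = nla_data(tb[IFLA_VF_TRUST]);
+
+err = -EOPNOTSUPP;
+if (ops->ndo_set_vf_trust)
+err = ops->ndo_set_vf_trust(dev, ivt->vf, ivt->setting);
+if (err < 0)
+return err;
+}
+
 return err;
 }
 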
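Review bot: In the new IFLA_VF_TRUST block of do_setvfinfo, `ivt->setting` is a `__u32` handed straight to a `bool` parameter, so any non-zero value enables trust, and `ivt->vf` is passed to the driver without a range check here; both match the spoofchk handling above but are worth pinning with a comment such as `/* any non-zero setting enables trust; the driver validates ivt->vf */`. Because a trusted VF is granted privileged, security-relevant features by the driver (per the commit message), the authorization for this path rests entirely on the caller's privilege check, and do_setvfinfo starts outside the hunk — confirm it remains reachable only through the capability-gated RTM_SETLINK path that protects the other VF setters. Separately, in the first hunk the new `nla_total_size(sizeof(struct ifla_vf_trust))` term is the only one in rtnl_vfinfo_size without the `/* IFLA_VF_... */` label its neighbours carry; adding `/* IFLA_VF_TRUST */` above it keeps the size table readable.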
