SELINUX SUPPORT IN HFI1 AND PSM2

Similar documents
Ravindra Babu Ganapathi

CREATING A COMMON SOFTWARE VERBS IMPLEMENTATION

LNet Roadmap & Development. Amir Shehata Lustre * Network Engineer Intel High Performance Data Division

Sample for OpenCL* and DirectX* Video Acceleration Surface Sharing

INTEL PERCEPTUAL COMPUTING SDK. How To Use the Privacy Notification Tool

Software Evaluation Guide for ImTOO* YouTube* to ipod* Converter Downloading YouTube videos to your ipod

OpenCL* and Microsoft DirectX* Video Acceleration Surface Sharing

Small File I/O Performance in Lustre. Mikhail Pershin, Joe Gmitter Intel HPDD April 2018

Intel Desktop Board DZ68DB

Intel & Lustre: LUG Micah Bhakti

Intel Cache Acceleration Software for Windows* Workstation

Intel 945(GM/GME)/915(GM/GME)/ 855(GM/GME)/852(GM/GME) Chipsets VGA Port Always Enabled Hardware Workaround

Migration Guide: Numonyx StrataFlash Embedded Memory (P30) to Numonyx StrataFlash Embedded Memory (P33)

Clear CMOS after Hardware Configuration Changes

Evolving Small Cells. Udayan Mukherjee Senior Principal Engineer and Director (Wireless Infrastructure)

Software Evaluation Guide for WinZip 15.5*

Software Evaluation Guide for CyberLink MediaEspresso *

Installation Guide and Release Notes

JOURNEY TO VERBS IOCTL

Intel G31/P31 Express Chipset

Drive Recovery Panel

LED Manager for Intel NUC

Software Evaluation Guide for WinZip* esources-performance-documents.html

How to Create a.cibd File from Mentor Xpedition for HLDRC

How to Create a.cibd/.cce File from Mentor Xpedition for HLDRC

HPCG on Intel Xeon Phi 2 nd Generation, Knights Landing. Alexander Kleymenov and Jongsoo Park Intel Corporation SC16, HPCG BoF

Intel IXP400 Digital Signal Processing (DSP) Software: Priority Setting for 10 ms Real Time Task

Boot Agent Application Notes for BIOS Engineers

Intel Stereo 3D SDK Developer s Guide. Alpha Release

Bitonic Sorting. Intel SDK for OpenCL* Applications Sample Documentation. Copyright Intel Corporation. All Rights Reserved

Intel Desktop Board D945GCLF2

Software Evaluation Guide for Photodex* ProShow Gold* 3.2

Innovating and Integrating for Communications and Storage

Intel Atom Processor E3800 Product Family Development Kit Based on Intel Intelligent System Extended (ISX) Form Factor Reference Design

Intel Unite Plugin Guide for VDO360 Clearwater

Software Evaluation Guide for Sony Vegas Pro 8.0b* Blu-ray Disc Image Creation Burning HD video to Blu-ray Disc

Intel 82580EB/82580DB GbE Controller Feature Software Support. LAN Access Division (LAD)

Intel X48 Express Chipset Memory Controller Hub (MCH)

SDK API Reference Manual for VP8. API Version 1.12

Software Evaluation Guide Adobe Premiere Pro CS3 SEG

Bitonic Sorting Intel OpenCL SDK Sample Documentation

Intel Desktop Board D946GZAB

Intel 848P Chipset. Specification Update. Intel 82848P Memory Controller Hub (MCH) August 2003

Intel RealSense D400 Series Calibration Tools and API Release Notes

Intel Desktop Board DG41CN

Intel Desktop Board D975XBX2

Upgrading Intel Server Board Set SE8500HW4 to Support Intel Xeon Processors 7000 Sequence

Intel Unite. Intel Unite Firewall Help Guide

MICHAL MROZEK ZBIGNIEW ZDANOWICZ

Intel Desktop Board DG31PR

Intel RealSense Depth Module D400 Series Software Calibration Tool

Installation Guide and Release Notes

Optimizing the operations with sparse matrices on Intel architecture

Intel Core TM i7-4702ec Processor for Communications Infrastructure

Intel Desktop Board DG41RQ

Intel Desktop Board DH61SA

Intel Desktop Board DP55SB

What s P. Thierry

Intel Desktop Board D945GCCR

Intel Learning Series Developer Program Self Verification Program. Process Document

Intel Parallel Studio XE 2011 for Windows* Installation Guide and Release Notes

Intel Atom Processor D2000 Series and N2000 Series Embedded Application Power Guideline Addendum January 2012

Intel Software Guard Extensions Platform Software for Windows* OS Release Notes

True Scale Fabric Switches Series

Intel Desktop Board D845PT Specification Update

Installation Guide and Release Notes

Theory and Practice of the Low-Power SATA Spec DevSleep

Intel Atom Processor E6xx Series Embedded Application Power Guideline Addendum January 2012

Intel Parallel Studio XE 2011 SP1 for Linux* Installation Guide and Release Notes

IEEE1588 Frequently Asked Questions (FAQs)

Intel vpro Technology Virtual Seminar 2010

Intel Xeon Phi Coprocessor. Technical Resources. Intel Xeon Phi Coprocessor Workshop Pawsey Centre & CSIRO, Aug Intel Xeon Phi Coprocessor

Intel Core TM Processor i C Embedded Application Power Guideline Addendum

Mobile Client Capability Brief for Exporting Mail in Microsoft* Office* Outlook* 2007

Intel Desktop Board DP67DE

Forging a Future in Memory: New Technologies, New Markets, New Applications. Ed Doller Chief Technology Officer

Understanding Windows To Go

GUID Partition Table (GPT)

Intel Unite Solution Intel Unite Plugin for WebEx*

Intel Cache Acceleration Software - Workstation

Intel Desktop Board D945GCLF

Intel Setup and Configuration Service. (Lightweight)

Non-Volatile Memory Cache Enhancements: Turbo-Charging Client Platform Performance

Intel 6400/6402 Advanced Memory Buffer

Intel Desktop Board DH61CR

Intel vpro Technology Virtual Seminar 2010

Getting Compiler Advice from the Optimization Reports

Intel Desktop Board DH55TC

The Intel Processor Diagnostic Tool Release Notes

How to Configure Intel X520 Ethernet Server Adapter Based Virtual Functions on SuSE*Enterprise Linux Server* using Xen*

The Intel SSD Pro 2500 Series Guide for Microsoft edrive* Activation

Intel Manageability Commander User Guide

Desktop 4th Generation Intel Core, Intel Pentium, and Intel Celeron Processor Families and Intel Xeon Processor E3-1268L v3

Intel Media Server Studio 2018 R1 - HEVC Decoder and Encoder Release Notes (Version )

Intel SDK for OpenCL* - Sample for OpenCL* and Intel Media SDK Interoperability

Device Firmware Update (DFU) for Windows

Aircraft Smooth Motion Controls with Intel Perceptual Computing SDK. Cédric Andreolli - Intel

6th Generation Intel Core Processor Series

Intel s Architecture for NFV

12th ANNUAL WORKSHOP 2016 NVME OVER FABRICS. Presented by Phil Cayton Intel Corporation. April 6th, 2016

Transcription:

14th ANNUAL WORKSHOP 2018 SELINUX SUPPORT IN HFI1 AND PSM2 Dennis Dalessandro, Network SW Engineer Intel Corp 4/2/2018

NOTICES AND DISCLAIMERS INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. EXCEPT AS PROVIDED IN INTEL S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life-saving, life-sustaining, critical control or safety systems, or in nuclear facility applications. Intel products may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel may make changes to dates, specifications, product descriptions, and plans referenced in this document at any time, without notice. This document may contain information on products in the design phase of development. The information herein is subject to change without notice. Do not finalize a design with this information. Intel processors of the same SKU may vary in frequency or power as a result of natural variability in the production process. Performance estimates were obtained prior to implementation of recent software patches and firmware updates intended to address exploits referred to as "Spectre" and "Meltdown." Implementation of these updates may make these results inapplicable to your device or system. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. Intel Corporation or its subsidiaries in the United States and other countries may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Some features may require you to purchase additional software, services or external hardware. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations Intel, the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright 2018 Intel Corporation. All rights reserved. 2 OpenFabrics Alliance Workshop 2018

OPTIMIZATION NOTICE Optimization Notice Intel's compilers may or may not optimize to the same degree for non-intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice. Notice revision #20110804 3 OpenFabrics Alliance Workshop 2018

LEGAL NOTICES AND DISCLAIMERS Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer. No computer system can be absolutely secure. Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance. Intel, the Intel logo, Xeon and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. 2018 Intel Corporation. 4 OpenFabrics Alliance Workshop 2018

WHAT IS SELINUX? Not just something you disable on grub boot line! It was always the first thing I did on pretty much any system Complicated Have been developing kernel code for years, yet SELinux still confuses me! Have you tried to write a policy? A good idea Security is an important topic but not one you should have to worry about It needs to just work and have tools to support Tools like audit2allow makes life much easier 5 OpenFabrics Alliance Workshop 2018

OK SO WHAT IS IT REALLY?!? Detailed explanation well beyond our scope here See Dan Jurgen s presentation from 2016 Provides a great overview of SELinux and how it applies to RDMA fabrics Mandatory Access Control (MAC) Goes beyond normal file permissions Multilevel Security (MLS) Just because user is root doesn t mean they have an all access pass Regular users can be granted different access depending on roles RDMA fabrics have PKeys so enforce access controls on them Example: User Access Public? Access Restricted? Access Top Secret? root YES NO NO user1234 YES YES NO tux YES YES YES 6 OpenFabrics Alliance Workshop 2018

VERBS SUPPORT ONLY Added to the kernel fairly recently (over the last few versions) Changes are in the IB core and SELinux core Should work with any driver that supports IB verbs Based on PKeys Is that the best or only option? Time will tell. User space tooling exists Does not support other protocols PSM in particular, which is why we have this talk PSM is our preferred communication library 7 OpenFabrics Alliance Workshop 2018

REQUIREMENTS FOR PSM SELINUX Support large number of labels Use existing PKey scheme For now, who knows what the future will bring Support kernel bypass Require no changes to user space Enable easy extension if we want to move away from being PKey based Require no changes to IB core or SELinux core Enable easy extension if we want to move away from being PKey based Be able to work with distro and IFS installations Only changing the hfi1.ko Require minimal to no modifications to PSM library Changing user space only if we have to, so far so good 8 OpenFabrics Alliance Workshop 2018

WHAT IS A PKEY? PKey is 16bit non-cryptographic value Does not need to be a secure value Knowing PKey doesn t mean you have access to it (AH! So SELinux ) hfi1 hardware currently supports PKey checking hardware checks all incoming packets to ensure a valid PKey send/recv contexts and SDMA engines have PKey hardware checks as well hfi1 driver is flexible and can support as many PKeys as needed 9 OpenFabrics Alliance Workshop 2018

WHAT IS THIS JKEY THING AND WHY USE IT? A JKey is a Job Key Unique to PSM Allows splitting up partitions further than Pkey Many Jkeys in a single partition Determined by the kernel Jkey = 0 has special meaning The rest of it is up to software Currently: Use the UID to come up with a JKey JKey space is currently divided up into buckets (that we can change!) admin users kernel protocols everyone else Using JKey as security field allows flexibility To scale to thousands of labels to meet future security needs For alternatives to PKey based security 10 OpenFabrics Alliance Workshop 2018

USING JKEY TO HOLD THE SECURITY FIELD JKey can be used to hold a flexible security field We can use the JKey to hold the index of the PKey This way we can use the JKey hardware checks to validate the PKey Could be something other than PKey some day Three JKey buckets becomes Four buckets Exact mapping and format of the JKey is still being finalized Must support sufficient number of JKeys and still maintain job separation 11 OpenFabrics Alliance Workshop 2018

PSM DATA TRANSFERS Two ways to send data Programmed I/O aka PIO Send Direct Memory Access aka SDMA Differ in how data goes from user space to the hfi1 hardware Hardware supports both Tradeoffs to using one vs the other beyond the scope of this talk PIO Kernel bypass SDMA Goes through the kernel for SDMA engine programming 12 OpenFabrics Alliance Workshop 2018

SDMA SEND BEFORE SELINUX PSM calls into kernel PKey is checked in software Verbs Application PSM Application User Verbs and PSM share SDMA engines Also means JKey can not be checked in hardware Even verbs can have multiple PKeys in packets for a particular SDMA Engine QP 0x2 PKey 0x8001 IB Core/Verbs QP 0x4 PKey 0x8003 SDMA PKey Check Kernel SDMA Engine SDMA Engine SDMA Engine SDMA Engine SDE JKey Check (PSM only) SDE JKey Check (PSM only) SDE JKey Check (PSM only) SDE JKey Check (PSM only) Hardware SDE PKey Check SDE PKey Check SDE PKey Check SDE PKey Check Launch FIFO 13 OpenFabrics Alliance Workshop 2018

PIO SEND BEFORE SELINUX verbs Goes through kernel Verbs Application PSM Application User Multiple QPs and PKeys could be mapped to the same context IB Core/Verbs Thus no HW PKey checks PSM QP 0x2 PKey 0x8001 QP 0x4 PKey 0x8003 Kernel Kernel bypass QP PKey Check Must use HW checks Includes JKey check PIO Send Context PIO Send Context PIO Send Context PIO Send Context Context PKey Check Context PKey Check Context PKey Check Context PKey Check Hardware Context JKey Check (PSM Only) Context JKey Check (PSM Only) Context JKey Check (PSM Only) Context JKey Check (PSM Only) Launch FIFO 14 OpenFabrics Alliance Workshop 2018

RECEIVING DATA BEFORE SELINUX Verbs Global PKey table check Verbs Application PSM Application User Limited to 16 Pkeys currently. We can support more. IB Core/Verbs Still has to be a check per QP PSM QP 0x2 PKey 0x8001 QP 0x4 PKey 0x8003 Kernel Kernel bypass Must use HW QP PKey Check Also includes JKey Kernel Rcv Ctxt Kernel Rcv Ctxt User Rcv Ctxt User Rcv Ctxt Global PKey Table Check Limited to 16 Entries JKey Check Hardware HW Receive Buffers 15 OpenFabrics Alliance Workshop 2018

SELINUX SDMA SUPPORT Verbs Still does PKey check in SW PSM Still does PKey check in SW Verbs Application IB Core/Verbs PSM Application JKey Check PKey Check User Kernel Adds additional check of JKey in software QP 0x2 PKey 0x8001 QP 0x4 PKey 0x8003 SDMA Can not use HW JKey checking since SDMA Engines are shared with verbs Same reason we can not use HW PKey checking SDMA Engine SDE JKey Check (PSM only) SDMA Engine SDE JKey Check (PSM only) SDMA Engine SDE JKey Check (PSM only) SDMA Engine SDE JKey Check (PSM only) Hardware SDE PKey Check SDE PKey Check SDE PKey Check SDE PKey Check Launch FIFO 16 OpenFabrics Alliance Workshop 2018

SELINUX PIO SUPPORT Verbs Nothing changes Verbs Application PSM Application User Pure SW based PSM IB Core/Verbs Kernel Nothing changes QP 0x2 PKey 0x8001 QP 0x4 PKey 0x8003 Pure HW based QP PKey Check PIO Send Context PIO Send Context PIO Send Context PIO Send Context Context PKey Check Context PKey Check Context PKey Check Context PKey Check Hardware Context JKey Check (PSM Only) Context JKey Check (PSM Only) Context JKey Check (PSM Only) Context JKey Check (PSM Only) Launch FIFO 17 OpenFabrics Alliance Workshop 2018

SELINUX RECEIVE SIDE SUPPORT Verbs Verbs Application PSM Application User Disable PKey checks since Required to support > 16 PKeys Still have to do a PKey check for the QP in software so HW check really not needed anyway PSM QP 0x2 PKey 0x8001 IB Core/Verbs QP PKey Check QP 0x4 PKey 0x8003 Kernel Use JKey check in HW Preserves kernel bypass Kernel Rcv Ctxt Kernel Rcv Ctxt User Rcv Ctxt User Rcv Ctxt Global PKey Table Check Limited to 16 Entries JKey Check Hardware HW Receive Buffers 18 OpenFabrics Alliance Workshop 2018

CURRENT STATUS Under development Targeting kernel 4.19 rough estimate and subject to change So far no changes required to PSM IB Core SELinux Core 19 OpenFabrics Alliance Workshop 2018

14th ANNUAL WORKSHOP 2018 THANK YOU Dennis Dalessandro, Network SW Engineer Intel Corp 4/2/2018

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback