[ovs-dev] [PATCH 1/1] daemon-unix: Support OVS-DPDK HW offloads for non-root user

David Marchand david.marchand at redhat.com
Thu Mar 11 20:44:02 UTC 2021

On Wed, Sep 16, 2020 at 10:06 PM Aaron Conole <aconole at redhat.com> wrote:
> David Marchand <david.marchand at redhat.com> writes:
> > On Tue, Sep 15, 2020 at 12:52 PM Ameer Mahagneh <ameerm at nvidia.com> wrote:
> >>
> >> For security reasons only root or privileged user can allocate Interconnect
> >> Context Memory (ICM). Add this capability for vendors that require ICM
> >> allocation when applying DPDK rte flows.
> >>
> >> Signed-off-by: Ameer Mahagneh <ameerm at nvidia.com>
> >> Acked-by: Eli Britstein <elibr at nvidia.com>
> >> ---
> Why is this needed?  SYS_RAWIO is extremely privileged and means that
> there is no point even in dropping privs or changing UID - the process
> with these caps is allowed to alter anything, map /dev/mem and
> /dev/kmem, etc.
> Is there really no other way of doing this?  This feels somewhat like a
> security regression rather than an improvement.  NOTE that we cannot
> even use an LSM to protect against this - sys_rawio is able to perform
> operations that can subvert LSMs.

I had forgotten about this patch... I was expecting someone from
Nvidia to reply but I see nothing on the ml.

I do not have the full story, but I hit an issue just yesterday and
spent today figuring this out.

For me, the impact is simple: without this capability, full
hw-offloads with mlx5 devices are unavailable with ovs running as non
The logs are not helping btw, example:
rte_flow creation failed: 1 ((null)).
Failed flow:   flow create 2 ingress priority 0 group 0 transfer
pattern eth src is 0c:42:a1:00:a8:7c dst is 6a:20:8f:82:52:49 type is
0x0800 / ipv4 / end actions count / port_id original 0 id 5 / end
And OVS automatically falls back to partial offloading.

Can nvidia people explain the need for this capability and if other
options have been considered?


David Marchand
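To verify what a deployed daemon actually holds after dropping to a service uid, one can decode the CapPrm/CapEff masks in /proc/<pid>/status. The following is an added example, not code from this thread or from OVS; it runs against a constructed sample status file (the uid, the retained capability set and the pid-less layout are all assumptions) and flags CAP_SYS_RAWIO among the root-equivalent bits Aaron's reply warns about.

```python
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)
# Capabilities that make a uid drop largely meaningless: SYS_RAWIO (raw port
# I/O, /dev/mem), SYS_ADMIN and SYS_MODULE (kernel control), SYS_PTRACE, DAC_OVERRIDE.
ROOT_EQUIVALENT = {"sys_rawio", "sys_admin", "sys_module", "sys_ptrace", "dac_override"}

def decode_mask(hex_mask):
    """Turn a CapXxx hex field from /proc/<pid>/status into a set of cap names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1}

def parse_status(status_text):
    """Extract the real uid and the capability sets present in a status file."""
    info = {"uid": None}
    for line in status_text.splitlines():
        m = re.match(r"^(Uid|Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s+(\S+)", line)
        if m and m.group(1) == "Uid":
            info["uid"] = int(m.group(2))        # first field is the real uid
        elif m:
            info[m.group(1)] = decode_mask(m.group(2))
    return info

def audit(status_text):
    """Return the root-equivalent caps a non-root process holds (Permitted | Effective)."""
    info = parse_status(status_text)
    if info["uid"] == 0:
        return set()    # running as root anyway; a cap audit changes nothing
    held = info.get("CapPrm", set()) | info.get("CapEff", set())
    return held & ROOT_EQUIVALENT

# Constructed sample (not a real capture): a daemon running as uid 992 that kept
# net_admin, net_raw, ipc_lock, sys_nice and sys_rawio -> bits 12,13,14,23,17.
SAMPLE_STATUS = """\
Uid:\t992\t992\t992\t992
CapPrm:\t0000000000827000
CapEff:\t0000000000827000
"""
print("root-equivalent caps held:", sorted(audit(SAMPLE_STATUS)))  # ['sys_rawio']
```

On a live host the same check is `audit(open(f"/proc/{pid}/status").read())` for the ovs-vswitchd pid; an empty result means the daemon's retained set is limited to the networking and locking capabilities it needs.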
