[openstack-dev] "Evil" Firmware

Ian Wells ijw.ubuntu at cack.org.uk
Fri Jan 17 12:17:08 UTC 2014

On 17 January 2014 01:16, Chris Friesen <chris.friesen at windriver.com> wrote:

> On 01/16/2014 05:12 PM, CARVER, PAUL wrote:
>> Jumping back to an earlier part of the discussion, it occurs to me
>> that this has broader implications. There's some discussion going on
>> under the heading of Neutron with regard to PCI passthrough. I
>> imagine it's under Neutron because of a desire to provide passthrough
>> access to NICs, but given some of the activity around GPU based
>> computing it seems like sooner or later someone is going to try to
>> offer multi-tenant cloud servers with the ability to do GPU based
>> computing if they haven't already.
> I'd expect that the situation with PCI passthrough may be a bit different,
> at least in the common case.
> The usual scenario is to use SR-IOV to have a single physical device
> expose a bunch of virtual functions, and then a virtual function is passed
> through into a guest.

That entirely depends on the card in question.  Some cards support SRIOV
and some don't (you wouldn't normally use SRIOV on a GPU, as I understand
it, though you might reasonably expect it on a modern network card).  Even
on cards that do support SRIOV there's nothing stopping you assigning the
whole card.

But from the discussion here it seems that (whole card passthrough) +
(reprogrammable firmware) would be the danger, and programmatically
there's no way to tell from the passthrough code in Nova whether any given
card has programmable firmware.  It's a fairly safe bet you can't reprogram
firmware permanently from a VF, agreed.
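An added illustration of the distinction made above, written for this page and not taken from Nova or any OpenStack project: a small policy check that reads the sysfs layout the Linux kernel exposes for a PCI device (a VF carries a "physfn" symlink to its parent PF; a PF with SR-IOV capability carries "sriov_totalvfs"), lets VFs through, and refuses a whole card unless its vendor:device pair is on an operator-maintained allowlist. The allowlist contents, the fake sysfs tree and the device IDs in it are constructed for the example; nothing in sysfs says whether a card's firmware is reprogrammable, which is exactly why the whole-card case falls back on a human decision.

```python
import os
import tempfile

# Operator-maintained allowlist of whole cards judged safe to hand to tenants,
# keyed by "vendor:device" as read from sysfs. These IDs are constructed
# placeholders for the example, not vetted real hardware.
WHOLE_CARD_ALLOWLIST = {"0x1234:0x0001"}


def classify_pci_device(dev_path):
    """Return 'vf', 'pf_sriov' or 'pf' for a /sys/bus/pci/devices/<bdf> entry.

    A VF carries a 'physfn' symlink back to its parent PF; a PF that supports
    SR-IOV carries 'sriov_totalvfs'. Anything else is a plain whole card.
    """
    if os.path.islink(os.path.join(dev_path, "physfn")):
        return "vf"
    if os.path.exists(os.path.join(dev_path, "sriov_totalvfs")):
        return "pf_sriov"
    return "pf"


def pci_ident(dev_path):
    """Read the 'vendor:device' pair the kernel exposes for the device."""
    ids = []
    for name in ("vendor", "device"):
        with open(os.path.join(dev_path, name)) as f:
            ids.append(f.read().strip().lower())
    return ":".join(ids)


def passthrough_decision(dev_path, allowlist=WHOLE_CARD_ALLOWLIST):
    """Decide whether a device may be passed through to a tenant VM.

    VFs are accepted on the assumption made in the thread: a tenant cannot
    permanently reflash the card from a VF. Whole cards (PF or non-SR-IOV
    device) are accepted only when an operator has vetted the firmware,
    because sysfs cannot tell us whether that firmware is reprogrammable.
    """
    kind = classify_pci_device(dev_path)
    if kind == "vf":
        return ("allow", "virtual function")
    ident = pci_ident(dev_path)
    if ident in allowlist:
        return ("allow", "whole card %s on operator allowlist" % ident)
    return ("deny", "whole card %s: firmware not vetted" % ident)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def build_fake_sysfs(root):
    """Construct a miniature sysfs tree (sample data, not real hardware).

    0000:03:00.0  SR-IOV NIC physical function (vendor 0x1234, device 0x0001)
    0000:03:10.0  one of its virtual functions
    0000:04:00.0  GPU without SR-IOV (vendor 0xabcd, device 0x0002)
    """
    devs = os.path.join(root, "bus", "pci", "devices")
    pf = os.path.join(devs, "0000:03:00.0")
    vf = os.path.join(devs, "0000:03:10.0")
    gpu = os.path.join(devs, "0000:04:00.0")
    for d in (pf, vf, gpu):
        os.makedirs(d)
    _write(os.path.join(pf, "vendor"), "0x1234\n")
    _write(os.path.join(pf, "device"), "0x0001\n")
    _write(os.path.join(pf, "sriov_totalvfs"), "8\n")
    _write(os.path.join(vf, "vendor"), "0x1234\n")
    _write(os.path.join(vf, "device"), "0x1001\n")
    os.symlink(pf, os.path.join(vf, "physfn"))
    _write(os.path.join(gpu, "vendor"), "0xabcd\n")
    _write(os.path.join(gpu, "device"), "0x0002\n")
    return {"pf": pf, "vf": vf, "gpu": gpu}


def demo():
    """Run the policy over the constructed tree; returns {name: (kind, decision)}."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_fake_sysfs(root)
        return {name: (classify_pci_device(p), passthrough_decision(p))
                for name, p in paths.items()}


if __name__ == "__main__":
    for name, (kind, (verdict, why)) in sorted(demo().items()):
        print("%-4s %-8s %-5s %s" % (name, kind, verdict, why))
```

Run against a real host, the same functions would take /sys/bus/pci/devices/<bdf> directly; the VF rule still rests on the PF driver and the card itself honouring the VF/PF split, so the allowlist is where an operator records which whole cards they have actually checked.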
