On Sat, Jun 10, 2017 at 02:11:13PM +0000, Majd Dibbiny wrote:

> >> This is especially true for mlx nics as there are many raw packet
> >> bypass mechanisms available to userspace.

> All of the Raw packet bypass mechanisms are restricted to
> CAP_NET_RAW, and thus malicious users can't simply open a RAW Packet
> QP and send it to the FPGA.

It is a big expansion of CAP_NET_RAW to basically also include
reconfiguring ipsec xfrm.

Plus, if someone configures Ethernet bridging (e.g. in a VM situation)
then could a hacked VM reconfigure this FPGA?

Jason
