Merge "Translate VF network capabilities to port binding" into stable/2023.1

Author: Zuul

nova/network/neutron.py

@@ -1601,6 +1601,13 @@ def _get_vf_pci_device_profile(self, pci_dev):
                 'pf_mac_address': pf_mac,
                 'vf_num': vf_num,
             })
+
+        # Update port binding capabilities using PCI device's network
+        # capabilities if they exist.
+        pci_net_caps = pci_dev.network_caps
+        if pci_net_caps:
+            vf_profile.update({'capabilities': pci_net_caps})
+
         return vf_profile
 
     def _get_pci_device_profile(self, pci_dev):

nova/objects/pci_device.py

@@ -588,6 +588,13 @@ def mac_address(self):
         """
         return self.extra_info.get('mac_address')
 
+    @property
+    def network_caps(self):
+        """PCI device network capabilities or empty list if not available"""
+        caps_json = self.extra_info.get('capabilities', '{}')
+        caps = jsonutils.loads(caps_json)
+        return caps.get('network', [])
+
 
 @base.NovaObjectRegistry.register
 class PciDeviceList(base.ObjectListBase, base.NovaObject):

nova/tests/fixtures/libvirt_data.py

@@ -2182,6 +2182,7 @@ def fake_kvm_guest():
         <feature name='rxvlan'/>
         <feature name='txvlan'/>
         <feature name='rxhash'/>
+        <feature name='switchdev'/>
         <capability type='80203'/>
       </capability>
     </device>""",  # noqa:E501

nova/tests/unit/network/test_neutron.py

@@ -8144,17 +8144,20 @@ def test__get_vf_pci_device_profile(self):
                        'pf_mac_address': '52:54:00:1e:59:c6',
                        'vf_num': 1,
                    },
+                   'network_caps': ['gso', 'sg', 'tso', 'tx'],
                    'dev_type': obj_fields.PciDeviceType.SRIOV_VF,
                   }
         PciDevice = collections.namedtuple('PciDevice',
                                ['vendor_id', 'product_id', 'address',
                                 'card_serial_number', 'sriov_cap',
-                                'dev_type', 'parent_addr'])
+                                'dev_type', 'parent_addr',
+                                'network_caps'])
         mydev = PciDevice(**pci_dev)
         self.assertEqual(self.api._get_vf_pci_device_profile(mydev),
                          {'pf_mac_address': '52:54:00:1e:59:c6',
                           'vf_num': 1,
-                          'card_serial_number': 'MT2113X00000'})
+                          'card_serial_number': 'MT2113X00000',
+                          'capabilities': ['gso', 'sg', 'tso', 'tx']})
 
     @mock.patch.object(
         neutronapi.API, '_get_vf_pci_device_profile',

nova/tests/unit/objects/test_pci_device.py

@@ -171,6 +171,16 @@ def test_pci_device_extra_info_card_serial_number(self):
         self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
         self.assertEqual(self.pci_device.card_serial_number, '42')
 
+    def test_pci_device_extra_info_network_capabilities(self):
+        self.dev_dict = copy.copy(dev_dict)
+        self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
+        self.assertEqual(self.pci_device.network_caps, [])
+
+        self.dev_dict = copy.copy(dev_dict)
+        self.dev_dict['capabilities'] = {'network': ['sg', 'tso', 'tx']}
+        self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
+        self.assertEqual(self.pci_device.network_caps, ['sg', 'tso', 'tx'])
+
     def test_update_device(self):
         self.pci_device = pci_device.PciDevice.create(None, dev_dict)
         self.pci_device.obj_reset_changes()

nova/tests/unit/virt/libvirt/test_host.py

@@ -1343,7 +1343,7 @@ def test_get_pcidev_info(self):
             "parent_ifname": "ens1",
             "capabilities": {
                 "network": ["rx", "tx", "sg", "tso", "gso", "gro", "rxvlan",
-                            "txvlan", "rxhash"],
+                            "txvlan", "rxhash", "switchdev"],
                 "sriov": {"pf_mac_address": "52:54:00:1e:59:c6",
                           "vf_num": 1},
                 # Should be obtained from the parent PF in this case.

releasenotes/notes/translate_vf_network_capabilities_to_port_binding-48abbfe0ce2923cf.yaml

@@ -0,0 +1,16 @@
+---
+fixes:
+  - |
+    Previously ``switchdev`` capabilities should be configured manually by a
+    user with admin privileges using port's binding profile. This blocked
+    regular users from managing ports with Open vSwitch hardware offloading
+    as providing write access to a port's binding profile to non-admin users
+    introduces security risks. For example, a binding profile may contain a
+    ``pci_slot`` definition, which denotes the host PCI address of the
+    device attached to the VM. A malicious user can use this parameter to
+    passthrough any host device to a guest, so it is impossible to provide
+    write access to a binding profile to regular users in many scenarios.
+
+    This patch fixes this situation by translating VF capabilities reported
+    by Libvirt to Neutron port binding profiles. Other VF capabilities are
+    translated as well for possible future use.