From: Yunsheng Lin linyunsheng@huawei.com Sent: Wednesday, June 9, 2021 2:46 PM
[..]
Is there any reason why a VF uses its own devlink instance?
The primary use case for VFs is virtual environments where the guest isn't trusted, so tying the VF to the main devlink instance, over which the guest should have no control, is counterproductive.
The security concern is mainly about the VF being used in the container case, right? Because when a VF is used in a VM, it is a different host, which means a different devlink instance for the VF, so there is no security issue in the VM case? But that might not be the case for a VF used in a container?
A devlink instance has a net namespace attached to it, controlled using the devlink reload command. So a VF devlink instance can be assigned to a container/process running in a specific net namespace.
$ ip netns add n1
$ devlink dev reload pci/0000:06:00.4 netns n1
                         ^^^^^^^^^^^^^
                         PCI VF/PF/SF.
Also, there is a "switch_id" concept from jiri's example, which seems not to be implemented yet?
switch_id is present for switch ports in [1] and documented in [2].
[1] /sys/class/net/representor_netdev/phys_switch_id
[2] https://www.kernel.org/doc/Documentation/networking/switchdev.txt, "Switch ID"
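The reload-into-netns procedure and the phys_switch_id lookup discussed above, as an added example that is not part of the thread or of iproute2/devlink itself. It assumes iproute2 `ip` and `devlink` are installed and that the caller is root; the handle format `pci/DDDD:BB:DD.F`, the namespace name `n1`, and the `DEVLINK_DRY_RUN` switch are assumptions of this script. The security-relevant check is the one after the reload: the device handle must no longer be visible to the host's devlink instance, only from inside the target namespace.

```shell
#!/bin/sh
# Added example, not code from the thread or from the devlink project.
# Moves a devlink instance (PCI VF/PF/SF) into a net namespace and verifies
# that the host devlink instance can no longer see it. Set DEVLINK_DRY_RUN=1
# to print the commands instead of executing them (assumed helper variable).

# Accept only a PCI devlink handle of the form pci/DDDD:BB:DD.F (hex digits,
# function 0-7); anything else is rejected before it reaches devlink.
valid_devlink_handle() {
    case "$1" in
        pci/[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Run a command, or just print it when DEVLINK_DRY_RUN=1.
run() {
    if [ "${DEVLINK_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the namespace and reload the devlink instance into it.
move_devlink_to_netns() {
    dev=$1
    ns=$2
    if ! valid_devlink_handle "$dev"; then
        printf 'refusing to reload: bad devlink handle %s\n' "$dev" >&2
        return 2
    fi
    run ip netns add "$ns" || return 1
    run devlink dev reload "$dev" netns "$ns"
}

# After the reload the handle must be gone from the host devlink instance
# and present inside the namespace; a tenant in the host netns must not be
# able to address it any more.
verify_isolation() {
    dev=$1
    ns=$2
    if devlink dev show "$dev" >/dev/null 2>&1; then
        printf 'FAIL: %s is still visible to the host devlink instance\n' "$dev" >&2
        return 1
    fi
    if ! ip netns exec "$ns" devlink dev show "$dev" >/dev/null 2>&1; then
        printf 'FAIL: %s is not visible inside netns %s\n' "$dev" "$ns" >&2
        return 1
    fi
    printf 'OK: %s is reachable only from netns %s\n' "$dev" "$ns"
}

# Read the switch id of a netdev ([1] above); empty and non-zero status
# when the netdev does not exist or is not a switchdev port.
switch_id_of() {
    cat "/sys/class/net/$1/phys_switch_id" 2>/dev/null
}

# Two netdevs belong to the same switch when their phys_switch_id matches.
same_switch() {
    a=$(switch_id_of "$1") || return 1
    b=$(switch_id_of "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (as root):
#   move_devlink_to_netns pci/0000:06:00.4 n1 && verify_isolation pci/0000:06:00.4 n1
#   same_switch eth2 eth3 && echo "same switch"
```

`verify_isolation` checks the handle itself rather than relying on the reload's exit status, because a successful reload into the wrong namespace would look identical from the exit code alone.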