[PATCH 01/13] drm/amdgpu: introduce and honour DRM_FORCE_AUTH workaround

Fri Jun 21 10:16:42 UTC 2019

Am 21.06.19 um 11:35 schrieb Daniel Vetter:
> On Fri, Jun 21, 2019 at 11:25 AM Koenig, Christian
> <Christian.Koenig at amd.com> wrote:
>> Am 21.06.19 um 11:09 schrieb Daniel Vetter:
>>> On Fri, Jun 21, 2019 at 07:12:14AM +0000, Koenig, Christian wrote:
>>>> Am 20.06.19 um 18:30 schrieb Emil Velikov:
>>>>> On 2019/06/14, Koenig, Christian wrote:
>>>>>> Am 14.06.19 um 17:53 schrieb Emil Velikov:
>>>>>>> On 2019/06/14, Koenig, Christian wrote:
>>>>>>>> Am 14.06.19 um 14:09 schrieb Emil Velikov:
>>>>>>>>> On 2019/05/27, Emil Velikov wrote:
>>>>>>>>> [SNIP]
>>>>>>>>> Hi Christian,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> In the following, I would like to summarise and emphasize the need for
>>>>>>>>> DRM_AUTH removal. I would kindly ask you to spend a couple of minutes
>>>>>>>>> extra reading it.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Today DRM drivers* do not make any distinction between primary and
>>>>>>>>> render node clients.
>>>>>>>> That is actually not 100% correct. We have a special case where a DRM
>>>>>>>> master is allowed to change the priority of render node clients.
>>>>>>>>
>>>>>>> Can you provide a link? I cannot find that code.
>>>>>> See amdgpu_sched_ioctl().
>>>>>>
>>>>>>>>> Thus for a render capable driver, any premise of
>>>>>>>>> separation, security or otherwise imposed via DRM_AUTH is a fallacy.
>>>>>>>> Yeah, that's what I agree on. I just don't think that removing DRM_AUTH
>>>>>>>> now is the right direction to take.
>>>>>>>>
>>>>>>> Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW
>>>>>>> ioctls.
>>>>>>>
>>>>>>> That aside, can you propose an alternative solution that addresses this
>>>>>>> and the second point just below?
>>>>>> Give me a few days to work on this, it's already Friday 6pm here.
>>>>>>
>>>>> Hi Christian,
>>>>>
>>>>> Any progress? As mentioned earlier, I'm OK with writing the patches although
>>>>> I would love to hear your plan.
>>>> First of all I tried to disable DRM authentication completely with a
>>>> kernel config option. Surprisingly that actually works out of the box at
>>>> least on the AMDGPU stack.
>>>>
>>>> This effectively allows us to get rid of DRI2 and the related security
>>>> problems. Only thing left for that is that I'm just not sure how to
>>>> signal this to userspace so that the DDX wouldn't advertise DRI2 at all
>>>> any more.
>>>>
>>>>
>>>> As a next step I looked into if we can disable the command submission
>>>> for DRM master. Turned out that this is relatively easy as well.
>>>>
>>>> All we have to do is to fix the bug Michel pointed out about KMS handles
>>>> for display and let the DDX use a render node instead of the DRM master
>>>> for Glamor. Still need to sync up with Michel and/or Marek whats the
>>>> best way of doing this.
>>>>
>>>>
>>>> The last step (and that's what I haven't tried yet) would be to disable
>>>> DRM authentication for Navi even when it is still compiled into the
>>>> kernel. But that is more or less just a typing exercise.
>>> So just to get this straight, we're now full on embracing a subsystem
>>> split here:
>>> - amdgpu plans to ditch dri2/rendering on primary nodes
>>> - bunch of drivers (I think more than i915 by now) merged the DRM_AUTH
>>>     removal
>>> - others are just hanging in there somehow
>>>
>>> "best of both^W worlds" ftw?
>> Yes, exactly!
>>
>> Think a step further, when this is upstream we can apply the DRM_AUTH
>> removal to amdgpu as well.
>>
>> Because we simply made sure that userspace is using the render node for
>> command submission and not the primary node.
>>
>> So nobody can go ahead and remove render node support any more :)
> How does this work? I thought the entire problem of DRM_AUTH removal
> for you was that it broke stuff, and you didn't want to deal with
> that.

Yeah, that is indeed still true.

It's just that we have done way to many projects with radeon/amdgpu and 
customized userspace stuff.

> We still have that exact problem afaics ... old userspace
> doesn't simply vanish, even if you entirely nuke it going forward.

Well old userspace doesn't work with new hardware either.

So the idea is to keep old userspace for old hardware working, but only 
disable old stuff for new hardware.

> Also, testing on the amdgpu stack isn't really testing a hole lot
> here, it's all the various silly compositors out there I'd expect to
> fall over. Will gbm/radeonsi/whatever just internally do all the
> necessary dma-buf import/export between the primary node and display
> node to keep this all working?

Yes, at least that's how I understand Michel's idea.

We keep both file descriptors for primary and render node around at the 
same time anyway. So the change is actually not that much.

This also solves the problem that people are running things as root, 
since we now always use the render node and never the primary node for 
everything except KMS.

Christian.

> -Daniel