[PATCH 01/13] drm/amdgpu: introduce and honour DRM_FORCE_AUTH workaround

Fri Jun 21 09:25:14 UTC 2019

Am 21.06.19 um 11:09 schrieb Daniel Vetter:
> On Fri, Jun 21, 2019 at 07:12:14AM +0000, Koenig, Christian wrote:
>> Am 20.06.19 um 18:30 schrieb Emil Velikov:
>>> On 2019/06/14, Koenig, Christian wrote:
>>>> Am 14.06.19 um 17:53 schrieb Emil Velikov:
>>>>> On 2019/06/14, Koenig, Christian wrote:
>>>>>> Am 14.06.19 um 14:09 schrieb Emil Velikov:
>>>>>>> On 2019/05/27, Emil Velikov wrote:
>>>>>>> [SNIP]
>>>>>>> Hi Christian,
>>>>>>>
>>>>>>>
>>>>>>> In the following, I would like to summarise and emphasize the need for
>>>>>>> DRM_AUTH removal. I would kindly ask you to spend a couple of minutes
>>>>>>> extra reading it.
>>>>>>>
>>>>>>>
>>>>>>> Today DRM drivers* do not make any distinction between primary and
>>>>>>> render node clients.
>>>>>> That is actually not 100% correct. We have a special case where a DRM
>>>>>> master is allowed to change the priority of render node clients.
>>>>>>
>>>>> Can you provide a link? I cannot find that code.
>>>> See amdgpu_sched_ioctl().
>>>>
>>>>>>> Thus for a render capable driver, any premise of
>>>>>>> separation, security or otherwise imposed via DRM_AUTH is a fallacy.
>>>>>> Yeah, that's what I agree on. I just don't think that removing DRM_AUTH
>>>>>> now is the right direction to take.
>>>>>>
>>>>> Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW
>>>>> ioctls.
>>>>>
>>>>> That aside, can you propose an alternative solution that addresses this
>>>>> and the second point just below?
>>>> Give me a few days to work on this, it's already Friday 6pm here.
>>>>
>>> Hi Christian,
>>>
>>> Any progress? As mentioned earlier, I'm OK with writing the patches although
>>> I would love to hear your plan.
>> First of all I tried to disable DRM authentication completely with a
>> kernel config option. Surprisingly that actually works out of the box at
>> least on the AMDGPU stack.
>>
>> This effectively allows us to get rid of DRI2 and the related security
>> problems. Only thing left for that is that I'm just not sure how to
>> signal this to userspace so that the DDX wouldn't advertise DRI2 at all
>> any more.
>>
>>
>> As a next step I looked into if we can disable the command submission
>> for DRM master. Turned out that this is relatively easy as well.
>>
>> All we have to do is to fix the bug Michel pointed out about KMS handles
>> for display and let the DDX use a render node instead of the DRM master
>> for Glamor. Still need to sync up with Michel and/or Marek whats the
>> best way of doing this.
>>
>>
>> The last step (and that's what I haven't tried yet) would be to disable
>> DRM authentication for Navi even when it is still compiled into the
>> kernel. But that is more or less just a typing exercise.
> So just to get this straight, we're now full on embracing a subsystem
> split here:
> - amdgpu plans to ditch dri2/rendering on primary nodes
> - bunch of drivers (I think more than i915 by now) merged the DRM_AUTH
>    removal
> - others are just hanging in there somehow
>
> "best of both^W worlds" ftw?

Yes, exactly!

Think a step further, when this is upstream we can apply the DRM_AUTH 
removal to amdgpu as well.

Because we simply made sure that userspace is using the render node for 
command submission and not the primary node.

So nobody can go ahead and remove render node support any more :)

Regards,
Christian.

> -Daniel