[PATCH 01/13] drm/amdgpu: introduce and honour DRM_FORCE_AUTH workaround

Koenig, Christian Christian.Koenig at amd.com
Mon May 27 10:47:39 UTC 2019 

Am 27.05.19 um 10:17 schrieb Emil Velikov:
> From: Emil Velikov <emil.velikov at collabora.com>
>
> Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the
> render node. A seemingly deliberate design decision.
>
> Hence we can drop the DRM_AUTH all together (details in follow-up patch)
> yet not all userspace checks if it's authenticated, but instead uses
> uncommon assumptions.
>
> After days of digging through git log and testing, only a single (ab)use
> was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and
> assuming that failure implies lack of authentication.
>
> Affected versions are:
>   - the whole 18.2.x series, which is EOL
>   - the whole 18.3.x series, which is EOL
>   - the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

For the record: I strongly think that we don't want to expose any render 
functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we 
should completely disable DRI2 for one of the next generations.

As a follow up I would then completely disallow the DRM authentication 
for amdgpu, so that the command submission interface on the primary node 
can only be used by the display server.

Regards,
Christian.

>
> Add a special quirk for that case, thus we can drop DRM_AUTH bits as
> mentioned earlier.
>
> Since all the affected userspace is EOL, we also add a kconfig option
> to disable this quirk.
>
> The whole approach is inspired by DRIVER_KMS_LEGACY_CONTEXT
>
> Cc: Alex Deucher <alexander.deucher at amd.com>
> Cc: Christian König <christian.koenig at amd.com>
> Cc: amd-gfx at lists.freedesktop.org
> Cc: David Airlie <airlied at linux.ie>
> Cc: Daniel Vetter <daniel at ffwll.ch>
> Signed-off-by: Emil Velikov <emil.velikov at collabora.com>
> ---
>   drivers/gpu/drm/amd/amdgpu/Kconfig      | 16 ++++++++++++++++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 12 +++++++++++-
>   drivers/gpu/drm/drm_ioctl.c             |  5 +++++
>   include/drm/drm_ioctl.h                 | 17 +++++++++++++++++
>   4 files changed, 49 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/Kconfig b/drivers/gpu/drm/amd/amdgpu/Kconfig
> index 9221e5489069..da415f445187 100644
> --- a/drivers/gpu/drm/amd/amdgpu/Kconfig
> +++ b/drivers/gpu/drm/amd/amdgpu/Kconfig
> @@ -40,6 +40,22 @@ config DRM_AMDGPU_GART_DEBUGFS
>   	  Selecting this option creates a debugfs file to inspect the mapped
>   	  pages. Uses more memory for housekeeping, enable only for debugging.
>   
> +config DRM_AMDGPU_FORCE_AUTH
> +	bool "Force authentication check on AMDGPU_INFO ioctl"
> +	default y
> +	help
> +	  There were some version of the Mesa RADV drivers, which relied on
> +	  the ioctl failing, if the client is not authenticated.
> +
> +	  Namely, the following versions are affected:
> +	    - the whole 18.2.x series, which is EOL
> +	    - the whole 18.3.x series, which is EOL
> +	    - the 19.0.x series, prior to 19.0.4
> +
> +	  Modern distributions, should disable this. That will allow various
> +	  other clients to work, that would otherwise require root privileges.
> +
> +
>   source "drivers/gpu/drm/amd/acp/Kconfig"
>   source "drivers/gpu/drm/amd/display/Kconfig"
>   source "drivers/gpu/drm/amd/amdkfd/Kconfig"
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> index b17d0545728e..b8076929440b 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> @@ -1214,7 +1214,17 @@ const struct drm_ioctl_desc amdgpu_ioctls_kms[] = {
>   	DRM_IOCTL_DEF_DRV(AMDGPU_GEM_MMAP, amdgpu_gem_mmap_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
>   	DRM_IOCTL_DEF_DRV(AMDGPU_GEM_WAIT_IDLE, amdgpu_gem_wait_idle_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
>   	DRM_IOCTL_DEF_DRV(AMDGPU_CS, amdgpu_cs_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
> -	DRM_IOCTL_DEF_DRV(AMDGPU_INFO, amdgpu_info_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
> +	/* The DRM_FORCE_AUTH is effectively a workaround for the RADV Mesa driver.
> +	 * This is required for Mesa:
> +	 *  - the whole 18.2.x series, which is EOL
> +	 *  - the whole 18.3.x series, which is EOL
> +	 *  - the 19.0.x series, prior to 19.0.4
> +	 */
> +	DRM_IOCTL_DEF_DRV(AMDGPU_INFO, amdgpu_info_ioctl,
> +#if defined(DRM_AMDGPU_FORCE_AUTH)
> +		DRM_FORCE_AUTH|
> +#endif
> +		DRM_AUTH|DRM_RENDER_ALLOW),
>   	DRM_IOCTL_DEF_DRV(AMDGPU_WAIT_CS, amdgpu_cs_wait_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
>   	DRM_IOCTL_DEF_DRV(AMDGPU_WAIT_FENCES, amdgpu_cs_wait_fences_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
>   	DRM_IOCTL_DEF_DRV(AMDGPU_GEM_METADATA, amdgpu_gem_metadata_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 2263e3ddd822..9841c0076f02 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -544,6 +544,11 @@ int drm_ioctl_permit(u32 flags, struct drm_file *file_priv)
>   		     drm_is_render_client(file_priv)))
>   		return -EACCES;
>   
> +	/* FORCE_AUTH is only for authenticated or render client */
> +	if (unlikely((flags & DRM_FORCE_AUTH) && !drm_is_render_client(file_priv) &&
> +		     !file_priv->authenticated))
> +		return -EACCES;
> +
>   	return 0;
>   }
>   EXPORT_SYMBOL(drm_ioctl_permit);
> diff --git a/include/drm/drm_ioctl.h b/include/drm/drm_ioctl.h
> index fafb6f592c4b..6084ee32043d 100644
> --- a/include/drm/drm_ioctl.h
> +++ b/include/drm/drm_ioctl.h
> @@ -126,6 +126,23 @@ enum drm_ioctl_flags {
>   	 * not set DRM_AUTH because they do not require authentication.
>   	 */
>   	DRM_RENDER_ALLOW	= BIT(5),
> +	/**
> +	 * @DRM_FORCE_AUTH:
> +	 *
> +	 * Authentication of the primary node is mandatory. Regardless that the
> +	 * user can usually circumvent that by using the render node with exact
> +	 * same ioctl.
> +	 *
> +	 * Note: this is effectively a workaround for AMDGPU AMDGPU_INFO ioctl
> +	 * and the RADV Mesa driver. This is required for Mesa:
> +	 *  - the whole 18.2.x series, which is EOL
> +	 *  - the whole 18.3.x series, which is EOL
> +	 *  - the 19.0.x series, prior to 19.0.4
> +	 *
> +	 * Note: later patch will effectively drop the DRM_AUTH for ioctls
> +	 * annotated as DRM_AUTH | DRM_RENDER_ALLOW.
> +	 */
> +	DRM_FORCE_AUTH          = BIT(6),
>   };
>   
>   /**

More information about the dri-devel mailing list