RFC: Drm-connector properties managed by another driver / privacy screen support

[Hans de Goede]

Hi,

On 4/17/20 1:55 PM, Jani Nikula wrote:
> On Fri, 17 Apr 2020, Pekka Paalanen <ppaalanen at gmail.com> wrote:
>> On Wed, 15 Apr 2020 17:40:46 +0200
>> Hans de Goede <hdegoede at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> On 4/15/20 5:28 PM, Jani Nikula wrote:
>>>> On Wed, 15 Apr 2020, Hans de Goede <hdegoede at redhat.com> wrote:
>>>>> ii. Currently the "privacy-screen" property added by Rajat's
>>>>> patch-set is an enum with 2 possible values:
>>>>> "Enabled"
>>>>> "Disabled"
>>>>>
>>>>> We could add a third value "Not Available", which would be the
>>>>> default and then for internal panels always add the property
>>>>> so that we avoid the problem that detecting if the laptop has
>>>>> an internal privacy screen needs to be done before the connector
>>>>> is registered. Then we can add some hooks which allow an
>>>>> lcdshadow-driver to register itself against a connector later
>>>>> (which is non trivial wrt probe order, but lets ignore that for now).
>>>>
>>>> I regret dropping the ball on Rajat's series (sorry!).
>>>>
>>>> I do think having the connector property for this is the way to go.
>>>
>>> I 100% agree.
>>>
>>>> Even
>>>> if we couldn't necessarily figure out all the details on the kernel
>>>> internal connections, can we settle on the property though, so we could
>>>> move forward with Rajat's series?
>>>
>>> Yes please, this will also allow us to move forward with userspace
>>> support even if for testing that we do some hacks for the kernel's
>>> internal connections for now.
>>>
>>>> Moreover, do we actually need two properties, one which could indicate
>>>> userspace's desire for the property, and another that tells the hardware
>>>> state?
>>>
>>> No I do not think so. I would expect there to just be one property,
>>> I guess that if the state is (partly) firmware controlled then there
>>> might be a race, but we will need a notification mechanism (*) for
>>> firmware triggered state changes anyways, so shortly after loosing
>>> the race userspace will process the notification and it will know
>>> about it.
>>>
>>> One thing which might be useful is a way to signal that the property
>>> is read-only in case we ever hit hw where that is the case.
>>>
>>>> I'd so very much like to have no in-kernel/in-firmware shortcuts
>>>> to enable/disable the privacy screen, and instead have any hardware
>>>> buttons just be events that the userspace could react to. However I
>>>> don't think that'll be the case unfortunately.
>>>
>>> In my experience with keyboard-backlight support, we will (unfortunately)
>>> see a mix and in some case we will get a notification that the firmware
>>> has adjusted the state, rather then just getting a keypress and
>>> dealing with that ourselves.  In some cases we may even be able to
>>> choose, so the fw will deal with it by default but we can ask it
>>> to just send a key-press.  But I do believe that we can *not* expect
>>> that we will always just get a keypress for userspace to deal with.
>>
>> Hi,
>>
>> let's think about how userspace uses atomic KMS UAPI. The simplest way
>> to use atomic correctly is that userspace will for every update send the
>> full, complete set of all properties that exist, both known and unknown
>> to userspace (to recover from temporarily VT-switching to another KMS
>> program that changes unknown properties). Attempting to track which
>> properties already have their correct values in the kernel is extra
>> work for just extra bugs.
>>
>> Assuming the property is userspace-writable: if kernel goes and
>> changes the property value on its own, it will very likely be just
>> overwritten by userspace right after if userspace does not manage to
>> process the uevent first. If that happens and userspace later
>> processes the uevent, userspace queries the kernel for the current
>> proprerty state which is now what userspace wrote, not what firmware
>> set.
>>
>> Therefore you end up with the firmware hotkey working only randomly.
>>
>> It would be much better to have the hotkey events delivered to
>> userspace so that userspace can control the privacy screen and
>> everything will be reliable, both the hotkeys and any GUI for it.
> 
> I'd like this too. However I fear this is out of our control, and OEMs
> have and will anyway fiddle with the privacy screen directly no matter
> what we say, and we can't prevent that. From their POV it's easier for
> them to do their value-add in components they have total control over. I
> emphatize with that view, even if it's counter-productive from the Linux
> ecosystem POV.
> 
> So we'll just have to deal with it.

Ack, at least that is the case for the current generation Lenovo devices.

>> The other reliable option is that userspace must never be able to
>> change privacy screen state, only the hardware hotkeys can.
> 
> That, in turn, discourages anyone from doing the right thing, and blocks
> us from adding any nice additional features for privacy screens that
> only the userspace is capable of managing. For example, controlling
> privacy screen based on content, which seems like an obvious feature.

Right.

So we have the case here were both the firmware and userspace may change
the privacyscreen state (on/off) at any time.

This means that the atomic API use described by Pekka for this, where
userspace keeps all properties in memory, updates the one which it
wants to change and then commits simply cannot work here.

Userspace should only include this property in the transaction if
it actually wants to change it. Or it should do a read of it
and update its internal state before committing that state unless
it wants to change it. But always blindly committing the last value
used by userspace will simply not work, because then there is no
way for the kernel to know if userspace is just repeating itself
or actually wants to change the property.

As for the one vs two properties. For the current hw userspace can
always change the state at any time. But I can envision devices
where there is a hardware override forcing the privacy screen to
be on. So I guess that a r/w "software state" + a ro "hardware state"
property would make sense. Note that with the current gen. Lenovo
devices the hw-state will simply be a mirror of the sw-state and
the sw-state will be toggled by the firmware independently of
the last value requested by userspace.

I guess we could add a third ro firmware-state property, which
would reflect the last firmware requested value, but I cannot
really come up with clear semantics for this; nor can I come
up with how this actually helps.

TL;DR: Yes there will be races, because of both userspace +
the firmware having; and potentially using r/w access to
the privacy-screen state. But in practice I expect these
to not really be an issue. Important here is that userspace
only commits the property in a transaction to commit if
it actually intends to change the property so as to not
needlessly create a situation where we might hit the race.

As for 1 vs 2 properties for this I guess that in preparation
for potential devices where the state is locked, having a
r/w sw-state + a ro hw-state property makes sense.

So I suggest that we replace the current "privacy-screen" property
from Rajat's patch-set with 2 props named:

"privacy-screen-sw-state" (r/w)
"privacy-screen-hw-state" (ro)

Where for current gen hardware the privacy-screen-hw-state is
just a mirror of the sw-state.

Regards,

Hans