pages pinned for BO lifetime and security
Gurchetan Singh
gurchetansingh at chromium.org
Wed Jul 22 00:22:29 UTC 2020
+Christian who added DMABUF_MOVE_NOTIFY which added the relevant blurb:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/dma-buf/Kconfig#n46
Currently, the user seems to amdgpu for P2P dma-buf and it seems to plumb
ttm (*move_notify) callback to dma-buf. We're not sure if it's a security
issue occurring across DRM drivers, or one more specific to the new amdgpu
use case.
On Tue, Jul 21, 2020 at 1:03 PM Chia-I Wu <olvaffe at gmail.com> wrote:
> Hi list,
>
> virtio-gpu is moving in the direction where BO pages are pinned for
> the lifetime for simplicity. I am wondering if that is considered a
> security issue in general, especially after running into the
> description of the new DMABUF_MOVE_NOTIFY config option.
>
> Most drivers do not have a shrinker, or whether a BO is purgeable is
> entirely controlled by the userspace (madvice). They can be
> categorized as "a security problem where userspace is able to pin
> unrestricted amounts of memory". But those drivers are normally found
> on systems without swap. I don't think the issue applies.
>
> Of the desktop GPU drivers, i915's shrinker certainly supports purging
> to swap. TTM is a bit hard to follow. I can't really tell if amdgpu
> or nouveau supports that. virtio-gpu is more commonly found on
> systems with swaps so I think it should follow the desktop practices?
>
> Truth is, the emulated virtio-gpu device always supports page moves
> with VIRTIO_GPU_CMD_RESOURCE_{ATTACH,DETACH}_BACKING. It is just that
> the driver does not make use of them. That makes this less of an
> issue because the driver can be fixed anytime (finger crossed that the
> emulator won't have bugs in these untested paths). This issue becomes
> more urgent because we are considering adding a new HW command[1]
> where page moves will be disallowed. We definitely don't want a HW
> command that is inherently insecure, if BO pages pinned for the
> lifetime is considered a security issue on desktops.
>
> [1] VIRTIO_GPU_CMD_RESOURCE_CREATE_BLOB
>
> https://gitlab.freedesktop.org/virgl/drm-misc-next/-/blob/virtio-gpu-next/include/uapi/linux/virtio_gpu.h#L396
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20200721/b9984b6d/attachment-0001.htm>
More information about the dri-devel
mailing list