lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 28 Feb 2023 14:23:37 +0300
From:   Dmitry Osipenko <dmitry.osipenko@...labora.com>
To:     Javier Martinez Canillas <javierm@...hat.com>,
        Gerd Hoffmann <kraxel@...hat.com>,
        Rob Clark <robdclark@...il.com>
Cc:     Rob Clark <robdclark@...omium.org>,
        open list <linux-kernel@...r.kernel.org>,
        dri-devel@...ts.freedesktop.org,
        Gurchetan Singh <gurchetansingh@...omium.org>,
        Ryan Neph <ryanneph@...omium.org>,
        David Airlie <airlied@...hat.com>,
        "open list:VIRTIO GPU DRIVER" 
        <virtualization@...ts.linux-foundation.org>
Subject: Re: [PATCH] drm/virtio: Add option to disable KMS support

On 2/28/23 12:19, Javier Martinez Canillas wrote:
> Gerd Hoffmann <kraxel@...hat.com> writes:
> 
> Hello Gerd,
> 
>> On Mon, Feb 27, 2023 at 07:40:11AM -0800, Rob Clark wrote:
>>> On Sun, Feb 26, 2023 at 10:38 PM Gerd Hoffmann <kraxel@...hat.com> wrote:
>>>> On Fri, Feb 24, 2023 at 10:02:24AM -0800, Rob Clark wrote:
>>>>> From: Rob Clark <robdclark@...omium.org>
>>>>>
>>>>> Add a build option to disable modesetting support.  This is useful in
>>>>> cases where the guest only needs to use the GPU in a headless mode, or
>>>>> (such as in the CrOS usage) window surfaces are proxied to a host
>>>>> compositor.
>>>> Why make that a compile time option?  There is a config option for the
>>>> number of scanouts (aka virtual displays) a device has.  Just set that
>>>> to zero (and fix the driver to not consider that configuration an
>>>> error).
>>> The goal is to not advertise DRIVER_MODESET (and DRIVER_ATOMIC).. I
>>> guess that could be done based on whether there are any scanouts, but
>>> it would mean making the drm_driver struct non-const.
>> Apparently there is a drm_device->driver_features override,
>> (amdgpu uses that).  The driver could simply drop the DRIVER_MODESET and
>> DRIVER_ATOMIC bits in case no scanout is present instead of throwing an
>> error.
>>
>>> And I think it is legitimate to allow the guest to make this choice,
>>> regardless of what the host decides to expose, since it is about the
>>> ioctl surface area that the guest kernel exposes to guest userspace.
>> I think it is a bad idea to make that a compile time option, I'd suggest
>> a runtime switch instead, for example a module parameter to ask the
>> driver to ignore any scanouts.
>>
> I don't think there's a need for a new module parameter, there's already
> the virtio-gpu 'modeset' module parameter to enable/disable modsetting
> and the global 'nomodeset' kernel cmdline parameter to do it for all DRM
> drivers.
> 
> Currently, many drivers just fail to probe when 'nomodeset' is present,
> but others only disable modsetting but keep the rendering part. In fact,
> most DRM only drivers just ignore the 'nomodeset' parameter.

IIUC, Rob's main point for having a config option is solely for security
reasons. The config option eliminates possibility of accidentally (or
intentionally) enabling KMS from software, which is better to have in
case of shipping a product (Chromebook) on which multiple teams are
working on.

-- 
Best regards,
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ