lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPybu_2tUmYtNiSExNGpsxcF=7EO+ZHR8eGammBsg8iFh3B3wg@mail.gmail.com>
Date: Mon, 22 Jul 2024 12:42:52 +0200
From: Ricardo Ribalda Delgado <ricardo.ribalda@...il.com>
To: Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc: Dan Williams <dan.j.williams@...el.com>, 
	James Bottomley <James.Bottomley@...senpartnership.com>, ksummit@...ts.linux.dev, 
	linux-cxl@...r.kernel.org, linux-rdma@...r.kernel.org, netdev@...r.kernel.org, 
	jgg@...dia.com
Subject: Re: [MAINTAINERS SUMMIT] Device Passthrough Considered Harmful?

On Sun, Jul 21, 2024 at 9:25 PM Laurent Pinchart
<laurent.pinchart@...asonboard.com> wrote:
>
> On Tue, Jul 09, 2024 at 03:15:13PM -0700, Dan Williams wrote:
> > James Bottomley wrote:
> > > > The upstream discussion has yielded the full spectrum of positions on
> > > > device specific functionality, and it is a topic that needs cross-
> > > > kernel consensus as hardware increasingly spans cross-subsystem
> > > > concerns. Please consider it for a Maintainers Summit discussion.
> > >
> > > I'm with Greg on this ... can you point to some of the contrary
> > > positions?
> >
> > This thread has that discussion:
> >
> > http://lore.kernel.org/0-v1-9912f1a11620+2a-fwctl_jgg@nvidia.com
> >
> > I do not want to speak for others on the saliency of their points, all I
> > can say is that the contrary positions have so far not moved me to drop
> > consideration of fwctl for CXL.
> >
> > Where CXL has a Command Effects Log that is a reasonable protocol for
> > making decisions about opaque command codes, and that CXL already has a
> > few years of experience with the commands that *do* need a Linux-command
> > wrapper.
> >
> > Some open questions from that thread are: what does it mean for the fate
> > of a proposal if one subsystem Acks the ABI and another Naks it for a
> > device that crosses subsystem functionality? Would a cynical hardware
> > response just lead to plumbing an NVME admin queue, or CXL mailbox to
> > get device-specific commands past another subsystem's objection?
>
> My default answer would be to trust the maintainers of the relevant
> subsystems (or try to convince them when you disagree :-)). Not only
> should they know the technical implications best, they should also have
> a good view of the whole vertical stack, and the implications of
> pass-through for their ecosystem. This may result in a single NAK
> overriding ACKs, but we could also try to find technical solutions when
> we'll face such issues, to enforce different sets of rules for the
> different functions of a device.
>
> Subsystem hopping is something we're recently noticed for camera ISPs,
> where a vendor wanted to move from V4L2 to DRM. Technical reasons for
> doing so were given, and they were (in my opinion) rather excuses. The
> unspoken real (again in my opinion) reason was to avoid documenting the
> firmware interface and ship userspace binary blobs with no way for free
> software to use all the device's features. That's something we have been
> fighting against for years, trying to convince vendors that they can
> provide better and more open camera support without the world
> collapsing, with increasing success recently. Saying amen to
> pass-through in this case would be a huge step back that would hurt
> users and the whole ecosystem in the short and long term.

In my view, DRM is a more suitable model for complex ISPs than V4L2:

- Userspace Complexity: ISPs demand a highly complex and evolving API,
similar to Vulkan or OpenGL. Applications typically need a framework
like libcamera to utilize ISPs effectively, much like Mesa for
graphics cards.

- Lack of Standardization: There's no universal standard for ISPs;
each vendor implements unique features and usage patterns. DRM
addresses this through vendor-specific IOCTLs

- Proprietary Architectures: Vendors often don't fully disclose their
hardware architectures. DRM cleverly only necessitates a Mesa
implementation, not comprehensive documentation.


Our current approach of pushing back against vendors, instead of
seeking compromise, has resulted in the vast majority of the market
(99% if not more) relying on out-of-tree drivers. This leaves users
with no options for utilizing their cameras outside of Android.

DRM allows a hybrid model, where:
- Open Source Foundation: Standard use cases are covered by a fully
open-source stack.
- Vendor Differentiation: Vendors retain the freedom to implement
proprietary features (e.g., automatic makeup) as closed source.

This approach would allow billions of users to access their hardware
more securely and with in-tree driver support. Our current stubborn
pursuit of an idealistic goal has already negatively impacted both
users and the ecosystem.

The late wins, in my opinion, cannot scale to the consumer market, and
Linux will remain a niche market for ISPs.


If such a hybrid model goes against Linux goals, this is something
that should be agreed upon by the whole community, so we have the same
criteria for all subsystems.



--
Ricardo Ribalda

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ