From: Thomas Hellstrom <thellstrom@vmware.com>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>
Subject: Re: DRM security flaws and security levels.
Date: Mon, 14 Apr 2014 14:56:15 +0200 [thread overview]
Message-ID: <534BDAEF.6090601@vmware.com> (raw)
In-Reply-To: <20140414134113.6c1a488d@alan.etchedpixels.co.uk>
On 04/14/2014 02:41 PM, One Thousand Gnomes wrote:
>> throw out all GPU memory on master drop and block ioctls requiring
>> authentication until master becomes active again.
> If you have a per driver method then the driver can implement whatever is
> optimal (possibly including throwing it all out).
>
>> -1: The driver allows an authenticated client to craft command streams
>> that could access any part of system memory. These drivers should be
>> kept in staging until they are fixed.
> I am not sure they belong in staging even.
>
>> 0: Drivers that are vulnerable to any of the above scenarios.
>> 1: Drivers that are immune against all above scenarios but allows any
>> authenticated client with *active* master to access all GPU memory. Any
>> enabled render nodes will be insecure, while primary nodes are secure.
>> 2: Drivers that are immune against all above scenarios and can protect
>> clients from accessing eachother's gpu memory:
>> Render nodes will be secure.
>>
>> Thoughts?
> Another magic number to read, another case to get wrong where the OS
> isn't providing security by default.
>
> If the driver can be fixed to handle it by flushing out all GPU memory
> then the driver should be fixed to do so. Adding magic udev nodes is just
> adding complexity that ought to be made to go away before it even becomes
> an API.
>
> So I think there are three cases
>
> - insecure junk driver. Shouldn't even be in staging
> - hardware isn't as smart enough, or perhaps has a performance problem so
> sometimes flushes all buffers away on a switch
> - drivers that behave well
>
> Do you then even need a sysfs node and udev hacks (remembering not
> everyone even deploys udev on their Linux based products)
>
> For the other cases
>
> - how prevalent are the problem older user space drivers nowdays ?
>
> - the fix for "won't fix" drivers is to move them to staging, and then
> if they are not fixed or do not acquire a new maintainer who will,
> delete them.
>
> - if we have 'can't fix drivers' then its a bit different and we need to
> understand better *why*.
>
> Don't screw the kernel up because there are people who can't be bothered
> to fix bugs. Moving them out of the tree is a great incentive to find
> someone to fix it.
>
On second thought I'm dropping this whole issue.
I've brought this and other security issues up before but nobody really
seems to care.
/Thomas
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Hellstrom <thellstrom@vmware.com>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: "dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: DRM security flaws and security levels.
Date: Mon, 14 Apr 2014 14:56:15 +0200 [thread overview]
Message-ID: <534BDAEF.6090601@vmware.com> (raw)
In-Reply-To: <20140414134113.6c1a488d@alan.etchedpixels.co.uk>
On 04/14/2014 02:41 PM, One Thousand Gnomes wrote:
>> throw out all GPU memory on master drop and block ioctls requiring
>> authentication until master becomes active again.
> If you have a per driver method then the driver can implement whatever is
> optimal (possibly including throwing it all out).
>
>> -1: The driver allows an authenticated client to craft command streams
>> that could access any part of system memory. These drivers should be
>> kept in staging until they are fixed.
> I am not sure they belong in staging even.
>
>> 0: Drivers that are vulnerable to any of the above scenarios.
>> 1: Drivers that are immune against all above scenarios but allows any
>> authenticated client with *active* master to access all GPU memory. Any
>> enabled render nodes will be insecure, while primary nodes are secure.
>> 2: Drivers that are immune against all above scenarios and can protect
>> clients from accessing eachother's gpu memory:
>> Render nodes will be secure.
>>
>> Thoughts?
> Another magic number to read, another case to get wrong where the OS
> isn't providing security by default.
>
> If the driver can be fixed to handle it by flushing out all GPU memory
> then the driver should be fixed to do so. Adding magic udev nodes is just
> adding complexity that ought to be made to go away before it even becomes
> an API.
>
> So I think there are three cases
>
> - insecure junk driver. Shouldn't even be in staging
> - hardware isn't as smart enough, or perhaps has a performance problem so
> sometimes flushes all buffers away on a switch
> - drivers that behave well
>
> Do you then even need a sysfs node and udev hacks (remembering not
> everyone even deploys udev on their Linux based products)
>
> For the other cases
>
> - how prevalent are the problem older user space drivers nowdays ?
>
> - the fix for "won't fix" drivers is to move them to staging, and then
> if they are not fixed or do not acquire a new maintainer who will,
> delete them.
>
> - if we have 'can't fix drivers' then its a bit different and we need to
> understand better *why*.
>
> Don't screw the kernel up because there are people who can't be bothered
> to fix bugs. Moving them out of the tree is a great incentive to find
> someone to fix it.
>
On second thought I'm dropping this whole issue.
I've brought this and other security issues up before but nobody really
seems to care.
/Thomas
next prev parent reply other threads:[~2014-04-14 12:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-11 12:42 DRM security flaws and security levels Thomas Hellstrom
2014-04-11 20:31 ` David Herrmann
2014-04-11 20:31 ` David Herrmann
2014-04-11 21:15 ` Thomas Hellstrom
2014-04-11 22:05 ` Rob Clark
2014-04-11 22:05 ` Rob Clark
2014-04-14 12:41 ` One Thousand Gnomes
2014-04-14 12:56 ` Thomas Hellstrom [this message]
2014-04-14 12:56 ` Thomas Hellstrom
2014-04-14 13:09 ` Rob Clark
2014-04-14 20:00 ` Martin Peres
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=534BDAEF.6090601@vmware.com \
--to=thellstrom@vmware.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.