All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Anholt <eric@anholt.net>
To: "Dave Airlie" <airlied@redhat.com>,
	"Kristian Høgsberg" <krh@bitplanet.net>
Cc: dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [RFC] flink_to
Date: Tue, 13 Jul 2010 10:37:52 -0700	[thread overview]
Message-ID: <87oceb8eq7.fsf@pollan.anholt.net> (raw)
In-Reply-To: <1278974662.23716.27.camel@clockmaker-el6>


[-- Attachment #1.1: Type: text/plain, Size: 2119 bytes --]

On Tue, 13 Jul 2010 08:44:22 +1000, Dave Airlie <airlied@redhat.com> wrote:
> On Mon, 2010-07-12 at 11:55 -0400, Kristian Høgsberg wrote:
> > [ Let's try this again... ]

...

> > flink_to doesn't in itself solve the security problem, since user
> > space can still submit a batch buffer that reads or writes to an
> > absolute gtt offset (that is, no relocation).  The X front buffer
> > location is typically pretty predictable, for example.  flink_to does
> > give us the infrastructure to implement a secure system though.  There
> > are several ways this could be done: use a sw command checker to
> > reject absolute gtt offsets, unbind buffers from all other clients
> > before running executing the commands or use per-process gtt or
> > similar hw support.
> 
> Doesn't solve the security problem for *Intel*. On radeon for example
> we've always provided this type of security, GEM's interface is the only
> hole in that case (apart from the sw checker maybe missing some cases).
> So I'm quite happy that this is what we'd prefer.

I know Radeon's been struggling a lot with the CPU overhead of their
command submission, and given that we're CPU bound for most performance
stuff I look at right now, I'm not thrilled by the idea of adding
command checking.  Particularly the part where we have to analyze the
shader kernels.  I'm assuming we would disallow stateless access mode
writes/reads entirely, because that lets you access arbitrary graphics
memory from your instructions, and to bounds-check that you'd have to do
it in shader execution and that probably means emitting an IR to the
kernel instead of actual instructions.

Given that the security story today on Intel is "anybody that's authed
once can access all the buffers", adding flink_to and letting people
basically get authed even when not VT switched away from the X Server
seems fine to me.  If we want to provide these security guarantees
later, then we should just unbind, or use PPGTT if available.  The
performance wins should be sizeable with going to PPGTT, so we need to
get that done anyway.

[-- Attachment #1.2: Type: application/pgp-signature, Size: 197 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel

  parent reply	other threads:[~2010-07-13 17:37 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-07-12 15:55 [RFC] flink_to Kristian Høgsberg
2010-07-12 22:44 ` Dave Airlie
2010-07-13  2:30   ` Kristian Høgsberg
2010-07-13 17:37   ` Eric Anholt [this message]
  -- strict thread matches above, loose matches on Subject: below --
2010-07-12 14:59 Kristian Høgsberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87oceb8eq7.fsf@pollan.anholt.net \
    --to=eric@anholt.net \
    --cc=airlied@redhat.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=krh@bitplanet.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.