From: Daniel Vetter <daniel@ffwll.ch>
To: Chris Wilson <chris@chris-wilson.co.uk>,
bradley.d.volkin@intel.com, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 02/13] drm/i915: Implement command buffer parsing logic
Date: Thu, 30 Jan 2014 09:53:28 +0100 [thread overview]
Message-ID: <20140130085328.GG17001@phenom.ffwll.local> (raw)
In-Reply-To: <20140129222836.GN28110@nuc-i3427.alporthouse.com>
On Wed, Jan 29, 2014 at 10:28:36PM +0000, Chris Wilson wrote:
> On Wed, Jan 29, 2014 at 01:55:03PM -0800, bradley.d.volkin@intel.com wrote:
> > +/*
> > + * Returns a pointer to a descriptor for the command specified by cmd_header.
> > + *
> > + * The caller must supply space for a default descriptor via the default_desc
> > + * parameter. If no descriptor for the specified command exists in the ring's
> > + * command parser tables, this function fills in default_desc based on the
> > + * ring's default length encoding and returns default_desc.
> > + */
> > +static const struct drm_i915_cmd_descriptor*
> > +find_cmd(struct intel_ring_buffer *ring,
> > + u32 cmd_header,
> > + struct drm_i915_cmd_descriptor *default_desc)
> > +{
> > + u32 mask;
> > + int i;
> > +
> > + for (i = 0; i < ring->cmd_table_count; i++) {
> > + const struct drm_i915_cmd_descriptor *desc;
> > +
> > + desc = find_cmd_in_table(&ring->cmd_tables[i], cmd_header);
> > + if (desc)
> > + return desc;
> > + }
> > +
> > + mask = ring->get_cmd_length_mask(cmd_header);
> > + if (!mask)
> > + return NULL;
> > +
> > + BUG_ON(!default_desc);
> > + default_desc->flags = CMD_DESC_SKIP;
> > + default_desc->length.mask = mask;
>
> If we turn off all hw validation (through use of the secure bit) should
> we not default to a whitelist of commands? Otherwise it just seems to be
> a case of running a fuzzer until we kill the machine.
Preventing hangs and dos is imo not the attack model, gpus are too fickle
for that. The attach model here is to prevent priveledge escalation and
information leaks. I.e. we want just containement of all read/write access
to the gtt space.
I think for that purpose an explicit whitelist of commands which target
things outside of the (pp)gtt is sufficient. radeon's checker design is
completely different, but pretty much the only command they have is
to load register values. Intel gpus otoh have a big set of special-purpose
commands to load (most) of the rendering pipeline state. So we have
hw built-in register whitelists for all that stuff since you just can't
load arbitrary registers and state with those commands.
Also note that for raw register access Bradley's scanner _is_ whitelist
based. And for general reads/writes gpu designers confirmed that those are
all MI_ commands (with very few specific exceptions like PIPE_CONTROL), so
as long as we check for the exceptions and otherwise only whitelist MI_
commands we know about we should be covered.
So I think this is sound.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
next prev parent reply other threads:[~2014-01-30 8:53 UTC|newest]
Thread overview: 142+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-26 16:51 [RFC 00/22] Gen7 batch buffer command parser bradley.d.volkin
2013-11-26 16:51 ` [RFC 01/22] drm/i915: Add data structures for " bradley.d.volkin
2013-11-26 16:51 ` [RFC 02/22] drm/i915: Initial command parser table definitions bradley.d.volkin
2013-11-26 16:51 ` [RFC 03/22] drm/i915: Hook command parser tables up to rings bradley.d.volkin
2013-11-26 16:51 ` [RFC 04/22] drm/i915: Add per-ring command length decode functions bradley.d.volkin
2013-11-26 16:51 ` [RFC 05/22] drm/i915: Implement command parsing bradley.d.volkin
2013-11-26 17:29 ` Chris Wilson
2013-11-26 17:38 ` Volkin, Bradley D
2013-11-26 17:56 ` Chris Wilson
2013-11-26 18:55 ` Volkin, Bradley D
2013-12-05 21:10 ` Volkin, Bradley D
2013-11-26 16:51 ` [RFC 06/22] drm/i915: Add a HAS_CMD_PARSER getparam bradley.d.volkin
2013-11-27 12:51 ` Daniel Vetter
2013-12-05 9:38 ` Kenneth Graunke
2013-12-05 17:22 ` Volkin, Bradley D
2013-12-05 17:26 ` Daniel Vetter
2013-11-26 16:51 ` [RFC 07/22] drm/i915: Add support for rejecting commands during parsing bradley.d.volkin
2013-11-26 16:51 ` [RFC 08/22] drm/i915: Add support for checking register accesses bradley.d.volkin
2013-11-26 16:51 ` [RFC 09/22] drm/i915: Add support for rejecting commands via bitmasks bradley.d.volkin
2013-11-26 16:51 ` [RFC 10/22] drm/i915: Reject unsafe commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 11/22] drm/i915: Add register whitelists for mesa bradley.d.volkin
2013-11-26 16:51 ` [RFC 12/22] drm/i915: Enable register whitelist checks bradley.d.volkin
2013-11-26 16:51 ` [RFC 13/22] drm/i915: Enable bit checking for some commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 14/22] drm/i915: Enable PPGTT command parser checks bradley.d.volkin
2013-11-26 16:51 ` [RFC 15/22] drm/i915: Reject commands that would store to global HWS page bradley.d.volkin
2013-11-26 16:51 ` [RFC 16/22] drm/i915: Reject additional commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 17/22] drm/i915: Add parser data for perf monitoring GL extensions bradley.d.volkin
2013-11-26 16:51 ` [RFC 18/22] drm/i915: Reject MI_ARB_ON_OFF on VECS bradley.d.volkin
2013-11-26 16:51 ` [RFC 19/22] drm/i915: Fix length handling for MFX_WAIT bradley.d.volkin
2013-11-26 16:51 ` [RFC 20/22] drm/i915: Fix MI_STORE_DWORD_IMM parser defintion bradley.d.volkin
2013-11-26 18:08 ` Chris Wilson
2013-11-26 18:55 ` Volkin, Bradley D
2013-11-26 16:51 ` [RFC 21/22] drm/i915: Clean up command parser enable decision bradley.d.volkin
2013-11-26 16:51 ` [RFC 22/22] drm/i915: Enable command parsing by default bradley.d.volkin
2013-11-26 19:35 ` [RFC 00/22] Gen7 batch buffer command parser Daniel Vetter
2013-11-26 20:24 ` Volkin, Bradley D
2013-11-27 1:32 ` ykzhao
2013-11-27 8:10 ` Daniel Vetter
2013-11-27 8:23 ` Xiang, Haihao
2013-11-27 8:31 ` Daniel Vetter
2013-11-27 8:42 ` Xiang, Haihao
2013-11-27 8:47 ` Daniel Vetter
2013-11-27 8:54 ` Xiang, Haihao
2013-11-27 8:55 ` ykzhao
2013-12-04 8:13 ` Daniel Vetter
2013-12-04 8:22 ` Daniel Vetter
2013-12-05 1:40 ` Volkin, Bradley D
2013-12-05 7:48 ` Daniel Vetter
2013-12-05 20:47 ` Volkin, Bradley D
2013-12-05 23:42 ` Daniel Vetter
2013-11-27 1:26 ` Xiang, Haihao
2013-12-11 0:58 ` Volkin, Bradley D
2013-12-11 9:54 ` Daniel Vetter
2013-12-11 18:04 ` Volkin, Bradley D
2013-12-11 18:46 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 00/13] " bradley.d.volkin
2014-01-29 21:55 ` [PATCH 01/13] drm/i915: Refactor shmem pread setup bradley.d.volkin
2014-01-30 8:36 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 02/13] drm/i915: Implement command buffer parsing logic bradley.d.volkin
2014-01-29 22:28 ` Chris Wilson
2014-01-30 8:53 ` Daniel Vetter [this message]
2014-01-30 9:05 ` Daniel Vetter
2014-01-30 9:12 ` Daniel Vetter
2014-01-30 11:07 ` Daniel Vetter
2014-01-30 18:05 ` Volkin, Bradley D
2014-02-03 23:00 ` Volkin, Bradley D
2014-02-04 10:20 ` Daniel Vetter
2014-02-04 18:45 ` Volkin, Bradley D
2014-02-04 19:33 ` Daniel Vetter
2014-02-05 0:56 ` Volkin, Bradley D
2014-01-30 17:55 ` Volkin, Bradley D
2014-01-30 9:07 ` Daniel Vetter
2014-01-30 10:57 ` Chris Wilson
2014-02-05 15:15 ` Jani Nikula
2014-02-05 18:36 ` Volkin, Bradley D
2014-02-07 13:58 ` Jani Nikula
2014-02-07 14:45 ` Daniel Vetter
2014-02-11 18:12 ` Volkin, Bradley D
2014-02-11 18:21 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 03/13] drm/i915: Initial command parser table definitions bradley.d.volkin
2014-02-05 14:22 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 04/13] drm/i915: Reject privileged commands bradley.d.volkin
2014-02-05 15:22 ` Jani Nikula
2014-02-05 18:42 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 05/13] drm/i915: Allow some privileged commands from master bradley.d.volkin
2014-01-29 21:55 ` [PATCH 06/13] drm/i915: Add register whitelists for mesa bradley.d.volkin
2014-02-05 15:29 ` Jani Nikula
2014-02-05 18:47 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 07/13] drm/i915: Add register whitelist for DRM master bradley.d.volkin
2014-01-29 22:37 ` Chris Wilson
2014-01-29 23:18 ` Volkin, Bradley D
2014-01-30 9:02 ` Daniel Vetter
[not found] ` <20140130172206.GA26611@vpg-ubuntu-bdvolkin>
2014-01-30 20:41 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 08/13] drm/i915: Enable register whitelist checks bradley.d.volkin
2014-02-05 15:33 ` Jani Nikula
2014-02-05 18:49 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 09/13] drm/i915: Reject commands that explicitly generate interrupts bradley.d.volkin
2014-01-29 21:55 ` [PATCH 10/13] drm/i915: Enable PPGTT command parser checks bradley.d.volkin
2014-01-29 22:33 ` Chris Wilson
2014-01-29 23:00 ` Volkin, Bradley D
2014-01-29 23:08 ` Chris Wilson
2014-02-05 15:37 ` Jani Nikula
2014-02-05 18:54 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 11/13] drm/i915: Reject commands that would store to global HWS page bradley.d.volkin
2014-02-05 15:39 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 12/13] drm/i915: Add a CMD_PARSER_VERSION getparam bradley.d.volkin
2014-01-30 9:19 ` Daniel Vetter
2014-01-30 17:25 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 13/13] drm/i915: Enable command parsing by default bradley.d.volkin
2014-01-29 22:11 ` [PATCH 00/13] Gen7 batch buffer command parser Daniel Vetter
2014-01-29 22:22 ` Volkin, Bradley D
2014-01-29 23:31 ` Daniel Vetter
2014-02-05 15:41 ` Jani Nikula
2014-01-29 21:57 ` [PATCH] intel: Merge i915_drm.h with cmd parser define bradley.d.volkin
2014-01-29 22:13 ` Chris Wilson
2014-01-29 22:26 ` Volkin, Bradley D
2014-01-30 9:20 ` Daniel Vetter
2014-01-30 17:28 ` Volkin, Bradley D
2014-02-04 10:26 ` Daniel Vetter
2014-01-29 21:58 ` [PATCH 1/6] tests: Add a test for the command parser bradley.d.volkin
2014-01-29 21:58 ` [PATCH 2/6] tests/gem_exec_parse: Add tests for rejected commands bradley.d.volkin
2014-01-29 21:58 ` [PATCH 3/6] tests/gem_exec_parse: Add tests for register whitelist bradley.d.volkin
2014-01-29 21:58 ` [PATCH 4/6] tests/gem_exec_parse: Add tests for bitmask checks bradley.d.volkin
2014-01-29 21:58 ` [PATCH 5/6] tests/gem_exec_parse: Test for batches w/o MI_BATCH_BUFFER_END bradley.d.volkin
2014-01-29 22:10 ` Chris Wilson
2014-01-30 11:46 ` Chris Wilson
2014-03-25 13:17 ` Daniel Vetter
2014-03-25 19:49 ` Volkin, Bradley D
2014-01-29 21:58 ` [PATCH 6/6] tests/gem_exec_parse: Test a command crossing a page boundary bradley.d.volkin
2014-01-29 22:12 ` Chris Wilson
2014-03-25 13:20 ` Daniel Vetter
2014-02-05 10:28 ` [RFC 00/22] Gen7 batch buffer command parser Chris Wilson
2014-02-05 18:18 ` Volkin, Bradley D
2014-02-05 18:25 ` Chris Wilson
2014-02-05 18:30 ` Daniel Vetter
2014-02-05 19:00 ` Volkin, Bradley D
2014-02-05 19:17 ` Daniel Vetter
2014-02-05 19:55 ` Volkin, Bradley D
-- strict thread matches above, loose matches on Subject: below --
2014-02-18 18:15 [PATCH 00/13] " bradley.d.volkin
2014-02-18 18:15 ` [PATCH 02/13] drm/i915: Implement command buffer parsing logic bradley.d.volkin
2014-03-06 13:10 ` Jani Nikula
2014-03-06 21:07 ` Daniel Vetter
2014-03-20 12:40 ` Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140130085328.GG17001@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=bradley.d.volkin@intel.com \
--cc=chris@chris-wilson.co.uk \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox