From: Daniel Vetter <daniel@ffwll.ch>
To: Chris Wilson <chris@chris-wilson.co.uk>,
bradley.d.volkin@intel.com, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 02/13] drm/i915: Implement command buffer parsing logic
Date: Thu, 30 Jan 2014 10:05:28 +0100 [thread overview]
Message-ID: <20140130090528.GI17001@phenom.ffwll.local> (raw)
In-Reply-To: <20140130085328.GG17001@phenom.ffwll.local>
On Thu, Jan 30, 2014 at 09:53:28AM +0100, Daniel Vetter wrote:
> On Wed, Jan 29, 2014 at 10:28:36PM +0000, Chris Wilson wrote:
> > On Wed, Jan 29, 2014 at 01:55:03PM -0800, bradley.d.volkin@intel.com wrote:
> > > +/*
> > > + * Returns a pointer to a descriptor for the command specified by cmd_header.
> > > + *
> > > + * The caller must supply space for a default descriptor via the default_desc
> > > + * parameter. If no descriptor for the specified command exists in the ring's
> > > + * command parser tables, this function fills in default_desc based on the
> > > + * ring's default length encoding and returns default_desc.
> > > + */
> > > +static const struct drm_i915_cmd_descriptor*
> > > +find_cmd(struct intel_ring_buffer *ring,
> > > + u32 cmd_header,
> > > + struct drm_i915_cmd_descriptor *default_desc)
> > > +{
> > > + u32 mask;
> > > + int i;
> > > +
> > > + for (i = 0; i < ring->cmd_table_count; i++) {
> > > + const struct drm_i915_cmd_descriptor *desc;
> > > +
> > > + desc = find_cmd_in_table(&ring->cmd_tables[i], cmd_header);
> > > + if (desc)
> > > + return desc;
> > > + }
> > > +
> > > + mask = ring->get_cmd_length_mask(cmd_header);
> > > + if (!mask)
> > > + return NULL;
> > > +
> > > + BUG_ON(!default_desc);
> > > + default_desc->flags = CMD_DESC_SKIP;
> > > + default_desc->length.mask = mask;
> >
> > If we turn off all hw validation (through use of the secure bit) should
> > we not default to a whitelist of commands? Otherwise it just seems to be
> > a case of running a fuzzer until we kill the machine.
>
> Preventing hangs and dos is imo not the attack model, gpus are too fickle
> for that. The attach model here is to prevent priveledge escalation and
> information leaks. I.e. we want just containement of all read/write access
> to the gtt space.
>
> I think for that purpose an explicit whitelist of commands which target
> things outside of the (pp)gtt is sufficient. radeon's checker design is
> completely different, but pretty much the only command they have is
> to load register values. Intel gpus otoh have a big set of special-purpose
> commands to load (most) of the rendering pipeline state. So we have
> hw built-in register whitelists for all that stuff since you just can't
> load arbitrary registers and state with those commands.
>
> Also note that for raw register access Bradley's scanner _is_ whitelist
> based. And for general reads/writes gpu designers confirmed that those are
> all MI_ commands (with very few specific exceptions like PIPE_CONTROL), so
> as long as we check for the exceptions and otherwise only whitelist MI_
> commands we know about we should be covered.
>
> So I think this is sound.
Hm, but while scrolling through the checker I haven't spotted a "reject
everything unknown" for MI_CLIENT commands. Bradley, have I missed that?
I think submitting an invented MI_CLIENT command would also be a good
testcase.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
next prev parent reply other threads:[~2014-01-30 9:05 UTC|newest]
Thread overview: 142+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-26 16:51 [RFC 00/22] Gen7 batch buffer command parser bradley.d.volkin
2013-11-26 16:51 ` [RFC 01/22] drm/i915: Add data structures for " bradley.d.volkin
2013-11-26 16:51 ` [RFC 02/22] drm/i915: Initial command parser table definitions bradley.d.volkin
2013-11-26 16:51 ` [RFC 03/22] drm/i915: Hook command parser tables up to rings bradley.d.volkin
2013-11-26 16:51 ` [RFC 04/22] drm/i915: Add per-ring command length decode functions bradley.d.volkin
2013-11-26 16:51 ` [RFC 05/22] drm/i915: Implement command parsing bradley.d.volkin
2013-11-26 17:29 ` Chris Wilson
2013-11-26 17:38 ` Volkin, Bradley D
2013-11-26 17:56 ` Chris Wilson
2013-11-26 18:55 ` Volkin, Bradley D
2013-12-05 21:10 ` Volkin, Bradley D
2013-11-26 16:51 ` [RFC 06/22] drm/i915: Add a HAS_CMD_PARSER getparam bradley.d.volkin
2013-11-27 12:51 ` Daniel Vetter
2013-12-05 9:38 ` Kenneth Graunke
2013-12-05 17:22 ` Volkin, Bradley D
2013-12-05 17:26 ` Daniel Vetter
2013-11-26 16:51 ` [RFC 07/22] drm/i915: Add support for rejecting commands during parsing bradley.d.volkin
2013-11-26 16:51 ` [RFC 08/22] drm/i915: Add support for checking register accesses bradley.d.volkin
2013-11-26 16:51 ` [RFC 09/22] drm/i915: Add support for rejecting commands via bitmasks bradley.d.volkin
2013-11-26 16:51 ` [RFC 10/22] drm/i915: Reject unsafe commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 11/22] drm/i915: Add register whitelists for mesa bradley.d.volkin
2013-11-26 16:51 ` [RFC 12/22] drm/i915: Enable register whitelist checks bradley.d.volkin
2013-11-26 16:51 ` [RFC 13/22] drm/i915: Enable bit checking for some commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 14/22] drm/i915: Enable PPGTT command parser checks bradley.d.volkin
2013-11-26 16:51 ` [RFC 15/22] drm/i915: Reject commands that would store to global HWS page bradley.d.volkin
2013-11-26 16:51 ` [RFC 16/22] drm/i915: Reject additional commands bradley.d.volkin
2013-11-26 16:51 ` [RFC 17/22] drm/i915: Add parser data for perf monitoring GL extensions bradley.d.volkin
2013-11-26 16:51 ` [RFC 18/22] drm/i915: Reject MI_ARB_ON_OFF on VECS bradley.d.volkin
2013-11-26 16:51 ` [RFC 19/22] drm/i915: Fix length handling for MFX_WAIT bradley.d.volkin
2013-11-26 16:51 ` [RFC 20/22] drm/i915: Fix MI_STORE_DWORD_IMM parser defintion bradley.d.volkin
2013-11-26 18:08 ` Chris Wilson
2013-11-26 18:55 ` Volkin, Bradley D
2013-11-26 16:51 ` [RFC 21/22] drm/i915: Clean up command parser enable decision bradley.d.volkin
2013-11-26 16:51 ` [RFC 22/22] drm/i915: Enable command parsing by default bradley.d.volkin
2013-11-26 19:35 ` [RFC 00/22] Gen7 batch buffer command parser Daniel Vetter
2013-11-26 20:24 ` Volkin, Bradley D
2013-11-27 1:32 ` ykzhao
2013-11-27 8:10 ` Daniel Vetter
2013-11-27 8:23 ` Xiang, Haihao
2013-11-27 8:31 ` Daniel Vetter
2013-11-27 8:42 ` Xiang, Haihao
2013-11-27 8:47 ` Daniel Vetter
2013-11-27 8:54 ` Xiang, Haihao
2013-11-27 8:55 ` ykzhao
2013-12-04 8:13 ` Daniel Vetter
2013-12-04 8:22 ` Daniel Vetter
2013-12-05 1:40 ` Volkin, Bradley D
2013-12-05 7:48 ` Daniel Vetter
2013-12-05 20:47 ` Volkin, Bradley D
2013-12-05 23:42 ` Daniel Vetter
2013-11-27 1:26 ` Xiang, Haihao
2013-12-11 0:58 ` Volkin, Bradley D
2013-12-11 9:54 ` Daniel Vetter
2013-12-11 18:04 ` Volkin, Bradley D
2013-12-11 18:46 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 00/13] " bradley.d.volkin
2014-01-29 21:55 ` [PATCH 01/13] drm/i915: Refactor shmem pread setup bradley.d.volkin
2014-01-30 8:36 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 02/13] drm/i915: Implement command buffer parsing logic bradley.d.volkin
2014-01-29 22:28 ` Chris Wilson
2014-01-30 8:53 ` Daniel Vetter
2014-01-30 9:05 ` Daniel Vetter [this message]
2014-01-30 9:12 ` Daniel Vetter
2014-01-30 11:07 ` Daniel Vetter
2014-01-30 18:05 ` Volkin, Bradley D
2014-02-03 23:00 ` Volkin, Bradley D
2014-02-04 10:20 ` Daniel Vetter
2014-02-04 18:45 ` Volkin, Bradley D
2014-02-04 19:33 ` Daniel Vetter
2014-02-05 0:56 ` Volkin, Bradley D
2014-01-30 17:55 ` Volkin, Bradley D
2014-01-30 9:07 ` Daniel Vetter
2014-01-30 10:57 ` Chris Wilson
2014-02-05 15:15 ` Jani Nikula
2014-02-05 18:36 ` Volkin, Bradley D
2014-02-07 13:58 ` Jani Nikula
2014-02-07 14:45 ` Daniel Vetter
2014-02-11 18:12 ` Volkin, Bradley D
2014-02-11 18:21 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 03/13] drm/i915: Initial command parser table definitions bradley.d.volkin
2014-02-05 14:22 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 04/13] drm/i915: Reject privileged commands bradley.d.volkin
2014-02-05 15:22 ` Jani Nikula
2014-02-05 18:42 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 05/13] drm/i915: Allow some privileged commands from master bradley.d.volkin
2014-01-29 21:55 ` [PATCH 06/13] drm/i915: Add register whitelists for mesa bradley.d.volkin
2014-02-05 15:29 ` Jani Nikula
2014-02-05 18:47 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 07/13] drm/i915: Add register whitelist for DRM master bradley.d.volkin
2014-01-29 22:37 ` Chris Wilson
2014-01-29 23:18 ` Volkin, Bradley D
2014-01-30 9:02 ` Daniel Vetter
[not found] ` <20140130172206.GA26611@vpg-ubuntu-bdvolkin>
2014-01-30 20:41 ` Daniel Vetter
2014-01-29 21:55 ` [PATCH 08/13] drm/i915: Enable register whitelist checks bradley.d.volkin
2014-02-05 15:33 ` Jani Nikula
2014-02-05 18:49 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 09/13] drm/i915: Reject commands that explicitly generate interrupts bradley.d.volkin
2014-01-29 21:55 ` [PATCH 10/13] drm/i915: Enable PPGTT command parser checks bradley.d.volkin
2014-01-29 22:33 ` Chris Wilson
2014-01-29 23:00 ` Volkin, Bradley D
2014-01-29 23:08 ` Chris Wilson
2014-02-05 15:37 ` Jani Nikula
2014-02-05 18:54 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 11/13] drm/i915: Reject commands that would store to global HWS page bradley.d.volkin
2014-02-05 15:39 ` Jani Nikula
2014-01-29 21:55 ` [PATCH 12/13] drm/i915: Add a CMD_PARSER_VERSION getparam bradley.d.volkin
2014-01-30 9:19 ` Daniel Vetter
2014-01-30 17:25 ` Volkin, Bradley D
2014-01-29 21:55 ` [PATCH 13/13] drm/i915: Enable command parsing by default bradley.d.volkin
2014-01-29 22:11 ` [PATCH 00/13] Gen7 batch buffer command parser Daniel Vetter
2014-01-29 22:22 ` Volkin, Bradley D
2014-01-29 23:31 ` Daniel Vetter
2014-02-05 15:41 ` Jani Nikula
2014-01-29 21:57 ` [PATCH] intel: Merge i915_drm.h with cmd parser define bradley.d.volkin
2014-01-29 22:13 ` Chris Wilson
2014-01-29 22:26 ` Volkin, Bradley D
2014-01-30 9:20 ` Daniel Vetter
2014-01-30 17:28 ` Volkin, Bradley D
2014-02-04 10:26 ` Daniel Vetter
2014-01-29 21:58 ` [PATCH 1/6] tests: Add a test for the command parser bradley.d.volkin
2014-01-29 21:58 ` [PATCH 2/6] tests/gem_exec_parse: Add tests for rejected commands bradley.d.volkin
2014-01-29 21:58 ` [PATCH 3/6] tests/gem_exec_parse: Add tests for register whitelist bradley.d.volkin
2014-01-29 21:58 ` [PATCH 4/6] tests/gem_exec_parse: Add tests for bitmask checks bradley.d.volkin
2014-01-29 21:58 ` [PATCH 5/6] tests/gem_exec_parse: Test for batches w/o MI_BATCH_BUFFER_END bradley.d.volkin
2014-01-29 22:10 ` Chris Wilson
2014-01-30 11:46 ` Chris Wilson
2014-03-25 13:17 ` Daniel Vetter
2014-03-25 19:49 ` Volkin, Bradley D
2014-01-29 21:58 ` [PATCH 6/6] tests/gem_exec_parse: Test a command crossing a page boundary bradley.d.volkin
2014-01-29 22:12 ` Chris Wilson
2014-03-25 13:20 ` Daniel Vetter
2014-02-05 10:28 ` [RFC 00/22] Gen7 batch buffer command parser Chris Wilson
2014-02-05 18:18 ` Volkin, Bradley D
2014-02-05 18:25 ` Chris Wilson
2014-02-05 18:30 ` Daniel Vetter
2014-02-05 19:00 ` Volkin, Bradley D
2014-02-05 19:17 ` Daniel Vetter
2014-02-05 19:55 ` Volkin, Bradley D
-- strict thread matches above, loose matches on Subject: below --
2014-02-18 18:15 [PATCH 00/13] " bradley.d.volkin
2014-02-18 18:15 ` [PATCH 02/13] drm/i915: Implement command buffer parsing logic bradley.d.volkin
2014-03-06 13:10 ` Jani Nikula
2014-03-06 21:07 ` Daniel Vetter
2014-03-20 12:40 ` Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140130090528.GI17001@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=bradley.d.volkin@intel.com \
--cc=chris@chris-wilson.co.uk \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox