From: Thomas Hellstrom <thellstrom@vmware.com>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: "dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: DRM security flaws and security levels.
Date: Mon, 14 Apr 2014 14:56:15 +0200 [thread overview]
Message-ID: <534BDAEF.6090601@vmware.com> (raw)
In-Reply-To: <20140414134113.6c1a488d@alan.etchedpixels.co.uk>
On 04/14/2014 02:41 PM, One Thousand Gnomes wrote:
>> throw out all GPU memory on master drop and block ioctls requiring
>> authentication until master becomes active again.
> If you have a per driver method then the driver can implement whatever is
> optimal (possibly including throwing it all out).
>
>> -1: The driver allows an authenticated client to craft command streams
>> that could access any part of system memory. These drivers should be
>> kept in staging until they are fixed.
> I am not sure they belong in staging even.
>
>> 0: Drivers that are vulnerable to any of the above scenarios.
>> 1: Drivers that are immune against all above scenarios but allows any
>> authenticated client with *active* master to access all GPU memory. Any
>> enabled render nodes will be insecure, while primary nodes are secure.
>> 2: Drivers that are immune against all above scenarios and can protect
>> clients from accessing eachother's gpu memory:
>> Render nodes will be secure.
>>
>> Thoughts?
> Another magic number to read, another case to get wrong where the OS
> isn't providing security by default.
>
> If the driver can be fixed to handle it by flushing out all GPU memory
> then the driver should be fixed to do so. Adding magic udev nodes is just
> adding complexity that ought to be made to go away before it even becomes
> an API.
>
> So I think there are three cases
>
> - insecure junk driver. Shouldn't even be in staging
> - hardware isn't as smart enough, or perhaps has a performance problem so
> sometimes flushes all buffers away on a switch
> - drivers that behave well
>
> Do you then even need a sysfs node and udev hacks (remembering not
> everyone even deploys udev on their Linux based products)
>
> For the other cases
>
> - how prevalent are the problem older user space drivers nowdays ?
>
> - the fix for "won't fix" drivers is to move them to staging, and then
> if they are not fixed or do not acquire a new maintainer who will,
> delete them.
>
> - if we have 'can't fix drivers' then its a bit different and we need to
> understand better *why*.
>
> Don't screw the kernel up because there are people who can't be bothered
> to fix bugs. Moving them out of the tree is a great incentive to find
> someone to fix it.
>
On second thought I'm dropping this whole issue.
I've brought this and other security issues up before but nobody really
seems to care.
/Thomas
next prev parent reply other threads:[~2014-04-14 12:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-11 12:42 DRM security flaws and security levels Thomas Hellstrom
2014-04-11 20:31 ` David Herrmann
2014-04-11 21:15 ` Thomas Hellstrom
2014-04-11 22:05 ` Rob Clark
2014-04-14 12:41 ` One Thousand Gnomes
2014-04-14 12:56 ` Thomas Hellstrom [this message]
2014-04-14 13:09 ` Rob Clark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=534BDAEF.6090601@vmware.com \
--to=thellstrom@vmware.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox