On 2019-06-21 9:12 a.m., Koenig, Christian wrote:
First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.
This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.
FWIW, getting rid of DRI2 also needs to be discussed with amdgpu-pro OpenGL driver folks.
As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.
All we have to do is to fix the bug Michel pointed out about KMS handles for display
I'm working on that, consider it fixed.
and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.
My suggestion was to add a new variant of amdgpu_device_initialize. When the new variant is called, libdrm_amdgpu internally uses a render node for command submission etc. whenever possible.