On Thu, Jun 06, 2019 at 11:59:15AM +0100, Emil Velikov wrote:

On Mon, 27 May 2019 at 09:19, Emil Velikov emil.l.velikov@gmail.com wrote:

...

From: Emil Velikov emil.velikov@collabora.com

The authentication can be circumvented, by design, by using the render node.

From the driver POV there is no distinction between primary and render nodes, thus we can drop the token.

Cc: Gerd Hoffmann kraxel@redhat.com Cc: virtualization@lists.linux-foundation.org Cc: David Airlie airlied@linux.ie Cc: Daniel Vetter daniel@ffwll.ch Signed-off-by: Emil Velikov emil.velikov@collabora.com

Acked-by: Gerd Hoffmann kraxel@redhat.com

Am 27.05.19 um 14:10 schrieb Emil Velikov:

On 2019/05/27, Christian König wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

There are cases (in mesa and applications) where one would open the primary node without properly authenticating the client.

Sometimes we don't check if the authentication succeeds, but there's also cases we simply forget to do it.

The former was a case for Mesa where it did not not check the return value of drmGetMagic() [1]. That was fixed recently although, there's the question of older drivers or other apps that exbibit this behaviour.

While omitting the call results in issues as seen in [2] and [3].

In the libva case, libva itself doesn't authenticate the DRM client and the vaGetDisplayDRM documentation doesn't mention if the app should either.

As of today, the official vainfo utility doesn't authenticate.

To workaround issues like these, some users resort to running their apps under sudo. Which admittedly isn't always a good idea.

Since any DRIVER_RENDER driver has sufficient isolation between clients, we can use that, for unauthenticated [primary node] ioctls that require DRM_AUTH. But only if the respective ioctl is tagged as DRM_RENDER_ALLOW.

v2:

• Rework/simplify if check (Daniel V)
• Add examples to commit messages, elaborate. (Daniel V)

v3:

• Use single unlikely (Daniel V)

v4:

• Patch was reverted because it broke AMDGPU, apply again. The AMDGPU

issue is fixed with earlier patch.

As far as I can see this only affects the following two IOCTLs after removing DRM_AUTH from the DRM_RENDER_ALLOW IOCTLs:

...

DRM_IOCTL_DEF(DRM_IOCTL_PRIME_HANDLE_TO_FD, drm_prime_handle_to_fd_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW),         DRM_IOCTL_DEF(DRM_IOCTL_PRIME_FD_TO_HANDLE, drm_prime_fd_to_handle_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW)

So I think it would be simpler to just remove DRM_AUTH from those two instead of allowing it for everybody.

If I understand you correctly this will remove DRM_AUTH also for drivers which expose only a primary node. I'm not sure if that is a good idea.

That's a good point, but I have doubts that those drivers implement the necessary callbacks and/or set the core feature flag for the IOCTLs.

So the maximum what could happen is that you change the returned error from -EACCES into -EOPNOTSUPP/-ENOSYS.

Regards, Christian.

That said, if others are OK with the idea I will prepare a patch.

Thanks Emil

Am 27.05.19 um 14:05 schrieb Emil Velikov:

On 2019/05/27, Koenig, Christian wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Affected versions are:

• the whole 18.2.x series, which is EOL
• the whole 18.3.x series, which is EOL
• the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

Did I mention that I've spent quite a bit of time in AMDVLK? Even fixed a bug while I was there :-)

Yeah, thanks for doing this.

But we have done so much stuff with customers which can't be audited this way, that I still have a really bad feeling about this :/

...

For the record: I strongly think that we don't want to expose any render functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we should completely disable DRI2 for one of the next generations.

It's doable and overall pretty neat idea.

There is a consern that this approach may cause far more regressions that this series. We are talking about years worth of Mesa drivers (et al) that depend on render functionality exposed via the primary node.

Yeah, that's I'm perfectly aware of. It's the reason why I said we should only do it for new hardware generations.

But at some point I think we should do this and get rid of authentication/flink/DRI2/....

I'm OK with writing the patches, but it'll be up-to the AMDGPU team to follow-up with any regressions. Are you ok with that?

As long as we have a check like adev->family_id > WHATEVER_IS_THE_CURRENT_LATEST_UPSTREAM_HW, I think we are fine with that.

If I understood Michel correctly xf86-video-amdgpu should work, but modeset might break and needs a patch.

Fwiw I could also move the FORCE_AUTH hack to core drm, if you prefer.

Well, the hack is the least of my concerns.

Thanks, Christian.

Thanks Emil

On Mon, May 27, 2019 at 01:52:05PM +0100, Emil Velikov wrote:

On 2019/05/27, Koenig, Christian wrote:

...

Am 27.05.19 um 14:05 schrieb Emil Velikov:

...

On 2019/05/27, Koenig, Christian wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a eingle (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Affected versions are:

• the whole 18.2.x series, which is EOL
• the whole 18.3.x series, which is EOL
• the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

Did I mention that I've spent quite a bit of time in AMDVLK? Even fixed a bug while I was there :-)

Yeah, thanks for doing this.

But we have done so much stuff with customers which can't be audited this way, that I still have a really bad feeling about this :/

Fair point, I've already thought about those.

Example A: customer X, using closed source/private software Y. Ioctls A, B and C require the old behaviour - simply add FORCE_AUTH to the A B C and carry on happily.

Hm, if the entire concern here is all the bazillion different versions of blobs shipped in the past few years, why can't we just have a revert of this in the amdgpu DKMS? Not like one more patch among the hundres will matter. I'd suspect that the overlap of people wanting to run the blobs and people who don't run the DKMS or similar is roughly 0. Always been the case here at Intel at least.

If there's other stuff that we need to audit (like rocm or whatever), then we should look into those ofc. -Daniel

Example B: the team, as a whole thinks that this will be problematic for customer X - add FORCE_AUTH to all ioctls and carry on.

I do see and understand why anyone can be hesitant about the series.

IMHO the above examples, illustrate quite reasonable compromise between open-source and closed-source/private solutions.

Don't you agree?

...

...

...

For the record: I strongly think that we don't want to expose any render functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we should completely disable DRI2 for one of the next generations.

It's doable and overall pretty neat idea.

There is a consern that this approach may cause far more regressions that this series. We are talking about years worth of Mesa drivers (et al) that depend on render functionality exposed via the primary node.

Yeah, that's I'm perfectly aware of. It's the reason why I said we should only do it for new hardware generations.

But at some point I think we should do this and get rid of authentication/flink/DRI2/....

Fwiw I share a similar sentiment. If you've looked through the series, this is effectively step 1, towards nuking DRM_AUTH :-)

...

...

I'm OK with writing the patches, but it'll be up-to the AMDGPU team to follow-up with any regressions. Are you ok with that?

As long as we have a check like adev->family_id > WHATEVER_IS_THE_CURRENT_LATEST_UPSTREAM_HW, I think we are fine with that.

If I understood Michel correctly xf86-video-amdgpu should work, but modeset might break and needs a patch.

Unless I have concrete WHATEVER_IS_THE... I cannot do much here :-(

Thanks Emil

Am 27.05.19 um 15:26 schrieb Emil Velikov:

On 2019/05/27, Daniel Vetter wrote:

...

On Mon, May 27, 2019 at 10:47:39AM +0000, Koenig, Christian wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Affected versions are:

• the whole 18.2.x series, which is EOL
• the whole 18.3.x series, which is EOL
• the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

For the record: I strongly think that we don't want to expose any render functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we should completely disable DRI2 for one of the next generations.

As a follow up I would then completely disallow the DRM authentication for amdgpu, so that the command submission interface on the primary node can only be used by the display server.

So amdgpu is running in one direction, while everyone else is running in the other direction? Please note that your patch to change i915 landed already, so that ship is sailing (but we could ofc revert that back again).

Imo really not a great idea if we do a amdgpu vs. everyone else split here. If we want to deprecate dri2/flink/rendering on primary nodes across the stack, then that should be a stack wide decision, not an amdgpu one.

Cannot agree more - I would love to see drivers stay consistent.

Yeah, completely agree to that. That's why I think we should not do this at all and just let Intel fix it's userspace bugs :P

Anyway my concern is really that we should stop extending functionality on the primary node.

E.g. the render node is for use by the clients and the primary node for mode setting and use by the display server only.

Regards, Christian.

Fwiw, this series consistently paves the way toward nuking DRM_AUTH ;-)

Thanks Emil

Am 27.05.19 um 17:26 schrieb Daniel Vetter:

On Mon, May 27, 2019 at 3:42 PM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 27.05.19 um 15:26 schrieb Emil Velikov:

...

On 2019/05/27, Daniel Vetter wrote:

...

On Mon, May 27, 2019 at 10:47:39AM +0000, Koenig, Christian wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Affected versions are: - the whole 18.2.x series, which is EOL - the whole 18.3.x series, which is EOL - the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

For the record: I strongly think that we don't want to expose any render functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we should completely disable DRI2 for one of the next generations.

As a follow up I would then completely disallow the DRM authentication for amdgpu, so that the command submission interface on the primary node can only be used by the display server.

So amdgpu is running in one direction, while everyone else is running in the other direction? Please note that your patch to change i915 landed already, so that ship is sailing (but we could ofc revert that back again).

Imo really not a great idea if we do a amdgpu vs. everyone else split here. If we want to deprecate dri2/flink/rendering on primary nodes across the stack, then that should be a stack wide decision, not an amdgpu one.

Cannot agree more - I would love to see drivers stay consistent.

Yeah, completely agree to that. That's why I think we should not do this at all and just let Intel fix it's userspace bugs :P

So you're planning to submit that revert? You did jump the gun with sending out that patch after all too ... (aside from it got merged because of some other mixup with r-b tags and what not).

Well already regretting submitting that. On the other hand what is the minimum IOCTLs we need to get working to fix the vainfo issue?

Might be a good idea looking into reverting it partially, so that at least command submission and buffer allocation is still blocked.

Christian.

-Daniel

...

Anyway my concern is really that we should stop extending functionality on the primary node.

E.g. the render node is for use by the clients and the primary node for mode setting and use by the display server only.

Regards, Christian.

...

Fwiw, this series consistently paves the way toward nuking DRM_AUTH ;-)

Thanks Emil

Am 28.05.19 um 09:38 schrieb Daniel Vetter:

[SNIP]

...

Might be a good idea looking into reverting it partially, so that at least command submission and buffer allocation is still blocked.

I thought the issue is a lot more than vainfo, it's pretty much every hacked up compositor under the sun getting this wrong one way or another. Thinking about this some more, I also have no idea how you'd want to deprecate rendering on primary nodes in general. Apparently that breaks -modesetting already, and probably lots more compositors. And it looks like we're finally achieve the goal kms set out to 10 years ago, and new compositors are sprouting up all the time. I guess we could just break them all (on new hardware) and tell them to all suck it up. But I don't think that's a great option. And just deprecating this on amdgpu is going to be even harder, since then everywhere else it'll keep working, and it's just amdgpu.ko that looks broken.

Aside: I'm not supporting Emil's idea here because it fixes any issues Intel has - Intel doesn't care. I support it because reality sucks, people get this render vs. primary vs. multi-gpu prime wrong all the time (that's also why we have hardcoded display+gpu pairs in mesa for the various soc combinations out there), and this looks like a pragmatic solution. It'd be nice if every compositor and everything else would perfectly support multi gpu and only use render nodes for rendering, and only primary nodes for display. But reality is that people hack on stuff until gears on screen and then move on to more interesting things (to them). So I don't think we'll ever win this :-/

Yeah, but this is a classic case of working around user space issues by making kernel changes instead of fixing user space.

Having privileged (output control) and unprivileged (rendering control) functionality behind the same node is a mistake we have made a long time ago and render nodes finally seemed to be a way to fix that.

I mean why are compositors using the primary node in the first place? Because they want to have access to privileged resources I think and in this case it is perfectly ok to do so.

Now extending unprivileged access to the primary node actually sounds like a step into the wrong direction to me.

I rather think that we should go down the route of completely dropping command submission and buffer allocation through the primary node for non master clients. And then as next step at some point drop support for authentication/flink.

I mean we have done this with UMS as well and I don't see much other way to move forward and get rid of those ancient interface in the long term.

Regards, Christian.

-Daniel

On 2019/05/28, Daniel Vetter wrote:

On Tue, May 28, 2019 at 10:03 AM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 28.05.19 um 09:38 schrieb Daniel Vetter:

...

[SNIP]

...

Might be a good idea looking into reverting it partially, so that at least command submission and buffer allocation is still blocked.

I thought the issue is a lot more than vainfo, it's pretty much every hacked up compositor under the sun getting this wrong one way or another. Thinking about this some more, I also have no idea how you'd want to deprecate rendering on primary nodes in general. Apparently that breaks -modesetting already, and probably lots more compositors. And it looks like we're finally achieve the goal kms set out to 10 years ago, and new compositors are sprouting up all the time. I guess we could just break them all (on new hardware) and tell them to all suck it up. But I don't think that's a great option. And just deprecating this on amdgpu is going to be even harder, since then everywhere else it'll keep working, and it's just amdgpu.ko that looks broken.

Aside: I'm not supporting Emil's idea here because it fixes any issues Intel has - Intel doesn't care. I support it because reality sucks, people get this render vs. primary vs. multi-gpu prime wrong all the time (that's also why we have hardcoded display+gpu pairs in mesa for the various soc combinations out there), and this looks like a pragmatic solution. It'd be nice if every compositor and everything else would perfectly support multi gpu and only use render nodes for rendering, and only primary nodes for display. But reality is that people hack on stuff until gears on screen and then move on to more interesting things (to them). So I don't think we'll ever win this :-/

Yeah, but this is a classic case of working around user space issues by making kernel changes instead of fixing user space.

Having privileged (output control) and unprivileged (rendering control) functionality behind the same node is a mistake we have made a long time ago and render nodes finally seemed to be a way to fix that.

I mean why are compositors using the primary node in the first place? Because they want to have access to privileged resources I think and in this case it is perfectly ok to do so.

Now extending unprivileged access to the primary node actually sounds like a step into the wrong direction to me.

I rather think that we should go down the route of completely dropping command submission and buffer allocation through the primary node for non master clients. And then as next step at some point drop support for authentication/flink.

I mean we have done this with UMS as well and I don't see much other way to move forward and get rid of those ancient interface in the long term.

Well kms had some really good benefits that drove quick adoption, like "suspend/resume actually has a chance of working" or "comes with buffer management so you can run multiple gears".

The render node thing is a lot more niche use case (prime, better priv separation), plus "it's cleaner design". And the "cleaner design" part is something that empirically doesn't seem to matter :-/ Just two examples:

• KHR_display/leases just iterated display resources on the fd needed

for rendering (and iirc there was even a patch to expose that for render nodes too so it works with DRI3), because implementing protocols is too hard. Barely managed to stop that one before it happened.

• Various video players use the vblank ioctl on directly to schedule

frames, without telling the compositor. I discovered that when I wanted to limite the vblank ioctl to master clients only. Again, apparently too hard to use the existing extensions, or fix the bugs in there, or whatever. One userspace got fixed last year, but it'll probably get copypasted around forever :-/

So I don't think we'll ever manage to roll a clean split out, and best we can do is give in and just hand userspace what it wants. As much as that's misguided and unclean and all that. Maybe it'll result in a least fewer stuff getting run as root to hack around this, because fixing properly seems not to be on the table.

The beauty of kms is that we've achieved the mission, everyone's writing their own thing. Which is also terrible, and I don't think it'll get better.

With the risk of coming rude I will repeat my earlier comment:

The problem is _neither_ Intel nor libva specific.

That said, let's step back for a moment and consider:

- the "block everything but KMS via the primary node" idea is great but orthogonal

- the series does address issues that are vendor-agnostic

- by default this series does _not_ cause any regression be that for new or old userspace

- there are two trivial solutions, if the AMD team has concerns about closed-source/private stack depending on the old behaviour If they want I can even write the patches ;-)

That said, the notable comments received so far are: - rework patch 13/13 to remove the DRM_AUTH from prime fd to/from handle. I'm OK but this will change the return code - from EACCES to ENOSYS

- vmwgfx will need a check on the reference ioctl(s) - IIRC Thomas is planning to drop nearly all DRM_AUTH instances in their driver.

Christian, as mentioned before - this series does _not_ add functionality to render nodes. It effectively paves a way towards removing DRM_AUTH.

I understand the series may feel a bit dirty. Yet I would gladly address any technical concerns you have.

Thanks Emil

On 2019/05/28, Koenig, Christian wrote:

Am 28.05.19 um 18:10 schrieb Emil Velikov:

...

On 2019/05/28, Daniel Vetter wrote:

...

On Tue, May 28, 2019 at 10:03 AM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 28.05.19 um 09:38 schrieb Daniel Vetter:

...

[SNIP]

...

Might be a good idea looking into reverting it partially, so that at least command submission and buffer allocation is still blocked.

I thought the issue is a lot more than vainfo, it's pretty much every hacked up compositor under the sun getting this wrong one way or another. Thinking about this some more, I also have no idea how you'd want to deprecate rendering on primary nodes in general. Apparently that breaks -modesetting already, and probably lots more compositors. And it looks like we're finally achieve the goal kms set out to 10 years ago, and new compositors are sprouting up all the time. I guess we could just break them all (on new hardware) and tell them to all suck it up. But I don't think that's a great option. And just deprecating this on amdgpu is going to be even harder, since then everywhere else it'll keep working, and it's just amdgpu.ko that looks broken.

Aside: I'm not supporting Emil's idea here because it fixes any issues Intel has - Intel doesn't care. I support it because reality sucks, people get this render vs. primary vs. multi-gpu prime wrong all the time (that's also why we have hardcoded display+gpu pairs in mesa for the various soc combinations out there), and this looks like a pragmatic solution. It'd be nice if every compositor and everything else would perfectly support multi gpu and only use render nodes for rendering, and only primary nodes for display. But reality is that people hack on stuff until gears on screen and then move on to more interesting things (to them). So I don't think we'll ever win this :-/

Yeah, but this is a classic case of working around user space issues by making kernel changes instead of fixing user space.

Having privileged (output control) and unprivileged (rendering control) functionality behind the same node is a mistake we have made a long time ago and render nodes finally seemed to be a way to fix that.

I mean why are compositors using the primary node in the first place? Because they want to have access to privileged resources I think and in this case it is perfectly ok to do so.

Now extending unprivileged access to the primary node actually sounds like a step into the wrong direction to me.

I rather think that we should go down the route of completely dropping command submission and buffer allocation through the primary node for non master clients. And then as next step at some point drop support for authentication/flink.

I mean we have done this with UMS as well and I don't see much other way to move forward and get rid of those ancient interface in the long term.

Well kms had some really good benefits that drove quick adoption, like "suspend/resume actually has a chance of working" or "comes with buffer management so you can run multiple gears".

The render node thing is a lot more niche use case (prime, better priv separation), plus "it's cleaner design". And the "cleaner design" part is something that empirically doesn't seem to matter :-/ Just two examples:

• KHR_display/leases just iterated display resources on the fd needed

for rendering (and iirc there was even a patch to expose that for render nodes too so it works with DRI3), because implementing protocols is too hard. Barely managed to stop that one before it happened.

• Various video players use the vblank ioctl on directly to schedule

frames, without telling the compositor. I discovered that when I wanted to limite the vblank ioctl to master clients only. Again, apparently too hard to use the existing extensions, or fix the bugs in there, or whatever. One userspace got fixed last year, but it'll probably get copypasted around forever :-/

So I don't think we'll ever manage to roll a clean split out, and best we can do is give in and just hand userspace what it wants. As much as that's misguided and unclean and all that. Maybe it'll result in a least fewer stuff getting run as root to hack around this, because fixing properly seems not to be on the table.

The beauty of kms is that we've achieved the mission, everyone's writing their own thing. Which is also terrible, and I don't think it'll get better.

With the risk of coming rude I will repeat my earlier comment:

The problem is _neither_ Intel nor libva specific.

That said, let's step back for a moment and consider:

• the "block everything but KMS via the primary node" idea is great but

orthogonal

• the series does address issues that are vendor-agnostic

• by default this series does _not_ cause any regression be that for

new or old userspace

• there are two trivial solutions, if the AMD team has concerns about

closed-source/private stack depending on the old behaviour If they want I can even write the patches ;-)

That said, the notable comments received so far are:

• rework patch 13/13 to remove the DRM_AUTH from prime fd to/from

handle. I'm OK but this will change the return code - from EACCES to ENOSYS

• vmwgfx will need a check on the reference ioctl(s) - IIRC Thomas is

planning to drop nearly all DRM_AUTH instances in their driver.

Christian, as mentioned before - this series does _not_ add functionality to render nodes. It effectively paves a way towards removing DRM_AUTH.

But it adds functionality to the primary node.

Behaviour is adjusted - functionality was there since day 1.

...

I understand the series may feel a bit dirty. Yet I would gladly address any technical concerns you have.

Well putting compatibility issues aside my concern is that this is simply a bad design decision which we can't revert later on.

As sad above - any concerns (theoretical or actual regressions) can be trivially fixed _without_ reverting any of this.

I am more than happy to step up and address any regressions in timely manner.

As a reminder without this series, some of your customers are forced to run their applications as root.

Thanks Emil

On 2019/05/29, Dave Airlie wrote:

On Wed, 29 May 2019 at 02:47, Emil Velikov emil.l.velikov@gmail.com wrote:

...

On 2019/05/28, Koenig, Christian wrote:

...

Am 28.05.19 um 18:10 schrieb Emil Velikov:

...

On 2019/05/28, Daniel Vetter wrote:

...

On Tue, May 28, 2019 at 10:03 AM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 28.05.19 um 09:38 schrieb Daniel Vetter: > [SNIP] >> Might be a good idea looking into reverting it partially, so that at >> least command submission and buffer allocation is still blocked. > I thought the issue is a lot more than vainfo, it's pretty much every > hacked up compositor under the sun getting this wrong one way or > another. Thinking about this some more, I also have no idea how you'd > want to deprecate rendering on primary nodes in general. Apparently > that breaks -modesetting already, and probably lots more compositors. > And it looks like we're finally achieve the goal kms set out to 10 > years ago, and new compositors are sprouting up all the time. I guess > we could just break them all (on new hardware) and tell them to all > suck it up. But I don't think that's a great option. And just > deprecating this on amdgpu is going to be even harder, since then > everywhere else it'll keep working, and it's just amdgpu.ko that looks > broken. > > Aside: I'm not supporting Emil's idea here because it fixes any issues > Intel has - Intel doesn't care. I support it because reality sucks, > people get this render vs. primary vs. multi-gpu prime wrong all the > time (that's also why we have hardcoded display+gpu pairs in mesa for > the various soc combinations out there), and this looks like a > pragmatic solution. It'd be nice if every compositor and everything > else would perfectly support multi gpu and only use render nodes for > rendering, and only primary nodes for display. But reality is that > people hack on stuff until gears on screen and then move on to more > interesting things (to them). So I don't think we'll ever win this :-/ Yeah, but this is a classic case of working around user space issues by making kernel changes instead of fixing user space.

Having privileged (output control) and unprivileged (rendering control) functionality behind the same node is a mistake we have made a long time ago and render nodes finally seemed to be a way to fix that.

I mean why are compositors using the primary node in the first place? Because they want to have access to privileged resources I think and in this case it is perfectly ok to do so.

Now extending unprivileged access to the primary node actually sounds like a step into the wrong direction to me.

I rather think that we should go down the route of completely dropping command submission and buffer allocation through the primary node for non master clients. And then as next step at some point drop support for authentication/flink.

I mean we have done this with UMS as well and I don't see much other way to move forward and get rid of those ancient interface in the long term.

Well kms had some really good benefits that drove quick adoption, like "suspend/resume actually has a chance of working" or "comes with buffer management so you can run multiple gears".

The render node thing is a lot more niche use case (prime, better priv separation), plus "it's cleaner design". And the "cleaner design" part is something that empirically doesn't seem to matter :-/ Just two examples:

• KHR_display/leases just iterated display resources on the fd needed

for rendering (and iirc there was even a patch to expose that for render nodes too so it works with DRI3), because implementing protocols is too hard. Barely managed to stop that one before it happened.

• Various video players use the vblank ioctl on directly to schedule

frames, without telling the compositor. I discovered that when I wanted to limite the vblank ioctl to master clients only. Again, apparently too hard to use the existing extensions, or fix the bugs in there, or whatever. One userspace got fixed last year, but it'll probably get copypasted around forever :-/

So I don't think we'll ever manage to roll a clean split out, and best we can do is give in and just hand userspace what it wants. As much as that's misguided and unclean and all that. Maybe it'll result in a least fewer stuff getting run as root to hack around this, because fixing properly seems not to be on the table.

The beauty of kms is that we've achieved the mission, everyone's writing their own thing. Which is also terrible, and I don't think it'll get better.

With the risk of coming rude I will repeat my earlier comment:

The problem is _neither_ Intel nor libva specific.

That said, let's step back for a moment and consider:

• the "block everything but KMS via the primary node" idea is great but

orthogonal

• the series does address issues that are vendor-agnostic

• by default this series does _not_ cause any regression be that for

new or old userspace

• there are two trivial solutions, if the AMD team has concerns about

closed-source/private stack depending on the old behaviour If they want I can even write the patches ;-)

That said, the notable comments received so far are:

• rework patch 13/13 to remove the DRM_AUTH from prime fd to/from

handle. I'm OK but this will change the return code - from EACCES to ENOSYS

• vmwgfx will need a check on the reference ioctl(s) - IIRC Thomas is

planning to drop nearly all DRM_AUTH instances in their driver.

Christian, as mentioned before - this series does _not_ add functionality to render nodes. It effectively paves a way towards removing DRM_AUTH.

But it adds functionality to the primary node.

Behaviour is adjusted - functionality was there since day 1.

...

...

I understand the series may feel a bit dirty. Yet I would gladly address any technical concerns you have.

Well putting compatibility issues aside my concern is that this is simply a bad design decision which we can't revert later on.

As sad above - any concerns (theoretical or actual regressions) can be trivially fixed _without_ reverting any of this.

I am more than happy to step up and address any regressions in timely manner.

As a reminder without this series, some of your customers are forced to run their applications as root.

I'm torn here on whether this is worth it. Have we got more use cases to justify it?

Should have mentioned: three DRM drivers (not counting i915) have dropped DRM_AUTH, assumingly for the same reasons I'm bringing here.

Apart from the libva, kmscube + gst and mesa, I'm expecting other projects to make the same mistake. Since the former three define the norm of using DRM.

The "fix" for all of these being "run as root" :-\

I'm wary of opening this up just because we can.

What can I do to alleviate that worry? I have spent over a week auditing code and designed so that we can reinstate the authentication only where needed.

Thanks Emil

On 2019/05/29, Koenig, Christian wrote:

Am 29.05.19 um 15:03 schrieb Emil Velikov:

...

On 2019/05/29, Dave Airlie wrote:

...

On Wed, 29 May 2019 at 02:47, Emil Velikov emil.l.velikov@gmail.com wrote:

...

On 2019/05/28, Koenig, Christian wrote:

...

Am 28.05.19 um 18:10 schrieb Emil Velikov:

...

On 2019/05/28, Daniel Vetter wrote: > On Tue, May 28, 2019 at 10:03 AM Koenig, Christian > Christian.Koenig@amd.com wrote: >> Am 28.05.19 um 09:38 schrieb Daniel Vetter: >>> [SNIP] >>>> Might be a good idea looking into reverting it partially, so that at >>>> least command submission and buffer allocation is still blocked. >>> I thought the issue is a lot more than vainfo, it's pretty much every >>> hacked up compositor under the sun getting this wrong one way or >>> another. Thinking about this some more, I also have no idea how you'd >>> want to deprecate rendering on primary nodes in general. Apparently >>> that breaks -modesetting already, and probably lots more compositors. >>> And it looks like we're finally achieve the goal kms set out to 10 >>> years ago, and new compositors are sprouting up all the time. I guess >>> we could just break them all (on new hardware) and tell them to all >>> suck it up. But I don't think that's a great option. And just >>> deprecating this on amdgpu is going to be even harder, since then >>> everywhere else it'll keep working, and it's just amdgpu.ko that looks >>> broken. >>> >>> Aside: I'm not supporting Emil's idea here because it fixes any issues >>> Intel has - Intel doesn't care. I support it because reality sucks, >>> people get this render vs. primary vs. multi-gpu prime wrong all the >>> time (that's also why we have hardcoded display+gpu pairs in mesa for >>> the various soc combinations out there), and this looks like a >>> pragmatic solution. It'd be nice if every compositor and everything >>> else would perfectly support multi gpu and only use render nodes for >>> rendering, and only primary nodes for display. But reality is that >>> people hack on stuff until gears on screen and then move on to more >>> interesting things (to them). So I don't think we'll ever win this :-/ >> Yeah, but this is a classic case of working around user space issues by >> making kernel changes instead of fixing user space. >> >> Having privileged (output control) and unprivileged (rendering control) >> functionality behind the same node is a mistake we have made a long time >> ago and render nodes finally seemed to be a way to fix that. >> >> I mean why are compositors using the primary node in the first place? >> Because they want to have access to privileged resources I think and in >> this case it is perfectly ok to do so. >> >> Now extending unprivileged access to the primary node actually sounds >> like a step into the wrong direction to me. >> >> I rather think that we should go down the route of completely dropping >> command submission and buffer allocation through the primary node for >> non master clients. And then as next step at some point drop support for >> authentication/flink. >> >> I mean we have done this with UMS as well and I don't see much other way >> to move forward and get rid of those ancient interface in the long term. > Well kms had some really good benefits that drove quick adoption, like > "suspend/resume actually has a chance of working" or "comes with > buffer management so you can run multiple gears". > > The render node thing is a lot more niche use case (prime, better priv > separation), plus "it's cleaner design". And the "cleaner design" part > is something that empirically doesn't seem to matter :-/ Just two > examples: > - KHR_display/leases just iterated display resources on the fd needed > for rendering (and iirc there was even a patch to expose that for > render nodes too so it works with DRI3), because implementing > protocols is too hard. Barely managed to stop that one before it > happened. > - Various video players use the vblank ioctl on directly to schedule > frames, without telling the compositor. I discovered that when I > wanted to limite the vblank ioctl to master clients only. Again, > apparently too hard to use the existing extensions, or fix the bugs in > there, or whatever. One userspace got fixed last year, but it'll > probably get copypasted around forever :-/ > > So I don't think we'll ever manage to roll a clean split out, and best > we can do is give in and just hand userspace what it wants. As much as > that's misguided and unclean and all that. Maybe it'll result in a > least fewer stuff getting run as root to hack around this, because > fixing properly seems not to be on the table. > > The beauty of kms is that we've achieved the mission, everyone's > writing their own thing. Which is also terrible, and I don't think > it'll get better. With the risk of coming rude I will repeat my earlier comment:

The problem is _neither_ Intel nor libva specific.

That said, let's step back for a moment and consider:

• the "block everything but KMS via the primary node" idea is great but

orthogonal

• the series does address issues that are vendor-agnostic

• by default this series does _not_ cause any regression be that for

new or old userspace

• there are two trivial solutions, if the AMD team has concerns about

closed-source/private stack depending on the old behaviour If they want I can even write the patches ;-)

That said, the notable comments received so far are:

• rework patch 13/13 to remove the DRM_AUTH from prime fd to/from

handle. I'm OK but this will change the return code - from EACCES to ENOSYS

• vmwgfx will need a check on the reference ioctl(s) - IIRC Thomas is

planning to drop nearly all DRM_AUTH instances in their driver.

Christian, as mentioned before - this series does _not_ add functionality to render nodes. It effectively paves a way towards removing DRM_AUTH.

But it adds functionality to the primary node.

Behaviour is adjusted - functionality was there since day 1.

...

...

I understand the series may feel a bit dirty. Yet I would gladly address any technical concerns you have.

Well putting compatibility issues aside my concern is that this is simply a bad design decision which we can't revert later on.

As sad above - any concerns (theoretical or actual regressions) can be trivially fixed _without_ reverting any of this.

I am more than happy to step up and address any regressions in timely manner.

As a reminder without this series, some of your customers are forced to run their applications as root.

I'm torn here on whether this is worth it. Have we got more use cases to justify it?

Should have mentioned: three DRM drivers (not counting i915) have dropped DRM_AUTH, assumingly for the same reasons I'm bringing here.

Apart from the libva, kmscube + gst and mesa, I'm expecting other projects to make the same mistake. Since the former three define the norm of using DRM.

The "fix" for all of these being "run as root" :-\

...

I'm wary of opening this up just because we can.

What can I do to alleviate that worry? I have spent over a week auditing code and designed so that we can reinstate the authentication only where needed.

Well I don't think the worry here is about regressions,

Glad to hear.

but rather about a design decision we will never be able to revert.

Can you think of any reason/issue why we would want to revert this? I will gladly spend some thing exploring how to address it.

So the question we have to ask is rather if it's a good design decision to resurrect the primary node with all its related compability burdens to work around an issue which is essentially an userspace coding error.

Can see you're not happy on the topic - I'm not too excited either. The truth to the matter is - DRM drivers have dropped DRM_AUTH regardless of my work.

It's very unfortunate, if AMDGPU stands out. Perhaps after some time and unhappy users you'll reconsider.

I believe that Linus has pointed out a number of times that kernel developers should care about our users. Even when it's an userspace error.

HTH Emil

On 2019/05/31, Koenig, Christian wrote:

Am 29.05.19 um 18:29 schrieb Emil Velikov:

...

On 2019/05/29, Koenig, Christian wrote:

...

Am 29.05.19 um 15:03 schrieb Emil Velikov:

...

On 2019/05/29, Dave Airlie wrote:

...

On Wed, 29 May 2019 at 02:47, Emil Velikov emil.l.velikov@gmail.com wrote:

...

On 2019/05/28, Koenig, Christian wrote: > Am 28.05.19 um 18:10 schrieb Emil Velikov: >> On 2019/05/28, Daniel Vetter wrote: >>> On Tue, May 28, 2019 at 10:03 AM Koenig, Christian >>> Christian.Koenig@amd.com wrote: >>>> Am 28.05.19 um 09:38 schrieb Daniel Vetter: >>>>> [SNIP] >>>>>> Might be a good idea looking into reverting it partially, so that at >>>>>> least command submission and buffer allocation is still blocked. >>>>> I thought the issue is a lot more than vainfo, it's pretty much every >>>>> hacked up compositor under the sun getting this wrong one way or >>>>> another. Thinking about this some more, I also have no idea how you'd >>>>> want to deprecate rendering on primary nodes in general. Apparently >>>>> that breaks -modesetting already, and probably lots more compositors. >>>>> And it looks like we're finally achieve the goal kms set out to 10 >>>>> years ago, and new compositors are sprouting up all the time. I guess >>>>> we could just break them all (on new hardware) and tell them to all >>>>> suck it up. But I don't think that's a great option. And just >>>>> deprecating this on amdgpu is going to be even harder, since then >>>>> everywhere else it'll keep working, and it's just amdgpu.ko that looks >>>>> broken. >>>>> >>>>> Aside: I'm not supporting Emil's idea here because it fixes any issues >>>>> Intel has - Intel doesn't care. I support it because reality sucks, >>>>> people get this render vs. primary vs. multi-gpu prime wrong all the >>>>> time (that's also why we have hardcoded display+gpu pairs in mesa for >>>>> the various soc combinations out there), and this looks like a >>>>> pragmatic solution. It'd be nice if every compositor and everything >>>>> else would perfectly support multi gpu and only use render nodes for >>>>> rendering, and only primary nodes for display. But reality is that >>>>> people hack on stuff until gears on screen and then move on to more >>>>> interesting things (to them). So I don't think we'll ever win this :-/ >>>> Yeah, but this is a classic case of working around user space issues by >>>> making kernel changes instead of fixing user space. >>>> >>>> Having privileged (output control) and unprivileged (rendering control) >>>> functionality behind the same node is a mistake we have made a long time >>>> ago and render nodes finally seemed to be a way to fix that. >>>> >>>> I mean why are compositors using the primary node in the first place? >>>> Because they want to have access to privileged resources I think and in >>>> this case it is perfectly ok to do so. >>>> >>>> Now extending unprivileged access to the primary node actually sounds >>>> like a step into the wrong direction to me. >>>> >>>> I rather think that we should go down the route of completely dropping >>>> command submission and buffer allocation through the primary node for >>>> non master clients. And then as next step at some point drop support for >>>> authentication/flink. >>>> >>>> I mean we have done this with UMS as well and I don't see much other way >>>> to move forward and get rid of those ancient interface in the long term. >>> Well kms had some really good benefits that drove quick adoption, like >>> "suspend/resume actually has a chance of working" or "comes with >>> buffer management so you can run multiple gears". >>> >>> The render node thing is a lot more niche use case (prime, better priv >>> separation), plus "it's cleaner design". And the "cleaner design" part >>> is something that empirically doesn't seem to matter :-/ Just two >>> examples: >>> - KHR_display/leases just iterated display resources on the fd needed >>> for rendering (and iirc there was even a patch to expose that for >>> render nodes too so it works with DRI3), because implementing >>> protocols is too hard. Barely managed to stop that one before it >>> happened. >>> - Various video players use the vblank ioctl on directly to schedule >>> frames, without telling the compositor. I discovered that when I >>> wanted to limite the vblank ioctl to master clients only. Again, >>> apparently too hard to use the existing extensions, or fix the bugs in >>> there, or whatever. One userspace got fixed last year, but it'll >>> probably get copypasted around forever :-/ >>> >>> So I don't think we'll ever manage to roll a clean split out, and best >>> we can do is give in and just hand userspace what it wants. As much as >>> that's misguided and unclean and all that. Maybe it'll result in a >>> least fewer stuff getting run as root to hack around this, because >>> fixing properly seems not to be on the table. >>> >>> The beauty of kms is that we've achieved the mission, everyone's >>> writing their own thing. Which is also terrible, and I don't think >>> it'll get better. >> With the risk of coming rude I will repeat my earlier comment: >> >> The problem is _neither_ Intel nor libva specific. >> >> >> >> That said, let's step back for a moment and consider: >> >> - the "block everything but KMS via the primary node" idea is great but >> orthogonal >> >> - the series does address issues that are vendor-agnostic >> >> - by default this series does _not_ cause any regression be that for >> new or old userspace >> >> - there are two trivial solutions, if the AMD team has concerns about >> closed-source/private stack depending on the old behaviour >> If they want I can even write the patches ;-) >> >> >> That said, the notable comments received so far are: >> - rework patch 13/13 to remove the DRM_AUTH from prime fd to/from >> handle. I'm OK but this will change the return code - from EACCES to >> ENOSYS >> >> - vmwgfx will need a check on the reference ioctl(s) - IIRC Thomas is >> planning to drop nearly all DRM_AUTH instances in their driver. >> >> >> Christian, as mentioned before - this series does _not_ add >> functionality to render nodes. It effectively paves a way towards >> removing DRM_AUTH. > But it adds functionality to the primary node. > Behaviour is adjusted - functionality was there since day 1.

>> I understand the series may feel a bit dirty. Yet I would gladly address >> any technical concerns you have. > Well putting compatibility issues aside my concern is that this is > simply a bad design decision which we can't revert later on. > As sad above - any concerns (theoretical or actual regressions) can be trivially fixed _without_ reverting any of this.

I am more than happy to step up and address any regressions in timely manner.

As a reminder without this series, some of your customers are forced to run their applications as root.

I'm torn here on whether this is worth it. Have we got more use cases to justify it?

Should have mentioned: three DRM drivers (not counting i915) have dropped DRM_AUTH, assumingly for the same reasons I'm bringing here.

Apart from the libva, kmscube + gst and mesa, I'm expecting other projects to make the same mistake. Since the former three define the norm of using DRM.

The "fix" for all of these being "run as root" :-\

...

I'm wary of opening this up just because we can.

What can I do to alleviate that worry? I have spent over a week auditing code and designed so that we can reinstate the authentication only where needed.

Well I don't think the worry here is about regressions,

Glad to hear.

...

but rather about a design decision we will never be able to revert.

Can you think of any reason/issue why we would want to revert this? I will gladly spend some thing exploring how to address it.

Well, to finally get rid of the primary node for non display hardware.

And in general to have a clean separation between display and rendering.

Clean separation of display and rendering is a good end goal to have, but is going to break the current userspace. In DRM we try to enforce the Linux guarantee of not breaking userspace.

If we want to maintain this guarantee we are effectively stuck with providing render functionality in the primary node, so we might as well do it properly (i.e., relax the auth restrictions).

But most importantly, if we are to pursue KMS-only primary nodes: - we should really have a wider discussion about it, and - this series does NOT impede any of if

Thanks Emil

Am 04.06.19 um 12:50 schrieb Michel Dänzer:

On 2019-05-28 10:03 a.m., Koenig, Christian wrote:

...

I rather think that we should go down the route of completely dropping command submission and buffer allocation through the primary node for non master clients. And then as next step at some point drop support for authentication/flink.

Keep in mind that even display servers aren't DRM master while their VT isn't active, so this might be problematic if a display server needs to do some command submission / buffer allocation during that time.

If I understand it correctly the DRM fd stays master even when the VT is switched away, it's just not the current master any more.

So in this case fpriv->is_master stays true, but drm_is_current_master(fpriv) returns false.

And yes we mixed that up in amdgpu, i915 and vmwgfx. Somebody should probably write patches to fix this.

Regards, Christian.

On 2019/05/27, Koenig, Christian wrote:

Am 27.05.19 um 15:26 schrieb Emil Velikov:

...

On 2019/05/27, Daniel Vetter wrote:

...

On Mon, May 27, 2019 at 10:47:39AM +0000, Koenig, Christian wrote:

...

Am 27.05.19 um 10:17 schrieb Emil Velikov:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Affected versions are:

• the whole 18.2.x series, which is EOL
• the whole 18.3.x series, which is EOL
• the 19.0.x series, prior to 19.0.4

Well you could have saved your time, cause this is still a NAK.

For the record: I strongly think that we don't want to expose any render functionality on the primary node.

To even go a step further I would say that at least on AMD hardware we should completely disable DRI2 for one of the next generations.

As a follow up I would then completely disallow the DRM authentication for amdgpu, so that the command submission interface on the primary node can only be used by the display server.

So amdgpu is running in one direction, while everyone else is running in the other direction? Please note that your patch to change i915 landed already, so that ship is sailing (but we could ofc revert that back again).

Imo really not a great idea if we do a amdgpu vs. everyone else split here. If we want to deprecate dri2/flink/rendering on primary nodes across the stack, then that should be a stack wide decision, not an amdgpu one.

Cannot agree more - I would love to see drivers stay consistent.

Yeah, completely agree to that. That's why I think we should not do this at all and just let Intel fix it's userspace bugs :P

Pretty sure I mentioned it before - might have been too subtle:

The problem is _neither_ Intel nor libva specific.

Anyway my concern is really that we should stop extending functionality on the primary node.

E.g. the render node is for use by the clients and the primary node for mode setting and use by the display server only.

Fully agreed. I'm not extending anything really. If anything - code is removed from drivers and core :-)

Thanks Emil

On 2019/05/27, Daniel Vetter wrote:

On Mon, May 27, 2019 at 09:17:29AM +0100, Emil Velikov wrote:

...

From: Emil Velikov emil.velikov@collabora.com

Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision.

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication.

Maybe correction here: Id does not care about authentication at all. It wants to figure out whether it has access to modeset resources, which is something entirely different, but happened to match in amdgpu's case.

It feels like we have conflated the two (perhaps due to historical reasons) and I'm not 100% sure which one the AMDGPU code inspects.

How about:

Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet that cause a regression in some userspace, when it conflates the authentication status with access to modeset resources.

After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl.

...

Affected versions are:

• the whole 18.2.x series, which is EOL
• the whole 18.3.x series, which is EOL
• the 19.0.x series, prior to 19.0.4

Hm I think I'm blind, I'm not seeing the fix merged to mesa master. Still there on gitlab:

https://gitlab.freedesktop.org/mesa/mesa/blob/master/src/amd/vulkan/radv_dev...

What am I missing?

Opted for a simple, more generic solution see commit c962a78f18284e2971301bf68c9c60500ca398e4

This way, the same check is: - enforced where it's used - present for all Mesa Vulkan drivers

Will include the sha + commit title for v2.

...

Add a special quirk for that case, thus we can drop DRM_AUTH bits as mentioned earlier.

Since all the affected userspace is EOL, we also add a kconfig option to disable this quirk.

The whole approach is inspired by DRIVER_KMS_LEGACY_CONTEXT

Cc: Alex Deucher alexander.deucher@amd.com Cc: Christian König christian.koenig@amd.com Cc: amd-gfx@lists.freedesktop.org Cc: David Airlie airlied@linux.ie Cc: Daniel Vetter daniel@ffwll.ch Signed-off-by: Emil Velikov emil.velikov@collabora.com

Aside from the nits I think reasonable approach.

Great, glad to hear. Now all we need is to bribe^Wconvince Christian.

Thanks Emil

Am 14.06.19 um 14:09 schrieb Emil Velikov:

On 2019/05/27, Emil Velikov wrote: [SNIP] Hi Christian,

In the following, I would like to summarise and emphasize the need for DRM_AUTH removal. I would kindly ask you to spend a couple of minutes extra reading it.

Today DRM drivers* do not make any distinction between primary and render node clients.

That is actually not 100% correct. We have a special case where a DRM master is allowed to change the priority of render node clients.

Thus for a render capable driver, any premise of separation, security or otherwise imposed via DRM_AUTH is a fallacy.

Yeah, that's what I agree on. I just don't think that removing DRM_AUTH now is the right direction to take.

Considering the examples of flaky or outright missing drmAuth in prime open-source projects (mesa, kmscube, libva) we can reasonably assume other projects exbibit the same problem.

For these and/or other reasons, two DRM drivers have dropped DRM_AUTH since day one.

Since we are interested in providing consistent and predictable behaviour to user-space, dropping DRM_AUTH seems to be the most effective way forward.

Well and what do you do with drivers which doesn't implement render nodes?

Of course, I'd be more than happy to hear for any other way to achieve the goal outlined.

Based on the series, other maintainers agree with the idea/goal here. Amdgpu not following the same pattern would compromise predictability across drivers and complicate userspace, so I would kindly ask you to reconsider.

Alternatively, I see two ways to special case:

• New flag annotating amdgpu/radeon - akin to the one proposed earlier
• Check for amdgpu/radeon in core DRM

I perfectly agree that I don't want any special handling for amdgpu/radeon.

My key point is that with DRM_AUTH we created an authorization and authentication mess in DRM which is functionality which doesn't belong into the DRM subsystem in the first place.

Now on your pain point - not allowing render iocts via the primary node, and how this patch could make it harder to achieve that goal.

While I love the idea, there are number of obstacles that prevent us from doing so at this time:

• Ensuring both old and new userspace does not regress

Yeah, agree totally. That's why I said we should probably start doing this for only for upcoming hardware generations.

• Drivers (QXL, others?) do not expose a render node

Well isn't that is a rather big problem for the removal of DRM_AUTH in general?

E.g. at least QXL would then expose functionality on the primary node without authentication.

• We want to avoid driver specific behaviour

The only way forward that I can see is:

• Address QXL/others to expose render nodes
• Add a Kconfig toggle to disable !KMS ioctls via the primary node
• Jump-start ^^ with distribution X
• Fix user-space fallouts
• X months down the line, flip the Kconfig
• In case of regressions - revert the KConfig, goto Fix user-space...

Well that at least sounds like a plan :) Let's to this!

That said, the proposal will not conflict with the DRM_AUTH removal. If anything it is step 0.5 of the grand master plan.

That's the point I strongly disagree on.

By lowering the DRM_AUTH restriction you are encouraging userspace to use the shortcut and use the primary node for rendering instead of fixing the code and using the render node.

So at the end of the day userspace will most likely completely drop support for the render node, simply for the reason that it became superfluous. You can just open up the primary node and get the same functionality.

I absolutely can't understand how you can argue that this won't make it harder to cleanly separate rendering and primary node functionality.

Regards, Christian.

Tl;Dr: Removing DRM_AUTH is orthogonal to not allowing render iocts via the primary node. Here's an idea how to achieve the latter.

Thanks Emil

On 2019/06/14, Koenig, Christian wrote:

Am 14.06.19 um 14:09 schrieb Emil Velikov:

...

On 2019/05/27, Emil Velikov wrote: [SNIP] Hi Christian,

In the following, I would like to summarise and emphasize the need for DRM_AUTH removal. I would kindly ask you to spend a couple of minutes extra reading it.

Today DRM drivers* do not make any distinction between primary and render node clients.

That is actually not 100% correct. We have a special case where a DRM master is allowed to change the priority of render node clients.

Can you provide a link? I cannot find that code.

...

Thus for a render capable driver, any premise of separation, security or otherwise imposed via DRM_AUTH is a fallacy.

Yeah, that's what I agree on. I just don't think that removing DRM_AUTH now is the right direction to take.

Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW ioctls.

That aside, can you propose an alternative solution that addresses this and the second point just below?

...

Considering the examples of flaky or outright missing drmAuth in prime open-source projects (mesa, kmscube, libva) we can reasonably assume other projects exbibit the same problem.

For these and/or other reasons, two DRM drivers have dropped DRM_AUTH since day one.

Since we are interested in providing consistent and predictable behaviour to user-space, dropping DRM_AUTH seems to be the most effective way forward.

Well and what do you do with drivers which doesn't implement render nodes?

AFAICT there is a single non-DC driver which does not expose - QXL. I would expect it runs on a rather customised stack.

Would be great to fix that, but ETIME and it's the only exception to the rule.

...

Of course, I'd be more than happy to hear for any other way to achieve the goal outlined.

Based on the series, other maintainers agree with the idea/goal here. Amdgpu not following the same pattern would compromise predictability across drivers and complicate userspace, so I would kindly ask you to reconsider.

Alternatively, I see two ways to special case:

• New flag annotating amdgpu/radeon - akin to the one proposed earlier
• Check for amdgpu/radeon in core DRM

I perfectly agree that I don't want any special handling for amdgpu/radeon.

My key point is that with DRM_AUTH we created an authorization and authentication mess in DRM which is functionality which doesn't belong into the DRM subsystem in the first place.

Precisely and I've outlined below how to resolve this in the long run.

...

Now on your pain point - not allowing render iocts via the primary node, and how this patch could make it harder to achieve that goal.

While I love the idea, there are number of obstacles that prevent us from doing so at this time:

• Ensuring both old and new userspace does not regress

Yeah, agree totally. That's why I said we should probably start doing this for only for upcoming hardware generations.

That will side-step the regression issue, but will enforce driver specific behaviour outlined before.

...

• Drivers (QXL, others?) do not expose a render node

Well isn't that is a rather big problem for the removal of DRM_AUTH in general?

E.g. at least QXL would then expose functionality on the primary node without authentication.

With this series QXL remains functionally unchanged. I would love to fix that as well yet ETIME as mentioned above.

...

• We want to avoid driver specific behaviour

The only way forward that I can see is:

• Address QXL/others to expose render nodes
• Add a Kconfig toggle to disable !KMS ioctls via the primary node
• Jump-start ^^ with distribution X
• Fix user-space fallouts
• X months down the line, flip the Kconfig
• In case of regressions - revert the KConfig, goto Fix user-space...

Well that at least sounds like a plan :) Let's to this!

We're talking about months if not years until it comes to fruition. We need something quicker.

That said, I'm quite happy to take the first stab, yet this is not a replacement for this series.

...

That said, the proposal will not conflict with the DRM_AUTH removal. If anything it is step 0.5 of the grand master plan.

That's the point I strongly disagree on.

By lowering the DRM_AUTH restriction you are encouraging userspace to use the shortcut and use the primary node for rendering instead of fixing the code and using the render node.

Have to disagree here. After working on the user-space side and fixing issues in various projects I can honestly say that most user-space is sane and developers _care_ about doing things correctly.

So at the end of the day userspace will most likely completely drop support for the render node, simply for the reason that it became superfluous. You can just open up the primary node and get the same functionality.

I think you're being overly pessimistic here. This is coming from a person who is often closer to the pessimistic side of things.

As a middle ground how about we do the following: - Get this series as-is, alongside - picking the first three items from the grand master plan - happy to start a discussion about QXL - a patch for the Kconfig toggle, is coming in a few minutes - happy to prod my distribution of choice (Arch) and work with them

What do you think?

Thanks Emil

On 2019/06/14, Koenig, Christian wrote:

Am 14.06.19 um 17:53 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 14:09 schrieb Emil Velikov:

...

On 2019/05/27, Emil Velikov wrote: [SNIP] Hi Christian,

In the following, I would like to summarise and emphasize the need for DRM_AUTH removal. I would kindly ask you to spend a couple of minutes extra reading it.

Today DRM drivers* do not make any distinction between primary and render node clients.

That is actually not 100% correct. We have a special case where a DRM master is allowed to change the priority of render node clients.

Can you provide a link? I cannot find that code.

See amdgpu_sched_ioctl().

...

...

...

Thus for a render capable driver, any premise of separation, security or otherwise imposed via DRM_AUTH is a fallacy.

Yeah, that's what I agree on. I just don't think that removing DRM_AUTH now is the right direction to take.

Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW ioctls.

That aside, can you propose an alternative solution that addresses this and the second point just below?

Give me a few days to work on this, it's already Friday 6pm here.

Great thanks. Fwiw I was asking for a ideas/proposal, was not expecting you to write the patches ;-)

Emil

Am 20.06.19 um 18:30 schrieb Emil Velikov:

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 17:53 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 14:09 schrieb Emil Velikov:

...

On 2019/05/27, Emil Velikov wrote: [SNIP] Hi Christian,

In the following, I would like to summarise and emphasize the need for DRM_AUTH removal. I would kindly ask you to spend a couple of minutes extra reading it.

Today DRM drivers* do not make any distinction between primary and render node clients.

That is actually not 100% correct. We have a special case where a DRM master is allowed to change the priority of render node clients.

Can you provide a link? I cannot find that code.

See amdgpu_sched_ioctl().

...

...

...

Thus for a render capable driver, any premise of separation, security or otherwise imposed via DRM_AUTH is a fallacy.

Yeah, that's what I agree on. I just don't think that removing DRM_AUTH now is the right direction to take.

Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW ioctls.

That aside, can you propose an alternative solution that addresses this and the second point just below?

Give me a few days to work on this, it's already Friday 6pm here.

Hi Christian,

Any progress? As mentioned earlier, I'm OK with writing the patches although I would love to hear your plan.

First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.

This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.

As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.

All we have to do is to fix the bug Michel pointed out about KMS handles for display and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.

The last step (and that's what I haven't tried yet) would be to disable DRM authentication for Navi even when it is still compiled into the kernel. But that is more or less just a typing exercise.

Regards, Christian.

Thanks Emil

Am 21.06.19 um 09:41 schrieb Michel Dänzer:

On 2019-06-21 9:12 a.m., Koenig, Christian wrote:

...

First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.

This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.

FWIW, getting rid of DRI2 also needs to be discussed with amdgpu-pro OpenGL driver folks.

Good point, but I don't expect much problems from that direction.

IIRC they where quite happy to not have to support DRI2 except for a very very old X server version.

...

As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.

All we have to do is to fix the bug Michel pointed out about KMS handles for display

I'm working on that, consider it fixed.

...

and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.

My suggestion was to add a new variant of amdgpu_device_initialize. When the new variant is called, libdrm_amdgpu internally uses a render node for command submission etc. whenever possible.

Yeah, sounds like a plan to me.

Christian.

Am 21.06.19 um 11:09 schrieb Daniel Vetter:

On Fri, Jun 21, 2019 at 07:12:14AM +0000, Koenig, Christian wrote:

...

Am 20.06.19 um 18:30 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 17:53 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 14:09 schrieb Emil Velikov: > On 2019/05/27, Emil Velikov wrote: > [SNIP] > Hi Christian, > > > In the following, I would like to summarise and emphasize the need for > DRM_AUTH removal. I would kindly ask you to spend a couple of minutes > extra reading it. > > > Today DRM drivers* do not make any distinction between primary and > render node clients. That is actually not 100% correct. We have a special case where a DRM master is allowed to change the priority of render node clients.

Can you provide a link? I cannot find that code.

See amdgpu_sched_ioctl().

...

...

> Thus for a render capable driver, any premise of > separation, security or otherwise imposed via DRM_AUTH is a fallacy. Yeah, that's what I agree on. I just don't think that removing DRM_AUTH now is the right direction to take.

Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW ioctls.

That aside, can you propose an alternative solution that addresses this and the second point just below?

Give me a few days to work on this, it's already Friday 6pm here.

Hi Christian,

Any progress? As mentioned earlier, I'm OK with writing the patches although I would love to hear your plan.

First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.

This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.

As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.

All we have to do is to fix the bug Michel pointed out about KMS handles for display and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.

The last step (and that's what I haven't tried yet) would be to disable DRM authentication for Navi even when it is still compiled into the kernel. But that is more or less just a typing exercise.

So just to get this straight, we're now full on embracing a subsystem split here:

• amdgpu plans to ditch dri2/rendering on primary nodes
• bunch of drivers (I think more than i915 by now) merged the DRM_AUTH removal
• others are just hanging in there somehow

"best of both^W worlds" ftw?

Yes, exactly!

Think a step further, when this is upstream we can apply the DRM_AUTH removal to amdgpu as well.

Because we simply made sure that userspace is using the render node for command submission and not the primary node.

So nobody can go ahead and remove render node support any more :)

Regards, Christian.

-Daniel

Am 21.06.19 um 11:35 schrieb Daniel Vetter:

On Fri, Jun 21, 2019 at 11:25 AM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 21.06.19 um 11:09 schrieb Daniel Vetter:

...

On Fri, Jun 21, 2019 at 07:12:14AM +0000, Koenig, Christian wrote:

...

Am 20.06.19 um 18:30 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote:

...

Am 14.06.19 um 17:53 schrieb Emil Velikov: > On 2019/06/14, Koenig, Christian wrote: >> Am 14.06.19 um 14:09 schrieb Emil Velikov: >>> On 2019/05/27, Emil Velikov wrote: >>> [SNIP] >>> Hi Christian, >>> >>> >>> In the following, I would like to summarise and emphasize the need for >>> DRM_AUTH removal. I would kindly ask you to spend a couple of minutes >>> extra reading it. >>> >>> >>> Today DRM drivers* do not make any distinction between primary and >>> render node clients. >> That is actually not 100% correct. We have a special case where a DRM >> master is allowed to change the priority of render node clients. >> > Can you provide a link? I cannot find that code. See amdgpu_sched_ioctl().

>>> Thus for a render capable driver, any premise of >>> separation, security or otherwise imposed via DRM_AUTH is a fallacy. >> Yeah, that's what I agree on. I just don't think that removing DRM_AUTH >> now is the right direction to take. >> > Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW > ioctls. > > That aside, can you propose an alternative solution that addresses this > and the second point just below? Give me a few days to work on this, it's already Friday 6pm here.

Hi Christian,

Any progress? As mentioned earlier, I'm OK with writing the patches although I would love to hear your plan.

First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.

This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.

As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.

All we have to do is to fix the bug Michel pointed out about KMS handles for display and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.

The last step (and that's what I haven't tried yet) would be to disable DRM authentication for Navi even when it is still compiled into the kernel. But that is more or less just a typing exercise.

So just to get this straight, we're now full on embracing a subsystem split here:

• amdgpu plans to ditch dri2/rendering on primary nodes
• bunch of drivers (I think more than i915 by now) merged the DRM_AUTH removal
• others are just hanging in there somehow

"best of both^W worlds" ftw?

Yes, exactly!

Think a step further, when this is upstream we can apply the DRM_AUTH removal to amdgpu as well.

Because we simply made sure that userspace is using the render node for command submission and not the primary node.

So nobody can go ahead and remove render node support any more :)

How does this work? I thought the entire problem of DRM_AUTH removal for you was that it broke stuff, and you didn't want to deal with that.

Yeah, that is indeed still true.

It's just that we have done way to many projects with radeon/amdgpu and customized userspace stuff.

We still have that exact problem afaics ... old userspace doesn't simply vanish, even if you entirely nuke it going forward.

Well old userspace doesn't work with new hardware either.

So the idea is to keep old userspace for old hardware working, but only disable old stuff for new hardware.

Also, testing on the amdgpu stack isn't really testing a hole lot here, it's all the various silly compositors out there I'd expect to fall over. Will gbm/radeonsi/whatever just internally do all the necessary dma-buf import/export between the primary node and display node to keep this all working?

Yes, at least that's how I understand Michel's idea.

We keep both file descriptors for primary and render node around at the same time anyway. So the change is actually not that much.

This also solves the problem that people are running things as root, since we now always use the render node and never the primary node for everything except KMS.

Christian.

-Daniel

Am 21.06.19 um 12:20 schrieb Emil Velikov:

On 2019/06/21, Daniel Vetter wrote:

...

On Fri, Jun 21, 2019 at 11:25 AM Koenig, Christian Christian.Koenig@amd.com wrote:

...

Am 21.06.19 um 11:09 schrieb Daniel Vetter:

...

On Fri, Jun 21, 2019 at 07:12:14AM +0000, Koenig, Christian wrote:

...

Am 20.06.19 um 18:30 schrieb Emil Velikov:

...

On 2019/06/14, Koenig, Christian wrote: > Am 14.06.19 um 17:53 schrieb Emil Velikov: >> On 2019/06/14, Koenig, Christian wrote: >>> Am 14.06.19 um 14:09 schrieb Emil Velikov: >>>> On 2019/05/27, Emil Velikov wrote: >>>> [SNIP] >>>> Hi Christian, >>>> >>>> >>>> In the following, I would like to summarise and emphasize the need for >>>> DRM_AUTH removal. I would kindly ask you to spend a couple of minutes >>>> extra reading it. >>>> >>>> >>>> Today DRM drivers* do not make any distinction between primary and >>>> render node clients. >>> That is actually not 100% correct. We have a special case where a DRM >>> master is allowed to change the priority of render node clients. >>> >> Can you provide a link? I cannot find that code. > See amdgpu_sched_ioctl(). > >>>> Thus for a render capable driver, any premise of >>>> separation, security or otherwise imposed via DRM_AUTH is a fallacy. >>> Yeah, that's what I agree on. I just don't think that removing DRM_AUTH >>> now is the right direction to take. >>> >> Could have been clearer - I'm talking about DRM_AUTH | DRM_RENDER_ALLOW >> ioctls. >> >> That aside, can you propose an alternative solution that addresses this >> and the second point just below? > Give me a few days to work on this, it's already Friday 6pm here. > Hi Christian,

Any progress? As mentioned earlier, I'm OK with writing the patches although I would love to hear your plan.

First of all I tried to disable DRM authentication completely with a kernel config option. Surprisingly that actually works out of the box at least on the AMDGPU stack.

This effectively allows us to get rid of DRI2 and the related security problems. Only thing left for that is that I'm just not sure how to signal this to userspace so that the DDX wouldn't advertise DRI2 at all any more.

As a next step I looked into if we can disable the command submission for DRM master. Turned out that this is relatively easy as well.

All we have to do is to fix the bug Michel pointed out about KMS handles for display and let the DDX use a render node instead of the DRM master for Glamor. Still need to sync up with Michel and/or Marek whats the best way of doing this.

The last step (and that's what I haven't tried yet) would be to disable DRM authentication for Navi even when it is still compiled into the kernel. But that is more or less just a typing exercise.

So just to get this straight, we're now full on embracing a subsystem split here:

• amdgpu plans to ditch dri2/rendering on primary nodes
• bunch of drivers (I think more than i915 by now) merged the DRM_AUTH removal
• others are just hanging in there somehow

"best of both^W worlds" ftw?

Yes, exactly!

Think a step further, when this is upstream we can apply the DRM_AUTH removal to amdgpu as well.

So this is effectively what I suggested/planned with a couple of caveats:

• making amdgpu behave differently from the rest of drm ;-(
• having the KConfig amdgpu only and merged before this DRM_AUTH

No this should apply to all drivers, not just amdgpu.

While I suggested:

• keeping amdgpu consistent with the rest
• exposing the KConfig option for the whole of the kernel, and
• merging it alongside this work

So I effectively waited for weeks, instead of simply going ahead and writing/submitting patches. That's a bit unfortunate...

...

...

Because we simply made sure that userspace is using the render node for command submission and not the primary node.

So nobody can go ahead and remove render node support any more :)

How does this work? I thought the entire problem of DRM_AUTH removal for you was that it broke stuff, and you didn't want to deal with that. We still have that exact problem afaics ... old userspace doesn't simply vanish, even if you entirely nuke it going forward.

Also, testing on the amdgpu stack isn't really testing a hole lot here, it's all the various silly compositors out there I'd expect to fall over. Will gbm/radeonsi/whatever just internally do all the necessary dma-buf import/export between the primary node and display node to keep this all working?

If I understood Christian, feel free to correct me, the fact that my earlier patch broke RADV was not the argument. The problem was was the patch does.

Well partially. That RADV broke is unfortunate, but we have done so many customized userspace stuff both based on Mesa/DDX as well as closed source components that it is just highly likely that we would break something else as well.

In particular, that user-space will "remove" render nodes.

Yes, that is my main concern here. You basically make render nodes superfluously. That gives userspace all legitimization to also remove support for them. That is not stupid or evil or whatever, userspace would just follow the kernel design.

I'm really sad that amdgpu insists on standing out, hope one day it will converge. Yet since all other maintainers are ok with the series, I'll start merging patches in a few hours. I'm really sad that amdgpu wants to stand out, hope it will converge sooner rather than later.

Christian, how would you like amdgpu handled - with a separate flag in the driver or shall we special case amdgpu within core drm?

No, I ask you to please stick around DRM_AUTH for at least amdgpu and radeon. And NOT enable any render node functionality for them on the primary node.

Thanks, Christian.

Thanks Emil

Am 21.06.19 um 12:53 schrieb Emil Velikov:

On 2019/06/21, Koenig, Christian wrote:

...

[SNIP] Well partially. That RADV broke is unfortunate, but we have done so many customized userspace stuff both based on Mesa/DDX as well as closed source components that it is just highly likely that we would break something else as well.

As an engineer I like to work with tangibles. The highly likely part is probable, but as mentioned multiple times the series allows for a _dead_ trivial way to address any such problems.

Well to clarify my concern is that this won't be so trivial.

You implemented on workaround for one specific case and it is perfectly possible that for other cases we would have to completely revert the removal of DRM_AUTH.

...

...

In particular, that user-space will "remove" render nodes.

Yes, that is my main concern here. You basically make render nodes superfluously. That gives userspace all legitimization to also remove support for them. That is not stupid or evil or whatever, userspace would just follow the kernel design.

Do you have an example of userspace doing such an extremely silly thing? It does seem like suspect you're a couple of steps beyond overcautious, perhaps rightfully so. Maybe you've seen some closed-source user-space going crazy? Or any other projects?

The key point is that I don't think this is silly or strange or crazy at all. See the kernel defines the interface userspace can and should use.

When the kernel defines that everything will work with the primary node it is perfectly valid for userspace to drop support for the render node.

I mean why should they keep this? Just because we tell them not to do this?

In other words, being cautious is great, but without references of misuse it's very hard for others to draw the full picture.

...

...

I'm really sad that amdgpu insists on standing out, hope one day it will converge. Yet since all other maintainers are ok with the series, I'll start merging patches in a few hours. I'm really sad that amdgpu wants to stand out, hope it will converge sooner rather than later.

Christian, how would you like amdgpu handled - with a separate flag in the driver or shall we special case amdgpu within core drm?

No, I ask you to please stick around DRM_AUTH for at least amdgpu and radeon. And NOT enable any render node functionality for them on the primary node.

My question is how do you want this handled:

• DRM_PLEASE_FORCE_AUTH - added to AMDGPU/RADEON, or
• driver_name == amdgpu, in core DRM.

I want to keep DRM_AUTH in amdgpu and radeon for at least the next 5-10 years.

At least until we have established that nobody is using the primary node for command submission any more. Plus some grace time to make sure that this has been spread enough.

Regards, Christian.

Thanks Emil

Am 21.06.19 um 13:58 schrieb Emil Velikov:

On 2019/06/21, Koenig, Christian wrote:

...

Am 21.06.19 um 12:53 schrieb Emil Velikov:

...

On 2019/06/21, Koenig, Christian wrote:

...

[SNIP] Well partially. That RADV broke is unfortunate, but we have done so many customized userspace stuff both based on Mesa/DDX as well as closed source components that it is just highly likely that we would break something else as well.

As an engineer I like to work with tangibles. The highly likely part is probable, but as mentioned multiple times the series allows for a _dead_ trivial way to address any such problems.

Well to clarify my concern is that this won't be so trivial.

You implemented on workaround for one specific case and it is perfectly possible that for other cases we would have to completely revert the removal of DRM_AUTH.

I would encourage you to take a closer look at my patch and point out how parcicular cases cannot be handled.