+Christian who added DMABUF_MOVE_NOTIFY which added the relevant blurb:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/dma-buf/Kconfig#n46
Currently, the user seems to be amdgpu for P2P dma-buf, and it seems to plumb the ttm (*move_notify) callback to dma-buf. We're not sure if it's a security issue occurring across DRM drivers, or one more specific to the new amdgpu use case.
On Tue, Jul 21, 2020 at 1:03 PM Chia-I Wu <olvaffe@xxxxxxxxx> wrote:
Hi list,
virtio-gpu is moving in the direction where BO pages are pinned for
the lifetime for simplicity. I am wondering if that is considered a
security issue in general, especially after running into the
description of the new DMABUF_MOVE_NOTIFY config option.
Most drivers do not have a shrinker, or whether a BO is purgeable is
entirely controlled by the userspace (madvise). They can be
categorized as "a security problem where userspace is able to pin
unrestricted amounts of memory". But those drivers are normally found
on systems without swap. I don't think the issue applies.
Of the desktop GPU drivers, i915's shrinker certainly supports purging
to swap. TTM is a bit hard to follow. I can't really tell if amdgpu
or nouveau supports that. virtio-gpu is more commonly found on
systems with swap so I think it should follow the desktop practices?
Truth is, the emulated virtio-gpu device always supports page moves
with VIRTIO_GPU_CMD_RESOURCE_{ATTACH,DETACH}_BACKING. It is just that
the driver does not make use of them. That makes this less of an
issue because the driver can be fixed anytime (fingers crossed that the
emulator won't have bugs in these untested paths). This issue becomes
more urgent because we are considering adding a new HW command[1]
where page moves will be disallowed. We definitely don't want a HW
command that is inherently insecure, if BO pages pinned for the
lifetime is considered a security issue on desktops.
[1] VIRTIO_GPU_CMD_RESOURCE_CREATE_BLOB
https://gitlab.freedesktop.org/virgl/drm-misc-next/-/blob/virtio-gpu-next/include/uapi/linux/virtio_gpu.h#L396
_______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel