On Wed, 2005-08-24 at 00:40 +0200, Stephane Marchesin wrote:
> Alan Cox wrote:
>
> >>The log design presents numerous opportunities for rogue processes to do
> >>bad things. At some level, that's inherent in the nature of direct
> >>rendering. If you don't trust the processes, don't enable direct rendering.
> >
> > That's a very poor answer to the problem. DRI needs to be moving towards
> > being more secure, and building in assumptions of insecurity just makes
> > it worse when better cards are used.
>
> Security is more than just the memory manager. To enforce video memory
> protection, we'd have to audit the code and add memory protection to
> existing drm modules. That is quite a lot of work, and requires
> extensive knowledge of each card. So I don't think it's worth the
> trouble with current cards.

I still think 'we may not succeed 100%, at least in the short term' is a
bad excuse for not trying, but that seems to be mostly me.

> > It's critical that the kernel knows what memory on the video space is
> > being used for command queue and protects it. From the description of
> > the SiS turboqueue I suspect you may be able to root a sis video box
> > that way but without full docs I can't tell.
>
> Protecting a statically assigned command queue is one thing (something
> similar to what's currently done on radeon would be sufficient),
> protecting dynamically allocated video memory is another.

If the DRM operated on memory objects instead of with offsets directly,
it should be trivial: It only has to check that the caller has permission
to access the memory objects involved.

> > Other stuff like textures is merely annoyance value. Knowing who owned a
> > block for cleanup matters and the DRI lock/mem handling on some chips
> > already handles it. It's also cheap because you only have to track some
> > kind of texture handles not pages for cleanup.
>
> Actually, the long term idea is to have both dri and ddx allocate from
> the same memory pool. So we can't rely on texture handles for that.

May I ask why we can't, assuming this is done via EXA callbacks into the
DDX driver that use the shared memory manager?

--
Earthling Michel Dänzer           |     Debian (powerpc), X and DRI developer
Libre software enthusiast         |   http://svcs.affero.net/rm.php?r=daenzer
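The two points made above, that a kernel operating on memory objects rather than raw offsets only has to check that the caller may use the objects it names, and that recording who owns a block makes cleanup cheap, can be shown with a small model. The C below is an added example, not code from the DRM, the SiS or radeon drivers, or anyone on this thread; the pool, the handle table, the `submit_by_offset`/`submit_by_handle` entry points and the 64 KiB video-memory size are all constructed for illustration. It contrasts an offset-based submission, where the kernel has nothing to validate the offset against, with a handle-based one, where the kernel resolves the handle, requires that the caller owns the object, and derives the offset itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VRAM_SIZE    (64u * 1024u)   /* constructed: 64 KiB of video memory */
#define MAX_OBJECTS  8
#define NO_HANDLE    0u              /* handle 0 is reserved as "none" */

/* One allocated block of video memory and the client that owns it. */
struct vram_object {
    uint32_t offset;   /* chosen by the kernel side, never by the client */
    uint32_t size;
    int      owner;    /* id of the client that allocated it */
    bool     in_use;
};

/* Hypothetical pool shared by all clients: a bump allocator with no reuse,
 * enough to show the ownership check without a real allocator. */
struct vram_pool {
    struct vram_object objs[MAX_OBJECTS];
    uint32_t next_free;
};

void vram_pool_init(struct vram_pool *p)
{
    for (int i = 0; i < MAX_OBJECTS; i++) p->objs[i].in_use = false;
    p->next_free = 0;
}

/* Allocate a block for `client` and return an opaque handle; the client
 * never learns or supplies the offset. */
uint32_t vram_alloc(struct vram_pool *p, int client, uint32_t size)
{
    if (size == 0 || size > VRAM_SIZE - p->next_free) return NO_HANDLE;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (p->objs[i].in_use) continue;
        p->objs[i] = (struct vram_object){ p->next_free, size, client, true };
        p->next_free += size;
        return (uint32_t)i + 1;
    }
    return NO_HANDLE;
}

static struct vram_object *vram_lookup(struct vram_pool *p, uint32_t handle)
{
    if (handle == NO_HANDLE || handle > MAX_OBJECTS) return NULL;
    struct vram_object *o = &p->objs[handle - 1];
    return o->in_use ? o : NULL;
}

/* Offset-based submission: the caller's offset goes straight into the
 * command stream; there is no object to check it against. */
bool submit_by_offset(uint32_t offset, uint32_t *cmd_out)
{
    *cmd_out = offset;
    return true;
}

/* Object-based submission: resolve the handle, require that the caller
 * owns the object, and only then emit the kernel-known offset. */
bool submit_by_handle(struct vram_pool *p, int client, uint32_t handle,
                      uint32_t *cmd_out)
{
    struct vram_object *o = vram_lookup(p, handle);
    if (o == NULL || o->owner != client) return false;
    *cmd_out = o->offset;
    return true;
}

/* Because every object records its owner, releasing everything a departed
 * client held is a single pass over the table; returns the count freed. */
int vram_release_client(struct vram_pool *p, int client)
{
    int freed = 0;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (p->objs[i].in_use && p->objs[i].owner == client) {
            p->objs[i].in_use = false;
            freed++;
        }
    }
    return freed;
}

int main(void)
{
    struct vram_pool pool;
    uint32_t cmd;
    vram_pool_init(&pool);
    uint32_t a = vram_alloc(&pool, 1, 4096);   /* client 1 */
    uint32_t b = vram_alloc(&pool, 2, 8192);   /* client 2 */
    printf("client 1 uses own object: %d\n", submit_by_handle(&pool, 1, a, &cmd));
    printf("client 1 uses client 2's object: %d\n", submit_by_handle(&pool, 1, b, &cmd));
    printf("offset-based path accepts anything: %d\n", submit_by_offset(8192, &cmd));
    printf("objects freed for client 2: %d\n", vram_release_client(&pool, 2));
    return 0;
}
```

The ownership test is only a placeholder for whatever policy the memory manager actually wants (shared objects, for instance, would carry an access list instead of a single owner); the structural point is that the check is possible at all only because the kernel, not the client, maps handles to offsets.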