Re: [mark.kette...@xs4all.nl: Check your machdep.allowaperture setting]
Hi, Marc.

Thanks for those explanations.

Is there a solution? Especially when you have an arch Optimum GPU, where
only the Intel GPU works? (Yes, I know nvidia is evil!)

On 6/13/19 10:55 AM, Marc Espie wrote:
> On Wed, Jun 12, 2019 at 06:20:55PM +0200, Stephane HUC "PengouinBSD" wrote:
>> Hi,
>>
>> In the French documentation on obsd4a's wiki, I wrote:
>>
>> "When to add this option?
>> When you see in xorg.log:
>> $ head /var/log/Xorg.0.log
>> [ 33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
>> (Operation not permitted)
>> Check that you have set 'machdep.allowaperture=1'
>> in /etc/sysctl.conf and reboot your machine
>> refer to xf86(4) for details
>> (...)
>> "
>> Is it right?
>>
>> You mention security risks and other problems.
>> Which?
>> Could you explain simply, please?
>
> Well, duh.
>
> allowaperture allows you to open the graphics device, which was the old
> model prior to intel graphics and more.
>
> *if* X + inteldrm no longer needs the graphics device, it does not open
> it.
>
> ... but it's still around.
>
> ... and allowaperture means some program could possibly still open it,
> thus gaining low-level access to some part of the graphics card.
>
> The attack surface of graphics hardware being huge, it's likely you can
> still do harm through that backdoor.

-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net
Re: [mark.kette...@xs4all.nl: Check your machdep.allowaperture setting]
On Wed, Jun 12, 2019 at 06:20:55PM +0200, Stephane HUC "PengouinBSD" wrote:
> Hi,
>
> In the French documentation on obsd4a's wiki, I wrote:
>
> "When to add this option?
> When you see in xorg.log:
> $ head /var/log/Xorg.0.log
> [33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
> (Operation not permitted)
> Check that you have set 'machdep.allowaperture=1'
> in /etc/sysctl.conf and reboot your machine
> refer to xf86(4) for details
> (...)
> "
> Is it right?
>
> You mention security risks and other problems.
> Which?
> Could you explain simply, please?

Well, duh.

allowaperture allows you to open the graphics device, which was the old
model prior to intel graphics and more.

*if* X + inteldrm no longer needs the graphics device, it does not open
it.

... but it's still around.

... and allowaperture means some program could possibly still open it,
thus gaining low-level access to some part of the graphics card.

The attack surface of graphics hardware being huge, it's likely you can
still do harm through that backdoor.
Re: [mark.kette...@xs4all.nl: Check your machdep.allowaperture setting]
Hi,

In the French documentation on obsd4a's wiki, I wrote:

"When to add this option?
When you see in xorg.log:
$ head /var/log/Xorg.0.log
[33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
(Operation not permitted)
Check that you have set 'machdep.allowaperture=1'
in /etc/sysctl.conf and reboot your machine
refer to xf86(4) for details
(...)
"
Is it right?

You mention security risks and other problems.
Which?
Could you explain simply, please?

On 6/12/19 12:58 AM, Marc Espie wrote:
> I think this is generic enough to belong on misc@
>
> - Forwarded message from Mark Kettenis -
>
> Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
> From: Mark Kettenis
> To: t...@openbsd.org
> Subject: Check your machdep.allowaperture setting
>
> These days most OpenBSD users should have the machdep.allowaperture
> sysctl set to 0 (the default). Having it set to something else
> poses security risks and can actually cause problems, in particular
> on systems that have multiple GPUs where one of the GPUs is
> supported by inteldrm(4) or radeondrm(4) and the other isn't.
>
> You'll only need to set machdep.allowaperture to a non-zero value
> if inteldrm(4) or radeondrm(4) doesn't attach on your machine and
> you can't use efifb(4) either.
>
> - End forwarded message -

-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net
Re: [mark.kette...@xs4all.nl: Check your machdep.allowaperture setting]
On 12/06/2019 00:58, Marc Espie wrote:
> I think this is generic enough to belong on misc@
>
> - Forwarded message from Mark Kettenis -
>
> Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
> From: Mark Kettenis
> To: t...@openbsd.org
> Subject: Check your machdep.allowaperture setting
>
> These days most OpenBSD users should have the machdep.allowaperture
> sysctl set to 0 (the default). Having it set to something else
> poses security risks and can actually cause problems, in particular
> on systems that have multiple GPUs where one of the GPUs is
> supported by inteldrm(4) or radeondrm(4) and the other isn't.
>
> You'll only need to set machdep.allowaperture to a non-zero value
> if inteldrm(4) or radeondrm(4) doesn't attach on your machine and
> you can't use efifb(4) either.
>
> - End forwarded message -

Well, if you need brightness settings on current intel gpus via
intel_backlight, it has to be set at 3 with no way around it.

For laptops you're in trouble I guess!
[mark.kette...@xs4all.nl: Check your machdep.allowaperture setting]
I think this is generic enough to belong on misc@

- Forwarded message from Mark Kettenis -

Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
From: Mark Kettenis
To: t...@openbsd.org
Subject: Check your machdep.allowaperture setting

These days most OpenBSD users should have the machdep.allowaperture
sysctl set to 0 (the default). Having it set to something else
poses security risks and can actually cause problems, in particular
on systems that have multiple GPUs where one of the GPUs is
supported by inteldrm(4) or radeondrm(4) and the other isn't.

You'll only need to set machdep.allowaperture to a non-zero value
if inteldrm(4) or radeondrm(4) doesn't attach on your machine and
you can't use efifb(4) either.

- End forwarded message -
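
The check described in the forwarded message, as an added example that is not part of any message in this thread: it reads a sysctl.conf-style file and saved boot messages and reports whether a non-zero machdep.allowaperture looks stale. The function names, the verdict words and the sample files are assumptions made for illustration; the `driverN at ...` attach-line format is the usual OpenBSD dmesg form.

```sh
#!/bin/sh
# Added example: audit machdep.allowaperture against the advice in this thread.
# Function names are hypothetical; inputs are files so copies can be checked.

# Print the last value assigned to machdep.allowaperture in a
# sysctl.conf-style file, or 0 (the default) when it is not set.
aperture_from_conf() {
    val=$(sed -e 's/#.*//' "$1" 2>/dev/null |
        awk -F= '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
                 $1 == "machdep.allowaperture" { v = $2 }
                 END { print v }')
    echo "${val:-0}"
}

# Succeed if the boot messages show inteldrm, radeondrm or efifb attached.
drm_or_efifb_attached() {
    grep -Eq '^(inteldrm|radeondrm|efifb)[0-9]+ at ' "$1"
}

# Print a verdict for one host: ok, review or plausible.
audit_aperture() {
    conf=$1
    dmesg=$2
    val=$(aperture_from_conf "$conf")
    if [ "$val" = "0" ]; then
        echo "ok"          # default value, nothing to do
    elif drm_or_efifb_attached "$dmesg"; then
        echo "review"      # non-zero although a listed driver attached
    else
        echo "plausible"   # no listed driver: the case the thread allows
    fi
}

# Constructed sample inputs, not taken from a real machine.
tmp=$(mktemp -d)
printf 'machdep.allowaperture=2  # left over from an old setup\n' > "$tmp/sysctl.conf"
printf 'inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x02\n' > "$tmp/dmesg.boot"
audit_aperture "$tmp/sysctl.conf" "$tmp/dmesg.boot"
rm -rf "$tmp"
```

On a live OpenBSD system, pass /etc/sysctl.conf and /var/run/dmesg.boot, and compare the result with the running value from `sysctl -n machdep.allowaperture`.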