VK_EXT_aquire_xlib_display and kernel security concerns
James Jones
jajones at nvidia.com
Mon Oct 16 17:45:59 UTC 2017
On 10/14/2017 02:00 AM, "Keith Packard" wrote:
>
> I've implemented this extension in DRM and have run into a conflict
> between the spec and the Linux architecture.
>
> The VkDisplayKHR parameter for VK_EXT_acquire_xlib_display can be
> found in two different ways:
>
> 1) Enumerate displays using vkGetPhysicalDeviceDisplayPropertiesKHR
>
> 2) Enumerate RROutputs using xcb_randr_get_screen_resources and
> convert that to a VkDisplayKHR with vkGetRandROutputDisplayEXT
>
> The former makes some assumptions which are not valid in all
> environments:
>
> a) It assumes that the Vulkan rendering driver can touch all of the
> display resources on the system.
>
> Under DRM, a regular user running vulkan can only open a 'rendering'
> node, which denies it all access to the display resources associated
> with the rendering hardware.
>
> b) It assumes that the rendering driver knows about the display
> hardware.
>
> There are many modern systems where the display hardware and
> rendering hardware are entirely separate, and we must use DMAbufs to
> get the rendered output sent from the rendering driver to the
> display driver.
>
> c) It assumes that X controls all display resources on the system.
>
> If you're running more than one X server on different displays, then
> you can end up with a VkDisplayKHR object which the X server doesn't
> manage, and hence cannot be 'acquired'.
I think at a lower level, we have different views of how
vkGetPhysicalDeviceDisplayPropertiesKHR/VK_KHR_display works.
vkGetPhysicalDeviceDisplayPropertiesKHR() is suppose to enumerate all
the displays on a given device. Vulkan is agnostic to the underlying
device model, so whether you want to init it on a DRM render or full
(control? I forget the terminology now.) device is up to the driver. I
assumed DRM drivers would try the display-capable node, then fall back
to a render node if that failed.
Regardless, it is supposed to enumerate all displays, whether you can
control them and perform modesets on them, acquire them, or none of
those ops. Enumeration in itself can be useful for purposes of
correlation, which would allow apps to discover where their windows are
without native window system APIs if some future extensions materialize.
Everyone focuses on the direct-to-display swapchain portion of
VK_KHR_display, but the core of it is really just a display enumeration API.
Therefore, for (b), such a device would enumerate no displays. It would
be up to the app to do some kind of cross-device interop to get images
from its render-only device to its display-only device. Hence all the
allocator work and stuff. If the driver/hardware vendor chooses to hide
that detail when presenting to X/wayland/etc, great, but it's pretty
hard to hide when doing direct-to-display presentation, as you point
out. Vulkan's an explicit API, and I never expected drivers to hide
this detail for direct-to-display swapchains.
For (c), I hope that after reading the above, there is no such
assumption. Of course the app can't acquire such a display, but that
shouldn't be unexpected. I had hoped that there would be a way to
enumerate "hidden" HMD displays using XRandR, and I thought you provided
that in your XRandR changes. It seems to be suggested below as well. If
apps have that, they can use vkGetRandROutputDisplayEXT to map them to
VkDisplayKHR objects, rather than the other way around. That way, they
could avoid an attempt to acquire a display from the wrong X server.
Going the other way, from Vulkan display enumeration -> X grab, was sort
of intended to be a stop-gap until RandR caught up. However, it works
fine as well if you don't mind a try-and-fail enumeration model. I just
try to avoid that when possible.
> I can work around a) by opening up access rights to view display
> resources to all applications with access to render nodes. I've had push
> back on this plan from the DRM maintainers as it dramatically changes
> the access control model used by DRM with unknown consequences for both
> security and application abuse.
FWIW, I think this would be great. I don't see why enumeration should
be a privileged operation. chmod +x the display directory please :-)
> I can't work around b) and c) as the
> vkGetPhysicalDeviceDisplayPropertiesKHR function doesn't have any
> information about the window system to allow it to limit the set of
> display resources to those shared by X and Vulkan.
>
> Using method 2) provides the necessary control as
> vkGetRandROutputDisplayEXT gets both the Vulkan and X contexts and can
> make suitable choices about what it can support.
>
> However, the reason vkAcquireXlibDisplay takes a VkDisplayKHR object
> instead of an RROutput parameter is so that it can access displays which
> X may not want to advertise to all clients. I don't think that's
> necessary; we can advertise the RROutput, but just not tell clients
> that it is "Connected" when the display shouldn't be incorporated into a
> 'normal 'desktop. A separate mechanism would be used to report Connected
> status and describe what kind of device is out there.
>
> So, here's what I propose:
>
> vkGetPhysicalDeviceDisplayPropertiesKHR will fail when the
> system does not provide access to display resources for unprivileged
> Vulkan applications. When this happens, the application is expected to
> discover the desired display resource through X and map that to a
> VkDisplayKHR using vkGetRandROutputDisplayEXT.
>
> Any VkDisplayKHR may be used with vkGetDisplayModePropertiesKHR.
Sounds good.
> Once vkAcquireXlibDisplay is called, all of the VK_KHR_display APIs will
> work, but the resources visible will be restricted to the acquired
> display and plane.
Our driver will likely continue to expose all resources, but would fail
swapchain creation or present if it didn't have access to some resource.
I agree there's a bit of an API hole here, but that's true for
KHR_display in general. I purposely didn't include a "do I have mode
set permissions" query in it because I wasn't sure enough what hte
semantics should be. It has some hand-wavy language saying swapchain
creation or present can fail due to lack of permissions instead as a
place-holder. As I say though, I prefer not to rely on try-and-fail, so
perhaps we could add some API here.
> With this secondary mechanism, DRM-based systems will expose all of
> their native functionality without compromising the current API design.
Let me know if you have suggestions to improve the Vulkan APIs.
Thanks,
-James
More information about the xorg-devel
mailing list