VK_EXT_aquire_xlib_display and kernel security concerns

James Jones jajones at nvidia.com
Mon Oct 16 20:01:21 UTC 2017 

On 10/16/2017 12:28 PM, Keith Packard wrote:
> James Jones <jajones at nvidia.com> writes:
> 
>> I think at a lower level, we have different views of how
>> vkGetPhysicalDeviceDisplayPropertiesKHR/VK_KHR_display works.
>> vkGetPhysicalDeviceDisplayPropertiesKHR() is suppose to enumerate all
>> the displays on a given device.
> 
> In many devices, the display controller and rendering hardware are
> separate devices, so it's up to user space to figure out the connection
> between them, and user DMAbufs to pass rendered output to the display.

Understood.  In that case, no displays should be enumerated on the 
"rendering hardware" device in Vulkan, unless the driver vendor opts for 
heroics.

>> I assumed DRM drivers would try the display-capable node, then fall
>> back to a render node if that failed.
> 
> No, they cannot as the display node is protected from normal user
> access.

Right, but normal processes don't need the display node, or aren't 
supposed to.  I assumed apps that need direct-to-display would have 
elevated permissions on systems configured to require it, or use 
"acquire" extensions, potentially combined with native secondary auth 
mechanisms, to get access.  This is why it bothers me that "normal user 
access" doesn't include display enumeration.

>>    Everyone focuses on the direct-to-display swapchain portion of
>> VK_KHR_display, but the core of it is really just a display
>> enumeration API.
> 
> Right, I think all I really need is to hand the driver a connection to
> the X server and it can use that to enumerate the available displays
> through the Vulkan API.
> 
>> For (c), I hope that after reading the above, there is no such
>> assumption.  Of course the app can't acquire such a display, but that
>> shouldn't be unexpected.  I had hoped that there would be a way to
>> enumerate "hidden" HMD displays using XRandR, and I thought you provided
>> that in your XRandR changes.
> 
> Yes, we're figuring out how to do that now. Dave has posted proposed
> kernel patches to the list which adds an EDID-based quirk to mark HMD
> displays as 'special'.
> 
> Our current thought is that we would list the 'special' outputs as
> Disconnected, but provide an EDID property for them. That way, normal X
> applications would continue to ignore them, but a special application
> could still discover the target device using EDID information.

Cool.

>> It seems to be suggested below as well. If apps have that, they can
>> use vkGetRandROutputDisplayEXT to map them to VkDisplayKHR objects,
>> rather than the other way around.  That way, they could avoid an
>> attempt to acquire a display from the wrong X server.
> 
> Yes, I have a test application which works this way. However, as the
> nVidia driver is hiding HMD outputs from X applications, an application
> wanting to support both nVidia and DRM drivers will have to try both
> methods.

Once a method is finalized to expose HMDs without having desktops pick 
them up, we can probably switch to that behavior.  We'll have to review 
the proposed disconnected-but-has-EDID idea above.  Currently, we have 
an option to force exposure of HMDs, but then they just look like normal 
displays to userspace.

>> FWIW, I think this would be great.  I don't see why enumeration should
>> be a privileged operation.  chmod +x the display directory please :-)
> 
> That was my initial plan, and it obviously works fine. Daniel Vetter
> has a reasonable aversion to providing this kind of access; "bad things"
> have happened in the past when we expose system information of this kind
> to all applications.
> 
> Besides, this fails in the case where the display device and rendering
> device are separate, so we end up needing another path for that anyways.

Given the current definition of a Vulkan-capable device, yes.  It's 
annoying that Vulkan can't yet expose a device that only has displays 
and the ability to import memory objects and create images from them.

I prefer the enumeration ability as a general principle though.  Is the 
discussion with Daniel Vetter captured somewhere so I can read up on the 
objections?  I couldn't find it with a naive Google or DRI devel search.

>> Let me know if you have suggestions to improve the Vulkan APIs.
> 
> Would it be reasonable to add a new function to the acquire_xlib_display
> extension that would let you pass the Display into the API before the
> vkGetPhysicalDeviceDisplayPropertiesKHR call? That would offer the least
> impact on applications using the API, allowing them to have a single
> enumeration mechanism for both DRM and nVidia devices. Right now, the
> pattern looks like:
> 
>          open X connection
>          enumerate displays using vk APIs
>          select desired display
>          acquire xlib display
> 
> That would change to
> 
>          open X connection
>          tell vk about the X connection
>          enumerate displays using vk APIs
>          select desired display
>          acquire xlib display

We've very much tried to avoid giving Vulkan itself stateful knowledge 
of a window system.  Swapchains have it, and that's it, which I feel is 
a rather clean design (others prefer swapchains not exist, which would 
be even cleaner, but... compromises).  EXT_acquire_xlib_display kind of 
has it, but it's tied to a specific object much like the swapchain case. 
  From a design perspective, I don't like the idea that a top-level 
Vulkan object, especially a physical device which is supposed to be 
immutable, would take on new properties because of which window system 
it's associated with.  However, if there are one or two commands that 
could benefit from a display connection, an alternative design would be 
to make an extension that provides the connection info to those commands 
and scope it's availability to Vulkan to be the duration of those commands.

> Without this function, every application would have to try both
> enumerations:
> 
>          open X connection
>          enumerate displays using vk APIS
>          if (success) {
>                  select desired display
>          } else {
>                  enumerate outputs using X apis
>                  select desired output
>                  map output to display
>          }
>          acquire xlib display
> 
> Alternatively, we could encourage applications to always use X lib APIs
> for selecting the output; there's more information provided about the
> device from that interface (like the EDID). That would require that the
> nVidia X driver not hide the HMD from X as it reportedly does today.

This is my preferred direction.

> Oh, one added benefit of telling Vulkan about the X display is that it
> could trim the list of outputs to those reachable by the rendering
> driver; definitely a point in favor of that method. In this case, we
> might want to extend the information made available through Vulkan to
> things like EDID so that applications aren't left guessing which output
> they want based solely on the display geometry.

There was more information in the original KHR_display extension draft, 
but people claimed it was overly verbose.  Some people felt raw EDID 
itself was too low-level I think.  We could revisit that though.  Note I 
still don't think it's a good idea to enumerate outputs not reachable by 
the rendering device anyway, so I don't see this as a positive for 
telling Vulkan more about X.

Thanks,
-James

More information about the xorg-devel mailing list