Message ID | 20210827100027.1577561-1-javierm@redhat.com (mailing list archive) |
---|---|
Series | Allow to use DRM fbdev emulation layer with CONFIG_FB disabled |
Hi

On 27.08.21 at 12:00, Javier Martinez Canillas wrote:
> This patch series splits the fbdev core support in two different Kconfig
> symbols: FB and FB_CORE. The motivation for this is to allow CONFIG_FB to
> be disabled, while still using fbcon with the DRM fbdev emulation layer.

I'm skeptical. DRM's fbdev emulation is not just the console emulation, it's
a full fbdev device. You can see the related device file as /dev/fb*.
Providing the file while having CONFIG_FB disabled doesn't make much sense
to me. I know it's not pretty, but it's consistent at least.

If you want to remove fbdev, you could try to untangle fbdev and the console
emulation such that DRM can set up a console by itself. Old fbdev drives
would also set up the console individually.

Another low-hanging fruit is a config option to enable/disable the fbdev
userspace interface (i.e., dev/fb*). Disabling the interface would remove
the rsp mmap of the fbdev graphics buffer. We sometimes have to use an extra
shadow buffer because mmap requires non-moving buffers. Without mmap we
might be able to avoid some of the costly internal memcpys for some of our
drivers.

Best regards
Thomas

>
> The reason for doing this is that now with simpledrm we could just boot
> with simpledrm -> real DRM driver, without needing any legacy fbdev driver
> (e.g: efifb or simplefb) even for the early console.
>
> We want to do that in the Fedora kernel, but currently need to keep option
> CONFIG_FB enabled and all fbdev drivers explicitly disabled, which makes
> the configuration harder to maintain.
>
> It is a RFC because I'm not that familiar with the fbdev core, but I have
> tested and works with CONFIG_DRM_FBDEV_EMULATION=y and CONFIG_FB disabled.
> This config automatically disables all the fbdev drivers that is our goal.
>
> Patch 1/4 is just a clean up, patch 2/4 moves a couple of functions out of
> fbsysfs.o, that are not related to sysfs attributes creation and finally
> patch 3/4 makes the fbdev split that is mentioned above.
>
> Patch 4/4 makes the DRM fbdev emulation depend on the new FB_CORE symbol
> instead of FB. This could be done as a follow-up but for completeness is
> also included in this series.
>
> Best regards,
> Javier
>
>
> Javier Martinez Canillas (4):
>   fbdev: Rename fb_*_device() functions names to match what they do
>   fbdev: Move framebuffer_{alloc,release}() functions to fbmem.c
>   fbdev: Split frame buffer support in FB and FB_CORE symbols
>   drm: Make fbdev emulation depend on FB_CORE instead of FB
>
>  arch/x86/Makefile                  |  2 +-
>  arch/x86/video/Makefile            |  2 +-
>  drivers/gpu/drm/Kconfig            |  2 +-
>  drivers/video/console/Kconfig      |  2 +-
>  drivers/video/fbdev/Kconfig        | 57 +++++++++++++---------
>  drivers/video/fbdev/core/Makefile  | 13 +++--
>  drivers/video/fbdev/core/fbmem.c   | 73 ++++++++++++++++++++++++++--
>  drivers/video/fbdev/core/fbsysfs.c | 77 +-----------------------------
>  include/linux/fb.h                 | 18 ++++++-
>  9 files changed, 134 insertions(+), 112 deletions(-)
>

On Fri, Aug 27, 2021 at 07:50:23PM +0200, Thomas Zimmermann wrote:
> Hi
>
> On 27.08.21 at 12:00, Javier Martinez Canillas wrote:
> > This patch series splits the fbdev core support in two different Kconfig
> > symbols: FB and FB_CORE. The motivation for this is to allow CONFIG_FB to
> > be disabled, while still using fbcon with the DRM fbdev emulation layer.
>
> I'm skeptical. DRM's fbdev emulation is not just the console emulation, it's
> a full fbdev device. You can see the related device file as /dev/fb*.
> Providing the file while having CONFIG_FB disabled doesn't make much sense
> to me. I know it's not pretty, but it's consistent at least.
>
> If you want to remove fbdev, you could try to untangle fbdev and the console
> emulation such that DRM can set up a console by itself. Old fbdev drives
> would also set up the console individually.

Yeah given the horrendous security track record of all that code, and the
maze of handover we have (stuff like flicker free boot and all that) I'm
wondering whether typing a new drmcon wouldn't be faster and a lot more
maintainable. With drm_client this shouldn't be too much work at least for
the drm code.

> Another low-hanging fruit is a config option to enable/disable the fbdev
> userspace interface (i.e., dev/fb*). Disabling the interface would remove
> the rsp mmap of the fbdev graphics buffer. We sometimes have to use an extra
> shadow buffer because mmap requires non-moving buffers. Without mmap we
> might be able to avoid some of the costly internal memcpys for some of our
> drivers.

And yeah stuff like that wouldn't be needed for drmcon either.
-Daniel

>
> Best regards
> Thomas
>
> >
> > The reason for doing this is that now with simpledrm we could just boot
> > with simpledrm -> real DRM driver, without needing any legacy fbdev driver
> > (e.g: efifb or simplefb) even for the early console.
> >
> > We want to do that in the Fedora kernel, but currently need to keep option
> > CONFIG_FB enabled and all fbdev drivers explicitly disabled, which makes
> > the configuration harder to maintain.
> >
> > It is a RFC because I'm not that familiar with the fbdev core, but I have
> > tested and works with CONFIG_DRM_FBDEV_EMULATION=y and CONFIG_FB disabled.
> > This config automatically disables all the fbdev drivers that is our goal.
> >
> > Patch 1/4 is just a clean up, patch 2/4 moves a couple of functions out of
> > fbsysfs.o, that are not related to sysfs attributes creation and finally
> > patch 3/4 makes the fbdev split that is mentioned above.
> >
> > Patch 4/4 makes the DRM fbdev emulation depend on the new FB_CORE symbol
> > instead of FB. This could be done as a follow-up but for completeness is
> > also included in this series.
> >
> > Best regards,
> > Javier
> >
> >
> > Javier Martinez Canillas (4):
> >   fbdev: Rename fb_*_device() functions names to match what they do
> >   fbdev: Move framebuffer_{alloc,release}() functions to fbmem.c
> >   fbdev: Split frame buffer support in FB and FB_CORE symbols
> >   drm: Make fbdev emulation depend on FB_CORE instead of FB
> >
> >  arch/x86/Makefile                  |  2 +-
> >  arch/x86/video/Makefile            |  2 +-
> >  drivers/gpu/drm/Kconfig            |  2 +-
> >  drivers/video/console/Kconfig      |  2 +-
> >  drivers/video/fbdev/Kconfig        | 57 +++++++++++++---------
> >  drivers/video/fbdev/core/Makefile  | 13 +++--
> >  drivers/video/fbdev/core/fbmem.c   | 73 ++++++++++++++++++++++++++--
> >  drivers/video/fbdev/core/fbsysfs.c | 77 +-----------------------------
> >  include/linux/fb.h                 | 18 ++++++-
> >  9 files changed, 134 insertions(+), 112 deletions(-)
> >
>
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5, 90409 Nürnberg, Germany
> (HRB 36809, AG Nürnberg)
> Managing Director: Felix Imendörffer
>

Hello Daniel and Thomas,

On 8/27/21 10:20 PM, Daniel Vetter wrote:
> On Fri, Aug 27, 2021 at 07:50:23PM +0200, Thomas Zimmermann wrote:
>> Hi
>>
>> On 27.08.21 at 12:00, Javier Martinez Canillas wrote:
>>> This patch series splits the fbdev core support in two different Kconfig
>>> symbols: FB and FB_CORE. The motivation for this is to allow CONFIG_FB to
>>> be disabled, while still using fbcon with the DRM fbdev emulation layer.
>>
>> I'm skeptical. DRM's fbdev emulation is not just the console emulation, it's
>> a full fbdev device. You can see the related device file as /dev/fb*.
>> Providing the file while having CONFIG_FB disabled doesn't make much sense
>> to me. I know it's not pretty, but it's consistent at least.
>>
>> If you want to remove fbdev, you could try to untangle fbdev and the console
>> emulation such that DRM can set up a console by itself. Old fbdev drives
>> would also set up the console individually.
>
> Yeah given the horrendous security track record of all that code, and the
> maze of handover we have (stuff like flicker free boot and all that) I'm
> wondering whether typing a new drmcon wouldn't be faster and a lot more
> maintainable.
>

We talked about a drmcon with Peter Robinson as well but then decided that a
way to disable CONFIG_FB but still having the DRM fbdev emulation could be an
intermediary step, hence these RFC patches.

But yes, I agree that a drmcon would be the proper approach for this, to not
need any fbdev support at all. We will just keep the explicit disable for the
fbdev drivers then in the meantime.

Thanks a lot for your feedback.

Best regards,

On Sat, Aug 28, 2021 at 12:02:21AM +0200, Javier Martinez Canillas wrote:
> Hello Daniel and Thomas,
>
> On 8/27/21 10:20 PM, Daniel Vetter wrote:
> > On Fri, Aug 27, 2021 at 07:50:23PM +0200, Thomas Zimmermann wrote:
> >> Hi
> >>
> >> On 27.08.21 at 12:00, Javier Martinez Canillas wrote:
> >>> This patch series splits the fbdev core support in two different Kconfig
> >>> symbols: FB and FB_CORE. The motivation for this is to allow CONFIG_FB to
> >>> be disabled, while still using fbcon with the DRM fbdev emulation layer.
> >>
> >> I'm skeptical. DRM's fbdev emulation is not just the console emulation, it's
> >> a full fbdev device. You can see the related device file as /dev/fb*.
> >> Providing the file while having CONFIG_FB disabled doesn't make much sense
> >> to me. I know it's not pretty, but it's consistent at least.
> >>
> >> If you want to remove fbdev, you could try to untangle fbdev and the console
> >> emulation such that DRM can set up a console by itself. Old fbdev drives
> >> would also set up the console individually.
> >
> > Yeah given the horrendous security track record of all that code, and the
> > maze of handover we have (stuff like flicker free boot and all that) I'm
> > wondering whether typing a new drmcon wouldn't be faster and a lot more
> > maintainable.
> >
>
> We talked about a drmcon with Peter Robinson as well but then decided that a
> way to disable CONFIG_FB but still having the DRM fbdev emulation could be an
> intermediary step, hence these RFC patches.
>
> But yes, I agree that a drmcon would be the proper approach for this, to not
> need any fbdev support at all. We will just keep the explicit disable for the
> fbdev drivers then in the meantime.

I think the only intermediate step would be to disable the fbdev uapi
(char node and anything in sysfs), while still registering against the
fbcon layer so you have a console.

But looking at the things syzbot finds the really problematic code is all
in the fbcon and console layer in general, and /dev/fb0 seems pretty
solid.

I think for a substantial improvement here in robustness what you really
want is
- kmscon in userspace
- disable FB layer
- ideally also disable console/vt layer in the kernel
- have a minimal emergency/boot-up log thing in drm, patches for that
  floated around a few times

Otherwise it feels a bit like we're just doing Kconfig bikeshedding and no
real improvement on the attack surface :-/
-Daniel

On 8/31/21 2:35 PM, Daniel Vetter wrote:
> On Sat, Aug 28, 2021 at 12:02:21AM +0200, Javier Martinez Canillas wrote:

[snip]

>>
>> We talked about a drmcon with Peter Robinson as well but then decided that a
>> way to disable CONFIG_FB but still having the DRM fbdev emulation could be an
>> intermediary step, hence these RFC patches.
>>
>> But yes, I agree that a drmcon would be the proper approach for this, to not
>> need any fbdev support at all. We will just keep the explicit disable for the
>> fbdev drivers then in the meantime.
>
> I think the only intermediate step would be to disable the fbdev uapi
> (char node and anything in sysfs), while still registering against the
> fbcon layer so you have a console.
>

Right, $subject disabled the sysfs interface but left the fbdev chardev. I can
try to do a v2 that also disables that interface but just keep the fbcon part.

> But looking at the things syzbot finds the really problematic code is all
> in the fbcon and console layer in general, and /dev/fb0 seems pretty
> solid.
>

Yes, but still would be an improvement in the sense that no legacy fbdev uAPI
will be exposed and so user-space would only depend on the DRM/KMS interface.

> I think for a substantial improvement here in robustness what you really
> want is
> - kmscon in userspace
> - disable FB layer
> - ideally also disable console/vt layer in the kernel

Earlier in the thread it was mentioned that an in-kernel drmcon could be used
instead. My worry with kmscon is that moving something as critical as console
output to user-space might make harder to troubleshoot early booting issues.

And also that will require user-space changes. An in-kernel drmcon could be a
drop-in replacement though.

> - have a minimal emergency/boot-up log thing in drm, patches for that
>   floated around a few times
>

Interesting. Do you have any pointers for this? My search-fu failed me when
trying to find these patches.

Best regards,

On Wed, Sep 01, 2021 at 11:08:10AM +0200, Javier Martinez Canillas wrote:
> On 8/31/21 2:35 PM, Daniel Vetter wrote:
> > On Sat, Aug 28, 2021 at 12:02:21AM +0200, Javier Martinez Canillas wrote:
>
> [snip]
>
> >>
> >> We talked about a drmcon with Peter Robinson as well but then decided that a
> >> way to disable CONFIG_FB but still having the DRM fbdev emulation could be an
> >> intermediary step, hence these RFC patches.
> >>
> >> But yes, I agree that a drmcon would be the proper approach for this, to not
> >> need any fbdev support at all. We will just keep the explicit disable for the
> >> fbdev drivers then in the meantime.
> >
> > I think the only intermediate step would be to disable the fbdev uapi
> > (char node and anything in sysfs), while still registering against the
> > fbcon layer so you have a console.
> >
>
> Right, $subject disabled the sysfs interface but left the fbdev chardev. I can
> try to do a v2 that also disables that interface but just keep the fbcon part.
>
> > But looking at the things syzbot finds the really problematic code is all
> > in the fbcon and console layer in general, and /dev/fb0 seems pretty
> > solid.
> >
>
> Yes, but still would be an improvement in the sense that no legacy fbdev uAPI
> will be exposed and so user-space would only depend on the DRM/KMS interface.
>
> > I think for a substantial improvement here in robustness what you really
> > want is
> > - kmscon in userspace
> > - disable FB layer
> > - ideally also disable console/vt layer in the kernel
>
> Earlier in the thread it was mentioned that an in-kernel drmcon could be used
> instead. My worry with kmscon is that moving something as critical as console
> output to user-space might make harder to troubleshoot early booting issues.
>
> And also that will require user-space changes. An in-kernel drmcon could be a
> drop-in replacement though.

The drmcon wouldn't be a full console, but just an emergency log renderer.
See Sam's reply, he found the series again.

The real attack surface reduction is in getting rid of the console/vt uapi
implementation from the kernel.
-Daniel

> > - have a minimal emergency/boot-up log thing in drm, patches for that
> >   floated around a few times
> >
>
> Interesting. Do you have any pointers for this? My search-fu failed me when
> trying to find these patches.
>
> Best regards,
> --
> Javier Martinez Canillas
> Linux Engineering
> Red Hat
>
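
The layers named in this thread (legacy fbdev drivers, the /dev/fb* uAPI, fbcon, the in-kernel console/vt layer) can be checked against a kernel .config; the script below is an added example, not code from the thread or the patch series. The function names, the three-driver sample list and the embedded config are assumptions constructed for illustration.

```shell
# Added example: audit a kernel .config for the fbdev/console layers
# discussed in this thread. Function names are hypothetical.

# Sample of legacy fbdev driver symbols (assumption: not an exhaustive list).
FBDEV_DRIVERS="CONFIG_FB_EFI CONFIG_FB_SIMPLE CONFIG_FB_VESA"

# cfg_state SYMBOL FILE: print y or m if set, n if "is not set" or absent.
cfg_state() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | tail -n 1)
    echo "${val:-n}"
}

# audit_fb_surface FILE: print one finding per layer that is still enabled.
audit_fb_surface() {
    cfg=$1
    for sym in $FBDEV_DRIVERS; do
        if [ "$(cfg_state "$sym" "$cfg")" != n ]; then
            echo "legacy fbdev driver enabled: $sym"
        fi
    done
    if [ "$(cfg_state CONFIG_FB "$cfg")" != n ] &&
       [ "$(cfg_state CONFIG_DRM_FBDEV_EMULATION "$cfg")" != n ]; then
        echo "fbdev uAPI exposed: DRM fbdev emulation provides /dev/fb*"
    fi
    if [ "$(cfg_state CONFIG_FRAMEBUFFER_CONSOLE "$cfg")" != n ]; then
        echo "fbcon enabled: console rendered through the fbdev layer"
    fi
    if [ "$(cfg_state CONFIG_VT "$cfg")" != n ]; then
        echo "console/vt layer enabled in the kernel"
    fi
    return 0
}

# Constructed config: CONFIG_FB kept on, one driver left enabled by mistake.
sample_config() {
    cat <<'EOF'
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_FB=y
# CONFIG_FB_EFI is not set
# CONFIG_FB_SIMPLE is not set
CONFIG_FB_VESA=y
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_VT=y
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
tmp=$(mktemp) && sample_config > "$tmp"
audit_fb_surface "${1:-$tmp}"
rm -f "$tmp"
```

An empty report corresponds to the end state described in the thread: no fbdev drivers, no /dev/fb* node, no fbcon and no in-kernel VT.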