Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp244526ybe; Wed, 18 Sep 2019 16:26:46 -0700 (PDT) X-Google-Smtp-Source: APXvYqy7xRswahPNTty2Woz2WWIs3yR3yJeTUbHPpkasbjUb8oPsQT3Bc+uy0qLwMezz8yvB50H5 X-Received: by 2002:a50:fc0c:: with SMTP id i12mr11975034edr.82.1568849206811; Wed, 18 Sep 2019 16:26:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568849206; cv=none; d=google.com; s=arc-20160816; b=Gm/mfveUSbfzabQL7GLHcmi5JtlhFa+IL6Tfpd07eWo0b2uOrg+f+UMKxgm3pOaVCE WOGkOu1h3n+Tw64nhcKveCsnE9NEx4C3/cYulRg7J9yD553m2gDVf/hXXELuOKBT8wYR lGuOaOmYczFk/ab0Pe9LuPsnRPwMk+VoQaMLdnVxl4K4wLzoiDcrQGU/9xfp0MS0zJSH v1RmNbA2OdmqA2iBiMO2VgxNKCbgfl9llXLJ2Jwurx2i6IRTSBFPloW/9OtBar++Y83D TXwSs8yBe0YIBa6hu7sFpjnAQUkZnY4VdlJKoAw199WMvKk26/eaMGJDKOK2TXW9t6cS 9WzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=DgXcHi6LumSKsXK0wFWEwwduH7TINsc4eJamWRt8yTs=; b=zKsUfe6tc/x3ANqyElK3qk/hN2lQOCv/WNmH3VtfAnTg2o7nyrVxUVXzYP7KR7o5BJ Z7eJ0N66iShAZ2CUeO+ixjll9AwPXfmI9dBuYEoQ12GzqDGSrz7Q8st6dzpGSxSiXDve r/EFmsN+pry8E7SbaEPJhtHDkKvM7INaGHyWDZ58d5d715hI2JHYz5vkaZUqCgaDIeqN 0qD8VLjzyQeuxmnY6EunGCCt/uvXgyeCGU3bO4WyC9ZAfLmchqmnmniuehYaaCcjPMCW ZppAhN6OP4go0Di8Q6IIYgiJIc7I6IODwMGCeAnTt+GBubaLVPawIkFOEPYvUh5YSaWX gYkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@fooishbar-org.20150623.gappssmtp.com header.s=20150623 header.b=vNFdVJ4C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g30si4383724eda.2.2019.09.18.16.26.23; Wed, 18 Sep 2019 16:26:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@fooishbar-org.20150623.gappssmtp.com header.s=20150623 header.b=vNFdVJ4C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732252AbfIRVaq (ORCPT + 99 others); Wed, 18 Sep 2019 17:30:46 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:34592 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727737AbfIRVap (ORCPT ); Wed, 18 Sep 2019 17:30:45 -0400 Received: by mail-lj1-f193.google.com with SMTP id h2so1452569ljk.1 for ; Wed, 18 Sep 2019 14:30:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fooishbar-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DgXcHi6LumSKsXK0wFWEwwduH7TINsc4eJamWRt8yTs=; b=vNFdVJ4Cy7O0KvtSmfLAMZIlx2ACs+W2rohq5rc57FADo2r7TLRP84H/5yLIk1n/Oo CE0vwxDAWySlGwvp3ZH3lB7X7IhP1ItywFul3J7t1n0hC3aFEVhMziVOVXy5T2lxNYp4 aUeIYCDF0Rl3JX/RHpOKkLexC2a1tk5adVMrwXwY1OEEDJ5m2+ueFrAWaRE0+ciFjNaJ m8E+XeqK4nA+wVkO7ZOI8PoQhq3lL4wA4nl7Ra5LQ+LTW4lkE8EYhhLACASslmWDs/e2 Fhh0x6XH4xpO1dwZ/8OOwmNFDdND6qrL2s0hlSGUSSq5wGQFKc/nd3NYm3ch7OVcMTV4 mwXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DgXcHi6LumSKsXK0wFWEwwduH7TINsc4eJamWRt8yTs=; b=jSz0Ek3JDWhN2hvgo6M0ueo8PGra1t/uu/ADVMWVbJ8CmFgakAO2eGps5eIOQFBM58 U40oMQ93Arqv4UQZ37iQyrfZFtIXimnCXBW9KR3amve/zXWuNiaks7Dd4oMmNUMpg5Ko E3HILXaXum97/mNogm0yPteRQEF+1bA6BaiZ2Sp+IxcUv5IrMxmtTZtPguTtUXTVCqDB aO9tSbHhqXXNu+ho0b+aqgwmqWiOfCSWp7xM64sgCWD4hGenZavem67/pvHB+ZSZvahA bty8fJDQbiE5WlYhxpDN3iAUTUDyQIdk5KmckwC6LHOwsTAvCXdqjLGd2NL3A/GAIqjL 9RIA== X-Gm-Message-State: APjAAAW9HsntTfoWSxTZOdV1qjWtgdkmbqgqQiOd1A1lqWF2IgMekDEU e6ielF8oGuEhrYyJj4/PuGxYNDZnPimiQrS2hrvVxskH X-Received: by 2002:a2e:5b9a:: with SMTP id m26mr3392352lje.90.1568842243447; Wed, 18 Sep 2019 14:30:43 -0700 (PDT) MIME-Version: 1.0 References: <20190909134241.23297-1-ayan.halder@arm.com> <20190917125301.GQ3958@phenom.ffwll.local> <20190918120406.2ylkxx2rqsbhn2te@e110455-lin.cambridge.arm.com> In-Reply-To: <20190918120406.2ylkxx2rqsbhn2te@e110455-lin.cambridge.arm.com> From: Daniel Stone Date: Wed, 18 Sep 2019 22:30:12 +0100 Message-ID: Subject: Re: [RFC PATCH] drm:- Add a modifier to denote 'protected' framebuffer To: Liviu Dudau Cc: Daniel Vetter , Ayan Halder , "maxime.ripard@bootlin.com" , "linux-kernel@vger.kernel.org" , "dri-devel@lists.freedesktop.org" , "airlied@linux.ie" , nd , "sean@poorly.run" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Liviu, On Wed, 18 Sep 2019 at 13:04, Liviu Dudau wrote: > On Wed, Sep 18, 2019 at 09:49:40AM +0100, Daniel Stone wrote: > > I totally agree. Framebuffers aren't about the underlying memory they > > point to, but about how to _interpret_ that memory: it decorates a > > pointer with width, height, stride, format, etc, to allow you to make > > sense of that memory. I see content protection as being the same as > > physical contiguity, which is a property of the underlying memory > > itself. Regardless of the width, height, or format, you just cannot > > access that memory unless it's under the appropriate ('secure enough') > > conditions. > > > > So I think a dmabuf attribute would be most appropriate, since that's > > where you have to do all your MMU handling, and everything else you > > need to do to allow access to that buffer, anyway. > > Isn't it how AMD currently implements protected buffers as well? No idea to be honest, I haven't seen anything upstream. > > There's a lot of complexity beyond just 'it's protected'; for > > instance, some CP providers mandate that their content can only be > > streamed over HDCP 2.2 Type-1 when going through an external > > connection. One way you could do that is to use a secure world > > (external controller like Intel's ME, or CPU-internal enclave like SGX > > or TEE) to examine the display pipe configuration, and only then allow > > access to the buffers and/or keys. Stuff like that is always going to > > be out in the realm of vendor & product-policy-specific add-ons, but > > it should be possible to agree on at least the basic mechanics and > > expectations of a secure path without things like that. > > I also expect that going through the secure world will be pretty much transparent for > the kernel driver, as the most likely hardware implementations would enable > additional signaling that will get trapped and handled by the secure OS. I'm not > trying to simplify things, just taking the stance that it is userspace that is > coordinating all this, we're trying only to find a common ground on how to handle > this in the kernel. Yeah, makes sense. As a strawman, how about a new flag to drmPrimeHandleToFD() which sets the 'protected' flag on the resulting dmabuf? Cheers, Daniel