DRM Security David Herrmann <dh.herrmann@gmail.com> DRM - - PowerPoint PPT Presentation

drm security
SMART_READER_LITE
LIVE PREVIEW

DRM Security David Herrmann <dh.herrmann@gmail.com> DRM - - PowerPoint PPT Presentation

Feb 02, 2024 318 likes •583 views

DRM Security David Herrmann <dh.herrmann@gmail.com> DRM rendering mode-setting open(/dev/dri/card0, ...) (Dumb) Buffer Allocation ioctl(fd, DRM_IOCTL_MODE_CREATE_DUMB, &creq) mreq.handle = creq.handle; ioctl(fd,

slide-1
SLIDE 1

DRM Security

David Herrmann <dh.herrmann@gmail.com>

slide-2
SLIDE 2

DRM

rendering mode-setting

slide-3
SLIDE 3
  • pen(“/dev/dri/card0”, ...)
slide-4
SLIDE 4

(Dumb) Buffer Allocation

ioctl(fd, DRM_IOCTL_MODE_CREATE_DUMB, &creq) mreq.handle = creq.handle; ioctl(fd, DRM_IOCTL_MODE_MAP_DUMB, &mreq) mmap(fd, size, …, MAP_SHARED, …, mreq.offset)

slide-5
SLIDE 5

mmap-offsets are globally accessible

slide-6
SLIDE 6

for (i = 0; i < 0xffffffff; ++i) {

void *p = mmap(fd, …, i); if (p != MAP_FAILED)

break;

}

slide-7
SLIDE 7

for (i = 0; i < 0xffffffff; ++i) {

void *p = mmap(fd, …, i); if (p != MAP_FAILED)

break;

}

F I X E D

slide-8
SLIDE 8

ioctl(fd, DRM_IOCTL_MODE_CREATE_DUMB, &creq) mreq.handle = creq.handle; ioctl(fd, DRM_IOCTL_MODE_MAP_DUMB, &mreq) mmap(fd, size, …, MAP_SHARED, …, mreq.offset)

slide-9
SLIDE 9

Buffer Passing

lreq.handle = mreq.handle; ioctl(fd, DRM_IOCTL_GEM_FLINK, &lreq); send(somewhere, lreq.name, sizeof(lreq.name)); recv(somewhere, &oreq.name, sizeof(oreq.name)); ioctl(fd, DRM_IOCTL_GEM_OPEN, &oreq);

slide-10
SLIDE 10

for (i = 1; i < 0xffffffff; ++i) {

req.name = i; r = ioctl(fd, DRM_IOCTL_GEM_OPEN, &req); if (!r)

break;

}

slide-11
SLIDE 11

for (i = 1; i < 0xffffffff; ++i) {

req.name = i; r = ioctl(fd, DRM_IOCTL_GEM_OPEN, &req); if (!r)

break;

}

D E P R E C A T E D

slide-12
SLIDE 12

dma-buf

slide-13
SLIDE 13

req.handle = mreq.handle; ioctl(fd, DRM_IOCTL_PRIME_HANDLE_TO_FD, &req); send_unix_fd(somewhere, req.fd); recv_unix_fd(somewhere, &req.fd); ioctl(fd, DRM_IOCTL_PRIME_FD_TO_HANDLE, &req);

slide-14
SLIDE 14

DRM Authentication

  • pen(“/dev/dri/card0”, …);
slide-15
SLIDE 15

ioctl(fd, DRM_IOCTL_GET_MAGIC, &magic); send(somewhere, &magic, sizeof(magic)); recv(somewhere, &magic, sizeof(magic)); ioctl(fd, DRM_IOCTL_AUTH_MAGIC, &magic);

slide-16
SLIDE 16

ioctl(fd, DRM_IOCTL_GET_MAGIC, &magic); send(somewhere, &magic, sizeof(magic)); recv(somewhere, &magic, sizeof(magic)); ioctl(fd, DRM_IOCTL_AUTH_MAGIC, &magic);

O B S O L E T E

slide-17
SLIDE 17

Access-Management is done via file-system modes!

slide-18
SLIDE 18

There is a reason FD-passing is call SCM_RIGHTS

slide-19
SLIDE 19
  • pen(“/dev/dri/renderD128”, …);
slide-20
SLIDE 20

Render Nodes

  • No GEM_FLINK
  • No DRM AUTH/MAGIC
  • No Mode-setting
  • No global resources
  • No legacy DRM API
  • No DRM-Master
slide-21
SLIDE 21

OpenGL with Render-Nodes

fd = open(“/dev/dri/renderD128”, …); dev = gbm_create_device(fd); disp = eglGetDisplay(dev); eglInitialize(disp, major, minor); eglBindAPI(EGL_OPENGL_API); eglChooseConfig(disp, …, &conf); ctx = eglCreateContext(disp, conf, 0, &attrs); eglMakeCurrent(disp, 0, 0, ctx);

slide-22
SLIDE 22

surf = gbm_surface_create(dev, … attrs ...); wnd = eglCreateWindowSurface(disp, conf, surf, …); eglMakeCurrent(disp, wnd, wnd, ctx);

slide-23
SLIDE 23

DRM Master

slide-24
SLIDE 24
  • acquire DRM-Master:

– open()

  • r

– drmSetMaster()

  • drop DRM-Master

– close()

  • r

– drmDropMaster()

slide-25
SLIDE 25
  • acquire DRM-Master:

– open()

  • r

– drmSetMaster()

  • drop DRM-Master

– close()

  • r

– drmDropMaster()

R O O T O N L Y R O O T O N L Y