[mark.kettenis@xs4all.nl: Check your machdep.allowaperture setting]


Marc Espie-2
I think this is generic enough to belong on misc@
----- Forwarded message from Mark Kettenis <[hidden email]> -----

Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
From: Mark Kettenis <[hidden email]>
To: [hidden email]
Subject: Check your machdep.allowaperture setting

These days most OpenBSD users should have the machdep.allowaperture
sysctl set to 0 (the default).  Having it set to something else poses
security risks and can actually cause problems, in particular on
systems that have multiple GPUs where one of the GPUs is supported by
inteldrm(4) or radeondrm(4) and the other isn't.

You'll only need to set machdep.allowaperture to a non-zero value if
inteldrm(4) or radeondrm(4) doesn't attach on your machine and you
can't use efifb(4) either.

----- End forwarded message -----
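
One way to run the check described in the message above, as an added example that is not part of the original thread. The function names, the dmesg attach-line pattern and the file paths in the OpenBSD branch are assumptions of this sketch; treat the verdict as a heuristic.

```shell
#!/bin/sh
# Added example: audit machdep.allowaperture against the advice in the thread.

# Print the last machdep.allowaperture value set in a sysctl.conf-style
# file, or 0 (the default) if the file is missing or has no such line.
aperture_conf_value() {
    v=$(sed -e 's/#.*//' "$1" 2>/dev/null |
        awk -F= '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == "machdep.allowaperture" { v = $2 } END { print v }')
    echo "${v:-0}"
}

# Succeed if the dmesg file shows inteldrm(4), radeondrm(4) or efifb(4)
# attached with a unit number. "efifb at mainbus0 not configured" has no
# unit number and is deliberately not matched.
fb_driver_attached() {
    grep -Eq '^(inteldrm|radeondrm|efifb)[0-9]+ at ' "$1"
}

# Verdict for a sysctl.conf file ($1) and a dmesg file ($2):
#   ok           - aperture access is disabled (value 0)
#   unneeded     - non-zero, but a driver that makes it unnecessary attached
#   maybe-needed - non-zero and none of those drivers attached
audit_aperture() {
    val=$(aperture_conf_value "$1")
    if [ "$val" = 0 ]; then
        echo ok
    elif fb_driver_attached "$2"; then
        echo unneeded
    else
        echo maybe-needed
    fi
}

# On OpenBSD, report the running value and audit the boot-time config.
if [ "$(uname -s)" = OpenBSD ]; then
    echo "running value: $(sysctl -n machdep.allowaperture)"
    echo "verdict: $(audit_aperture /etc/sysctl.conf /var/run/dmesg.boot)"
fi
```
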


Re: [mark.kettenis@xs4all.nl: Check your machdep.allowaperture setting]

nothingness

On 12/06/2019 00:58, Marc Espie wrote:

> I think this is generic enough to belong on misc@
> ----- Forwarded message from Mark Kettenis <[hidden email]> -----
>
> Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
> From: Mark Kettenis <[hidden email]>
> To: [hidden email]
> Subject: Check your machdep.allowaperture setting
>
> These days most OpenBSD users should have the machdep.allowaperture
> sysctl set to 0 (the default).  Having it set to something else poses
> security risks and can actually cause problems, in particular on
> systems that have multiple GPUs where one of the GPUs is supported by
> inteldrm(4) or radeondrm(4) and the other isn't.
>
> You'll only need to set machdep.allowaperture to a non-zero value if
> inteldrm(4) or radeondrm(4) doesn't attach on your machine and you
> can't use efifb(4) either.
>
> ----- End forwarded message -----
>
Well if you need brightness settings on current intel gpus via
intel_backlight, it has to be set at 3 with no way around it. For
laptops you're in trouble I guess!


Re: [mark.kettenis@xs4all.nl: Check your machdep.allowaperture setting]

Stephane HUC "PengouinBSD"

Hi,

In the French documentation on obsd4a's wiki, I wrote:

"When to add this option?
When you see into xorg.log:
$ head /var/log/Xorg.0.log
[    33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
        (Operation not permitted)
        Check that you have set 'machdep.allowaperture=1'
        in /etc/sysctl.conf and reboot your machine
        refer to xf86(4) for details
(...)
"
Is it right?

You mention security risks and other problems.
Which?
Could you explain simply, please?


On 6/12/19 12:58 AM, Marc Espie wrote:

> I think this is generic enough to belong on misc@
> ----- Forwarded message from Mark Kettenis <[hidden email]> -----
>
> Date: Tue, 11 Jun 2019 19:54:04 +0200 (CEST)
> From: Mark Kettenis <[hidden email]>
> To: [hidden email]
> Subject: Check your machdep.allowaperture setting
>
> These days most OpenBSD users should have the machdep.allowaperture
> sysctl set to 0 (the default).  Having it set to something else
> poses security risks and can actually cause problems, in particular
> on systems that have multiple GPUs where one of the GPUs is
> supported by inteldrm(4) or radeondrm(4) and the other isn't.
>
> You'll only need to set machdep.allowaperture to a non-zero value
> if inteldrm(4) or radeondrm(4) doesn't attach on your machine and
> you can't use efifb(4) either.
>
> ----- End forwarded message -----
>


- --
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
- ----
<me>Stephane HUC as PengouinBSD or CIOTBSD</me>
<mail>[hidden email]</mail>


Re: [mark.kettenis@xs4all.nl: Check your machdep.allowaperture setting]

Marc Espie-2
On Wed, Jun 12, 2019 at 06:20:55PM +0200, Stephane HUC "PengouinBSD" wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> In the French documentation on obsd4a's wiki, I wrote:
>
> "When to add this option?
> When you see into xorg.log:
> $ head /var/log/Xorg.0.log
> [    33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
>         (Operation not permitted)
>         Check that you have set 'machdep.allowaperture=1'
>         in /etc/sysctl.conf and reboot your machine
>         refer to xf86(4) for details
> (...)
> "
> Is it right?
>
> You mention security risks and other problems.
> Which?
> Could you explain simply, please?

Well, duh.

allowaperture allows you to open the graphics device, which was the old
model prior to intel  graphics and more.

*if* X + inteldrm no longer needs the graphics device, it does not open
it.

... but it's still around.

... and allowaperture means some program could possibly still open it,
thus gaining low-level access to some part of the graphics card.

The attack surface of graphics hardware being huge, it's likely you can
still do harm through that backdoor.


Re: [mark.kettenis@xs4all.nl: Check your machdep.allowaperture setting]

Stephane HUC "PengouinBSD"



Hi, Marc.

Thanks for those explanations.

Is there a solution?

Especially when you have an arch Optimum GPU, where only the Intel GPU
works? (yes, I know nvidia is evil!)

On 6/13/19 10:55 AM, Marc Espie wrote:
> On Wed, Jun 12, 2019 at 06:20:55PM +0200, Stephane HUC "PengouinBSD" wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hi,
>>
>> In the French documentation on obsd4a's wiki, I wrote:
>>
>> "When to add this option?
>> When you see into xorg.log:
>> $ head /var/log/Xorg.0.log
>> [    33.839] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
>>         (Operation not permitted)
>>         Check that you have set 'machdep.allowaperture=1'
>>         in /etc/sysctl.conf and reboot your machine
>>         refer to xf86(4) for details
>> (...)
>> "
>> Is it right?
>>
>> You mention security risks and other problems.
>> Which?
>> Could you explain simply, please?
>
> Well, duh.
>
> allowaperture allows you to open the graphics device, which was the old
> model prior to intel graphics and more.
>
> *if* X + inteldrm no longer needs the graphics device, it does not open
> it.
>
> ... but it's still around.
>
> ... and allowaperture means some program could possibly still open it,
> thus gaining low-level access to some part of the graphics card.
>
> The attack surface of graphics hardware being huge, it's likely you can
> still do harm through that backdoor.

- --
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD "    +=<<<
- ----
<me>Stephane HUC as PengouinBSD or CIOTBSD</me>
<mail>[hidden email]</mail>