Subject: Re: Why not track our xsrc with X11R6.6 from X.org?
To: None <current-users@netbsd.org>
From: Charles Shannon Hendrix <shannon@widomaker.com>
List: current-users
Date: 07/19/2001 00:20:22
On Wed, Jul 18, 2001 at 06:56:52PM -0400, Thor Lancelot Simon wrote:
> On Thu, Jul 19, 2001 at 08:36:43AM +1000, Andrew van der Stock wrote:
> > Greg,
> > 
> > The only bit of code that is relatively awful as it relates to IBM's
> > original decisions in 1980 or thereabouts is the bit that takes a card from
> > being mapped as a "VGA" card via I/O ports to being accessible via full
> > linear memory mapping. To get it from one to the other is the work of about
> 
> Allowing memory mapping of the framebuffer is no big deal.  Requiring that
> the host system allow *arbitrary memory mappings* in order to allow this
> to succeed -- that's a big deal.  It totally destroys the Unix security
> model.

Agreed, but right now there is no abstraction across all the platforms
that XFree supports that will let them get the job done, and do so
safely. That's not their fault, it's the fault of the OS teams, if we
are to blame anyone at all.

I suppose they could write that code themselves, but then that's really
not their job. XFree should provide the server and the card drivers, all
of which should be able to count on a device abstraction, ideally common
across all platforms.

I remember about 6 years ago when things like the GGI project started, I
thought all of this would be a moot point by now.

> Worse, because the device registers are mapped, too, and many of these
> devices can DMA to/from arbitrary addresses, even if the kernel provided
> a framebuffer handle this approach would *still* leave you totally hosed.

How would an X program cause this to happen, even a malicious one? I
mean outside of something like direct rendering?  What would it
take for an OpenGL or X program to cause this?

> The problem with what the XFree86 architecture puts in userland as
> opposed to the kernel is that it guarantees that you can't have X and
> have any meaningful kind of security at the same time.  

I have meaningful security and X.  

> Bear in mind that on most _modern_ Unix systems, there's an effort to ensure
> that even a rogue process running as root can be prevented from doing
> lasting damage to the system; XFree sidesteps all of that.

Off-topic, but the effort is pretty weak so far. You can cripple an
enterprise-class Sun server with vi on a large file, let alone a monster
bug-beast like Seagate Reports. I can kill NetBSD with nothing more than
a stream of sendmail startups.

> Contrary to what's been said earlier in this thread, there *have* been
> reasonable interfaces between the kernel and X server implemented in
> X11 in the past, with reasonable performance and without the security
> problems of the XFree86 approach; the most obvious example is probably
> what DEC did in Ultrix and, I believe, in OSF/1.  I realize that the
> incredible variety of hardware that XFree86 supports makes this difficult
> if not downright impractical, but it's silly to pretend that it's never
> been done.

I don't think I'm arguing that this has never happened. What I said was
that the separation of X server and graphics driver never happened in
most systems. The X server I ran on my DEC servers on DEC UNIX 3.x and
4.x around 1996-1998 was monolithic. The kernel driver did provide
abstraction to the hardware, but most of the graphics driver proper was
in the X server or a module... I can't remember right now if DEC UNIX
had separate loadable modules for different graphics cards or not;
it's been 4 years since I had a DEC workstation.

The major change in XFree 4.x is to remove the drivers from the X
server, which I see as a GoodThing(TM). It's a necessary step if you
want to get to the abstraction that workstation vendors have had, and
make it work on all the platforms (workstations included) that XFree
supports.

As far as I see, the 4.x series is just the first step in a larger plan.

> People will complain about this so long as they'd like to have X and
> reasonable security at the same time.  It's really not right to yell at
> them for wanting that (though the way some of them have expressed their
> desire in this thread isn't exactly great, either).

It's really OK in a way, because people often tell the truth or rather
more of it when they are passionate about it. But some people do
obviously have ideas that won't serve all users, and that's the target
that XFree has. They can't just make Shannon, Greg, or Thor happy and
be done with it, they have to cater to a large base of users, many
different systems, and applications that range from terminal emulators
to video editing to complex OpenGL displays.

This is not easy work, and none of us have paid for it unless you just
happened to be generous and make a donation.

Does anyone really feel that the 4.x server is not a step in the right
direction? I don't see how we can get to non-setuid root X servers and
workstation-like benefits without this interim step.

I don't really think the kernel graphics drivers in *BSD or Linux are
really ready for the move yet, do any of you?


-- 
UNIX/Perl/C/Pizza__________________________________shannon@widomaker.com