+static int install_seccomp_filter(void)
+{
+ struct sock_filter filter[] = {
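+ /* Classic BPF conditional jumps are relative: jt/jf give the number of
+ * following instructions to skip, so every syscall match below jumps
+ * straight to the final SECCOMP_RET_ALLOW statement, while a non-match
+ * falls through to the next check and eventually to SECCOMP_RET_ERRNO.
+ */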
+ /* Check arch is 64bit x86 */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 12),
+
+ /* Allow the select family of syscalls, needed by radv_sc_read() for timeouts */
+ #if defined __NR__newselect
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR__newselect, 11, 0),
+ #elif defined __NR_select
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_select, 11, 0),
+ #else
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_pselect6, 11, 0),
+ #endif
+
+ /* Allow system exit calls for the forked process */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_exit_group, 9, 0),
+
+ /* Allow system read calls */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_read, 7, 0),
+
+ /* Allow system write calls */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_write, 5, 0),
+
+ /* Allow system brk calls (we need this for malloc) */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_brk, 3, 0),
+
+ /* Futex is required for mutex locks */
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_futex, 1, 0),
+
+ /* Return error if we hit a system call not on the whitelist */
+ BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
+
+ /* Allow whitelisted system calls */
+ BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+ struct sock_fprog prog = {
+ .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+ .filter = filter,
+ };
+
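+ /* PR_SET_NO_NEW_PRIVS must be set before an unprivileged process (one
+ * without CAP_SYS_ADMIN) is allowed to install a seccomp filter.
+ */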
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ return -1;
+
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
+ return -1;
+
+ return 0;
+}
+
+/* Helper function with timeout support for reading from the pipes and FIFOs
+ * used to communicate between the secure compile processes.
+ */
+bool radv_sc_read(int fd, void *buf, size_t size, bool timeout)
+{
+ fd_set fds;
+ struct timeval tv;
+
+ FD_ZERO(&fds);
+ FD_SET(fd, &fds);
+
+ while (true) {
+ /* We can't rely on the value of tv after calling select() so
+ * we must reset it on each iteration of the loop.
+ */
+ tv.tv_sec = 5;
+ tv.tv_usec = 0;
+
+ int rval = select(fd + 1, &fds, NULL, NULL, timeout ? &tv : NULL);
+
+ if (rval == -1) {
+ /* select error */
+ return false;
+ } else if (rval) {
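+ /* read() may return fewer bytes than requested on a pipe, so keep
+ * looping until the whole payload has arrived.
+ */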
+ ssize_t bytes_read = read(fd, buf, size);
+ /* Treat EOF (the other side closed its end) as a failure too,
+ * otherwise we would spin here forever.
+ */
+ if (bytes_read <= 0)
+ return false;
+
+ buf = (char *)buf + bytes_read;
+ size -= bytes_read;
+ if (size == 0)
+ return true;
+ } else {
+ /* select timeout */
+ return false;
+ }
+ }
+}
+
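+/* Walk /proc/self/fd and close every descriptor inherited from the parent,
+ * except those listed in keep_fds.
+ */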
+static bool radv_close_all_fds(const int *keep_fds, int keep_fd_count)
+{
+ DIR *d;
+ struct dirent *dir;
+ d = opendir("/proc/self/fd");
+ if (!d)
+ return false;
+ int dir_fd = dirfd(d);
+
+ while ((dir = readdir(d)) != NULL) {
+ if (dir->d_name[0] == '.')
+ continue;
+
+ int fd = atoi(dir->d_name);
+ if (fd == dir_fd)
+ continue;
+
+ bool keep = false;
+ for (int i = 0; !keep && i < keep_fd_count; ++i)
+ if (keep_fds[i] == fd)
+ keep = true;
+
+ if (keep)
+ continue;
+
+ close(fd);
+ }
+ closedir(d);
+ return true;
+}
+
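+/* Create (when make_fifo is set) and open the pair of named pipes in /tmp
+ * that a secure compile process and the application process use to exchange
+ * compile requests and results.
+ */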
+static bool secure_compile_open_fifo_fds(struct radv_secure_compile_state *sc,
+ int *fd_server, int *fd_client,
+ unsigned process, bool make_fifo)
+{
+ bool result = false;
+ char *fifo_server_path = NULL;
+ char *fifo_client_path = NULL;
+
+ if (asprintf(&fifo_server_path, "/tmp/radv_server_%s_%u", sc->uid, process) == -1)
+ goto open_fifo_exit;
+
+ if (asprintf(&fifo_client_path, "/tmp/radv_client_%s_%u", sc->uid, process) == -1)
+ goto open_fifo_exit;
+
+ if (make_fifo) {
+ int file1 = mkfifo(fifo_server_path, 0666);
+ if (file1 < 0)
+ goto open_fifo_exit;
+
+ int file2 = mkfifo(fifo_client_path, 0666);
+ if (file2 < 0)
+ goto open_fifo_exit;
+ }
+
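+ /* On Linux, opening a FIFO with O_RDWR succeeds without blocking, so we
+ * don't have to wait for the other process to open its end first.
+ */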
+ *fd_server = open(fifo_server_path, O_RDWR);
+ if (*fd_server < 0)
+ goto open_fifo_exit;
+
+ *fd_client = open(fifo_client_path, O_RDWR);
+ if (*fd_client < 0) {
+ close(*fd_server);
+ goto open_fifo_exit;
+ }
+
+ result = true;
+
+open_fifo_exit:
+ free(fifo_server_path);
+ free(fifo_client_path);
+
+ return result;
+}
+
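+/* Main body of a forked secure compile process: lock the process down with
+ * seccomp, then receive pipeline state over the FIFOs, compile the shaders
+ * with radv_create_shaders() and report completion.
+ */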
+static void run_secure_compile_device(struct radv_device *device, unsigned process,
+ int fd_idle_device_output)
+{
+ int fd_secure_input;
+ int fd_secure_output;
+ bool fifo_result = secure_compile_open_fifo_fds(device->sc_state,
+ &fd_secure_input,
+ &fd_secure_output,
+ process, false);
+
+ enum radv_secure_compile_type sc_type;
+
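+ /* Close every descriptor inherited from the parent except the
+ * communication fds, then install the seccomp filter before touching any
+ * untrusted input.
+ */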
+ const int needed_fds[] = {
+ fd_secure_input,
+ fd_secure_output,
+ fd_idle_device_output,
+ };
+
+ if (!fifo_result || !radv_close_all_fds(needed_fds, ARRAY_SIZE(needed_fds)) ||
+ install_seccomp_filter() == -1) {
+ sc_type = RADV_SC_TYPE_INIT_FAILURE;
+ } else {
+ sc_type = RADV_SC_TYPE_INIT_SUCCESS;
+ device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input;
+ device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output;
+ }
+
+ write(fd_idle_device_output, &sc_type, sizeof(sc_type));
+
+ if (sc_type == RADV_SC_TYPE_INIT_FAILURE)
+ goto secure_compile_exit;
+
+ while (true) {
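+ /* Block on the secure input FIFO until the application either sends a
+ * pipeline to compile or asks this process to shut down.
+ */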
+ radv_sc_read(fd_secure_input, &sc_type, sizeof(sc_type), false);
+
+ if (sc_type == RADV_SC_TYPE_COMPILE_PIPELINE) {
+ struct radv_pipeline *pipeline;
+ bool sc_read = true;
+
+ pipeline = vk_zalloc2(&device->alloc, NULL, sizeof(*pipeline), 8,
+ VK_SYSTEM_ALLOCATION_SCOPE_OBJECT);
+
+ pipeline->device = device;
+
+ /* Read pipeline layout */
+ struct radv_pipeline_layout layout;
+ sc_read = radv_sc_read(fd_secure_input, &layout, sizeof(struct radv_pipeline_layout), true);
+ sc_read &= radv_sc_read(fd_secure_input, &layout.num_sets, sizeof(uint32_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ for (uint32_t set = 0; set < layout.num_sets; set++) {
+ uint32_t layout_size;
+ sc_read &= radv_sc_read(fd_secure_input, &layout_size, sizeof(uint32_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ layout.set[set].layout = malloc(layout_size);
+ layout.set[set].layout->layout_size = layout_size;
+ sc_read &= radv_sc_read(fd_secure_input, layout.set[set].layout,
+ layout.set[set].layout->layout_size, true);
+ }
+
+ pipeline->layout = &layout;
+
+ /* Read pipeline key */
+ struct radv_pipeline_key key;
+ sc_read &= radv_sc_read(fd_secure_input, &key, sizeof(struct radv_pipeline_key), true);
+
+ /* Read pipeline create flags */
+ VkPipelineCreateFlags flags;
+ sc_read &= radv_sc_read(fd_secure_input, &flags, sizeof(VkPipelineCreateFlags), true);
+
+ /* Read stage and shader information */
+ uint32_t num_stages;
+ const VkPipelineShaderStageCreateInfo *pStages[MESA_SHADER_STAGES] = { 0, };
+ sc_read &= radv_sc_read(fd_secure_input, &num_stages, sizeof(uint32_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ for (uint32_t i = 0; i < num_stages; i++) {
+
+ /* Read stage */
+ gl_shader_stage stage;
+ sc_read &= radv_sc_read(fd_secure_input, &stage, sizeof(gl_shader_stage), true);
+
+ VkPipelineShaderStageCreateInfo *pStage = calloc(1, sizeof(VkPipelineShaderStageCreateInfo));
+
+ /* Read entry point name */
+ size_t name_size;
+ sc_read &= radv_sc_read(fd_secure_input, &name_size, sizeof(size_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ char *ep_name = malloc(name_size);
+ sc_read &= radv_sc_read(fd_secure_input, ep_name, name_size, true);
+ pStage->pName = ep_name;
+
+ /* Read shader module */
+ size_t module_size;
+ sc_read &= radv_sc_read(fd_secure_input, &module_size, sizeof(size_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ struct radv_shader_module *module = malloc(module_size);
+ sc_read &= radv_sc_read(fd_secure_input, module, module_size, true);
+ pStage->module = radv_shader_module_to_handle(module);
+
+ /* Read specialization info */
+ bool has_spec_info;
+ sc_read &= radv_sc_read(fd_secure_input, &has_spec_info, sizeof(bool), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ if (has_spec_info) {
+ VkSpecializationInfo *specInfo = malloc(sizeof(VkSpecializationInfo));
+ pStage->pSpecializationInfo = specInfo;
+
+ sc_read &= radv_sc_read(fd_secure_input, &specInfo->dataSize, sizeof(size_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ void *si_data = malloc(specInfo->dataSize);
+ sc_read &= radv_sc_read(fd_secure_input, si_data, specInfo->dataSize, true);
+ specInfo->pData = si_data;
+
+ sc_read &= radv_sc_read(fd_secure_input, &specInfo->mapEntryCount, sizeof(uint32_t), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+
+ VkSpecializationMapEntry *mapEntries = malloc(sizeof(VkSpecializationMapEntry) * specInfo->mapEntryCount);
+ for (uint32_t j = 0; j < specInfo->mapEntryCount; j++) {
+ sc_read &= radv_sc_read(fd_secure_input, &mapEntries[j], sizeof(VkSpecializationMapEntry), true);
+ if (!sc_read)
+ goto secure_compile_exit;
+ }
+
+ specInfo->pMapEntries = mapEntries;
+ }
+
+ pStages[stage] = pStage;
+ }
+
+ /* Compile the shaders */
+ VkPipelineCreationFeedbackEXT *stage_feedbacks[MESA_SHADER_STAGES] = { 0 };
+ radv_create_shaders(pipeline, device, NULL, &key, pStages, flags, NULL, stage_feedbacks);
+
+ /* free memory allocated above */
+ for (uint32_t set = 0; set < layout.num_sets; set++)
+ free(layout.set[set].layout);
+
+ for (uint32_t i = 0; i < MESA_SHADER_STAGES; i++) {
+ if (!pStages[i])
+ continue;
+
+ free((void *) pStages[i]->pName);
+ free(radv_shader_module_from_handle(pStages[i]->module));
+ if (pStages[i]->pSpecializationInfo) {
+ free((void *) pStages[i]->pSpecializationInfo->pData);
+ free((void *) pStages[i]->pSpecializationInfo->pMapEntries);
+ free((void *) pStages[i]->pSpecializationInfo);
+ }
+ free((void *) pStages[i]);
+ }
+
+ vk_free(&device->alloc, pipeline);
+
+ sc_type = RADV_SC_TYPE_COMPILE_PIPELINE_FINISHED;
+ write(fd_secure_output, &sc_type, sizeof(sc_type));
+
+ } else if (sc_type == RADV_SC_TYPE_DESTROY_DEVICE) {
+ goto secure_compile_exit;
+ }
+ }
+
+secure_compile_exit:
+ close(fd_secure_input);
+ close(fd_secure_output);
+ close(fd_idle_device_output);
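+ /* Use _exit() so the forked child does not run the parent's atexit()
+ * handlers or flush its stdio buffers.
+ */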
+ _exit(0);
+}
+
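+/* Fork a secure compile process off the idle device and wait for it to
+ * report whether its sandbox setup (fd cleanup and seccomp) succeeded.
+ */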
+static enum radv_secure_compile_type fork_secure_compile_device(struct radv_device *device, unsigned process)
+{
+ int fd_secure_input[2];
+ int fd_secure_output[2];
+
+ /* create pipe descriptors (used to communicate between processes) */
+ if (pipe(fd_secure_input) == -1 || pipe(fd_secure_output) == -1)
+ return RADV_SC_TYPE_INIT_FAILURE;
+
+
+ int sc_pid;
+ if ((sc_pid = fork()) == 0) {
+ device->sc_state->secure_compile_thread_counter = process;
+ run_secure_compile_device(device, process, fd_secure_output[1]);
+ } else {
+ if (sc_pid == -1)
+ return RADV_SC_TYPE_INIT_FAILURE;
+
+ /* Read the init result returned from the secure process */
+ enum radv_secure_compile_type sc_type;
+ bool sc_read = radv_sc_read(fd_secure_output[0], &sc_type, sizeof(sc_type), true);
+
+ if (!sc_read || sc_type == RADV_SC_TYPE_INIT_FAILURE) {
+ close(fd_secure_input[0]);
+ close(fd_secure_input[1]);
+ close(fd_secure_output[1]);
+ close(fd_secure_output[0]);
+ int status;
+ waitpid(sc_pid, &status, 0);
+
+ return RADV_SC_TYPE_INIT_FAILURE;
+ } else {
+ assert(sc_type == RADV_SC_TYPE_INIT_SUCCESS);
+ write(device->sc_state->secure_compile_processes[process].fd_secure_output, &sc_type, sizeof(sc_type));
+
+ close(fd_secure_input[0]);
+ close(fd_secure_input[1]);
+ close(fd_secure_output[1]);
+ close(fd_secure_output[0]);
+
+ int status;
+ waitpid(sc_pid, &status, 0);
+ }
+ }
+
+ return RADV_SC_TYPE_INIT_SUCCESS;
+}
+
+/* Run a bare-bones fork of the device that was forked right after device
+ * creation. Because this process carries almost no state, forking it again
+ * before each pipeline compilation is cheap. It sits idle and its only job
+ * is to fork itself.
+ */
+static void run_secure_compile_idle_device(struct radv_device *device, unsigned process,
+ int fd_secure_input, int fd_secure_output)
+{
+ enum radv_secure_compile_type sc_type = RADV_SC_TYPE_INIT_SUCCESS;
+ device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input;
+ device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output;
+
+ write(fd_secure_output, &sc_type, sizeof(sc_type));
+
+ while (true) {
+ radv_sc_read(fd_secure_input, &sc_type, sizeof(sc_type), false);
+
+ if (sc_type == RADV_SC_TYPE_FORK_DEVICE) {
+ sc_type = fork_secure_compile_device(device, process);
+
+ if (sc_type == RADV_SC_TYPE_INIT_FAILURE)
+ goto secure_compile_exit;
+
+ } else if (sc_type == RADV_SC_TYPE_DESTROY_DEVICE) {
+ goto secure_compile_exit;
+ }
+ }
+
+secure_compile_exit:
+ close(fd_secure_input);
+ close(fd_secure_output);
+ _exit(0);
+}
+
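+/* Ask a secure compile process to exit, close our ends of its communication
+ * fds and reap the child.
+ */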
+static void destroy_secure_compile_device(struct radv_device *device, unsigned process)
+{
+ int fd_secure_input = device->sc_state->secure_compile_processes[process].fd_secure_input;
+
+ enum radv_secure_compile_type sc_type = RADV_SC_TYPE_DESTROY_DEVICE;
+ write(fd_secure_input, &sc_type, sizeof(sc_type));
+
+ close(device->sc_state->secure_compile_processes[process].fd_secure_input);
+ close(device->sc_state->secure_compile_processes[process].fd_secure_output);
+
+ int status;
+ waitpid(device->sc_state->secure_compile_processes[process].sc_pid, &status, 0);
+}
+
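+/* Allocate the secure compile state and fork one idle compile device per
+ * requested secure compile thread, then wait for each to report that it
+ * started up successfully.
+ */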
+static VkResult fork_secure_compile_idle_device(struct radv_device *device)
+{
+ device->sc_state = vk_zalloc(&device->alloc,
+ sizeof(struct radv_secure_compile_state),
+ 8, VK_SYSTEM_ALLOCATION_SCOPE_DEVICE);
+
+ mtx_init(&device->sc_state->secure_compile_mutex, mtx_plain);
+
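+ /* Build a unique id from our pid and the current time; it gives this
+ * device's FIFOs in /tmp distinct names.
+ */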
+ pid_t upid = getpid();
+ time_t seconds = time(NULL);
+
+ char *uid;
+ if (asprintf(&uid, "%ld_%ld", (long) upid, (long) seconds) == -1)
+ return VK_ERROR_INITIALIZATION_FAILED;
+
+ device->sc_state->uid = uid;
+
+ uint8_t sc_threads = device->instance->num_sc_threads;
+ int fd_secure_input[MAX_SC_PROCS][2];
+ int fd_secure_output[MAX_SC_PROCS][2];
+
+ /* create pipe descriptors (used to communicate between processes) */
+ for (unsigned i = 0; i < sc_threads; i++) {
+ if (pipe(fd_secure_input[i]) == -1 ||
+ pipe(fd_secure_output[i]) == -1) {
+ return VK_ERROR_INITIALIZATION_FAILED;
+ }
+ }
+
+ device->sc_state->secure_compile_processes = vk_zalloc(&device->alloc,
+ sizeof(struct radv_secure_compile_process) * sc_threads, 8,
+ VK_SYSTEM_ALLOCATION_SCOPE_DEVICE);
+
+ for (unsigned process = 0; process < sc_threads; process++) {
+ if ((device->sc_state->secure_compile_processes[process].sc_pid = fork()) == 0) {
+ device->sc_state->secure_compile_thread_counter = process;
+ run_secure_compile_idle_device(device, process, fd_secure_input[process][0], fd_secure_output[process][1]);
+ } else {
+ if (device->sc_state->secure_compile_processes[process].sc_pid == -1)
+ return VK_ERROR_INITIALIZATION_FAILED;
+
+ /* Read the init result returned from the secure process */
+ enum radv_secure_compile_type sc_type;
+ bool sc_read = radv_sc_read(fd_secure_output[process][0], &sc_type, sizeof(sc_type), true);
+
+ bool fifo_result = false;
+ if (sc_read && sc_type == RADV_SC_TYPE_INIT_SUCCESS) {
+ fifo_result = secure_compile_open_fifo_fds(device->sc_state,
+ &device->sc_state->secure_compile_processes[process].fd_server,
+ &device->sc_state->secure_compile_processes[process].fd_client,
+ process, true);
+
+ device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input[process][1];
+ device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output[process][0];
+ }
+
+ if (!sc_read || sc_type == RADV_SC_TYPE_INIT_FAILURE || !fifo_result) {
+ close(fd_secure_input[process][0]);
+ close(fd_secure_input[process][1]);
+ close(fd_secure_output[process][1]);
+ close(fd_secure_output[process][0]);
+ int status;
+ waitpid(device->sc_state->secure_compile_processes[process].sc_pid, &status, 0);
+
+ /* Destroy any forks that were created successfully */
+ for (unsigned i = 0; i < process; i++) {
+ destroy_secure_compile_device(device, i);
+ }
+
+ return VK_ERROR_INITIALIZATION_FAILED;
+ }
+ }
+ }
+ return VK_SUCCESS;
+}
+
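+/* Initialise a condition variable that uses CLOCK_MONOTONIC for its timed
+ * waits, so they are not affected by wall-clock adjustments.
+ */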
+static VkResult
+radv_create_pthread_cond(pthread_cond_t *cond)
+{
+ pthread_condattr_t condattr;
+ if (pthread_condattr_init(&condattr)) {
+ return VK_ERROR_INITIALIZATION_FAILED;
+ }
+
+ if (pthread_condattr_setclock(&condattr, CLOCK_MONOTONIC)) {
+ pthread_condattr_destroy(&condattr);
+ return VK_ERROR_INITIALIZATION_FAILED;
+ }
+ if (pthread_cond_init(cond, &condattr)) {
+ pthread_condattr_destroy(&condattr);
+ return VK_ERROR_INITIALIZATION_FAILED;
+ }
+ pthread_condattr_destroy(&condattr);
+ return VK_SUCCESS;
+}
+