From: Samuel Pitoiset Date: Sun, 12 Jul 2020 11:59:14 +0000 (+0200) Subject: radv: remove the secure compile support feature X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=7324977e420260cea0627e3381a9f3ae4e62af0f;p=mesa.git radv: remove the secure compile support feature Steam was the only client of this feature and it seems no longer used. Signed-off-by: Samuel Pitoiset Reviewed-by: Bas Nieuwenhuizen Part-of: --- diff --git a/docs/envvars.rst b/docs/envvars.rst index 372a329e63a..de6d4960b7a 100644 --- a/docs/envvars.rst +++ b/docs/envvars.rst @@ -588,8 +588,6 @@ RADV driver environment variables ``tccompatcmask`` enable TC-compat cmask for MSAA images -``RADV_SECURE_COMPILE_THREADS`` - maximum number of secure compile threads (up to 32) ``RADV_TEX_ANISO`` force anisotropy filter (up to 16) ``RADV_TRACE_FILE`` diff --git a/src/amd/vulkan/radv_device.c b/src/amd/vulkan/radv_device.c index 58299a0e0e4..71ce12fb306 100644 --- a/src/amd/vulkan/radv_device.c +++ b/src/amd/vulkan/radv_device.c @@ -643,19 +643,9 @@ VkResult radv_CreateInstance( if (instance->apiVersion == 0) instance->apiVersion = VK_API_VERSION_1_0; - /* Get secure compile thread count. NOTE: We cap this at 32 */ -#define MAX_SC_PROCS 32 - char *num_sc_threads = getenv("RADV_SECURE_COMPILE_THREADS"); - if (num_sc_threads) - instance->num_sc_threads = MIN2(strtoul(num_sc_threads, NULL, 10), MAX_SC_PROCS); - instance->debug_flags = parse_debug_string(getenv("RADV_DEBUG"), radv_debug_options); - /* Disable memory cache when secure compile is set */ - if (radv_device_use_secure_compile(instance)) - instance->debug_flags |= RADV_DEBUG_NO_MEMORY_CACHE; - instance->perftest_flags = parse_debug_string(getenv("RADV_PERFTEST"), radv_perftest_options); 
@@ -2372,537 +2362,6 @@ radv_get_int_debug_option(const char *name, int default_value) return result; } -static int install_seccomp_filter() { - - struct sock_filter filter[] = { - /* Check arch is 64bit x86 */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 12), - - /* Futex is required for mutex locks */ - #if defined __NR__newselect - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR__newselect, 11, 0), - #elif defined __NR_select - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_select, 11, 0), - #else - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_pselect6, 11, 0), - #endif - - /* Allow system exit calls for the forked process */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_exit_group, 9, 0), - - /* Allow system read calls */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_read, 7, 0), - - /* Allow system write calls */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_write, 5, 0), - - /* Allow system brk calls (we need this for malloc) */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_brk, 3, 0), - - /* Futex is required for mutex locks */ - BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))), - BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_futex, 1, 0), - - /* Return error if we hit a system call not on the whitelist */ - BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)), - - /* Allow whitelisted system calls */ - BPF_STMT(BPF_RET + BPF_K, 
SECCOMP_RET_ALLOW), - }; - - struct sock_fprog prog = { - .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), - .filter = filter, - }; - - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) - return -1; - - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) - return -1; - - return 0; -} - -/* Helper function with timeout support for reading from the pipe between - * processes used for secure compile. - */ -bool radv_sc_read(int fd, void *buf, size_t size, bool timeout) -{ - fd_set fds; - struct timeval tv; - - FD_ZERO(&fds); - FD_SET(fd, &fds); - - while (true) { - /* We can't rely on the value of tv after calling select() so - * we must reset it on each iteration of the loop. - */ - tv.tv_sec = 5; - tv.tv_usec = 0; - - int rval = select(fd + 1, &fds, NULL, NULL, timeout ? &tv : NULL); - - if (rval == -1) { - /* select error */ - return false; - } else if (rval) { - ssize_t bytes_read = read(fd, buf, size); - if (bytes_read < 0) - return false; - - buf += bytes_read; - size -= bytes_read; - if (size == 0) - return true; - } else { - /* select timeout */ - return false; - } - } -} - -static bool radv_close_all_fds(const int *keep_fds, int keep_fd_count) -{ - DIR *d; - struct dirent *dir; - d = opendir("/proc/self/fd"); - if (!d) - return false; - int dir_fd = dirfd(d); - - while ((dir = readdir(d)) != NULL) { - if (dir->d_name[0] == '.') - continue; - - int fd = atoi(dir->d_name); - if (fd == dir_fd) - continue; - - bool keep = false; - for (int i = 0; !keep && i < keep_fd_count; ++i) - if (keep_fds[i] == fd) - keep = true; - - if (keep) - continue; - - close(fd); - } - closedir(d); - return true; -} - -static bool secure_compile_open_fifo_fds(struct radv_secure_compile_state *sc, - int *fd_server, int *fd_client, - unsigned process, bool make_fifo) -{ - bool result = false; - char *fifo_server_path = NULL; - char *fifo_client_path = NULL; - - if (asprintf(&fifo_server_path, "/tmp/radv_server_%s_%u", sc->uid, process) == -1) - goto open_fifo_exit; - - if 
(asprintf(&fifo_client_path, "/tmp/radv_client_%s_%u", sc->uid, process) == -1) - goto open_fifo_exit; - - if (make_fifo) { - int file1 = mkfifo(fifo_server_path, 0666); - if(file1 < 0) - goto open_fifo_exit; - - int file2 = mkfifo(fifo_client_path, 0666); - if(file2 < 0) - goto open_fifo_exit; - } - - *fd_server = open(fifo_server_path, O_RDWR); - if(*fd_server < 1) - goto open_fifo_exit; - - *fd_client = open(fifo_client_path, O_RDWR); - if(*fd_client < 1) { - close(*fd_server); - goto open_fifo_exit; - } - - result = true; - -open_fifo_exit: - free(fifo_server_path); - free(fifo_client_path); - - return result; -} - -static void run_secure_compile_device(struct radv_device *device, unsigned process, - int fd_idle_device_output) -{ - int fd_secure_input; - int fd_secure_output; - bool fifo_result = secure_compile_open_fifo_fds(device->sc_state, - &fd_secure_input, - &fd_secure_output, - process, false); - - enum radv_secure_compile_type sc_type; - - const int needed_fds[] = { - fd_secure_input, - fd_secure_output, - fd_idle_device_output, - }; - - if (!fifo_result || !radv_close_all_fds(needed_fds, ARRAY_SIZE(needed_fds)) || - install_seccomp_filter() == -1) { - sc_type = RADV_SC_TYPE_INIT_FAILURE; - } else { - sc_type = RADV_SC_TYPE_INIT_SUCCESS; - device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input; - device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output; - } - - write(fd_idle_device_output, &sc_type, sizeof(sc_type)); - - if (sc_type == RADV_SC_TYPE_INIT_FAILURE) - goto secure_compile_exit; - - while (true) { - radv_sc_read(fd_secure_input, &sc_type, sizeof(sc_type), false); - - if (sc_type == RADV_SC_TYPE_COMPILE_PIPELINE) { - struct radv_pipeline *pipeline; - bool sc_read = true; - - pipeline = vk_zalloc2(&device->vk.alloc, NULL, sizeof(*pipeline), 8, - VK_SYSTEM_ALLOCATION_SCOPE_OBJECT); - - pipeline->device = device; - - /* Read pipeline layout */ - struct radv_pipeline_layout layout; - 
sc_read = radv_sc_read(fd_secure_input, &layout, sizeof(struct radv_pipeline_layout), true); - sc_read &= radv_sc_read(fd_secure_input, &layout.num_sets, sizeof(uint32_t), true); - if (!sc_read) - goto secure_compile_exit; - - for (uint32_t set = 0; set < layout.num_sets; set++) { - uint32_t layout_size; - sc_read &= radv_sc_read(fd_secure_input, &layout_size, sizeof(uint32_t), true); - if (!sc_read) - goto secure_compile_exit; - - layout.set[set].layout = malloc(layout_size); - layout.set[set].layout->layout_size = layout_size; - sc_read &= radv_sc_read(fd_secure_input, layout.set[set].layout, - layout.set[set].layout->layout_size, true); - } - - pipeline->layout = &layout; - - /* Read pipeline key */ - struct radv_pipeline_key key; - sc_read &= radv_sc_read(fd_secure_input, &key, sizeof(struct radv_pipeline_key), true); - - /* Read pipeline create flags */ - VkPipelineCreateFlags flags; - sc_read &= radv_sc_read(fd_secure_input, &flags, sizeof(VkPipelineCreateFlags), true); - - /* Read stage and shader information */ - uint32_t num_stages; - const VkPipelineShaderStageCreateInfo *pStages[MESA_SHADER_STAGES] = { 0, }; - sc_read &= radv_sc_read(fd_secure_input, &num_stages, sizeof(uint32_t), true); - if (!sc_read) - goto secure_compile_exit; - - for (uint32_t i = 0; i < num_stages; i++) { - - /* Read stage */ - gl_shader_stage stage; - sc_read &= radv_sc_read(fd_secure_input, &stage, sizeof(gl_shader_stage), true); - - VkPipelineShaderStageCreateInfo *pStage = calloc(1, sizeof(VkPipelineShaderStageCreateInfo)); - - /* Read entry point name */ - size_t name_size; - sc_read &= radv_sc_read(fd_secure_input, &name_size, sizeof(size_t), true); - if (!sc_read) - goto secure_compile_exit; - - char *ep_name = malloc(name_size); - sc_read &= radv_sc_read(fd_secure_input, ep_name, name_size, true); - pStage->pName = ep_name; - - /* Read shader module */ - size_t module_size; - sc_read &= radv_sc_read(fd_secure_input, &module_size, sizeof(size_t), true); - if (!sc_read) - 
goto secure_compile_exit; - - struct radv_shader_module *module = malloc(module_size); - sc_read &= radv_sc_read(fd_secure_input, module, module_size, true); - pStage->module = radv_shader_module_to_handle(module); - - /* Read specialization info */ - bool has_spec_info; - sc_read &= radv_sc_read(fd_secure_input, &has_spec_info, sizeof(bool), true); - if (!sc_read) - goto secure_compile_exit; - - if (has_spec_info) { - VkSpecializationInfo *specInfo = malloc(sizeof(VkSpecializationInfo)); - pStage->pSpecializationInfo = specInfo; - - sc_read &= radv_sc_read(fd_secure_input, &specInfo->dataSize, sizeof(size_t), true); - if (!sc_read) - goto secure_compile_exit; - - void *si_data = malloc(specInfo->dataSize); - sc_read &= radv_sc_read(fd_secure_input, si_data, specInfo->dataSize, true); - specInfo->pData = si_data; - - sc_read &= radv_sc_read(fd_secure_input, &specInfo->mapEntryCount, sizeof(uint32_t), true); - if (!sc_read) - goto secure_compile_exit; - - VkSpecializationMapEntry *mapEntries = malloc(sizeof(VkSpecializationMapEntry) * specInfo->mapEntryCount); - for (uint32_t j = 0; j < specInfo->mapEntryCount; j++) { - sc_read &= radv_sc_read(fd_secure_input, &mapEntries[j], sizeof(VkSpecializationMapEntry), true); - if (!sc_read) - goto secure_compile_exit; - } - - specInfo->pMapEntries = mapEntries; - } - - pStages[stage] = pStage; - } - - /* Compile the shaders */ - VkPipelineCreationFeedbackEXT *stage_feedbacks[MESA_SHADER_STAGES] = { 0 }; - - /* Not fully to spec but if we're doing sandboxed compilations already this doesn't matter. 
*/ - flags &= ~VK_PIPELINE_CREATE_FAIL_ON_PIPELINE_COMPILE_REQUIRED_BIT_EXT; - - radv_create_shaders(pipeline, device, NULL, &key, pStages, flags, NULL, stage_feedbacks); - - /* free memory allocated above */ - for (uint32_t set = 0; set < layout.num_sets; set++) - free(layout.set[set].layout); - - for (uint32_t i = 0; i < MESA_SHADER_STAGES; i++) { - if (!pStages[i]) - continue; - - free((void *) pStages[i]->pName); - free(radv_shader_module_from_handle(pStages[i]->module)); - if (pStages[i]->pSpecializationInfo) { - free((void *) pStages[i]->pSpecializationInfo->pData); - free((void *) pStages[i]->pSpecializationInfo->pMapEntries); - free((void *) pStages[i]->pSpecializationInfo); - } - free((void *) pStages[i]); - } - - vk_free(&device->vk.alloc, pipeline); - - sc_type = RADV_SC_TYPE_COMPILE_PIPELINE_FINISHED; - write(fd_secure_output, &sc_type, sizeof(sc_type)); - - } else if (sc_type == RADV_SC_TYPE_DESTROY_DEVICE) { - goto secure_compile_exit; - } - } - -secure_compile_exit: - close(fd_secure_input); - close(fd_secure_output); - close(fd_idle_device_output); - _exit(0); -} - -static enum radv_secure_compile_type fork_secure_compile_device(struct radv_device *device, unsigned process) -{ - int fd_secure_input[2]; - int fd_secure_output[2]; - - /* create pipe descriptors (used to communicate between processes) */ - if (pipe(fd_secure_input) == -1 || pipe(fd_secure_output) == -1) - return RADV_SC_TYPE_INIT_FAILURE; - - - int sc_pid; - if ((sc_pid = fork()) == 0) { - device->sc_state->secure_compile_thread_counter = process; - run_secure_compile_device(device, process, fd_secure_output[1]); - } else { - if (sc_pid == -1) - return RADV_SC_TYPE_INIT_FAILURE; - - /* Read the init result returned from the secure process */ - enum radv_secure_compile_type sc_type; - bool sc_read = radv_sc_read(fd_secure_output[0], &sc_type, sizeof(sc_type), true); - - if (sc_type == RADV_SC_TYPE_INIT_FAILURE || !sc_read) { - close(fd_secure_input[0]); - close(fd_secure_input[1]); - 
close(fd_secure_output[1]); - close(fd_secure_output[0]); - int status; - waitpid(sc_pid, &status, 0); - - return RADV_SC_TYPE_INIT_FAILURE; - } else { - assert(sc_type == RADV_SC_TYPE_INIT_SUCCESS); - write(device->sc_state->secure_compile_processes[process].fd_secure_output, &sc_type, sizeof(sc_type)); - - close(fd_secure_input[0]); - close(fd_secure_input[1]); - close(fd_secure_output[1]); - close(fd_secure_output[0]); - - int status; - waitpid(sc_pid, &status, 0); - } - } - - return RADV_SC_TYPE_INIT_SUCCESS; -} - -/* Run a bare bones fork of a device that was forked right after its creation. - * This device will have low overhead when it is forked again before each - * pipeline compilation. This device sits idle and its only job is to fork - * itself. - */ -static void run_secure_compile_idle_device(struct radv_device *device, unsigned process, - int fd_secure_input, int fd_secure_output) -{ - enum radv_secure_compile_type sc_type = RADV_SC_TYPE_INIT_SUCCESS; - device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input; - device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output; - - write(fd_secure_output, &sc_type, sizeof(sc_type)); - - while (true) { - radv_sc_read(fd_secure_input, &sc_type, sizeof(sc_type), false); - - if (sc_type == RADV_SC_TYPE_FORK_DEVICE) { - sc_type = fork_secure_compile_device(device, process); - - if (sc_type == RADV_SC_TYPE_INIT_FAILURE) - goto secure_compile_exit; - - } else if (sc_type == RADV_SC_TYPE_DESTROY_DEVICE) { - goto secure_compile_exit; - } - } - -secure_compile_exit: - close(fd_secure_input); - close(fd_secure_output); - _exit(0); -} - -static void destroy_secure_compile_device(struct radv_device *device, unsigned process) -{ - int fd_secure_input = device->sc_state->secure_compile_processes[process].fd_secure_input; - - enum radv_secure_compile_type sc_type = RADV_SC_TYPE_DESTROY_DEVICE; - write(fd_secure_input, &sc_type, sizeof(sc_type)); - - 
close(device->sc_state->secure_compile_processes[process].fd_secure_input); - close(device->sc_state->secure_compile_processes[process].fd_secure_output); - - int status; - waitpid(device->sc_state->secure_compile_processes[process].sc_pid, &status, 0); -} - -static VkResult fork_secure_compile_idle_device(struct radv_device *device) -{ - device->sc_state = vk_zalloc(&device->vk.alloc, - sizeof(struct radv_secure_compile_state), - 8, VK_SYSTEM_ALLOCATION_SCOPE_DEVICE); - - mtx_init(&device->sc_state->secure_compile_mutex, mtx_plain); - - pid_t upid = getpid(); - time_t seconds = time(NULL); - - char *uid; - if (asprintf(&uid, "%ld_%ld", (long) upid, (long) seconds) == -1) - return VK_ERROR_INITIALIZATION_FAILED; - - device->sc_state->uid = uid; - - uint8_t sc_threads = device->instance->num_sc_threads; - int fd_secure_input[MAX_SC_PROCS][2]; - int fd_secure_output[MAX_SC_PROCS][2]; - - /* create pipe descriptors (used to communicate between processes) */ - for (unsigned i = 0; i < sc_threads; i++) { - if (pipe(fd_secure_input[i]) == -1 || - pipe(fd_secure_output[i]) == -1) { - return VK_ERROR_INITIALIZATION_FAILED; - } - } - - device->sc_state->secure_compile_processes = vk_zalloc(&device->vk.alloc, - sizeof(struct radv_secure_compile_process) * sc_threads, 8, - VK_SYSTEM_ALLOCATION_SCOPE_DEVICE); - - for (unsigned process = 0; process < sc_threads; process++) { - if ((device->sc_state->secure_compile_processes[process].sc_pid = fork()) == 0) { - device->sc_state->secure_compile_thread_counter = process; - run_secure_compile_idle_device(device, process, fd_secure_input[process][0], fd_secure_output[process][1]); - } else { - if (device->sc_state->secure_compile_processes[process].sc_pid == -1) - return VK_ERROR_INITIALIZATION_FAILED; - - /* Read the init result returned from the secure process */ - enum radv_secure_compile_type sc_type; - bool sc_read = radv_sc_read(fd_secure_output[process][0], &sc_type, sizeof(sc_type), true); - - bool fifo_result; - if (sc_read 
&& sc_type == RADV_SC_TYPE_INIT_SUCCESS) { - fifo_result = secure_compile_open_fifo_fds(device->sc_state, - &device->sc_state->secure_compile_processes[process].fd_server, - &device->sc_state->secure_compile_processes[process].fd_client, - process, true); - - device->sc_state->secure_compile_processes[process].fd_secure_input = fd_secure_input[process][1]; - device->sc_state->secure_compile_processes[process].fd_secure_output = fd_secure_output[process][0]; - } - - if (sc_type == RADV_SC_TYPE_INIT_FAILURE || !sc_read || !fifo_result) { - close(fd_secure_input[process][0]); - close(fd_secure_input[process][1]); - close(fd_secure_output[process][1]); - close(fd_secure_output[process][0]); - int status; - waitpid(device->sc_state->secure_compile_processes[process].sc_pid, &status, 0); - - /* Destroy any forks that were created sucessfully */ - for (unsigned i = 0; i < process; i++) { - destroy_secure_compile_device(device, i); - } - - return VK_ERROR_INITIALIZATION_FAILED; - } - } - } - return VK_SUCCESS; -} - static void radv_device_init_dispatch(struct radv_device *device) { @@ -3215,11 +2674,6 @@ VkResult radv_CreateDevice( goto fail; } - /* Temporarily disable secure compile while we create meta shaders, etc */ - uint8_t sc_threads = device->instance->num_sc_threads; - if (sc_threads) - device->instance->num_sc_threads = 0; - device->keep_shader_info = keep_shader_info; result = radv_device_init_meta(device); if (result != VK_SUCCESS) @@ -3278,15 +2732,6 @@ VkResult radv_CreateDevice( 1 << util_logbase2(device->force_aniso)); } - /* Fork device for secure compile as required */ - device->instance->num_sc_threads = sc_threads; - if (radv_device_use_secure_compile(device->instance)) { - - result = fork_secure_compile_idle_device(device); - if (result != VK_SUCCESS) - goto fail_meta; - } - *pDevice = radv_device_to_handle(device); return VK_SUCCESS; 
@@ -3355,17 +2800,6 @@ void radv_DestroyDevice( radv_thread_trace_finish(device); - if (radv_device_use_secure_compile(device->instance)) { - for (unsigned i = 0; i < device->instance->num_sc_threads; i++ ) { - destroy_secure_compile_device(device, i); - } - } - - if (device->sc_state) { - free(device->sc_state->uid); - vk_free(&device->vk.alloc, device->sc_state->secure_compile_processes); - } - vk_free(&device->vk.alloc, device->sc_state); vk_free(&device->vk.alloc, device); } diff --git a/src/amd/vulkan/radv_pipeline.c b/src/amd/vulkan/radv_pipeline.c index 8006b39b1ce..0c36fb7b96c 100644 --- a/src/amd/vulkan/radv_pipeline.c +++ b/src/amd/vulkan/radv_pipeline.c 
@@ -4773,197 +4773,6 @@ radv_pipeline_get_streamout_shader(struct radv_pipeline *pipeline) return NULL; } -static VkResult -radv_secure_compile(struct radv_pipeline *pipeline, - struct radv_device *device, - const struct radv_pipeline_key *key, - const VkPipelineShaderStageCreateInfo **pStages, - const VkPipelineCreateFlags flags, - unsigned num_stages) -{ - uint8_t allowed_pipeline_hashes[2][20]; - radv_hash_shaders(allowed_pipeline_hashes[0], pStages, - pipeline->layout, key, get_hash_flags(device)); - - /* Generate the GC copy hash */ - memcpy(allowed_pipeline_hashes[1], allowed_pipeline_hashes[0], 20); - allowed_pipeline_hashes[1][0] ^= 1; - - uint8_t allowed_hashes[2][20]; - for (unsigned i = 0; i < 2; ++i) { - disk_cache_compute_key(device->physical_device->disk_cache, - allowed_pipeline_hashes[i], 20, - allowed_hashes[i]); - } - - /* Do an early exit if all cache entries are already there. */ - bool may_need_copy_shader = pStages[MESA_SHADER_GEOMETRY]; - void *main_entry = disk_cache_get(device->physical_device->disk_cache, allowed_hashes[0], NULL); - void *copy_entry = NULL; - if (may_need_copy_shader) - copy_entry = disk_cache_get(device->physical_device->disk_cache, allowed_hashes[1], NULL); - - bool has_all_cache_entries = main_entry && (!may_need_copy_shader || copy_entry); - free(main_entry); - free(copy_entry); - - if(has_all_cache_entries) - return VK_SUCCESS; - - unsigned process = 0; - uint8_t sc_threads = device->instance->num_sc_threads; - while (true) { - mtx_lock(&device->sc_state->secure_compile_mutex); - if (device->sc_state->secure_compile_thread_counter < sc_threads) { - device->sc_state->secure_compile_thread_counter++; - for (unsigned i = 0; i < sc_threads; i++) { - if (!device->sc_state->secure_compile_processes[i].in_use) { - device->sc_state->secure_compile_processes[i].in_use = true; - process = i; - break; - } - } - mtx_unlock(&device->sc_state->secure_compile_mutex); - break; - } - 
mtx_unlock(&device->sc_state->secure_compile_mutex); - } - - int fd_secure_input = device->sc_state->secure_compile_processes[process].fd_secure_input; - int fd_secure_output = device->sc_state->secure_compile_processes[process].fd_secure_output; - - /* Fork a copy of the slim untainted secure compile process */ - enum radv_secure_compile_type sc_type = RADV_SC_TYPE_FORK_DEVICE; - write(fd_secure_input, &sc_type, sizeof(sc_type)); - - if (!radv_sc_read(fd_secure_output, &sc_type, sizeof(sc_type), true) || - sc_type != RADV_SC_TYPE_INIT_SUCCESS) - return VK_ERROR_DEVICE_LOST; - - fd_secure_input = device->sc_state->secure_compile_processes[process].fd_server; - fd_secure_output = device->sc_state->secure_compile_processes[process].fd_client; - - /* Write pipeline / shader module out to secure process via pipe */ - sc_type = RADV_SC_TYPE_COMPILE_PIPELINE; - write(fd_secure_input, &sc_type, sizeof(sc_type)); - - /* Write pipeline layout out to secure process */ - struct radv_pipeline_layout *layout = pipeline->layout; - write(fd_secure_input, layout, sizeof(struct radv_pipeline_layout)); - write(fd_secure_input, &layout->num_sets, sizeof(uint32_t)); - for (uint32_t set = 0; set < layout->num_sets; set++) { - write(fd_secure_input, &layout->set[set].layout->layout_size, sizeof(uint32_t)); - write(fd_secure_input, layout->set[set].layout, layout->set[set].layout->layout_size); - } - - /* Write pipeline key out to secure process */ - write(fd_secure_input, key, sizeof(struct radv_pipeline_key)); - - /* Write pipeline create flags out to secure process */ - write(fd_secure_input, &flags, sizeof(VkPipelineCreateFlags)); - - /* Write stage and shader information out to secure process */ - write(fd_secure_input, &num_stages, sizeof(uint32_t)); - for (uint32_t i = 0; i < MESA_SHADER_STAGES; i++) { - if (!pStages[i]) - continue; - - /* Write stage out to secure process */ - gl_shader_stage stage = ffs(pStages[i]->stage) - 1; - write(fd_secure_input, &stage, 
sizeof(gl_shader_stage)); - - /* Write entry point name out to secure process */ - size_t name_size = strlen(pStages[i]->pName) + 1; - write(fd_secure_input, &name_size, sizeof(size_t)); - write(fd_secure_input, pStages[i]->pName, name_size); - - /* Write shader module out to secure process */ - struct radv_shader_module *module = radv_shader_module_from_handle(pStages[i]->module); - assert(!module->nir); - size_t module_size = sizeof(struct radv_shader_module) + module->size; - write(fd_secure_input, &module_size, sizeof(size_t)); - write(fd_secure_input, module, module_size); - - /* Write specialization info out to secure process */ - const VkSpecializationInfo *specInfo = pStages[i]->pSpecializationInfo; - bool has_spec_info = specInfo ? true : false; - write(fd_secure_input, &has_spec_info, sizeof(bool)); - if (specInfo) { - write(fd_secure_input, &specInfo->dataSize, sizeof(size_t)); - write(fd_secure_input, specInfo->pData, specInfo->dataSize); - - write(fd_secure_input, &specInfo->mapEntryCount, sizeof(uint32_t)); - for (uint32_t j = 0; j < specInfo->mapEntryCount; j++) - write(fd_secure_input, &specInfo->pMapEntries[j], sizeof(VkSpecializationMapEntry)); - } - } - - /* Read the data returned from the secure process */ - while (sc_type != RADV_SC_TYPE_COMPILE_PIPELINE_FINISHED) { - if (!radv_sc_read(fd_secure_output, &sc_type, sizeof(sc_type), true)) - return VK_ERROR_DEVICE_LOST; - - if (sc_type == RADV_SC_TYPE_WRITE_DISK_CACHE) { - assert(device->physical_device->disk_cache); - - uint8_t disk_sha1[20]; - if (!radv_sc_read(fd_secure_output, disk_sha1, sizeof(uint8_t) * 20, true)) - return VK_ERROR_DEVICE_LOST; - - if (memcmp(disk_sha1, allowed_hashes[0], 20) && - memcmp(disk_sha1, allowed_hashes[1], 20)) - return VK_ERROR_DEVICE_LOST; - - uint32_t entry_size; - if (!radv_sc_read(fd_secure_output, &entry_size, sizeof(uint32_t), true)) - return VK_ERROR_DEVICE_LOST; - - struct cache_entry *entry = malloc(entry_size); - if (!radv_sc_read(fd_secure_output, 
entry, entry_size, true)) - return VK_ERROR_DEVICE_LOST; - - disk_cache_put(device->physical_device->disk_cache, - disk_sha1, entry, entry_size, - NULL); - - free(entry); - } else if (sc_type == RADV_SC_TYPE_READ_DISK_CACHE) { - uint8_t disk_sha1[20]; - if (!radv_sc_read(fd_secure_output, disk_sha1, sizeof(uint8_t) * 20, true)) - return VK_ERROR_DEVICE_LOST; - - if (memcmp(disk_sha1, allowed_hashes[0], 20) && - memcmp(disk_sha1, allowed_hashes[1], 20)) - return VK_ERROR_DEVICE_LOST; - - size_t size; - struct cache_entry *entry = (struct cache_entry *) - disk_cache_get(device->physical_device->disk_cache, - disk_sha1, &size); - - uint8_t found = entry ? 1 : 0; - write(fd_secure_input, &found, sizeof(uint8_t)); - - if (found) { - write(fd_secure_input, &size, sizeof(size_t)); - write(fd_secure_input, entry, size); - } - - free(entry); - } - } - - sc_type = RADV_SC_TYPE_DESTROY_DEVICE; - write(fd_secure_input, &sc_type, sizeof(sc_type)); - - mtx_lock(&device->sc_state->secure_compile_mutex); - device->sc_state->secure_compile_thread_counter--; - device->sc_state->secure_compile_processes[process].in_use = false; - mtx_unlock(&device->sc_state->secure_compile_mutex); - - return VK_SUCCESS; -} - static VkResult radv_pipeline_init(struct radv_pipeline *pipeline, struct radv_device *device, 
@@ -5001,15 +4810,12 @@ radv_pipeline_init(struct radv_pipeline *pipeline, } struct radv_pipeline_key key = radv_generate_graphics_pipeline_key(pipeline, pCreateInfo, &blend, has_view_index); - if (radv_device_use_secure_compile(device->instance)) { - return radv_secure_compile(pipeline, device, &key, pStages, pCreateInfo->flags, pCreateInfo->stageCount); - } else { - result = radv_create_shaders(pipeline, device, cache, &key, pStages, - pCreateInfo->flags, pipeline_feedback, - stage_feedbacks); - if (result != VK_SUCCESS) - return result; - } + + result = radv_create_shaders(pipeline, device, cache, &key, pStages, + pCreateInfo->flags, pipeline_feedback, + stage_feedbacks); + if (result != VK_SUCCESS) + return result; pipeline->graphics.spi_baryc_cntl = S_0286E0_FRONT_FACE_ALL_BITS(1); radv_pipeline_init_multisample_state(pipeline, &blend, pCreateInfo); @@ -5313,19 +5119,12 @@ static VkResult radv_compute_pipeline_create( struct radv_pipeline_key key = radv_generate_compute_pipeline_key(pipeline, pCreateInfo); - if (radv_device_use_secure_compile(device->instance)) { - result = radv_secure_compile(pipeline, device, &key, pStages, pCreateInfo->flags, 1); - *pPipeline = radv_pipeline_to_handle(pipeline); - + result = radv_create_shaders(pipeline, device, cache, &key, pStages, + pCreateInfo->flags, pipeline_feedback, + stage_feedbacks); + if (result != VK_SUCCESS) { + radv_pipeline_destroy(device, pipeline, pAllocator); return result; - } else { - result = radv_create_shaders(pipeline, device, cache, &key, pStages, - pCreateInfo->flags, pipeline_feedback, - stage_feedbacks); - if (result != VK_SUCCESS) { - radv_pipeline_destroy(device, pipeline, pAllocator); - return result; - } } pipeline->user_data_0[MESA_SHADER_COMPUTE] = radv_pipeline_stage_to_user_data_0(pipeline, MESA_SHADER_COMPUTE, device->physical_device->rad_info.chip_class); diff --git a/src/amd/vulkan/radv_pipeline_cache.c b/src/amd/vulkan/radv_pipeline_cache.c index b08395f5cfb..12657d06819 100644 
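Review bot: With the `radv_device_use_secure_compile()` branch gone, `radv_create_shaders()` in `radv_pipeline_init` (and in `radv_compute_pipeline_create` in the next hunk) always runs in the application's own process, and nothing tells a user who still exports `RADV_SECURE_COMPILE_THREADS` that the seccomp-filtered compile path no longer exists. The variable was a hardening knob, so silently ignoring it is a quiet downgrade for any deployment that relied on it. Consider a one-time warning in `radv_CreateInstance` when it is set, e.g. `if (getenv("RADV_SECURE_COMPILE_THREADS")) fprintf(stderr, "radv: RADV_SECURE_COMPILE_THREADS is no longer supported and is ignored.\n");`, plus a release-note entry alongside the `docs/envvars.rst` removal. Both functions start and end outside their hunks.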
--- a/src/amd/vulkan/radv_pipeline_cache.c
+++ b/src/amd/vulkan/radv_pipeline_cache.c
@@ -262,67 +262,6 @@ radv_is_cache_disabled(struct radv_device *device) return (device->instance->debug_flags & RADV_DEBUG_NO_CACHE); } -/* - * Secure compiles cannot open files so we get the parent process to load the - * cache entry for us. - */ -static struct cache_entry * -radv_sc_read_from_disk_cache(struct radv_device *device, uint8_t *disk_sha1) -{ - struct cache_entry *entry; - unsigned process = device->sc_state->secure_compile_thread_counter; - enum radv_secure_compile_type sc_type = RADV_SC_TYPE_READ_DISK_CACHE; - - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - &sc_type, sizeof(enum radv_secure_compile_type)); - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - disk_sha1, sizeof(uint8_t) * 20); - - uint8_t found_cache_entry; - if (!radv_sc_read(device->sc_state->secure_compile_processes[process].fd_secure_input, - &found_cache_entry, sizeof(uint8_t), true)) - return NULL; - - if (found_cache_entry) { - size_t entry_size; - if (!radv_sc_read(device->sc_state->secure_compile_processes[process].fd_secure_input, - &entry_size, sizeof(size_t), true)) - return NULL; - - entry = malloc(entry_size); - if (!radv_sc_read(device->sc_state->secure_compile_processes[process].fd_secure_input, - entry, entry_size, true)) - return NULL; - - return entry; - } - - return NULL; -} - -/* - * Secure compiles cannot open files so we get the parent process to write to - * the disk cache for us. 
- */ -static void -radv_sc_write_to_disk_cache(struct radv_device *device, uint8_t *disk_sha1, - struct cache_entry *entry) -{ - unsigned process = device->sc_state->secure_compile_thread_counter; - enum radv_secure_compile_type sc_type = RADV_SC_TYPE_WRITE_DISK_CACHE; - - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - &sc_type, sizeof(enum radv_secure_compile_type)); - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - disk_sha1, sizeof(uint8_t) * 20); - - uint32_t size = entry_size(entry); - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - &size, sizeof(uint32_t)); - write(device->sc_state->secure_compile_processes[process].fd_secure_output, - entry, size); -} - bool radv_create_shader_variants_from_pipeline_cache(struct radv_device *device, struct radv_pipeline_cache *cache, @@ -356,14 +295,9 @@ radv_create_shader_variants_from_pipeline_cache(struct radv_device *device, disk_cache_compute_key(device->physical_device->disk_cache, sha1, 20, disk_sha1); - if (radv_device_use_secure_compile(device->instance)) { - entry = radv_sc_read_from_disk_cache(device, disk_sha1); - } else { - entry = (struct cache_entry *) - disk_cache_get(device->physical_device->disk_cache, - disk_sha1, NULL); - } - + entry = (struct cache_entry *) + disk_cache_get(device->physical_device->disk_cache, + disk_sha1, NULL); if (!entry) { radv_pipeline_cache_unlock(cache); return false; 
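Review bot: `disk_cache_get()` in `radv_create_shader_variants_from_pipeline_cache` is called with `NULL` for its size out-parameter, so the length of the blob read from disk is discarded. The code after the `if (!entry)` check lies outside this hunk, but it presumably has to trust the sizes stored inside the entry itself. The removed parent-side loader in `radv_secure_compile` did capture the length (`disk_cache_get(..., disk_sha1, &size)`). Now that this is the only load path, it would be worth capturing it here too and rejecting a truncated or mismatched entry, for example `size_t size; entry = disk_cache_get(device->physical_device->disk_cache, disk_sha1, &size);` with the guard widened to `if (!entry || size != entry_size(entry))` and a `free(entry)` before the early return. The `(struct cache_entry *)` cast on the `void *` result is also unnecessary in C.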
@@ -489,16 +423,8 @@ radv_pipeline_cache_insert_shaders(struct radv_device *device, disk_cache_compute_key(device->physical_device->disk_cache, sha1, 20, disk_sha1); - /* Write the cache item out to the parent of this forked - * process. - */ - if (radv_device_use_secure_compile(device->instance)) { - radv_sc_write_to_disk_cache(device, disk_sha1, entry); - } else { - disk_cache_put(device->physical_device->disk_cache, - disk_sha1, entry, entry_size(entry), - NULL); - } + disk_cache_put(device->physical_device->disk_cache, disk_sha1, + entry, entry_size(entry), NULL); } if (device->instance->debug_flags & RADV_DEBUG_NO_MEMORY_CACHE && diff --git a/src/amd/vulkan/radv_private.h b/src/amd/vulkan/radv_private.h index e710b0d58fb..644dcd0d81c 100644 --- a/src/amd/vulkan/radv_private.h +++ b/src/amd/vulkan/radv_private.h @@ -95,18 +95,6 @@ typedef uint32_t xcb_window_t; #define RADV_SUPPORT_ANDROID_HARDWARE_BUFFER 0 #endif -enum radv_secure_compile_type { - RADV_SC_TYPE_INIT_SUCCESS, - RADV_SC_TYPE_INIT_FAILURE, - RADV_SC_TYPE_COMPILE_PIPELINE, - RADV_SC_TYPE_COMPILE_PIPELINE_FINISHED, - RADV_SC_TYPE_READ_DISK_CACHE, - RADV_SC_TYPE_WRITE_DISK_CACHE, - RADV_SC_TYPE_FORK_DEVICE, - RADV_SC_TYPE_DESTROY_DEVICE, - RADV_SC_TYPE_COUNT -}; - #define radv_printflike(a, b) __attribute__((__format__(__printf__, a, b))) static inline uint32_t @@ -337,7 +325,6 @@ struct radv_instance { uint64_t debug_flags; uint64_t perftest_flags; - uint8_t num_sc_threads; struct vk_debug_report_instance debug_report_callbacks; @@ -358,12 +345,6 @@ struct radv_instance { bool enable_mrt_output_nan_fixup; }; -static inline -bool radv_device_use_secure_compile(struct radv_instance *instance) -{ - return instance->num_sc_threads; -} - VkResult radv_init_wsi(struct radv_physical_device *physical_device); void radv_finish_wsi(struct radv_physical_device *physical_device); 
@@ -743,36 +724,6 @@ VkResult radv_bo_list_add(struct radv_device *device, void radv_bo_list_remove(struct radv_device *device, struct radeon_winsys_bo *bo); -struct radv_secure_compile_process { - /* Secure process file descriptors. Used to communicate between the - * user facing device and the idle forked device used to fork a clean - * process for each new pipeline compile. - */ - int fd_secure_input; - int fd_secure_output; - - /* FIFO file descriptors used to communicate between the user facing - * device and the secure process that does the actual secure compile. - */ - int fd_server; - int fd_client; - - /* Secure compile process id */ - pid_t sc_pid; - - /* Is the secure compile process currently in use by a thread */ - bool in_use; -}; - -struct radv_secure_compile_state { - struct radv_secure_compile_process *secure_compile_processes; - uint32_t secure_compile_thread_counter; - mtx_t secure_compile_mutex; - - /* Unique process ID used to build name for FIFO file descriptor */ - char *uid; -}; - #define RADV_BORDER_COLOR_COUNT 4096 #define RADV_BORDER_COLOR_BUFFER_SIZE (sizeof(VkClearColorValue) * RADV_BORDER_COLOR_COUNT) @@ -859,8 +810,6 @@ struct radv_device { struct radv_device_border_color_data border_color_data; - struct radv_secure_compile_state *sc_state; - /* Condition variable for legacy timelines, to notify waiters when a * new point gets submitted. */ pthread_cond_t timeline_cond; @@ -1221,9 +1170,6 @@ radv_initialise_ds_surface(struct radv_device *device, struct radv_ds_buffer_info *ds, struct radv_image_view *iview); -bool -radv_sc_read(int fd, void *buf, size_t size, bool timeout); - /** * Attachment state when recording a renderpass instance. * diff --git a/src/amd/vulkan/radv_shader.c b/src/amd/vulkan/radv_shader.c index 0946560b833..ac6c751928e 100644 --- a/src/amd/vulkan/radv_shader.c +++ b/src/amd/vulkan/radv_shader.c 
@@ -1036,13 +1036,6 @@ radv_shader_variant_create(struct radv_device *device, radv_postprocess_config(device->physical_device, &config, &binary->info, binary->stage, &variant->config); - if (radv_device_use_secure_compile(device->instance)) { - if (binary->type == RADV_BINARY_TYPE_RTLD) - ac_rtld_close(&rtld_binary); - - return variant; - } - void *dest_ptr = radv_alloc_shader_memory(device, variant); if (!dest_ptr) { if (binary->type == RADV_BINARY_TYPE_RTLD)