OpenBSD Journal

machdep.allowaperture Warning / Change

Contributed by jolan on from the secure-by-default dept.

Theo has reminded everyone on misc@ that if they're not using X on a machine, it is wise to ensure that the X window system aperture driver is disabled -- for security reasons.
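As an added example (not from the original post or the OpenBSD project), a small POSIX sh audit of the setting Theo refers to. It assumes the standard OpenBSD layout: the live value is read with `sysctl -n machdep.allowaperture`, the boot-time value is set in `/etc/sysctl.conf` as `name=value` lines with `#` comments, and an absent entry leaves the driver at its kernel default of 0 (disabled); both helpers take their input as arguments so the logic can be exercised on any host.

```shell
#!/bin/sh
# Added example, not from the original post. Audits machdep.allowaperture on an
# OpenBSD host. Assumed layout: live value from `sysctl -n machdep.allowaperture`,
# boot-time value from /etc/sysctl.conf, kernel default 0 (disabled) when unset.

# Classify a live value. Returns 0 when the aperture driver is disabled (0),
# 1 when it is enabled (any non-zero setting), 2 on an unexpected value.
aperture_state() {
    case "$1" in
        0)      echo "disabled: userland cannot map device memory"; return 0 ;;
        [1-9]*) echo "enabled (value $1): userland X drivers can map device memory"; return 1 ;;
        *)      echo "unexpected value '$1'"; return 2 ;;
    esac
}

# Print the value a sysctl.conf-style file assigns to machdep.allowaperture,
# or "unset" if none. Assumes name=value lines, '#' comment lines, last wins.
conf_aperture_value() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == "machdep.allowaperture") last = v
        }
        END { if (last == "") print "unset"; else print last }
    ' "$1"
}

# Combined verdict: succeeds only if both the live value and the boot-time
# file leave the driver disabled (assumption: unset file entry means 0).
audit_aperture() {
    live="$1"; conf="$2"
    aperture_state "$live" >/dev/null || return 1
    bootval=$(conf_aperture_value "$conf")
    [ "$bootval" = "unset" ] && bootval=0
    aperture_state "$bootval" >/dev/null
}

# Constructed sample standing in for /etc/sysctl.conf on a headless box:
# an earlier line enabled the driver for X, a later one switches it back off.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real host's configuration
net.inet.ip.forwarding=0
machdep.allowaperture=2
machdep.allowaperture=0
EOF

# On a real host: audit_aperture "$(sysctl -n machdep.allowaperture)" /etc/sysctl.conf
```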


Comments
  1. By Anonymous Coward (84.188.250.101) on

    Good to know.
    But is there absolutely NO graphics card which is not that "evil"?

    A solution would be to make the kernel handle the drivers. Or am I wrong? (No request, just a question)

    Comments
    1. By Anonymous Coward (67.64.89.177) on

      Yes. The userspace driver model is, as we call it, dumb.

    2. By Anonymous Coward (134.58.253.131) on

      Yes, but I doubt anyone wants to create drivers for the plethora of cards out there. I doubt you just want to put code from X.org inside kernel-space; at least not without thorough investigation first.

      And of course vendor-supplied binary blobs are totally unacceptable. Binary drivers in kernel-space don't even need to have bugs that allow clever tricks to abuse a video card to read main memory, as they can just read it...

      Comments
      1. By djm@ (203.217.30.86) on

        DRM (of DRI, not copy-protection) uses a small kernel driver to validate commands sent from userspace; checking that DMA ranges, etc. match allocated graphics memory or framebuffer. It seems like a reasonably sane model, but yeah - it requires extra kernel complexity for each adapter, or at least family of adapters.

  2. By Anonymous Coward (83.253.24.77) on

    Changes like this are why I love OpenBSD =D

    Comments
    1. By Anonymous Coward (66.65.22.47) on

      +1 :-D

  3. By pdemb (83.23.245.118) pdembinski@o2.pl on www.peter.dembinski.prv.pl

    Theo says: "this device exists on i386, amd64, alpha, cats, macppc, and sparc64".

    Does it mean that sparc (not 64) arch is safe to use for X terminal?

    Comments
    1. By Anonymous Coward (128.171.90.200) on

      The man pages seem to suggest so

      Comments
      1. By Anonymous Coward (128.171.90.200) on

        .. that it doesn't use the aperture driver, I mean.

        See xf86(4) and the FAQ.

        If it doesn't use the driver, then it means it has less `evil`.

  4. By Anonymous Coward (62.252.32.11) on

    What is this alleged 'evil'? Is this a protection against some sort of possible exploit?

    Comments
    1. Comments
      1. By tedu (69.12.168.114) on

        or not at all.

    2. By Anonymous Coward (128.171.90.200) on

      direct memory access from user-level
