NetBSD Problem Report #59115

From www@netbsd.org  Sat Mar  1 09:58:21 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id A19B21A923D
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  1 Mar 2025 09:58:21 +0000 (UTC)
Message-Id: <20250301095820.589A01A923F@mollari.NetBSD.org>
Date: Sat,  1 Mar 2025 09:58:20 +0000 (UTC)
From: nia@pkgsrc.org
Reply-To: nia@pkgsrc.org
To: gnats-bugs@NetBSD.org
Subject: x86 can (and should) set securelevel=1 by default
X-Send-Pr-Version: www-1.0

>Number:         59115
>Category:       security
>Synopsis:       x86 can (and should) set securelevel=1 by default
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 01 10:00:01 +0000 2025
>Originator:     nia
>Release:        any version
>Organization:
The NetBSD Foundation
>Environment:
any version
>Description:
Various ports defaulting to securelevel=-1 has previously
been justified by Xorg needing to utilize direct access
to hardware devices.  This is no longer the case.

Most x86 devices have drmkms drivers which perform
privileged operations in the kernel and Xorg can be used
with full acceleration at securelevel=1.

Devices that don't can generally utilize the wsfb driver
which also performs hardware operations in the kernel.

By default, traditional BIOS boot initializes text mode
instead of a VESA VGA mode - this can be changed with
a bootloader option.  A VESA VGA mode should be enabled
in order to set up a proper wsdisplay device for Xorg (and
get higher resolution than 80x24).

The performance benefits from traditional userspace-based
Xorg 2d acceleration with modern hardware aren't as clear-cut
as they used to be, so wsfb is more useful than it used to be.
For these special cases (and rare cases where a card isn't
vesa compliant), a custom kernel configuration can be used,
such systems likely benefiting from a stripped down ungeneric
configuration.

NetBSD has been working for years to remove remaining users
of /dev/mem and this work has been quite successful.
>How-To-Repeat:

>Fix:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.