[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu

To: fantonifabio@xxxxxxxxxx
From: Fabio Fantoni <fabio.fantoni@xxxxxxx>
Date: Tue, 23 Jul 2013 15:42:49 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Ian.Campbell@xxxxxxxxxx, Stefano.Stabellini@xxxxxxxxxxxxx, Ian.Jackson@xxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx, spice-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 23 Jul 2013 13:43:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Il 03/07/2013 15:54, fantonifabio@xxxxxxxxxx ha scritto:

Usage: spicevdagent=1|0 (default=0)
Enables spice vdagent. The Spice vdagent is an optional component for
enhancing user experience and performing guest-oriented management
tasks. Its features includes: client mouse mode (no need to grab mouse
by client, no mouse lag), automatic adjustment of screen resolution,
copy and paste (text and image) between client and domU. It also
requires vdagent service installed on domU o.s. to work.

Signed-off-by: Fabio Fantoni <fabio.fantoni@xxxxxxx>
---
  docs/man/xl.cfg.pod.5       |    9 +++++++++
  tools/libxl/libxl_create.c  |    1 +
  tools/libxl/libxl_dm.c      |    6 ++++++
  tools/libxl/libxl_types.idl |    1 +
  tools/libxl/xl_cmdimpl.c    |    2 ++
  5 files changed, 19 insertions(+)

diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
index f8b4576..766862d 100644
--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -1123,6 +1123,15 @@ Specify the ticket password which is used by a client 
for connection.
  Whether SPICE agent is used for client mouse mode. The default is true
  (turn on)

+=item B<spicevdagent=BOOLEAN>

+
+Enables spice vdagent. The Spice vdagent is an optional component for
+enhancing user experience and performing guest-oriented management
+tasks. Its features includes: client mouse mode (no need to grab mouse
+by client, no mouse lag), automatic adjustment of screen resolution,
+copy and paste (text and image) between client and domU. It also
+requires vdagent service installed on domU o.s. to work. The default is 0.
+
  =back

=head3 Miscellaneous Emulated Hardware

diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index cb9c822..8db5460 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -288,6 +288,7 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc,
              libxl_defbool_setdefault(&b_info->u.hvm.spice.disable_ticketing,
                                       false);
              libxl_defbool_setdefault(&b_info->u.hvm.spice.agent_mouse, true);
+            libxl_defbool_setdefault(&b_info->u.hvm.spice.vdagent, false);
          }

libxl_defbool_setdefault(&b_info->u.hvm.nographic, false);

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index d10a58f..bc605e4 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -465,6 +465,12 @@ static char ** 
libxl__build_device_model_args_new(libxl__gc *gc,

flexarray_append(dm_args, "-spice");

              flexarray_append(dm_args, spiceoptions);
+            if (libxl_defbool_val(b_info->u.hvm.spice.vdagent)) {
+                flexarray_vappend(dm_args, "-device", "virtio-serial",
+                    "-chardev", "spicevmc,id=vdagent,name=vdagent", "-device",
+                    "virtserialport,chardev=vdagent,name=com.redhat.spice.0",
+                    NULL);
+            }
          }

switch (b_info->u.hvm.vga.kind) {

diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
index ecf1f0b..14425d1 100644
--- a/tools/libxl/libxl_types.idl
+++ b/tools/libxl/libxl_types.idl
@@ -172,6 +172,7 @@ libxl_spice_info = Struct("spice_info", [
      ("disable_ticketing", libxl_defbool),
      ("passwd",      string),
      ("agent_mouse", libxl_defbool),
+    ("vdagent",     libxl_defbool),
      ])

libxl_sdl_info = Struct("sdl_info", [

diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index c1a969b..44a632c 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -1491,6 +1491,8 @@ skip_vfb:
                                  &b_info->u.hvm.spice.passwd, 0);
          xlu_cfg_get_defbool(config, "spiceagent_mouse",
                              &b_info->u.hvm.spice.agent_mouse, 0);
+        xlu_cfg_get_defbool(config, "spicevdagent",
+                            &b_info->u.hvm.spice.vdagent, 0);
          xlu_cfg_get_defbool(config, "nographic", &b_info->u.hvm.nographic, 0);
          xlu_cfg_get_defbool(config, "gfx_passthru",
                              &b_info->u.hvm.gfx_passthru, 0);


I haven't seen any more replies about that patch.

The complete Ian question was:

What are the security implications ?

I don't know the details about security implications but I think risksare minimal. vdagent is disabled by default, therefore you must enableit if you want to use it, and you need the spice client and vdagent mustbe installed on the domU os. Furthermore spice can be protected withpassword and/or ssl.


In particular, does it mean that when the user has a spice client
connected to a guest, the guest can spy on the user's clipboard all
the time ?

I don't know, do you think we should ask for details about securityimplications to qemu or spice experts? (added qemu-devel and spice-develon cc)


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
  - From: fantonifabio

Prev by Date: Re: [Xen-devel] [PATCH v2] interrupts: allow guest to set and clear MSI-X mask bit
Next by Date: Re: [Xen-devel] [PATCH v2 2/2] xen/m2p: use GNTTABOP_unmap_and_replace to reinstate the original mapping
Previous by thread: [Xen-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
Next by thread: [Xen-devel] XSAVE/XRSTOR crash resurgence in 4.3
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.