Re: [RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe
On Thu, Sep 09, 2021 at 01:20:16AM +0200, Philippe Mathieu-Daudé wrote: > Add the AccelClass::secure_policy_supported field to classify > safe (within security boundary) vs unsafe accelerators. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@xxxxxxxxxx> > --- > include/qemu/accel.h | 5 +++++ > accel/kvm/kvm-all.c | 1 + > accel/xen/xen-all.c | 1 + > softmmu/vl.c | 3 +++ > 4 files changed, 10 insertions(+) > > diff --git a/include/qemu/accel.h b/include/qemu/accel.h > index 4f4c283f6fc..895e30be0de 100644 > --- a/include/qemu/accel.h > +++ b/include/qemu/accel.h > @@ -44,6 +44,11 @@ typedef struct AccelClass { > hwaddr start_addr, hwaddr size); > #endif > bool *allowed; > + /* > + * Whether the accelerator is withing QEMU security policy boundary. > + * See: https://www.qemu.org/contribute/security-process/ > + */ > + bool secure_policy_supported; The security handling policy is a high level concept that is open to variation over time and also by downstream distro vendors. At a code level we should be dealing in a more fundamental concept. At an accelerator level we should really just declare whether or not the accelerator impl is considered to be secure against malicious guest code. eg /* Whether this accelerator is secure against execution * of malicious guest machine code */ bool secure; > /* > * Array of global properties that would be applied when specific > * accelerator is chosen. It works like MachineClass.compat_props > diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c > index 0125c17edb8..eb6b9e44df2 100644 > --- a/accel/kvm/kvm-all.c > +++ b/accel/kvm/kvm-all.c > @@ -3623,6 +3623,7 @@ static void kvm_accel_class_init(ObjectClass *oc, void > *data) > ac->init_machine = kvm_init; > ac->has_memory = kvm_accel_has_memory; > ac->allowed = &kvm_allowed; > + ac->secure_policy_supported = true; > > object_class_property_add(oc, "kernel-irqchip", "on|off|split", > NULL, kvm_set_kernel_irqchip, 
> diff --git a/accel/xen/xen-all.c b/accel/xen/xen-all.c > index 69aa7d018b2..57867af5faf 100644 > --- a/accel/xen/xen-all.c > +++ b/accel/xen/xen-all.c > @@ -198,6 +198,7 @@ static void xen_accel_class_init(ObjectClass *oc, void > *data) > ac->setup_post = xen_setup_post; > ac->allowed = &xen_allowed; > ac->compat_props = g_ptr_array_new(); > + ac->secure_policy_supported = true; > > compat_props_add(ac->compat_props, compat, G_N_ELEMENTS(compat)); > > diff --git a/softmmu/vl.c b/softmmu/vl.c > index 92c05ac97ee..e4f94e159c3 100644 > --- a/softmmu/vl.c > +++ b/softmmu/vl.c > @@ -2388,6 +2388,9 @@ static int do_configure_accelerator(void *opaque, > QemuOpts *opts, Error **errp) > return 0; > } > > + qemu_security_policy_taint(!ac->secure_policy_supported, > + "%s accelerator", acc); We need this information to be introspectable, because stuff printed to stderr is essentially opaque to libvirt and mgmt apps above. We don't have a convenient "query-accel" command but I think this could possibly fit into 'query-target'. i.e. the TargetInfo struct gains a field: ## # @TargetInfo: # # Information describing the QEMU target. # # @arch: the target architecture # @secure: Whether the currently active accelerator for this target # is secure against execution of malicious guest code # # Since: 1.2 ## { 'struct': 'TargetInfo', 'data': { 'arch': 'SysEmuTarget', 'secure': 'bool'} } Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
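Review bot: in the include/qemu/accel.h hunk the comment on the new field reads "withing"; it should be "within". More substantively, the field is only ever assigned true (in the kvm-all.c and xen-all.c hunks), so every other accelerator class keeps the zero-initialised false and is classed as outside the policy by default. That is the safe default, but the comment on `bool secure_policy_supported;` should say so explicitly, and say that an accelerator must opt in from its class_init, so that the meaning of an unset field is not left to the reader.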
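Review bot: in the softmmu/vl.c hunk the call `qemu_security_policy_taint(!ac->secure_policy_supported, "%s accelerator", acc);` is made inside do_configure_accelerator() as soon as the accelerator class has been looked up, before any initialisation visible in this hunk. If do_configure_accelerator() can be entered for an accelerator that is subsequently not the one used (for example when it fails to initialise and another one is configured instead), the process is tainted for an accelerator that never ran; recording the taint only after the accelerator has successfully initialised would tie it to the accelerator actually in use. As the reply above says, the stderr message is also not consumable by management software, so the same fact wants exposing through QMP alongside the message.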
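The introspection proposed in the reply above (a `secure` boolean on the TargetInfo returned by `query-target`) is something a management application would consume rather than a message on stderr. The following is an added example, not code from the reply, from QEMU or from libvirt, showing how such a consumer could handle the reply defensively. It assumes the proposed `secure` field, which is not an upstream QEMU field; the QMP replies are constructed samples, not captured from a real monitor.

```python
import json

# Constructed sample QMP replies (not captured from a real QEMU). The
# 'secure' key is the field proposed in the reply above, not an upstream
# QEMU field, so its presence is an assumption of this example.
SAMPLE_WITH_FIELD = '{"return": {"arch": "x86_64", "secure": true}}'
SAMPLE_UNSAFE = '{"return": {"arch": "x86_64", "secure": false}}'
SAMPLE_OLD_QEMU = '{"return": {"arch": "x86_64"}}'   # QEMU predating the field
SAMPLE_ERROR = '{"error": {"class": "GenericError", "desc": "constructed failure"}}'


def build_query_target(qmp_id="target-1"):
    """Serialise the QMP command a management app sends on the monitor socket.

    query-target is a real QMP command; only the 'secure' reply field is assumed.
    """
    return json.dumps({"execute": "query-target", "id": qmp_id})


def classify_accelerator(raw_reply):
    """Return (arch, status) with status one of 'secure', 'unsafe', 'unknown'.

    'unknown' covers a QEMU that does not report the field at all. Absence of
    the field is not evidence that the accelerator is secure, so callers must
    not collapse 'unknown' into 'secure'.
    """
    reply = json.loads(raw_reply)
    if "error" in reply:
        raise RuntimeError("query-target failed: %s" % reply["error"].get("desc"))
    info = reply["return"]
    arch = info["arch"]
    secure = info.get("secure")
    if secure is None:
        return arch, "unknown"
    # Only an explicit boolean true counts; anything else is treated as unsafe.
    return arch, ("secure" if secure is True else "unsafe")


def may_run_untrusted_guest(raw_reply):
    """Policy decision: only a positively reported secure accelerator qualifies."""
    _, status = classify_accelerator(raw_reply)
    return status == "secure"


if __name__ == "__main__":
    print(build_query_target())
    for sample in (SAMPLE_WITH_FIELD, SAMPLE_UNSAFE, SAMPLE_OLD_QEMU):
        print(classify_accelerator(sample), may_run_untrusted_guest(sample))
```

The three-way result is the point: a management layer that maps a missing field to "secure" would silently treat every older QEMU as within the security boundary, which is exactly the opaque-stderr problem the reply describes, moved one layer up.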