From: "Michael S. Tsirkin" <mst@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, "Stefan Hajnoczi" <stefanha@redhat.com>,
"Bernhard Beschow" <shentey@gmail.com>,
"Thomas Huth" <thuth@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jiaxun Yang" <jiaxun.yang@flygoat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Alistair Francis" <Alistair.Francis@wdc.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
qemu-riscv@nongnu.org, qemu-ppc@nongnu.org,
"Huacai Chen" <chenhuacai@kernel.org>,
qemu-s390x@nongnu.org, "Halil Pasic" <pasic@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Song Gao" <gaosong@loongson.cn>,
"Bibo Mao" <maobibo@loongson.cn>
Subject: Re: [RFC PATCH] docs/system/security: Restrict "virtualization use case" to specific machines
Date: Mon, 8 Sep 2025 10:45:40 -0400 [thread overview]
Message-ID: <20250908104125-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20250908125058.220973-1-peter.maydell@linaro.org>
On Mon, Sep 08, 2025 at 01:50:57PM +0100, Peter Maydell wrote:
> Currently our security policy defines a "virtualization use case"
> where we consider bugs to be security issues, and a
> "non-virtualization use case" where we do not make any security
> guarantees and don't consider bugs to be security issues.
>
> The rationale for this split is that much code in QEMU is older and
> was not written with malicious guests in mind, and we don't have the
> resources to audit, fix and defend it. So instead we inform users
> about what the can in practice rely on as a security barrier, and
> what they can't.
>
> We don't currently restrict the "virtualization use case" to any
> particular set of machine types. This means that we have effectively
> barred ourselves from adding KVM support to any machine type that we
> don't want to put into the "bugs are security issues" category, even
> if it would be useful for users to be able to get better performance
> with a trusted guest by enabling KVM. This seems an unnecessary
> restriction, and in practice the set of machine types it makes
> sense to use for untrusted-guest virtualization is quite small.
>
> Specifically, we would like to be able to enable the use of
> KVM with the imx8 development board machine types, but we don't
> want to commit ourselves to having to support those SoC models
> and device models as part of QEMU's security boundary:
> https://lore.kernel.org/qemu-devel/20250629204851.1778-3-shentey@gmail.com/
>
> This patch updates the security policy to explicitly list the
> machine types we consider to be useful for the "virtualization
> use case".
This use-case sounds reasonable to me. I also imagine that
some machines can get fixed down the road perhaps to
the point where they enter the "virtualization use case".
However, since we are
getting this elaborate, would my old idea of a runtime flag
make sense now?
To recap, the idea was to add a "-virt" flag that will
block any machines, devices and so on not considered
part of the "virtualization use case".
We could also create a mechanism for downstreams to
tweak this as they see fit.
> This is an RFC partly to see if we have consensus that this change
> makes sense, and partly because I was only able to identify the
> machine types we want to cover for some of our target architectures.
> If maintainers for the other architectures could clarify which
> machine types work with KVM that would be helpful.
>
> Notes on the listed machine types:
>
> architectures I'm pretty sure about:
>
> aarch64:
> -- virt is definitely the only supported one
> s390x:
> -- s390-ccw-virtio is the only machine type for this architecture
> loongarch64:
> -- virt is the only machine type for this architecture
>
> architectures where I've made a guess:
>
> i386, x86_64:
> -- I have assumed that all machine types except the "experimental"
> x-remote are supported
>
> architectures I don't know:
>
> mips, mips64
> riscv32, riscv64
> ppc, ppc64
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> docs/system/security.rst | 28 ++++++++++++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
> diff --git a/docs/system/security.rst b/docs/system/security.rst
> index f2092c8768b..395c2d7fb88 100644
> --- a/docs/system/security.rst
> +++ b/docs/system/security.rst
> @@ -35,6 +35,34 @@ malicious:
> Bugs affecting these entities are evaluated on whether they can cause damage in
> real-world use cases and treated as security bugs if this is the case.
>
> +To be covered by this security support policy you must:
> +
> +- use a virtualization accelerator like KVM or HVF
> +- use one of the machine types listed below
> +
> +It may be possible to use other machine types with a virtualization
> +accelerator to provide improved performance with a trusted guest
> +workload, but any machine type not listed here should not be
> +considered to be providing guest isolation or security guarantees,
> +and falls under the "non-virtualization use case".
> +
> +Supported machine types for the virtualization use case, by target architecture:
> +
> +aarch64
> + ``virt``
> +i386, x86_64
> + ``microvm``, ``xenfv``, ``xenpv``, ``xenpvh``, ``pc``, ``q35``, ``isapc``
> +s390x
> + ``s390-ccw-virtio``
> +loongarch64:
> + ``virt``
> +ppc, ppc64:
> + TODO
> +mips, mips64:
> + TODO
> +riscv32, riscv64:
> + TODO
> +
> Non-virtualization Use Case
> '''''''''''''''''''''''''''
>
> --
> 2.43.0
next prev parent reply other threads:[~2025-09-08 14:47 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-08 12:50 [RFC PATCH] docs/system/security: Restrict "virtualization use case" to specific machines Peter Maydell
2025-09-08 13:09 ` Paolo Bonzini
2025-09-08 13:21 ` Thomas Huth
2025-09-24 23:57 ` Philippe Mathieu-Daudé
2025-09-08 13:42 ` Stefan Hajnoczi
2025-09-08 14:45 ` Michael S. Tsirkin [this message]
2025-09-08 15:15 ` Daniel P. Berrangé
2025-09-25 0:05 ` Philippe Mathieu-Daudé
2025-09-25 9:22 ` Daniel P. Berrangé
2025-10-13 10:40 ` Bernhard Beschow
2025-10-13 11:12 ` Michael S. Tsirkin
2025-10-13 11:47 ` Daniel P. Berrangé
2025-10-13 11:59 ` Michael S. Tsirkin
2025-10-13 19:36 ` Bernhard Beschow
2025-10-14 12:20 ` Peter Maydell
2025-10-14 12:38 ` Bibo Mao
2025-10-14 13:22 ` Daniel P. Berrangé
2025-10-14 13:24 ` Peter Maydell
2025-09-08 15:09 ` Daniel P. Berrangé
2025-09-08 15:15 ` Peter Maydell
2025-09-24 18:16 ` Bernhard Beschow
2025-09-25 0:19 ` Philippe Mathieu-Daudé
2025-09-25 9:04 ` Peter Maydell
2025-09-25 0:14 ` Philippe Mathieu-Daudé
2025-10-13 12:09 ` Bernhard Beschow
2025-10-13 11:17 ` Bernhard Beschow
2025-09-09 5:19 ` Bernhard Beschow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250908104125-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=Alistair.Francis@wdc.com \
--cc=borntraeger@linux.ibm.com \
--cc=chenhuacai@kernel.org \
--cc=gaosong@loongson.cn \
--cc=jiaxun.yang@flygoat.com \
--cc=maobibo@loongson.cn \
--cc=marcel.apfelbaum@gmail.com \
--cc=palmer@dabbelt.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-riscv@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=shentey@gmail.com \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.