From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>,
"Hari Mishal" <harimishal1@gmail.com>,
"Jason Wang" <jasowangio@gmail.com>,
"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
"Eugenio Pérez" <eperezma@redhat.com>,
virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
elena.reshetova@intel.com, carlos.bilbao.osdev@gmail.com
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Fri, 17 Jul 2026 14:07:50 +0200 [thread overview]
Message-ID: <2026071759-thermal-synopsis-7568@gregkh> (raw)
In-Reply-To: <20260717065219-mutt-send-email-mst@kernel.org>
On Fri, Jul 17, 2026 at 06:52:46AM -0400, Michael S. Tsirkin wrote:
> On Fri, Jul 17, 2026 at 12:46:52PM +0200, Greg Kroah-Hartman wrote:
> > On Fri, Jul 17, 2026 at 06:23:57AM -0400, Michael S. Tsirkin wrote:
> > > On Fri, Jul 17, 2026 at 12:15:09PM +0200, Greg Kroah-Hartman wrote:
> > > > On Fri, Jul 17, 2026 at 06:10:41AM -0400, Michael S. Tsirkin wrote:
> > > > > On Fri, Jul 17, 2026 at 11:14:23AM +0200, Greg Kroah-Hartman wrote:
> > > > > > On Fri, Jul 17, 2026 at 04:59:32AM -0400, Michael S. Tsirkin wrote:
> > > > > > > On Fri, Jul 17, 2026 at 10:39:40AM +0200, David Hildenbrand (Arm) wrote:
> > > > > > > > On 7/17/26 07:48, Michael S. Tsirkin wrote:
> > > > > > > > > On Thu, Jul 16, 2026 at 05:59:05PM +0200, David Hildenbrand (Arm) wrote:
> > > > > > > > >>> Or do we just always trust virtio mem devices explicitly?
> > > > > > > > >>
> > > > > > > > >> It's hard for me to understand where we draw the line, really.
> > > > > > > > >>
> > > > > > > > >> But maybe MST can clarify what we care about in virtio world where the
> > > > > > > > >> hypervisor is fully in charge of the device,
> > > > > > > > >
> > > > > > > > > Generally:
> > > > > > > > > - The guest is expected to whitelist drivers (most drivers have not
> > > > > > > > > been audited).
> > > > > > > >
> > > > > > > > But even if you audited your driver, who makes sure that we consider all ways
> > > > > > > > where the device could mess with us?
> > > > > > >
> > > > > > > A lot of this is up to a correct setup. For example, make sure all
> > > > > > > filesystems are encrypted and refuse to mount unencrypted ones.
> > > > > > >
> > > > > > > > Something feels off here.
> > > > > > > >
> > > > > > > > Handling selected out-of-spec scenarios like this feels like a band-aid. Happy
> > > > > > > > to be corrected.
> > > > > > >
> > > > > > > Well Documentation/security/snp-tdx-threat-model.rst puts it like this:
> > > > > > > It is important to note
> > > > > > > that this doesn’t imply that the host or VMM are intentionally
> > > > > > > malicious, but that there exists a security value in having a small CoCo
> > > > > > > VM TCB.
> > > > > > >
> > > > > > > and
> > > > > > >
> > > > > > > While traditionally the host has unlimited access to guest data and can
> > > > > > > leverage this access to attack the guest, the CoCo systems mitigate such
> > > > > > > attacks by adding security features like guest data confidentiality and
> > > > > > > integrity protection.
> > > > > > >
> > > > > > >
> > > > > > > now, when we are talking about "mitigation" it is indeed becoming a bit
> > > > > > > murky.
> > > > > > >
> > > > > > >
> > > > > > > For me, a rule of thumb I came up with is that if the validation happens
> > > > > > > to also be helful for users e.g. to work around buggy devices,
> > > > > > > or maybe because we feel failing gracefully is nice because this
> > > > > > > will allow to later make use of this config and old drivers will
> > > > > > > fail but at least not panic, then it is good to include.
> > > > > >
> > > > > > Why not do what USB does? Don't trust the device until AFTER probe()
> > > > > > succeeds? All of the needed checking should happen before then, as that
> > > > > > is a "slow path" so lots of validation and the like can happen at that
> > > > > > point.
> > > > > >
> > > > > > After that, during the normal data paths, after the driver is bound,
> > > > > > trust it all you want as attempting to validate every single packet is
> > > > > > just going to be impossible.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > >
> > > > > People do expect that data path validation at this point.
> > > >
> > > > Ok, so you want this patch :)
> > > >
> > > > And more, as you need to treat everything from the host as "untrusted",
> > > > and it must be "verified".
> > >
> > > Well. First it's not me) Second it's only specific configurations -
> > > for example there's no short term plan to validate filesystem code, people
> > > are expected to rely on encryption. The reasons have more to do
> > > with the available manpower than anything else.
> >
> > Sure, but again, for subsystems, you have to define your threat model as
> > the LLMs are churning against the code base and coming up with lots of
> > crazy ideas if a device should or should not be trusted and spitting out
> > patches and reports like the ones that are in the first few patches of
> > this series.
> >
> > So please, pick a model, let's document it, and go with that. I am
> > getting directly conflicting responses here.
> >
> > thanks,
> >
> > greg k-h
>
> Supposed to be this one:
> Documentation/security/snp-tdx-threat-model.rst
>
> what is missing?
A policy decision that needs to be made. All that document does is
describe a bunch of different "threats" yet does not decide what to do
about them at all from what I can tell.
And that's just for one subset of the CoC world, right? Is that
something that all virtio drivers need/want to care about?
So I don't see a real answer to the "does Linux trust the host to give
you good data or not" question in that file, am I missing it?
thanks,
greg k-h
next prev parent reply other threads:[~2026-07-17 12:07 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 14:43 ` sashiko-bot
2026-07-15 15:57 ` Michael S. Tsirkin
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-16 8:55 ` David Hildenbrand (Arm)
2026-07-16 14:18 ` Greg Kroah-Hartman
2026-07-16 15:59 ` David Hildenbrand (Arm)
2026-07-17 5:03 ` Greg Kroah-Hartman
2026-07-17 5:48 ` Michael S. Tsirkin
2026-07-17 8:39 ` David Hildenbrand (Arm)
2026-07-17 8:59 ` Michael S. Tsirkin
2026-07-17 9:14 ` Greg Kroah-Hartman
2026-07-17 10:10 ` Michael S. Tsirkin
2026-07-17 10:15 ` Greg Kroah-Hartman
2026-07-17 10:21 ` David Hildenbrand (Arm)
2026-07-17 10:28 ` Michael S. Tsirkin
2026-07-17 10:44 ` Greg Kroah-Hartman
2026-07-17 11:00 ` David Hildenbrand (Arm)
2026-07-17 10:23 ` Michael S. Tsirkin
2026-07-17 10:46 ` Greg Kroah-Hartman
2026-07-17 10:52 ` Michael S. Tsirkin
2026-07-17 12:07 ` Greg Kroah-Hartman [this message]
2026-07-17 13:08 ` Michael S. Tsirkin
2026-07-17 14:31 ` Greg Kroah-Hartman
2026-07-17 15:27 ` Michael Kelley
2026-07-17 16:28 ` Michael S. Tsirkin
2026-07-17 16:30 ` Michael S. Tsirkin
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 14:35 ` sashiko-bot
2026-07-15 15:50 ` Michael S. Tsirkin
2026-07-15 16:07 ` Hari Mishal
2026-07-15 16:11 ` Michael S. Tsirkin
2026-07-15 18:25 ` Dmitry Torokhov
[not found] ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
[not found] ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33 ` Dmitry Torokhov
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:37 ` sashiko-bot
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:38 ` sashiko-bot
2026-07-15 14:42 ` [PATCH v2 " Hari Mishal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026071759-thermal-synopsis-7568@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=carlos.bilbao.osdev@gmail.com \
--cc=david@kernel.org \
--cc=elena.reshetova@intel.com \
--cc=eperezma@redhat.com \
--cc=harimishal1@gmail.com \
--cc=jasowangio@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.