All of lore.kernel.org
 help / color / mirror / Atom feed
From: Fabiano Rosas <farosas@suse.de>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Marc-André Lureau" <marcandre.lureau@redhat.com>,
	qemu-devel@nongnu.org, "Thomas Huth" <thuth@redhat.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Cédric Le Goater" <clg@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Mauro Matteo Cascella" <mcascell@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>,
	"Peter Xu" <peterx@redhat.com>
Subject: Re: [PATCH] docs: outline some guidelines for security classification
Date: Thu, 16 Jul 2026 15:34:20 -0300	[thread overview]
Message-ID: <87ech24wcz.fsf@suse.de> (raw)
In-Reply-To: <alj4V6I__bCOjRTt@redhat.com>

Daniel P. Berrangé <berrange@redhat.com> writes:

> On Thu, Jul 16, 2026 at 11:08:49AM -0300, Fabiano Rosas wrote:
>
>> Assumptions:
>> 
>> A) The migration stream is assumed to be secured by TLS on a per-host
>> basis.
>> 
>> B) For migration streams stored to file, including snapshots, it is
>> assumed that the storage file is authentic, i.e. the files are owned by
>> the party performing the live migration and have not been tampered with.
>
> Can you clarify "the party performing the live migration" ?
>
> Is that referring to the "guest owner" who initiates the migration,
> or is that referring to the mgmt app control plane.
>

I was thinking that the entity issuing qmp_migrate/loadvm should
guarantee the integrity of the file up to that moment and while QEMU is
reading it.

I would say when there's a management application, that is the entity
we're talking about, but could very well be an end-user issuing commands
to QEMU directly.

> The risk I've always been concerned about is the guest owner
> tampering with state files, though I'm increasing coming to
> the view point that state files must *never* be allowed to be
> modified by the guest owner. Mgmt apps must either prevent
> that through storage permissions, or detect that by digitally
> signing state files that are theoretically writable by guest
> owners & validate sig before restore.
>

I think it makes sense for the management app to impose such a
constraint. I'm not so sure about QEMU expecting that it does,
though. Some apps might have a different opinion and the users are
probably not going to like losing access.

Doesn't the guest owner already have control over what goes in the
migration stream in the first place?

>
>> C) The network ports used for migration are expected to be available
>> only during migration. No long-standing listening destination QEMU
>> process.
>
> I wonder, does that make a difference to our risk ?
>
> If we're concerned about an undesirable app/client conjnectnig to a
> open network port, QEMU has that threat no matter how short the time
> windows is that the ports are accepting incoming clients.  So I'm
> not sure this point helps us.
>

I'm more worried about an unexpected migration. An incoming vm will just
take whatever is given to it. If there is a (legitimate) migration
happening in a short window of time, attempts to hijack that destination
machine would cause a migration failure and be detectable.

Now I'm also thinking of an eavesdropper tagging along in some multifd
channel, if that's even possible.

>> D) The network used for migration is expected to be adequately isolated.
>
> Is that intended to be in additional to (A) or instead of (A) ?
>
> If in addition to (A) then I'm wondering what benefits listing
> this point brings - what risks are eliminated that TLS does not
> already eliminate ?
>

In addition. Then maybe you're right that there's no additional benefit,
I can't think of a scenario. However it's common practice for admins to
not use TLS and rely on network isolation. I don't want to make it seem
that TLS is mandatory. As Peter pointed out, it's not a default
configuration.

>> E) The migration source QEMU process is assumed to be secure. Compromise
>> of the source QEMU process is nonetheless possible but exploiting the
>> migration process is expected to grant no further privileges.
>
> This is the tricky assumption.
>
> Cnsider source host as 2 QEMU processes, one of tenant A and
> one for tenant B.
>
> If tenant A compromises their QEMU, and can wait until a live
> migration for tenant B is initiating, potentially tenant A can
> connect to a dest QEMU for tenant B. I would consider that to
> be gaining privileges.
>

I thought of that, but I can't understand how "dest QEMU for tenant B"
isn't just "dest QEMU for tenant A that has now took over". If none of
the stream from source B is reaching dest B, then that's harmless.

Unless some scenario like what I mentioned above with multifd is in
play.

Now, can tenant A bug their QEMU to the point that it receives a
migration from tenant B? Then that falls into IN SCOPE point 2 below.

Maybe we need to have a parentheses for the multi-tenant scenario.

I think we need some guideline to help triaging the infinite
hypotheticals of "what if source QEMU magically puts X one the stream?".

> With TLS we lack fine grained authentication in common setups
> today that rely on x509 certs configured per-host, not per-QEMU.
>
> In current libvirt we're introducing oout of the box support for
> TLS PSK, which means live migration sessions will be tied to
> individual matched (src,dst) QEMU pairs, so even if tenant A is
> compromised they would be able to do a TLS handshake for tenant
> B's dst QEMU.
>

ITYM "wouldn't be able".

> I'd like app mgmt apps to switch to PSK instad of x509 for
> live migration, but that'll take along time.
>

Is TLS PSK a reasonable setup to expect and to include in this policy?

> None the less if we can assume the source QEMU is trusted,
> then that eliminates a huge class of security vulnerabilities,
> turning them all into hardening bugs, so I understand this is
> very appealing to declare.
>

It is, I'm keen to do it. I expect a compromised QEMU to be either a
very rare situation or to fall into the "you have bigger problems"
area. But if we decide it's an important vector of attack, so be it.

>> For security consideration, the following are considered:
>> 
>> OUT OF SCOPE:
>> 
>> 1) Abort of destination QEMU process while migration is still in course.
>> Rationale: the source virtual machine is not affected.
>
> Ack.
>
>> 
>> 2) Migration failure.
>> Rationale: eventual failed migrations are part of normal operation.
>
> Ack.
>  
>> 3) Memory over-allocation issues in the destination QEMU process.
>> Rationale: the destination host's operating system is expected to
>> constrain resource usage. Process termination due to OOM falls under
>> point 1 above.
>
> Ack, that falls under our general exlclusion already too, though
> we might finesse the language a bit more.
>
>> IN SCOPE:
>> 
>> 1) Privilege escalation from the guest operating system into the
>> destination QEMU process or host.
>> 
>> 2) Tampering or exfiltration of migration stream data by a third party
>> at a lower privilege level than either QEMU processes involved in the
>> migration.
>> 
>> 3) Termination of the source QEMU process by source virtual machine
>> guest userspace, including by forcing host OS resource constraints to
>> be reached.
>> 
>> 4) Other tampering or exfiltration of data from the source QEMU process
>> if reached from migration code or migration stream manipulation.
>> 
>> 5) Causing source QEMU process to enter a state from which migration is
>> not possible permanently.
>> 
>> The overall effect of this policy is that only legitimately produced
>> migration data is considered for security implications, whether that
>> data is malicious or buggy.
>
> WIth this it seems like the only 2 scenarios where a migration security
> flaw can be issued are:
>
>  * Something goes wrong before/during the TLS handshake
>  * A bug in source QEMU, somehow allows a guest OS user
>    to set magic device data that turns into an exploitable
>    VM state record.
>

We don't need a bug in source QEMU, the magic data could be within
accepted parameters.

> Again, certainly appealing, but for the edge case that even with TLS,
> we don't have fine grained access control, so we know the source is
> a valid QEMU, but we don't know if it is the QEMU we expected.
>
> With regards,
> Daniel


  reply	other threads:[~2026-07-16 18:35 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07 10:59 [PATCH] docs: outline some guidelines for security classification Daniel P. Berrangé
2026-07-07 12:16 ` Thomas Huth
2026-07-07 12:20 ` Cédric Le Goater
2026-07-07 12:35 ` John Levon
2026-07-07 17:11   ` Daniel P. Berrangé
2026-07-07 12:43 ` Marc-André Lureau
2026-07-07 13:43   ` Michael S. Tsirkin
2026-07-07 16:35   ` Daniel P. Berrangé
2026-07-16 14:08     ` Fabiano Rosas
2026-07-16 15:27       ` Daniel P. Berrangé
2026-07-16 18:34         ` Fabiano Rosas [this message]
2026-07-16 15:40       ` Peter Xu
2026-07-16 18:51         ` Fabiano Rosas
2026-07-16 19:56           ` Peter Xu
2026-07-07 16:28 ` Mauro Matteo Cascella
2026-07-07 16:29   ` Daniel P. Berrangé
2026-07-16 20:47 ` Michael S. Tsirkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ech24wcz.fsf@suse.de \
    --to=farosas@suse.de \
    --cc=alex.bennee@linaro.org \
    --cc=berrange@redhat.com \
    --cc=clg@redhat.com \
    --cc=marcandre.lureau@redhat.com \
    --cc=mcascell@redhat.com \
    --cc=mst@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=peterx@redhat.com \
    --cc=philmd@linaro.org \
    --cc=pierrick.bouvier@oss.qualcomm.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.