From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: qemu-devel@nongnu.org, Thomas Huth <thuth@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Markus Armbruster <armbru@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [PATCH v2 17/32] accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure
Date: Tue, 10 Mar 2026 13:28:09 +0000 [thread overview]
Message-ID: <abAcaahy_FsBonZ7@redhat.com> (raw)
In-Reply-To: <daec1668-d4a2-4aca-829d-250779b6efe1@linaro.org>
On Tue, Mar 10, 2026 at 02:09:45PM +0100, Philippe Mathieu-Daudé wrote:
> On 26/9/25 16:01, Daniel P. Berrangé wrote:
> > TCG is too complex to be considered to provide a security boundary
> > for malicious guest workloads. QTest is only used for functional
> > testing and thus is not relevant to mark secure.
> >
> > KVM, HVF and Xen, meanwhile are all servicing virtualization use
> > cases which must provide security.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > accel/accel-common.c | 1 +
> > accel/accel-system.c | 1 +
> > accel/accel-target.c | 1 +
> > accel/hvf/hvf-accel-ops.c | 1 +
> > accel/hvf/hvf-all.c | 1 +
> > accel/kvm/kvm-accel-ops.c | 1 +
> > accel/kvm/kvm-all.c | 1 +
> > accel/qtest/qtest.c | 2 ++
> > accel/tcg/tcg-accel-ops.c | 1 +
> > accel/tcg/tcg-all.c | 1 +
> > accel/xen/xen-all.c | 2 ++
> > 11 files changed, 13 insertions(+)
>
>
> > diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
> > index 8b794c2d41..e807103379 100644
> > --- a/accel/hvf/hvf-accel-ops.c
> > +++ b/accel/hvf/hvf-accel-ops.c
> > @@ -397,6 +397,7 @@ static const TypeInfo hvf_accel_ops_type = {
> > .parent = TYPE_ACCEL_OPS,
> > .class_init = hvf_accel_ops_class_init,
> > .abstract = true,
> > + .secure = true,
>
> IMHO an accelerator must be at least "supported" (in the MAINTAINERS
> definition, "Someone is actually paid to look after this") to declare
> it secure.
Sounds reasonable to me.
> So far HVF is not, and the current developers interacting with it
> don't seem to have time to cary such burden / responsibility.
Ok.
> > };
> > static void hvf_accel_ops_register_types(void)
> > diff --git a/accel/hvf/hvf-all.c b/accel/hvf/hvf-all.c
> > index 0a4b498e83..1d49a59053 100644
> > --- a/accel/hvf/hvf-all.c
> > +++ b/accel/hvf/hvf-all.c
> > @@ -304,6 +304,7 @@ static const TypeInfo hvf_accel_type = {
> > .parent = TYPE_ACCEL,
> > .instance_size = sizeof(HVFState),
> > .class_init = hvf_accel_class_init,
> > + .secure = true,
> > };
>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
next prev parent reply other threads:[~2026-03-10 13:28 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 01/32] qom: replace 'abstract' with 'flags' Daniel P. Berrangé
2025-10-23 10:26 ` Markus Armbruster
2025-10-24 13:39 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 02/32] qom: add tracking of security state of object types Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument Daniel P. Berrangé
2025-10-23 10:38 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 04/32] system: check security for accelerator types Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 05/32] system: report acclerator security status in help output Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 06/32] system: check security for machine types Daniel P. Berrangé
2025-10-23 11:51 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 07/32] system: report machine security status in help output Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 08/32] system: check security of device types Daniel P. Berrangé
2025-10-23 11:54 ` Markus Armbruster
2025-10-24 13:28 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 09/32] system: report device security status in help output Daniel P. Berrangé
2025-10-23 11:57 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 10/32] hw/core: report security status in query-machines Daniel P. Berrangé
2025-10-23 12:17 ` Markus Armbruster
2025-10-24 13:32 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 11/32] qom: report & filter on security status in qom-list-types Daniel P. Berrangé
2025-10-23 10:58 ` Markus Armbruster
2025-10-24 13:38 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 12/32] docs: expand security docs with info about security status Daniel P. Berrangé
2025-10-23 12:22 ` Markus Armbruster
2025-10-24 13:42 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 13/32] machine: add helpers for declaring secure/insecure machine types Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 14/32] hw: mark x86, s390, ppc, arm versioned machine types as secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 15/32] hw: declare Xen & microvm machines as secure, isapc as insecure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 16/32] hw/core: declare 'none' machine to be insecure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 17/32] accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure Daniel P. Berrangé
2026-03-10 13:09 ` Philippe Mathieu-Daudé
2026-03-10 13:28 ` Daniel P. Berrangé [this message]
2025-09-26 14:01 ` [PATCH v2 18/32] hw: mark all virtio PCI devices as secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 19/32] hw: mark all virtio CCW " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 20/32] hw: mark all vhost devices a secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 21/32] hw: mark all remaining virtio object types as secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 22/32] hw/vfio: mark all VFIO object classes " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 23/32] hw/xen: mark all Xen related object types as being secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 24/32] hw/net: mark most non-virtio NICs as insecure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 25/32] hw/usb: mark most USB devices/hosts as secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 26/32] hw/watchdog: mark some watchdog devices " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 27/32] hw/scsi: mark most SCSI controllers as insecure / " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 28/32] hw/ide: mark ICH9 and ide-hd/ide-cd " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 29/32] hw: mark test/demo devices as insecure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 30/32] hw: define most common PCI types as secure Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 31/32] hw/pci-host: define some PCI hosts " Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 32/32] hw/display: mark most display adapters as insecure Daniel P. Berrangé
2025-10-23 7:23 ` [PATCH v2 00/32] Encode object type security status in code Markus Armbruster
2025-10-23 9:00 ` Daniel P. Berrangé
2025-10-23 12:38 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abAcaahy_FsBonZ7@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.