From: Bernhard Beschow <shentey@gmail.com>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Cc: "Stefan Hajnoczi" <stefanha@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jiaxun Yang" <jiaxun.yang@flygoat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Alistair Francis" <Alistair.Francis@wdc.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
qemu-riscv@nongnu.org, qemu-ppc@nongnu.org,
"Huacai Chen" <chenhuacai@kernel.org>,
qemu-s390x@nongnu.org, "Halil Pasic" <pasic@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Song Gao" <gaosong@loongson.cn>,
"Bibo Mao" <maobibo@loongson.cn>
Subject: Re: [PATCH v2] docs/system/security: Restrict "virtualization use case" to specific machines
Date: Tue, 28 Oct 2025 08:48:42 +0000
Message-ID: <000E4FA1-EE4A-476B-8CAE-680FC068BCAA@gmail.com>
In-Reply-To: <CAFEAcA8RaZOXpav64E5-0CDhB66zQXRuLaFuz22GiyPGwGVQJw@mail.gmail.com>
On 27 October 2025 12:48:29 UTC, Peter Maydell <peter.maydell@linaro.org> wrote:
>On Thu, 16 Oct 2025 at 14:12, Peter Maydell <peter.maydell@linaro.org> wrote:
>>
>> Currently our security policy defines a "virtualization use case"
>> where we consider bugs to be security issues, and a
>> "non-virtualization use case" where we do not make any security
>> guarantees and don't consider bugs to be security issues.
>>
>> The rationale for this split is that much code in QEMU is older and
>> was not written with malicious guests in mind, and we don't have the
>> resources to audit, fix and defend it. So instead we inform users
>> about what they can in practice rely on as a security barrier, and
>> what they can't.
>>
>> We don't currently restrict the "virtualization use case" to any
>> particular set of machine types. This means that we have effectively
>> barred ourselves from adding KVM support to any machine type that we
>> don't want to put into the "bugs are security issues" category, even
>> if it would be useful for users to be able to get better performance
>> with a trusted guest by enabling KVM. This seems an unnecessary
>> restriction, and in practice the set of machine types it makes
>> sense to use for untrusted-guest virtualization is quite small.
>>
>> Specifically, we would like to be able to enable the use of
>> KVM with the imx8 development board machine types, but we don't
>> want to commit ourselves to having to support those SoC models
>> and device models as part of QEMU's security boundary:
>> https://lore.kernel.org/qemu-devel/20250629204851.1778-3-shentey@gmail.com/
>>
>> This patch updates the security policy to explicitly list the
>> machine types we consider to be useful for the "virtualization
>> use case".
>>
>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>> ---
>> changes v1->v2: updated the list:
>> * remove isapc
>> * remove ppc, mips, mips64 (no machines supported)
>> * list pseries as only supported ppc64 machine
>> * list virt as only supported riscv32, riscv64 machine
>>
>> I believe the list to now be correct, and I think we generally
>> had some consensus about the idea on the v1 patch discussion, so
>> this one is a non-RFC patch.
>
>This has now had various reviews and acks, and no
>suggestions for further revision. I propose to take
>this via target-arm.next, unless anybody has any
>objections.
Sounds good, I'm looking forward to it.
Maybe we could then also merge https://lore.kernel.org/qemu-devel/20250629204851.1778-3-shentey@gmail.com/ which had some technical comments and no follow-up.
Best regards,
Bernhard
>
>thanks
>-- PMM