[Qemu-devel] [PATCH 0/2] qemu block changes: keep backing file format v2

[Uri Lublin <uril@redhat.com>]

The purpose of this patches is to keep the backing file format together
with its name, to
1. Provide a way to know the backing file format without probing
   it (setting the format at creation time).
2. Enable using qcow2 format (and others) over host block devices.
   (only if the user specifically asks for it, by providing the format).

I call "hidden image format" to the following format of a backing file name:
"name\0format". Although it can be considered a hack, that's an easy
way to support old images with new qemu as well as old qemu with new images
(in which case probing would be done), without changing the qcow2 header.

If a hidden format exists, use it for the backing file.
If no hidden format (or an unknown one) exists we go back to probing.

Based on a previous patch from Shahar Frank.
http://lists.gnu.org/archive/html/qemu-devel/2008-12/msg01083.html

The "name\0format" was suggested by Kevin Wolf on the above thread.

Also fixes a security flaw found by Daniel P. Berrange on that
same thread which summarizes: "Autoprobing: just say no."

The first patch introduces the hidden image format.
The second patch enable the user to specify the image format
for the backing file upon image creation.

Changes from v1: use "name\0format" instead of "fmt:FMT:name"

Examples:
### Let /dev/loop0 and /dev/loop1 be qemu-images of format qcow2 and raw.

### 1. Specify qcow2 backing file. demonstrates qcow2 over host block device
# ./qemu-img create -F qcow2 -b /dev/loop0 -f qcow2 /tmp/u0.qcow2
Formatting '/tmp/u0.qcow2', fmt=qcow2, backing_file=/dev/loop0, backing_fmt=qcow2, size=20971520 kB

# ./x86_64-softmmu/qemu-system-x86_64 -L pc-bios/ -drive file=/tmp/u0.qcow2,format=qcow2
Works with no probing.

### 2. Specify raw backing file.
# ./qemu-img create -F raw -b /dev/loop1 -f qcow2 /tmp/u1.qcow2
Formatting '/tmp/u1.qcow2', fmt=qcow2, backing_file=/dev/loop1, backing_fmt=raw, size=307200 kB

### 3. Do not specify backing file format (qcow2).
###    Probing of /dev/loop0 "finds" a "host_device" format (instead of qcow2)
###    and results with the guest fails to boot.
###    Note: wrong size upon create.
# ./qemu-img create -b /dev/loop0 -f qcow2 /tmp/p0.qcow2
Formatting '/tmp/p0.qcow2', fmt=qcow2, backing_file=/dev/loop0, size=4245292 kB

# ./x86_64-softmmu/qemu-system-x86_64 -L pc-bios/ -drive file=/tmp/p0.qcow2,format=qcow2
Probing /dev/loop0 and guest fails to boot.

### 4. Do not specify backing file format (raw).
###   Probing of /dev/loop1 "finds" a "host_device" format
###   and results with the guest successfully boot.
###   If however a VM with /dev/loop1 is was previously started and the guest
###   modified the beginning of the file (writing a fake qcow2 header)
###   there is a security problem as the guest user can now access almost 
###   any file on the host (e.g. /etc/passwd).
# ./qemu-img create -b /dev/loop1 -f qcow2 /tmp/p1.qcow2
Formatting '/tmp/p1.qcow2', fmt=qcow2, backing_file=/dev/loop1, size=307200 kB

# ./x86_64-softmmu/qemu-system-x86_64 -L pc-bios/ -drive file=/tmp/p1.qcow2,format=qcow2
Works with probing.