From: "Daniel P. Berrange" <berrange@redhat.com>
To: Sander Eikelenboom <linux@eikelenboom.it>
Cc: Kevin Wolf <kwolf@redhat.com>,
xen-devel@lists.xensource.com, mst@redhat.com,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
John Snow <jsnow@redhat.com>,
rth@twiddle.net
Subject: Re: [Qemu-devel] [Xen-devel] [PATCH] Do not emulate a floppy drive when -nodefaults
Date: Thu, 14 May 2015 14:41:05 +0100 [thread overview]
Message-ID: <20150514134105.GJ3441@redhat.com> (raw)
In-Reply-To: <908546719.20150514152539@eikelenboom.it>
On Thu, May 14, 2015 at 03:25:39PM +0200, Sander Eikelenboom wrote:
>
> Thursday, May 14, 2015, 2:53:17 PM, you wrote:
>
>
>
> > On 14/05/2015 14:45, Markus Armbruster wrote:
> >> Paolo Bonzini <pbonzini@redhat.com> writes:
> >>
> >>> On 14/05/2015 14:02, Markus Armbruster wrote:
> >>>> It should certainly be off for pc-q35-2.4 and newer. Real Q35 boards
> >>>> commonly don't have an FDC (depends on the Super I/O chip used).
> >>>>
> >>>> We may want to keep it off for pc-i440fx-2.4 and newer. I doubt
> >>>> there's a real i440FX without an FDC, but our virtual i440FX is quite
> >>>> unlike a real one in other ways already.
> >>>
> >>> That would break libvirt for people upgrading from 2.3 to 2.4. So it's
> >>> more like pc-i440fx-3.0 and pc-q35-3.0.
> >>
> >> What exactly breaks when?
>
> > libvirt expects "-nodefaults -drive if=none,id=fdd0,... -global
> > isa-fdc.driveA=fdd0" to result in a machine with a working FDD. It
> > doesn't know that it has to add "-machine fdc=on".
>
> > Besides, adding a new machine option is not the best we can do. If the
> > default is "no FDC", all that is needed to add one back is -device. An
> > FDC is yet another ISA device, it is possible to create one with -device.
>
> >> add the magic to make -global isa-fdc... auto-set the option to on.
>
> > That would be ugly magic.
>
> > The more I think about this, the more I think this is just a kneejerk
> > reaction to a sensationalist announcement. The effect of this
> > vulnerability on properly configured data centers (running
> > non-prehistoric versions of Xen or KVM and using
> > stubdom/SELinux/AppArmor properly) should be really close to zero.
>
> > It's a storm in a tea cup.
>
> > Paolo
>
> I tend to kindly disagree if you look at the broader perspective, yes it's could
> be a storm in a tea cup, but there seems to be a pattern.
>
> From a "cmdline user" / "platform emulation" point of view i can imagine that some sort of
> auto configuration / bundling in platforms is necessary (to limit the length of
> the cmdline to be supplied).
>
> But from a library / toolstack point of view it's quite nasty if *all* more or
> less obscure options have to actively disabled. It's quite undoable, not to mention what
> happens when new ones get added.
>
> From this PoV it would be better to have to actively enable all the stuff you want.
>
> At least Xen seemed to have taken the "no-defaults" as the best option to get
> there so far, but that doesn't seem to
>
> It's not the first CVE that has come from this "you have to actively disable all
> you don't want to happen" and probably won't be the last.
>
> So a "-no-defaults-now-for-real" option/mode for libraries / toolstacks, that
> requires them to be very verbose, explicit and specific in what they actually
> want, could be valuable.
That doesn't really scale to be honest - a -no-defaults-now-for-real
basically means deleting the entire concept of machine types, and
requiring every single aspect of the base chipset to be explicitly
configured. That's certainly possible but its a massive code job for
QEMU and the management apps using QEMU. In fact the amount of code
we'll have to write to achieve that in both QEMU and libvirt would
probably introduce more bugs, so its questionable whether it would
even be a net win in terms of reducing CVEs.
Even if you disable some more default devices, the amount of code
that'll be taken out of the attack surface is going to be tiny
compared to the amount of code that will always remain due to the
feature needs of the OS.
So even with more default devices disabled, we have to assume that
we will continue to see CVEs in stuff that remains and so must ensure
we can mitigate the risks such that they have negligble impact on
people who have deployed QEMU. ie the goal should be that a guest
attack on QEMU ends up being nothing worse than a denial of service
on attacker themselves.
This is why using technologies such as SELinux, AppArmour, StubDomains
and seccomp are so important when running QEMU. There is scope for
applying more such as kernel namespaces to further isolate QEMU
processes from each other.
With these defences in place these kind of bugs really do become a
storm in a teacup as Paolo suggests. That's not to say they are not
important to fix, but we need to have some perspective about where
efforts should be best focused to reduce our security risk.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2015-05-14 13:41 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 17:29 [Qemu-devel] [PATCH] Do not emulate a floppy drive when -nodefaults Stefano Stabellini
2015-05-13 17:42 ` Daniel P. Berrange
2015-05-13 18:15 ` Stefano Stabellini
2015-05-13 21:46 ` John Snow
2015-05-14 11:12 ` Stefano Stabellini
2015-05-14 11:18 ` Daniel P. Berrange
2015-05-14 11:46 ` Michael S. Tsirkin
2015-05-14 12:02 ` Markus Armbruster
2015-05-14 12:11 ` Paolo Bonzini
2015-05-14 12:45 ` Markus Armbruster
2015-05-14 12:48 ` Daniel P. Berrange
2015-05-14 12:53 ` Paolo Bonzini
2015-05-14 13:25 ` [Qemu-devel] [Xen-devel] " Sander Eikelenboom
2015-05-14 13:41 ` Daniel P. Berrange [this message]
2015-05-14 13:55 ` Paolo Bonzini
2015-05-14 14:39 ` Stefano Stabellini
2015-05-14 14:44 ` Paolo Bonzini
2015-05-14 14:52 ` Stefano Stabellini
2015-05-14 13:57 ` Michael S. Tsirkin
2015-05-14 14:07 ` [Qemu-devel] " Michael S. Tsirkin
2015-05-14 17:54 ` John Snow
2015-05-15 7:50 ` Markus Armbruster
2015-05-15 8:19 ` Paolo Bonzini
2015-05-15 10:20 ` Stefano Stabellini
2015-05-18 9:19 ` Kevin Wolf
2015-05-14 11:47 ` Michael S. Tsirkin
2015-05-14 11:54 ` Paolo Bonzini
2015-05-14 11:56 ` Michael S. Tsirkin
2015-05-14 12:47 ` Markus Armbruster
2015-05-14 4:38 ` Stefan Weil
2015-05-14 5:45 ` Michael S. Tsirkin
2015-05-13 21:44 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150514134105.GJ3441@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=linux@eikelenboom.it \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).