From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
"Stefan Berger" <stefanb@linux.vnet.ibm.com>,
"Stefan Berger" <stefanb@us.ibm.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"SERBAN, CRISTINA" <cs1731@att.com>,
"Marc-André Lureau" <marcandre.lureau@gmail.com>,
"Xu, Quan" <quan.xu@intel.com>,
"silviu.vlasceanu@gmail.com" <silviu.vlasceanu@gmail.com>,
"hagen.lauer@huawei.com" <hagen.lauer@huawei.com>,
"SHIH, CHING C" <cs1815@att.com>
Subject: Re: [Qemu-devel] [PATCH v5 1/4] Provide support for the CUSE TPM
Date: Wed, 1 Mar 2017 20:30:19 +0200 [thread overview]
Message-ID: <20170301202044-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20170301181801.GI2429@work-vm>
On Wed, Mar 01, 2017 at 06:18:01PM +0000, Dr. David Alan Gilbert wrote:
> * Michael S. Tsirkin (mst@redhat.com) wrote:
> > On Wed, Mar 01, 2017 at 06:06:02PM +0000, Dr. David Alan Gilbert wrote:
> > > * Michael S. Tsirkin (mst@redhat.com) wrote:
> > > > On Wed, Mar 01, 2017 at 05:38:23PM +0000, Daniel P. Berrange wrote:
> > > > > On Wed, Mar 01, 2017 at 12:25:46PM -0500, Stefan Berger wrote:
> > > > > > On 03/01/2017 12:16 PM, Michael S. Tsirkin wrote:
> > > > > > > On Wed, Mar 01, 2017 at 12:12:34PM -0500, Stefan Berger wrote:
> > > > > > > > On 03/01/2017 12:02 PM, Michael S. Tsirkin wrote:
> > > > > > > > > On Wed, Mar 01, 2017 at 04:31:04PM +0000, Daniel P. Berrange wrote:
> > > > > > > > > > On Wed, Mar 01, 2017 at 06:22:45PM +0200, Michael S. Tsirkin wrote:
> > > > > > > > > > > On Wed, Mar 01, 2017 at 09:50:38AM -0500, Stefan Berger wrote:
> > > > > > > > > > > > I had already proposed a linked-in version before I went to the out-of-process
> > > > > > > > > > > > design. Anthony's concerns back then were related to the code not being trusted
> > > > > > > > > > > > and a segfault in the code could bring down all of QEMU. That we have test
> > > > > > > > > > > > suites running over it didn't work as an argument. Some of the test suite are
> > > > > > > > > > > > private, though.
> > > > > > > > > > > Given how bad the alternative is maybe we should go back to that one.
> > > > > > > > > > > Same argument can be made for any device and we aren't making
> > > > > > > > > > > them out of process right now.
> > > > > > > > > > >
> > > > > > > > > > > IIMO it's less the in-process question (modularization
> > > > > > > > > > > of QEMU has been on the agenda since years and I don't
> > > > > > > > > > > think anyone is against it) it's more a code control/community question.
> > > > > > > > > > I rather disagree. Modularization of QEMU has seen few results
> > > > > > > > > > because it is generally a hard problem to solve when you have a
> > > > > > > > > > complex pre-existing codebase. I don't think code control has
> > > > > > > > > > been a factor in this - as long as QEMU can clearly define its
> > > > > > > > > > ABI/API between core & the modular pieces, it doesn't matter
> > > > > > > > > > who owns the module. We've seen this with vhost-user which is
> > > > > > > > > > essentially outsourcing network device backend impls to a 3rd
> > > > > > > > > > party project.
> > > > > > > > > And it was done precisely for community reasons. dpdk/VPP community is
> > > > > > > > > quite large and fell funded but they just can't all grok QEMU. They
> > > > > > > > > work for hardware vendors and do baremetal things. With the split we
> > > > > > > > > can focus on virtualization and they can focus on moving packets around.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > QEMU's defined the vhost-user ABI/API and delegated
> > > > > > > > > > impl to something else.
> > > > > > > > > The vhost ABI isn't easy to maintain at all though. So I would not
> > > > > > > > > commit to that lightly without a good reason.
> > > > > > > > >
> > > > > > > > > It will be way more painful if the ABI is dictated by a 3rd party
> > > > > > > > > library.
> > > > > > > > Who should define it?
> > > > > > > >
> > > > > > > No one. Put it in same source tree with QEMU and forget ABI stability
> > > > > > > issues.
> > > > > >
> > > > > > You mean put the code implementing TPM 1.2 and/or TPM 2 into the QEMU tree?
> > > > > > These are multiple thousands of lines of code each and we'll break them
> > > > > > apart into logical chunks and review them?
> > > > >
> > > > > No, lets not make that mistake again - we only just got rid of the
> > > > > libcacard smartcard library code from QEMU git.
> > > > >
> > > > > Regards,
> > > > > Daniel
> > > >
> > > > I don't mean that as an external library. As an integral part of QEMU
> > > > adhering to our coding style etc - why not?
> > > >
> > > > I don't know what are the other options. How is depending on an ABI
> > > > with a utility with no other users and not packaged by most distros
> > > > good? You are calling out to a CUSE device but who's reviewing that
> > > > code?
> > > >
> > > > vl.c weights in a 4500 lines of code. several thousand lines is
> > > > not small but not unmanageable.
> > >
> > >
> > > That's 4500 lines of fairly generic code; not like the TPM where the number
> > > of people who really understand the details of it is pretty slim.
> > >
> > > It's better on most counts to have it as a separate process.
> > >
> > > Dave
> >
> > Separate process we start and stop automatically I don't mind. A
> > separate tree with a distinct coding style where no one will ever even
> > look at it? Not so much.
>
> That code is used elsewhere anyway,
Who uses it? Who packages it? Fedora doesn't ...
> so asking them to change the coding style
> isn't very nice.
> Even if they change the coding style it doesn't mean you're suddenly going to
> understand how a TPM works in detail and be able to review it.
I did in the past but I didn't kept abreast of the recent developments.
> Anyway, having it in a separate process locked down by SELinux means that even
> if it does go horribly wrong it won't break qemu.
>
> Dave
Since qemu does blocking ioctls on it and doesn't validate results
too much it sure can break QEMU - anything from DOS to random
code execution. That's why we want to keep it in tree and
start it ourselves - I don't want CVEs claiming not validating
some parameter we get from it is a remote code execution.
It should be just a library that yes, we can keep out of
process for extra security but no, we can't just out random
stuff in there and never care.
> > > > Anyway, it all boils down to lack of reviewers. I know I am not merging
> > > > the current implementation because I could not figure out what do qemu
> > > > bits do without looking at the implementation. I don't want to jump
> > > > between so many trees and coding styles. bios/qemu/linux/dpdk are
> > > > painful enough to manage. If some other maintainer volunteers, or if
> > > > Peter wants to merge it directly from Stefan, I won't object.
> > > >
> > > > > --
> > > > > |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> > > > > |: http://libvirt.org -o- http://virt-manager.org :|
> > > > > |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
> > > --
> > > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2017-03-01 18:30 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-04 15:23 [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a QEMU-external TPM Stefan Berger
2016-01-04 15:23 ` [Qemu-devel] [PATCH v5 1/4] Provide support for the CUSE TPM Stefan Berger
2016-01-20 15:00 ` Daniel P. Berrange
2016-01-20 15:31 ` Stefan Berger
[not found] ` <201601201532.u0KFW2q2019737@d03av03.boulder.ibm.com>
2016-01-20 15:46 ` Daniel P. Berrange
2016-01-20 15:54 ` Stefan Berger
2016-01-20 16:03 ` Michael S. Tsirkin
2016-01-20 16:13 ` Stefan Berger
2016-01-20 16:22 ` Daniel P. Berrange
2016-01-21 11:36 ` Dr. David Alan Gilbert
2016-05-31 18:58 ` BICKFORD, JEFFREY E
2016-05-31 19:10 ` Dr. David Alan Gilbert
2016-06-01 22:54 ` BICKFORD, JEFFREY E
2016-06-13 10:56 ` Stefan Berger
2016-06-01 1:58 ` Xu, Quan
2016-06-13 11:02 ` Stefan Berger
2016-06-15 19:30 ` Dr. David Alan Gilbert
2016-06-15 20:54 ` Stefan Berger
2016-06-16 8:05 ` Dr. David Alan Gilbert
2016-06-16 8:25 ` Daniel P. Berrange
2016-06-16 15:20 ` Stefan Berger
2017-03-01 12:25 ` Stefan Berger
2017-03-01 12:54 ` Daniel P. Berrange
2017-03-01 13:25 ` Stefan Berger
2017-03-01 14:17 ` Marc-André Lureau
2017-03-01 14:50 ` Stefan Berger
2017-03-01 15:24 ` Marc-André Lureau
2017-03-01 15:58 ` Stefan Berger
2017-03-01 16:22 ` Michael S. Tsirkin
2017-03-01 16:31 ` Daniel P. Berrange
2017-03-01 16:57 ` Dr. David Alan Gilbert
2017-03-01 17:02 ` Michael S. Tsirkin
2017-03-01 17:12 ` Stefan Berger
2017-03-01 17:16 ` Michael S. Tsirkin
2017-03-01 17:20 ` Daniel P. Berrange
2017-03-01 18:03 ` Michael S. Tsirkin
2017-03-01 17:25 ` Stefan Berger
2017-03-01 17:38 ` Daniel P. Berrange
2017-03-01 17:58 ` Michael S. Tsirkin
2017-03-01 18:06 ` Dr. David Alan Gilbert
2017-03-01 18:09 ` Michael S. Tsirkin
2017-03-01 18:18 ` Dr. David Alan Gilbert
2017-03-01 18:30 ` Michael S. Tsirkin [this message]
2017-03-01 19:24 ` Stefan Berger
2017-03-01 23:36 ` Michael S. Tsirkin
2017-03-01 23:42 ` Michael S. Tsirkin
2017-03-01 18:11 ` Daniel P. Berrange
2017-03-01 18:20 ` Michael S. Tsirkin
2017-03-01 18:32 ` Marc-André Lureau
2017-03-01 18:56 ` Daniel P. Berrange
2017-03-01 19:18 ` Marc-André Lureau
2017-03-01 22:22 ` Michael S. Tsirkin
2017-03-01 17:36 ` Daniel P. Berrange
2017-03-01 15:18 ` Daniel P. Berrange
2017-03-01 15:40 ` Stefan Berger
2017-03-01 16:13 ` Daniel P. Berrange
2016-06-16 13:58 ` SERBAN, CRISTINA
2016-06-16 15:04 ` Stefan Berger
2016-06-16 15:22 ` Dr. David Alan Gilbert
2016-06-16 15:35 ` Stefan Berger
2016-06-16 17:54 ` Dr. David Alan Gilbert
2016-06-16 18:43 ` Stefan Berger
2016-06-16 19:24 ` Dr. David Alan Gilbert
2016-06-16 21:28 ` Stefan Berger
2017-02-28 18:31 ` Marc-André Lureau
2017-03-01 12:32 ` Stefan Berger
2016-01-28 13:15 ` Daniel P. Berrange
2016-01-28 14:51 ` Stefan Berger
2016-01-20 15:20 ` Michael S. Tsirkin
2016-01-20 15:36 ` Stefan Berger
[not found] ` <201601201536.u0KFanwG004844@d01av04.pok.ibm.com>
2016-01-20 15:58 ` Michael S. Tsirkin
2016-01-20 16:06 ` Stefan Berger
2016-01-20 18:54 ` Michael S. Tsirkin
2016-01-20 21:25 ` Stefan Berger
2016-01-21 5:08 ` Michael S. Tsirkin
2016-01-21 5:41 ` Xu, Quan
2016-01-21 9:19 ` Michael S. Tsirkin
2016-01-21 12:09 ` Stefan Berger
2016-01-20 16:15 ` Daniel P. Berrange
2016-01-04 15:23 ` [Qemu-devel] [PATCH v5 2/4] Introduce condition to notify waiters of completed command Stefan Berger
2016-01-04 15:23 ` [Qemu-devel] [PATCH v5 3/4] Introduce condition in TPM backend for notification Stefan Berger
2016-01-04 15:23 ` [Qemu-devel] [PATCH v5 4/4] Add support for VM suspend/resume for TPM TIS Stefan Berger
2016-01-05 1:26 ` [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a QEMU-external TPM Xu, Quan
2016-01-05 3:36 ` Stefan Berger
2016-01-20 1:40 ` Xu, Quan
2016-01-20 9:23 ` Hagen Lauer
2016-01-20 9:41 ` Xu, Quan
2016-01-20 14:58 ` Daniel P. Berrange
2016-01-20 15:23 ` Stefan Berger
[not found] ` <201601201523.u0KFNwOH000398@d01av04.pok.ibm.com>
2016-01-20 15:42 ` Daniel P. Berrange
2016-01-20 19:51 ` Stefan Berger
[not found] ` <OF1010A111.39918A93-ON00257F40.006CA5ED-85257F40.006D2225@LocalDomain>
2016-01-20 20:16 ` Stefan Berger
2016-01-21 11:40 ` Dr. David Alan Gilbert
2016-01-21 12:31 ` Stefan Berger
[not found] ` <201601211231.u0LCVGCZ021111@d01av01.pok.ibm.com>
2016-01-21 14:53 ` Dr. David Alan Gilbert
[not found] ` <OF7ED031CA.CDD3196F-ON00257F41.004305BB-85257F41.0044C71A@LocalDomain>
2016-02-01 17:40 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170301202044-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=berrange@redhat.com \
--cc=cs1731@att.com \
--cc=cs1815@att.com \
--cc=dgilbert@redhat.com \
--cc=hagen.lauer@huawei.com \
--cc=marcandre.lureau@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=quan.xu@intel.com \
--cc=silviu.vlasceanu@gmail.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=stefanb@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).