From: Erik Skultety <eskultet@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: libvir-list@redhat.com, dinechin@redhat.com, mkletzan@redhat.com,
brijesh.singh@amd.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [libvirt] AMD SEV's /dev/sev permissions and probing QEMU for capabilities
Date: Fri, 18 Jan 2019 11:56:58 +0100 [thread overview]
Message-ID: <20190118105658.GB24176@beluga.usersys.redhat.com> (raw)
In-Reply-To: <20190118101638.GE20660@redhat.com>
On Fri, Jan 18, 2019 at 10:16:38AM +0000, Daniel P. Berrangé wrote:
> On Fri, Jan 18, 2019 at 10:39:35AM +0100, Erik Skultety wrote:
> > Hi,
> > this is a summary of a private discussion I've had with guys CC'd on this email
> > about finding a solution to [1] - basically, the default permissions on
> > /dev/sev (below) make it impossible to query for SEV platform capabilities,
> > since by default we run QEMU as qemu:qemu when probing for capabilities. It's
> > worth noting is that this is only relevant to probing, since for a proper QEMU
> > VM we create a mount namespace for the process and chown all the nodes (needs a
> > SEV fix though).
> >
> > # ll /dev/sev
> > crw-------. 1 root root
> >
> > I suggested either force running QEMU as root for probing (despite the obvious
> > security implications) or using namespaces for probing too. Dan argued that
> > this would have a significant perf impact and suggested we ask systemd to add a
> > global udev rule.
>
> I've just realized there is a potential 3rd solution. Remember there is
> actually nothing inherantly special about the 'root' user as an account
> ID. 'root' gains its powers from the fact that it has many capabilities
> by default. 'qemu' can't access /dev/sev because it is owned by a
> different user (happens to be root) and 'qemu' does not have capabilities.
>
> So we can make probing work by using our capabilities code to grant
> CAP_DAC_OVERRIDE to the qemu process we spawn. So probing still runs
> as 'qemu', but can none the less access /dev/sev while it is owned
> by root. We were not using 'qemu' for sake of security, as the probing
> process is not executing any untrusthworthy code, so we don't loose any
> security protection by granting CAP_DAC_OVERRIDE.
Truth to be told, I was playing with the idea of using CAP_ capabilities,
however, because I'm paranoid (maybe too much) I took your comment "malicious
QEMU" as an axiom for the process not be trusted *at all*, regardless of what
it's doing, I decided to ditch the idea, because with CAP_DAC_OVERRIDE, you're
essentially giving QEMU an open ticket to any file on the filesystem (okay, not
any and not always because QEMU executed by system libvirt will be confined so
SElinux will still be our guardian angel).
[...]
> >
> > So, in conclusion, we absolutely need input from Brijesh (AMD) whether there
> > was something more than the low limit on number of guests behind the default
> > permissions. Also, we'd like to get some details on how the limit is managed,
> > helping to assess the approaches mentioned above.
>
> Regardless of this problem, I think it is important to have some docs
> in either libvirt or QEMU that describe the resource usage constraints
> so that management apps can decide how to best take advantage of SEV.
Agreed. In the meantime, I'll start working on adding /dev/sev into the
namespace only for SEV-enabled guests.
Thanks,
Erik
next prev parent reply other threads:[~2019-01-18 10:57 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-18 9:39 [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities Erik Skultety
2019-01-18 10:16 ` Daniel P. Berrangé
2019-01-18 10:56 ` Erik Skultety [this message]
2019-01-18 11:11 ` Martin Kletzander
2019-01-18 11:17 ` Daniel P. Berrangé
2019-01-18 11:31 ` Martin Kletzander
2019-01-18 12:51 ` Singh, Brijesh
2019-01-23 12:55 ` Erik Skultety
2019-01-23 13:10 ` Daniel P. Berrangé
2019-01-23 13:22 ` Erik Skultety
2019-01-23 13:24 ` Daniel P. Berrangé
2019-01-23 13:33 ` Erik Skultety
2019-01-23 13:36 ` Daniel P. Berrangé
2019-01-23 15:02 ` Singh, Brijesh
2019-01-23 15:29 ` Erik Skultety
2019-01-29 16:15 ` Erik Skultety
2019-01-29 18:40 ` Daniel P. Berrangé
2019-01-30 8:06 ` Erik Skultety
2019-01-30 10:37 ` Daniel P. Berrangé
2019-01-30 13:39 ` Erik Skultety
2019-01-30 17:47 ` Singh, Brijesh
2019-01-30 18:18 ` Daniel P. Berrangé
2019-01-31 15:28 ` Erik Skultety
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190118105658.GB24176@beluga.usersys.redhat.com \
--to=eskultet@redhat.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dinechin@redhat.com \
--cc=libvir-list@redhat.com \
--cc=mkletzan@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).