From: "Michael S. Tsirkin" <mst@redhat.com>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
qemu devel list <qemu-devel@nongnu.org>,
Kevin Wolf <kwolf@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Laurent Vivier <lvivier@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Max Reitz <mreitz@redhat.com>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Thomas Huth <thuth@redhat.com>,
qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 2/5] virtio-blk: add "discard-wzeroes" boolean property
Date: Mon, 4 Feb 2019 08:37:28 -0500 [thread overview]
Message-ID: <20190204083556-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20190204101614.hid4eiorvm37cq5f@steredhat>
On Mon, Feb 04, 2019 at 11:16:14AM +0100, Stefano Garzarella wrote:
> On Mon, Feb 04, 2019 at 11:33:07AM +0800, Stefan Hajnoczi wrote:
> > On Fri, Feb 01, 2019 at 06:18:52PM +0100, Stefano Garzarella wrote:
> > > On Fri, Feb 1, 2019 at 4:17 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > > > On Thu, Jan 31, 2019 at 04:19:11PM +0100, Stefano Garzarella wrote:
> > > > > In order to avoid migration issues, we enable DISCARD and
> > > > > WRITE ZEROES features only for machine type >= 4.0
> > > > >
> > > > > Suggested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > > > > Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> > > > > ---
> > > > > hw/block/virtio-blk.c | 2 ++
> > > > > hw/core/machine.c | 1 +
> > > > > include/hw/virtio/virtio-blk.h | 1 +
> > > > > 3 files changed, 4 insertions(+)
> > > > >
> > > > > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> > > > > index 8a6754d9a2..542ec52536 100644
> > > > > --- a/hw/block/virtio-blk.c
> > > > > +++ b/hw/block/virtio-blk.c
> > > > > @@ -1026,6 +1026,8 @@ static Property virtio_blk_properties[] = {
> > > > > DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
> > > > > DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
> > > > > IOThread *),
> > > > > + DEFINE_PROP_BIT("discard-wzeroes", VirtIOBlock, conf.discard_wzeroes, 0,
> > > > > + true),
> > > > > DEFINE_PROP_END_OF_LIST(),
> > > > > };
> > > > >
> > > >
> > > > Thinking about it, are there security implications for discard?
> > > > Should we make it default false?
> > >
> > > Hi Michael,
> > >
> > > I'm not completely sure but if the guest can write on a specific sector,
> > > discard or write_zeroes operations should not have a security implication.
> > >
> > > Do I miss something?
> >
> > Recently page cache attacks have been discussed in the Linux community:
> > https://arxiv.org/pdf/1901.01161.pdf
> >
> > I guess the scenario Michael is thinking about involves either -drive
> > cache.direct=off (including cache=writeback or cache=writethrough) or
> > maybe a timing side-channel in the storage appliance.
> >
> > The discard operation may allow a guest to evict the cache, an important
> > primitive for page cache attacks.
> >
> > Most of the time disk images are not shared between guests at all.
> > Therefore the discard operation cannot be used to learn information
> > about other guests.
> >
> > Let's focus on shared disk images: shared disk images are either
> > read-only (then discard isn't allowed anyway) or they are shared
> > writable (but this already implies a trust relationship between the
> > guests).
> >
> > My opinion is that discard is safe because virtualization use cases are
> > quite different from the attacks possible with shared library files
> > between userspace processes. I'm curious if anyone has figured out a
> > realistic scenario where it does matter though...
>
> Many thanks for the explanation!
>
> I'll wait to send the v3 in order to understand if Michael agrees to
> leave discard feature enabled to default.
>
> Thanks,
> Stefano
OK. Maybe mention the above in the commit log.
--
MST
next prev parent reply other threads:[~2019-02-04 13:37 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-31 15:19 [Qemu-devel] [PATCH v2 0/5] virtio-blk: add DISCARD and WRITE ZEROES features Stefano Garzarella
2019-01-31 15:19 ` [Qemu-devel] [PATCH v2 1/5] virtio-blk: add acct_failed param to virtio_blk_handle_rw_error() Stefano Garzarella
2019-02-01 5:15 ` Stefan Hajnoczi
2019-01-31 15:19 ` [Qemu-devel] [PATCH v2 2/5] virtio-blk: add "discard-wzeroes" boolean property Stefano Garzarella
2019-01-31 15:40 ` Dr. David Alan Gilbert
2019-01-31 15:50 ` Stefano Garzarella
2019-01-31 15:59 ` Dr. David Alan Gilbert
2019-01-31 16:43 ` Michael S. Tsirkin
2019-01-31 17:37 ` Stefano Garzarella
2019-02-05 20:54 ` Michael S. Tsirkin
2019-02-01 4:29 ` Stefan Hajnoczi
2019-02-01 9:09 ` Stefano Garzarella
2019-02-01 10:06 ` Stefan Hajnoczi
2019-02-01 15:16 ` Michael S. Tsirkin
2019-02-01 17:18 ` Stefano Garzarella
2019-02-04 3:33 ` Stefan Hajnoczi
2019-02-04 10:16 ` Stefano Garzarella
2019-02-04 13:37 ` Michael S. Tsirkin [this message]
2019-02-04 15:38 ` Stefano Garzarella
2019-01-31 15:19 ` [Qemu-devel] [PATCH v2 3/5] virtio-blk: add DISCARD and WRITE ZEROES features Stefano Garzarella
2019-01-31 16:04 ` Michael S. Tsirkin
2019-01-31 17:01 ` Stefano Garzarella
2019-01-31 17:13 ` Michael S. Tsirkin
2019-02-01 4:58 ` Stefan Hajnoczi
2019-02-01 9:54 ` Stefano Garzarella
2019-02-01 10:08 ` Stefan Hajnoczi
2019-01-31 15:19 ` [Qemu-devel] [PATCH v2 4/5] tests/virtio-blk: change assert on data_size in virtio_blk_request() Stefano Garzarella
2019-02-01 5:04 ` Stefan Hajnoczi
2019-01-31 15:19 ` [Qemu-devel] [PATCH v2 5/5] tests/virtio-blk: add test for WRITE_ZEROES command Stefano Garzarella
2019-02-01 5:15 ` Stefan Hajnoczi
2019-01-31 17:15 ` [Qemu-devel] [PATCH v2 0/5] virtio-blk: add DISCARD and WRITE ZEROES features Michael S. Tsirkin
2019-01-31 17:38 ` Stefano Garzarella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190204083556-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=kwolf@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=sgarzare@redhat.com \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).