From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Greg Kurz <groug@kaod.org>
Cc: P J P <ppandit@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>,
qemu-ppc@nongnu.org, QEMU Developers <qemu-devel@nongnu.org>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [Qemu-ppc] [PATCH v3] ppc: add host-serial and host-model machine attributes
Date: Mon, 18 Feb 2019 11:52:18 +0000 [thread overview]
Message-ID: <20190218115218.GF32287@redhat.com> (raw)
In-Reply-To: <20190218123811.5b7a1d61@bahia.lan>
On Mon, Feb 18, 2019 at 12:38:11PM +0100, Greg Kurz wrote:
> On Mon, 18 Feb 2019 15:42:18 +0530
> P J P <ppandit@redhat.com> wrote:
>
> > From: Prasad J Pandit <pjp@fedoraproject.org>
> >
> > On ppc hosts, hypervisor shares following system attributes
> >
> > - /proc/device-tree/system-id
> > - /proc/device-tree/model
> >
> > with a guest. This could lead to information leakage and misuse.[*]
> > Add machine attributes to control such system information exposure
> > to a guest.
> >
> > [*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
> >
> > Reported-by: Daniel P. Berrangé <berrange@redhat.com>
> > Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> > ---
> > hw/ppc/spapr.c | 79 ++++++++++++++++++++++++++++++++++++++----
> > include/hw/ppc/spapr.h | 2 ++
> > 2 files changed, 75 insertions(+), 6 deletions(-)
> >
> > Update v3: move host-serial,host-model options to ppc sPAPR machine
> > -> https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg03182.html
> >
> > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > index 0942f35bf8..666e500376 100644
> > --- a/hw/ppc/spapr.c
> > +++ b/hw/ppc/spapr.c
> > @@ -1249,13 +1249,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
> > * Add info to guest to indentify which host is it being run on
> > * and what is the uuid of the guest
> > */
> > - if (kvmppc_get_host_model(&buf)) {
> > - _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
> > - g_free(buf);
> > + if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
> > + if (g_str_equal(spapr->host_model, "passthrough")) {
> > + /* -M host-model=passthrough */
> > + if (kvmppc_get_host_model(&buf)) {
> > + _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
> > + g_free(buf);
> > + }
> > + } else {
> > + /* -M host-model=<user-string> */
> > + _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
> > + }
> > }
> > - if (kvmppc_get_host_serial(&buf)) {
> > - _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
> > - g_free(buf);
> > +
> > + if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
> > + if (g_str_equal(spapr->host_serial, "passthrough")) {
> > + /* -M host-serial=passthrough */
> > + if (kvmppc_get_host_serial(&buf)) {
> > + _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
> > + g_free(buf);
> > + }
> > + } else {
> > + /* -M host-serial=<user-string> */
> > + _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
> > + }
> > }
> >
> > buf = qemu_uuid_unparse_strdup(&qemu_uuid);
> > @@ -3138,6 +3155,36 @@ static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
> > }
> > }
> >
> > +static char *spapr_get_host_model(Object *obj, Error **errp)
> > +{
> > + sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
> > +
> > + return g_strdup(spapr->host_model);
> > +}
> > +
> > +static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
> > +{
> > + sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
> > +
> > + g_free(spapr->host_model);
> > + spapr->host_model = g_strdup(value);
> > +}
> > +
> > +static char *spapr_get_host_serial(Object *obj, Error **errp)
> > +{
> > + sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
> > +
> > + return g_strdup(spapr->host_serial);
> > +}
> > +
> > +static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
> > +{
> > + sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
> > +
> > + g_free(spapr->host_serial);
> > + spapr->host_serial = g_strdup(value);
> > +}
> > +
> > static void spapr_instance_init(Object *obj)
> > {
> > sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
> > @@ -3183,6 +3230,20 @@ static void spapr_instance_init(Object *obj)
> > object_property_set_description(obj, "ic-mode",
> > "Specifies the interrupt controller mode (xics, xive, dual)",
> > NULL);
> > +
> > + spapr->host_model = NULL;
>
> This isn't needed since object_initialize_with_type() already takes care
> of zeroing the instance for us.
>
> > + object_property_add_str(obj, "host-model",
> > + spapr_get_host_model, spapr_set_host_model,
> > + &error_abort);
> > + object_property_set_description(obj, "host-model",
> > + "Set host's model-id to use - none|passthrough|string", &error_abort);
> > +
> > + spapr->host_serial = NULL;
>
> Same here.
>
> > + object_property_add_str(obj, "host-serial",
> > + spapr_get_host_serial, spapr_set_host_serial,
> > + &error_abort);
> > + object_property_set_description(obj, "host-serial",
> > + "Set host's system-id to use - none|passthrough|string", &error_abort);
> > }
> >
> > static void spapr_machine_finalizefn(Object *obj)
> > @@ -4080,9 +4141,15 @@ DEFINE_SPAPR_MACHINE(4_0, "4.0", true);
> > static void spapr_machine_3_1_class_options(MachineClass *mc)
> > {
> > sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
> > + static GlobalProperty compat[] = {
> > + { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
> > + { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
> > + };
> >
>
> So... we don't fix the information leak for older machines by default ? From
> previous discussions, I understand it is for the sake of compatibility, but
> leaving the burden of securing the host to downstream or to the user still
> looks unsecure to me FWIW.
Maintaining guest ABI compatibility has to take priority, even over
fixing security issues, because we must never intentionally break
guest OS/applications by silently altering guest ABI. This is one of
the two reasons why machine type versioning exists (the other reason
being live migration data stream).
This is nothing new - we've done it before for security flaws where
a fix would involve changing guest ABI. This particular security flaw
is pretty minor compared to other cases that we've left unfixed by
default eg Meltdown / Spectre and is easily addressed by the user if
needed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-02-18 11:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-18 10:12 [Qemu-devel] [PATCH v3] ppc: add host-serial and host-model machine attributes P J P
2019-02-18 10:31 ` Daniel P. Berrangé
2019-02-18 11:38 ` [Qemu-devel] [Qemu-ppc] " Greg Kurz
2019-02-18 11:52 ` Daniel P. Berrangé [this message]
2019-02-18 12:57 ` Greg Kurz
2019-02-18 18:20 ` P J P
2019-02-19 1:21 ` David Gibson
2019-02-19 9:31 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190218115218.GF32287@redhat.com \
--to=berrange@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=groug@kaod.org \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).