qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Prasad J Pandit <pjp@fedoraproject.org>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Christian Schoenebeck <qemu_oss@crudebyte.com>,
	Michael Roth <mdroth@linux.vnet.ibm.com>,
	P J P <ppandit@redhat.com>, Greg Kurz <groug@kaod.org>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
Date: Tue, 14 Jul 2020 14:30:21 +0100	[thread overview]
Message-ID: <20200714133021.GF25187@redhat.com> (raw)
In-Reply-To: <20200714064921-mutt-send-email-mst@kernel.org>

On Tue, Jul 14, 2020 at 07:02:59AM -0400, Michael S. Tsirkin wrote:
> On Tue, Jul 14, 2020 at 11:22:28AM +0100, Peter Maydell wrote:
> > On Tue, 14 Jul 2020 at 11:12, Michael S. Tsirkin <mst@redhat.com> wrote:
> > > And for people who want to build QEMU with lots of functionality (like
> > > Fedora does), I think a -security flag would be a useful addition.
> > > We can then tell security researchers "only a high security issue
> > > if it reproduces with -security=high, only a security issue
> > > if it reproduces with -security=low".
> > 
> > I think a -security option would also be useful to users -- it
> > makes it easier for them to check "is this configuration using
> > something that I didn't realize was not intended to be secure".
> > For me, something useful for our users is much more compelling
> > than "this might make security researchers' lives a bit easier".
> > 
> > thanks
> > -- PMM
> 
> True. And I guess downstreams can also force the option to high or set the
> default to high rather easily if they want to.
> 
> So the option would be:
> 
> -security level
> 	Set minimal required security level of QEMU.
> 
> 	high: block use of QEMU functionality which is intended to be secure against
> 		malicious guests.
> 	low: allow use of all QEMU functionality, best effort security
> 		against malicious guests.
> 
> Default would be -security low.
> 
> Does this look reasonable?

The challenge I see is that wiring up a runtime flag into every relevant
part of the QEMU codebase is an pretty large amount of work. Every device,
every machine type, every backend type, every generic subsystem will all
need checks for this flag. It is possible, but it isn't going to be quick
or easy, especially with poor error reporting support in many areas.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



  parent reply	other threads:[~2020-07-14 13:32 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-14  8:36 [PATCH 0/1] MAINTAINERS: add security quotient field P J P
2020-07-14  8:36 ` [PATCH 1/1] MAINTAINERS: introduce cve or " P J P
2020-07-14  9:42   ` Peter Maydell
2020-07-14  9:52     ` Daniel P. Berrangé
2020-07-14 10:12       ` Michael S. Tsirkin
2020-07-14 10:22         ` Peter Maydell
2020-07-14 11:02           ` Michael S. Tsirkin
2020-07-14 13:10             ` P J P
2020-07-16  6:55               ` Cornelia Huck
2020-07-16  8:36                 ` Daniel P. Berrangé
2020-07-16  9:21                   ` P J P
2020-07-16  9:39                     ` Daniel P. Berrangé
2020-07-16  9:45                     ` Christian Schoenebeck
2020-07-16 10:01                       ` Daniel P. Berrangé
2020-07-16 12:22                         ` Christian Schoenebeck
2020-07-16 12:54                           ` Daniel P. Berrangé
2020-07-14 13:30             ` Daniel P. Berrangé [this message]
2020-07-14 13:48               ` Kevin Wolf
2020-07-14 13:56                 ` Thomas Huth
2020-07-14 15:04                   ` Christian Schoenebeck
2020-07-14 14:02                 ` Daniel P. Berrangé
2020-07-14 10:18   ` Philippe Mathieu-Daudé
2020-07-14 11:51   ` Cornelia Huck
2020-07-16  8:56   ` Dr. David Alan Gilbert
2020-07-16  9:44     ` P J P
2020-07-16 10:09       ` Daniel P. Berrangé
2020-07-16 10:43         ` Markus Armbruster
2020-07-14  9:46 ` [PATCH 0/1] MAINTAINERS: add " Michael S. Tsirkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200714133021.GF25187@redhat.com \
    --to=berrange@redhat.com \
    --cc=groug@kaod.org \
    --cc=kwolf@redhat.com \
    --cc=mdroth@linux.vnet.ibm.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=pjp@fedoraproject.org \
    --cc=ppandit@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu_oss@crudebyte.com \
    --cc=sstabellini@kernel.org \
    --cc=stefanha@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).