From: Daniel P. Berrangé
To: "Michael S. Tsirkin"
Cc: Kevin Wolf, Peter Maydell, Stefano Stabellini, Prasad J Pandit, QEMU Developers, Christian Schoenebeck, Michael Roth, P J P, Greg Kurz, Stefan Hajnoczi, Paolo Bonzini
Subject: Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
Date: Tue, 14 Jul 2020 14:30:21 +0100
Message-ID: <20200714133021.GF25187@redhat.com>
In-Reply-To: <20200714064921-mutt-send-email-mst@kernel.org>
References: <20200714083631.888605-1-ppandit@redhat.com> <20200714083631.888605-2-ppandit@redhat.com> <20200714095233.GC25187@redhat.com> <20200714060916-mutt-send-email-mst@kernel.org> <20200714064921-mutt-send-email-mst@kernel.org>

On Tue, Jul 14, 2020 at 07:02:59AM -0400, Michael S. Tsirkin wrote:
> On Tue, Jul 14, 2020 at 11:22:28AM +0100, Peter Maydell wrote:
> > On Tue, 14 Jul 2020 at 11:12, Michael S. Tsirkin wrote:
> > > And for people who want to build QEMU with lots of functionality (like
> > > Fedora does), I think a -security flag would be a useful addition.
> > > We can then tell security researchers "only a high security issue
> > > if it reproduces with -security=high, only a security issue
> > > if it reproduces with -security=low".
> >
> > I think a -security option would also be useful to users -- it
> > makes it easier for them to check "is this configuration using
> > something that I didn't realize was not intended to be secure".
> > For me, something useful for our users is much more compelling
> > than "this might make security researchers' lives a bit easier".
> >
> > thanks
> > -- PMM
>
> True. And I guess downstreams can also force the option to high or set the
> default to high rather easily if they want to.
>
> So the option would be:
>
> -security level
> Set minimal required security level of QEMU.
>
> high: block use of QEMU functionality which is intended to be secure against
> malicious guests.
> low: allow use of all QEMU functionality, best effort security
> against malicious guests.
>
> Default would be -security low.
>
> Does this look reasonable?

The challenge I see is that wiring up a runtime flag into every relevant part of the QEMU codebase is a pretty large amount of work. Every device, every machine type, every backend type, every generic subsystem will all need checks for this flag. It is possible, but it isn't going to be quick or easy, especially with poor error reporting support in many areas.

Regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|