From: "Daniel P. Berrangé" <berrange@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Stefano Stabellini <sstabellini@kernel.org>,
"Michael S . Tsirkin" <mst@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Christian Schoenebeck <qemu_oss@crudebyte.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Michael Roth <mdroth@linux.vnet.ibm.com>,
Greg Kurz <groug@kaod.org>, Stefan Hajnoczi <stefanha@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
Date: Thu, 16 Jul 2020 11:09:36 +0100 [thread overview]
Message-ID: <20200716100936.GL227735@redhat.com> (raw)
In-Reply-To: <nycvar.YSQ.7.78.906.2007161503230.950384@xnncv>
On Thu, Jul 16, 2020 at 03:14:51PM +0530, P J P wrote:
> +-- On Thu, 16 Jul 2020, Dr. David Alan Gilbert wrote --+
> | > + C: CVE/Security/Trust Quotient
> | > + H:High - Feature (or code) is meant to be safe and used by untrusted
> | > + guests. So any potential security issue must be processed with
> | > + due care and be considered as a CVE issue.
> | > + L:Low - Feature (or code) is not meant to be safe OR is experimental
> | > + OR is used in trusted environments only OR is not well
> | > + maintained. So any potential security issue can be processed
> | > + and fixed as regular non-security bug. No need for a CVE.
> |
> | That's a lot of OR's and it causes problems;
> | ....
>
> Yes, I started with the MAINTAINERS file thinking at least some segregation
> would be a step forward than nothing.
>
> | > QMP
> | > M: Markus Armbruster <armbru@redhat.com>
> | > S: Supported
> | > +C: Low
> | > F: monitor/monitor-internal.h
> | > F: monitor/qmp*
> | > F: monitor/misc.c
> |
> | QMP is critical to many uses, so you wouldn't want to exclude it from a secure build;
> | any security issue with it (e.g. misparsing an argument) would be very
> | serious and would need to be looked at;
>
> No, High OR Low was not for excluding it from any build. It was merely an
> indication to a user to decide whether an issue should be treated as a CVE one
> or can be fixed as regular bug.
>
> | but QMP is expected to be talking to another trusted endpoint.
>
> True; I set it to Low as QMP interface access is mostly given to privileged
> trusted users.
It needs to consider that the classification will eventually be used to decide
what features are enabled at build time. If QMP is marked as "low" and someone
does a build "only high", then QMP won't get compiled, and thus QEMU will be
useless for mgmt apps.
Also bear in the mind the documented security classification is that approx
anything relevant for use with KVM based deployment is to be considered part
of the trusted code set, and anything that only makes sense for use with TCG
is part of the untrusted code set.
This implies that much general purpose common infrastructure in QEMU is
going to be part of the trusted code set. So that automatically includes
QMP.
NB, the build time classification won't be perfect, but that's largely
because we don't have sufficient granularity in what we build. For
example, although we only care about QMP, IIUC, we can't turn off HMP
at build time. So we might consider HMP to be "low", despite the fact
that it is impossible to disable when building "only high features".
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-07-16 10:14 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 8:36 [PATCH 0/1] MAINTAINERS: add security quotient field P J P
2020-07-14 8:36 ` [PATCH 1/1] MAINTAINERS: introduce cve or " P J P
2020-07-14 9:42 ` Peter Maydell
2020-07-14 9:52 ` Daniel P. Berrangé
2020-07-14 10:12 ` Michael S. Tsirkin
2020-07-14 10:22 ` Peter Maydell
2020-07-14 11:02 ` Michael S. Tsirkin
2020-07-14 13:10 ` P J P
2020-07-16 6:55 ` Cornelia Huck
2020-07-16 8:36 ` Daniel P. Berrangé
2020-07-16 9:21 ` P J P
2020-07-16 9:39 ` Daniel P. Berrangé
2020-07-16 9:45 ` Christian Schoenebeck
2020-07-16 10:01 ` Daniel P. Berrangé
2020-07-16 12:22 ` Christian Schoenebeck
2020-07-16 12:54 ` Daniel P. Berrangé
2020-07-14 13:30 ` Daniel P. Berrangé
2020-07-14 13:48 ` Kevin Wolf
2020-07-14 13:56 ` Thomas Huth
2020-07-14 15:04 ` Christian Schoenebeck
2020-07-14 14:02 ` Daniel P. Berrangé
2020-07-14 10:18 ` Philippe Mathieu-Daudé
2020-07-14 11:51 ` Cornelia Huck
2020-07-16 8:56 ` Dr. David Alan Gilbert
2020-07-16 9:44 ` P J P
2020-07-16 10:09 ` Daniel P. Berrangé [this message]
2020-07-16 10:43 ` Markus Armbruster
2020-07-14 9:46 ` [PATCH 0/1] MAINTAINERS: add " Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200716100936.GL227735@redhat.com \
--to=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=groug@kaod.org \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu_oss@crudebyte.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).