Re: [Qemu-devel] Re: Spice project is now open

[Dor Laor <dlaor@redhat.com>]

On 12/12/2009 07:40 PM, Anthony Liguori wrote:
> If Spice can crash a guest, that indicates to me that Spice is
> maintaining guest visible state.  That is difficult architecturally
> because if we want to do something like introduce a secure sandbox for
> running guest visible emulation, libspice would have to be part of that
> sandbox which would seem to be difficult.
>
> The VNC server cannot crash a guest by comparison.

That's not accurate:
https://bugzilla.redhat.com/show_bug.cgi?id=505641 -  (CVE-2009-3616) 
CVE-2009-3616 Remote VNC client can cause any QEMU VNC server to crash 
with a double-free

and again: https://bugzilla.redhat.com/show_bug.cgi?id=495646  -  Get 
segfault when changing vnc password


Why vnc server code should be protected and spice server not?
In addition, like Izik said, the qxl device/driver pair is a must. QXL 
is a great addition even in 'old' vnc mode since it supports lots of 
goodies. In addition for caching it also allows s3 state (qxl d3) for 
the OS, unlike Cirrus.

More VNC bugs that we run into:

https://bugzilla.redhat.com/show_bug.cgi?id=507880 -  qemu hangs during 
VNC connection from RHEVM
https://bugzilla.redhat.com/show_bug.cgi?id=490344 -  QEMU: Cannot VNC 
to a VM if a VNC is already opened to it
https://bugzilla.redhat.com/show_bug.cgi?id=497524 -  QEMU: Early BIOS 
error message cannot be seen after reboot in VNC
https://bugzilla.redhat.com/show_bug.cgi?id=501263 -  KVM: VNC screen is 
sometimes corrupted (at boot?)


If we'll break spice to components we have the following (and I'm not a 
spice expert):
1. QXL device/driver pair
    Is anyone debate we should have it in qemu?
    We should attach it SDL and vnc backend too anyway.
2. VDI (Virtual Desktop Interface)
    http://www.spice-space.org/vdi.html
    It's an abstraction layer for graphics/keyboard/mouse/sound
    /usb/serial.
    We need it anyway regardless of spice. What is our user like to
    switch from vnc to SDL on runtime? It's good for usb-over-ip for
    remoting, for various mouse modes, etc.
3. Spice server
    Shared library, in the same address space of qemu (like vnc server).
    Very sophisticated peace of code.
4. Spice client - independent.

So #1 shouldn't run into any opposition.
We can discuss why #2 is good, the layering separation between 
guest/host seems good idea to me.
As for #3, this is a library. If we have #2, one can even use a separate 
address space for sanity reasons. From my experience with spice (through 
all Red Hat QA), 99.9% of failures originated in qemu..

HTH,
Dor


>
> FWIW, I don't see any reason why Spice couldn't be made to be separate
> from guest emulation.  I think it would just require the right
> interfacing in qemu.  I think that's purely an implementation detail.
>
> Regards,
>
> Anthony Liguori