From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: stefanha@redhat.com, qemu-devel@nongnu.org,
	qemu-block@nongnu.org, Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing
Date: Tue, 24 Mar 2015 21:11:08 +0100
Message-ID: <5511C4DC.2090602@redhat.com>
In-Reply-To: <87sicufihu.fsf@blackfin.pond.sub.org>

On 24/03/2015 17:49, Markus Armbruster wrote:
>> But what about migration from newer to older QEMU?  Libvirt even
>> supports QEMU versions where the only way to specify disks is "-hda
>> XYZ", so it is _impossible_ to honor the format=raw specifier.
> 
> If you migrate to a QEMU that doesn't understand the new option, libvirt
> simply won't set it.  You lose the protection against libvirt bugs it
> provides.  Guest won't notice.
> 
> If you somehow manage to find a QEMU old enough to make libvirt use
> format-incapable interfaces, you'll be using insecure format probing on
> the destination.  My patch makes no difference.  Good luck migrating to
> such an old QEMU.

(Didn't mean live migration---sorry, could have simply said "switch").

Based on my reading of the code, libvirt will actually ignore the
allow_disk_format_probing setting, and not do anything about the format
when driving such an old QEMU.  By contrast, if you specify a format and
libvirt invokes an old qemu-nbd without --format, libvirt fails hard.
That's already CVE worthy, isn't it?

So I think an option like this is premature.  libvirt should _first of
all_ ensure that it completely abides by the allow_disk_format_probing
setting, including refusing to drive old QEMUs when format probing is
disabled.  Once libvirt is consistent within itself, we can talk about
what help QEMU can provide.

Perfect is not the enemy of good here.  Good is the enemy of secure.

> As to "near misses don't count": for me, what counts is actual users
> telling me about their difficulties using QEMU securely.  Secure usage
> shouldn't be hard.

The right answer for them is probably "use libvirt" or "use Boxes"
depending on the actual use case.  Invoking QEMU manually is almost never
the right answer for random untrusted images downloaded from the Internet.
Also, I suspect any advice to QEMU users about adding
--no-format-probing would be quickly forgotten.

That said, if _humans_ have interest in secure use of QEMU, that's a
much better and more interesting use case than libvirt's, because
libvirt is itself providing a secure management layer.

We have other security options, for example seccomp and FIPS mode.
Format probing definitely falls in this category.  Let's add first of
all a -security grouping, where "-security [all=]on" enables all of them
but it's also possible to control the suboptions individually.  Then we
can add format probing to this category.  The same options can be added
to the utilities.

Let's iron out the kinks and do it for 2.4.  It's a very useful feature
indeed.

But it's something we do for _users_, not for libvirt.  If libvirt wants
to use those features as a parachute, better for them.  But I still
maintain that for libvirt this is basically security theater, and the
priorities are others.

Paolo
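The point both sides of the thread agree on is that whoever launches QEMU on an untrusted image must pin the image format explicitly rather than let QEMU probe the header. The following shell snippet is an added illustration of that precondition, not code from the thread, from libvirt or from QEMU: it walks a QEMU argument list and refuses to proceed unless every -drive carries format= and none of the format-incapable legacy options (-hda and friends, which the thread mentions cannot express a format) are present. The function names and the sample argument lists are hypothetical, and the -drive/-hda option syntax is assumed to be QEMU's usual one.

```shell
#!/bin/sh
# Added example, not part of the thread: a launcher-side guard that enforces
# "every disk has an explicit format" before QEMU ever sees the image.
# Function names are hypothetical; the argument lists below are constructed.

# Returns 0 when every -drive option carries format=... and no legacy,
# format-incapable disk option is used; returns 1 (with a reason on stderr)
# otherwise.  "$@" is the complete QEMU argument list we intend to run.
drive_formats_explicit() {
    prev=""
    for arg in "$@"; do
        # Legacy forms take a bare file name and cannot specify a format,
        # so QEMU would have to probe the header: reject them outright.
        case "$arg" in
            -hda|-hdb|-hdc|-hdd|-cdrom)
                echo "refusing: $arg cannot carry format=; use -drive file=...,format=..." >&2
                return 1 ;;
        esac
        # The value following -drive must contain a format= key.  Wrapping in
        # commas makes the match exact (",format=" will not match "myformat=").
        if [ "$prev" = "-drive" ]; then
            case ",$arg," in
                *,format=*) ;;
                *)
                    echo "refusing: -drive '$arg' has no explicit format=" >&2
                    return 1 ;;
            esac
        fi
        prev="$arg"
    done
    return 0
}

# Hypothetical wrapper: only launch QEMU once the guard has passed.
run_qemu_untrusted() {
    drive_formats_explicit "$@" || return 1
    exec qemu-system-x86_64 "$@"
}

# Demonstration on constructed argument lists (QEMU itself is not launched):
drive_formats_explicit -m 1G -drive file=untrusted.img,format=raw,if=virtio \
    && echo "accepted: format pinned to raw"
drive_formats_explicit -m 1G -drive file=untrusted.img,if=virtio \
    || echo "rejected: format would have been probed"
drive_formats_explicit -hda untrusted.img \
    || echo "rejected: -hda cannot pin a format"
```

The check is deliberately strict: an image whose format is unknown to the launcher is treated as a configuration error, which is the "refuse to drive when format probing is disabled" behaviour the message asks libvirt to adopt, applied to a plain shell launcher.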
