Re: [Qemu-devel] vNVRAM / blobstore design

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Anthony Liguori <anthony@codemonkey.ws>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>,
	"Michael S. Tsirkin" <mst@redhat.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
	Kent E Yoder <yoder1@us.ibm.com>,
	Corey Bryant <coreyb@linux.vnet.ibm.com>,
	qemu-devel <qemu-devel@nongnu.org>,
	Michael Roth <mdroth@linux.vnet.ibm.com>,
	Joel Schopp <jschopp@linux.vnet.ibm.com>,
	Kenneth Goldman <kgoldman@us.ibm.com>
Subject: Re: [Qemu-devel] vNVRAM / blobstore design
Date: Fri, 29 Mar 2013 10:12:05 -0500	[thread overview]
Message-ID: <87ppyiz1dm.fsf@codemonkey.ws> (raw)
In-Reply-To: <51559D37.9060402@linux.vnet.ibm.com>

Stefan Berger <stefanb@linux.vnet.ibm.com> writes:

> On 03/28/2013 01:39 PM, Michael S. Tsirkin wrote:
>> On Thu, Mar 28, 2013 at 12:27:45PM -0500, Anthony Liguori wrote:
>>> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>>>
>>>> On 03/27/2013 03:12 PM, Stefan Berger wrote:
>>>>> On 03/27/2013 02:27 PM, Anthony Liguori wrote:
>>>>>> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>>>>>>
>>>>>>> On 03/27/2013 01:14 PM, Anthony Liguori wrote:
>>>>>>>
>>>>>> Okay, the short response is:
>>>>>>
>>>>>> Just make the TPM have a DRIVE property, drop all notion of
>>>>>> NVRAM/blobstore, and used fixed offsets into the BlockDriverState for
>>>>>> each blob.
>>>>> Fine by me. I don't see the need for visitors. I guess sharing of the
>>>>> persistent storage between different types of devices is not a goal
>>>>> here so that a layer that hides the layout and the blobs' position
>>>>> within the storage would be necessary. Also fine by me for as long as
>>>>> we don't come back to this discussion.
>>>> One thing I'd like to get clarity about is the following corner-case. A
>>>> user supplies some VM image as persistent storage for the TPM.
>>> What Would Hardware Do?
>>>
>>> If you need to provide a tool to initialize the state, then just provide
>>> a small tool to do that or provide device option to initialize it that
>>> can be used on first run or something.
>>>
>>> Don't bother trying to add complexity with CRCs or anything like that.
>>> Just keep it simple.
>>>
>>> Regards,
>>>
>>> Anthony Liguori
>>
>> External tool sounds better. Update on first use creates
>> nasty corner cases - use isn't a well defined thing.
>> So it creates nasty interactions with migration etc.
>
> What do we do with the following error cases:
>
> - provided storage is too small to fit blobs into

Error creating device.

> - user skipped over using the external tool, storage is not formatted
> - provided storage contains unknown / corrupted data

Garbage in, garbage out.

> - encryption / decryption key is missing (yes, we want blob encryption!)
> - encryption / decryption key is wrong and decrypted data therefore are 
> corrupted

No, encrypting the nvram is not the device's job.  A user can either use
ecryptfs or AES encryption in qcow2 if they feel this is important.

There is nothing special about the TPM's nvram compared to a normal
virtual disk image.  Any argument you would make regarding key storage
is equally applicable to a virtual disk image.  An awful lot of private
keys are stored in virtual disk images today...

> Starting a device and providing it with corrupted data or data that 
> could not be properly decrypted becomes ambiguous. We can do better and 
> determine these error cases without starting up the device and having 
> the user guess what may be wrong : wrong key versus corrupted data. 
> Corrupted data is hopeless while a wrong key can  be fixed.

Same applies to virtual disk images.  If someone hands a guest a garbage
disk image, the behavior will be ambiguous.  It's not a job to prevent
users from doing this.

(In fact, it may even be desirable to test these conditions)

> My suggestion would be to have a layer inside of QEMU that handles these 
> error cases and QEMU would not start up unless these errors get 
> resolved. I think there is probably not much concern regarding the 
> separation of core vTPM functionality and this layer, but more how big 
> this layer becomes, what all it provides in terms of services and one 
> step further then whether it should not be a generic layer that can be 
> used by other devices as well.
>
> Some additional HMP/QMP commands to query for the above error conditions 
> can be implemented and depending on how severe they are another HMP/QMP 
> command can be implemented to resolve some of these error condition, 
> i.e., provide another AES key or go through the step of formatting etc. 
> If a block device is not big enough it may require the user to use 
> qemu-img again and start over.

You're overcomplicating things.  QEMU's role is not to prevent a user
from doing something unusual.  This isn't GNOME.

Regards,

Anthony Liguori

>
> Thanks.
>
>     Stefan

next prev parent reply	other threads:[~2013-03-29 15:12 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-25 21:39 [Qemu-devel] vNVRAM / blobstore design Stefan Berger
2013-03-25 22:05 ` Anthony Liguori
2013-03-25 22:20   ` Stefan Berger
2013-03-27 15:17     ` Corey Bryant
2013-03-27 15:20       ` Corey Bryant
2013-03-27 15:30         ` Michael S. Tsirkin
2013-03-27 16:07           ` mdroth
2013-03-27 15:43         ` Kenneth Goldman
2013-03-27 15:53           ` Michael S. Tsirkin
2013-03-27 16:12             ` Joel Schopp
2013-03-27 16:46               ` Stefan Berger
2013-03-27 17:14                 ` Anthony Liguori
2013-03-27 17:27                   ` Stefan Berger
2013-03-27 18:27                     ` Anthony Liguori
2013-03-27 19:12                       ` Stefan Berger
2013-03-28 16:11                         ` Stefan Berger
2013-03-28 16:31                           ` Michael S. Tsirkin
2013-03-28 17:02                             ` Stefan Berger
2013-03-28 17:27                           ` Anthony Liguori
2013-03-28 17:36                             ` Stefan Berger
2013-03-28 17:39                             ` Michael S. Tsirkin
2013-03-29 13:55                               ` Stefan Berger
2013-03-29 15:12                                 ` Anthony Liguori [this message]
2013-03-29 17:33                           ` Kenneth Goldman
2013-03-31  8:17                             ` Michael S. Tsirkin
2013-03-31 20:48                               ` Kenneth Goldman
2013-04-02 12:06                                 ` Michael S. Tsirkin
2013-04-02 13:24                                   ` Kenneth Goldman
2013-04-02 13:37                                     ` Michael S. Tsirkin
2013-03-27 18:04                   ` Michael S. Tsirkin
2013-03-27 16:20             ` Kenneth Goldman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ppyiz1dm.fsf@codemonkey.ws \
    --to=anthony@codemonkey.ws \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=jschopp@linux.vnet.ibm.com \
    --cc=kgoldman@us.ibm.com \
    --cc=mdroth@linux.vnet.ibm.com \
    --cc=mst@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanb@linux.vnet.ibm.com \
    --cc=stefanha@gmail.com \
    --cc=yoder1@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).