* [PATCH v2 01/32] qom: replace 'abstract' with 'flags'
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 10:26 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 02/32] qom: add tracking of security state of object types Daniel P. Berrangé
` (32 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This will allow extra boolean flags without expending the memory
usage of the Type struct.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
qom/object.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/qom/object.c b/qom/object.c
index 1856bb36c7..a654765e0a 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -45,6 +45,10 @@ struct InterfaceImpl
const char *typename;
};
+enum TypeImplFlags {
+ TYPE_IMPL_FLAG_ABSTRACT = (1 << 0),
+};
+
struct TypeImpl
{
const char *name;
@@ -63,7 +67,7 @@ struct TypeImpl
void (*instance_post_init)(Object *obj);
void (*instance_finalize)(Object *obj);
- bool abstract;
+ int flags;
const char *parent;
TypeImpl *parent_type;
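Review bot: the new `int flags;` member holds a bitmask, so an unsigned type (`unsigned int` or `uint32_t`) would be the safer choice here. With a signed int, a future flag at `(1 << 31)` shifts into the sign bit. The enum values themselves are fine as written.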
@@ -127,7 +131,9 @@ static TypeImpl *type_new(const TypeInfo *info)
ti->instance_post_init = info->instance_post_init;
ti->instance_finalize = info->instance_finalize;
- ti->abstract = info->abstract;
+ if (info->abstract) {
+ ti->flags |= TYPE_IMPL_FLAG_ABSTRACT;
+ }
for (i = 0; info->interfaces && info->interfaces[i].type; i++) {
ti->interfaces[i].typename = g_strdup(info->interfaces[i].type);
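Review bot: in type_new() the old code assigned `ti->abstract` unconditionally, while the new code only ORs a bit into `ti->flags`, so it now depends on `ti` having been zero-allocated, which this hunk does not show. Either confirm that in the commit message or start from an explicit `ti->flags = 0;` before the conditional.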
@@ -348,11 +354,11 @@ static void type_initialize(TypeImpl *ti)
* This means interface types are all abstract.
*/
if (ti->instance_size == 0) {
- ti->abstract = true;
+ ti->flags |= TYPE_IMPL_FLAG_ABSTRACT;
}
if (type_is_ancestor(ti, type_interface)) {
assert(ti->instance_size == 0);
- assert(ti->abstract);
+ assert(ti->flags & TYPE_IMPL_FLAG_ABSTRACT);
assert(!ti->instance_init);
assert(!ti->instance_post_init);
assert(!ti->instance_finalize);
@@ -558,7 +564,7 @@ static void object_initialize_with_type(Object *obj, size_t size, TypeImpl *type
type_initialize(type);
g_assert(type->instance_size >= sizeof(Object));
- g_assert(type->abstract == false);
+ g_assert(!(type->flags & TYPE_IMPL_FLAG_ABSTRACT));
g_assert(size >= type->instance_size);
memset(obj, 0, type->instance_size);
@@ -1045,7 +1051,7 @@ ObjectClass *object_get_class(Object *obj)
bool object_class_is_abstract(ObjectClass *klass)
{
- return klass->type->abstract;
+ return klass->type->flags & TYPE_IMPL_FLAG_ABSTRACT;
}
const char *object_class_get_name(ObjectClass *klass)
@@ -1110,7 +1116,8 @@ static void object_class_foreach_tramp(gpointer key, gpointer value,
type_initialize(type);
k = type->class;
- if (!data->include_abstract && type->abstract) {
+ if (!data->include_abstract &&
+ (type->flags & TYPE_IMPL_FLAG_ABSTRACT)) {
return;
}
--
2.50.1
* Re: [PATCH v2 01/32] qom: replace 'abstract' with 'flags'
2025-09-26 14:01 ` [PATCH v2 01/32] qom: replace 'abstract' with 'flags' Daniel P. Berrangé
@ 2025-10-23 10:26 ` Markus Armbruster
2025-10-24 13:39 ` Daniel P. Berrangé
0 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 10:26 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> This will allow extra boolean flags without expending the memory
"expanding", I guess.
> usage of the Type struct.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
According to pahole, we currently have 7 unused bytes right after
@abstract. So this will pay off after the eighth flag, or the fourth if
something else plugs into the hole.
According to size, qemu-system-x86_64's text grows by 64 bytes.
> ---
> qom/object.c | 21 ++++++++++++++-------
> 1 file changed, 14 insertions(+), 7 deletions(-)
I wouldn't bother :)
* Re: [PATCH v2 01/32] qom: replace 'abstract' with 'flags'
2025-10-23 10:26 ` Markus Armbruster
@ 2025-10-24 13:39 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-24 13:39 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 12:26:53PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
> > This will allow extra boolean flags without expending the memory
>
> "expanding", I guess.
>
> > usage of the Type struct.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>
> According to pahole, we currently have 7 unused bytes right after
> @abstract. So this will pay off after the eighth flag, or the fourth if
> something else plugs into the hole.
>
> According to size, qemu-system-x86_64's text grows by 64 bytes.
>
> > ---
> > qom/object.c | 21 ++++++++++++++-------
> > 1 file changed, 14 insertions(+), 7 deletions(-)
>
> I wouldn't bother :)
Agreed, I'll drop this.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
* [PATCH v2 02/32] qom: add tracking of security state of object types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 01/32] qom: replace 'abstract' with 'flags' Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument Daniel P. Berrangé
` (31 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This introduces a new flag "secure" against the Type/TypeInfo
structs, and helpers to check this against the ObjectClass
struct.
If an object is considered to provide a security boundary to
protect against untrusted code, the "secure" flag must be
explicitly set to true.
If an object is considered to NOT provide protection against
untrusted code, the "secure" flag must be explicitly set to
false.
If the security protection of an object has not yet been
evaluated and/or decided upon, the "secure" flag must not be
initialized. It will be implicitly set to 'false' for the
purposes of code querying the status.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qom/object.h | 13 +++++++++++++
qom/object.c | 9 +++++++++
2 files changed, 22 insertions(+)
diff --git a/include/qom/object.h b/include/qom/object.h
index 26df6137b9..9893be9ef8 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -453,6 +453,10 @@ struct Object
* function.
* @abstract: If this field is true, then the class is considered abstract and
* cannot be directly instantiated.
+ * @secure: If this field is initialized to true, then the class is considered
+ * to provide a security boundary. If initialized to false, the class does
+ * not provide a security boundary. If uninitialized (and thus implicitly
+ * false) its status is not yet defined.
* @class_size: The size of the class object (derivative of #ObjectClass)
* for this object. If @class_size is 0, then the size of the class will be
* assumed to be the size of the parent class. This allows a type to avoid
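Review bot: the @secure doc text describes three states (true, false, uninitialized), but the field added below is a plain `bool`, so "explicitly false" and "not yet evaluated" are indistinguishable at runtime and exist only as a source-level convention. If the distinction is meant to be queryable later (for example in help output or QMP), this needs a tri-state enum; if not, say in the comment that the difference is visible only to readers of the source.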
@@ -485,6 +489,7 @@ struct TypeInfo
void (*instance_finalize)(Object *obj);
bool abstract;
+ bool secure;
size_t class_size;
void (*class_init)(ObjectClass *klass, const void *data);
@@ -996,6 +1001,14 @@ const char *object_class_get_name(ObjectClass *klass);
*/
bool object_class_is_abstract(ObjectClass *klass);
+/**
+ * object_class_is_secure:
+ * @klass: The class to check security of
+ *
+ * Returns: %true if @klass is declared to be secure, %false if not declared
+ */
+bool object_class_is_secure(ObjectClass *klass);
+
/**
* object_class_by_name:
* @typename: The QOM typename to obtain the class for.
diff --git a/qom/object.c b/qom/object.c
index a654765e0a..7e0921ae20 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -47,6 +47,7 @@ struct InterfaceImpl
enum TypeImplFlags {
TYPE_IMPL_FLAG_ABSTRACT = (1 << 0),
+ TYPE_IMPL_FLAG_SECURE = (1 << 1),
};
struct TypeImpl
@@ -134,6 +135,9 @@ static TypeImpl *type_new(const TypeInfo *info)
if (info->abstract) {
ti->flags |= TYPE_IMPL_FLAG_ABSTRACT;
}
+ if (info->secure) {
+ ti->flags |= TYPE_IMPL_FLAG_SECURE;
+ }
for (i = 0; info->interfaces && info->interfaces[i].type; i++) {
ti->interfaces[i].typename = g_strdup(info->interfaces[i].type);
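Review bot: in type_new() the SECURE bit is taken only from this type's own `info->secure`, so a subtype of a secure parent is treated as not secure unless its TypeInfo repeats the setting. That is the conservative default, but it is not stated in the @secure documentation added in include/qom/object.h; a sentence there saying the flag is not inherited would prevent surprises.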
@@ -1054,6 +1058,11 @@ bool object_class_is_abstract(ObjectClass *klass)
return klass->type->flags & TYPE_IMPL_FLAG_ABSTRACT;
}
+bool object_class_is_secure(ObjectClass *klass)
+{
+ return klass->type->flags & TYPE_IMPL_FLAG_SECURE;
+}
+
const char *object_class_get_name(ObjectClass *klass)
{
return klass->type->name;
--
2.50.1
* [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 01/32] qom: replace 'abstract' with 'flags' Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 02/32] qom: add tracking of security state of object types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 10:38 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 04/32] system: check security for accelerator types Daniel P. Berrangé
` (30 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This introduces a new 'insecure-types' option for the 'compat'
argument that accepts three values
* accept: Allow any usage
* reject: Reject with an error reported
* warn: Allow any usage, with a warning reported
For historical compatibility it defaults to 'accept'.
The 'reject' and 'warn' values will take effect for any type
that has been explicitly marked insecure, or is lacking an
explicit declaration of its security status.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qapi/compat-policy.h | 5 +++++
qapi/compat.json | 24 +++++++++++++++++++++++-
qapi/qapi-util.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/include/qapi/compat-policy.h b/include/qapi/compat-policy.h
index ea65e10744..b2d0835c36 100644
--- a/include/qapi/compat-policy.h
+++ b/include/qapi/compat-policy.h
@@ -24,6 +24,11 @@ bool compat_policy_input_ok(uint64_t features,
const char *kind, const char *name,
Error **errp);
+bool compat_policy_check_security(CompatPolicy *policy,
+ const char *typename,
+ bool isSecure,
+ Error **errp);
+
/*
* Create a QObject input visitor for @obj for use with QMP
*
diff --git a/qapi/compat.json b/qapi/compat.json
index 90b8d51cf2..dcef10a3a5 100644
--- a/qapi/compat.json
+++ b/qapi/compat.json
@@ -37,6 +37,24 @@
{ 'enum': 'CompatPolicyOutput',
'data': [ 'accept', 'hide' ] }
+##
+# @CompatPolicySecurity:
+#
+# Policy for handling any devices or backends which
+# do not provide a security boundary to protect
+# against untrusted environments
+#
+# @accept: Allow any usage
+#
+# @reject: Reject with an error reported
+#
+# @warn: Allow any usage, with a warning reported
+#
+# Since: 10.2
+##
+{ 'enum': 'CompatPolicySecurity',
+ 'data': [ 'accept', 'reject', 'warn' ] }
+
##
# @CompatPolicy:
#
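Review bot: the @CompatPolicySecurity description limits the policy to "devices or backends", yet later patches in this series apply the same check to accelerator and machine types, so the wording should say "types" or list all of them. The doc also says "untrusted environments" while the messages added in qapi/qapi-util.c say "untrusted workloads"; pick one term.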
@@ -62,10 +80,14 @@
# @unstable-output: how to handle unstable output (default 'accept')
# (since 6.2)
#
+# @insecure-types: how to handle types that are not declared
+# secure (default 'accept') (since 10.2)
+#
# Since: 6.0
##
{ 'struct': 'CompatPolicy',
'data': { '*deprecated-input': 'CompatPolicyInput',
'*deprecated-output': 'CompatPolicyOutput',
'*unstable-input': 'CompatPolicyInput',
- '*unstable-output': 'CompatPolicyOutput' } }
+ '*unstable-output': 'CompatPolicyOutput',
+ '*insecure-types': 'CompatPolicySecurity' } }
diff --git a/qapi/qapi-util.c b/qapi/qapi-util.c
index 3d849fe034..ef982d903e 100644
--- a/qapi/qapi-util.c
+++ b/qapi/qapi-util.c
@@ -14,6 +14,7 @@
#include "qapi/compat-policy.h"
#include "qapi/error.h"
#include "qemu/ctype.h"
+#include "qemu/error-report.h"
#include "qapi/qmp/qerror.h"
CompatPolicy compat_policy;
@@ -58,6 +59,35 @@ bool compat_policy_input_ok(uint64_t features,
return true;
}
+bool compat_policy_check_security(CompatPolicy *policy,
+ const char *typename,
+ bool isSecure,
+ Error **errp)
+{
+ if (isSecure) {
+ return true;
+ }
+
+ switch (policy->insecure_types) {
+ case COMPAT_POLICY_SECURITY_ACCEPT:
+ return true;
+
+ case COMPAT_POLICY_SECURITY_REJECT:
+ error_setg(errp, "Type '%s' does not provide a security boundary "
+ "to protect against untrusted workloads", typename);
+ return false;
+
+ case COMPAT_POLICY_SECURITY_WARN:
+ warn_report("Type '%s' does not provide a security boundary "
+ "to protect against untrusted workloads", typename);
+ return true;
+
+ default:
+ g_assert_not_reached();
+ }
+}
+
+
const char *qapi_enum_lookup(const QEnumLookup *lookup, int val)
{
assert(val >= 0 && val < lookup->size);
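Review bot: the reject and warn arms of compat_policy_check_security() carry the same message text twice ("Type '%s' does not provide a security boundary ..."), which will drift when one copy is edited; define the format string once and use it in both arms. The function is also followed by two added blank lines where the file uses one.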
--
2.50.1
* Re: [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument
2025-09-26 14:01 ` [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument Daniel P. Berrangé
@ 2025-10-23 10:38 ` Markus Armbruster
0 siblings, 0 replies; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 10:38 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> This introduces a new 'insecure-types' option for the 'compat'
> argument that accepts three values
>
> * accept: Allow any usage
> * reject: Reject with an error reported
> * warn: Allow any usage, with a warning reported
>
> For historical compatibility it defaults to 'accept'.
>
> The 'reject' and 'warn' values will take effect for any type
> that has been explicitly marked insecure, or is lacking an
> explicit declaration of its security status.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Suggest to mention that the new option doesn't do anything, yet.
> ---
> include/qapi/compat-policy.h | 5 +++++
> qapi/compat.json | 24 +++++++++++++++++++++++-
> qapi/qapi-util.c | 30 ++++++++++++++++++++++++++++++
> 3 files changed, 58 insertions(+), 1 deletion(-)
>
> diff --git a/include/qapi/compat-policy.h b/include/qapi/compat-policy.h
> index ea65e10744..b2d0835c36 100644
> --- a/include/qapi/compat-policy.h
> +++ b/include/qapi/compat-policy.h
> @@ -24,6 +24,11 @@ bool compat_policy_input_ok(uint64_t features,
> const char *kind, const char *name,
> Error **errp);
>
> +bool compat_policy_check_security(CompatPolicy *policy,
> + const char *typename,
> + bool isSecure,
is_secure
> + Error **errp);
> +
> /*
> * Create a QObject input visitor for @obj for use with QMP
> *
> diff --git a/qapi/compat.json b/qapi/compat.json
> index 90b8d51cf2..dcef10a3a5 100644
> --- a/qapi/compat.json
> +++ b/qapi/compat.json
> @@ -37,6 +37,24 @@
> { 'enum': 'CompatPolicyOutput',
> 'data': [ 'accept', 'hide' ] }
>
> +##
> +# @CompatPolicySecurity:
> +#
> +# Policy for handling any devices or backends which
> +# do not provide a security boundary to protect
> +# against untrusted environments
Please wrap like this:
# Policy for handling any devices or backends which do not provide a
# security boundary to protect against untrusted environments
> +#
> +# @accept: Allow any usage
> +#
> +# @reject: Reject with an error reported
> +#
> +# @warn: Allow any usage, with a warning reported
> +#
> +# Since: 10.2
> +##
> +{ 'enum': 'CompatPolicySecurity',
> + 'data': [ 'accept', 'reject', 'warn' ] }
> +
> ##
> # @CompatPolicy:
> #
> @@ -62,10 +80,14 @@
> # @unstable-output: how to handle unstable output (default 'accept')
> # (since 6.2)
> #
> +# @insecure-types: how to handle types that are not declared
> +# secure (default 'accept') (since 10.2)
> +#
Please wrap like this:
# @insecure-types: how to handle types that are not declared secure
# (default 'accept') (since 10.2)
> # Since: 6.0
> ##
> { 'struct': 'CompatPolicy',
> 'data': { '*deprecated-input': 'CompatPolicyInput',
> '*deprecated-output': 'CompatPolicyOutput',
> '*unstable-input': 'CompatPolicyInput',
> - '*unstable-output': 'CompatPolicyOutput' } }
> + '*unstable-output': 'CompatPolicyOutput',
> + '*insecure-types': 'CompatPolicySecurity' } }
> diff --git a/qapi/qapi-util.c b/qapi/qapi-util.c
> index 3d849fe034..ef982d903e 100644
> --- a/qapi/qapi-util.c
> +++ b/qapi/qapi-util.c
> @@ -14,6 +14,7 @@
> #include "qapi/compat-policy.h"
> #include "qapi/error.h"
> #include "qemu/ctype.h"
> +#include "qemu/error-report.h"
> #include "qapi/qmp/qerror.h"
>
> CompatPolicy compat_policy;
> @@ -58,6 +59,35 @@ bool compat_policy_input_ok(uint64_t features,
> return true;
> }
>
> +bool compat_policy_check_security(CompatPolicy *policy,
> + const char *typename,
> + bool isSecure,
> + Error **errp)
> +{
> + if (isSecure) {
> + return true;
> + }
> +
> + switch (policy->insecure_types) {
> + case COMPAT_POLICY_SECURITY_ACCEPT:
> + return true;
> +
> + case COMPAT_POLICY_SECURITY_REJECT:
> + error_setg(errp, "Type '%s' does not provide a security boundary "
> + "to protect against untrusted workloads", typename);
> + return false;
> +
> + case COMPAT_POLICY_SECURITY_WARN:
> + warn_report("Type '%s' does not provide a security boundary "
> + "to protect against untrusted workloads", typename);
> + return true;
The error messages are hard to judge until we see uses. I figure what
"untrusted workloads" actually means depends on the type. For a device,
it's probably an untrusted guest. For a block backend, it could be an
untrusted image.
> +
> + default:
> + g_assert_not_reached();
> + }
> +}
> +
> +
> const char *qapi_enum_lookup(const QEnumLookup *lookup, int val)
> {
> assert(val >= 0 && val < lookup->size);
* [PATCH v2 04/32] system: check security for accelerator types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (2 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 03/32] qapi: add 'insecure-types' option for -compat argument Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 05/32] system: report acclerator security status in help output Daniel P. Berrangé
` (29 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This wires up the accelerator creation code to apply the compat policy
security check. When multiple -accel options are given, normal fallback
logic applies. IOW, if one is rejected by the security check, it will
carry on to try the next accelerator until one passes the security
check.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/vl.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/system/vl.c b/system/vl.c
index 00f3694725..6f7fdb8663 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -2383,12 +2383,21 @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
AccelState *accel;
int ret;
bool qtest_with_kvm;
+ Error *local_err = NULL;
if (!acc) {
error_setg(errp, QERR_MISSING_PARAMETER, "accel");
goto bad;
}
+ if (!compat_policy_check_security(&compat_policy,
+ object_class_get_name(OBJECT_CLASS(ac)),
+ object_class_is_secure(OBJECT_CLASS(ac)),
+ &local_err)) {
+ error_report_err(local_err);
+ goto bad;
+ }
+
qtest_with_kvm = g_str_equal(acc, "kvm") && qtest_chrdev != NULL;
if (!ac) {
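Review bot: the added check passes `OBJECT_CLASS(ac)` to object_class_get_name() and object_class_is_secure() before the existing `if (!ac) {` test that follows it in this hunk, so when `ac` is NULL both helpers receive a NULL class. Move the security check below the NULL test. Since the commit message promises fallback to the next -accel option, a short comment that `goto bad` is what provides it would also help.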
--
2.50.1
* [PATCH v2 05/32] system: report acclerator security status in help output
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (3 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 04/32] system: check security for accelerator types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 06/32] system: check security for machine types Daniel P. Berrangé
` (28 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
When '-accel help' is given, report the security status of each
accelerator.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/vl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/system/vl.c b/system/vl.c
index 6f7fdb8663..38c6caf524 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -3433,7 +3433,9 @@ void qemu_init(int argc, char **argv)
g_str_has_suffix(typename, ACCEL_CLASS_SUFFIX)) {
gchar **optname = g_strsplit(typename,
ACCEL_CLASS_SUFFIX, 0);
- printf("%s\n", optname[0]);
+ printf("%s%s\n", optname[0],
+ object_class_is_secure(OBJECT_CLASS(el->data)) ?
+ " (secure)" : "");
g_strfreev(optname);
}
g_free(typename);
--
2.50.1
* [PATCH v2 06/32] system: check security for machine types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (4 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 05/32] system: report acclerator security status in help output Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 11:51 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 07/32] system: report machine security status in help output Daniel P. Berrangé
` (27 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This wires up the machine creation code to apply the compat policy
security check.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/vl.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/system/vl.c b/system/vl.c
index 38c6caf524..716bf6d490 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -2182,10 +2182,19 @@ static void qemu_create_machine_containers(Object *machine)
}
}
-static void qemu_create_machine(QDict *qdict)
+static int qemu_create_machine(QDict *qdict)
{
MachineClass *machine_class = select_machine(qdict, &error_fatal);
object_set_machine_compat_props(machine_class->compat_props);
+ Error *local_err;
+
+ if (!compat_policy_check_security(&compat_policy,
+ object_class_get_name(OBJECT_CLASS(machine_class)),
+ object_class_is_secure(OBJECT_CLASS(machine_class)),
+ &local_err)) {
+ error_report_err(local_err);
+ return -1;
+ }
current_machine = MACHINE(object_new_with_class(OBJECT_CLASS(machine_class)));
object_property_add_child(object_get_root(), "machine",
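Review bot: `Error *local_err;` in qemu_create_machine() is declared without an initializer and its address is then passed to compat_policy_check_security(), whose reject arm calls error_setg(errp, ...); error_setg() expects *errp to be NULL on entry. Patch 04 uses `Error *local_err = NULL;` for the same pattern, and this should match. The declaration also sits after the object_set_machine_compat_props() statement; moving it up beside `machine_class` keeps declarations together.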
@@ -2222,6 +2231,8 @@ static void qemu_create_machine(QDict *qdict)
false, &error_abort);
qobject_unref(default_opts);
}
+
+ return 0;
}
static int global_init_func(void *opaque, QemuOpts *opts, Error **errp)
@@ -3763,7 +3774,9 @@ void qemu_init(int argc, char **argv)
/* Transfer QemuOpts options into machine options */
parse_memory_options();
- qemu_create_machine(machine_opts_dict);
+ if (qemu_create_machine(machine_opts_dict) < 0) {
+ exit(1);
+ }
/*
* Load incoming CPR state before any devices are created, because it
--
2.50.1
* Re: [PATCH v2 06/32] system: check security for machine types
2025-09-26 14:01 ` [PATCH v2 06/32] system: check security for machine types Daniel P. Berrangé
@ 2025-10-23 11:51 ` Markus Armbruster
0 siblings, 0 replies; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 11:51 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> This wires up the machine creation code to apply the compat policy
> security check.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> system/vl.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/system/vl.c b/system/vl.c
> index 38c6caf524..716bf6d490 100644
> --- a/system/vl.c
> +++ b/system/vl.c
> @@ -2182,10 +2182,19 @@ static void qemu_create_machine_containers(Object *machine)
> }
> }
>
> -static void qemu_create_machine(QDict *qdict)
> +static int qemu_create_machine(QDict *qdict)
Suggest bool.
> {
> MachineClass *machine_class = select_machine(qdict, &error_fatal);
> object_set_machine_compat_props(machine_class->compat_props);
> + Error *local_err;
> +
> + if (!compat_policy_check_security(&compat_policy,
> + object_class_get_name(OBJECT_CLASS(machine_class)),
> + object_class_is_secure(OBJECT_CLASS(machine_class)),
> + &local_err)) {
> + error_report_err(local_err);
> + return -1;
> + }
>
> current_machine = MACHINE(object_new_with_class(OBJECT_CLASS(machine_class)));
> object_property_add_child(object_get_root(), "machine",
> @@ -2222,6 +2231,8 @@ static void qemu_create_machine(QDict *qdict)
> false, &error_abort);
> qobject_unref(default_opts);
> }
> +
> + return 0;
> }
>
> static int global_init_func(void *opaque, QemuOpts *opts, Error **errp)
> @@ -3763,7 +3774,9 @@ void qemu_init(int argc, char **argv)
> /* Transfer QemuOpts options into machine options */
> parse_memory_options();
>
> - qemu_create_machine(machine_opts_dict);
> + if (qemu_create_machine(machine_opts_dict) < 0) {
> + exit(1);
> + }
>
> /*
> * Load incoming CPR state before any devices are created, because it
* [PATCH v2 07/32] system: report machine security status in help output
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (5 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 06/32] system: check security for machine types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 08/32] system: check security of device types Daniel P. Berrangé
` (26 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
When '-machine help' is given, report the security status of each
machine.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/vl.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/system/vl.c b/system/vl.c
index 716bf6d490..fec3a195f6 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -1578,9 +1578,10 @@ static void machine_help_func(const QDict *qdict)
if (mc->alias) {
printf("%-20s %s (alias of %s)\n", mc->alias, mc->desc, mc->name);
}
- printf("%-20s %s%s%s\n", mc->name, mc->desc,
+ printf("%-20s %s%s%s%s\n", mc->name, mc->desc,
mc->is_default ? " (default)" : "",
- mc->deprecation_reason ? " (deprecated)" : "");
+ mc->deprecation_reason ? " (deprecated)" : "",
+ object_class_is_secure(OBJECT_CLASS(mc)) ? " (secure)" : "");
}
}
--
2.50.1
* [PATCH v2 08/32] system: check security of device types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (6 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 07/32] system: report machine security status in help output Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 11:54 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 09/32] system: report device security status in help output Daniel P. Berrangé
` (25 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This wires up the DeviceClass types to have their
security checked when devices are created.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/qdev-monitor.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
index 2ac92d0a07..520fe5c495 100644
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@@ -43,6 +43,8 @@
#include "hw/qdev-properties.h"
#include "hw/clock.h"
#include "hw/boards.h"
+#include "qapi/compat-policy.h"
+
/*
* Aliases were a bad idea from the start. Let's keep them
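Review bot: the lone `+` line after the new `#include "qapi/compat-policy.h"` adds a second empty line before the "Aliases" comment block. Drop it so the include list is still followed by a single blank line.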
@@ -644,6 +646,13 @@ DeviceState *qdev_device_add_from_qdict(const QDict *opts,
return NULL;
}
+ if (!compat_policy_check_security(&compat_policy,
+ object_class_get_name(OBJECT_CLASS(dc)),
+ object_class_is_secure(OBJECT_CLASS(dc)),
+ errp)) {
+ return NULL;
+ }
+
/* find bus */
path = qdict_get_try_str(opts, "bus");
if (path != NULL) {
--
2.50.1
* Re: [PATCH v2 08/32] system: check security of device types
2025-09-26 14:01 ` [PATCH v2 08/32] system: check security of device types Daniel P. Berrangé
@ 2025-10-23 11:54 ` Markus Armbruster
2025-10-24 13:28 ` Daniel P. Berrangé
0 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 11:54 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> This wires up the DeviceClass types to have their
> security checked when devices are created.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> system/qdev-monitor.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> index 2ac92d0a07..520fe5c495 100644
> --- a/system/qdev-monitor.c
> +++ b/system/qdev-monitor.c
> @@ -43,6 +43,8 @@
> #include "hw/qdev-properties.h"
> #include "hw/clock.h"
> #include "hw/boards.h"
> +#include "qapi/compat-policy.h"
> +
>
> /*
> * Aliases were a bad idea from the start. Let's keep them
> @@ -644,6 +646,13 @@ DeviceState *qdev_device_add_from_qdict(const QDict *opts,
> return NULL;
> }
>
> + if (!compat_policy_check_security(&compat_policy,
> + object_class_get_name(OBJECT_CLASS(dc)),
> + object_class_is_secure(OBJECT_CLASS(dc)),
> + errp)) {
> + return NULL;
> + }
> +
> /* find bus */
> path = qdict_get_try_str(opts, "bus");
> if (path != NULL) {
All users of compat_policy_check_security() in this series pass
object_class_get_name(<the-object>),
object_class_is_secure(<the-object>),
Have you considered passing just <the-object> instead?
* Re: [PATCH v2 08/32] system: check security of device types
2025-10-23 11:54 ` Markus Armbruster
@ 2025-10-24 13:28 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-24 13:28 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 01:54:24PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
> > This wires up the DeviceClass types to have their
> > security checked when devices are created.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > system/qdev-monitor.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> > index 2ac92d0a07..520fe5c495 100644
> > --- a/system/qdev-monitor.c
> > +++ b/system/qdev-monitor.c
> > @@ -43,6 +43,8 @@
> > #include "hw/qdev-properties.h"
> > #include "hw/clock.h"
> > #include "hw/boards.h"
> > +#include "qapi/compat-policy.h"
> > +
> >
> > /*
> > * Aliases were a bad idea from the start. Let's keep them
> > @@ -644,6 +646,13 @@ DeviceState *qdev_device_add_from_qdict(const QDict *opts,
> > return NULL;
> > }
> >
> > + if (!compat_policy_check_security(&compat_policy,
> > + object_class_get_name(OBJECT_CLASS(dc)),
> > + object_class_is_secure(OBJECT_CLASS(dc)),
> > + errp)) {
> > + return NULL;
> > + }
> > +
> > /* find bus */
> > path = qdict_get_try_str(opts, "bus");
> > if (path != NULL) {
>
> All users of compat_policy_check_security() in this series pass
>
> object_class_get_name(<the-object>),
> object_class_is_secure(<the-object>),
>
> Have you considered passing just <the-object> instead?
That would make qapi/qapi-compat.c have a dependency on QOM which I
felt was undesirable. What I could do, however, is introduce an
object_check_security method in qom/object.c that calls into
compat_policy_check_security, so we simplify the callers.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 09/32] system: report device security status in help output
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (7 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 08/32] system: check security of device types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 11:57 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 10/32] hw/core: report security status in query-machines Daniel P. Berrangé
` (24 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
When '-device help' is given, report the security status of each
device.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
system/qdev-monitor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
index 520fe5c495..86ae64dccd 100644
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@@ -166,6 +166,9 @@ static void qdev_print_devinfo(DeviceClass *dc)
if (!dc->user_creatable) {
qemu_printf(", no-user");
}
+ if (object_class_is_secure(OBJECT_CLASS(dc))) {
+ qemu_printf(", secure");
+ }
qemu_printf("\n");
}
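
Review bot: in qdev_print_devinfo() only the true case prints a marker, so a device for which object_class_is_secure() returns false produces the same line as it would on a QEMU that predates this flag. Either print a distinct marker for the false case or state in the commit message that the absence of ", secure" is the only signal.
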
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 09/32] system: report device security status in help output
2025-09-26 14:01 ` [PATCH v2 09/32] system: report device security status in help output Daniel P. Berrangé
@ 2025-10-23 11:57 ` Markus Armbruster
0 siblings, 0 replies; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 11:57 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> When '-device help' is given, report the security status of each
> device.
Affects not just "-device help" and "device_add help", but also "info
qdm".
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> system/qdev-monitor.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> index 520fe5c495..86ae64dccd 100644
> --- a/system/qdev-monitor.c
> +++ b/system/qdev-monitor.c
> @@ -166,6 +166,9 @@ static void qdev_print_devinfo(DeviceClass *dc)
> if (!dc->user_creatable) {
> qemu_printf(", no-user");
> }
> + if (object_class_is_secure(OBJECT_CLASS(dc))) {
> + qemu_printf(", secure");
> + }
> qemu_printf("\n");
> }
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 10/32] hw/core: report security status in query-machines
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (8 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 09/32] system: report device security status in help output Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 12:17 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 11/32] qom: report & filter on security status in qom-list-types Daniel P. Berrangé
` (23 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/core/machine-qmp-cmds.c | 1 +
qapi/machine.json | 8 +++++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
index 6aca1a626e..4d9906f64a 100644
--- a/hw/core/machine-qmp-cmds.c
+++ b/hw/core/machine-qmp-cmds.c
@@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
if (mc->default_ram_id) {
info->default_ram_id = g_strdup(mc->default_ram_id);
}
+ info->secure = object_class_is_secure(OBJECT_CLASS(mc));
if (compat_props && mc->compat_props) {
int i;
diff --git a/qapi/machine.json b/qapi/machine.json
index 038eab281c..bb2b308ccd 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -194,6 +194,11 @@
# present when `query-machines` argument @compat-props is true.
# (since 9.1)
#
+# @secure: If true, the machine is declared to provide a security
+# boundary from the guest; if false the machine is either
+# not providing a security boundary, or its status is undefined.
+# (since 10.2)
+#
# Features:
#
# @unstable: Member @compat-props is experimental.
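
Review bot: the @secure description folds two states into false ("not providing a security boundary, or its status is undefined"), so a query-machines client cannot tell a machine declared insecure from one that has not been classified. If management applications need that distinction, an enum or a second member would carry it; if they do not, say in the doc comment that false must be read as "no security boundary promised".
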
@@ -207,7 +212,8 @@
'deprecated': 'bool', '*default-cpu-type': 'str',
'*default-ram-id': 'str', 'acpi': 'bool',
'*compat-props': { 'type': ['CompatProperty'],
- 'features': ['unstable'] } } }
+ 'features': ['unstable'] },
+ 'secure': 'bool' } }
##
# @query-machines:
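
Review bot: 'secure': 'bool' is added here as a mandatory member, while patch 11/32 adds the same information to ObjectTypeInfo as optional ('*secure': 'bool', omitted if false). Use one convention for both, or note in the doc comment why they differ, so clients do not need two different presence checks for the same flag.
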
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 10/32] hw/core: report security status in query-machines
2025-09-26 14:01 ` [PATCH v2 10/32] hw/core: report security status in query-machines Daniel P. Berrangé
@ 2025-10-23 12:17 ` Markus Armbruster
2025-10-24 13:32 ` Daniel P. Berrangé
0 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 12:17 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> hw/core/machine-qmp-cmds.c | 1 +
> qapi/machine.json | 8 +++++++-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
> index 6aca1a626e..4d9906f64a 100644
> --- a/hw/core/machine-qmp-cmds.c
> +++ b/hw/core/machine-qmp-cmds.c
> @@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
> if (mc->default_ram_id) {
> info->default_ram_id = g_strdup(mc->default_ram_id);
> }
> + info->secure = object_class_is_secure(OBJECT_CLASS(mc));
>
> if (compat_props && mc->compat_props) {
> int i;
> diff --git a/qapi/machine.json b/qapi/machine.json
> index 038eab281c..bb2b308ccd 100644
> --- a/qapi/machine.json
> +++ b/qapi/machine.json
> @@ -194,6 +194,11 @@
> # present when `query-machines` argument @compat-props is true.
> # (since 9.1)
> #
> +# @secure: If true, the machine is declared to provide a security
> +# boundary from the guest; if false the machine is either
> +# not providing a security boundary, or its status is undefined.
> +# (since 10.2)
> +#
> # Features:
> #
> # @unstable: Member @compat-props is experimental.
> @@ -207,7 +212,8 @@
> 'deprecated': 'bool', '*default-cpu-type': 'str',
> '*default-ram-id': 'str', 'acpi': 'bool',
> '*compat-props': { 'type': ['CompatProperty'],
> - 'features': ['unstable'] } } }
> + 'features': ['unstable'] },
> + 'secure': 'bool' } }
>
> ##
> # @query-machines:
Isn't this redundant with qom-list-types?
{"execute": "qom-list-types", "arguments": {"implements": "machine"}}
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 10/32] hw/core: report security status in query-machines
2025-10-23 12:17 ` Markus Armbruster
@ 2025-10-24 13:32 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-24 13:32 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 02:17:42PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > hw/core/machine-qmp-cmds.c | 1 +
> > qapi/machine.json | 8 +++++++-
> > 2 files changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
> > index 6aca1a626e..4d9906f64a 100644
> > --- a/hw/core/machine-qmp-cmds.c
> > +++ b/hw/core/machine-qmp-cmds.c
> > @@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
> > if (mc->default_ram_id) {
> > info->default_ram_id = g_strdup(mc->default_ram_id);
> > }
> > + info->secure = object_class_is_secure(OBJECT_CLASS(mc));
> >
> > if (compat_props && mc->compat_props) {
> > int i;
> > diff --git a/qapi/machine.json b/qapi/machine.json
> > index 038eab281c..bb2b308ccd 100644
> > --- a/qapi/machine.json
> > +++ b/qapi/machine.json
> > @@ -194,6 +194,11 @@
> > # present when `query-machines` argument @compat-props is true.
> > # (since 9.1)
> > #
> > +# @secure: If true, the machine is declared to provide a security
> > +# boundary from the guest; if false the machine is either
> > +# not providing a security boundary, or its status is undefined.
> > +# (since 10.2)
> > +#
> > # Features:
> > #
> > # @unstable: Member @compat-props is experimental.
> > @@ -207,7 +212,8 @@
> > 'deprecated': 'bool', '*default-cpu-type': 'str',
> > '*default-ram-id': 'str', 'acpi': 'bool',
> > '*compat-props': { 'type': ['CompatProperty'],
> > - 'features': ['unstable'] } } }
> > + 'features': ['unstable'] },
> > + 'secure': 'bool' } }
> >
> > ##
> > # @query-machines:
>
> Isn't this redundant with qom-list-types?
>
> {"execute": "qom-list-types", "arguments": {"implements": "machine"}}
Well if the mgmt app is already using 'query-machines' for other reasons,
and doesn't currently use 'qom-list-types', then it is useful to have
the info reported in the former too. Also I viewed the 'secure' flag
as being conceptually twinned with the 'deprecated' flag which is also
here in 'query-machines'.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 11/32] qom: report & filter on security status in qom-list-types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (9 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 10/32] hw/core: report security status in query-machines Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 10:58 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 12/32] docs: expand security docs with info about security status Daniel P. Berrangé
` (22 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This adds:
* a new boolean 'secure' field to the type info returned by
qom-list-types, which will be set if the type provides a
security boundary
* a new boolean 'secure' parameter to the arguments of
qom-list-types, which can be used to filter types based
on their security status
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
qapi/qom.json | 10 ++++++++--
qom/qom-qmp-cmds.c | 30 ++++++++++++++++++++++++------
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/qapi/qom.json b/qapi/qom.json
index 830cb2ffe7..3e5e7e6f6f 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -210,12 +210,15 @@
# @abstract: the type is abstract and can't be directly instantiated.
# Omitted if false. (since 2.10)
#
+# @secure: the type provides a security boundary.
+# Omitted if false. (since 10.2)
+#
# @parent: Name of parent type, if any (since 2.10)
#
# Since: 1.1
##
{ 'struct': 'ObjectTypeInfo',
- 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
+ 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str', '*secure': 'bool' } }
##
# @qom-list-types:
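
Review bot: the changed 'data' line of ObjectTypeInfo now holds four members and runs past 80 columns; put each member on its own line. The @secure text could also say outright that an absent member means the type is not declared secure, since "Omitted if false" leaves that to inference.
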
@@ -227,12 +230,15 @@
#
# @abstract: if true, include abstract types in the results
#
+# @secure: if set, filter to only include types with matching security status
+# (since 10.2)
+#
# Returns: a list of types, or an empty list if no results are found
#
# Since: 1.1
##
{ 'command': 'qom-list-types',
- 'data': { '*implements': 'str', '*abstract': 'bool' },
+ 'data': { '*implements': 'str', '*abstract': 'bool', '*secure': 'bool' },
'returns': [ 'ObjectTypeInfo' ],
'allow-preconfig': true }
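
Review bot: the @secure argument doc says "types with matching security status" without stating what true and false select, or that leaving the argument out returns every type; spell out all three cases. It also behaves differently from @abstract directly above, where true widens the result instead of filtering it, which deserves a sentence here.
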
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index 57f1898cf6..9e221bb332 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -151,33 +151,51 @@ QObject *qmp_qom_get(const char *path, const char *property, Error **errp)
return object_property_get_qobject(obj, property, errp);
}
-static void qom_list_types_tramp(ObjectClass *klass, void *data)
+typedef struct {
+ ObjectTypeInfoList *list;
+ bool has_secure;
+ bool secure;
+} ObjectTypeInfoData;
+
+static void qom_list_types_tramp(ObjectClass *klass, void *opaque)
{
- ObjectTypeInfoList **pret = data;
+ ObjectTypeInfoData *data = opaque;
ObjectTypeInfo *info;
ObjectClass *parent = object_class_get_parent(klass);
+ if (data->has_secure &&
+ data->secure != object_class_is_secure(klass)) {
+ return;
+ }
+
info = g_malloc0(sizeof(*info));
info->name = g_strdup(object_class_get_name(klass));
info->has_abstract = info->abstract = object_class_is_abstract(klass);
+ info->has_secure = info->secure = object_class_is_secure(klass);
if (parent) {
info->parent = g_strdup(object_class_get_name(parent));
}
- QAPI_LIST_PREPEND(*pret, info);
+ QAPI_LIST_PREPEND(data->list, info);
}
ObjectTypeInfoList *qmp_qom_list_types(const char *implements,
bool has_abstract,
bool abstract,
+ bool has_secure,
+ bool secure,
Error **errp)
{
- ObjectTypeInfoList *ret = NULL;
+ ObjectTypeInfoData data = {
+ .list = NULL,
+ .has_secure = has_secure,
+ .secure = secure,
+ };
module_load_qom_all();
- object_class_foreach(qom_list_types_tramp, implements, abstract, &ret);
+ object_class_foreach(qom_list_types_tramp, implements, abstract, &data);
- return ret;
+ return data.list;
}
ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
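
Review bot: qom_list_types_tramp() calls object_class_is_secure(klass) twice, once for the filter and once to fill info->secure; read it into a local bool at the top and use that for both. The switch from ObjectTypeInfoList **pret to the ObjectTypeInfoData wrapper would also be easier to review as a separate preparatory change from the new member.
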
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 11/32] qom: report & filter on security status in qom-list-types
2025-09-26 14:01 ` [PATCH v2 11/32] qom: report & filter on security status in qom-list-types Daniel P. Berrangé
@ 2025-10-23 10:58 ` Markus Armbruster
2025-10-24 13:38 ` Daniel P. Berrangé
0 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 10:58 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> This adds:
>
> * a new boolean 'secure' field to the type info returned by
> qom-list-types, which will be set if the type provides a
> security boundary
>
> * a new boolean 'secure' parameter to the arguments of
> qom-list-types, which can be used to filter types based
> on their security status
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
I was about to ask for this feature in reply to PATCH 2 when I found
this patch. Consider moving it right after PATCH 2, or
forward-referencing it in PATCH 2's commit message.
> ---
> qapi/qom.json | 10 ++++++++--
> qom/qom-qmp-cmds.c | 30 ++++++++++++++++++++++++------
> 2 files changed, 32 insertions(+), 8 deletions(-)
>
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 830cb2ffe7..3e5e7e6f6f 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -210,12 +210,15 @@
> # @abstract: the type is abstract and can't be directly instantiated.
> # Omitted if false. (since 2.10)
> #
> +# @secure: the type provides a security boundary.
> +# Omitted if false. (since 10.2)
Please wrap like this:
# @secure: the type provides a security boundary. Omitted if false.
# (since 10.2)
> +#
> # @parent: Name of parent type, if any (since 2.10)
> #
> # Since: 1.1
> ##
> { 'struct': 'ObjectTypeInfo',
> - 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
> + 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str', '*secure': 'bool' } }
Long line. I think it's time to put each member on its own line.
>
> ##
> # @qom-list-types:
> @@ -227,12 +230,15 @@
> #
> # @abstract: if true, include abstract types in the results
> #
> +# @secure: if set, filter to only include types with matching security status
> +# (since 10.2)
Hmm.
               absent          false           true
    @abstract  only concrete   only concrete   all
    @secure    all             only insecure   only secure (I think)
The difference is grating. Any ideas?
If we decide to keep it as is, please wrap like this:
# @secure: if set, filter to only include types with matching security
# status (since 10.2)
> +#
> # Returns: a list of types, or an empty list if no results are found
> #
> # Since: 1.1
> ##
> { 'command': 'qom-list-types',
> - 'data': { '*implements': 'str', '*abstract': 'bool' },
> + 'data': { '*implements': 'str', '*abstract': 'bool', '*secure': 'bool' },
> 'returns': [ 'ObjectTypeInfo' ],
> 'allow-preconfig': true }
>
> diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
> index 57f1898cf6..9e221bb332 100644
> --- a/qom/qom-qmp-cmds.c
> +++ b/qom/qom-qmp-cmds.c
> @@ -151,33 +151,51 @@ QObject *qmp_qom_get(const char *path, const char *property, Error **errp)
> return object_property_get_qobject(obj, property, errp);
> }
>
> -static void qom_list_types_tramp(ObjectClass *klass, void *data)
> +typedef struct {
> + ObjectTypeInfoList *list;
> + bool has_secure;
> + bool secure;
> +} ObjectTypeInfoData;
> +
> +static void qom_list_types_tramp(ObjectClass *klass, void *opaque)
> {
> - ObjectTypeInfoList **pret = data;
> + ObjectTypeInfoData *data = opaque;
> ObjectTypeInfo *info;
> ObjectClass *parent = object_class_get_parent(klass);
>
> + if (data->has_secure &&
> + data->secure != object_class_is_secure(klass)) {
> + return;
> + }
> +
> info = g_malloc0(sizeof(*info));
> info->name = g_strdup(object_class_get_name(klass));
> info->has_abstract = info->abstract = object_class_is_abstract(klass);
> + info->has_secure = info->secure = object_class_is_secure(klass);
> if (parent) {
> info->parent = g_strdup(object_class_get_name(parent));
> }
>
> - QAPI_LIST_PREPEND(*pret, info);
> + QAPI_LIST_PREPEND(data->list, info);
> }
>
> ObjectTypeInfoList *qmp_qom_list_types(const char *implements,
> bool has_abstract,
> bool abstract,
> + bool has_secure,
> + bool secure,
> Error **errp)
> {
> - ObjectTypeInfoList *ret = NULL;
> + ObjectTypeInfoData data = {
> + .list = NULL,
> + .has_secure = has_secure,
> + .secure = secure,
> + };
>
> module_load_qom_all();
> - object_class_foreach(qom_list_types_tramp, implements, abstract, &ret);
> + object_class_foreach(qom_list_types_tramp, implements, abstract, &data);
>
> - return ret;
> + return data.list;
> }
>
> ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
This fuses a change of how the list value is built with the addition of
a new list element member. I'd prefer them separate.
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 11/32] qom: report & filter on security status in qom-list-types
2025-10-23 10:58 ` Markus Armbruster
@ 2025-10-24 13:38 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-24 13:38 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 12:58:27PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
> > This adds:
> >
> > * a new boolean 'secure' field to the type info returned by
> > qom-list-types, which will be set if the type provides a
> > security boundary
> >
> > * a new boolean 'secure' parameter to the arguments of
> > qom-list-types, which can be used to filter types based
> > on their security status
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>
> I was about to ask for this feature in reply to PATCH 2 when I found
> this patch. Consider moving it right after PATCH 2, or
> forward-referencing it in PATCH 2's commit message.
>
> > ---
> > qapi/qom.json | 10 ++++++++--
> > qom/qom-qmp-cmds.c | 30 ++++++++++++++++++++++++------
> > 2 files changed, 32 insertions(+), 8 deletions(-)
> >
> > diff --git a/qapi/qom.json b/qapi/qom.json
> > index 830cb2ffe7..3e5e7e6f6f 100644
> > --- a/qapi/qom.json
> > +++ b/qapi/qom.json
> > @@ -210,12 +210,15 @@
> > # @abstract: the type is abstract and can't be directly instantiated.
> > # Omitted if false. (since 2.10)
> > #
> > +# @secure: the type provides a security boundary.
> > +# Omitted if false. (since 10.2)
>
> Please wrap like this:
>
> # @secure: the type provides a security boundary. Omitted if false.
> # (since 10.2)
>
> > +#
> > # @parent: Name of parent type, if any (since 2.10)
> > #
> > # Since: 1.1
> > ##
> > { 'struct': 'ObjectTypeInfo',
> > - 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
> > + 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str', '*secure': 'bool' } }
>
> Long line. I think it's time to put each member on its own line.
>
> >
> > ##
> > # @qom-list-types:
> > @@ -227,12 +230,15 @@
> > #
> > # @abstract: if true, include abstract types in the results
> > #
> > +# @secure: if set, filter to only include types with matching security status
> > +# (since 10.2)
>
> Hmm.
>
>                absent          false           true
>     @abstract  only concrete   only concrete   all
>     @secure    all             only insecure   only secure (I think)
>
> The difference is grating. Any ideas?
I considered the current handling of @abstract to be flawed,
because there are three possible data sets you might want,
and the behaviour of @abstract only lets you query two of
the three - requires a second call to qom-list-types to
get the union of abstract and non-abstract.
Ideally we would fix @abstract but we can't do that without
back-compatibility fallout.
To avoid changing the default behaviour of qom-list-types
we need @secure==absent to return 'all', so that pretty
much forces us down this route of different behaviours
for @abstract vs @secure, unless we deprecate @abstract
and invent something completely new.
> > ObjectTypeInfoList *qmp_qom_list_types(const char *implements,
> > bool has_abstract,
> > bool abstract,
> > + bool has_secure,
> > + bool secure,
> > Error **errp)
> > {
> > - ObjectTypeInfoList *ret = NULL;
> > + ObjectTypeInfoData data = {
> > + .list = NULL,
> > + .has_secure = has_secure,
> > + .secure = secure,
> > + };
> >
> > module_load_qom_all();
> > - object_class_foreach(qom_list_types_tramp, implements, abstract, &ret);
> > + object_class_foreach(qom_list_types_tramp, implements, abstract, &data);
> >
> > - return ret;
> > + return data.list;
> > }
> >
> > ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
>
> This fuses a change of how the list value is built with the addition of
> a new list element member. I'd prefer them separate.
Sure, will change.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 12/32] docs: expand security docs with info about security status
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (10 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 11/32] qom: report & filter on security status in qom-list-types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 12:22 ` Markus Armbruster
2025-09-26 14:01 ` [PATCH v2 13/32] machine: add helpers for declaring secure/insecure machine types Daniel P. Berrangé
` (21 subsequent siblings)
33 siblings, 1 reply; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The description of virtualization vs non-virtualization use
cases is a crude approximation of the security characteristics
of QEMU devices.
Document how QEMU can be probed to obtain information on the
security status of type classes, and how policies can be set
to inform or control their usage.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/system/security.rst | 43 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/docs/system/security.rst b/docs/system/security.rst
index f2092c8768..cda4bae6db 100644
--- a/docs/system/security.rst
+++ b/docs/system/security.rst
@@ -49,6 +49,49 @@ Bugs affecting the non-virtualization use case are not considered security
bugs at this time. Users with non-virtualization use cases must not rely on
QEMU to provide guest isolation or any security guarantees.
+Security status reporting
+'''''''''''''''''''''''''
+
+QEMU is progressively working to annotate object types to explicitly state
+whether they are considered to provide a security boundary or not.
+
+It is possible to control or identify the usage of types that do not offer
+an explicit security boundary using the ``insecure-types`` parameter to the
+``-compat`` argument, which accepts three values:
+
+ * accept: usage of any type will be permitted. This is the current
+ and historical default behaviour
+ * warn: usage of types not explicitly declared secure will result
+ in a warning message, but still be permitted.
+ * reject: usage of types not explicitly declared secure will result
+ in an error message, and will not be permitted.
+
+The compatibility policy will be honoured both at initial startup of
+QEMU and during any runtime alterations made with monitor commands.
+
+The status of any type class can be queried at runtime using the
+``qom-list-types`` command, whose returned information will flag any
+types declared as secure. The ``query-machines`` command will also
+reflect this same information for machine types.
+
+Machine type, accelerator and device security status can be queried
+using ``-machine help``, ``-accel help`` and ``-device help`` command
+line options respectively.
+
+The setting of the ``.secure`` field at the time a type class is
+declared in the code will determine whether bugs are eligible to
+be considered as security bugs:
+
+ * Explicitly declared ``.secure = true``: security bug process
+ applies, eligible for CVE assignment
+ * Explicitly declared ``.secure = false``: security bug process
+ does not apply, ineligible for CVE assignment
+ * No declaration of ``.secure`` property: follow the security
+ bug process initially. The virtualization vs non-virtualization
+ use case classification will be evaluated during bug triage
+ to determine whether to continue the security bug process,
+ or switch to the regular bug process.
+
Architecture
------------
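
Review bot: in the first list the values accept, warn and reject are plain text and the items end inconsistently (the accept item has no closing full stop); mark the values as literals like the surrounding ``insecure-types`` and ``-compat``, and finish each item the same way. One line showing the complete option, for instance -compat insecure-types=reject, would save readers from assembling it themselves.
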
--
2.50.1
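
The probing and policy behaviour documented in this patch, seen from the management-application side, as an added example that is not part of the patch or of QEMU: given a qom-list-types reply, it predicts what each insecure-types policy would do to a planned device list. The reply, the type names and every function name are constructed for illustration, and the interface modelled is the one proposed in this series.

```python
import json

# Constructed sample reply to
#   {"execute": "qom-list-types", "arguments": {"implements": "device"}}
# in the shape patch 11/32 proposes: 'secure' and 'abstract' appear only when
# true. The type names and their flags are invented for this example.
SAMPLE_REPLY = json.loads("""
{"return": [
  {"name": "example-nic",    "parent": "example-base", "secure": true},
  {"name": "example-disk",   "parent": "example-base", "secure": true},
  {"name": "example-legacy", "parent": "example-base"},
  {"name": "example-base",   "parent": "device", "abstract": true}
]}
""")

POLICIES = ("accept", "warn", "reject")  # values listed in patch 12/32


def list_types_request(implements, secure=None):
    """Build the QMP command; secure=None leaves the filter out (all types)."""
    args = {"implements": implements}
    if secure is not None:
        args["secure"] = bool(secure)
    return {"execute": "qom-list-types", "arguments": args}


def index_types(reply):
    """Map type name -> (is_secure, is_abstract), treating absent as False."""
    return {
        t["name"]: (t.get("secure", False) is True,
                    t.get("abstract", False) is True)
        for t in reply["return"]
    }


def audit(requested, reply, policy):
    """Predict the outcome for each requested type under the given policy.

    Outcomes: 'ok', 'warn', 'reject', 'abstract' (cannot be instantiated)
    and 'unknown' (type not in the reply at all).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    types = index_types(reply)
    outcome = {}
    for name in requested:
        if name not in types:
            outcome[name] = "unknown"
            continue
        is_secure, is_abstract = types[name]
        if is_abstract:
            outcome[name] = "abstract"
        elif is_secure or policy == "accept":
            outcome[name] = "ok"
        else:
            # Not declared secure: explicitly insecure or never classified.
            outcome[name] = policy  # 'warn' or 'reject'
    return outcome


def config_starts(requested, reply, policy):
    """True when no requested type would be refused."""
    refused = {"reject", "abstract", "unknown"}
    return not refused.intersection(audit(requested, reply, policy).values())


if __name__ == "__main__":
    wanted = ["example-nic", "example-legacy"]
    for policy in POLICIES:
        verdict = "starts" if config_starts(wanted, SAMPLE_REPLY, policy) else "refused"
        print(policy, audit(wanted, SAMPLE_REPLY, policy), verdict)
```

Because an absent 'secure' member is read as false, a reply from a QEMU without this series makes every type fail under reject, which is the fail-closed result.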
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 12/32] docs: expand security docs with info about security status
2025-09-26 14:01 ` [PATCH v2 12/32] docs: expand security docs with info about security status Daniel P. Berrangé
@ 2025-10-23 12:22 ` Markus Armbruster
2025-10-24 13:42 ` Daniel P. Berrangé
0 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 12:22 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> The description of virtualization vs non-virtualization use
> cases is a crude approximation of the security characteristics
> of QEMU devices.
>
> Document how QEMU can be probed to obtain information on the
> security status of type classes, and how policies can be set
> to inform or control their usage.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> docs/system/security.rst | 43 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 43 insertions(+)
>
> diff --git a/docs/system/security.rst b/docs/system/security.rst
> index f2092c8768..cda4bae6db 100644
> --- a/docs/system/security.rst
> +++ b/docs/system/security.rst
> @@ -49,6 +49,49 @@ Bugs affecting the non-virtualization use case are not considered security
> bugs at this time. Users with non-virtualization use cases must not rely on
> QEMU to provide guest isolation or any security guarantees.
>
> +Security status reporting
> +'''''''''''''''''''''''''
> +
> +QEMU is progressively working to annotate object types to explicitly state
Suggest "The QEMU project is working"
> +whether they are considered to provide a security boundary or not.
> +
> +It is possible to control or identify the usage of types that do not offer
> +an explicit security boundary using the ``insecure-types`` parameter to the
> +``-compat`` argument, which accepts three values:
> +
> + * accept: usage of any type will be permitted. This is the current
> + and historical default behaviour
> + * warn: usage of types not explicitly declared secure will result
> + in a warning message, but still be permitted.
> + * reject: usage of types not explicitly declared secure will result
> + in an error message, and will not be permitted.
> +
> +The compatibility policy will be honoured both at initial startup of
> +QEMU and during any runtime alterations made with monitor commands.
This is about QOM. It doesn't cover security boundaries outside QOM,
e.g. in block backends. I think we better make this limitation quite
clear here.
> +
> +The status of any type class can be queried at runtime using the
> +``qom-list-types`` command, whose returned information will flag any
> +types declared as secure. The ``query-machines`` command will also
> +reflect this same information for machine types.
> +
> +Machine type, accelerator and device security status can be queried
> +using ``-machine help``, ``-accel help`` and ``-device help`` command
> +line options respectively.
> +
> +The setting of the ``.secure`` field at the time a type class is
> +declared in the code will determine whether bugs are eligible to
> +be considered as security bugs:
> +
> + * Explicitly declared ``.secure = true``: security bug process
> + applies, eligible for CVE assignment
> + * Explicitly declared ``.secure = false``: security bug process
> + does not apply, ineligible for CVE assignment
> + * No declaration of ``.secure`` property: follow the security
> + bug process initially. The virtualization vs non-virtualization
> + use case classification will be evaluated during bug triage
> + to determine whether to continue the security bug process,
> + or switch to the regular bug process.

Should this evaluation result in a declaration of .secure?

> +
> Architecture
> ------------
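Review bot: The `.secure` bullet list at the end of this hunk distinguishes three states (explicit true, explicit false, no declaration), but the `insecure-types` policy list above it only speaks of "types not explicitly declared secure", so a reader cannot tell whether `warn` and `reject` treat an undeclared type the same as one declared `.secure = false`; state that in the policy list. The same applies to the `qom-list-types` paragraph, which says the output will flag types "declared as secure" without saying how an explicitly insecure type differs from an undeclared one. Smaller points: `.secure` is called a "field" in one paragraph and a "property" in the last bullet, the `accept` bullet is the only one without a closing full stop, and a one-line example such as `-compat insecure-types=reject` would make the option syntax concrete.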
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 12/32] docs: expand security docs with info about security status
2025-10-23 12:22 ` Markus Armbruster
@ 2025-10-24 13:42 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-24 13:42 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 02:22:12PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
> > The description of virtualization vs non-virtualization use
> > cases is a crude approximation of the security characteristics
> > of QEMU devices.
> >
> > Document how QEMU can be probed to obtain information on the
> > security status of type classes, and how policies can be set
> > to inform or control their usage.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > docs/system/security.rst | 43 ++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 43 insertions(+)
> >
> > diff --git a/docs/system/security.rst b/docs/system/security.rst
> > index f2092c8768..cda4bae6db 100644
> > --- a/docs/system/security.rst
> > +++ b/docs/system/security.rst
> > @@ -49,6 +49,49 @@ Bugs affecting the non-virtualization use case are not considered security
> > bugs at this time. Users with non-virtualization use cases must not rely on
> > QEMU to provide guest isolation or any security guarantees.
> >
> > +Security status reporting
> > +'''''''''''''''''''''''''
> > +
> > +QEMU is progressively working to annotate object types to explicitly state
>
> Suggest "The QEMU project is working"
>
> > +whether they are considered to provide a security boundary or not.
> > +
> > +It is possible to control or identify the usage of types that do not offer
> > +an explicit security boundary using the ``insecure-types`` parameter to the
> > +``-compat`` argument, which accepts three values:
> > +
> > + * accept: usage of any type will be permitted. This is the current
> > + and historical default behaviour
> > + * warn: usage of types not explicitly declared secure will result
> > + in a warning message, but still be permitted.
> > + * reject: usage of types not explicitly declared secure will result
> > + in an error message, and will not be permitted.
> > +
> > +The compatibility policy will be honoured both at initial startup of
> > +QEMU and during any runtime alterations made with monitor commands.
>
> This is about QOM. It doesn't cover security boundaries outside QOM,
> e.g. in block backends. I think we better make this limitation quite
> clear here.

I was anticipating perhaps future work to bring this to non-QOM
stuff too like the block backends, but I guess we can mention
QOM now, and change it later if needed.

> > +Machine type, accelerator and device security status can be queried
> > +using ``-machine help``, ``-accel help`` and ``-device help`` command
> > +line options respectively.
> > +
> > +The setting of the ``.secure`` field at the time a type class is
> > +declared in the code will determine whether bugs are eligible to
> > +be considered as security bugs:
> > +
> > + * Explicitly declared ``.secure = true``: security bug process
> > + applies, eligible for CVE assignment
> > + * Explicitly declared ``.secure = false``: security bug process
> > + does not apply, ineligible for CVE assignment
> > + * No declaration of ``.secure`` property: follow the security
> > + bug process initially. The virtualization vs non-virtualization
> > + use case classification will be evaluated during bug triage
> > + to determine whether to continue the security bug process,
> > + or switch to the regular bug process.
>
> Should this evaluation result in a declaration of .secure?

Yeah, that would be good workflow.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 13/32] machine: add helpers for declaring secure/insecure machine types
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (11 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 12/32] docs: expand security docs with info about security status Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 14/32] hw: mark x86, s390, ppc, arm versioned machine types as secure Daniel P. Berrangé
` (20 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The current DEFINE_MACHINE macro will declare a machine type without any
explicit statement about the security status. As such the machine type
will be treated as implicitly insecure at runtime.

Introduce new DEFINE_SECURE_MACHINE and DEFINE_INSECURE_MACHINE macros
that allow code to make an explicit statement about security status
of the machine. All machine declarations should transition to the new
macros allowing the implicit macro to eventually be removed.

The same is done for the specialized i386 PC related macros.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/hw/boards.h | 12 +++++++++++-
include/hw/i386/pc.h | 13 ++++++++++++-
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 665b620121..8105c54a90 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -762,7 +762,7 @@ struct MachineState {
} \
} while (0)
-#define DEFINE_MACHINE(namestr, machine_initfn) \
+#define DEFINE_MACHINE_IMPL(namestr, machine_initfn, issecure) \
static void machine_initfn##_class_init(ObjectClass *oc, const void *data) \
{ \
MachineClass *mc = MACHINE_CLASS(oc); \
@@ -772,6 +772,7 @@ struct MachineState {
.name = MACHINE_TYPE_NAME(namestr), \
.parent = TYPE_MACHINE, \
.class_init = machine_initfn##_class_init, \
+ .secure = issecure, \
}; \
static void machine_initfn##_register_types(void) \
{ \
@@ -779,6 +780,15 @@ struct MachineState {
} \
type_init(machine_initfn##_register_types)
+/* Implicitly insecure, prefer explicitly declaring security status */
+#define DEFINE_MACHINE(namestr, machine_initfn) \
+ DEFINE_MACHINE_IMPL(namestr, machine_initfn, false)
+
+#define DEFINE_SECURE_MACHINE(namestr, machine_initfn) \
+ DEFINE_MACHINE_IMPL(namestr, machine_initfn, true)
+#define DEFINE_INSECURE_MACHINE(namestr, machine_initfn) \
+ DEFINE_MACHINE_IMPL(namestr, machine_initfn, false)
+
extern GlobalProperty hw_compat_10_1[];
extern const size_t hw_compat_10_1_len;
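Review bot: `DEFINE_MACHINE` and `DEFINE_INSECURE_MACHINE` both expand to `DEFINE_MACHINE_IMPL(namestr, machine_initfn, false)`, so a legacy machine that has never been assessed gets the same `.secure = false` initializer as one deliberately declared insecure. The security documentation added earlier in this series treats "explicitly declared `.secure = false`" and "no declaration" differently during bug triage. If the type info can represent "undeclared" separately from false, the legacy macro should not pass `false`; if it cannot, the comment should say that `DEFINE_MACHINE` is equivalent to the insecure variant. A blank line between the SECURE and INSECURE definitions and a short comment on when each one applies would also help.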
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index e83157ab35..1ccb6ed9fc 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -301,7 +301,7 @@ extern const size_t pc_compat_2_7_len;
extern GlobalProperty pc_compat_2_6[];
extern const size_t pc_compat_2_6_len;
-#define DEFINE_PC_MACHINE(suffix, namestr, initfn, optsfn) \
+#define DEFINE_PC_MACHINE_IMPL(suffix, namestr, initfn, optsfn, issecure) \
static void pc_machine_##suffix##_class_init(ObjectClass *oc, \
const void *data) \
{ \
@@ -313,6 +313,7 @@ extern const size_t pc_compat_2_6_len;
.name = namestr TYPE_MACHINE_SUFFIX, \
.parent = TYPE_PC_MACHINE, \
.class_init = pc_machine_##suffix##_class_init, \
+ .secure = issecure, \
}; \
static void pc_machine_init_##suffix(void) \
{ \
@@ -320,6 +321,16 @@ extern const size_t pc_compat_2_6_len;
} \
type_init(pc_machine_init_##suffix)
+/* Implicitly insecure, prefer explicitly declaring security status */
+#define DEFINE_PC_MACHINE(suffix, namestr, initfn, optsfn) \
+ DEFINE_PC_MACHINE_IMPL(suffix, namestr, initfn, optsfn, false)
+
+#define DEFINE_SECURE_PC_MACHINE(suffix, namestr, initfn, optsfn) \
+ DEFINE_PC_MACHINE_IMPL(suffix, namestr, initfn, optsfn, true)
+#define DEFINE_INSECURE_PC_MACHINE(suffix, namestr, initfn, optsfn) \
+ DEFINE_PC_MACHINE_IMPL(suffix, namestr, initfn, optsfn, false)
+
+
#define DEFINE_PC_VER_MACHINE(namesym, namestr, initfn, isdefault, malias, ...) \
static void MACHINE_VER_SYM(init, namesym, __VA_ARGS__)( \
MachineState *machine) \
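Review bot: The added block ends with two consecutive blank `+` lines before `DEFINE_PC_VER_MACHINE`; drop one. As with the generic macros in boards.h, `DEFINE_PC_MACHINE` and `DEFINE_INSECURE_PC_MACHINE` are identical expansions, so the "Implicitly insecure" comment is the only thing that separates an unassessed PC machine from one declared insecure on purpose; say in the comment whether that is intended.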
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 14/32] hw: mark x86, s390, ppc, arm versioned machine types as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (12 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 13/32] machine: add helpers for declaring secure/insecure machine types Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 15/32] hw: declare Xen & microvm machines as secure, isapc as insecure Daniel P. Berrangé
` (19 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The versioned machine types are typically present for use in
virtualization use cases and can be expected to provide a security
barrier. The only exceptions are the m68k versioned machine types
which are only used with TCG.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/arm/virt.c | 1 +
hw/ppc/spapr.c | 1 +
hw/s390x/s390-virtio-ccw.c | 1 +
include/hw/i386/pc.h | 1 +
4 files changed, 4 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 02209fadcf..c25ef1c306 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -127,6 +127,7 @@ static void arm_virt_compat_set(MachineClass *mc)
.name = MACHINE_VER_TYPE_NAME("virt", __VA_ARGS__), \
.parent = TYPE_VIRT_MACHINE, \
.class_init = MACHINE_VER_SYM(class_init, virt, __VA_ARGS__), \
+ .secure = true, \
}; \
static void MACHINE_VER_SYM(register, virt, __VA_ARGS__)(void) \
{ \
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index eb22333404..3581f581a4 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4748,6 +4748,7 @@ static void spapr_machine_latest_class_options(MachineClass *mc)
.name = MACHINE_VER_TYPE_NAME("pseries", __VA_ARGS__), \
.parent = TYPE_SPAPR_MACHINE, \
.class_init = MACHINE_VER_SYM(class_init, spapr, __VA_ARGS__), \
+ .secure = true, \
}; \
static void MACHINE_VER_SYM(register, spapr, __VA_ARGS__)(void) \
{ \
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index d0c6e80cb0..54bc4e1b74 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -896,6 +896,7 @@ static const TypeInfo ccw_machine_info = {
.name = MACHINE_VER_TYPE_NAME("s390-ccw-virtio", __VA_ARGS__), \
.parent = TYPE_S390_CCW_MACHINE, \
.class_init = MACHINE_VER_SYM(class_init, ccw, __VA_ARGS__), \
+ .secure = true, \
}; \
static void MACHINE_VER_SYM(register, ccw, __VA_ARGS__)(void) \
{ \
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 1ccb6ed9fc..f576b3892e 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -353,6 +353,7 @@ extern const size_t pc_compat_2_6_len;
.name = MACHINE_VER_TYPE_NAME(namestr, __VA_ARGS__), \
.parent = TYPE_PC_MACHINE, \
.class_init = MACHINE_VER_SYM(class_init, namesym, __VA_ARGS__), \
+ .secure = true, \
}; \
static void MACHINE_VER_SYM(register, namesym, __VA_ARGS__)(void) \
{ \
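Review bot: `.secure = true` is written directly into the versioned PC type info here, as in the arm, ppc and s390x hunks above, so every version generated by the macro is declared secure with no per-version override, unlike the `issecure` argument added to `DEFINE_PC_MACHINE_IMPL` in the previous patch. If that is intended, a short comment next to the field giving the reason (versioned machine types exist for virtualization use) would keep the rationale in the code and not only in the commit message. The commit message also names the m68k versioned machine types as the exception, but none of the four files in the diffstat touches them, which leaves them undeclared instead of explicitly `.secure = false`.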
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 15/32] hw: declare Xen & microvm machines as secure, isapc as insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (13 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 14/32] hw: mark x86, s390, ppc, arm versioned machine types as secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 16/32] hw/core: declare 'none' machine to be insecure Daniel P. Berrangé
` (18 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The Xen and microvm machines are used in virtualization use cases,
while isapc is only for emulation.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/arm/xen-pvh.c | 1 +
hw/i386/isapc.c | 4 ++--
hw/i386/microvm.c | 1 +
hw/i386/pc_piix.c | 8 ++++----
hw/i386/xen/xen-pvh.c | 1 +
hw/i386/xen/xen_pvdevice.c | 1 +
hw/xen/xen-pvh-common.c | 1 +
hw/xenpv/xen_machine_pv.c | 2 +-
8 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/hw/arm/xen-pvh.c b/hw/arm/xen-pvh.c
index 1a9eeb01c8..d6b777cb20 100644
--- a/hw/arm/xen-pvh.c
+++ b/hw/arm/xen-pvh.c
@@ -95,6 +95,7 @@ static const TypeInfo xen_arm_machine_type = {
.class_init = xen_arm_machine_class_init,
.instance_size = sizeof(XenPVHMachineState),
.instance_init = xen_arm_instance_init,
+ .secure = true,
};
static void xen_arm_machine_register_types(void)
diff --git a/hw/i386/isapc.c b/hw/i386/isapc.c
index 44f4a44672..2da7a255f9 100644
--- a/hw/i386/isapc.c
+++ b/hw/i386/isapc.c
@@ -185,5 +185,5 @@ static void isapc_machine_options(MachineClass *m)
m->no_parallel = !module_object_class_by_name(TYPE_ISA_PARALLEL);
}
-DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa,
- isapc_machine_options);
+DEFINE_INSECURE_PC_MACHINE(isapc, "isapc", pc_init_isa,
+ isapc_machine_options);
diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
index 94d22a232a..c9ff29da0e 100644
--- a/hw/i386/microvm.c
+++ b/hw/i386/microvm.c
@@ -729,6 +729,7 @@ static const TypeInfo microvm_machine_info = {
.instance_init = microvm_machine_initfn,
.class_size = sizeof(MicrovmMachineClass),
.class_init = microvm_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index caf8bab68e..1d75b7c89e 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -755,8 +755,8 @@ static void xenfv_machine_4_2_options(MachineClass *m)
m->default_machine_opts = "accel=xen,suppress-vmdesc=on";
}
-DEFINE_PC_MACHINE(xenfv_4_2, "xenfv-4.2", pc_xen_hvm_init,
- xenfv_machine_4_2_options);
+DEFINE_SECURE_PC_MACHINE(xenfv_4_2, "xenfv-4.2", pc_xen_hvm_init,
+ xenfv_machine_4_2_options);
static void xenfv_machine_3_1_options(MachineClass *m)
{
@@ -767,6 +767,6 @@ static void xenfv_machine_3_1_options(MachineClass *m)
m->default_machine_opts = "accel=xen,suppress-vmdesc=on";
}
-DEFINE_PC_MACHINE(xenfv, "xenfv-3.1", pc_xen_hvm_init,
- xenfv_machine_3_1_options);
+DEFINE_SECURE_PC_MACHINE(xenfv, "xenfv-3.1", pc_xen_hvm_init,
+ xenfv_machine_3_1_options);
#endif
diff --git a/hw/i386/xen/xen-pvh.c b/hw/i386/xen/xen-pvh.c
index 067f73e977..f30cb82962 100644
--- a/hw/i386/xen/xen-pvh.c
+++ b/hw/i386/xen/xen-pvh.c
@@ -115,6 +115,7 @@ static const TypeInfo xen_pvh_x86_machine_type = {
.class_init = xen_pvh_machine_class_init,
.instance_init = xen_pvh_instance_init,
.instance_size = sizeof(XenPVHx86State),
+ .secure = true,
};
static void xen_pvh_machine_register_types(void)
diff --git a/hw/i386/xen/xen_pvdevice.c b/hw/i386/xen/xen_pvdevice.c
index 87a974ae5a..adf4948b9a 100644
--- a/hw/i386/xen/xen_pvdevice.c
+++ b/hw/i386/xen/xen_pvdevice.c
@@ -139,6 +139,7 @@ static const TypeInfo xen_pv_type_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(XenPVDevice),
.class_init = xen_pv_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
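Review bot: `xen_pv_type_info` has `.parent = TYPE_PCI_DEVICE`, so this hunk declares a PCI device secure, while the subject and commit message only talk about Xen and microvm machines. Either mention the device in the commit message or move this hunk to a patch that covers Xen devices, so that the device's declaration is reviewed on its own merits.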
diff --git a/hw/xen/xen-pvh-common.c b/hw/xen/xen-pvh-common.c
index b93ff80c85..5b1572f531 100644
--- a/hw/xen/xen-pvh-common.c
+++ b/hw/xen/xen-pvh-common.c
@@ -389,6 +389,7 @@ static const TypeInfo xen_pvh_info = {
.instance_size = sizeof(XenPVHMachineState),
.class_size = sizeof(XenPVHMachineClass),
.class_init = xen_pvh_class_init,
+ .secure = true,
};
static void xen_pvh_register_types(void)
diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c
index 99c02492ef..26a77ef007 100644
--- a/hw/xenpv/xen_machine_pv.c
+++ b/hw/xenpv/xen_machine_pv.c
@@ -69,4 +69,4 @@ static void xenpv_machine_init(MachineClass *mc)
mc->default_machine_opts = "accel=xen";
}
-DEFINE_MACHINE("xenpv", xenpv_machine_init)
+DEFINE_SECURE_MACHINE("xenpv", xenpv_machine_init)
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 16/32] hw/core: declare 'none' machine to be insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (14 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 15/32] hw: declare Xen & microvm machines as secure, isapc as insecure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 17/32] accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure Daniel P. Berrangé
` (17 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
This machine is currently intended for probing capabilities and thus
is not expected to run guest workloads. In the future it might be
possible to use it as a generic base from which to dynamically
construct new machines, but today it has no need to be declared to
be a secure machine.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/core/null-machine.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/null-machine.c b/hw/core/null-machine.c
index a6e477a2d8..c2ff8b1b5b 100644
--- a/hw/core/null-machine.c
+++ b/hw/core/null-machine.c
@@ -55,4 +55,4 @@ static void machine_none_machine_init(MachineClass *mc)
mc->no_cdrom = 1;
}
-DEFINE_MACHINE("none", machine_none_machine_init)
+DEFINE_INSECURE_MACHINE("none", machine_none_machine_init)
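Review bot: Declaring "none" with `DEFINE_INSECURE_MACHINE` means that under the `reject` value of `insecure-types` described in the docs patch, usage of this machine results in an error, yet the commit message gives probing capabilities as its purpose. Please confirm that a management application running with `insecure-types=reject` can still start QEMU with this machine in order to probe, or document that probing has to be done without that policy.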
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 17/32] accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (15 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 16/32] hw/core: declare 'none' machine to be insecure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 18/32] hw: mark all virtio PCI devices as secure Daniel P. Berrangé
` (16 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
TCG is too complex to be considered to provide a security boundary
for malicious guest workloads. QTest is only used for functional
testing and thus is not relevant to mark secure.

KVM, HVF and Xen, meanwhile, are all servicing virtualization use
cases which must provide security.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
accel/accel-common.c | 1 +
accel/accel-system.c | 1 +
accel/accel-target.c | 1 +
accel/hvf/hvf-accel-ops.c | 1 +
accel/hvf/hvf-all.c | 1 +
accel/kvm/kvm-accel-ops.c | 1 +
accel/kvm/kvm-all.c | 1 +
accel/qtest/qtest.c | 2 ++
accel/tcg/tcg-accel-ops.c | 1 +
accel/tcg/tcg-all.c | 1 +
accel/xen/xen-all.c | 2 ++
11 files changed, 13 insertions(+)
diff --git a/accel/accel-common.c b/accel/accel-common.c
index 850c5ab4b8..cb44315f27 100644
--- a/accel/accel-common.c
+++ b/accel/accel-common.c
@@ -138,6 +138,7 @@ static const TypeInfo accel_types[] = {
.class_size = sizeof(AccelClass),
.instance_size = sizeof(AccelState),
.abstract = true,
+ .secure = true,
},
};
diff --git a/accel/accel-system.c b/accel/accel-system.c
index 1e97c64fdc..fbffcccbd6 100644
--- a/accel/accel-system.c
+++ b/accel/accel-system.c
@@ -114,6 +114,7 @@ static const TypeInfo accel_ops_type_info = {
.name = TYPE_ACCEL_OPS,
.parent = TYPE_OBJECT,
.abstract = true,
+ .secure = true,
.class_size = sizeof(AccelOpsClass),
.class_init = accel_ops_class_init,
};
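Review bot: This hunk declares the abstract `TYPE_ACCEL_OPS` base type `.secure = true`, but the qtest hunk later in this patch declares `qtest_accel_ops_type`, whose `.parent` is `TYPE_ACCEL_OPS`, as `.secure = false`. The commit message does not say what the flag means on an abstract type or whether a subclass inherits or overrides it. Please document that, here or next to the field definition, because a reader could take the `true` on the base type as applying to every accelerator, TCG and qtest included.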
diff --git a/accel/accel-target.c b/accel/accel-target.c
index 7fd392fbc4..6ea9386cb8 100644
--- a/accel/accel-target.c
+++ b/accel/accel-target.c
@@ -31,6 +31,7 @@ static const TypeInfo accel_cpu_type = {
.parent = TYPE_OBJECT,
.abstract = true,
.class_size = sizeof(AccelCPUClass),
+ .secure = true,
};
static void register_accel_types(void)
diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
index 8b794c2d41..e807103379 100644
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -397,6 +397,7 @@ static const TypeInfo hvf_accel_ops_type = {
.parent = TYPE_ACCEL_OPS,
.class_init = hvf_accel_ops_class_init,
.abstract = true,
+ .secure = true,
};
static void hvf_accel_ops_register_types(void)
diff --git a/accel/hvf/hvf-all.c b/accel/hvf/hvf-all.c
index 0a4b498e83..1d49a59053 100644
--- a/accel/hvf/hvf-all.c
+++ b/accel/hvf/hvf-all.c
@@ -304,6 +304,7 @@ static const TypeInfo hvf_accel_type = {
.parent = TYPE_ACCEL,
.instance_size = sizeof(HVFState),
.class_init = hvf_accel_class_init,
+ .secure = true,
};
static void hvf_type_init(void)
diff --git a/accel/kvm/kvm-accel-ops.c b/accel/kvm/kvm-accel-ops.c
index 8ed6945c2f..d4d30c311f 100644
--- a/accel/kvm/kvm-accel-ops.c
+++ b/accel/kvm/kvm-accel-ops.c
@@ -119,6 +119,7 @@ static const TypeInfo kvm_accel_ops_type = {
.parent = TYPE_ACCEL_OPS,
.class_init = kvm_accel_ops_class_init,
.abstract = true,
+ .secure = true,
};
static void kvm_accel_ops_register_types(void)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 9060599cd7..67f2172443 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -4066,6 +4066,7 @@ static const TypeInfo kvm_accel_type = {
.instance_init = kvm_accel_instance_init,
.class_init = kvm_accel_class_init,
.instance_size = sizeof(KVMState),
+ .secure = true,
};
static void kvm_type_init(void)
diff --git a/accel/qtest/qtest.c b/accel/qtest/qtest.c
index 1d4337d698..44649b0ebb 100644
--- a/accel/qtest/qtest.c
+++ b/accel/qtest/qtest.c
@@ -58,6 +58,7 @@ static const TypeInfo qtest_accel_type = {
.name = TYPE_QTEST_ACCEL,
.parent = TYPE_ACCEL,
.class_init = qtest_accel_class_init,
+ .secure = false,
};
module_obj(TYPE_QTEST_ACCEL);
@@ -77,6 +78,7 @@ static const TypeInfo qtest_accel_ops_type = {
.parent = TYPE_ACCEL_OPS,
.class_init = qtest_accel_ops_class_init,
.abstract = true,
+ .secure = false,
};
module_obj(ACCEL_OPS_NAME("qtest"));
diff --git a/accel/tcg/tcg-accel-ops.c b/accel/tcg/tcg-accel-ops.c
index 3bd9800504..125017df29 100644
--- a/accel/tcg/tcg-accel-ops.c
+++ b/accel/tcg/tcg-accel-ops.c
@@ -239,6 +239,7 @@ static const TypeInfo tcg_accel_ops_type = {
.parent = TYPE_ACCEL_OPS,
.class_init = tcg_accel_ops_class_init,
.abstract = true,
+ .secure = false,
};
module_obj(ACCEL_OPS_NAME("tcg"));
diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
index 18ea0c58b0..3aab82b51b 100644
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -296,6 +296,7 @@ static const TypeInfo tcg_accel_type = {
.instance_init = tcg_accel_instance_init,
.class_init = tcg_accel_class_init,
.instance_size = sizeof(TCGState),
+ .secure = false,
};
module_obj(TYPE_TCG_ACCEL);
diff --git a/accel/xen/xen-all.c b/accel/xen/xen-all.c
index 97377d67d1..754a4099a4 100644
--- a/accel/xen/xen-all.c
+++ b/accel/xen/xen-all.c
@@ -147,6 +147,7 @@ static const TypeInfo xen_accel_type = {
.name = TYPE_XEN_ACCEL,
.parent = TYPE_ACCEL,
.class_init = xen_accel_class_init,
+ .secure = true,
};
static void xen_accel_ops_class_init(ObjectClass *oc, const void *data)
@@ -163,6 +164,7 @@ static const TypeInfo xen_accel_ops_type = {
.parent = TYPE_ACCEL_OPS,
.class_init = xen_accel_ops_class_init,
.abstract = true,
+ .secure = true,
};
static void xen_type_init(void)
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 18/32] hw: mark all virtio PCI devices as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (16 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 17/32] accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 19/32] hw: mark all virtio CCW " Daniel P. Berrangé
` (15 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These are all intended for use in a virtualization scenario and must
provide a security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/display/virtio-gpu-pci-rutabaga.c | 1 +
hw/display/virtio-gpu-pci.c | 3 ++-
hw/virtio/virtio-pci.c | 3 +++
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-pci-rutabaga.c b/hw/display/virtio-gpu-pci-rutabaga.c
index 5fdff37f2c..56e32e9f5b 100644
--- a/hw/display/virtio-gpu-pci-rutabaga.c
+++ b/hw/display/virtio-gpu-pci-rutabaga.c
@@ -34,6 +34,7 @@ static const TypeInfo virtio_gpu_rutabaga_pci_info[] = {
.parent = TYPE_VIRTIO_GPU_PCI_BASE,
.instance_size = sizeof(VirtIOGPURutabagaPCI),
.instance_init = virtio_gpu_rutabaga_initfn,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/display/virtio-gpu-pci.c b/hw/display/virtio-gpu-pci.c
index c0d71b6254..6c7cac7a25 100644
--- a/hw/display/virtio-gpu-pci.c
+++ b/hw/display/virtio-gpu-pci.c
@@ -75,7 +75,8 @@ static const TypeInfo virtio_gpu_pci_base_info = {
.parent = TYPE_VIRTIO_PCI,
.instance_size = sizeof(VirtIOGPUPCIBase),
.class_init = virtio_gpu_pci_base_class_init,
- .abstract = true
+ .abstract = true,
+ .secure = true,
};
module_obj(TYPE_VIRTIO_GPU_PCI_BASE);
module_kconfig(VIRTIO_PCI);
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 767216d795..f2f720792a 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -2494,6 +2494,7 @@ void virtio_pci_types_register(const VirtioPCIDeviceTypeInfo *t)
.name = t->generic_name,
.parent = base_type_info.name,
.class_init = virtio_pci_generic_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -2529,6 +2530,7 @@ void virtio_pci_types_register(const VirtioPCIDeviceTypeInfo *t)
.name = t->non_transitional_name,
.parent = base_type_info.name,
.instance_init = virtio_pci_non_transitional_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -2543,6 +2545,7 @@ void virtio_pci_types_register(const VirtioPCIDeviceTypeInfo *t)
.name = t->transitional_name,
.parent = base_type_info.name,
.instance_init = virtio_pci_transitional_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
/*
* Transitional virtio devices work only as Conventional PCI
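Review bot: All three type infos built in `virtio_pci_types_register()` (generic, non-transitional and transitional) now get `.secure = true` unconditionally, so every caller of this helper is declared secure with no way to opt out. If any virtio PCI device ever needs a different declaration, a field in `VirtioPCIDeviceTypeInfo` passed through to `.secure` would be less of a trap than a hard-coded value. The visible hunks also leave `base_type_info` untouched, although it is the `.parent` of all three; the commit message should say whether the base type is meant to carry a declaration too.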
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 19/32] hw: mark all virtio CCW devices as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (17 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 18/32] hw: mark all virtio PCI devices as secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 20/32] hw: mark all vhost devices a secure Daniel P. Berrangé
` (14 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These are all intended for use in a virtualization scenario and must
provide a security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/s390x/vhost-scsi-ccw.c | 1 +
hw/s390x/vhost-user-fs-ccw.c | 1 +
hw/s390x/vhost-vsock-ccw.c | 1 +
hw/s390x/virtio-ccw-9p.c | 1 +
hw/s390x/virtio-ccw-balloon.c | 1 +
hw/s390x/virtio-ccw-blk.c | 1 +
hw/s390x/virtio-ccw-crypto.c | 1 +
hw/s390x/virtio-ccw-gpu.c | 1 +
hw/s390x/virtio-ccw-input.c | 5 +++++
hw/s390x/virtio-ccw-md.c | 1 +
hw/s390x/virtio-ccw-mem.c | 1 +
hw/s390x/virtio-ccw-net.c | 1 +
hw/s390x/virtio-ccw-rng.c | 1 +
hw/s390x/virtio-ccw-scsi.c | 1 +
hw/s390x/virtio-ccw-serial.c | 1 +
hw/s390x/virtio-ccw.c | 1 +
16 files changed, 20 insertions(+)
diff --git a/hw/s390x/vhost-scsi-ccw.c b/hw/s390x/vhost-scsi-ccw.c
index 8341b23a95..2a16f8d06e 100644
--- a/hw/s390x/vhost-scsi-ccw.c
+++ b/hw/s390x/vhost-scsi-ccw.c
@@ -62,6 +62,7 @@ static const TypeInfo vhost_ccw_scsi = {
.instance_size = sizeof(VHostSCSICcw),
.instance_init = vhost_ccw_scsi_instance_init,
.class_init = vhost_ccw_scsi_class_init,
+ .secure = true,
};
static void virtio_ccw_scsi_register(void)
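Review bot: `vhost_ccw_scsi` is a vhost device, and this patch also touches vhost-user-fs-ccw.c and vhost-vsock-ccw.c, while the next patch in the series is titled as marking all vhost devices. The commit message should say that the vhost CCW proxies are covered here, or these three hunks should move to the vhost patch, so that each device class is declared in one place.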
diff --git a/hw/s390x/vhost-user-fs-ccw.c b/hw/s390x/vhost-user-fs-ccw.c
index cc1b8227fc..74c2ac288b 100644
--- a/hw/s390x/vhost-user-fs-ccw.c
+++ b/hw/s390x/vhost-user-fs-ccw.c
@@ -64,6 +64,7 @@ static const TypeInfo vhost_user_fs_ccw = {
.instance_size = sizeof(VHostUserFSCcw),
.instance_init = vhost_user_fs_ccw_instance_init,
.class_init = vhost_user_fs_ccw_class_init,
+ .secure = true,
};
static void vhost_user_fs_ccw_register(void)
diff --git a/hw/s390x/vhost-vsock-ccw.c b/hw/s390x/vhost-vsock-ccw.c
index 552e9e86a4..60a286f6d5 100644
--- a/hw/s390x/vhost-vsock-ccw.c
+++ b/hw/s390x/vhost-vsock-ccw.c
@@ -71,6 +71,7 @@ static const TypeInfo vhost_vsock_ccw_info = {
.instance_size = sizeof(VHostVSockCCWState),
.instance_init = vhost_vsock_ccw_instance_init,
.class_init = vhost_vsock_ccw_class_init,
+ .secure = true,
};
static void vhost_vsock_ccw_register(void)
diff --git a/hw/s390x/virtio-ccw-9p.c b/hw/s390x/virtio-ccw-9p.c
index 72bf6ec80c..72430b9897 100644
--- a/hw/s390x/virtio-ccw-9p.c
+++ b/hw/s390x/virtio-ccw-9p.c
@@ -64,6 +64,7 @@ static const TypeInfo virtio_ccw_9p_info = {
.instance_size = sizeof(V9fsCCWState),
.instance_init = virtio_ccw_9p_instance_init,
.class_init = virtio_ccw_9p_class_init,
+ .secure = true,
};
static void virtio_ccw_9p_register(void)
diff --git a/hw/s390x/virtio-ccw-balloon.c b/hw/s390x/virtio-ccw-balloon.c
index 399b40f366..40425a5995 100644
--- a/hw/s390x/virtio-ccw-balloon.c
+++ b/hw/s390x/virtio-ccw-balloon.c
@@ -69,6 +69,7 @@ static const TypeInfo virtio_ccw_balloon = {
.instance_size = sizeof(VirtIOBalloonCcw),
.instance_init = virtio_ccw_balloon_instance_init,
.class_init = virtio_ccw_balloon_class_init,
+ .secure = true,
};
static void virtio_ccw_balloon_register(void)
diff --git a/hw/s390x/virtio-ccw-blk.c b/hw/s390x/virtio-ccw-blk.c
index 7d8c4a75ce..a61da0f6d6 100644
--- a/hw/s390x/virtio-ccw-blk.c
+++ b/hw/s390x/virtio-ccw-blk.c
@@ -67,6 +67,7 @@ static const TypeInfo virtio_ccw_blk = {
.instance_size = sizeof(VirtIOBlkCcw),
.instance_init = virtio_ccw_blk_instance_init,
.class_init = virtio_ccw_blk_class_init,
+ .secure = true,
};
static void virtio_ccw_blk_register(void)
diff --git a/hw/s390x/virtio-ccw-crypto.c b/hw/s390x/virtio-ccw-crypto.c
index 75e714603b..0903cc0c97 100644
--- a/hw/s390x/virtio-ccw-crypto.c
+++ b/hw/s390x/virtio-ccw-crypto.c
@@ -67,6 +67,7 @@ static const TypeInfo virtio_ccw_crypto = {
.instance_size = sizeof(VirtIOCryptoCcw),
.instance_init = virtio_ccw_crypto_instance_init,
.class_init = virtio_ccw_crypto_class_init,
+ .secure = true,
};
static void virtio_ccw_crypto_register(void)
diff --git a/hw/s390x/virtio-ccw-gpu.c b/hw/s390x/virtio-ccw-gpu.c
index edb6a47d37..9f6170bcd4 100644
--- a/hw/s390x/virtio-ccw-gpu.c
+++ b/hw/s390x/virtio-ccw-gpu.c
@@ -66,6 +66,7 @@ static const TypeInfo virtio_ccw_gpu = {
.instance_size = sizeof(VirtIOGPUCcw),
.instance_init = virtio_ccw_gpu_instance_init,
.class_init = virtio_ccw_gpu_class_init,
+ .secure = true,
};
module_obj(TYPE_VIRTIO_GPU_CCW);
module_kconfig(VIRTIO_CCW);
diff --git a/hw/s390x/virtio-ccw-input.c b/hw/s390x/virtio-ccw-input.c
index 2250d8cf98..f5e1a209d1 100644
--- a/hw/s390x/virtio-ccw-input.c
+++ b/hw/s390x/virtio-ccw-input.c
@@ -96,6 +96,7 @@ static const TypeInfo virtio_ccw_input = {
.instance_size = sizeof(VirtIOInputCcw),
.class_init = virtio_ccw_input_class_init,
.abstract = true,
+ .secure = true,
};
static const TypeInfo virtio_ccw_input_hid = {
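Review bot: virtio_ccw_input is abstract and gets `.secure = true` here, and the four hunks below repeat the flag on virtio_ccw_input_hid and on each concrete keyboard, mouse and tablet type, which leaves it unclear whether the flag is inherited. If it is not, a subclass added later will silently be left unmarked even though every ancestor is marked; if it is, the repeats on the children are redundant. Please state the inheritance rule in the commit message or next to the TypeInfo field so that anyone adding a new type knows which of the two applies.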
@@ -103,6 +104,7 @@ static const TypeInfo virtio_ccw_input_hid = {
.parent = TYPE_VIRTIO_INPUT_CCW,
.instance_size = sizeof(VirtIOInputHIDCcw),
.abstract = true,
+ .secure = true,
};
static const TypeInfo virtio_ccw_keyboard = {
@@ -110,6 +112,7 @@ static const TypeInfo virtio_ccw_keyboard = {
.parent = TYPE_VIRTIO_INPUT_HID_CCW,
.instance_size = sizeof(VirtIOInputHIDCcw),
.instance_init = virtio_ccw_keyboard_instance_init,
+ .secure = true,
};
static const TypeInfo virtio_ccw_mouse = {
@@ -117,6 +120,7 @@ static const TypeInfo virtio_ccw_mouse = {
.parent = TYPE_VIRTIO_INPUT_HID_CCW,
.instance_size = sizeof(VirtIOInputHIDCcw),
.instance_init = virtio_ccw_mouse_instance_init,
+ .secure = true,
};
static const TypeInfo virtio_ccw_tablet = {
@@ -124,6 +128,7 @@ static const TypeInfo virtio_ccw_tablet = {
.parent = TYPE_VIRTIO_INPUT_HID_CCW,
.instance_size = sizeof(VirtIOInputHIDCcw),
.instance_init = virtio_ccw_tablet_instance_init,
+ .secure = true,
};
static void virtio_ccw_input_register(void)
diff --git a/hw/s390x/virtio-ccw-md.c b/hw/s390x/virtio-ccw-md.c
index 0370f58450..9a0264efda 100644
--- a/hw/s390x/virtio-ccw-md.c
+++ b/hw/s390x/virtio-ccw-md.c
@@ -140,6 +140,7 @@ static const TypeInfo virtio_ccw_md_info = {
.instance_size = sizeof(VirtIOMDCcw),
.class_size = sizeof(VirtIOMDCcwClass),
.abstract = true,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_MEMORY_DEVICE },
{ }
diff --git a/hw/s390x/virtio-ccw-mem.c b/hw/s390x/virtio-ccw-mem.c
index daa485d189..719386cfa7 100644
--- a/hw/s390x/virtio-ccw-mem.c
+++ b/hw/s390x/virtio-ccw-mem.c
@@ -216,6 +216,7 @@ static const TypeInfo virtio_ccw_mem = {
.instance_size = sizeof(VirtIOMEMCcw),
.instance_init = virtio_ccw_mem_instance_init,
.class_init = virtio_ccw_mem_class_init,
+ .secure = true,
};
static void virtio_ccw_mem_register_types(void)
diff --git a/hw/s390x/virtio-ccw-net.c b/hw/s390x/virtio-ccw-net.c
index a7d4afbeb9..b2ebc76000 100644
--- a/hw/s390x/virtio-ccw-net.c
+++ b/hw/s390x/virtio-ccw-net.c
@@ -70,6 +70,7 @@ static const TypeInfo virtio_ccw_net = {
.instance_size = sizeof(VirtIONetCcw),
.instance_init = virtio_ccw_net_instance_init,
.class_init = virtio_ccw_net_class_init,
+ .secure = true,
};
static void virtio_ccw_net_register(void)
diff --git a/hw/s390x/virtio-ccw-rng.c b/hw/s390x/virtio-ccw-rng.c
index 3263287d45..6216cc76dc 100644
--- a/hw/s390x/virtio-ccw-rng.c
+++ b/hw/s390x/virtio-ccw-rng.c
@@ -66,6 +66,7 @@ static const TypeInfo virtio_ccw_rng = {
.instance_size = sizeof(VirtIORNGCcw),
.instance_init = virtio_ccw_rng_instance_init,
.class_init = virtio_ccw_rng_class_init,
+ .secure = true,
};
static void virtio_ccw_rng_register(void)
diff --git a/hw/s390x/virtio-ccw-scsi.c b/hw/s390x/virtio-ccw-scsi.c
index 06b4c6c4a5..a9e99b5af1 100644
--- a/hw/s390x/virtio-ccw-scsi.c
+++ b/hw/s390x/virtio-ccw-scsi.c
@@ -76,6 +76,7 @@ static const TypeInfo virtio_ccw_scsi = {
.instance_size = sizeof(VirtIOSCSICcw),
.instance_init = virtio_ccw_scsi_instance_init,
.class_init = virtio_ccw_scsi_class_init,
+ .secure = true,
};
static void virtio_ccw_scsi_register(void)
diff --git a/hw/s390x/virtio-ccw-serial.c b/hw/s390x/virtio-ccw-serial.c
index 0dac590c08..5ae7bb2f30 100644
--- a/hw/s390x/virtio-ccw-serial.c
+++ b/hw/s390x/virtio-ccw-serial.c
@@ -76,6 +76,7 @@ static const TypeInfo virtio_ccw_serial = {
.instance_size = sizeof(VirtioSerialCcw),
.instance_init = virtio_ccw_serial_instance_init,
.class_init = virtio_ccw_serial_class_init,
+ .secure = true,
};
static void virtio_ccw_serial_register(void)
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index d2f85b39f3..5977357aa9 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -1249,6 +1249,7 @@ static const TypeInfo virtio_ccw_device_info = {
.class_init = virtio_ccw_device_class_init,
.class_size = sizeof(VirtIOCCWDeviceClass),
.abstract = true,
+ .secure = true,
};
/* virtio-ccw-bus */
--
2.50.1
* [PATCH v2 20/32] hw: mark all vhost devices a secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (18 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 19/32] hw: mark all virtio CCW " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 21/32] hw: mark all remaining virtio object types as secure Daniel P. Berrangé
` (13 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These are all intended for use in a virtualization scenario and must
provide a security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/block/vhost-user-blk.c | 1 +
hw/display/vhost-user-gpu.c | 1 +
hw/scsi/vhost-scsi.c | 1 +
hw/scsi/vhost-user-scsi.c | 1 +
hw/virtio/vhost-user-base.c | 3 ++-
hw/virtio/vhost-user-device.c | 1 +
hw/virtio/vhost-user-fs.c | 1 +
hw/virtio/vhost-user-gpio.c | 1 +
hw/virtio/vhost-user-i2c.c | 1 +
hw/virtio/vhost-user-input.c | 1 +
hw/virtio/vhost-user-rng.c | 1 +
hw/virtio/vhost-user-scmi.c | 1 +
hw/virtio/vhost-user-snd.c | 1 +
hw/virtio/vhost-user-vsock.c | 1 +
hw/virtio/vhost-vsock-common.c | 1 +
hw/virtio/vhost-vsock.c | 1 +
16 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
index c0cc5f6942..dbe672c5c4 100644
--- a/hw/block/vhost-user-blk.c
+++ b/hw/block/vhost-user-blk.c
@@ -618,6 +618,7 @@ static const TypeInfo vhost_user_blk_info = {
.instance_size = sizeof(VHostUserBlk),
.instance_init = vhost_user_blk_instance_init,
.class_init = vhost_user_blk_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
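Review bot: the commit message justifies the marking with a single sentence, but for the vhost-user types, starting with vhost_user_blk_info in this hunk, the device model runs in a separate backend process that QEMU only talks to over a socket. Please say in the commit message whether `.secure = true` is a statement about the QEMU-side front-end code only or also about the backend, so that the flag is not read as covering a backend that may come from outside the QEMU tree.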
diff --git a/hw/display/vhost-user-gpu.c b/hw/display/vhost-user-gpu.c
index 9fc6bbcd2c..3fc6267c4f 100644
--- a/hw/display/vhost-user-gpu.c
+++ b/hw/display/vhost-user-gpu.c
@@ -694,6 +694,7 @@ static const TypeInfo vhost_user_gpu_info = {
.instance_init = vhost_user_gpu_instance_init,
.instance_finalize = vhost_user_gpu_instance_finalize,
.class_init = vhost_user_gpu_class_init,
+ .secure = true,
};
module_obj(TYPE_VHOST_USER_GPU);
module_kconfig(VHOST_USER_GPU);
diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
index cdf405b0f8..7b8aec50e6 100644
--- a/hw/scsi/vhost-scsi.c
+++ b/hw/scsi/vhost-scsi.c
@@ -401,6 +401,7 @@ static const TypeInfo vhost_scsi_info = {
.instance_size = sizeof(VHostSCSI),
.class_init = vhost_scsi_class_init,
.instance_init = vhost_scsi_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_FW_PATH_PROVIDER },
{ }
diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
index 25f2d894e7..0ce5436090 100644
--- a/hw/scsi/vhost-user-scsi.c
+++ b/hw/scsi/vhost-user-scsi.c
@@ -426,6 +426,7 @@ static const TypeInfo vhost_user_scsi_info = {
.instance_size = sizeof(VHostUserSCSI),
.class_init = vhost_user_scsi_class_init,
.instance_init = vhost_user_scsi_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_FW_PATH_PROVIDER },
{ }
diff --git a/hw/virtio/vhost-user-base.c b/hw/virtio/vhost-user-base.c
index ff67a020b4..626657ced3 100644
--- a/hw/virtio/vhost-user-base.c
+++ b/hw/virtio/vhost-user-base.c
@@ -372,7 +372,8 @@ static const TypeInfo vub_types[] = {
.instance_size = sizeof(VHostUserBase),
.class_init = vub_class_init,
.class_size = sizeof(VHostUserBaseClass),
- .abstract = true
+ .abstract = true,
+ .secure = true,
}
};
diff --git a/hw/virtio/vhost-user-device.c b/hw/virtio/vhost-user-device.c
index 3939bdf755..d2e80c9f09 100644
--- a/hw/virtio/vhost-user-device.c
+++ b/hw/virtio/vhost-user-device.c
@@ -53,6 +53,7 @@ static const TypeInfo vud_info = {
.name = TYPE_VHOST_USER_DEVICE,
.parent = TYPE_VHOST_USER_BASE,
.class_init = vud_class_init,
+ .secure = true,
};
static void vu_register_types(void)
diff --git a/hw/virtio/vhost-user-fs.c b/hw/virtio/vhost-user-fs.c
index e77c69eb12..6861e4ff33 100644
--- a/hw/virtio/vhost-user-fs.c
+++ b/hw/virtio/vhost-user-fs.c
@@ -447,6 +447,7 @@ static const TypeInfo vuf_info = {
.instance_size = sizeof(VHostUserFS),
.instance_init = vuf_instance_init,
.class_init = vuf_class_init,
+ .secure = true,
};
static void vuf_register_types(void)
diff --git a/hw/virtio/vhost-user-gpio.c b/hw/virtio/vhost-user-gpio.c
index a7fd49b10a..47b9d685a2 100644
--- a/hw/virtio/vhost-user-gpio.c
+++ b/hw/virtio/vhost-user-gpio.c
@@ -53,6 +53,7 @@ static const TypeInfo vu_gpio_info = {
.parent = TYPE_VHOST_USER_BASE,
.instance_size = sizeof(VHostUserGPIO),
.class_init = vu_gpio_class_init,
+ .secure = true,
};
static void vu_gpio_register_types(void)
diff --git a/hw/virtio/vhost-user-i2c.c b/hw/virtio/vhost-user-i2c.c
index ae007fe97d..6e7558bc85 100644
--- a/hw/virtio/vhost-user-i2c.c
+++ b/hw/virtio/vhost-user-i2c.c
@@ -53,6 +53,7 @@ static const TypeInfo vu_i2c_info = {
.parent = TYPE_VHOST_USER_BASE,
.instance_size = sizeof(VHostUserI2C),
.class_init = vu_i2c_class_init,
+ .secure = true,
};
static void vu_i2c_register_types(void)
diff --git a/hw/virtio/vhost-user-input.c b/hw/virtio/vhost-user-input.c
index 5cfc5bbb56..a850e3770e 100644
--- a/hw/virtio/vhost-user-input.c
+++ b/hw/virtio/vhost-user-input.c
@@ -47,6 +47,7 @@ static const TypeInfo vhost_input_info = {
.parent = TYPE_VHOST_USER_BASE,
.instance_size = sizeof(VHostUserInput),
.class_init = vhost_input_class_init,
+ .secure = true,
};
static void vhost_input_register_types(void)
diff --git a/hw/virtio/vhost-user-rng.c b/hw/virtio/vhost-user-rng.c
index 61dadcda05..5ebae80635 100644
--- a/hw/virtio/vhost-user-rng.c
+++ b/hw/virtio/vhost-user-rng.c
@@ -55,6 +55,7 @@ static const TypeInfo vu_rng_info = {
.parent = TYPE_VHOST_USER_BASE,
.instance_size = sizeof(VHostUserRNG),
.class_init = vu_rng_class_init,
+ .secure = true,
};
static void vu_rng_register_types(void)
diff --git a/hw/virtio/vhost-user-scmi.c b/hw/virtio/vhost-user-scmi.c
index f9264c4374..565618d7aa 100644
--- a/hw/virtio/vhost-user-scmi.c
+++ b/hw/virtio/vhost-user-scmi.c
@@ -305,6 +305,7 @@ static const TypeInfo vu_scmi_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VHostUserSCMI),
.class_init = vu_scmi_class_init,
+ .secure = true,
};
static void vu_scmi_register_types(void)
diff --git a/hw/virtio/vhost-user-snd.c b/hw/virtio/vhost-user-snd.c
index 732411c655..d79e7d037c 100644
--- a/hw/virtio/vhost-user-snd.c
+++ b/hw/virtio/vhost-user-snd.c
@@ -72,6 +72,7 @@ static const TypeInfo vu_snd_info = {
.parent = TYPE_VHOST_USER_BASE,
.instance_size = sizeof(VHostUserSound),
.class_init = vu_snd_class_init,
+ .secure = true,
};
static void vu_snd_register_types(void)
diff --git a/hw/virtio/vhost-user-vsock.c b/hw/virtio/vhost-user-vsock.c
index 993c287348..a430d07a55 100644
--- a/hw/virtio/vhost-user-vsock.c
+++ b/hw/virtio/vhost-user-vsock.c
@@ -175,6 +175,7 @@ static const TypeInfo vuv_info = {
.parent = TYPE_VHOST_VSOCK_COMMON,
.instance_size = sizeof(VHostUserVSock),
.class_init = vuv_class_init,
+ .secure = true,
};
static void vuv_register_types(void)
diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
index c6c44d8989..d06d2342d9 100644
--- a/hw/virtio/vhost-vsock-common.c
+++ b/hw/virtio/vhost-vsock-common.c
@@ -308,6 +308,7 @@ static const TypeInfo vhost_vsock_common_info = {
.instance_size = sizeof(VHostVSockCommon),
.class_init = vhost_vsock_common_class_init,
.abstract = true,
+ .secure = true,
};
static void vhost_vsock_common_register_types(void)
diff --git a/hw/virtio/vhost-vsock.c b/hw/virtio/vhost-vsock.c
index 107d88babe..0fefe94b52 100644
--- a/hw/virtio/vhost-vsock.c
+++ b/hw/virtio/vhost-vsock.c
@@ -226,6 +226,7 @@ static const TypeInfo vhost_vsock_info = {
.parent = TYPE_VHOST_VSOCK_COMMON,
.instance_size = sizeof(VHostVSock),
.class_init = vhost_vsock_class_init,
+ .secure = true,
};
static void vhost_vsock_register_types(void)
--
2.50.1
* [PATCH v2 21/32] hw: mark all remaining virtio object types as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (19 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 20/32] hw: mark all vhost devices a secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 22/32] hw/vfio: mark all VFIO object classes " Daniel P. Berrangé
` (12 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These are all intended for use in a virtualization scenario and must
provide a security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/9pfs/virtio-9p-device.c | 1 +
hw/audio/virtio-snd.c | 1 +
hw/block/virtio-blk.c | 1 +
hw/char/virtio-console.c | 2 ++
hw/char/virtio-serial-bus.c | 3 +++
hw/display/virtio-gpu-base.c | 3 ++-
hw/display/virtio-gpu-gl.c | 1 +
hw/display/virtio-gpu-rutabaga.c | 1 +
hw/display/virtio-gpu.c | 1 +
hw/input/virtio-input-hid.c | 5 +++++
hw/input/virtio-input-host.c | 1 +
hw/input/virtio-input.c | 1 +
hw/scsi/virtio-scsi.c | 2 ++
hw/virtio/vdpa-dev.c | 1 +
hw/virtio/virtio-balloon.c | 1 +
hw/virtio/virtio-bus.c | 1 +
hw/virtio/virtio-crypto.c | 1 +
hw/virtio/virtio-input-pci.c | 2 ++
hw/virtio/virtio-iommu.c | 2 ++
hw/virtio/virtio-md-pci.c | 1 +
hw/virtio/virtio-mem.c | 1 +
hw/virtio/virtio-mmio.c | 2 ++
hw/virtio/virtio-nsm.c | 1 +
hw/virtio/virtio-pmem.c | 1 +
hw/virtio/virtio-rng.c | 1 +
25 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c
index 81b91e47c6..f5d7017d2e 100644
--- a/hw/9pfs/virtio-9p-device.c
+++ b/hw/9pfs/virtio-9p-device.c
@@ -268,6 +268,7 @@ static const TypeInfo virtio_device_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(V9fsVirtioState),
.class_init = virtio_9p_class_init,
+ .secure = true,
};
static void virtio_9p_register_types(void)
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index eca3319e59..166f82f78f 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1386,6 +1386,7 @@ static const TypeInfo virtio_snd_types[] = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VirtIOSound),
.class_init = virtio_snd_class_init,
+ .secure = true,
}
};
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 9bab2716c1..e560d021a7 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1915,6 +1915,7 @@ static const TypeInfo virtio_blk_info = {
.instance_init = virtio_blk_instance_init,
.class_init = virtio_blk_class_init,
.class_size = sizeof(VirtIOBlkClass),
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/char/virtio-console.c b/hw/char/virtio-console.c
index 0932a3572b..3732b441e8 100644
--- a/hw/char/virtio-console.c
+++ b/hw/char/virtio-console.c
@@ -272,6 +272,7 @@ static const TypeInfo virtconsole_info = {
.name = "virtconsole",
.parent = TYPE_VIRTIO_CONSOLE_SERIAL_PORT,
.class_init = virtconsole_class_init,
+ .secure = true,
};
static const Property virtserialport_properties[] = {
@@ -297,6 +298,7 @@ static const TypeInfo virtserialport_info = {
.parent = TYPE_VIRTIO_SERIAL_PORT,
.instance_size = sizeof(VirtConsole),
.class_init = virtserialport_class_init,
+ .secure = true,
};
static void virtconsole_register_types(void)
diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index 673c50f0be..56577f91df 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -852,6 +852,7 @@ static const TypeInfo virtser_bus_info = {
.parent = TYPE_BUS,
.instance_size = sizeof(VirtIOSerialBus),
.class_init = virtser_bus_class_init,
+ .secure = true,
};
static void virtser_bus_dev_print(Monitor *mon, DeviceState *qdev, int indent)
@@ -1109,6 +1110,7 @@ static const TypeInfo virtio_serial_port_type_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(VirtIOSerialPort),
.abstract = true,
+ .secure = true,
.class_size = sizeof(VirtIOSerialPortClass),
.class_init = virtio_serial_port_class_init,
};
@@ -1189,6 +1191,7 @@ static const TypeInfo virtio_device_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VirtIOSerial),
.class_init = virtio_serial_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
diff --git a/hw/display/virtio-gpu-base.c b/hw/display/virtio-gpu-base.c
index 7269477a1c..c593ab146c 100644
--- a/hw/display/virtio-gpu-base.c
+++ b/hw/display/virtio-gpu-base.c
@@ -308,7 +308,8 @@ static const TypeInfo virtio_gpu_base_info = {
.instance_size = sizeof(VirtIOGPUBase),
.class_size = sizeof(VirtIOGPUBaseClass),
.class_init = virtio_gpu_base_class_init,
- .abstract = true
+ .abstract = true,
+ .secure = true,
};
module_obj(TYPE_VIRTIO_GPU_BASE);
module_kconfig(VIRTIO_GPU);
diff --git a/hw/display/virtio-gpu-gl.c b/hw/display/virtio-gpu-gl.c
index c06a078fb3..38a27e5459 100644
--- a/hw/display/virtio-gpu-gl.c
+++ b/hw/display/virtio-gpu-gl.c
@@ -205,6 +205,7 @@ static const TypeInfo virtio_gpu_gl_info = {
.parent = TYPE_VIRTIO_GPU,
.instance_size = sizeof(VirtIOGPUGL),
.class_init = virtio_gpu_gl_class_init,
+ .secure = true,
};
module_obj(TYPE_VIRTIO_GPU_GL);
module_kconfig(VIRTIO_GPU);
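Review bot: virtio_gpu_gl_info is marked on the same one-line rationale as the plain virtio devices, but this type hands guest-supplied command streams to a host-side GL renderer, so the boundary depends on code outside hw/display. The commit message should say whether that rendering stack is in scope for `.secure = true`; if that needs separate discussion, splitting this hunk and the virtio-gpu-rutabaga one below into their own patch would make the decision easier to review and to revert.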
diff --git a/hw/display/virtio-gpu-rutabaga.c b/hw/display/virtio-gpu-rutabaga.c
index ed5ae52acb..d0b86f49c1 100644
--- a/hw/display/virtio-gpu-rutabaga.c
+++ b/hw/display/virtio-gpu-rutabaga.c
@@ -1132,6 +1132,7 @@ static const TypeInfo virtio_gpu_rutabaga_info[] = {
.parent = TYPE_VIRTIO_GPU,
.instance_size = sizeof(VirtIOGPURutabaga),
.class_init = virtio_gpu_rutabaga_class_init,
+ .secure = true,
},
};
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 0a1a625b0e..0fcefa1f0b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1713,6 +1713,7 @@ static const TypeInfo virtio_gpu_info = {
.instance_size = sizeof(VirtIOGPU),
.class_size = sizeof(VirtIOGPUClass),
.class_init = virtio_gpu_class_init,
+ .secure = true,
};
module_obj(TYPE_VIRTIO_GPU);
module_kconfig(VIRTIO_GPU);
diff --git a/hw/input/virtio-input-hid.c b/hw/input/virtio-input-hid.c
index d986c3c16e..aa475641f6 100644
--- a/hw/input/virtio-input-hid.c
+++ b/hw/input/virtio-input-hid.c
@@ -260,6 +260,7 @@ static const TypeInfo virtio_input_hid_info = {
.instance_size = sizeof(VirtIOInputHID),
.class_init = virtio_input_hid_class_init,
.abstract = true,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
@@ -317,6 +318,7 @@ static const TypeInfo virtio_keyboard_info = {
.parent = TYPE_VIRTIO_INPUT_HID,
.instance_size = sizeof(VirtIOInputHID),
.instance_init = virtio_keyboard_init,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
@@ -410,6 +412,7 @@ static const TypeInfo virtio_mouse_info = {
.instance_size = sizeof(VirtIOInputHID),
.instance_init = virtio_mouse_init,
.class_init = virtio_mouse_class_init,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
@@ -534,6 +537,7 @@ static const TypeInfo virtio_tablet_info = {
.instance_size = sizeof(VirtIOInputHID),
.instance_init = virtio_tablet_init,
.class_init = virtio_tablet_class_init,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
@@ -619,6 +623,7 @@ static const TypeInfo virtio_multitouch_info = {
.parent = TYPE_VIRTIO_INPUT_HID,
.instance_size = sizeof(VirtIOInputHID),
.instance_init = virtio_multitouch_init,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
diff --git a/hw/input/virtio-input-host.c b/hw/input/virtio-input-host.c
index 9f62532559..46db99eeb7 100644
--- a/hw/input/virtio-input-host.c
+++ b/hw/input/virtio-input-host.c
@@ -248,6 +248,7 @@ static const TypeInfo virtio_input_host_info = {
.instance_size = sizeof(VirtIOInputHost),
.instance_init = virtio_input_host_init,
.class_init = virtio_input_host_class_init,
+ .secure = true,
};
/* ----------------------------------------------------------------- */
diff --git a/hw/input/virtio-input.c b/hw/input/virtio-input.c
index a3f554f211..3bddcfc168 100644
--- a/hw/input/virtio-input.c
+++ b/hw/input/virtio-input.c
@@ -329,6 +329,7 @@ static const TypeInfo virtio_input_info = {
.class_size = sizeof(VirtIOInputClass),
.class_init = virtio_input_class_init,
.abstract = true,
+ .secure = true,
.instance_finalize = virtio_input_finalize,
};
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 34ae14f7bf..7b91663a40 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -1430,6 +1430,7 @@ static const TypeInfo virtio_scsi_common_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VirtIOSCSICommon),
.abstract = true,
+ .secure = true,
.class_init = virtio_scsi_common_class_init,
};
@@ -1438,6 +1439,7 @@ static const TypeInfo virtio_scsi_info = {
.parent = TYPE_VIRTIO_SCSI_COMMON,
.instance_size = sizeof(VirtIOSCSI),
.class_init = virtio_scsi_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
diff --git a/hw/virtio/vdpa-dev.c b/hw/virtio/vdpa-dev.c
index d1da40afc8..a8c5375f5d 100644
--- a/hw/virtio/vdpa-dev.c
+++ b/hw/virtio/vdpa-dev.c
@@ -385,6 +385,7 @@ static const TypeInfo vhost_vdpa_device_info = {
.instance_size = sizeof(VhostVdpaDevice),
.class_init = vhost_vdpa_device_class_init,
.instance_init = vhost_vdpa_device_instance_init,
+ .secure = true,
};
static void register_vhost_vdpa_device_type(void)
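Review bot: vhost_vdpa_device_info is a vhost type, yet it is marked in this patch ("remaining virtio object types") and hw/virtio/vdpa-dev.c is absent from the diffstat of 20/32 ("mark all vhost devices a secure"). Moving this hunk to 20/32 would keep each patch's subject accurate, which matters if one of them is later reverted or bisected.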
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index db787d00b3..51f261dd32 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -1087,6 +1087,7 @@ static const TypeInfo virtio_balloon_info = {
.instance_size = sizeof(VirtIOBalloon),
.instance_init = virtio_balloon_instance_init,
.class_init = virtio_balloon_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
index 11adfbf3ab..2efc0e306f 100644
--- a/hw/virtio/virtio-bus.c
+++ b/hw/virtio/virtio-bus.c
@@ -360,6 +360,7 @@ static const TypeInfo virtio_bus_info = {
.parent = TYPE_BUS,
.instance_size = sizeof(VirtioBusState),
.abstract = true,
+ .secure = true,
.class_size = sizeof(VirtioBusClass),
.class_init = virtio_bus_class_init
};
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 517f2089c5..e0bec9d6ee 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -1301,6 +1301,7 @@ static const TypeInfo virtio_crypto_info = {
.instance_size = sizeof(VirtIOCrypto),
.instance_init = virtio_crypto_instance_init,
.class_init = virtio_crypto_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/virtio/virtio-input-pci.c b/hw/virtio/virtio-input-pci.c
index 3be5358b4c..1ce9b28d8b 100644
--- a/hw/virtio/virtio-input-pci.c
+++ b/hw/virtio/virtio-input-pci.c
@@ -117,6 +117,7 @@ static const TypeInfo virtio_input_pci_info = {
.instance_size = sizeof(VirtIOInputPCI),
.class_init = virtio_input_pci_class_init,
.abstract = true,
+ .secure = true,
};
static const TypeInfo virtio_input_hid_pci_info = {
@@ -124,6 +125,7 @@ static const TypeInfo virtio_input_hid_pci_info = {
.parent = TYPE_VIRTIO_INPUT_PCI,
.instance_size = sizeof(VirtIOInputHIDPCI),
.abstract = true,
+ .secure = true,
};
static const VirtioPCIDeviceTypeInfo virtio_keyboard_pci_info = {
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 3500f1b082..fa46f4129f 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -1706,12 +1706,14 @@ static const TypeInfo virtio_iommu_info = {
.instance_size = sizeof(VirtIOIOMMU),
.instance_init = virtio_iommu_instance_init,
.class_init = virtio_iommu_class_init,
+ .secure = true,
};
static const TypeInfo virtio_iommu_memory_region_info = {
.parent = TYPE_IOMMU_MEMORY_REGION,
.name = TYPE_VIRTIO_IOMMU_MEMORY_REGION,
.class_init = virtio_iommu_memory_region_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
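Review bot: the second addition in this hunk marks virtio_iommu_memory_region_info, whose parent is TYPE_IOMMU_MEMORY_REGION, so it is an internal helper type rather than a device, while the commit message only speaks of types "intended for use in a virtualization scenario". Please document the rule for helper types like this one (must they be marked for the owning device to count as secure, or is the marking only meaningful on user-creatable types?) so the treatment is consistent across the series.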
diff --git a/hw/virtio/virtio-md-pci.c b/hw/virtio/virtio-md-pci.c
index 9278b32cf8..9eefb84daa 100644
--- a/hw/virtio/virtio-md-pci.c
+++ b/hw/virtio/virtio-md-pci.c
@@ -138,6 +138,7 @@ static const TypeInfo virtio_md_pci_info = {
.instance_size = sizeof(VirtIOMDPCI),
.class_size = sizeof(VirtIOMDPCIClass),
.abstract = true,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_MEMORY_DEVICE },
{ }
diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
index c46f6f9c3e..a444b9dfff 100644
--- a/hw/virtio/virtio-mem.c
+++ b/hw/virtio/virtio-mem.c
@@ -1888,6 +1888,7 @@ static const TypeInfo virtio_mem_info = {
.instance_finalize = virtio_mem_instance_finalize,
.class_init = virtio_mem_class_init,
.class_size = sizeof(VirtIOMEMClass),
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_RAM_DISCARD_MANAGER },
{ }
diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
index 532c67107b..1e3d949304 100644
--- a/hw/virtio/virtio-mmio.c
+++ b/hw/virtio/virtio-mmio.c
@@ -799,6 +799,7 @@ static const TypeInfo virtio_mmio_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(VirtIOMMIOProxy),
.class_init = virtio_mmio_class_init,
+ .secure = true,
};
/* virtio-mmio-bus. */
@@ -881,6 +882,7 @@ static const TypeInfo virtio_mmio_bus_info = {
.parent = TYPE_VIRTIO_BUS,
.instance_size = sizeof(VirtioBusState),
.class_init = virtio_mmio_bus_class_init,
+ .secure = true,
};
static void virtio_mmio_register_types(void)
diff --git a/hw/virtio/virtio-nsm.c b/hw/virtio/virtio-nsm.c
index 3bf5e7009a..099342f379 100644
--- a/hw/virtio/virtio-nsm.c
+++ b/hw/virtio/virtio-nsm.c
@@ -1727,6 +1727,7 @@ static const TypeInfo virtio_nsm_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VirtIONSM),
.class_init = virtio_nsm_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c
index 3416ea1827..6e62efadf0 100644
--- a/hw/virtio/virtio-pmem.c
+++ b/hw/virtio/virtio-pmem.c
@@ -185,6 +185,7 @@ static const TypeInfo virtio_pmem_info = {
.class_size = sizeof(VirtIOPMEMClass),
.class_init = virtio_pmem_class_init,
.instance_size = sizeof(VirtIOPMEM),
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
index 3df5d2576e..dec7bade7f 100644
--- a/hw/virtio/virtio-rng.c
+++ b/hw/virtio/virtio-rng.c
@@ -280,6 +280,7 @@ static const TypeInfo virtio_rng_info = {
.parent = TYPE_VIRTIO_DEVICE,
.instance_size = sizeof(VirtIORNG),
.class_init = virtio_rng_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
--
2.50.1
* [PATCH v2 22/32] hw/vfio: mark all VFIO object classes as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (20 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 21/32] hw: mark all remaining virtio object types as secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 23/32] hw/xen: mark all Xen related object types as being secure Daniel P. Berrangé
` (11 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The VFIO subsystem is about securely passing host PCI devices
to a guest, so all the classes should be presumed to be offering
a security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/vfio/ap.c | 1 +
hw/vfio/ccw.c | 1 +
hw/vfio/container.c | 2 ++
hw/vfio/igd.c | 1 +
hw/vfio/iommufd.c | 2 ++
hw/vfio/pci.c | 3 +++
hw/vfio/spapr.c | 1 +
7 files changed, 11 insertions(+)
diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
index 7719f24579..811866876c 100644
--- a/hw/vfio/ap.c
+++ b/hw/vfio/ap.c
@@ -361,6 +361,7 @@ static const TypeInfo vfio_ap_info = {
.instance_size = sizeof(VFIOAPDevice),
.instance_init = vfio_ap_instance_init,
.class_init = vfio_ap_class_init,
+ .secure = true,
};
static void vfio_ap_type_init(void)
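Review bot: the commit message describes VFIO as "securely passing host PCI devices to a guest", but the diffstat also covers hw/vfio/ap.c (this hunk) and hw/vfio/ccw.c, which are not PCI. Suggest rewording to "host devices" so the rationale matches everything the patch marks.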
diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
index 9560b8d851..bddeb5dffd 100644
--- a/hw/vfio/ccw.c
+++ b/hw/vfio/ccw.c
@@ -729,6 +729,7 @@ static const TypeInfo vfio_ccw_info = {
.instance_size = sizeof(VFIOCCWDevice),
.instance_init = vfio_ccw_instance_init,
.class_init = vfio_ccw_class_init,
+ .secure = true,
};
static void register_vfio_ccw_type(void)
diff --git a/hw/vfio/container.c b/hw/vfio/container.c
index 030c6d3f89..a4d89cadcc 100644
--- a/hw/vfio/container.c
+++ b/hw/vfio/container.c
@@ -1265,10 +1265,12 @@ static const TypeInfo types[] = {
.instance_init = vfio_iommu_legacy_instance_init,
.instance_size = sizeof(VFIOContainer),
.class_init = vfio_iommu_legacy_class_init,
+ .secure = true,
}, {
.name = TYPE_HOST_IOMMU_DEVICE_LEGACY_VFIO,
.parent = TYPE_HOST_IOMMU_DEVICE,
.class_init = hiod_legacy_vfio_class_init,
+ .secure = true,
}
};
diff --git a/hw/vfio/igd.c b/hw/vfio/igd.c
index 4bfa2e0fcd..53d7dea87e 100644
--- a/hw/vfio/igd.c
+++ b/hw/vfio/igd.c
@@ -312,6 +312,7 @@ static const TypeInfo vfio_pci_igd_lpc_bridge_info = {
.name = "vfio-pci-igd-lpc-bridge",
.parent = TYPE_PCI_DEVICE,
.class_init = vfio_pci_igd_lpc_bridge_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
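Review bot: vfio_pci_igd_lpc_bridge_info derives from TYPE_PCI_DEVICE, not from a VFIO device type, so it is a companion device that QEMU itself models, and the "passing host PCI devices to a guest" rationale does not obviously cover it. Please add a sentence on why this type is considered to offer a security boundary, or leave it out of this patch and handle it together with the other emulated PCI devices.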
diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
index 8c27222f75..2d6168a90e 100644
--- a/hw/vfio/iommufd.c
+++ b/hw/vfio/iommufd.c
@@ -958,10 +958,12 @@ static const TypeInfo types[] = {
.parent = TYPE_VFIO_IOMMU,
.instance_size = sizeof(VFIOIOMMUFDContainer),
.class_init = vfio_iommu_iommufd_class_init,
+ .secure = true,
}, {
.name = TYPE_HOST_IOMMU_DEVICE_IOMMUFD_VFIO,
.parent = TYPE_HOST_IOMMU_DEVICE_IOMMUFD,
.class_init = hiod_iommufd_vfio_class_init,
+ .secure = true,
}
};
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index bc0b4c4d56..f98384da93 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -3673,6 +3673,7 @@ static const TypeInfo vfio_pci_base_dev_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(VFIOPCIDevice),
.abstract = true,
+ .secure = true,
.class_init = vfio_pci_base_dev_class_init,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
@@ -3918,6 +3919,7 @@ static const TypeInfo vfio_pci_dev_info = {
.class_init = vfio_pci_dev_class_init,
.instance_init = vfio_instance_init,
.instance_finalize = vfio_instance_finalize,
+ .secure = true,
};
static const Property vfio_pci_dev_nohotplug_properties[] = {
@@ -3954,6 +3956,7 @@ static const TypeInfo vfio_pci_nohotplug_dev_info = {
.parent = TYPE_VFIO_PCI,
.instance_size = sizeof(VFIOPCIDevice),
.class_init = vfio_pci_nohotplug_dev_class_init,
+ .secure = true,
};
static void register_vfio_pci_dev_type(void)
diff --git a/hw/vfio/spapr.c b/hw/vfio/spapr.c
index c41e4588d6..a926faa0aa 100644
--- a/hw/vfio/spapr.c
+++ b/hw/vfio/spapr.c
@@ -571,6 +571,7 @@ static const TypeInfo types[] = {
.parent = TYPE_VFIO_IOMMU_LEGACY,
.instance_size = sizeof(VFIOSpaprContainer),
.class_init = vfio_iommu_spapr_class_init,
+ .secure = true,
},
};
--
2.50.1
* [PATCH v2 23/32] hw/xen: mark all Xen related object types as being secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (21 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 22/32] hw/vfio: mark all VFIO object classes " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 24/32] hw/net: mark most non-virtio NICs as insecure Daniel P. Berrangé
` (10 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
All Xen paravirtualized devices are intended to provide a host /
guest security barrier, so mark all Xen object types as secure.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/block/xen-block.c | 3 +++
hw/char/xen_console.c | 1 +
hw/i386/xen/xen_platform.c | 1 +
hw/net/xen_nic.c | 1 +
hw/xen/xen-bus.c | 3 +++
hw/xen/xen-legacy-backend.c | 3 +++
hw/xen/xen_pt.c | 1 +
7 files changed, 13 insertions(+)
diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
index 74de897c79..5112d8bdb3 100644
--- a/hw/block/xen-block.c
+++ b/hw/block/xen-block.c
@@ -699,6 +699,7 @@ static const TypeInfo xen_block_type_info = {
.parent = TYPE_XEN_DEVICE,
.instance_size = sizeof(XenBlockDevice),
.abstract = true,
+ .secure = true,
.class_size = sizeof(XenBlockDeviceClass),
.class_init = xen_block_class_init,
};
@@ -740,6 +741,7 @@ static const TypeInfo xen_disk_type_info = {
.parent = TYPE_XEN_BLOCK_DEVICE,
.instance_size = sizeof(XenDiskDevice),
.class_init = xen_disk_class_init,
+ .secure = true,
};
static void xen_cdrom_unrealize(XenBlockDevice *blockdev)
@@ -787,6 +789,7 @@ static const TypeInfo xen_cdrom_type_info = {
.parent = TYPE_XEN_BLOCK_DEVICE,
.instance_size = sizeof(XenCDRomDevice),
.class_init = xen_cdrom_class_init,
+ .secure = true,
};
static void xen_block_register_types(void)
diff --git a/hw/char/xen_console.c b/hw/char/xen_console.c
index 9c34a554bf..7ba2d82c0f 100644
--- a/hw/char/xen_console.c
+++ b/hw/char/xen_console.c
@@ -513,6 +513,7 @@ static const TypeInfo xen_console_type_info = {
.parent = TYPE_XEN_DEVICE,
.instance_size = sizeof(XenConsole),
.class_init = xen_console_class_init,
+ .secure = true,
};
static void xen_console_register_types(void)
diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c
index c8b852be0c..ec0084d6fb 100644
--- a/hw/i386/xen/xen_platform.c
+++ b/hw/i386/xen/xen_platform.c
@@ -604,6 +604,7 @@ static const TypeInfo xen_platform_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIXenPlatformState),
.class_init = xen_platform_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/xen_nic.c b/hw/net/xen_nic.c
index 34c6a1d0b0..eae29b4407 100644
--- a/hw/net/xen_nic.c
+++ b/hw/net/xen_nic.c
@@ -581,6 +581,7 @@ static const TypeInfo xen_net_type_info = {
.parent = TYPE_XEN_DEVICE,
.instance_size = sizeof(XenNetDev),
.class_init = xen_netdev_class_init,
+ .secure = true,
};
static void xen_net_register_types(void)
diff --git a/hw/xen/xen-bus.c b/hw/xen/xen-bus.c
index 6bd2e546f6..1098156209 100644
--- a/hw/xen/xen-bus.c
+++ b/hw/xen/xen-bus.c
@@ -399,6 +399,7 @@ static const TypeInfo xen_bus_type_info = {
.instance_size = sizeof(XenBus),
.class_size = sizeof(XenBusClass),
.class_init = xen_bus_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
@@ -1122,6 +1123,7 @@ static const TypeInfo xen_device_type_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(XenDevice),
.abstract = true,
+ .secure = true,
.class_size = sizeof(XenDeviceClass),
.class_init = xen_device_class_init,
};
@@ -1136,6 +1138,7 @@ static const TypeInfo xen_bridge_type_info = {
.name = TYPE_XEN_BRIDGE,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(XenBridge),
+ .secure = true,
};
static void xen_register_types(void)
diff --git a/hw/xen/xen-legacy-backend.c b/hw/xen/xen-legacy-backend.c
index 5ed53f8943..bc6c662678 100644
--- a/hw/xen/xen-legacy-backend.c
+++ b/hw/xen/xen-legacy-backend.c
@@ -648,6 +648,7 @@ static const TypeInfo xendev_type_info = {
.parent = TYPE_DYNAMIC_SYS_BUS_DEVICE,
.class_init = xendev_class_init,
.instance_size = sizeof(XenLegacyDevice),
+ .secure = true,
};
static void xen_sysbus_class_init(ObjectClass *klass, const void *data)
@@ -661,6 +662,7 @@ static const TypeInfo xensysbus_info = {
.name = TYPE_XENSYSBUS,
.parent = TYPE_BUS,
.class_init = xen_sysbus_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
@@ -670,6 +672,7 @@ static const TypeInfo xensysbus_info = {
static const TypeInfo xensysdev_info = {
.name = TYPE_XENSYSDEV,
.parent = TYPE_SYS_BUS_DEVICE,
+ .secure = true,
};
static void xenbe_register_types(void)
diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
index 006b5b55f2..c3ffb95b2d 100644
--- a/hw/xen/xen_pt.c
+++ b/hw/xen/xen_pt.c
@@ -1079,6 +1079,7 @@ static const TypeInfo xen_pci_passthrough_info = {
.instance_finalize = xen_pci_passthrough_finalize,
.class_init = xen_pci_passthrough_class_init,
.class_size = sizeof(XenPTDeviceClass),
+ .secure = true,
.instance_init = xen_pci_passthrough_instance_init,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
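Review bot: `xen_pci_passthrough_info` is a PCI passthrough type, but the commit message justifies the patch only for "Xen paravirtualized devices". Either extend the message to cover passthrough (and the `xen_platform_info` PCI device marked in hw/i386/xen/xen_platform.c), or state why those types fall under the same host / guest barrier claim, so the `.secure = true` here has a recorded rationale.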
--
2.50.1
* [PATCH v2 24/32] hw/net: mark most non-virtio NICs as insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (22 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 23/32] hw/xen: mark all Xen related object types as being secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 25/32] hw/usb: mark most USB devices/hosts as secure Daniel P. Berrangé
` (9 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Historically most NICs are only interesting for non-virtualization
use cases and have not been written with malicious guests in mind.
As a general rule either virtio-net or xen-net should be used in
all virtualized guests requiring a security boundary.
There are a handful of exceptions resulting from historical usage
in the x86 world, to support virtualized guests lacking virtio
support.
Thus the rtl8139, e1000 & e1000e NICs are declared to provide a
security boundary.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/net/allwinner-sun8i-emac.c | 1 +
hw/net/allwinner_emac.c | 3 ++-
hw/net/cadence_gem.c | 1 +
hw/net/can/can_kvaser_pci.c | 1 +
hw/net/can/can_mioe3680_pci.c | 1 +
hw/net/can/can_pcm3680_pci.c | 1 +
hw/net/can/ctucan_pci.c | 1 +
hw/net/can/xlnx-versal-canfd.c | 1 +
hw/net/can/xlnx-zynqmp-can.c | 1 +
hw/net/dp8393x.c | 1 +
hw/net/e1000.c | 1 +
hw/net/e1000e.c | 1 +
hw/net/eepro100.c | 1 +
hw/net/fsl_etsec/etsec.c | 1 +
hw/net/ftgmac100.c | 1 +
hw/net/igb.c | 1 +
hw/net/igbvf.c | 1 +
hw/net/imx_fec.c | 2 ++
hw/net/lan9118.c | 1 +
hw/net/lan9118_phy.c | 1 +
hw/net/lance.c | 1 +
hw/net/lasi_i82596.c | 1 +
hw/net/mcf_fec.c | 1 +
hw/net/msf2-emac.c | 1 +
hw/net/mv88w8618_eth.c | 1 +
hw/net/ne2000-isa.c | 1 +
hw/net/ne2000-pci.c | 1 +
hw/net/npcm7xx_emc.c | 1 +
hw/net/npcm_gmac.c | 1 +
hw/net/npcm_pcs.c | 1 +
hw/net/opencores_eth.c | 1 +
hw/net/pcnet-pci.c | 1 +
hw/net/rocker/rocker.c | 1 +
hw/net/rtl8139.c | 1 +
hw/net/smc91c111.c | 1 +
hw/net/spapr_llan.c | 1 +
hw/net/stellaris_enet.c | 1 +
hw/net/sungem.c | 1 +
hw/net/sunhme.c | 1 +
hw/net/tulip.c | 1 +
hw/net/virtio-net.c | 1 +
hw/net/vmxnet3.c | 1 +
hw/net/xgmac.c | 1 +
hw/net/xilinx_axienet.c | 1 +
hw/net/xilinx_ethlite.c | 1 +
45 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
index 30a81576b4..b03a917aa3 100644
--- a/hw/net/allwinner-sun8i-emac.c
+++ b/hw/net/allwinner-sun8i-emac.c
@@ -892,6 +892,7 @@ static const TypeInfo allwinner_sun8i_emac_info = {
.instance_size = sizeof(AwSun8iEmacState),
.instance_init = allwinner_sun8i_emac_init,
.class_init = allwinner_sun8i_emac_class_init,
+ .secure = false,
};
static void allwinner_sun8i_emac_register_types(void)
diff --git a/hw/net/allwinner_emac.c b/hw/net/allwinner_emac.c
index 77d089d988..836138bba3 100644
--- a/hw/net/allwinner_emac.c
+++ b/hw/net/allwinner_emac.c
@@ -528,8 +528,9 @@ static const TypeInfo aw_emac_info = {
.name = TYPE_AW_EMAC,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(AwEmacState),
- .instance_init = aw_emac_init,
+ .instance_init = aw_emac_init,
.class_init = aw_emac_class_init,
+ .secure = false,
};
static void aw_emac_register_types(void)
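Review bot: the `.instance_init = aw_emac_init,` line in `aw_emac_info` is removed and re-added with no change other than whitespace, which is unrelated to marking the type insecure. Drop the realignment from this patch or send it separately, so the diffstat for this file (`3 ++-`) carries only the `.secure = false` addition and the security annotation stays easy to audit.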
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 44446666de..760e0d5e99 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1833,6 +1833,7 @@ static const TypeInfo gem_info = {
.instance_size = sizeof(CadenceGEMState),
.instance_init = gem_init,
.class_init = gem_class_init,
+ .secure = false,
};
static void gem_register_types(void)
diff --git a/hw/net/can/can_kvaser_pci.c b/hw/net/can/can_kvaser_pci.c
index be16769de2..7764c29ced 100644
--- a/hw/net/can/can_kvaser_pci.c
+++ b/hw/net/can/can_kvaser_pci.c
@@ -305,6 +305,7 @@ static const TypeInfo kvaser_pci_info = {
.instance_size = sizeof(KvaserPCIState),
.class_init = kvaser_pci_class_init,
.instance_init = kvaser_pci_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/can/can_mioe3680_pci.c b/hw/net/can/can_mioe3680_pci.c
index 44f3ba370d..3e1c5eda19 100644
--- a/hw/net/can/can_mioe3680_pci.c
+++ b/hw/net/can/can_mioe3680_pci.c
@@ -248,6 +248,7 @@ static const TypeInfo mioe3680_pci_info = {
.instance_size = sizeof(Mioe3680PCIState),
.class_init = mioe3680_pci_class_init,
.instance_init = mioe3680_pci_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/can/can_pcm3680_pci.c b/hw/net/can/can_pcm3680_pci.c
index 7296d63be7..964e074a36 100644
--- a/hw/net/can/can_pcm3680_pci.c
+++ b/hw/net/can/can_pcm3680_pci.c
@@ -249,6 +249,7 @@ static const TypeInfo pcm3680i_pci_info = {
.instance_size = sizeof(Pcm3680iPCIState),
.class_init = pcm3680i_pci_class_init,
.instance_init = pcm3680i_pci_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/can/ctucan_pci.c b/hw/net/can/ctucan_pci.c
index bed6785433..1530959ea8 100644
--- a/hw/net/can/ctucan_pci.c
+++ b/hw/net/can/ctucan_pci.c
@@ -262,6 +262,7 @@ static const TypeInfo ctucan_pci_info = {
.instance_size = sizeof(CtuCanPCIState),
.class_init = ctucan_pci_class_init,
.instance_init = ctucan_pci_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/can/xlnx-versal-canfd.c b/hw/net/can/xlnx-versal-canfd.c
index 3eb111949f..0073812e3c 100644
--- a/hw/net/can/xlnx-versal-canfd.c
+++ b/hw/net/can/xlnx-versal-canfd.c
@@ -2068,6 +2068,7 @@ static const TypeInfo canfd_info = {
.instance_size = sizeof(XlnxVersalCANFDState),
.class_init = canfd_class_init,
.instance_init = canfd_init,
+ .secure = false,
};
static void canfd_register_types(void)
diff --git a/hw/net/can/xlnx-zynqmp-can.c b/hw/net/can/xlnx-zynqmp-can.c
index ca9edd4a5b..e859e447af 100644
--- a/hw/net/can/xlnx-zynqmp-can.c
+++ b/hw/net/can/xlnx-zynqmp-can.c
@@ -1194,6 +1194,7 @@ static const TypeInfo can_info = {
.instance_size = sizeof(XlnxZynqMPCANState),
.class_init = xlnx_zynqmp_can_class_init,
.instance_init = xlnx_zynqmp_can_init,
+ .secure = false,
};
static void can_register_types(void)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index d49032059b..b508b6f779 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -956,6 +956,7 @@ static const TypeInfo dp8393x_info = {
.instance_size = sizeof(dp8393xState),
.instance_init = dp8393x_instance_init,
.class_init = dp8393x_class_init,
+ .secure = false,
};
static void dp8393x_register_types(void)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index a80a7b0cdb..684350557f 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -1759,6 +1759,7 @@ static void e1000_register_types(void)
type_info.parent = TYPE_E1000_BASE;
type_info.class_data = info;
type_info.class_init = e1000_class_init;
+ type_info.secure = true,
type_register_static(&type_info);
}
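Review bot: the added statement `type_info.secure = true,` in `e1000_register_types()` ends with a comma instead of a semicolon, so it merges with the following `type_register_static(&type_info);` into a single comma expression. It still assigns before registering, but only by accident of operator precedence; this looks like a copy of the designated-initializer form used in the other files. Terminate it with `;`.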
diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c
index 89e6d52ba0..83cf3cf643 100644
--- a/hw/net/e1000e.c
+++ b/hw/net/e1000e.c
@@ -721,6 +721,7 @@ static const TypeInfo e1000e_info = {
.instance_size = sizeof(E1000EState),
.class_init = e1000e_class_init,
.instance_init = e1000e_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index d47df5a97f..3bc232d3c2 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -2094,6 +2094,7 @@ static void eepro100_register_types(void)
type_info.class_init = eepro100_class_init;
type_info.instance_size = sizeof(EEPRO100State);
type_info.instance_init = eepro100_instance_init;
+ type_info.secure = false,
type_info.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
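Review bot: `type_info.secure = false,` in `eepro100_register_types()` has the same trailing comma as the e1000 hunk, here chaining into the `type_info.interfaces = ...` assignment on the next line. Since this is a statement and not a struct initializer, end it with `;` so that a later edit to the neighbouring lines cannot silently change what gets assigned.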
diff --git a/hw/net/fsl_etsec/etsec.c b/hw/net/fsl_etsec/etsec.c
index 846f6cbc5d..4f82678941 100644
--- a/hw/net/fsl_etsec/etsec.c
+++ b/hw/net/fsl_etsec/etsec.c
@@ -437,6 +437,7 @@ static const TypeInfo etsec_types[] = {
.instance_size = sizeof(eTSEC),
.class_init = etsec_class_init,
.instance_init = etsec_instance_init,
+ .secure = false,
},
};
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index c41ce889cf..936a38a4f8 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -1277,6 +1277,7 @@ static const TypeInfo ftgmac100_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(FTGMAC100State),
.class_init = ftgmac100_class_init,
+ .secure = false,
};
/*
diff --git a/hw/net/igb.c b/hw/net/igb.c
index e4c02365d6..6ab7af33d5 100644
--- a/hw/net/igb.c
+++ b/hw/net/igb.c
@@ -635,6 +635,7 @@ static const TypeInfo igb_info = {
.instance_size = sizeof(IGBState),
.class_init = igb_class_init,
.instance_init = igb_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/net/igbvf.c b/hw/net/igbvf.c
index 31d72c4977..8a193db414 100644
--- a/hw/net/igbvf.c
+++ b/hw/net/igbvf.c
@@ -325,6 +325,7 @@ static const TypeInfo igbvf_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(IgbVfState),
.class_init = igbvf_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index e5e34dd1a4..d288ba0e2d 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -1261,12 +1261,14 @@ static const TypeInfo imx_fec_info = {
.instance_size = sizeof(IMXFECState),
.instance_init = imx_fec_init,
.class_init = imx_eth_class_init,
+ .secure = false,
};
static const TypeInfo imx_enet_info = {
.name = TYPE_IMX_ENET,
.parent = TYPE_IMX_FEC,
.instance_init = imx_enet_init,
+ .secure = false,
};
static void imx_eth_register_types(void)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 3017e12971..a190cf8a34 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -1325,6 +1325,7 @@ static const TypeInfo lan9118_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(lan9118_state),
.class_init = lan9118_class_init,
+ .secure = false,
};
static void lan9118_register_types(void)
diff --git a/hw/net/lan9118_phy.c b/hw/net/lan9118_phy.c
index 4c4e03df11..a32eb3374f 100644
--- a/hw/net/lan9118_phy.c
+++ b/hw/net/lan9118_phy.c
@@ -216,6 +216,7 @@ static const TypeInfo types[] = {
.instance_size = sizeof(Lan9118PhyState),
.instance_init = lan9118_phy_init,
.class_init = lan9118_phy_class_init,
+ .secure = false,
}
};
diff --git a/hw/net/lance.c b/hw/net/lance.c
index dfb855c23a..366869a004 100644
--- a/hw/net/lance.c
+++ b/hw/net/lance.c
@@ -161,6 +161,7 @@ static const TypeInfo lance_info = {
.instance_size = sizeof(SysBusPCNetState),
.class_init = lance_class_init,
.instance_init = lance_instance_init,
+ .secure = false,
};
static void lance_register_types(void)
diff --git a/hw/net/lasi_i82596.c b/hw/net/lasi_i82596.c
index 9e1dd21546..323cbcef96 100644
--- a/hw/net/lasi_i82596.c
+++ b/hw/net/lasi_i82596.c
@@ -181,6 +181,7 @@ static const TypeInfo lasi_82596_info = {
.instance_size = sizeof(SysBusI82596State),
.class_init = lasi_82596_class_init,
.instance_init = lasi_82596_instance_init,
+ .secure = false,
};
static void lasi_82596_register_types(void)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index ae128fa311..3a061139d0 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -681,6 +681,7 @@ static const TypeInfo mcf_fec_info = {
.instance_size = sizeof(mcf_fec_state),
.instance_init = mcf_fec_instance_init,
.class_init = mcf_fec_class_init,
+ .secure = false,
};
static void mcf_fec_register_types(void)
diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
index 59045973ab..3a72b96fac 100644
--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
@@ -581,6 +581,7 @@ static const TypeInfo msf2_emac_info = {
.instance_size = sizeof(MSF2EmacState),
.instance_init = msf2_emac_init,
.class_init = msf2_emac_class_init,
+ .secure = false,
};
static void msf2_emac_register_types(void)
diff --git a/hw/net/mv88w8618_eth.c b/hw/net/mv88w8618_eth.c
index 6f08846c81..77a748104d 100644
--- a/hw/net/mv88w8618_eth.c
+++ b/hw/net/mv88w8618_eth.c
@@ -392,6 +392,7 @@ static const TypeInfo mv88w8618_eth_info = {
.instance_size = sizeof(mv88w8618_eth_state),
.instance_init = mv88w8618_eth_init,
.class_init = mv88w8618_eth_class_init,
+ .secure = false,
};
static void musicpal_register_types(void)
diff --git a/hw/net/ne2000-isa.c b/hw/net/ne2000-isa.c
index 673c785abc..433a348f4d 100644
--- a/hw/net/ne2000-isa.c
+++ b/hw/net/ne2000-isa.c
@@ -142,6 +142,7 @@ static const TypeInfo ne2000_isa_info = {
.instance_size = sizeof(ISANE2000State),
.class_init = isa_ne2000_class_initfn,
.instance_init = isa_ne2000_instance_init,
+ .secure = false,
};
static void ne2000_isa_register_types(void)
diff --git a/hw/net/ne2000-pci.c b/hw/net/ne2000-pci.c
index ce937e1b61..23c663de10 100644
--- a/hw/net/ne2000-pci.c
+++ b/hw/net/ne2000-pci.c
@@ -122,6 +122,7 @@ static const TypeInfo ne2000_info = {
.instance_size = sizeof(PCINE2000State),
.class_init = ne2000_class_init,
.instance_init = ne2000_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
index 9ba35e2c81..6e148b4fdd 100644
--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
@@ -867,6 +867,7 @@ static const TypeInfo npcm7xx_emc_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(NPCM7xxEMCState),
.class_init = npcm7xx_emc_class_init,
+ .secure = false,
};
static void npcm7xx_emc_register_type(void)
diff --git a/hw/net/npcm_gmac.c b/hw/net/npcm_gmac.c
index 5e32cd3edf..f8cd4e5f12 100644
--- a/hw/net/npcm_gmac.c
+++ b/hw/net/npcm_gmac.c
@@ -933,6 +933,7 @@ static const TypeInfo npcm_gmac_types[] = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(NPCMGMACState),
.class_init = npcm_gmac_class_init,
+ .secure = false,
},
};
DEFINE_TYPES(npcm_gmac_types)
diff --git a/hw/net/npcm_pcs.c b/hw/net/npcm_pcs.c
index 6aec105271..82bc1f16c3 100644
--- a/hw/net/npcm_pcs.c
+++ b/hw/net/npcm_pcs.c
@@ -405,6 +405,7 @@ static const TypeInfo npcm_pcs_types[] = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(NPCMPCSState),
.class_init = npcm_pcs_class_init,
+ .secure = false,
},
};
DEFINE_TYPES(npcm_pcs_types)
diff --git a/hw/net/opencores_eth.c b/hw/net/opencores_eth.c
index 7e955c0132..8d1c4523dc 100644
--- a/hw/net/opencores_eth.c
+++ b/hw/net/opencores_eth.c
@@ -763,6 +763,7 @@ static const TypeInfo open_eth_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(OpenEthState),
.class_init = open_eth_class_init,
+ .secure = false,
};
static void open_eth_register_types(void)
diff --git a/hw/net/pcnet-pci.c b/hw/net/pcnet-pci.c
index 0ca5bc2193..90a27cdab5 100644
--- a/hw/net/pcnet-pci.c
+++ b/hw/net/pcnet-pci.c
@@ -280,6 +280,7 @@ static const TypeInfo pcnet_info = {
.instance_size = sizeof(PCIPCNetState),
.class_init = pcnet_class_init,
.instance_init = pcnet_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index cc49701dd3..8923ec6473 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -1498,6 +1498,7 @@ static const TypeInfo rocker_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(Rocker),
.class_init = rocker_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 324fb932aa..f8cc0b728d 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -3439,6 +3439,7 @@ static const TypeInfo rtl8139_info = {
.instance_size = sizeof(RTL8139State),
.class_init = rtl8139_class_init,
.instance_init = rtl8139_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 5cd78e334b..59ebebdf19 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -928,6 +928,7 @@ static const TypeInfo smc91c111_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(smc91c111_state),
.class_init = smc91c111_class_init,
+ .secure = false,
};
static void smc91c111_register_types(void)
diff --git a/hw/net/spapr_llan.c b/hw/net/spapr_llan.c
index f6f217d632..85b2c9809a 100644
--- a/hw/net/spapr_llan.c
+++ b/hw/net/spapr_llan.c
@@ -873,6 +873,7 @@ static const TypeInfo spapr_vlan_info = {
.class_init = spapr_vlan_class_init,
.instance_init = spapr_vlan_instance_init,
.instance_finalize = spapr_vlan_instance_finalize,
+ .secure = false,
};
static void spapr_vlan_register_types(void)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 2fc51e1e16..bebd1d04cc 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -516,6 +516,7 @@ static const TypeInfo stellaris_enet_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(stellaris_enet_state),
.class_init = stellaris_enet_class_init,
+ .secure = false,
};
static void stellaris_enet_register_types(void)
diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index b405eb89fa..1de709d274 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -1477,6 +1477,7 @@ static const TypeInfo sungem_info = {
.instance_size = sizeof(SunGEMState),
.class_init = sungem_class_init,
.instance_init = sungem_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ }
diff --git a/hw/net/sunhme.c b/hw/net/sunhme.c
index c2f7a8483d..59639afaac 100644
--- a/hw/net/sunhme.c
+++ b/hw/net/sunhme.c
@@ -958,6 +958,7 @@ static const TypeInfo sunhme_info = {
.class_init = sunhme_class_init,
.instance_size = sizeof(SunHMEState),
.instance_init = sunhme_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ }
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 319af906c8..32e7839a83 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -1035,6 +1035,7 @@ static const TypeInfo tulip_info = {
.instance_size = sizeof(TULIPState),
.class_init = tulip_class_init,
.instance_init = tulip_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 6b5b5dace3..b34c0f3afc 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -4259,6 +4259,7 @@ static const TypeInfo virtio_net_info = {
.instance_size = sizeof(VirtIONet),
.instance_init = virtio_net_instance_init,
.class_init = virtio_net_class_init,
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index af73aa8ef2..25e28e5467 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2491,6 +2491,7 @@ static const TypeInfo vmxnet3_info = {
.instance_size = sizeof(VMXNET3State),
.class_init = vmxnet3_class_init,
.instance_init = vmxnet3_instance_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
index d45f872467..fc71bc1e00 100644
--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
@@ -432,6 +432,7 @@ static const TypeInfo xgmac_enet_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(XgmacState),
.class_init = xgmac_enet_class_init,
+ .secure = false,
};
static void xgmac_enet_register_types(void)
diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
index 1f5c748047..9b3618facb 100644
--- a/hw/net/xilinx_axienet.c
+++ b/hw/net/xilinx_axienet.c
@@ -1038,6 +1038,7 @@ static const TypeInfo xilinx_enet_info = {
.instance_size = sizeof(XilinxAXIEnet),
.class_init = xilinx_enet_class_init,
.instance_init = xilinx_enet_init,
+ .secure = false,
};
static const TypeInfo xilinx_enet_data_stream_info = {
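Review bot: only `xilinx_enet_info` gains `.secure = false`, while the `xilinx_enet_data_stream_info` TypeInfo that begins right after this hunk is left unannotated (the diffstat shows a single insertion for this file). If the stream type is deliberately left unset, say so in the commit message; otherwise annotate it in the same patch so every type in the file carries an explicit status.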
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 42b19d07c7..5ea2c1e692 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -401,6 +401,7 @@ static const TypeInfo xilinx_ethlite_types[] = {
.instance_size = sizeof(XlnxXpsEthLite),
.instance_init = xilinx_ethlite_init,
.class_init = xilinx_ethlite_class_init,
+ .secure = false,
},
};
--
2.50.1
* [PATCH v2 25/32] hw/usb: mark most USB devices/hosts as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (23 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 24/32] hw/net: mark most non-virtio NICs as insecure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 26/32] hw/watchdog: mark some watchdog devices " Daniel P. Berrangé
` (8 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Most of the USB devices / host controllers are relevant for
virtualization use cases, so should be declared secure. The
exceptions are
* dwc2/dwc3 - emulating Raspberry Pi hardware.
* mtp - a complex file sharing device, unclear if
it has been used/proven sufficiently to consider
it secure
* braille - a variant of USB serial, using the
chardev baum backend, unclear that it is written
with a hostile guest in mind
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/usb/dev-audio.c | 1 +
hw/usb/dev-hid.c | 4 ++++
hw/usb/dev-hub.c | 1 +
hw/usb/dev-mtp.c | 1 +
hw/usb/dev-network.c | 1 +
hw/usb/dev-serial.c | 3 +++
hw/usb/dev-smartcard-reader.c | 3 +++
hw/usb/dev-storage-bot.c | 1 +
hw/usb/dev-storage-classic.c | 1 +
hw/usb/dev-storage.c | 1 +
hw/usb/dev-uas.c | 1 +
hw/usb/dev-wacom.c | 1 +
hw/usb/hcd-dwc2.c | 1 +
hw/usb/hcd-dwc3.c | 1 +
hw/usb/hcd-ehci-pci.c | 2 ++
hw/usb/hcd-ehci-sysbus.c | 8 ++++++++
hw/usb/hcd-ohci-pci.c | 1 +
hw/usb/hcd-ohci-sysbus.c | 1 +
hw/usb/hcd-uhci.c | 2 ++
hw/usb/hcd-xhci-nec.c | 1 +
hw/usb/hcd-xhci-pci.c | 2 ++
hw/usb/hcd-xhci-sysbus.c | 3 ++-
hw/usb/hcd-xhci.c | 1 +
hw/usb/host-libusb.c | 1 +
hw/usb/redirect.c | 1 +
25 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/hw/usb/dev-audio.c b/hw/usb/dev-audio.c
index 26af709f31..8be35a1cdf 100644
--- a/hw/usb/dev-audio.c
+++ b/hw/usb/dev-audio.c
@@ -1019,6 +1019,7 @@ static const TypeInfo usb_audio_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBAudioState),
.class_init = usb_audio_class_init,
+ .secure = true,
};
static void usb_audio_register_types(void)
diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
index 96623aa322..79a3c0387f 100644
--- a/hw/usb/dev-hid.c
+++ b/hw/usb/dev-hid.c
@@ -790,6 +790,7 @@ static const TypeInfo usb_hid_type_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBHIDState),
.abstract = true,
+ .secure = true,
.class_init = usb_hid_class_initfn,
};
@@ -815,6 +816,7 @@ static const TypeInfo usb_tablet_info = {
.name = "usb-tablet",
.parent = TYPE_USB_HID,
.class_init = usb_tablet_class_initfn,
+ .secure = true,
};
static const Property usb_mouse_properties[] = {
@@ -837,6 +839,7 @@ static const TypeInfo usb_mouse_info = {
.name = "usb-mouse",
.parent = TYPE_USB_HID,
.class_init = usb_mouse_class_initfn,
+ .secure = true,
};
static const Property usb_keyboard_properties[] = {
@@ -860,6 +863,7 @@ static const TypeInfo usb_keyboard_info = {
.name = "usb-kbd",
.parent = TYPE_USB_HID,
.class_init = usb_keyboard_class_initfn,
+ .secure = true,
};
static void usb_hid_register_types(void)
diff --git a/hw/usb/dev-hub.c b/hw/usb/dev-hub.c
index a19350d9c4..66d6b76973 100644
--- a/hw/usb/dev-hub.c
+++ b/hw/usb/dev-hub.c
@@ -694,6 +694,7 @@ static const TypeInfo hub_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBHubState),
.class_init = usb_hub_class_initfn,
+ .secure = true,
};
static void usb_hub_register_types(void)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index ce45c9cd06..11b0f284c7 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -2107,6 +2107,7 @@ static const TypeInfo mtp_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(MTPState),
.class_init = usb_mtp_class_initfn,
+ .secure = false,
};
static void usb_mtp_register_types(void)
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 1df2454181..cb539d8dd3 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -1435,6 +1435,7 @@ static const TypeInfo net_info = {
.instance_size = sizeof(USBNetState),
.class_init = usb_net_class_initfn,
.instance_init = usb_net_instance_init,
+ .secure = true,
};
static void usb_net_register_types(void)
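Review bot: `net_info` (the USB network device, `USBNetState`) is marked `.secure = true`, but the hw/net patch in this series argues that most emulated NICs were not written with malicious guests in mind, and this commit message lists only dwc2/dwc3, mtp and braille as exceptions without saying why the USB NIC qualifies. Add a sentence to the commit message justifying the secure status for this device, or mark it `.secure = false` in line with the other non-virtio NICs.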
diff --git a/hw/usb/dev-serial.c b/hw/usb/dev-serial.c
index 1c116d8b0f..51d11ba4d0 100644
--- a/hw/usb/dev-serial.c
+++ b/hw/usb/dev-serial.c
@@ -655,6 +655,7 @@ static const TypeInfo usb_serial_dev_type_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBSerialState),
.abstract = true,
+ .secure = true,
.class_init = usb_serial_dev_class_init,
};
@@ -672,6 +673,7 @@ static const TypeInfo serial_info = {
.name = "usb-serial",
.parent = TYPE_USB_SERIAL,
.class_init = usb_serial_class_initfn,
+ .secure = true,
};
static const Property braille_properties[] = {
@@ -692,6 +694,7 @@ static const TypeInfo braille_info = {
.name = "usb-braille",
.parent = TYPE_USB_SERIAL,
.class_init = usb_braille_class_initfn,
+ .secure = false,
};
static void usb_serial_register_types(void)
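Review bot: `.secure = false` on `braille_info` is the opposite of its sibling `serial_info` in the previous hunk, although both have `.parent = TYPE_USB_SERIAL` and that abstract parent is itself marked `.secure = true`. Nothing next to the field records why usb-braille differs, so a one-line comment above `.secure = false` giving the reason would stop a later cleanup from flipping it to match the parent.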
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 6ce7154fee..ebde3365f8 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1178,6 +1178,7 @@ static const TypeInfo ccid_bus_info = {
.name = TYPE_CCID_BUS,
.parent = TYPE_BUS,
.instance_size = sizeof(CCIDBus),
+ .secure = true,
};
void ccid_card_send_apdu_to_guest(CCIDCardState *card,
@@ -1458,6 +1459,7 @@ static const TypeInfo ccid_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBCCIDState),
.class_init = ccid_class_initfn,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ }
@@ -1478,6 +1480,7 @@ static const TypeInfo ccid_card_type_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(CCIDCardState),
.abstract = true,
+ .secure = true,
.class_size = sizeof(CCIDCardClass),
.class_init = ccid_card_class_init,
};
diff --git a/hw/usb/dev-storage-bot.c b/hw/usb/dev-storage-bot.c
index df6ab7f656..d9b0277856 100644
--- a/hw/usb/dev-storage-bot.c
+++ b/hw/usb/dev-storage-bot.c
@@ -52,6 +52,7 @@ static const TypeInfo bot_info = {
.name = "usb-bot",
.parent = TYPE_USB_STORAGE,
.class_init = usb_msd_class_bot_initfn,
+ .secure = true,
};
static void register_types(void)
diff --git a/hw/usb/dev-storage-classic.c b/hw/usb/dev-storage-classic.c
index dabe156359..e3e7d79ecf 100644
--- a/hw/usb/dev-storage-classic.c
+++ b/hw/usb/dev-storage-classic.c
@@ -133,6 +133,7 @@ static const TypeInfo msd_info = {
.parent = TYPE_USB_STORAGE,
.class_init = usb_msd_class_storage_initfn,
.instance_init = usb_msd_instance_init,
+ .secure = true,
};
static void register_types(void)
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index b13fe345c4..374312e57a 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -607,6 +607,7 @@ static const TypeInfo usb_storage_dev_type_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(MSDState),
.abstract = true,
+ .secure = true,
.class_init = usb_msd_class_initfn_common,
};
diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
index 21cc2835c6..6fde2bdf71 100644
--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
@@ -982,6 +982,7 @@ static const TypeInfo uas_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(UASDevice),
.class_init = usb_uas_class_initfn,
+ .secure = true,
};
static void usb_uas_register_types(void)
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
index f4b71a2147..6c2a37a53e 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@@ -442,6 +442,7 @@ static const TypeInfo wacom_info = {
.parent = TYPE_USB_DEVICE,
.instance_size = sizeof(USBWacomState),
.class_init = usb_wacom_class_init,
+ .secure = true,
};
static void usb_wacom_register_types(void)
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
index 83864505bb..10a996cc4a 100644
--- a/hw/usb/hcd-dwc2.c
+++ b/hw/usb/hcd-dwc2.c
@@ -1473,6 +1473,7 @@ static const TypeInfo dwc2_usb_type_info = {
.instance_init = dwc2_init,
.class_size = sizeof(DWC2Class),
.class_init = dwc2_class_init,
+ .secure = false,
};
static void dwc2_usb_register_types(void)
diff --git a/hw/usb/hcd-dwc3.c b/hw/usb/hcd-dwc3.c
index 98a342b8b8..54fa3a7922 100644
--- a/hw/usb/hcd-dwc3.c
+++ b/hw/usb/hcd-dwc3.c
@@ -682,6 +682,7 @@ static const TypeInfo usb_dwc3_info = {
.instance_size = sizeof(USBDWC3),
.class_init = usb_dwc3_class_init,
.instance_init = usb_dwc3_init,
+ .secure = false,
};
static void usb_dwc3_register_types(void)
diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
index 38ad3406b3..d80792422d 100644
--- a/hw/usb/hcd-ehci-pci.c
+++ b/hw/usb/hcd-ehci-pci.c
@@ -171,6 +171,7 @@ static const TypeInfo ehci_pci_type_info = {
.instance_init = usb_ehci_pci_init,
.instance_finalize = usb_ehci_pci_finalize,
.abstract = true,
+ .secure = true,
.class_init = ehci_class_init,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -219,6 +220,7 @@ static void ehci_pci_register_types(void)
TypeInfo ehci_type_info = {
.parent = TYPE_PCI_EHCI,
.class_init = ehci_data_class_init,
+ .secure = true,
};
int i;
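Review bot: `.secure = true` in `ehci_type_info` sits on a function-local template rather than a static TypeInfo, and the `int i;` that follows suggests several types are registered from it, so every one of them gets the flag with no per-entry override. If that is intended, say so in the commit message; if the per-device table can ever hold a variant that should not be marked, carry the value in that table and assign it per iteration instead.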
diff --git a/hw/usb/hcd-ehci-sysbus.c b/hw/usb/hcd-ehci-sysbus.c
index 0449f5fa6d..24b8a72af3 100644
--- a/hw/usb/hcd-ehci-sysbus.c
+++ b/hw/usb/hcd-ehci-sysbus.c
@@ -240,6 +240,7 @@ static const TypeInfo ehci_sysbus_types[] = {
.instance_init = ehci_sysbus_init,
.instance_finalize = ehci_sysbus_finalize,
.abstract = true,
+ .secure = true,
.class_init = ehci_sysbus_class_init,
.class_size = sizeof(SysBusEHCIClass),
},
@@ -247,32 +248,38 @@ static const TypeInfo ehci_sysbus_types[] = {
.name = TYPE_PLATFORM_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_platform_class_init,
+ .secure = true,
},
{
.name = TYPE_EXYNOS4210_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_exynos4210_class_init,
+ .secure = true,
},
{
.name = TYPE_AW_H3_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_aw_h3_class_init,
+ .secure = true,
},
{
.name = TYPE_NPCM7XX_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_npcm7xx_class_init,
+ .secure = true,
},
{
.name = TYPE_TEGRA2_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_tegra2_class_init,
+ .secure = true,
},
{
.name = TYPE_PPC4xx_EHCI,
.parent = TYPE_SYS_BUS_EHCI,
.class_init = ehci_ppc4xx_class_init,
.instance_init = ehci_ppc4xx_init,
+ .secure = true,
},
{
.name = TYPE_FUSBH200_EHCI,
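Review bot: the `.secure = true` lines added to `TYPE_EXYNOS4210_EHCI`, `TYPE_AW_H3_EHCI`, `TYPE_NPCM7XX_EHCI`, `TYPE_TEGRA2_EHCI` and `TYPE_PPC4xx_EHCI` mark SoC-specific sysbus controllers as secure, which does not match the rule applied in 26/32, where the Allwinner, Aspeed and i.MX2 watchdogs are set to false because they are "primarily for emulation". Either set the board-specific variants to false and keep true only where there is a virtualization use, or state in the commit message why sharing the EHCI core justifies true for all of them.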
@@ -280,6 +287,7 @@ static const TypeInfo ehci_sysbus_types[] = {
.instance_size = sizeof(FUSBH200EHCIState),
.instance_init = fusbh200_ehci_init,
.class_init = fusbh200_ehci_class_init,
+ .secure = true,
},
};
diff --git a/hw/usb/hcd-ohci-pci.c b/hw/usb/hcd-ohci-pci.c
index 94d1077eb9..9adfe564db 100644
--- a/hw/usb/hcd-ohci-pci.c
+++ b/hw/usb/hcd-ohci-pci.c
@@ -149,6 +149,7 @@ static const TypeInfo ohci_pci_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(OHCIPCIState),
.class_init = ohci_pci_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/usb/hcd-ohci-sysbus.c b/hw/usb/hcd-ohci-sysbus.c
index 3fc6cce44b..b57bbd4173 100644
--- a/hw/usb/hcd-ohci-sysbus.c
+++ b/hw/usb/hcd-ohci-sysbus.c
@@ -81,6 +81,7 @@ static const TypeInfo ohci_sysbus_types[] = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(OHCISysBusState),
.class_init = ohci_sysbus_class_init,
+ .secure = true,
},
};
diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
index 4822c704f6..f3ab8dd978 100644
--- a/hw/usb/hcd-uhci.c
+++ b/hw/usb/hcd-uhci.c
@@ -1277,6 +1277,7 @@ static const TypeInfo uhci_pci_type_info = {
.instance_size = sizeof(UHCIState),
.class_size = sizeof(UHCIPCIDeviceClass),
.abstract = true,
+ .secure = true,
.class_init = uhci_class_init,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -1374,6 +1375,7 @@ static void uhci_register_types(void)
TypeInfo uhci_type_info = {
.parent = TYPE_UHCI,
.class_init = uhci_data_class_init,
+ .secure = true,
};
int i;
diff --git a/hw/usb/hcd-xhci-nec.c b/hw/usb/hcd-xhci-nec.c
index 9e0fea26f4..74815af265 100644
--- a/hw/usb/hcd-xhci-nec.c
+++ b/hw/usb/hcd-xhci-nec.c
@@ -67,6 +67,7 @@ static const TypeInfo nec_xhci_info = {
.instance_size = sizeof(XHCINecState),
.instance_init = nec_xhci_instance_init,
.class_init = nec_xhci_class_init,
+ .secure = true,
};
static void nec_xhci_register_types(void)
diff --git a/hw/usb/hcd-xhci-pci.c b/hw/usb/hcd-xhci-pci.c
index b93c80b09d..fedc5b7cc2 100644
--- a/hw/usb/hcd-xhci-pci.c
+++ b/hw/usb/hcd-xhci-pci.c
@@ -248,6 +248,7 @@ static const TypeInfo xhci_pci_info = {
.class_init = xhci_class_init,
.instance_init = xhci_instance_init,
.abstract = true,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -280,6 +281,7 @@ static const TypeInfo qemu_xhci_info = {
.parent = TYPE_XHCI_PCI,
.class_init = qemu_xhci_class_init,
.instance_init = qemu_xhci_instance_init,
+ .secure = true,
};
static void xhci_register_types(void)
diff --git a/hw/usb/hcd-xhci-sysbus.c b/hw/usb/hcd-xhci-sysbus.c
index 244698e5f2..f801290284 100644
--- a/hw/usb/hcd-xhci-sysbus.c
+++ b/hw/usb/hcd-xhci-sysbus.c
@@ -111,7 +111,8 @@ static const TypeInfo xhci_sysbus_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(XHCISysbusState),
.class_init = xhci_sysbus_class_init,
- .instance_init = xhci_sysbus_instance_init
+ .instance_init = xhci_sysbus_instance_init,
+ .secure = true,
};
static void xhci_sysbus_register_types(void)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 292c378bfc..2218899d5c 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3655,6 +3655,7 @@ static const TypeInfo xhci_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(XHCIState),
.class_init = xhci_class_init,
+ .secure = true,
};
static void xhci_register_types(void)
diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
index b74670ae25..d42f9cdd70 100644
--- a/hw/usb/host-libusb.c
+++ b/hw/usb/host-libusb.c
@@ -1807,6 +1807,7 @@ static const TypeInfo usb_host_dev_info = {
.instance_size = sizeof(USBHostDevice),
.class_init = usb_host_class_initfn,
.instance_init = usb_host_instance_init,
+ .secure = true,
};
module_obj(TYPE_USB_HOST_DEVICE);
module_kconfig(USB);
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index f516ff42a1..038507ce0b 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -2619,6 +2619,7 @@ static const TypeInfo usbredir_dev_info = {
.instance_size = sizeof(USBRedirDevice),
.class_init = usbredir_class_initfn,
.instance_init = usbredir_instance_init,
+ .secure = true,
};
module_obj(TYPE_USB_REDIR);
module_kconfig(USB);
--
2.50.1
* [PATCH v2 26/32] hw/watchdog: mark some watchdog devices as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (24 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 25/32] hw/usb: mark most USB devices/hosts as secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 27/32] hw/scsi: mark most SCSI controllers as insecure / " Daniel P. Berrangé
` (7 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The ib700, i6300esb and spapr watchdog devices are marked as secure
since they have traditionally been used in virtualization use cases.
Other watchdogs are primarily for emulation.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/watchdog/allwinner-wdt.c | 3 +++
hw/watchdog/cmsdk-apb-watchdog.c | 1 +
hw/watchdog/sbsa_gwdt.c | 1 +
hw/watchdog/spapr_watchdog.c | 1 +
hw/watchdog/wdt_aspeed.c | 6 ++++++
hw/watchdog/wdt_diag288.c | 1 +
hw/watchdog/wdt_i6300esb.c | 1 +
hw/watchdog/wdt_ib700.c | 1 +
hw/watchdog/wdt_imx2.c | 1 +
9 files changed, 16 insertions(+)
diff --git a/hw/watchdog/allwinner-wdt.c b/hw/watchdog/allwinner-wdt.c
index 8fcd776675..2e4aa710ca 100644
--- a/hw/watchdog/allwinner-wdt.c
+++ b/hw/watchdog/allwinner-wdt.c
@@ -392,18 +392,21 @@ static const TypeInfo allwinner_wdt_info = {
.class_init = allwinner_wdt_class_init,
.class_size = sizeof(AwWdtClass),
.abstract = true,
+ .secure = false,
};
static const TypeInfo allwinner_wdt_sun4i_info = {
.name = TYPE_AW_WDT_SUN4I,
.parent = TYPE_AW_WDT,
.class_init = allwinner_wdt_sun4i_class_init,
+ .secure = false,
};
static const TypeInfo allwinner_wdt_sun6i_info = {
.name = TYPE_AW_WDT_SUN6I,
.parent = TYPE_AW_WDT,
.class_init = allwinner_wdt_sun6i_class_init,
+ .secure = false,
};
static void allwinner_wdt_register(void)
diff --git a/hw/watchdog/cmsdk-apb-watchdog.c b/hw/watchdog/cmsdk-apb-watchdog.c
index 6a8d07ca56..7f993903c2 100644
--- a/hw/watchdog/cmsdk-apb-watchdog.c
+++ b/hw/watchdog/cmsdk-apb-watchdog.c
@@ -409,6 +409,7 @@ static const TypeInfo cmsdk_apb_watchdog_info = {
.instance_size = sizeof(CMSDKAPBWatchdog),
.instance_init = cmsdk_apb_watchdog_init,
.class_init = cmsdk_apb_watchdog_class_init,
+ .secure = false,
};
static void luminary_watchdog_init(Object *obj)
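Review bot: only `cmsdk_apb_watchdog_info` gets `.secure = false` here, and the diffstat shows a single added line for this file, yet the trailing context (`luminary_watchdog_init`) points to a second watchdog type defined below it. If that type has its own TypeInfo, give it an explicit `.secure = false` as well, the way each Aspeed and Allwinner subtype is marked individually in this patch, rather than leaving its status implicit.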
diff --git a/hw/watchdog/sbsa_gwdt.c b/hw/watchdog/sbsa_gwdt.c
index ce84849df0..1113f93a7b 100644
--- a/hw/watchdog/sbsa_gwdt.c
+++ b/hw/watchdog/sbsa_gwdt.c
@@ -289,6 +289,7 @@ static const TypeInfo wdt_sbsa_gwdt_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.name = TYPE_WDT_SBSA,
.instance_size = sizeof(SBSA_GWDTState),
+ .secure = false,
};
static void wdt_sbsa_gwdt_register_types(void)
diff --git a/hw/watchdog/spapr_watchdog.c b/hw/watchdog/spapr_watchdog.c
index 5b3f50de3a..2c3fa54c55 100644
--- a/hw/watchdog/spapr_watchdog.c
+++ b/hw/watchdog/spapr_watchdog.c
@@ -263,6 +263,7 @@ static const TypeInfo spapr_wdt_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(SpaprWatchdog),
.class_init = spapr_wdt_class_init,
+ .secure = true,
};
static void spapr_watchdog_register_types(void)
diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index 30226435ef..58545e1560 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -327,6 +327,7 @@ static const TypeInfo aspeed_wdt_info = {
.class_init = aspeed_wdt_class_init,
.class_size = sizeof(AspeedWDTClass),
.abstract = true,
+ .secure = false,
};
static void aspeed_2400_wdt_class_init(ObjectClass *klass, const void *data)
@@ -349,6 +350,7 @@ static const TypeInfo aspeed_2400_wdt_info = {
.parent = TYPE_ASPEED_WDT,
.instance_size = sizeof(AspeedWDTState),
.class_init = aspeed_2400_wdt_class_init,
+ .secure = false,
};
static void aspeed_2500_wdt_reset_pulse(AspeedWDTState *s, uint32_t property)
@@ -387,6 +389,7 @@ static const TypeInfo aspeed_2500_wdt_info = {
.parent = TYPE_ASPEED_WDT,
.instance_size = sizeof(AspeedWDTState),
.class_init = aspeed_2500_wdt_class_init,
+ .secure = false,
};
static void aspeed_2600_wdt_class_init(ObjectClass *klass, const void *data)
@@ -410,6 +413,7 @@ static const TypeInfo aspeed_2600_wdt_info = {
.parent = TYPE_ASPEED_WDT,
.instance_size = sizeof(AspeedWDTState),
.class_init = aspeed_2600_wdt_class_init,
+ .secure = false,
};
static void aspeed_1030_wdt_class_init(ObjectClass *klass, const void *data)
@@ -433,6 +437,7 @@ static const TypeInfo aspeed_1030_wdt_info = {
.parent = TYPE_ASPEED_WDT,
.instance_size = sizeof(AspeedWDTState),
.class_init = aspeed_1030_wdt_class_init,
+ .secure = false,
};
static void aspeed_2700_wdt_class_init(ObjectClass *klass, const void *data)
@@ -456,6 +461,7 @@ static const TypeInfo aspeed_2700_wdt_info = {
.parent = TYPE_ASPEED_WDT,
.instance_size = sizeof(AspeedWDTState),
.class_init = aspeed_2700_wdt_class_init,
+ .secure = false,
};
static void wdt_aspeed_register_types(void)
diff --git a/hw/watchdog/wdt_diag288.c b/hw/watchdog/wdt_diag288.c
index 1275353e8e..ec41a92337 100644
--- a/hw/watchdog/wdt_diag288.c
+++ b/hw/watchdog/wdt_diag288.c
@@ -129,6 +129,7 @@ static const TypeInfo wdt_diag288_info = {
.name = TYPE_WDT_DIAG288,
.instance_size = sizeof(DIAG288State),
.class_size = sizeof(DIAG288Class),
+ .secure = false,
};
static void wdt_diag288_register_types(void)
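Review bot: `.secure = false` on `wdt_diag288_info` conflicts with the rationale in the commit message, as far as I can tell: diag288 is the s390x watchdog driven through the DIAGNOSE 0x288 interface, so it is used by virtualized guests rather than only for board emulation. Either mark it true alongside ib700, i6300esb and spapr, or name it in the commit message with the reason it is excluded.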
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
index bb8a2766b6..363c36a9b5 100644
--- a/hw/watchdog/wdt_i6300esb.c
+++ b/hw/watchdog/wdt_i6300esb.c
@@ -480,6 +480,7 @@ static const TypeInfo i6300esb_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(I6300State),
.class_init = i6300esb_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/watchdog/wdt_ib700.c b/hw/watchdog/wdt_ib700.c
index 51a26a4cbb..8bf2b2fbf9 100644
--- a/hw/watchdog/wdt_ib700.c
+++ b/hw/watchdog/wdt_ib700.c
@@ -144,6 +144,7 @@ static const TypeInfo wdt_ib700_info = {
.parent = TYPE_ISA_DEVICE,
.instance_size = sizeof(IB700State),
.class_init = wdt_ib700_class_init,
+ .secure = true,
};
static void wdt_ib700_register_types(void)
diff --git a/hw/watchdog/wdt_imx2.c b/hw/watchdog/wdt_imx2.c
index 10151a15d0..9ecb69f38b 100644
--- a/hw/watchdog/wdt_imx2.c
+++ b/hw/watchdog/wdt_imx2.c
@@ -303,6 +303,7 @@ static const TypeInfo imx2_wdt_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(IMX2WdtState),
.class_init = imx2_wdt_class_init,
+ .secure = false,
};
static void imx2_wdt_register_type(void)
--
2.50.1
* [PATCH v2 27/32] hw/scsi: mark most SCSI controllers as insecure / devices as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (25 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 26/32] hw/watchdog: mark some watchdog devices " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 28/32] hw/ide: mark ICH9 and ide-hd/ide-cd " Daniel P. Berrangé
` (6 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
The scsi-block, scsi-hd, scsi-cd & scsi-generic devices can be used
with any controller including virtio-scsi, so must be considered
secure for virtualization.
All the non-virtio SCSI controllers, however, are serving emulation
use cases and are complex enough to not consider them secure.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/scsi/esp-pci.c | 2 ++
hw/scsi/esp.c | 2 ++
hw/scsi/lsi53c895a.c | 2 ++
hw/scsi/megasas.c | 2 ++
hw/scsi/mptsas.c | 1 +
hw/scsi/scsi-disk.c | 4 ++++
hw/scsi/scsi-generic.c | 1 +
hw/scsi/spapr_vscsi.c | 1 +
hw/scsi/vhost-scsi-common.c | 1 +
hw/scsi/vmw_pvscsi.c | 1 +
10 files changed, 17 insertions(+)
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index 12c86eb7aa..966524e3d7 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -450,6 +450,7 @@ static const TypeInfo esp_pci_info = {
.instance_init = esp_pci_init,
.instance_size = sizeof(PCIESPState),
.class_init = esp_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -574,6 +575,7 @@ static const TypeInfo dc390_info = {
.parent = TYPE_AM53C974_DEVICE,
.instance_size = sizeof(DC390State),
.class_init = dc390_class_init,
+ .secure = false,
};
static void esp_pci_register_types(void)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 1d264c40e5..ba9bf6ec45 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -1678,6 +1678,7 @@ static const TypeInfo esp_info_types[] = {
.instance_init = sysbus_esp_init,
.instance_size = sizeof(SysBusESPState),
.class_init = sysbus_esp_class_init,
+ .secure = false,
},
{
.name = TYPE_ESP,
@@ -1686,6 +1687,7 @@ static const TypeInfo esp_info_types[] = {
.instance_finalize = esp_finalize,
.instance_size = sizeof(ESPState),
.class_init = esp_class_init,
+ .secure = false,
},
};
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 9ea4aa0a85..afdd9f0b47 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -2396,6 +2396,7 @@ static const TypeInfo lsi_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(LSIState),
.class_init = lsi_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -2413,6 +2414,7 @@ static const TypeInfo lsi53c810_info = {
.name = TYPE_LSI53C810,
.parent = TYPE_LSI53C895A,
.class_init = lsi53c810_class_init,
+ .secure = false,
};
static void lsi53c895a_register_types(void)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 844643d916..6e5d9b71be 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -2556,6 +2556,7 @@ static const TypeInfo megasas_info = {
.instance_size = sizeof(MegasasState),
.class_size = sizeof(MegasasBaseClass),
.abstract = true,
+ .secure = false,
};
static void megasas_register_types(void)
@@ -2572,6 +2573,7 @@ static void megasas_register_types(void)
type_info.class_data = info;
type_info.class_init = megasas_class_init;
type_info.interfaces = info->interfaces;
+ type_info.secure = false;
type_register_static(&type_info);
}
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 4ada35b7ec..58388b4480 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -1441,6 +1441,7 @@ static const TypeInfo mptsas_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(MPTSASState),
.class_init = mptsas1068_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index b4782c6248..dd3a24da4f 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -3173,6 +3173,7 @@ static const TypeInfo scsi_disk_base_info = {
.instance_size = sizeof(SCSIDiskState),
.class_size = sizeof(SCSIDiskClass),
.abstract = true,
+ .secure = true,
};
#define DEFINE_SCSI_DISK_PROPERTIES() \
@@ -3244,6 +3245,7 @@ static const TypeInfo scsi_hd_info = {
.name = "scsi-hd",
.parent = TYPE_SCSI_DISK_BASE,
.class_init = scsi_hd_class_initfn,
+ .secure = true,
};
static const Property scsi_cd_properties[] = {
@@ -3285,6 +3287,7 @@ static const TypeInfo scsi_cd_info = {
.name = "scsi-cd",
.parent = TYPE_SCSI_DISK_BASE,
.class_init = scsi_cd_class_initfn,
+ .secure = true,
};
#ifdef __linux__
@@ -3325,6 +3328,7 @@ static const TypeInfo scsi_block_info = {
.name = "scsi-block",
.parent = TYPE_SCSI_DISK_BASE,
.class_init = scsi_block_class_initfn,
+ .secure = true,
};
#endif
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 9e380a2109..380e3184c1 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -806,6 +806,7 @@ static const TypeInfo scsi_generic_info = {
.parent = TYPE_SCSI_DEVICE,
.instance_size = sizeof(SCSIDevice),
.class_init = scsi_generic_class_initfn,
+ .secure = true,
};
static void scsi_generic_register_types(void)
diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index 20f70fb272..5560249863 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -1290,6 +1290,7 @@ static const TypeInfo spapr_vscsi_info = {
.parent = TYPE_VIO_SPAPR_DEVICE,
.instance_size = sizeof(VSCSIState),
.class_init = spapr_vscsi_class_init,
+ .secure = true,
};
static void spapr_vscsi_register_types(void)
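Review bot: `.secure = true` on `spapr_vscsi_info` contradicts the commit message, which says all the non-virtio SCSI controllers serve emulation use cases and are not considered secure. Reword the message to list the exceptions (this one being the pseries paravirtual controller) so the stated policy and the code agree.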
diff --git a/hw/scsi/vhost-scsi-common.c b/hw/scsi/vhost-scsi-common.c
index 43525ba46d..3db2191f33 100644
--- a/hw/scsi/vhost-scsi-common.c
+++ b/hw/scsi/vhost-scsi-common.c
@@ -164,6 +164,7 @@ static const TypeInfo vhost_scsi_common_info = {
.parent = TYPE_VIRTIO_SCSI_COMMON,
.instance_size = sizeof(VHostSCSICommon),
.abstract = true,
+ .secure = true,
};
static void virtio_register_types(void)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 7c98b1b8ea..073e0e8b7b 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -1299,6 +1299,7 @@ static const TypeInfo pvscsi_info = {
.instance_size = sizeof(PVSCSIState),
.class_init = pvscsi_class_init,
.instance_init = pvscsi_instance_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ INTERFACE_PCIE_DEVICE },
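Review bot: `.secure = true` on `pvscsi_info` puts a non-virtio controller in the secure set while lsi53c895a, megasas, mptsas and esp are set to false in the same patch. The subject only says "most SCSI controllers as insecure", so add a sentence to the commit message, or a comment above the field, saying what makes pvscsi different and the exception can be reviewed on its merits.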
--
2.50.1
* [PATCH v2 28/32] hw/ide: mark ICH9 and ide-hd/ide-cd as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (26 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 27/32] hw/scsi: mark most SCSI controllers as insecure / " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 29/32] hw: mark test/demo devices as insecure Daniel P. Berrangé
` (5 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These have a long history of usage in virtualization scenarios on
x86, for OS which lack modern virtio drivers for storage, and thus
must be considered secure.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/ide/ich.c | 1 +
hw/ide/ide-dev.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/hw/ide/ich.c b/hw/ide/ich.c
index b00987f08d..c7d50a15c1 100644
--- a/hw/ide/ich.c
+++ b/hw/ide/ich.c
@@ -198,6 +198,7 @@ static const TypeInfo ich_ahci_info = {
.instance_size = sizeof(AHCIPCIState),
.instance_init = pci_ich9_ahci_init,
.class_init = ich_ahci_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/ide/ide-dev.c b/hw/ide/ide-dev.c
index 5d478588c6..f555d0fb04 100644
--- a/hw/ide/ide-dev.c
+++ b/hw/ide/ide-dev.c
@@ -214,6 +214,7 @@ static const TypeInfo ide_hd_info = {
.parent = TYPE_IDE_DEVICE,
.instance_size = sizeof(IDEDrive),
.class_init = ide_hd_class_init,
+ .secure = true,
};
static const Property ide_cd_properties[] = {
@@ -236,6 +237,7 @@ static const TypeInfo ide_cd_info = {
.parent = TYPE_IDE_DEVICE,
.instance_size = sizeof(IDEDrive),
.class_init = ide_cd_class_init,
+ .secure = true,
};
static void ide_device_class_init(ObjectClass *klass, const void *data)
@@ -252,6 +254,7 @@ static const TypeInfo ide_device_type_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(IDEDevice),
.abstract = true,
+ .secure = true,
.class_size = sizeof(IDEDeviceClass),
.class_init = ide_device_class_init,
.instance_init = ide_dev_instance_init,
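Review bot: `.secure = true` on the abstract `ide_device_type_info` goes beyond the subject, which names only ICH9, ide-hd and ide-cd. Say in the commit message that the `TYPE_IDE_DEVICE` base is marked too, and whether any other concrete subclass of it that this patch leaves untouched is meant to pick up the value from the parent or stay unmarked.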
--
2.50.1
* [PATCH v2 29/32] hw: mark test/demo devices as insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (27 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 28/32] hw/ide: mark ICH9 and ide-hd/ide-cd " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 30/32] hw: define most common PCI types as secure Daniel P. Berrangé
` (4 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
These devices are either intended for use by the test suite,
or as a demonstration for how to write devices. None of them
should be used for real guest workload deployments.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/hyperv/hyperv_testdev.c | 1 +
hw/misc/edu.c | 1 +
hw/misc/pc-testdev.c | 1 +
hw/misc/pci-testdev.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/hw/hyperv/hyperv_testdev.c b/hw/hyperv/hyperv_testdev.c
index 2d4a63693b..e31df31207 100644
--- a/hw/hyperv/hyperv_testdev.c
+++ b/hw/hyperv/hyperv_testdev.c
@@ -316,6 +316,7 @@ static const TypeInfo hv_test_dev_info = {
.parent = TYPE_ISA_DEVICE,
.instance_size = sizeof(HypervTestDev),
.class_init = hv_test_dev_class_init,
+ .secure = false,
};
static void hv_test_dev_register_types(void)
diff --git a/hw/misc/edu.c b/hw/misc/edu.c
index cece633e11..8b7c8b9467 100644
--- a/hw/misc/edu.c
+++ b/hw/misc/edu.c
@@ -436,6 +436,7 @@ static const TypeInfo edu_types[] = {
.instance_size = sizeof(EduState),
.instance_init = edu_instance_init,
.class_init = edu_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/misc/pc-testdev.c b/hw/misc/pc-testdev.c
index 67c486f347..bae405b687 100644
--- a/hw/misc/pc-testdev.c
+++ b/hw/misc/pc-testdev.c
@@ -206,6 +206,7 @@ static const TypeInfo testdev_info = {
.parent = TYPE_ISA_DEVICE,
.instance_size = sizeof(PCTestdev),
.class_init = testdev_class_init,
+ .secure = false,
};
static void testdev_register_types(void)
diff --git a/hw/misc/pci-testdev.c b/hw/misc/pci-testdev.c
index ba71c5069f..22ca87722f 100644
--- a/hw/misc/pci-testdev.c
+++ b/hw/misc/pci-testdev.c
@@ -353,6 +353,7 @@ static const TypeInfo pci_testdev_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCITestDevState),
.class_init = pci_testdev_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
--
2.50.1
* [PATCH v2 30/32] hw: define most common PCI types as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (28 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 29/32] hw: mark test/demo devices as insecure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 31/32] hw/pci-host: define some PCI hosts " Daniel P. Berrangé
` (3 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Everything except for the simba pci-bridge is relevant to use in
a virtualization use case, so must be considered secure.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/pci-bridge/cxl_downstream.c | 1 +
hw/pci-bridge/cxl_root_port.c | 1 +
hw/pci-bridge/cxl_upstream.c | 1 +
hw/pci-bridge/gen_pcie_root_port.c | 1 +
hw/pci-bridge/i82801b11.c | 1 +
hw/pci-bridge/ioh3420.c | 1 +
hw/pci-bridge/pci_bridge_dev.c | 2 ++
hw/pci-bridge/pci_expander_bridge.c | 8 ++++++++
hw/pci-bridge/pcie_pci_bridge.c | 1 +
hw/pci-bridge/pcie_root_port.c | 1 +
hw/pci-bridge/simba.c | 1 +
hw/pci-bridge/xio3130_downstream.c | 1 +
hw/pci-bridge/xio3130_upstream.c | 1 +
hw/pci/pci.c | 7 +++++++
hw/pci/pci_bridge.c | 1 +
hw/pci/pci_host.c | 1 +
hw/pci/pcie_host.c | 1 +
hw/pci/pcie_port.c | 1 +
18 files changed, 32 insertions(+)
diff --git a/hw/pci-bridge/cxl_downstream.c b/hw/pci-bridge/cxl_downstream.c
index 1065245a8b..23f6ece002 100644
--- a/hw/pci-bridge/cxl_downstream.c
+++ b/hw/pci-bridge/cxl_downstream.c
@@ -241,6 +241,7 @@ static const TypeInfo cxl_dsp_info = {
.instance_size = sizeof(CXLDownstreamPort),
.parent = TYPE_PCIE_SLOT,
.class_init = cxl_dsp_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CXL_DEVICE },
diff --git a/hw/pci-bridge/cxl_root_port.c b/hw/pci-bridge/cxl_root_port.c
index e6a4035d26..83b34330bc 100644
--- a/hw/pci-bridge/cxl_root_port.c
+++ b/hw/pci-bridge/cxl_root_port.c
@@ -294,6 +294,7 @@ static const TypeInfo cxl_root_port_info = {
.parent = TYPE_PCIE_ROOT_PORT,
.instance_size = sizeof(CXLRootPort),
.class_init = cxl_root_port_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CXL_DEVICE },
{ }
diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
index 208e0c6172..eba6fe2482 100644
--- a/hw/pci-bridge/cxl_upstream.c
+++ b/hw/pci-bridge/cxl_upstream.c
@@ -394,6 +394,7 @@ static const TypeInfo cxl_usp_info = {
.parent = TYPE_PCIE_PORT,
.instance_size = sizeof(CXLUpstreamPort),
.class_init = cxl_upstream_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CXL_DEVICE },
diff --git a/hw/pci-bridge/gen_pcie_root_port.c b/hw/pci-bridge/gen_pcie_root_port.c
index d9078e783b..d9e1ce8d90 100644
--- a/hw/pci-bridge/gen_pcie_root_port.c
+++ b/hw/pci-bridge/gen_pcie_root_port.c
@@ -173,6 +173,7 @@ static const TypeInfo gen_rp_dev_info = {
.parent = TYPE_PCIE_ROOT_PORT,
.instance_size = sizeof(GenPCIERootPort),
.class_init = gen_rp_dev_class_init,
+ .secure = true,
};
static void gen_rp_register_types(void)
diff --git a/hw/pci-bridge/i82801b11.c b/hw/pci-bridge/i82801b11.c
index 1d73c14c1f..f702b20bcd 100644
--- a/hw/pci-bridge/i82801b11.c
+++ b/hw/pci-bridge/i82801b11.c
@@ -107,6 +107,7 @@ static const TypeInfo i82801b11_bridge_info = {
.parent = TYPE_PCI_BRIDGE,
.instance_size = sizeof(I82801b11Bridge),
.class_init = i82801b11_bridge_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-bridge/ioh3420.c b/hw/pci-bridge/ioh3420.c
index bba640f495..2c4882c4cf 100644
--- a/hw/pci-bridge/ioh3420.c
+++ b/hw/pci-bridge/ioh3420.c
@@ -120,6 +120,7 @@ static const TypeInfo ioh3420_info = {
.name = "ioh3420",
.parent = TYPE_PCIE_ROOT_PORT,
.class_init = ioh3420_class_init,
+ .secure = true,
};
static void ioh3420_register_types(void)
diff --git a/hw/pci-bridge/pci_bridge_dev.c b/hw/pci-bridge/pci_bridge_dev.c
index b328e50ab3..04af66cc35 100644
--- a/hw/pci-bridge/pci_bridge_dev.c
+++ b/hw/pci-bridge/pci_bridge_dev.c
@@ -268,6 +268,7 @@ static const TypeInfo pci_bridge_dev_info = {
.instance_size = sizeof(PCIBridgeDev),
.class_init = pci_bridge_dev_class_init,
.instance_finalize = pci_bridge_dev_instance_finalize,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
@@ -294,6 +295,7 @@ static const TypeInfo pci_bridge_dev_seat_info = {
.parent = TYPE_PCI_BRIDGE_DEV,
.instance_size = sizeof(PCIBridgeDev),
.class_init = pci_bridge_dev_seat_class_init,
+ .secure = true,
};
static void pci_bridge_dev_register(void)
diff --git a/hw/pci-bridge/pci_expander_bridge.c b/hw/pci-bridge/pci_expander_bridge.c
index 1bcceddbc4..4a85f62be0 100644
--- a/hw/pci-bridge/pci_expander_bridge.c
+++ b/hw/pci-bridge/pci_expander_bridge.c
@@ -109,6 +109,7 @@ static const TypeInfo pxb_bus_info = {
.parent = TYPE_PCI_BUS,
.instance_size = sizeof(PXBBus),
.class_init = pxb_bus_class_init,
+ .secure = true,
};
static const TypeInfo pxb_pcie_bus_info = {
@@ -116,6 +117,7 @@ static const TypeInfo pxb_pcie_bus_info = {
.parent = TYPE_PCIE_BUS,
.instance_size = sizeof(PXBBus),
.class_init = pxb_bus_class_init,
+ .secure = true,
};
static const TypeInfo pxb_cxl_bus_info = {
@@ -123,6 +125,7 @@ static const TypeInfo pxb_cxl_bus_info = {
.parent = TYPE_CXL_BUS,
.instance_size = sizeof(PXBBus),
.class_init = pxb_bus_class_init,
+ .secure = true,
};
static const char *pxb_host_root_bus_path(PCIHostState *host_bridge,
@@ -185,6 +188,7 @@ static const TypeInfo pxb_host_info = {
.name = TYPE_PXB_HOST,
.parent = TYPE_PCI_HOST_BRIDGE,
.class_init = pxb_host_class_init,
+ .secure = true,
};
static void pxb_cxl_realize(DeviceState *dev, Error **errp)
@@ -244,6 +248,7 @@ static const TypeInfo cxl_host_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(CXLHost),
.class_init = pxb_cxl_host_class_init,
+ .secure = true,
};
/*
@@ -448,6 +453,7 @@ static const TypeInfo pxb_dev_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PXBDev),
.class_init = pxb_dev_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -485,6 +491,7 @@ static const TypeInfo pxb_pcie_dev_info = {
.parent = TYPE_PXB_DEV,
.instance_size = sizeof(PXBPCIEDev),
.class_init = pxb_pcie_dev_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -535,6 +542,7 @@ static const TypeInfo pxb_cxl_dev_info = {
.parent = TYPE_PXB_PCIE_DEV,
.instance_size = sizeof(PXBCXLDev),
.class_init = pxb_cxl_dev_class_init,
+ .secure = true,
.interfaces =
(const InterfaceInfo[]){
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
diff --git a/hw/pci-bridge/pcie_pci_bridge.c b/hw/pci-bridge/pcie_pci_bridge.c
index fce292a519..620eb12a64 100644
--- a/hw/pci-bridge/pcie_pci_bridge.c
+++ b/hw/pci-bridge/pcie_pci_bridge.c
@@ -162,6 +162,7 @@ static const TypeInfo pcie_pci_bridge_info = {
.parent = TYPE_PCI_BRIDGE,
.instance_size = sizeof(PCIEPCIBridge),
.class_init = pcie_pci_bridge_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_HOTPLUG_HANDLER },
{ INTERFACE_PCIE_DEVICE },
diff --git a/hw/pci-bridge/pcie_root_port.c b/hw/pci-bridge/pcie_root_port.c
index 22c2fdb71e..c87fb91e5c 100644
--- a/hw/pci-bridge/pcie_root_port.c
+++ b/hw/pci-bridge/pcie_root_port.c
@@ -187,6 +187,7 @@ static const TypeInfo rp_info = {
.instance_post_init = rp_instance_post_init,
.class_init = rp_class_init,
.abstract = true,
+ .secure = true,
.class_size = sizeof(PCIERootPortClass),
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
diff --git a/hw/pci-bridge/simba.c b/hw/pci-bridge/simba.c
index bbae594e11..3dbb5bd9c9 100644
--- a/hw/pci-bridge/simba.c
+++ b/hw/pci-bridge/simba.c
@@ -87,6 +87,7 @@ static const TypeInfo simba_pci_bridge_info = {
.parent = TYPE_PCI_BRIDGE,
.class_init = simba_pci_bridge_class_init,
.instance_size = sizeof(SimbaPCIBridge),
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
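Review bot: `.secure = false` on `simba_pci_bridge_info` is a negative marking inside a patch whose subject is "define most common PCI types as secure", and the other hunks visible here all set `true`. Name simba in the commit message together with the reason it is excluded, or move this hunk to a patch that marks emulation-only bridges, so the exception is not buried among the `true` lines.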
diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c
index dc7d1aa7d7..eb217dc7d9 100644
--- a/hw/pci-bridge/xio3130_downstream.c
+++ b/hw/pci-bridge/xio3130_downstream.c
@@ -175,6 +175,7 @@ static const TypeInfo xio3130_downstream_info = {
.name = TYPE_XIO3130_DOWNSTREAM,
.parent = TYPE_PCIE_SLOT,
.class_init = xio3130_downstream_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/pci-bridge/xio3130_upstream.c b/hw/pci-bridge/xio3130_upstream.c
index 40057b749b..9d58105f8b 100644
--- a/hw/pci-bridge/xio3130_upstream.c
+++ b/hw/pci-bridge/xio3130_upstream.c
@@ -144,6 +144,7 @@ static const TypeInfo xio3130_upstream_info = {
.name = "x3130-upstream",
.parent = TYPE_PCIE_PORT,
.class_init = xio3130_upstream_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index c3df9d6656..6ab03074b9 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -289,6 +289,7 @@ static const TypeInfo pci_bus_info = {
.instance_size = sizeof(PCIBus),
.class_size = sizeof(PCIBusClass),
.class_init = pci_bus_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_FW_CFG_DATA_GENERATOR_INTERFACE },
{ }
@@ -298,16 +299,19 @@ static const TypeInfo pci_bus_info = {
static const TypeInfo cxl_interface_info = {
.name = INTERFACE_CXL_DEVICE,
.parent = TYPE_INTERFACE,
+ .secure = true,
};
static const TypeInfo pcie_interface_info = {
.name = INTERFACE_PCIE_DEVICE,
.parent = TYPE_INTERFACE,
+ .secure = true,
};
static const TypeInfo conventional_pci_interface_info = {
.name = INTERFACE_CONVENTIONAL_PCI_DEVICE,
.parent = TYPE_INTERFACE,
+ .secure = true,
};
static void pcie_bus_class_init(ObjectClass *klass, const void *data)
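Review bot: the three `TYPE_INTERFACE` entries (`INTERFACE_CXL_DEVICE`, `INTERFACE_PCIE_DEVICE`, `INTERFACE_CONVENTIONAL_PCI_DEVICE`) are marked `.secure = true`, yet types that list them in `.interfaces` are marked `false` later in the series, for example the Articia and Bonito PCI functions with `INTERFACE_CONVENTIONAL_PCI_DEVICE`. A short comment beside these entries stating that an interface's marking says nothing about the types implementing it would stop a reader from inferring a device's status from its interface list.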
@@ -321,12 +325,14 @@ static const TypeInfo pcie_bus_info = {
.name = TYPE_PCIE_BUS,
.parent = TYPE_PCI_BUS,
.class_init = pcie_bus_class_init,
+ .secure = true,
};
static const TypeInfo cxl_bus_info = {
.name = TYPE_CXL_BUS,
.parent = TYPE_PCIE_BUS,
.class_init = pcie_bus_class_init,
+ .secure = true,
};
static void pci_update_mappings(PCIDevice *d);
@@ -3336,6 +3342,7 @@ static const TypeInfo pci_device_type_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(PCIDevice),
.abstract = true,
+ .secure = true,
.class_size = sizeof(PCIDeviceClass),
.class_init = pci_device_class_init,
.class_base_init = pci_device_class_base_init,
diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 76255c4cd8..703160a338 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -497,6 +497,7 @@ static const TypeInfo pci_bridge_type_info = {
.instance_size = sizeof(PCIBridge),
.class_init = pci_bridge_class_init,
.abstract = true,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_ACPI_DEV_AML_IF },
{ },
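Review bot: `pci_bridge_type_info` is `.abstract = true` and now also `.secure = true`, while concrete types with `.parent = TYPE_PCI_BRIDGE` carry both values in this series (`i82801b11_bridge_info` is `true`, `simba_pci_bridge_info` is `false`). Document, in the commit message or in a comment here, whether the value on an abstract parent is inherited by subclasses or applies only to the parent's own code, so that a subclass setting the opposite value has a defined meaning.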
diff --git a/hw/pci/pci_host.c b/hw/pci/pci_host.c
index 7179d99178..b3bbba3799 100644
--- a/hw/pci/pci_host.c
+++ b/hw/pci/pci_host.c
@@ -251,6 +251,7 @@ static const TypeInfo pci_host_type_info = {
.name = TYPE_PCI_HOST_BRIDGE,
.parent = TYPE_SYS_BUS_DEVICE,
.abstract = true,
+ .secure = true,
.class_size = sizeof(PCIHostBridgeClass),
.instance_size = sizeof(PCIHostState),
.class_init = pci_host_class_init,
diff --git a/hw/pci/pcie_host.c b/hw/pci/pcie_host.c
index 3717e1a086..3cf0769d2a 100644
--- a/hw/pci/pcie_host.c
+++ b/hw/pci/pcie_host.c
@@ -124,6 +124,7 @@ static const TypeInfo pcie_host_type_info = {
.name = TYPE_PCIE_HOST_BRIDGE,
.parent = TYPE_PCI_HOST_BRIDGE,
.abstract = true,
+ .secure = true,
.instance_size = sizeof(PCIExpressHost),
.instance_init = pcie_host_init,
};
diff --git a/hw/pci/pcie_port.c b/hw/pci/pcie_port.c
index f3841a2656..abc1dbd470 100644
--- a/hw/pci/pcie_port.c
+++ b/hw/pci/pcie_port.c
@@ -200,6 +200,7 @@ static const TypeInfo pcie_port_type_info = {
.parent = TYPE_PCI_BRIDGE,
.instance_size = sizeof(PCIEPort),
.abstract = true,
+ .secure = true,
.class_init = pcie_port_class_init,
};
--
2.50.1
* [PATCH v2 31/32] hw/pci-host: define some PCI hosts as secure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (29 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 30/32] hw: define most common PCI types as secure Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-09-26 14:01 ` [PATCH v2 32/32] hw/display: mark most display adapters as insecure Daniel P. Berrangé
` (2 subsequent siblings)
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Most of the PCI host implementations are targeting emulation
use cases. The exceptions to this are i440fx & q35 which are
used commonly on x86, the pnv* which are used on ppc, and
gpex which is used on arm.
There is also a special case for the 'remote' type and the
Xen passthrough type.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/pci-host/articia.c | 3 +++
hw/pci-host/astro.c | 3 +++
hw/pci-host/bonito.c | 2 ++
hw/pci-host/designware.c | 3 +++
hw/pci-host/dino.c | 1 +
hw/pci-host/fsl_imx8m_phy.c | 1 +
hw/pci-host/gpex.c | 2 ++
hw/pci-host/grackle.c | 2 ++
hw/pci-host/gt64120.c | 2 ++
hw/pci-host/i440fx.c | 2 ++
hw/pci-host/mv64361.c | 1 +
hw/pci-host/pnv_phb.c | 2 ++
hw/pci-host/pnv_phb3.c | 3 +++
hw/pci-host/pnv_phb3_msi.c | 1 +
hw/pci-host/pnv_phb3_pbcq.c | 1 +
hw/pci-host/pnv_phb4.c | 4 ++++
hw/pci-host/pnv_phb4_pec.c | 2 ++
hw/pci-host/ppc440_pcix.c | 1 +
hw/pci-host/ppc4xx_pci.c | 2 ++
hw/pci-host/ppce500.c | 2 ++
hw/pci-host/q35.c | 2 ++
hw/pci-host/raven.c | 2 ++
hw/pci-host/remote.c | 1 +
hw/pci-host/sabre.c | 2 ++
hw/pci-host/sh_pci.c | 2 ++
hw/pci-host/uninorth.c | 2 ++
hw/pci-host/versatile.c | 3 +++
hw/pci-host/xen_igd_pt.c | 1 +
hw/pci-host/xilinx-pcie.c | 1 +
29 files changed, 56 insertions(+)
diff --git a/hw/pci-host/articia.c b/hw/pci-host/articia.c
index cc65aac2a8..b29fa98d19 100644
--- a/hw/pci-host/articia.c
+++ b/hw/pci-host/articia.c
@@ -267,12 +267,14 @@ static const TypeInfo articia_types[] = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(ArticiaState),
.class_init = articia_class_init,
+ .secure = false,
},
{
.name = TYPE_ARTICIA_PCI_HOST,
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(ArticiaHostState),
.class_init = articia_pci_host_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -283,6 +285,7 @@ static const TypeInfo articia_types[] = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = articia_pci_bridge_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-host/astro.c b/hw/pci-host/astro.c
index 1024ede7b6..0685615ecd 100644
--- a/hw/pci-host/astro.c
+++ b/hw/pci-host/astro.c
@@ -498,6 +498,7 @@ static const TypeInfo elroy_pcihost_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(ElroyState),
.class_init = elroy_pcihost_class_init,
+ .secure = false,
};
static void elroy_register_types(void)
@@ -930,6 +931,7 @@ static const TypeInfo astro_chip_info = {
.instance_init = astro_init,
.instance_size = sizeof(AstroState),
.class_init = astro_class_init,
+ .secure = false,
};
static void astro_iommu_memory_region_class_init(ObjectClass *klass,
@@ -944,6 +946,7 @@ static const TypeInfo astro_iommu_memory_region_info = {
.parent = TYPE_IOMMU_MEMORY_REGION,
.name = TYPE_ASTRO_IOMMU_MEMORY_REGION,
.class_init = astro_iommu_memory_region_class_init,
+ .secure = false,
};
diff --git a/hw/pci-host/bonito.c b/hw/pci-host/bonito.c
index 7d6251a78d..6d02bde4ee 100644
--- a/hw/pci-host/bonito.c
+++ b/hw/pci-host/bonito.c
@@ -783,6 +783,7 @@ static const TypeInfo bonito_pci_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIBonitoState),
.class_init = bonito_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -801,6 +802,7 @@ static const TypeInfo bonito_host_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(BonitoState),
.class_init = bonito_host_class_init,
+ .secure = false,
};
static void bonito_register_types(void)
diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index f6e49ce9b8..ee1205977e 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -757,17 +757,20 @@ static const TypeInfo designware_pcie_types[] = {
.parent = TYPE_PCIE_BUS,
.instance_size = sizeof(DesignwarePCIERootBus),
.class_init = designware_pcie_root_bus_class_init,
+ .secure = false,
}, {
.name = TYPE_DESIGNWARE_PCIE_HOST,
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(DesignwarePCIEHost),
.instance_init = designware_pcie_host_init,
.class_init = designware_pcie_host_class_init,
+ .secure = false,
}, {
.name = TYPE_DESIGNWARE_PCIE_ROOT,
.parent = TYPE_PCI_BRIDGE,
.instance_size = sizeof(DesignwarePCIERoot),
.class_init = designware_pcie_root_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ }
diff --git a/hw/pci-host/dino.c b/hw/pci-host/dino.c
index 924053499c..9b6375661d 100644
--- a/hw/pci-host/dino.c
+++ b/hw/pci-host/dino.c
@@ -506,6 +506,7 @@ static const TypeInfo dino_pcihost_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(DinoState),
.class_init = dino_pcihost_class_init,
+ .secure = false,
};
static void dino_register_types(void)
diff --git a/hw/pci-host/fsl_imx8m_phy.c b/hw/pci-host/fsl_imx8m_phy.c
index 04da3f99a0..0a0ed10619 100644
--- a/hw/pci-host/fsl_imx8m_phy.c
+++ b/hw/pci-host/fsl_imx8m_phy.c
@@ -92,6 +92,7 @@ static const TypeInfo fsl_imx8m_pcie_phy_types[] = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(FslImx8mPciePhyState),
.class_init = fsl_imx8m_pcie_phy_class_init,
+ .secure = false,
}
};
diff --git a/hw/pci-host/gpex.c b/hw/pci-host/gpex.c
index b806a2286f..d9486c773d 100644
--- a/hw/pci-host/gpex.c
+++ b/hw/pci-host/gpex.c
@@ -221,6 +221,7 @@ static const TypeInfo gpex_host_info = {
.instance_size = sizeof(GPEXHost),
.instance_init = gpex_host_initfn,
.class_init = gpex_host_class_init,
+ .secure = true,
};
/****************************************************************************
@@ -261,6 +262,7 @@ static const TypeInfo gpex_root_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(GPEXRootState),
.class_init = gpex_root_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-host/grackle.c b/hw/pci-host/grackle.c
index f9da5a908c..eb23af9f22 100644
--- a/hw/pci-host/grackle.c
+++ b/hw/pci-host/grackle.c
@@ -116,6 +116,7 @@ static const TypeInfo grackle_pci_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = grackle_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -151,6 +152,7 @@ static const TypeInfo grackle_host_info = {
.instance_size = sizeof(GrackleState),
.instance_init = grackle_init,
.class_init = grackle_class_init,
+ .secure = false,
};
static void grackle_register_types(void)
diff --git a/hw/pci-host/gt64120.c b/hw/pci-host/gt64120.c
index b1d96f62fe..fbc763e4ef 100644
--- a/hw/pci-host/gt64120.c
+++ b/hw/pci-host/gt64120.c
@@ -1283,6 +1283,7 @@ static const TypeInfo gt64120_pci_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = gt64120_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -1310,6 +1311,7 @@ static const TypeInfo gt64120_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(GT64120State),
.class_init = gt64120_class_init,
+ .secure = false,
};
static void gt64120_pci_register_types(void)
diff --git a/hw/pci-host/i440fx.c b/hw/pci-host/i440fx.c
index e13bb1b53e..163d4b3ec0 100644
--- a/hw/pci-host/i440fx.c
+++ b/hw/pci-host/i440fx.c
@@ -341,6 +341,7 @@ static const TypeInfo i440fx_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCII440FXState),
.class_init = i440fx_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -399,6 +400,7 @@ static const TypeInfo i440fx_pcihost_info = {
.instance_size = sizeof(I440FXState),
.instance_init = i440fx_pcihost_initfn,
.class_init = i440fx_pcihost_class_init,
+ .secure = true,
};
static void i440fx_register_types(void)
diff --git a/hw/pci-host/mv64361.c b/hw/pci-host/mv64361.c
index e05b677010..5ac0f29ff2 100644
--- a/hw/pci-host/mv64361.c
+++ b/hw/pci-host/mv64361.c
@@ -46,6 +46,7 @@ static const TypeInfo mv64361_pcibridge_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = mv64361_pcibridge_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-host/pnv_phb.c b/hw/pci-host/pnv_phb.c
index 4b0ced79b0..bd7d116720 100644
--- a/hw/pci-host/pnv_phb.c
+++ b/hw/pci-host/pnv_phb.c
@@ -334,6 +334,7 @@ static const TypeInfo pnv_phb_type_info = {
.parent = TYPE_PCIE_HOST_BRIDGE,
.instance_size = sizeof(PnvPHB),
.class_init = pnv_phb_class_init,
+ .secure = true,
};
static const TypeInfo pnv_phb_root_port_info = {
@@ -341,6 +342,7 @@ static const TypeInfo pnv_phb_root_port_info = {
.parent = TYPE_PCIE_ROOT_PORT,
.instance_size = sizeof(PnvPHBRootPort),
.class_init = pnv_phb_root_port_class_init,
+ .secure = true,
};
static void pnv_phb_register_types(void)
diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
index 5d8383fac3..ff0ee5be4d 100644
--- a/hw/pci-host/pnv_phb3.c
+++ b/hw/pci-host/pnv_phb3.c
@@ -900,6 +900,7 @@ static const TypeInfo pnv_phb3_iommu_memory_region_info = {
.parent = TYPE_IOMMU_MEMORY_REGION,
.name = TYPE_PNV_PHB3_IOMMU_MEMORY_REGION,
.class_init = pnv_phb3_iommu_memory_region_class_init,
+ .secure = true,
};
/*
@@ -1113,6 +1114,7 @@ static const TypeInfo pnv_phb3_type_info = {
.instance_size = sizeof(PnvPHB3),
.class_init = pnv_phb3_class_init,
.instance_init = pnv_phb3_instance_init,
+ .secure = true,
};
static void pnv_phb3_root_bus_get_prop(Object *obj, Visitor *v,
@@ -1176,6 +1178,7 @@ static const TypeInfo pnv_phb3_root_bus_info = {
.parent = TYPE_PCIE_BUS,
.instance_size = sizeof(PnvPHB3RootBus),
.class_init = pnv_phb3_root_bus_class_init,
+ .secure = true,
};
static void pnv_phb3_register_types(void)
diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c
index 3a83311faf..265b6d155e 100644
--- a/hw/pci-host/pnv_phb3_msi.c
+++ b/hw/pci-host/pnv_phb3_msi.c
@@ -306,6 +306,7 @@ static const TypeInfo phb3_msi_info = {
.class_init = phb3_msi_class_init,
.class_size = sizeof(ICSStateClass),
.instance_init = phb3_msi_instance_init,
+ .secure = true,
};
static void pnv_phb3_msi_register_types(void)
diff --git a/hw/pci-host/pnv_phb3_pbcq.c b/hw/pci-host/pnv_phb3_pbcq.c
index 1f7a149580..687c832515 100644
--- a/hw/pci-host/pnv_phb3_pbcq.c
+++ b/hw/pci-host/pnv_phb3_pbcq.c
@@ -354,6 +354,7 @@ static const TypeInfo pnv_pbcq_type_info = {
.instance_size = sizeof(PnvPBCQState),
.instance_init = phb3_pbcq_instance_init,
.class_init = pnv_pbcq_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_PNV_XSCOM_INTERFACE },
{ }
diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
index 18992054e8..4dc9730740 100644
--- a/hw/pci-host/pnv_phb4.c
+++ b/hw/pci-host/pnv_phb4.c
@@ -1374,6 +1374,7 @@ static const TypeInfo pnv_phb4_iommu_memory_region_info = {
.parent = TYPE_IOMMU_MEMORY_REGION,
.name = TYPE_PNV_PHB4_IOMMU_MEMORY_REGION,
.class_init = pnv_phb4_iommu_memory_region_class_init,
+ .secure = true,
};
/*
@@ -1715,6 +1716,7 @@ static const TypeInfo pnv_phb4_type_info = {
.instance_init = pnv_phb4_instance_init,
.instance_size = sizeof(PnvPHB4),
.class_init = pnv_phb4_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_XIVE_NOTIFIER },
{ },
@@ -1725,6 +1727,7 @@ static const TypeInfo pnv_phb5_type_info = {
.name = TYPE_PNV_PHB5,
.parent = TYPE_PNV_PHB4,
.instance_size = sizeof(PnvPHB4),
+ .secure = true,
};
static void pnv_phb4_root_bus_get_prop(Object *obj, Visitor *v,
@@ -1788,6 +1791,7 @@ static const TypeInfo pnv_phb4_root_bus_info = {
.parent = TYPE_PCIE_BUS,
.instance_size = sizeof(PnvPHB4RootBus),
.class_init = pnv_phb4_root_bus_class_init,
+ .secure = true,
};
static void pnv_phb4_register_types(void)
diff --git a/hw/pci-host/pnv_phb4_pec.c b/hw/pci-host/pnv_phb4_pec.c
index 5bac1c42ed..5f437af7a6 100644
--- a/hw/pci-host/pnv_phb4_pec.c
+++ b/hw/pci-host/pnv_phb4_pec.c
@@ -388,6 +388,7 @@ static const TypeInfo pnv_pec_type_info = {
.instance_size = sizeof(PnvPhb4PecState),
.class_init = pnv_pec_class_init,
.class_size = sizeof(PnvPhb4PecClass),
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_PNV_XSCOM_INTERFACE },
{ }
@@ -445,6 +446,7 @@ static const TypeInfo pnv_phb5_pec_type_info = {
.instance_size = sizeof(PnvPhb4PecState),
.class_init = pnv_phb5_pec_class_init,
.class_size = sizeof(PnvPhb4PecClass),
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ TYPE_PNV_XSCOM_INTERFACE },
{ }
diff --git a/hw/pci-host/ppc440_pcix.c b/hw/pci-host/ppc440_pcix.c
index 744b85e49c..189b375bfa 100644
--- a/hw/pci-host/ppc440_pcix.c
+++ b/hw/pci-host/ppc440_pcix.c
@@ -532,6 +532,7 @@ static const TypeInfo ppc440_pcix_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(PPC440PCIXState),
.class_init = ppc440_pcix_class_init,
+ .secure = false,
};
static void ppc440_pcix_register_types(void)
diff --git a/hw/pci-host/ppc4xx_pci.c b/hw/pci-host/ppc4xx_pci.c
index 2547817688..51fa5cbe74 100644
--- a/hw/pci-host/ppc4xx_pci.c
+++ b/hw/pci-host/ppc4xx_pci.c
@@ -370,6 +370,7 @@ static const TypeInfo ppc4xx_host_bridge_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = ppc4xx_host_bridge_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -389,6 +390,7 @@ static const TypeInfo ppc4xx_pcihost_info = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(PPC4xxPCIState),
.class_init = ppc4xx_pcihost_class_init,
+ .secure = false,
};
static void ppc4xx_pci_register_types(void)
diff --git a/hw/pci-host/ppce500.c b/hw/pci-host/ppce500.c
index 975d191ccb..40b89af66d 100644
--- a/hw/pci-host/ppce500.c
+++ b/hw/pci-host/ppce500.c
@@ -527,6 +527,7 @@ static const TypeInfo e500_pci_types[] = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PPCE500PCIBridgeState),
.class_init = e500_host_bridge_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -537,6 +538,7 @@ static const TypeInfo e500_pci_types[] = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(PPCE500PCIState),
.class_init = e500_pcihost_class_init,
+ .secure = false,
},
};
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 1951ae440c..a5e9f2f59e 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -258,6 +258,7 @@ static const TypeInfo q35_host_info = {
.instance_size = sizeof(Q35PCIHost),
.instance_init = q35_host_initfn,
.class_init = q35_host_class_init,
+ .secure = true,
};
/****************************************************************************
@@ -703,6 +704,7 @@ static const TypeInfo mch_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(MCHPCIState),
.class_init = mch_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index f8c0be5d21..6fd4f4f6df 100644
--- a/hw/pci-host/raven.c
+++ b/hw/pci-host/raven.c
@@ -363,6 +363,7 @@ static const TypeInfo raven_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(RavenPCIState),
.class_init = raven_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -384,6 +385,7 @@ static const TypeInfo raven_pcihost_info = {
.instance_size = sizeof(PREPPCIState),
.instance_init = raven_pcihost_initfn,
.class_init = raven_pcihost_class_init,
+ .secure = false,
};
static void raven_register_types(void)
diff --git a/hw/pci-host/remote.c b/hw/pci-host/remote.c
index e6d2af4502..b17a4da6fe 100644
--- a/hw/pci-host/remote.c
+++ b/hw/pci-host/remote.c
@@ -64,6 +64,7 @@ static const TypeInfo remote_pcihost_info = {
.parent = TYPE_PCIE_HOST_BRIDGE,
.instance_size = sizeof(RemotePCIHost),
.class_init = remote_pcihost_class_init,
+ .secure = true,
};
static void remote_pcihost_register(void)
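Review bot: `remote_pcihost_info` gets `.secure = true`, but the commit message only says there is "a special case for the 'remote' type and the Xen passthrough type" without giving the reason, whereas i440fx, q35, pnv* and gpex are justified by common use on x86, ppc and arm. Add a sentence explaining why these two qualify (the same applies to `igd_passthrough_i440fx_info` in xen_igd_pt.c), ideally repeated as a comment beside the field so the rationale survives outside the commit log.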
diff --git a/hw/pci-host/sabre.c b/hw/pci-host/sabre.c
index 538624c507..d2ae46695c 100644
--- a/hw/pci-host/sabre.c
+++ b/hw/pci-host/sabre.c
@@ -477,6 +477,7 @@ static const TypeInfo sabre_pci_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(SabrePCIState),
.class_init = sabre_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -516,6 +517,7 @@ static const TypeInfo sabre_info = {
.instance_size = sizeof(SabreState),
.instance_init = sabre_init,
.class_init = sabre_class_init,
+ .secure = false,
};
static void sabre_register_types(void)
diff --git a/hw/pci-host/sh_pci.c b/hw/pci-host/sh_pci.c
index 62fb945075..d18832ac98 100644
--- a/hw/pci-host/sh_pci.c
+++ b/hw/pci-host/sh_pci.c
@@ -180,11 +180,13 @@ static const TypeInfo sh_pcic_types[] = {
.parent = TYPE_PCI_HOST_BRIDGE,
.instance_size = sizeof(SHPCIState),
.class_init = sh_pcic_host_class_init,
+ .secure = false,
}, {
.name = "sh_pci_host",
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = sh_pcic_pci_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
index 194037d6e7..1aeb008845 100644
--- a/hw/pci-host/uninorth.c
+++ b/hw/pci-host/uninorth.c
@@ -333,6 +333,7 @@ static const TypeInfo unin_main_pci_host_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = unin_main_pci_host_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -361,6 +362,7 @@ static const TypeInfo u3_agp_pci_host_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = u3_agp_pci_host_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
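Review bot: both types annotated in uninorth.c (`unin_main_pci_host_info`, `u3_agp_pci_host_info`) have `.parent = TYPE_PCI_DEVICE`, and no host bridge type in this file is touched, whereas grackle.c, raven.c and sabre.c mark the PCI function and its host bridge as a pair. Please confirm that the remaining TypeInfo definitions in this file are not left without an explicit `.secure` value.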
diff --git a/hw/pci-host/versatile.c b/hw/pci-host/versatile.c
index 8ea26e3ff0..a991c21a19 100644
--- a/hw/pci-host/versatile.c
+++ b/hw/pci-host/versatile.c
@@ -492,6 +492,7 @@ static const TypeInfo versatile_pci_host_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIDevice),
.class_init = versatile_pci_host_class_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
@@ -519,6 +520,7 @@ static const TypeInfo pci_vpb_info = {
.instance_size = sizeof(PCIVPBState),
.instance_init = pci_vpb_init,
.class_init = pci_vpb_class_init,
+ .secure = false,
};
static void pci_realview_init(Object *obj)
@@ -536,6 +538,7 @@ static const TypeInfo pci_realview_info = {
.name = "realview_pci",
.parent = TYPE_VERSATILE_PCI,
.instance_init = pci_realview_init,
+ .secure = false,
};
static void versatile_pci_register_types(void)
diff --git a/hw/pci-host/xen_igd_pt.c b/hw/pci-host/xen_igd_pt.c
index 5dd17ef236..892e27e32f 100644
--- a/hw/pci-host/xen_igd_pt.c
+++ b/hw/pci-host/xen_igd_pt.c
@@ -110,6 +110,7 @@ static const TypeInfo igd_passthrough_i440fx_info = {
.parent = TYPE_I440FX_PCI_DEVICE,
.instance_size = sizeof(PCII440FXState),
.class_init = igd_passthrough_i440fx_class_init,
+ .secure = true,
};
static void igd_pt_i440fx_register_types(void)
diff --git a/hw/pci-host/xilinx-pcie.c b/hw/pci-host/xilinx-pcie.c
index c71492de9e..4e88c51ff9 100644
--- a/hw/pci-host/xilinx-pcie.c
+++ b/hw/pci-host/xilinx-pcie.c
@@ -183,6 +183,7 @@ static const TypeInfo xilinx_pcie_host_info = {
.instance_size = sizeof(XilinxPCIEHost),
.instance_init = xilinx_pcie_host_init,
.class_init = xilinx_pcie_host_class_init,
+ .secure = false,
};
static uint32_t xilinx_pcie_root_config_read(PCIDevice *d,
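Review bot: only `xilinx_pcie_host_info` is annotated in this file (the diffstat shows a single insertion), while the trailing context line `xilinx_pcie_root_config_read(PCIDevice *d,` points to a root PCI device defined further down. designware.c and gpex.c mark the host bridge and its root function together; check whether the root's TypeInfo here was missed, and if so give it an explicit `.secure = false` to match the host.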
--
2.50.1
* [PATCH v2 32/32] hw/display: mark most display adapters as insecure
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (30 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 31/32] hw/pci-host: define some PCI hosts " Daniel P. Berrangé
@ 2025-09-26 14:01 ` Daniel P. Berrangé
2025-10-23 7:23 ` [PATCH v2 00/32] Encode object type security status in code Markus Armbruster
2025-10-23 12:38 ` Markus Armbruster
33 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-09-26 14:01 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé,
Peter Maydell, Markus Armbruster, Paolo Bonzini,
Michael S. Tsirkin, Daniel P. Berrangé
Most of the display adapters are emulating old hardware which is not
relevant to virtualization use cases.
The exceptions that should be considered secure are Cirrus (PCI, not
ISA), Bochs, QXL, RAMFB, VGA (PCI, MMIO, not ISA) and VMWare VGA.
The Cirrus PCI decision is borderline. It has been heavily used with
virtualization in the past, but these days VGA / RAMFB are strongly
recommended instead. Due to its historical usage though, we can
consider the code fairly mature, even if no longer hugely relevant
to virtualization use cases.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/display/artist.c | 1 +
hw/display/ati.c | 1 +
hw/display/bcm2835_fb.c | 1 +
hw/display/bochs-display.c | 1 +
hw/display/cg3.c | 1 +
hw/display/cirrus_vga.c | 1 +
hw/display/cirrus_vga_isa.c | 1 +
hw/display/dm163.c | 1 +
hw/display/dpcd.c | 1 +
hw/display/exynos4210_fimd.c | 1 +
hw/display/g364fb.c | 1 +
hw/display/i2c-ddc.c | 3 ++-
hw/display/jazz_led.c | 1 +
hw/display/macfb.c | 2 ++
hw/display/next-fb.c | 1 +
hw/display/pl110.c | 3 +++
hw/display/qxl.c | 4 ++++
hw/display/ramfb-standalone.c | 1 +
hw/display/sii9022.c | 1 +
hw/display/sm501.c | 1 +
hw/display/ssd0303.c | 1 +
hw/display/ssd0323.c | 1 +
hw/display/tcx.c | 1 +
hw/display/vga-isa.c | 1 +
hw/display/vga-mmio.c | 1 +
hw/display/vga-pci.c | 3 +++
hw/display/vmware_vga.c | 1 +
hw/display/xlnx_dp.c | 1 +
28 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/hw/display/artist.c b/hw/display/artist.c
index 3c884c9243..caab4d1d4c 100644
--- a/hw/display/artist.c
+++ b/hw/display/artist.c
@@ -1504,6 +1504,7 @@ static const TypeInfo artist_info = {
.instance_size = sizeof(ARTISTState),
.instance_init = artist_initfn,
.class_init = artist_class_init,
+ .secure = false,
};
static void artist_register_types(void)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index f7c0006a87..6e332e02d2 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -1080,6 +1080,7 @@ static const TypeInfo ati_vga_info = {
.instance_size = sizeof(ATIVGAState),
.class_init = ati_vga_class_init,
.instance_init = ati_vga_init,
+ .secure = false,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index 1bb2ee45a0..bb6c986fb8 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -459,6 +459,7 @@ static const TypeInfo bcm2835_fb_info = {
.instance_size = sizeof(BCM2835FBState),
.class_init = bcm2835_fb_class_init,
.instance_init = bcm2835_fb_init,
+ .secure = false,
};
static void bcm2835_fb_register_types(void)
diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
index ad2821c974..0495d900f6 100644
--- a/hw/display/bochs-display.c
+++ b/hw/display/bochs-display.c
@@ -374,6 +374,7 @@ static const TypeInfo bochs_display_type_info = {
.instance_size = sizeof(BochsDisplayState),
.instance_init = bochs_display_init,
.class_init = bochs_display_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
diff --git a/hw/display/cg3.c b/hw/display/cg3.c
index daeef15217..f437921a7e 100644
--- a/hw/display/cg3.c
+++ b/hw/display/cg3.c
@@ -384,6 +384,7 @@ static const TypeInfo cg3_info = {
.instance_size = sizeof(CG3State),
.instance_init = cg3_initfn,
.class_init = cg3_class_init,
+ .secure = false,
};
static void cg3_register_types(void)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index ef08694626..d9403ccb57 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -3013,6 +3013,7 @@ static const TypeInfo cirrus_vga_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCICirrusVGAState),
.class_init = cirrus_vga_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
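Review bot: the rationale for `.secure = true` on the PCI Cirrus type exists only in the commit message, which itself calls the decision borderline. A short comment next to the initializer (historically heavily used, VGA / RAMFB now recommended instead) would keep that reasoning visible to whoever revisits the flag later, since the ISA variant in cirrus_vga_isa.c is marked the opposite way.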
diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
index 4b55c48eff..7b38e6c33a 100644
--- a/hw/display/cirrus_vga_isa.c
+++ b/hw/display/cirrus_vga_isa.c
@@ -91,6 +91,7 @@ static const TypeInfo isa_cirrus_vga_info = {
.parent = TYPE_ISA_DEVICE,
.instance_size = sizeof(ISACirrusVGAState),
.class_init = isa_cirrus_vga_class_init,
+ .secure = false,
};
static void cirrus_vga_isa_register_types(void)
diff --git a/hw/display/dm163.c b/hw/display/dm163.c
index f8340d8275..f043786775 100644
--- a/hw/display/dm163.c
+++ b/hw/display/dm163.c
@@ -343,6 +343,7 @@ static const TypeInfo dm163_types[] = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(DM163State),
.class_init = dm163_class_init
+ .secure = false,
}
};
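Review bot: the context line `.class_init = dm163_class_init` has no trailing comma, so the added `.secure = false,` after it will not compile. The i2c-ddc.c hunk in this same patch handles the identical situation by rewriting the preceding line to add the comma; the same two-line change is needed here, and the diffstat entry for dm163.c would then no longer read as a single insertion.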
diff --git a/hw/display/dpcd.c b/hw/display/dpcd.c
index a157dc64e7..733f643375 100644
--- a/hw/display/dpcd.c
+++ b/hw/display/dpcd.c
@@ -155,6 +155,7 @@ static const TypeInfo dpcd_info = {
.instance_size = sizeof(DPCDState),
.class_init = dpcd_class_init,
.instance_init = dpcd_init,
+ .secure = false,
};
static void dpcd_register_types(void)
diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c
index c61e0280a7..85e32e8700 100644
--- a/hw/display/exynos4210_fimd.c
+++ b/hw/display/exynos4210_fimd.c
@@ -1974,6 +1974,7 @@ static const TypeInfo exynos4210_fimd_info = {
.instance_size = sizeof(Exynos4210fimdState),
.instance_init = exynos4210_fimd_init,
.class_init = exynos4210_fimd_class_init,
+ .secure = false,
};
static void exynos4210_fimd_register_types(void)
diff --git a/hw/display/g364fb.c b/hw/display/g364fb.c
index a6ddc21d3e..c23d584684 100644
--- a/hw/display/g364fb.c
+++ b/hw/display/g364fb.c
@@ -543,6 +543,7 @@ static const TypeInfo g364fb_sysbus_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(G364SysBusState),
.class_init = g364fb_sysbus_class_init,
+ .secure = false,
};
static void g364fb_register_types(void)
diff --git a/hw/display/i2c-ddc.c b/hw/display/i2c-ddc.c
index 2adfc1a147..525479aa49 100644
--- a/hw/display/i2c-ddc.c
+++ b/hw/display/i2c-ddc.c
@@ -117,7 +117,8 @@ static const TypeInfo i2c_ddc_info = {
.parent = TYPE_I2C_SLAVE,
.instance_size = sizeof(I2CDDCState),
.instance_init = i2c_ddc_init,
- .class_init = i2c_ddc_class_init
+ .class_init = i2c_ddc_class_init,
+ .secure = false,
};
static void ddc_register_devices(void)
diff --git a/hw/display/jazz_led.c b/hw/display/jazz_led.c
index 90e82b58be..946f78306e 100644
--- a/hw/display/jazz_led.c
+++ b/hw/display/jazz_led.c
@@ -310,6 +310,7 @@ static const TypeInfo jazz_led_info = {
.instance_size = sizeof(LedState),
.instance_init = jazz_led_init,
.class_init = jazz_led_class_init,
+ .secure = false,
};
static void jazz_led_register(void)
diff --git a/hw/display/macfb.c b/hw/display/macfb.c
index 574d667173..b80ce26d9b 100644
--- a/hw/display/macfb.c
+++ b/hw/display/macfb.c
@@ -825,6 +825,7 @@ static const TypeInfo macfb_sysbus_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(MacfbSysBusState),
.class_init = macfb_sysbus_class_init,
+ .secure = false,
};
static const TypeInfo macfb_nubus_info = {
@@ -833,6 +834,7 @@ static const TypeInfo macfb_nubus_info = {
.instance_size = sizeof(MacfbNubusState),
.class_init = macfb_nubus_class_init,
.class_size = sizeof(MacfbNubusDeviceClass),
+ .secure = false,
};
static void macfb_register_types(void)
diff --git a/hw/display/next-fb.c b/hw/display/next-fb.c
index ec81b766a7..9ddbd13ba3 100644
--- a/hw/display/next-fb.c
+++ b/hw/display/next-fb.c
@@ -134,6 +134,7 @@ static const TypeInfo nextfb_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(NeXTFbState),
.class_init = nextfb_class_init,
+ .secure = false,
};
static void nextfb_register_types(void)
diff --git a/hw/display/pl110.c b/hw/display/pl110.c
index 09c3c59e0e..ce33d4c68c 100644
--- a/hw/display/pl110.c
+++ b/hw/display/pl110.c
@@ -596,18 +596,21 @@ static const TypeInfo pl110_info = {
.instance_size = sizeof(PL110State),
.instance_init = pl110_init,
.class_init = pl110_class_init,
+ .secure = false,
};
static const TypeInfo pl110_versatile_info = {
.name = "pl110_versatile",
.parent = TYPE_PL110,
.instance_init = pl110_versatile_init,
+ .secure = false,
};
static const TypeInfo pl111_info = {
.name = "pl111",
.parent = TYPE_PL110,
.instance_init = pl111_init,
+ .secure = false,
};
static void pl110_register_types(void)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 18f482ca7f..8f876c872a 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -2516,7 +2516,9 @@ static const TypeInfo qxl_pci_type_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIQXLDevice),
.abstract = true,
+ .secure = true,
.class_init = qxl_pci_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
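Review bot: `.secure = true,` is added twice to qxl_pci_type_info, once before and once after `.class_init`. The second designated initializer only overrides the first with the same value, so it is harmless at runtime, but it can trigger override-init warnings and looks like a rebase leftover; drop one of the two lines.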
@@ -2539,6 +2541,7 @@ static const TypeInfo qxl_primary_info = {
.name = "qxl-vga",
.parent = TYPE_PCI_QXL,
.class_init = qxl_primary_class_init,
+ .secure = true,
};
module_obj("qxl-vga");
module_kconfig(QXL);
@@ -2557,6 +2560,7 @@ static const TypeInfo qxl_secondary_info = {
.name = "qxl",
.parent = TYPE_PCI_QXL,
.class_init = qxl_secondary_class_init,
+ .secure = true,
};
module_obj("qxl");
diff --git a/hw/display/ramfb-standalone.c b/hw/display/ramfb-standalone.c
index 72b2071aed..6fbb90d74c 100644
--- a/hw/display/ramfb-standalone.c
+++ b/hw/display/ramfb-standalone.c
@@ -83,6 +83,7 @@ static const TypeInfo ramfb_info = {
.parent = TYPE_DYNAMIC_SYS_BUS_DEVICE,
.instance_size = sizeof(RAMFBStandaloneState),
.class_init = ramfb_class_initfn,
+ .secure = true,
};
static void ramfb_register_types(void)
diff --git a/hw/display/sii9022.c b/hw/display/sii9022.c
index d00d3e9fc5..06d7863a9e 100644
--- a/hw/display/sii9022.c
+++ b/hw/display/sii9022.c
@@ -185,6 +185,7 @@ static const TypeInfo sii9022_info = {
.parent = TYPE_I2C_SLAVE,
.instance_size = sizeof(sii9022_state),
.class_init = sii9022_class_init,
+ .secure = false,
};
static void sii9022_register_types(void)
diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index bc091b3c9f..abbb78ea3e 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -2114,6 +2114,7 @@ static const TypeInfo sm501_sysbus_info = {
.instance_size = sizeof(SM501SysBusState),
.class_init = sm501_sysbus_class_init,
.instance_init = sm501_sysbus_init,
+ .secure = false,
};
#define TYPE_PCI_SM501 "sm501"
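Review bot: only sm501_sysbus_info is annotated here, while the trailing context shows a TYPE_PCI_SM501 defined immediately after it and the diffstat lists a single insertion for sm501.c. If the PCI type has its own TypeInfo it is left as an implicit "no decision"; given that the rest of the patch marks every display type explicitly, add `.secure = false,` there too or say in the commit message why it is skipped.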
diff --git a/hw/display/ssd0303.c b/hw/display/ssd0303.c
index 87781438cd..4be9d3bcc5 100644
--- a/hw/display/ssd0303.c
+++ b/hw/display/ssd0303.c
@@ -328,6 +328,7 @@ static const TypeInfo ssd0303_info = {
.parent = TYPE_I2C_SLAVE,
.instance_size = sizeof(ssd0303_state),
.class_init = ssd0303_class_init,
+ .secure = false,
};
static void ssd0303_register_types(void)
diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index af5ff4fecd..8deddf2f47 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -378,6 +378,7 @@ static const TypeInfo ssd0323_info = {
.parent = TYPE_SSI_PERIPHERAL,
.instance_size = sizeof(ssd0323_state),
.class_init = ssd0323_class_init,
+ .secure = false,
};
static void ssd03232_register_types(void)
diff --git a/hw/display/tcx.c b/hw/display/tcx.c
index 4853c5e142..1bbbc670dd 100644
--- a/hw/display/tcx.c
+++ b/hw/display/tcx.c
@@ -901,6 +901,7 @@ static const TypeInfo tcx_info = {
.instance_size = sizeof(TCXState),
.instance_init = tcx_initfn,
.class_init = tcx_class_init,
+ .secure = false,
};
static void tcx_register_types(void)
diff --git a/hw/display/vga-isa.c b/hw/display/vga-isa.c
index 3618913b3b..d01d73ddb0 100644
--- a/hw/display/vga-isa.c
+++ b/hw/display/vga-isa.c
@@ -108,6 +108,7 @@ static const TypeInfo vga_isa_info = {
.parent = TYPE_ISA_DEVICE,
.instance_size = sizeof(ISAVGAState),
.class_init = vga_isa_class_initfn,
+ .secure = false,
};
static void vga_isa_register_types(void)
diff --git a/hw/display/vga-mmio.c b/hw/display/vga-mmio.c
index 33263856b7..1c53422b59 100644
--- a/hw/display/vga-mmio.c
+++ b/hw/display/vga-mmio.c
@@ -132,6 +132,7 @@ static const TypeInfo vga_mmio_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(VGAMmioState),
.class_init = vga_mmio_class_initfn,
+ .secure = true,
};
static void vga_mmio_register_types(void)
diff --git a/hw/display/vga-pci.c b/hw/display/vga-pci.c
index b81f7fd2d0..acd59865d3 100644
--- a/hw/display/vga-pci.c
+++ b/hw/display/vga-pci.c
@@ -368,6 +368,7 @@ static const TypeInfo vga_pci_type_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(PCIVGAState),
.abstract = true,
+ .secure = true,
.class_init = vga_pci_class_init,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
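Review bot: vga_pci_type_info is `.abstract = true` and is also given `.secure = true`, and the following hunks then set the flag again on each concrete subtype. Please state in the commit message (or a comment) whether the flag on an abstract parent has any effect: if it is not inherited, the annotation on a type that can never be instantiated is noise; if it is inherited, the per-subtype lines are redundant and a subtype could silently pick up a status nobody reviewed.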
@@ -408,6 +409,7 @@ static const TypeInfo vga_info = {
.name = "VGA",
.parent = TYPE_PCI_VGA,
.class_init = vga_class_init,
+ .secure = true,
};
static const TypeInfo secondary_info = {
@@ -415,6 +417,7 @@ static const TypeInfo secondary_info = {
.parent = TYPE_PCI_VGA,
.instance_init = pci_secondary_vga_init,
.class_init = secondary_class_init,
+ .secure = true,
};
static void vga_register_types(void)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index bc1a8ed466..8734da1175 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -1363,6 +1363,7 @@ static const TypeInfo vmsvga_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(struct pci_vmsvga_state_s),
.class_init = vmsvga_class_init,
+ .secure = true,
.interfaces = (const InterfaceInfo[]) {
{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
{ },
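Review bot: `.secure = true` on vmsvga_info has no stated justification. The commit message lists VMWare VGA among the exceptions but explains the reasoning only for Cirrus PCI; a sentence on why this device (and Bochs, QXL, RAMFB) qualifies for security bug handling would make the classification reviewable by the respective maintainers.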
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index ef73e1815f..dc239537a9 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -1412,6 +1412,7 @@ static const TypeInfo xlnx_dp_info = {
.instance_init = xlnx_dp_init,
.instance_finalize = xlnx_dp_finalize,
.class_init = xlnx_dp_class_init,
+ .secure = false,
};
static void xlnx_dp_register_types(void)
--
2.50.1
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 00/32] Encode object type security status in code
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (31 preceding siblings ...)
2025-09-26 14:01 ` [PATCH v2 32/32] hw/display: mark most display adapters as insecure Daniel P. Berrangé
@ 2025-10-23 7:23 ` Markus Armbruster
2025-10-23 9:00 ` Daniel P. Berrangé
2025-10-23 12:38 ` Markus Armbruster
33 siblings, 1 reply; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 7:23 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Doesn't apply cleanly for me. I fetched it from patchew[*], doesn't
rebase cleanly. Not a blocker for me.
[*] https://github.com/patchew-project/qemu tags/patchew/20250926140144.1998694-1-berrange@redhat.com
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 00/32] Encode object type security status in code
2025-10-23 7:23 ` [PATCH v2 00/32] Encode object type security status in code Markus Armbruster
@ 2025-10-23 9:00 ` Daniel P. Berrangé
0 siblings, 0 replies; 49+ messages in thread
From: Daniel P. Berrangé @ 2025-10-23 9:00 UTC (permalink / raw)
To: Markus Armbruster
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
On Thu, Oct 23, 2025 at 09:23:01AM +0200, Markus Armbruster wrote:
> Doesn't apply cleanly for me. I fetched it from patchew[*], doesn't
> rebase cleanly. Not a blocker for me.
>
> [*] https://github.com/patchew-project/qemu tags/patchew/20250926140144.1998694-1-berrange@redhat.com
FYI, I've pushed a rebase to:
https://gitlab.com/berrange/qemu/-/tree/docs-security-status
which fixes the conflict in VFIO files.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 00/32] Encode object type security status in code
2025-09-26 14:01 [PATCH v2 00/32] Encode object type security status in code Daniel P. Berrangé
` (32 preceding siblings ...)
2025-10-23 7:23 ` [PATCH v2 00/32] Encode object type security status in code Markus Armbruster
@ 2025-10-23 12:38 ` Markus Armbruster
33 siblings, 0 replies; 49+ messages in thread
From: Markus Armbruster @ 2025-10-23 12:38 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: qemu-devel, Thomas Huth, Stefan Hajnoczi,
Philippe Mathieu-Daudé, Peter Maydell, Paolo Bonzini,
Michael S. Tsirkin
Daniel P. Berrangé <berrange@redhat.com> writes:
> Our docs/system/security.rst file loosely classifies code into that
> applicable for 'virtualization' vs 'non-virtualization' use cases.
> Only code relevant to the former group is eligible for security
> bug handling. Peter's recent proposal pointed out that we are
> increasingly hitting the limits of such a crude classification
>
> Michael suggested that with the increased complexity, docs are not
> going to be an effective way to convey the information, and we
> need to re-consider embedding this info in code. This also allows
> users to validate a configuration's security status when starting
> a guest, or modifying a running guest.
>
> This series is an attempt to start the embedding process.
>
> Probably I should split in multiple series. One introducing the
> overall framework, and then multiple series doing type annotations,
> as the latter really need to be CC'd to maintainers, but the CC
> list would be way too huge on this combined series. At least this
> combined series shows what the real world implications of this code
> approach will be though.
I appreciate seeing the entire work. We can split later if it helps
with review.
> It starts with QOM, adding a "bool secure" property to the
> TypeInfo struct, which get turned into a flag on the Type
> struct. This enables querying any ObjectClass to ask whether or
> not it is declared secure.
>
> By only using a single boolean flag, at runtime we are unable
> to distinguish between "marked insecure" and "no decision,
> implicitly insecure". As such, all our existing code is
> initially considered insecure, except for that which gets
> explicit annotation.
>
> The "-compat" argument gains a new parameter
>
> * insecure-types=accept|reject|warn
>
> The default 'accept' preserves historical behaviour of
> anything being permissible. The other two options both
> identify use of types that are not explicitly marked
> as secure.
>
> The code annotations are useful immediately, but to make the
> new -compat switch useful, we need to annotate as much as is
> possible. This series makes a strong attempt to do that across
> a large subset of the codebase. My guidance was to mark enough
> as being 'secure', that a downstream RHEL build of QEMU would
> have explicit annotation of most of its devices, with most being
> secure given they target virtualization use cases.
>
> This annotation is 90% complete for the x86 target, but more
> work is needed to finish it and then address the arch specific
> devices for arm, ppc, s390.
>
> Example: TCG is explicitly insecure, KVM is explicitly secure:
[...]
> 281 files changed, 632 insertions(+), 38 deletions(-)
PATCH 01..13, i.e. just the infrastructure:
docs/system/security.rst | 43 +++++++++++++++++++++++++++++++++++++++++++
qapi/compat.json | 24 +++++++++++++++++++++++-
qapi/machine.json | 8 +++++++-
qapi/qom.json | 10 ++++++++--
include/hw/boards.h | 12 +++++++++++-
include/hw/i386/pc.h | 13 ++++++++++++-
include/qapi/compat-policy.h | 5 +++++
include/qom/object.h | 13 +++++++++++++
hw/core/machine-qmp-cmds.c | 1 +
qapi/qapi-util.c | 30 ++++++++++++++++++++++++++++++
qom/object.c | 30 +++++++++++++++++++++++-------
qom/qom-qmp-cmds.c | 30 ++++++++++++++++++++++++------
system/qdev-monitor.c | 12 ++++++++++++
system/vl.c | 35 ++++++++++++++++++++++++++++++-----
14 files changed, 242 insertions(+), 24 deletions(-)
Quite tractable.
The remainder is purely declarative:
$ git-diff -U0 3f6db27c42..review | egrep '^[-+][^-+]'| sed 's/ */ /g' | sort -u
+ .abstract = true,
+ .class_init = i2c_ddc_class_init,
+ .instance_init = aw_emac_init,
+ .instance_init = xhci_sysbus_instance_init,
+ .secure = false,
+ .secure = true,
+ .secure = true, \
+ isapc_machine_options);
+ type_info.secure = false,
+ type_info.secure = false;
+ type_info.secure = true,
+ xenfv_machine_3_1_options);
+ xenfv_machine_4_2_options);
+DEFINE_INSECURE_MACHINE("none", machine_none_machine_init)
+DEFINE_INSECURE_PC_MACHINE(isapc, "isapc", pc_init_isa,
+DEFINE_SECURE_MACHINE("xenpv", xenpv_machine_init)
+DEFINE_SECURE_PC_MACHINE(xenfv, "xenfv-3.1", pc_xen_hvm_init,
+DEFINE_SECURE_PC_MACHINE(xenfv_4_2, "xenfv-4.2", pc_xen_hvm_init,
- .abstract = true
- .class_init = i2c_ddc_class_init
- .instance_init = aw_emac_init,
- .instance_init = xhci_sysbus_instance_init
- isapc_machine_options);
- xenfv_machine_3_1_options);
- xenfv_machine_4_2_options);
-DEFINE_MACHINE("none", machine_none_machine_init)
-DEFINE_MACHINE("xenpv", xenpv_machine_init)
-DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa,
-DEFINE_PC_MACHINE(xenfv, "xenfv-3.1", pc_xen_hvm_init,
-DEFINE_PC_MACHINE(xenfv_4_2, "xenfv-4.2", pc_xen_hvm_init,
I like it.
^ permalink raw reply [flat|nested] 49+ messages in thread
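Added example, not part of the thread and not code from the QEMU series: a small stand-alone C model of the behaviour the cover letter describes, where a single boolean per type means an unannotated type is indistinguishable from one marked insecure, and the `insecure-types=accept|reject|warn` value decides what happens to such types. The struct, enums and function names are hypothetical, and "unannotated-dev" is a made-up type name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration; not QEMU's TypeInfo or compat-policy code. */
enum policy { POLICY_ACCEPT, POLICY_WARN, POLICY_REJECT, POLICY_INVALID };
enum verdict { V_OK, V_WARNED, V_REJECTED, V_UNKNOWN_TYPE };

struct type_model {
    const char *name;
    bool secure; /* left out of an initializer => false => treated as insecure */
};

/* Constructed registry: names and values for the first three come from the
 * hunks above; "unannotated-dev" is made up and has no .secure line at all. */
static const struct type_model registry[] = {
    { .name = "VGA",   .secure = true  },
    { .name = "qxl",   .secure = true  },
    { .name = "pl111", .secure = false },
    { .name = "unannotated-dev" },
};

/* Map the insecure-types=accept|reject|warn value to a policy. */
enum policy parse_policy(const char *s)
{
    if (strcmp(s, "accept") == 0) return POLICY_ACCEPT;
    if (strcmp(s, "warn") == 0)   return POLICY_WARN;
    if (strcmp(s, "reject") == 0) return POLICY_REJECT;
    return POLICY_INVALID;
}

/* Decide whether one type may be instantiated under the given policy. */
enum verdict check_type(const char *name, enum policy p)
{
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
        if (strcmp(registry[i].name, name) != 0) continue;
        if (registry[i].secure || p == POLICY_ACCEPT) return V_OK;
        if (p == POLICY_WARN) {
            fprintf(stderr, "warning: type '%s' is not marked secure\n", name);
            return V_WARNED;
        }
        return V_REJECTED; /* POLICY_REJECT; POLICY_INVALID also fails closed */
    }
    return V_UNKNOWN_TYPE;
}

/* Check a whole guest configuration; returns the number of refused types. */
int check_config(const char *const *names, size_t n, enum policy p)
{
    int refused = 0;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_type(names[i], p);
        if (v == V_REJECTED || v == V_UNKNOWN_TYPE) refused++;
    }
    return refused;
}

int main(void)
{
    const char *cfg[] = { "VGA", "pl111", "unannotated-dev" };
    printf("accept: %d refused\n", check_config(cfg, 3, parse_policy("accept")));
    printf("reject: %d refused\n", check_config(cfg, 3, parse_policy("reject")));
    return 0;
}
```

Under `reject` the explicitly insecure "pl111" and the unannotated type get the same verdict, which is why the series has to annotate as many types as possible before the switch is useful.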