From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Stefan Hajnoczi <stefanha@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Thomas Huth <thuth@redhat.com>
Subject: Re: [PATCH <RFC> 00/15] Encode object type security status in code
Date: Tue, 16 Sep 2025 17:43:48 +0100 [thread overview]
Message-ID: <aMmTxNB2eq6hSS9o@redhat.com> (raw)
In-Reply-To: <20250909165726.3814465-1-berrange@redhat.com>
Ping: anyone have thoughts on this idea of annotating security
status of our code against QOM classes ?
On Tue, Sep 09, 2025 at 05:57:11PM +0100, Daniel P. Berrangé wrote:
> Our docs/system/security.rst file loosely classifies code into that
> applicable for 'virtualization' vs 'non-virtualization' use cases.
> Only code relevant to the former group is eligible for security
> bug handling. Peter's recent proposal pointed out that we are
> increasingly hitting the limits of such a crude classification:
>
> https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg01520.html
>
> Michael suggested that with the increased complexity, docs are not
> going to be an effective way to convey the information, and we
> need to re-consider embedding this info in code:
>
> https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg01566.html
>
> This also allows users to validate a configuration's security status
> when starting a guest, or modifying a running guest. This series is
> an attempt to start the embedding process.
>
> It starts with QOM, adding "bool secure" and "bool insecure"
> properties to the TypeInfo struct, which get turned into flags
> on the Type struct. This enables querying any ObjectClass to
> ask whether or not it is declared secure or insecure.
>
> By default no statement will be made about whether a class is
> secure or insecure, reflecting our historical defaults. Over
> time we should annotate as many classes as possible with an
> explicit statement.
>
> The "-machine" argument gains two new parameters
>
> * prohibit-insecure=yes|no - a weak security boundary, only
> excluding stuff that is explicitly declared insecure,
> permiting stuff that is secure & anything without a stetement
>
> * require-secure=yes|no - a strong security boundary, only
> permitting stuff that is explicitly declared secure,
> excluding insecure stuff & anything without a statement
>
> As illustration, I have added explicit annotations for many machine
> types, some accelerators, all NICs (all insecure except xen,
> e1000(e) and virtio), and all PCI virtio devices (all secure).
>
> Example: TCG is explicitly insecure, KVM is explicitly secure,
> qtest has no statement:
>
> $ qemu-system-x86_64 -display none -machine pc,prohibit-insecure=yes -accel tcg
> qemu-system-x86_64: Type 'tcg-accel' is declared as insecure
>
> $ qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel tcg
> qemu-system-x86_64: Type 'tcg-accel' is not declared as secure
>
> $ qemu-system-x86_64 -display none -machine pc,prohibit-insecure=yes -accel kvm
> ^Cqemu-system-x86_64: terminating on signal 2
>
> $ qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel kvm
> ^Cqemu-system-x86_64: terminating on signal 2
>
> $ qemu-system-x86_64 -display none -machine pc,prohibit-insecure=yes -accel qtest
> ^Cqemu-system-x86_64: terminating on signal 2
>
> $ qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel qtest
> qemu-system-x86_64: Type 'qtest-accel' is not declared as secure
>
> Example: isapc machine type is explicitly insecure
>
> $ qemu-system-x86_64 -display none -machine isapc,require-secure=yes -accel kvm
> qemu-system-x86_64: Type 'isapc-machine' is not declared as secure
>
> Example: devices which have no security statement are allowed if
> merely excluding insecure devices:
>
> $ qemu-system-x86_64 -display none -machine pc,prohibit-insecure=yes -accel kvm -device i6300esb
> ^Cqemu-system-x86_64: terminating on signal 2
>
> Example: devices which have no security statement are rejected if
> requiring explicit security:
>
> $ qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel kvm -device i6300esb
> qemu-system-x86_64: -device i6300esb: Type 'i6300esb' is not declared as secure
>
> Example: checks also apply in HMP, rtl8139 is explicitly insecure,
> virtio is explicitly secure
>
> $ qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel kvm -monitor stdio
> QEMU 10.1.50 monitor - type 'help' for more information
> (qemu) device_add rtl8139
> Error: Type 'rtl8139' is not declared as secure
> (qemu) device_add virtio-net
>
> Example: checks also apply in QMP:
>
> $ ./scripts/qmp/qmp-shell-wrap qemu-system-x86_64 -display none -machine pc,require-secure=yes -accel kvm
> Welcome to the QMP low-level shell!
> Connected
> (QEMU) device_add driver=rtl8139
> {"error": {"class": "GenericError", "desc": "Type 'rtl8139' is not declared as secure"}}
> (QEMU) device_add driver=virtio-net
> {"return": {}}
>
> Some questions....
>
> * Is using '-machine' the right place to express the policy ?
>
> * Can we change '-accel help' to report 'secure' / 'insecure'
> as we did for '-machine help' and '-device help'.
>
> * Should we have 'query-devices' for QMP to allow the 'secure'
> or 'insecure' status to be queried for every device.
>
> * Should we have 'query-accel' for QMP to allow the 'secure'
> or 'insecure' status to be queried for every accelerator.
>
> * Should we enforce checks for -object & object_add too ?
> Easy to add code for this, but do we need the ability to
> exclude some object backends of dubious code quality ?
>
> * Likewise for -chardev / -netdev / etc which are
> conceptual specializations of -object
>
> * BlockDriver structs don't use QOM, so we can't mark
> 'vvfat' block backend as insecure
>
> The first one about '-machine' is probably the main blocker
> from a design POV. Other things are just potential future
> incremental work.
>
> This series has had only 1/2 a day's work / thought put into
> it, hence RFC status. It has been compiled and minimally tested
> with the examples shown above. I have not pushed this through
> CI nor considered tests yet. Still it gives a good illustration
> of what's involved in recording security info in code.
>
> Daniel P. Berrangé (15):
> qom: replace 'abstract' with 'flags'
> qom: add tracking of security state of object types
> machine: add 'require-secure' and 'prohibit-insecure' properties
> machine: check security for machine and accelerator types
> system: report machine security status in help output
> system: check security of device types
> system: report device security status in help output
> hw/core: report secure/insecure status in query-machines
> accel: mark 'kvm' as secure and 'tcg' as insecure
> hw/virtio: mark all virtio PCI devices as secure
> hw: mark x86, s390, ppc, arm versioned machine types as secure
> hw: declare Xen & microvm machines as secure, isapc as insecure
> hw/core: declare 'none' machine to be insecure
> hw/net: mark all NICs as insecure except e1000, e1000e & xen
> docs: expand security docs with info about secure/insecure markers
>
> accel/kvm/kvm-all.c | 1 +
> accel/tcg/tcg-all.c | 1 +
> docs/system/security.rst | 41 +++++++++++++++++++++
> hw/arm/virt.c | 1 +
> hw/arm/xen-pvh.c | 1 +
> hw/core/machine-qmp-cmds.c | 2 ++
> hw/core/machine.c | 66 ++++++++++++++++++++++++++++++++++
> hw/core/null-machine.c | 2 +-
> hw/i386/isapc.c | 2 +-
> hw/i386/microvm.c | 1 +
> hw/i386/pc_piix.c | 4 +--
> hw/i386/xen/xen-pvh.c | 1 +
> hw/i386/xen/xen_pvdevice.c | 1 +
> hw/net/allwinner-sun8i-emac.c | 1 +
> hw/net/allwinner_emac.c | 3 +-
> hw/net/cadence_gem.c | 1 +
> hw/net/can/can_kvaser_pci.c | 1 +
> hw/net/can/can_mioe3680_pci.c | 1 +
> hw/net/can/can_pcm3680_pci.c | 1 +
> hw/net/can/ctucan_pci.c | 1 +
> hw/net/can/xlnx-versal-canfd.c | 1 +
> hw/net/can/xlnx-zynqmp-can.c | 1 +
> hw/net/dp8393x.c | 1 +
> hw/net/e1000.c | 1 +
> hw/net/e1000e.c | 1 +
> hw/net/eepro100.c | 1 +
> hw/net/fsl_etsec/etsec.c | 1 +
> hw/net/ftgmac100.c | 1 +
> hw/net/igb.c | 1 +
> hw/net/igbvf.c | 1 +
> hw/net/imx_fec.c | 2 ++
> hw/net/lan9118.c | 1 +
> hw/net/lan9118_phy.c | 1 +
> hw/net/lance.c | 1 +
> hw/net/lasi_i82596.c | 1 +
> hw/net/mcf_fec.c | 1 +
> hw/net/msf2-emac.c | 1 +
> hw/net/mv88w8618_eth.c | 1 +
> hw/net/ne2000-isa.c | 1 +
> hw/net/ne2000-pci.c | 1 +
> hw/net/npcm7xx_emc.c | 1 +
> hw/net/npcm_gmac.c | 1 +
> hw/net/npcm_pcs.c | 1 +
> hw/net/opencores_eth.c | 1 +
> hw/net/pcnet-pci.c | 1 +
> hw/net/rocker/rocker.c | 1 +
> hw/net/rtl8139.c | 1 +
> hw/net/smc91c111.c | 1 +
> hw/net/spapr_llan.c | 1 +
> hw/net/stellaris_enet.c | 1 +
> hw/net/sungem.c | 1 +
> hw/net/sunhme.c | 1 +
> hw/net/tulip.c | 1 +
> hw/net/virtio-net.c | 1 +
> hw/net/vmxnet3.c | 1 +
> hw/net/xen_nic.c | 1 +
> hw/net/xgmac.c | 1 +
> hw/net/xilinx_axienet.c | 1 +
> hw/net/xilinx_ethlite.c | 1 +
> hw/ppc/spapr.c | 1 +
> hw/s390x/s390-virtio-ccw.c | 1 +
> hw/virtio/virtio-pci.c | 3 ++
> hw/xen/xen-pvh-common.c | 1 +
> hw/xenpv/xen_machine_pv.c | 2 +-
> include/hw/boards.h | 18 +++++++++-
> include/hw/i386/pc.h | 5 ++-
> include/qom/object.h | 24 +++++++++++++
> qapi/machine.json | 9 ++++-
> qom/object.c | 40 +++++++++++++++++----
> system/qdev-monitor.c | 10 ++++++
> system/vl.c | 6 ++--
> 71 files changed, 275 insertions(+), 18 deletions(-)
>
> --
> 2.50.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-09-16 16:44 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 16:57 [PATCH <RFC> 00/15] Encode object type security status in code Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 01/15] qom: replace 'abstract' with 'flags' Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 02/15] qom: add tracking of security state of object types Daniel P. Berrangé
2025-09-22 21:33 ` Eric Blake
2025-09-09 16:57 ` [PATCH 03/15] machine: add 'require-secure' and 'prohibit-insecure' properties Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 04/15] machine: check security for machine and accelerator types Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 05/15] system: report machine security status in help output Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 06/15] system: check security of device types Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 07/15] system: report device security status in help output Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 08/15] hw/core: report secure/insecure status in query-machines Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 09/15] accel: mark 'kvm' as secure and 'tcg' as insecure Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 10/15] hw/virtio: mark all virtio PCI devices as secure Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 11/15] hw: mark x86, s390, ppc, arm versioned machine types " Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 12/15] hw: declare Xen & microvm machines as secure, isapc as insecure Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 13/15] hw/core: declare 'none' machine to be insecure Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 14/15] hw/net: mark all NICs as insecure except e1000, e1000e & xen Daniel P. Berrangé
2025-09-09 16:57 ` [PATCH 15/15] docs: expand security docs with info about secure/insecure markers Daniel P. Berrangé
2025-09-16 16:43 ` Daniel P. Berrangé [this message]
2025-09-16 16:51 ` [PATCH <RFC> 00/15] Encode object type security status in code Peter Maydell
2025-09-18 11:35 ` Markus Armbruster
2025-09-18 12:29 ` Daniel P. Berrangé
2025-09-18 14:44 ` Markus Armbruster
2025-09-18 14:51 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMmTxNB2eq6hSS9o@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).