From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 89584CCD195 for ; Fri, 17 Oct 2025 07:08:20 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1v9eYL-0006tZ-AN; Fri, 17 Oct 2025 03:07:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1v9eYJ-0006tR-JH for qemu-devel@nongnu.org; Fri, 17 Oct 2025 03:07:03 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1v9eYG-0006dq-LL for qemu-devel@nongnu.org; Fri, 17 Oct 2025 03:07:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1760684818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=JrVoIejruhskipD3vPDcUrVd7qwR3pPHBdPh8hMLd2E=; b=bkiuElG0V8xIsWrZCH8HcdqBODJ8xu5nz9r3ANCQedpL/m86ZzU+dplmQPvEdNYlRts2QF fQA13cjAluBx/9nZ4hUs+I/pk2xHo+7Mwzhp8dAP4tCCmL255kitLWF3Nyml9E/2qPmVAv T6XjT4HCRLAKEV6uWEOA+Al4gbQH7Mg= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-461-qlXz_4wMODqnjVSdP5j4_w-1; Fri, 17 Oct 2025 03:06:56 -0400 X-MC-Unique: qlXz_4wMODqnjVSdP5j4_w-1 X-Mimecast-MFC-AGG-ID: qlXz_4wMODqnjVSdP5j4_w_1760684815 Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-42700099ff5so956790f8f.2 for ; Fri, 17 Oct 2025 00:06:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760684815; x=1761289615; h=content-transfer-encoding:in-reply-to:autocrypt:content-language :from:references:cc:to:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JrVoIejruhskipD3vPDcUrVd7qwR3pPHBdPh8hMLd2E=; b=tS8PmCASonUi4eqVVKqJq1qFGpEDGct0dF8YqzXxoFiWxyd1nlZhqddlShA2Pokhm4 tz2BU4VwSpI1nL7Ckp8eVLyu1FWMdQ48E1VE9gh1Tqv8VHWFopq+BHFWiq7K/vFgUYmQ jce2Sf15TBFP6j+JN8BAApK/TfscB3Hc1zffNv4v5FIKuvvgcz+yWPCeylGlfbB53PN4 48dWNARRJslJDF4u/YlLG+y7x0oMj9fo2oexoNxBNodfGbrvCkqsQyTB7AExJJwk3RJW 4ldkPd2L4VkamuJu6K7YBnPPT2PvhQ7rj8Od75RcHne1rLW+q+JDyDqpoj02wi6ccEBW LN/g== X-Forwarded-Encrypted: i=1; AJvYcCW+Knm01Bfu+1unzvQbX7bf7QYWR4jRhjjSsl9wzXz8OqSRXrrcjhh+s8Qwfa1lsxif8FeTsjPetRgi@nongnu.org X-Gm-Message-State: AOJu0Yxbqbnt9jGMeiq/qBmmtPSPJon7Zb8Q3tjgwaDChBWYiQpDVmyl 8ja0zKihDHbC535x9EV9rJM5MuP7d1G+5TO1H6HML93zLadVvb4SUdMH+lNDKRhyrO1wg1TDjh3 GLQ3kFFWx4WQYciq4FR2McUvGVgPx/lEYKvlYUxDdZ1aGHzbPgFDySbl4 X-Gm-Gg: ASbGncu89GxxXz9h62txCIQPQPvGKUwgVuxRz8RZCVIrKt+8W0+8JlFZdtD/gE/dgK4 UqPfL6H/WbX7w4cl++l13xBNk0oYdJnleUGqibwrWrYylId+GgOe3clpCVnyywU9IBWcjj6SeM/ W7BfOiacVlgEjd34FwARBv5/7hUSL3bYV9Qa9c63W0qojHwfCERxJg11GTIr8QYxBykeGE9uQFJ JjaansJKn0YHdlR1Ji92NN0jhiX25wztCgvIIUWY8XxQQIk5kyBl5wPTpamYul54APgo7OCKtlz TR0P6P1pf1TPHfqKVNGfr+kUCrZ264VF7YKsmECAMyHI43LD+zb67kQpGvLwJ4OBA+8NCBl4EWQ B8k3OTLdNigcYRwrdaR5c5cm1kSbFcZVpjvOrWR2j X-Received: by 2002:a05:6000:186d:b0:425:76e3:81c5 with SMTP id ffacd0b85a97d-42704d86bb1mr1734811f8f.17.1760684814798; Fri, 17 Oct 2025 00:06:54 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHQPeNBFSHOmcRkJ4c2fikclxE4T8sgFRB2XdOjrWWXUi+tz/Hd5p729fL+he6VdISzPVpr9g== X-Received: by 2002:a05:6000:186d:b0:425:76e3:81c5 with SMTP id ffacd0b85a97d-42704d86bb1mr1734787f8f.17.1760684814359; Fri, 17 Oct 2025 00:06:54 -0700 (PDT) Received: from [192.168.0.7] (ltea-047-064-114-135.pools.arcor-ip.net. [47.64.114.135]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-426ce5e10e8sm39171975f8f.39.2025.10.17.00.06.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 17 Oct 2025 00:06:53 -0700 (PDT) Message-ID: Date: Fri, 17 Oct 2025 09:06:51 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2] docs/system/security: Restrict "virtualization use case" to specific machines To: Peter Maydell , qemu-devel@nongnu.org Cc: Stefan Hajnoczi , Bernhard Beschow , =?UTF-8?Q?Philippe_Mathieu-Daud=C3=A9?= , Jiaxun Yang , Paolo Bonzini , "Michael S . Tsirkin" , Marcel Apfelbaum , Alistair Francis , Palmer Dabbelt , qemu-riscv@nongnu.org, qemu-ppc@nongnu.org, Huacai Chen , qemu-s390x@nongnu.org, Halil Pasic , Christian Borntraeger , Song Gao , Bibo Mao References: <20251016131159.750480-1-peter.maydell@linaro.org> From: Thomas Huth Content-Language: en-US Autocrypt: addr=thuth@redhat.com; keydata= xsFNBFH7eUwBEACzyOXKU+5Pcs6wNpKzrlJwzRl3VGZt95VCdb+FgoU9g11m7FWcOafrVRwU yYkTm9+7zBUc0sW5AuPGR/dp3pSLX/yFWsA/UB4nJsHqgDvDU7BImSeiTrnpMOTXb7Arw2a2 4CflIyFqjCpfDM4MuTmzTjXq4Uov1giGE9X6viNo1pxyEpd7PanlKNnf4PqEQp06X4IgUacW tSGj6Gcns1bCuHV8OPWLkf4hkRnu8hdL6i60Yxz4E6TqlrpxsfYwLXgEeswPHOA6Mn4Cso9O 0lewVYfFfsmokfAVMKWzOl1Sr0KGI5T9CpmRfAiSHpthhHWnECcJFwl72NTi6kUcUzG4se81 O6n9d/kTj7pzTmBdfwuOZ0YUSqcqs0W+l1NcASSYZQaDoD3/SLk+nqVeCBB4OnYOGhgmIHNW 0CwMRO/GK+20alxzk//V9GmIM2ACElbfF8+Uug3pqiHkVnKqM7W9/S1NH2qmxB6zMiJUHlTH gnVeZX0dgH27mzstcF786uPcdEqS0KJuxh2kk5IvUSL3Qn3ZgmgdxBMyCPciD/1cb7/Ahazr 3ThHQXSHXkH/aDXdfLsKVuwDzHLVSkdSnZdt5HHh75/NFHxwaTlydgfHmFFwodK8y/TjyiGZ zg2Kje38xnz8zKn9iesFBCcONXS7txENTzX0z80WKBhK+XSFJwARAQABzR5UaG9tYXMgSHV0 aCA8dGh1dGhAcmVkaGF0LmNvbT7CwXgEEwECACIFAlVgX6oCGwMGCwkIBwMCBhUIAgkKCwQW AgMBAh4BAheAAAoJEC7Z13T+cC21EbIP/ii9cvT2HHGbFRl8HqGT6+7Wkb+XLMqJBMAIGiQK QIP3xk1HPTsLfVG0ao4hy/oYkGNOP8+ubLnZen6Yq3zAFiMhQ44lvgigDYJo3Ve59gfe99KX EbtB+X95ODARkq0McR6OAsPNJ7gpEUzfkQUUJTXRDQXfG/FX303Gvk+YU0spm2tsIKPl6AmV 1CegDljzjycyfJbk418MQmMu2T82kjrkEofUO2a24ed3VGC0/Uz//XCR2ZTo+vBoBUQl41BD eFFtoCSrzo3yPFS+w5fkH9NT8ChdpSlbNS32NhYQhJtr9zjWyFRf0Zk+T/1P7ECn6gTEkp5k ofFIA4MFBc/fXbaDRtBmPB0N9pqTFApIUI4vuFPPO0JDrII9dLwZ6lO9EKiwuVlvr1wwzsgq zJTPBU3qHaUO4d/8G+gD7AL/6T4zi8Jo/GmjBsnYaTzbm94lf0CjXjsOX3seMhaE6WAZOQQG tZHAO1kAPWpaxne+wtgMKthyPLNwelLf+xzGvrIKvLX6QuLoWMnWldu22z2ICVnLQChlR9d6 WW8QFEpo/FK7omuS8KvvopFcOOdlbFMM8Y/8vBgVMSsK6fsYUhruny/PahprPbYGiNIhKqz7 UvgyZVl4pBFjTaz/SbimTk210vIlkDyy1WuS8Zsn0htv4+jQPgo9rqFE4mipJjy/iboDzsFN BFH7eUwBEAC2nzfUeeI8dv0C4qrfCPze6NkryUflEut9WwHhfXCLjtvCjnoGqFelH/PE9NF4 4VPSCdvD1SSmFVzu6T9qWdcwMSaC+e7G/z0/AhBfqTeosAF5XvKQlAb9ZPkdDr7YN0a1XDfa +NgA+JZB4ROyBZFFAwNHT+HCnyzy0v9Sh3BgJJwfpXHH2l3LfncvV8rgFv0bvdr70U+On2XH 5bApOyW1WpIG5KPJlDdzcQTyptOJ1dnEHfwnABEfzI3dNf63rlxsGouX/NFRRRNqkdClQR3K gCwciaXfZ7ir7fF0u1N2UuLsWA8Ei1JrNypk+MRxhbvdQC4tyZCZ8mVDk+QOK6pyK2f4rMf/ WmqxNTtAVmNuZIwnJdjRMMSs4W4w6N/bRvpqtykSqx7VXcgqtv6eqoDZrNuhGbekQA0sAnCJ VPArerAZGArm63o39me/bRUQeQVSxEBmg66yshF9HkcUPGVeC4B0TPwz+HFcVhheo6hoJjLq knFOPLRj+0h+ZL+D0GenyqD3CyuyeTT5dGcNU9qT74bdSr20k/CklvI7S9yoQje8BeQAHtdV cvO8XCLrpGuw9SgOS7OP5oI26a0548M4KldAY+kqX6XVphEw3/6U1KTf7WxW5zYLTtadjISB X9xsRWSU+Yqs3C7oN5TIPSoj9tXMoxZkCIHWvnqGwZ7JhwARAQABwsFfBBgBAgAJBQJR+3lM AhsMAAoJEC7Z13T+cC21hPAQAIsBL9MdGpdEpvXs9CYrBkd6tS9mbaSWj6XBDfA1AEdQkBOn ZH1Qt7HJesk+qNSnLv6+jP4VwqK5AFMrKJ6IjE7jqgzGxtcZnvSjeDGPF1h2CKZQPpTw890k fy18AvgFHkVk2Oylyexw3aOBsXg6ukN44vIFqPoc+YSU0+0QIdYJp/XFsgWxnFIMYwDpxSHS 5fdDxUjsk3UBHZx+IhFjs2siVZi5wnHIqM7eK9abr2cK2weInTBwXwqVWjsXZ4tq5+jQrwDK cvxIcwXdUTLGxc4/Z/VRH1PZSvfQxdxMGmNTGaXVNfdFZjm4fz0mz+OUi6AHC4CZpwnsliGV ODqwX8Y1zic9viSTbKS01ZNp175POyWViUk9qisPZB7ypfSIVSEULrL347qY/hm9ahhqmn17 Ng255syASv3ehvX7iwWDfzXbA0/TVaqwa1YIkec+/8miicV0zMP9siRcYQkyTqSzaTFBBmqD oiT+z+/E59qj/EKfyce3sbC9XLjXv3mHMrq1tKX4G7IJGnS989E/fg6crv6NHae9Ckm7+lSs IQu4bBP2GxiRQ+NV3iV/KU3ebMRzqIC//DCOxzQNFNJAKldPe/bKZMCxEqtVoRkuJtNdp/5a yXFZ6TfE1hGKrDBYAm4vrnZ4CXFSBDllL59cFFOJCkn4Xboj/aVxxJxF30bn In-Reply-To: <20251016131159.750480-1-peter.maydell@linaro.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org On 16/10/2025 15.11, Peter Maydell wrote: > Currently our security policy defines a "virtualization use case" > where we consider bugs to be security issues, and a > "non-virtualization use case" where we do not make any security > guarantees and don't consider bugs to be security issues. > > The rationale for this split is that much code in QEMU is older and > was not written with malicious guests in mind, and we don't have the > resources to audit, fix and defend it. So instead we inform users > about what the can in practice rely on as a security barrier, and > what they can't. > > We don't currently restrict the "virtualization use case" to any > particular set of machine types. This means that we have effectively > barred ourselves from adding KVM support to any machine type that we > don't want to put into the "bugs are security issues" category, even > if it would be useful for users to be able to get better performance > with a trusted guest by enabling KVM. This seems an unnecessary > restriction, and in practice the set of machine types it makes > sense to use for untrusted-guest virtualization is quite small. > > Specifically, we would like to be able to enable the use of > KVM with the imx8 development board machine types, but we don't > want to commit ourselves to having to support those SoC models > and device models as part of QEMU's security boundary: > https://lore.kernel.org/qemu-devel/20250629204851.1778-3-shentey@gmail.com/ (FWIW, I think this was already a ambiguous on ppc where some of the other old machine types like mac99 or ppce500 could be used with KVM, too, so it's good that we finally get some proper wording here) > This patch updates the security policy to explicitly list the > machine types we consider to be useful for the "virtualization > use case". > > Signed-off-by: Peter Maydell > --- > changes v1->v2: updated the list: > * remove isapc > * remove ppc, mips, mips64 (no machines supported) > * list pseries as only supported ppc64 machine > * list virt as only supported riscv32, riscv64 machine > > I believe the list to now be correct, and I think we generally > had some consensus about the idea on the v1 patch discussion, so > this one is a non-RFC patch. Looks good to me now, thanks for tackling this! Reviewed-by: Thomas Huth