[RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API - Philippe Mathieu-Daudé

From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Thomas Huth" <thuth@redhat.com>,
	"Prasad J Pandit" <pjp@fedoraproject.org>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Eduardo Habkost" <ehabkost@redhat.com>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	qemu-block@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
	xen-devel@lists.xenproject.org,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API
Date: Thu,  9 Sep 2021 01:20:14 +0200	[thread overview]
Message-ID: <20210908232024.2399215-1-philmd@redhat.com> (raw)

Hi,

This series is experimental! The goal is to better limit the
boundary of what code is considerated security critical, and
what is less critical (but still important!).

This approach was quickly discussed few months ago with Markus
then Daniel. Instead of classifying the code on a file path
basis (see [1]), we insert (runtime) hints into the code
(which survive code movement). Offending unsafe code can
taint the global security policy. By default this policy
is 'none': the current behavior. It can be changed on the
command line to 'warn' to display warnings, and to 'strict'
to prohibit QEMU running with a tainted policy.

As examples I started implementing unsafe code taint from
3 different pieces of code:
- accelerators (KVM and Xen in allow-list)
- block drivers (vvfat and parcial null-co in deny-list)
- qdev (hobbyist devices regularly hit by fuzzer)

I don't want the security researchers to not fuzz QEMU unsafe
areas, but I'd like to make it clearer what the community
priority is (currently 47 opened issues on [3]).

Regards,

Phil.

[1] https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/
[2] https://www.qemu.org/contribute/security-process/
[3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer

Philippe Mathieu-Daudé (10):
  sysemu: Introduce qemu_security_policy_taint() API
  accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe
  block: Use qemu_security_policy_taint() API
  block/vvfat: Mark the driver as unsafe
  block/null: Mark 'read-zeroes=off' option as unsafe
  qdev: Use qemu_security_policy_taint() API
  hw/display: Mark ATI and Artist devices as unsafe
  hw/misc: Mark testdev devices as unsafe
  hw/net: Mark Tulip device as unsafe
  hw/sd: Mark sdhci-pci device as unsafe

 qapi/run-state.json        | 16 +++++++++
 include/block/block_int.h  |  6 +++-
 include/hw/qdev-core.h     |  6 ++++
 include/qemu-common.h      | 19 +++++++++++
 include/qemu/accel.h       |  5 +++
 accel/kvm/kvm-all.c        |  1 +
 accel/xen/xen-all.c        |  1 +
 block.c                    |  6 ++++
 block/null.c               |  8 +++++
 block/vvfat.c              |  6 ++++
 hw/core/qdev.c             | 11 ++++++
 hw/display/artist.c        |  1 +
 hw/display/ati.c           |  1 +
 hw/hyperv/hyperv_testdev.c |  1 +
 hw/misc/pc-testdev.c       |  1 +
 hw/misc/pci-testdev.c      |  1 +
 hw/net/tulip.c             |  1 +
 hw/sd/sdhci-pci.c          |  1 +
 softmmu/vl.c               | 70 ++++++++++++++++++++++++++++++++++++++
 qemu-options.hx            | 17 +++++++++
 20 files changed, 178 insertions(+), 1 deletion(-)

-- 
2.31.1