From: "Philippe Mathieu-Daudé" <philmd@redhat.com> To: qemu-devel@nongnu.org Cc: "Thomas Huth" <thuth@redhat.com>, "Prasad J Pandit" <pjp@fedoraproject.org>, "Michael S. Tsirkin" <mst@redhat.com>, "Markus Armbruster" <armbru@redhat.com>, "Paolo Bonzini" <pbonzini@redhat.com>, "Eduardo Habkost" <ehabkost@redhat.com>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, "Daniel P. Berrangé" <berrange@redhat.com>, "Eric Blake" <eblake@redhat.com>, "Richard Henderson" <richard.henderson@linaro.org>, qemu-block@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>, xen-devel@lists.xenproject.org, "Philippe Mathieu-Daudé" <philmd@redhat.com> Subject: [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Date: Thu, 9 Sep 2021 01:20:14 +0200 [thread overview] Message-ID: <20210908232024.2399215-1-philmd@redhat.com> (raw) Hi, This series is experimental! The goal is to better limit the boundary of what code is considerated security critical, and what is less critical (but still important!). This approach was quickly discussed few months ago with Markus then Daniel. Instead of classifying the code on a file path basis (see [1]), we insert (runtime) hints into the code (which survive code movement). Offending unsafe code can taint the global security policy. By default this policy is 'none': the current behavior. It can be changed on the command line to 'warn' to display warnings, and to 'strict' to prohibit QEMU running with a tainted policy. As examples I started implementing unsafe code taint from 3 different pieces of code: - accelerators (KVM and Xen in allow-list) - block drivers (vvfat and parcial null-co in deny-list) - qdev (hobbyist devices regularly hit by fuzzer) I don't want the security researchers to not fuzz QEMU unsafe areas, but I'd like to make it clearer what the community priority is (currently 47 opened issues on [3]). Regards, Phil. [1] https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/ [2] https://www.qemu.org/contribute/security-process/ [3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer Philippe Mathieu-Daudé (10): sysemu: Introduce qemu_security_policy_taint() API accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe block: Use qemu_security_policy_taint() API block/vvfat: Mark the driver as unsafe block/null: Mark 'read-zeroes=off' option as unsafe qdev: Use qemu_security_policy_taint() API hw/display: Mark ATI and Artist devices as unsafe hw/misc: Mark testdev devices as unsafe hw/net: Mark Tulip device as unsafe hw/sd: Mark sdhci-pci device as unsafe qapi/run-state.json | 16 +++++++++ include/block/block_int.h | 6 +++- include/hw/qdev-core.h | 6 ++++ include/qemu-common.h | 19 +++++++++++ include/qemu/accel.h | 5 +++ accel/kvm/kvm-all.c | 1 + accel/xen/xen-all.c | 1 + block.c | 6 ++++ block/null.c | 8 +++++ block/vvfat.c | 6 ++++ hw/core/qdev.c | 11 ++++++ hw/display/artist.c | 1 + hw/display/ati.c | 1 + hw/hyperv/hyperv_testdev.c | 1 + hw/misc/pc-testdev.c | 1 + hw/misc/pci-testdev.c | 1 + hw/net/tulip.c | 1 + hw/sd/sdhci-pci.c | 1 + softmmu/vl.c | 70 ++++++++++++++++++++++++++++++++++++++ qemu-options.hx | 17 +++++++++ 20 files changed, 178 insertions(+), 1 deletion(-) -- 2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: "Philippe Mathieu-Daudé" <philmd@redhat.com> To: qemu-devel@nongnu.org Cc: "Peter Maydell" <peter.maydell@linaro.org>, "Thomas Huth" <thuth@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, "Prasad J Pandit" <pjp@fedoraproject.org>, qemu-block@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>, "Philippe Mathieu-Daudé" <philmd@redhat.com>, "Richard Henderson" <richard.henderson@linaro.org>, "Markus Armbruster" <armbru@redhat.com>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, xen-devel@lists.xenproject.org, "Paolo Bonzini" <pbonzini@redhat.com>, "Eric Blake" <eblake@redhat.com>, "Eduardo Habkost" <ehabkost@redhat.com> Subject: [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Date: Thu, 9 Sep 2021 01:20:14 +0200 [thread overview] Message-ID: <20210908232024.2399215-1-philmd@redhat.com> (raw) Hi, This series is experimental! The goal is to better limit the boundary of what code is considerated security critical, and what is less critical (but still important!). This approach was quickly discussed few months ago with Markus then Daniel. Instead of classifying the code on a file path basis (see [1]), we insert (runtime) hints into the code (which survive code movement). Offending unsafe code can taint the global security policy. By default this policy is 'none': the current behavior. It can be changed on the command line to 'warn' to display warnings, and to 'strict' to prohibit QEMU running with a tainted policy. As examples I started implementing unsafe code taint from 3 different pieces of code: - accelerators (KVM and Xen in allow-list) - block drivers (vvfat and parcial null-co in deny-list) - qdev (hobbyist devices regularly hit by fuzzer) I don't want the security researchers to not fuzz QEMU unsafe areas, but I'd like to make it clearer what the community priority is (currently 47 opened issues on [3]). Regards, Phil. [1] https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/ [2] https://www.qemu.org/contribute/security-process/ [3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer Philippe Mathieu-Daudé (10): sysemu: Introduce qemu_security_policy_taint() API accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe block: Use qemu_security_policy_taint() API block/vvfat: Mark the driver as unsafe block/null: Mark 'read-zeroes=off' option as unsafe qdev: Use qemu_security_policy_taint() API hw/display: Mark ATI and Artist devices as unsafe hw/misc: Mark testdev devices as unsafe hw/net: Mark Tulip device as unsafe hw/sd: Mark sdhci-pci device as unsafe qapi/run-state.json | 16 +++++++++ include/block/block_int.h | 6 +++- include/hw/qdev-core.h | 6 ++++ include/qemu-common.h | 19 +++++++++++ include/qemu/accel.h | 5 +++ accel/kvm/kvm-all.c | 1 + accel/xen/xen-all.c | 1 + block.c | 6 ++++ block/null.c | 8 +++++ block/vvfat.c | 6 ++++ hw/core/qdev.c | 11 ++++++ hw/display/artist.c | 1 + hw/display/ati.c | 1 + hw/hyperv/hyperv_testdev.c | 1 + hw/misc/pc-testdev.c | 1 + hw/misc/pci-testdev.c | 1 + hw/net/tulip.c | 1 + hw/sd/sdhci-pci.c | 1 + softmmu/vl.c | 70 ++++++++++++++++++++++++++++++++++++++ qemu-options.hx | 17 +++++++++ 20 files changed, 178 insertions(+), 1 deletion(-) -- 2.31.1
next reply other threads:[~2021-09-08 23:20 UTC|newest] Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-09-08 23:20 Philippe Mathieu-Daudé [this message] 2021-09-08 23:20 ` [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 01/10] sysemu: " Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-09 10:01 ` Paolo Bonzini 2021-09-09 18:45 ` Eric Blake 2021-09-09 18:45 ` Eric Blake 2021-09-08 23:20 ` [RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-09 10:37 ` Daniel P. Berrangé 2021-09-09 10:37 ` Daniel P. Berrangé 2021-10-21 14:47 ` Markus Armbruster 2021-10-21 14:47 ` Markus Armbruster 2021-09-09 18:46 ` Eric Blake 2021-09-09 18:46 ` Eric Blake 2021-09-08 23:20 ` [RFC PATCH 03/10] block: Use qemu_security_policy_taint() API Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-09 9:53 ` Philippe Mathieu-Daudé 2021-09-09 9:53 ` Philippe Mathieu-Daudé 2021-09-09 10:40 ` Daniel P. Berrangé 2021-09-09 10:40 ` Daniel P. Berrangé 2021-09-09 10:55 ` Daniel P. Berrangé 2021-09-09 19:05 ` Eric Blake 2021-09-09 19:05 ` Eric Blake 2021-09-08 23:20 ` [RFC PATCH 04/10] block/vvfat: Mark the driver as unsafe Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 05/10] block/null: Mark 'read-zeroes=off' option " Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 06/10] qdev: Use qemu_security_policy_taint() API Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-09 11:03 ` Daniel P. Berrangé 2021-09-09 11:03 ` Daniel P. Berrangé 2021-09-08 23:20 ` [RFC PATCH 07/10] hw/display: Mark ATI and Artist devices as unsafe Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 08/10] hw/misc: Mark testdev " Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 09/10] hw/net: Mark Tulip device " Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-08 23:20 ` [RFC PATCH 10/10] hw/sd: Mark sdhci-pci " Philippe Mathieu-Daudé 2021-09-08 23:20 ` Philippe Mathieu-Daudé 2021-09-09 10:28 ` [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Daniel P. Berrangé 2021-09-09 10:28 ` Daniel P. Berrangé 2021-09-14 13:30 ` P J P 2021-09-14 13:30 ` P J P 2021-09-28 11:39 ` P J P 2021-09-28 11:39 ` P J P 2021-09-30 10:30 ` Daniel P. Berrangé 2021-09-30 10:30 ` Daniel P. Berrangé 2021-09-09 12:03 ` Alexander Bulekov 2021-09-09 12:03 ` Alexander Bulekov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210908232024.2399215-1-philmd@redhat.com \ --to=philmd@redhat.com \ --cc=armbru@redhat.com \ --cc=berrange@redhat.com \ --cc=eblake@redhat.com \ --cc=ehabkost@redhat.com \ --cc=f4bug@amsat.org \ --cc=mst@redhat.com \ --cc=pbonzini@redhat.com \ --cc=peter.maydell@linaro.org \ --cc=pjp@fedoraproject.org \ --cc=qemu-block@nongnu.org \ --cc=qemu-devel@nongnu.org \ --cc=richard.henderson@linaro.org \ --cc=thuth@redhat.com \ --cc=xen-devel@lists.xenproject.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.