From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Kevin Tian <kevin.tian@intel.com>, Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <ian.campbell@citrix.com>,
Jun Nakajima <jun.nakajima@intel.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
xen-devel@lists.xen.org, Jan Beulich <JBeulich@suse.com>,
Xiao Guangrong <guangrong.xiao@linux.intel.com>,
Keir Fraser <keir@xen.org>
Subject: Re: [PATCH 4/4] hvmloader: add support to load extra ACPI tables from qemu
Date: Wed, 20 Jan 2016 18:14:46 +0000 [thread overview]
Message-ID: <569FCE96.1080901@citrix.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1601201450190.9400@kaball.uk.xensource.com>
On 20/01/16 15:05, Stefano Stabellini wrote:
> On Wed, 20 Jan 2016, Andrew Cooper wrote:
>> On 20/01/16 14:29, Stefano Stabellini wrote:
>>> On Wed, 20 Jan 2016, Andrew Cooper wrote:
>>>>
>>> I wouldn't encourage the introduction of anything else that requires
>>> root privileges in QEMU. With QEMU running as non-root by default in
>>> 4.7, the feature will not be available unless users explicitly ask to
>>> run QEMU as root (which they shouldn't really).
>> This isn't how design works.
>>
>> First, design a feature in an architecturally correct way, and then
>> design an security policy to fit.
>>
>> We should not stunt design based on an existing implementation. In
>> particular, if design shows that being a root only feature is the only
>> sane way of doing this, it should be a root only feature. (I hope this
>> is not the case, but it shouldn't cloud the judgement of a design).
> I would argue that security is an integral part of the architecture and
> should not be retrofitted into it.
There is no retrofitting - it is all part of the same overall design
before coding starts happen.
>
> Is it really a good design if the only sane way to implement it is
> making it a root-only feature? I think not.
Then you have missed the point.
If you fail at architecting the feature in the first place, someone else
is going to have to come along and reimplement it properly, then provide
some form of compatibility with the old one.
Security is an important consideration in the design; I do not wish to
understate that. However, if the only way for a feature to be
architected properly is for the feature to be a root-only feature, then
it should be a root-only feature.
> Designing security policies
> for pieces of software that don't have the infrastructure for them is
> costly and that cost should be accounted as part of the overall cost of
> the solution rather than added to it in a second stage.
That cost is far better spent designing it properly in the first place,
rather than having to come along and reimplement a v2 because v1 was broken.
>
>
>> (note, both before implement happens).
> That is ideal but realistically in many cases nobody is able to produce
> a design before the implementation happens.
It is perfectly easy. This is the difference between software
engineering and software hacking.
There has been a lot of positive feedback from on-list design
documents. It is a trend which needs to continue.
~Andrew
next prev parent reply other threads:[~2016-01-20 18:14 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-29 11:31 [PATCH 0/4] add support for vNVDIMM Haozhong Zhang
2015-12-29 11:31 ` [PATCH 1/4] x86/hvm: allow guest to use clflushopt and clwb Haozhong Zhang
2015-12-29 15:46 ` Andrew Cooper
2015-12-30 1:35 ` Haozhong Zhang
2015-12-30 2:16 ` Haozhong Zhang
2015-12-30 10:33 ` Andrew Cooper
2015-12-29 11:31 ` [PATCH 2/4] x86/hvm: add support for pcommit instruction Haozhong Zhang
2015-12-29 11:31 ` [PATCH 3/4] tools/xl: add a new xl configuration 'nvdimm' Haozhong Zhang
2016-01-04 11:16 ` Wei Liu
2016-01-06 12:40 ` Jan Beulich
2016-01-06 15:28 ` Haozhong Zhang
2015-12-29 11:31 ` [PATCH 4/4] hvmloader: add support to load extra ACPI tables from qemu Haozhong Zhang
2016-01-15 17:10 ` Jan Beulich
2016-01-18 0:52 ` Haozhong Zhang
2016-01-18 8:46 ` Jan Beulich
2016-01-19 11:37 ` Wei Liu
2016-01-19 11:46 ` Jan Beulich
2016-01-20 5:14 ` Tian, Kevin
2016-01-20 5:58 ` Zhang, Haozhong
2016-01-20 5:31 ` Haozhong Zhang
2016-01-20 8:46 ` Jan Beulich
2016-01-20 8:58 ` Andrew Cooper
2016-01-20 10:15 ` Haozhong Zhang
2016-01-20 10:36 ` Xiao Guangrong
2016-01-20 13:16 ` Andrew Cooper
2016-01-20 14:29 ` Stefano Stabellini
2016-01-20 14:42 ` Haozhong Zhang
2016-01-20 14:45 ` Andrew Cooper
2016-01-20 14:53 ` Haozhong Zhang
2016-01-20 15:13 ` Konrad Rzeszutek Wilk
2016-01-20 15:29 ` Haozhong Zhang
2016-01-20 15:41 ` Konrad Rzeszutek Wilk
2016-01-20 15:54 ` Haozhong Zhang
2016-01-21 3:35 ` Bob Liu
2016-01-20 15:05 ` Stefano Stabellini
2016-01-20 18:14 ` Andrew Cooper [this message]
2016-01-20 14:38 ` Haozhong Zhang
2016-01-20 11:04 ` Haozhong Zhang
2016-01-20 11:20 ` Jan Beulich
2016-01-20 15:29 ` Xiao Guangrong
2016-01-20 15:47 ` Konrad Rzeszutek Wilk
2016-01-20 16:25 ` Xiao Guangrong
2016-01-20 16:47 ` Konrad Rzeszutek Wilk
2016-01-20 16:55 ` Xiao Guangrong
2016-01-20 17:18 ` Konrad Rzeszutek Wilk
2016-01-20 17:23 ` Xiao Guangrong
2016-01-20 17:48 ` Konrad Rzeszutek Wilk
2016-01-21 3:12 ` Haozhong Zhang
2016-01-20 17:07 ` Jan Beulich
2016-01-20 17:17 ` Xiao Guangrong
2016-01-21 8:18 ` Jan Beulich
2016-01-21 8:25 ` Xiao Guangrong
2016-01-21 8:53 ` Jan Beulich
2016-01-21 9:10 ` Xiao Guangrong
2016-01-21 9:29 ` Andrew Cooper
2016-01-21 10:26 ` Jan Beulich
2016-01-21 10:25 ` Jan Beulich
2016-01-21 14:01 ` Haozhong Zhang
2016-01-21 14:52 ` Jan Beulich
2016-01-22 2:43 ` Haozhong Zhang
2016-01-26 11:44 ` George Dunlap
2016-01-26 12:44 ` Jan Beulich
2016-01-26 12:54 ` Juergen Gross
2016-01-26 14:44 ` Konrad Rzeszutek Wilk
2016-01-26 15:37 ` Jan Beulich
2016-01-26 15:57 ` Haozhong Zhang
2016-01-26 16:34 ` Jan Beulich
2016-01-26 19:32 ` Konrad Rzeszutek Wilk
2016-01-27 7:22 ` Haozhong Zhang
2016-01-27 10:16 ` Jan Beulich
2016-01-27 14:50 ` Konrad Rzeszutek Wilk
2016-01-27 10:55 ` George Dunlap
2016-01-26 13:58 ` George Dunlap
2016-01-26 14:46 ` Konrad Rzeszutek Wilk
2016-01-26 15:30 ` Haozhong Zhang
2016-01-26 15:33 ` Haozhong Zhang
2016-01-26 15:57 ` Jan Beulich
2016-01-27 2:23 ` Haozhong Zhang
2016-01-20 15:07 ` Konrad Rzeszutek Wilk
2016-01-06 15:37 ` [PATCH 0/4] add support for vNVDIMM Ian Campbell
2016-01-06 15:47 ` Haozhong Zhang
2016-01-20 3:28 ` Tian, Kevin
2016-01-20 12:43 ` Stefano Stabellini
2016-01-20 14:26 ` Zhang, Haozhong
2016-01-20 14:35 ` Stefano Stabellini
2016-01-20 14:47 ` Zhang, Haozhong
2016-01-20 14:54 ` Andrew Cooper
2016-01-20 15:59 ` Haozhong Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=569FCE96.1080901@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=guangrong.xiao@linux.intel.com \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jun.nakajima@intel.com \
--cc=keir@xen.org \
--cc=kevin.tian@intel.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.