From: Sander Eikelenboom <linux@eikelenboom.it> To: Paolo Bonzini <pbonzini@redhat.com> Cc: Kevin Wolf <kwolf@redhat.com>, xen-devel@lists.xensource.com, mst@redhat.com, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org, John Snow <jsnow@redhat.com>, rth@twiddle.net Subject: Re: [Qemu-devel] [Xen-devel] [PATCH] Do not emulate a floppy drive when -nodefaults Date: Thu, 14 May 2015 15:25:39 +0200 [thread overview] Message-ID: <908546719.20150514152539@eikelenboom.it> (raw) In-Reply-To: <55549ABD.2050202@redhat.com> Thursday, May 14, 2015, 2:53:17 PM, you wrote: > On 14/05/2015 14:45, Markus Armbruster wrote: >> Paolo Bonzini <pbonzini@redhat.com> writes: >> >>> On 14/05/2015 14:02, Markus Armbruster wrote: >>>> It should certainly be off for pc-q35-2.4 and newer. Real Q35 boards >>>> commonly don't have an FDC (depends on the Super I/O chip used). >>>> >>>> We may want to keep it off for pc-i440fx-2.4 and newer. I doubt >>>> there's a real i440FX without an FDC, but our virtual i440FX is quite >>>> unlike a real one in other ways already. >>> >>> That would break libvirt for people upgrading from 2.3 to 2.4. So it's >>> more like pc-i440fx-3.0 and pc-q35-3.0. >> >> What exactly breaks when? > libvirt expects "-nodefaults -drive if=none,id=fdd0,... -global > isa-fdc.driveA=fdd0" to result in a machine with a working FDD. It > doesn't know that it has to add "-machine fdc=on". > Besides, adding a new machine option is not the best we can do. If the > default is "no FDC", all that is needed to add one back is -device. An > FDC is yet another ISA device, it is possible to create one with -device. >> add the magic to make -global isa-fdc... auto-set the option to on. > That would be ugly magic. > The more I think about this, the more I think this is just a kneejerk > reaction to a sensationalist announcement. The effect of this > vulnerability on properly configured data centers (running > non-prehistoric versions of Xen or KVM and using > stubdom/SELinux/AppArmor properly) should be really close to zero. > It's a storm in a tea cup. > Paolo I tend to kindly disagree if you look at the broader perspective, yes it's could be a storm in a tea cup, but there seems to be a pattern. From a "cmdline user" / "platform emulation" point of view i can imagine that some sort of auto configuration / bundling in platforms is necessary (to limit the length of the cmdline to be supplied). But from a library / toolstack point of view it's quite nasty if *all* more or less obscure options have to actively disabled. It's quite undoable, not to mention what happens when new ones get added. From this PoV it would be better to have to actively enable all the stuff you want. At least Xen seemed to have taken the "no-defaults" as the best option to get there so far, but that doesn't seem to It's not the first CVE that has come from this "you have to actively disable all you don't want to happen" and probably won't be the last. So a "-no-defaults-now-for-real" option/mode for libraries / toolstacks, that requires them to be very verbose, explicit and specific in what they actually want, could be valuable. -- Sander >>> Unless for q35 we decide to >>> break everything and retroactively nuke the controller. >>> >>> (I'm still not sure why we have backwards-compatible machine types for q35). >> >> Beats me :) >> >> [...] >>
WARNING: multiple messages have this Message-ID (diff)
From: Sander Eikelenboom <linux@eikelenboom.it> To: Paolo Bonzini <pbonzini@redhat.com> Cc: Kevin Wolf <kwolf@redhat.com>, xen-devel@lists.xensource.com, mst@redhat.com, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org, John Snow <jsnow@redhat.com>, rth@twiddle.net Subject: Re: [Xen-devel] [PATCH] Do not emulate a floppy drive when -nodefaults Date: Thu, 14 May 2015 15:25:39 +0200 [thread overview] Message-ID: <908546719.20150514152539@eikelenboom.it> (raw) In-Reply-To: <55549ABD.2050202@redhat.com> Thursday, May 14, 2015, 2:53:17 PM, you wrote: > On 14/05/2015 14:45, Markus Armbruster wrote: >> Paolo Bonzini <pbonzini@redhat.com> writes: >> >>> On 14/05/2015 14:02, Markus Armbruster wrote: >>>> It should certainly be off for pc-q35-2.4 and newer. Real Q35 boards >>>> commonly don't have an FDC (depends on the Super I/O chip used). >>>> >>>> We may want to keep it off for pc-i440fx-2.4 and newer. I doubt >>>> there's a real i440FX without an FDC, but our virtual i440FX is quite >>>> unlike a real one in other ways already. >>> >>> That would break libvirt for people upgrading from 2.3 to 2.4. So it's >>> more like pc-i440fx-3.0 and pc-q35-3.0. >> >> What exactly breaks when? > libvirt expects "-nodefaults -drive if=none,id=fdd0,... -global > isa-fdc.driveA=fdd0" to result in a machine with a working FDD. It > doesn't know that it has to add "-machine fdc=on". > Besides, adding a new machine option is not the best we can do. If the > default is "no FDC", all that is needed to add one back is -device. An > FDC is yet another ISA device, it is possible to create one with -device. >> add the magic to make -global isa-fdc... auto-set the option to on. > That would be ugly magic. > The more I think about this, the more I think this is just a kneejerk > reaction to a sensationalist announcement. The effect of this > vulnerability on properly configured data centers (running > non-prehistoric versions of Xen or KVM and using > stubdom/SELinux/AppArmor properly) should be really close to zero. > It's a storm in a tea cup. > Paolo I tend to kindly disagree if you look at the broader perspective, yes it's could be a storm in a tea cup, but there seems to be a pattern. From a "cmdline user" / "platform emulation" point of view i can imagine that some sort of auto configuration / bundling in platforms is necessary (to limit the length of the cmdline to be supplied). But from a library / toolstack point of view it's quite nasty if *all* more or less obscure options have to actively disabled. It's quite undoable, not to mention what happens when new ones get added. From this PoV it would be better to have to actively enable all the stuff you want. At least Xen seemed to have taken the "no-defaults" as the best option to get there so far, but that doesn't seem to It's not the first CVE that has come from this "you have to actively disable all you don't want to happen" and probably won't be the last. So a "-no-defaults-now-for-real" option/mode for libraries / toolstacks, that requires them to be very verbose, explicit and specific in what they actually want, could be valuable. -- Sander >>> Unless for q35 we decide to >>> break everything and retroactively nuke the controller. >>> >>> (I'm still not sure why we have backwards-compatible machine types for q35). >> >> Beats me :) >> >> [...] >>
next prev parent reply other threads:[~2015-05-14 13:25 UTC|newest] Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-05-13 17:29 [Qemu-devel] [PATCH] Do not emulate a floppy drive when -nodefaults Stefano Stabellini 2015-05-13 17:29 ` Stefano Stabellini 2015-05-13 17:42 ` [Qemu-devel] " Daniel P. Berrange 2015-05-13 17:42 ` Daniel P. Berrange 2015-05-13 18:15 ` [Qemu-devel] " Stefano Stabellini 2015-05-13 18:15 ` Stefano Stabellini 2015-05-13 21:46 ` [Qemu-devel] " John Snow 2015-05-13 21:46 ` John Snow 2015-05-14 11:12 ` [Qemu-devel] " Stefano Stabellini 2015-05-14 11:12 ` Stefano Stabellini 2015-05-14 11:18 ` [Qemu-devel] " Daniel P. Berrange 2015-05-14 11:18 ` Daniel P. Berrange 2015-05-14 11:46 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 11:46 ` Michael S. Tsirkin 2015-05-14 12:02 ` [Qemu-devel] " Markus Armbruster 2015-05-14 12:02 ` Markus Armbruster 2015-05-14 12:11 ` [Qemu-devel] " Paolo Bonzini 2015-05-14 12:11 ` Paolo Bonzini 2015-05-14 12:45 ` [Qemu-devel] " Markus Armbruster 2015-05-14 12:45 ` Markus Armbruster 2015-05-14 12:48 ` [Qemu-devel] " Daniel P. Berrange 2015-05-14 12:48 ` Daniel P. Berrange 2015-05-14 12:53 ` [Qemu-devel] " Paolo Bonzini 2015-05-14 12:53 ` Paolo Bonzini 2015-05-14 13:25 ` Sander Eikelenboom [this message] 2015-05-14 13:25 ` [Xen-devel] " Sander Eikelenboom 2015-05-14 13:41 ` [Qemu-devel] " Daniel P. Berrange 2015-05-14 13:41 ` Daniel P. Berrange 2015-05-14 13:55 ` [Qemu-devel] " Paolo Bonzini 2015-05-14 13:55 ` Paolo Bonzini 2015-05-14 14:39 ` [Qemu-devel] " Stefano Stabellini 2015-05-14 14:39 ` Stefano Stabellini 2015-05-14 14:44 ` [Qemu-devel] " Paolo Bonzini 2015-05-14 14:44 ` Paolo Bonzini 2015-05-14 14:52 ` [Qemu-devel] " Stefano Stabellini 2015-05-14 14:52 ` Stefano Stabellini 2015-05-14 13:57 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 13:57 ` Michael S. Tsirkin 2015-05-14 14:07 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 14:07 ` Michael S. Tsirkin 2015-05-14 17:54 ` [Qemu-devel] " John Snow 2015-05-14 17:54 ` John Snow 2015-05-15 7:50 ` [Qemu-devel] " Markus Armbruster 2015-05-15 7:50 ` Markus Armbruster 2015-05-15 8:19 ` [Qemu-devel] " Paolo Bonzini 2015-05-15 8:19 ` Paolo Bonzini 2015-05-15 10:20 ` [Qemu-devel] " Stefano Stabellini 2015-05-15 10:20 ` Stefano Stabellini 2015-05-18 9:19 ` [Qemu-devel] " Kevin Wolf 2015-05-18 9:19 ` Kevin Wolf 2015-05-14 11:47 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 11:47 ` Michael S. Tsirkin 2015-05-14 11:54 ` [Qemu-devel] " Paolo Bonzini 2015-05-14 11:54 ` Paolo Bonzini 2015-05-14 11:56 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 11:56 ` Michael S. Tsirkin 2015-05-14 12:47 ` [Qemu-devel] " Markus Armbruster 2015-05-14 12:47 ` Markus Armbruster 2015-05-14 4:38 ` [Qemu-devel] " Stefan Weil 2015-05-14 4:38 ` Stefan Weil 2015-05-14 5:45 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-14 5:45 ` Michael S. Tsirkin 2015-05-13 21:44 ` [Qemu-devel] " Michael S. Tsirkin 2015-05-13 21:44 ` Michael S. Tsirkin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=908546719.20150514152539@eikelenboom.it \ --to=linux@eikelenboom.it \ --cc=armbru@redhat.com \ --cc=jsnow@redhat.com \ --cc=kwolf@redhat.com \ --cc=mst@redhat.com \ --cc=pbonzini@redhat.com \ --cc=qemu-devel@nongnu.org \ --cc=rth@twiddle.net \ --cc=stefano.stabellini@eu.citrix.com \ --cc=xen-devel@lists.xensource.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.