
From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH] security.rst: add Security Guide to developer docs
Date: Tue, 23 Apr 2019 09:43:49 +0100
User-agent: Mutt/1.11.3 (2019-02-01)

On Thu, Apr 18, 2019 at 06:47:18PM +0200, Philippe Mathieu-Daudé wrote:
> On 4/18/19 6:13 PM, Stefan Hajnoczi wrote:
> > +Virtualization Use Case
> > +~~~~~~~~~~~~~~~~~~~~~~~
> > +The virtualization use case covers cloud and virtual private server (VPS)
> > +hosting, as well as traditional data center and desktop virtualization.  
> > These
> > +use cases rely on hardware virtualization extensions to execute guest code
> > +safely on the physical CPU at close-to-native speed.
> > +
> > +The following entities are **untrusted**, meaning that they may be buggy or
> > +malicious:
> > +
> > +* Guest
> > +* User-facing interfaces (e.g. VNC, SPICE, WebSocket)
> > +* Network protocols (e.g. NBD, live migration)
> > +* User-supplied files (e.g. disk images, kernels, device trees)
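Review bot: the untrusted list in this hunk has no complementary statement of what is trusted, so a reader cannot tell where the boundary actually lies (for example, whether host-side configuration and the files QEMU itself is started with count as trusted input). Consider adding a short "The following entities are trusted" list alongside the untrusted one, since the later isolation and device-emulation sections assume that boundary.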
> 
> What about pass-thru USB/PCI devices?

Can you give a real-world example?

> > +Guest Isolation
> > +~~~~~~~~~~~~~~~
> > +Guest isolation is the confinement of guest code to the virtual machine.  
> > When
> > +guest code gains control of execution on the host this is called escaping 
> > the
> > +virtual machine.  Isolation also includes resource limits such as CPU, 
> > memory,
> > +disk, or network throttling.  Guests must be unable to exceed their 
> > resource
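Review bot: folding resource limits into "guest isolation" in the second sentence blurs two different failure classes: a guest escape (guest code gaining control of execution on the host) is a code-execution boundary violation, while a guest exceeding its CPU, memory, disk or network allocation is a denial-of-service problem. Consider stating them as separate expectations, e.g. "Guests must be unable to execute code on the host" and "Guests must be unable to exceed their resource limits", so that bug reports can be classified against the right one.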
> 
> I'm unsure but I'd have written "... such as throttling of CPU, memory,
> disk or network".

Will change in v2.

> > +Unexpected Device Accesses
> > +~~~~~~~~~~~~~~~~~~~~~~~~~~
> > +The guest may access device registers in unusual orders or at unexpected
> > +moments.  Device emulation code must not assume that the guest follows the
> > +typical "theory of operation" presented in driver writer manuals.  The 
> > guest
> > +may make nonsense accesses to device registers such as starting operations
> > +before the device has been fully initialized.
> > +
> > +A related issue is that device emulation code must be prepared for 
> > unexpected
> > +device register accesses while asynchronous operations are in progress.  A
> > +well-behaved guest might wait for a completion interrupt before accessing
> > +certain device registers.  Device emulation code must handle the case 
> > where the
> > +guest overwrites registers or submits further requests before an ongoing
> > +request completes.  Unexpected accesses must not cause memory corruption or
> > +leaks in QEMU.
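Review bot: "memory corruption or leaks" in the last sentence is ambiguous, since "leaks" can mean memory leaks or information leaks (guest reading host memory or another guest's data), and both matter here. Consider spelling out the required behaviour on an unexpected access, e.g. "must not cause memory corruption, memory leaks, or disclosure of host or other-guest data", and also saying what a device model should do instead (ignore the access, or fail the request) so that "must not" has a positive counterpart.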
> 
> Might be worth mentioning that such unexpected accesses might be logged with
> 'qemu_log_mask(LOG_GUEST_ERROR, ...)' and audited with -d guest_errors?

Will add in v2.

Stefan
