[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] ab4587: block: better document SSH host key f
From: |
Peter Maydell |
Subject: |
[Qemu-commits] [qemu/qemu] ab4587: block: better document SSH host key fingerprint ch... |
Date: |
Thu, 24 Feb 2022 04:47:49 -0800 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: ab458750d06bc5dec241722df8b2d5cd2456f66d
https://github.com/qemu/qemu/commit/ab458750d06bc5dec241722df8b2d5cd2456f66d
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M docs/system/qemu-block-drivers.rst.inc
Log Message:
-----------
block: better document SSH host key fingerprint checking
The docs still illustrate host key fingerprint checking using the old
md5 hashes which are considered insecure and obsolete. Change it to
illustrate using a sha256 hash. Also show how to extract the hash
value from the known_hosts file.
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: ea0f60e6f274ca8ecb45296272b2561e088b6fc8
https://github.com/qemu/qemu/commit/ea0f60e6f274ca8ecb45296272b2561e088b6fc8
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M block/ssh.c
Log Message:
-----------
block: support sha256 fingerprint with pre-blockdev options
When support for sha256 fingerprint checking was aded in
commit bf783261f0aee6e81af3916bff7606d71ccdc153
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Tue Jun 22 12:51:56 2021 +0100
block/ssh: add support for sha256 host key fingerprints
it was only made to work with -blockdev. Getting it working with
-drive requires some extra custom parsing.
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: e3296cc796aeaf319f3ed4e064ec309baf5e4da4
https://github.com/qemu/qemu/commit/e3296cc796aeaf319f3ed4e064ec309baf5e4da4
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M block/ssh.c
Log Message:
-----------
block: print the server key type and fingerprint on failure
When validating the server key fingerprint fails, it is difficult for
the user to know what they got wrong. The fingerprint accepted by QEMU
is received in a different format than OpenSSH displays. There can also
be keys for multiple different ciphers in known_hosts. It may not be
obvious which cipher QEMU will use and whether it will be the same
as OpenSSH. Address this by printing the server key type and its
corresponding fingerprint in the format QEMU accepts.
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 8f46f56260cb7eaf1bcc77366c8ce69af9bd5bec
https://github.com/qemu/qemu/commit/8f46f56260cb7eaf1bcc77366c8ce69af9bd5bec
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M softmmu/qemu-seccomp.c
Log Message:
-----------
seccomp: allow action to be customized per syscall
We're currently tailoring whether to use kill process or return EPERM
based on the syscall set. This is not flexible enough for future
requirements where we also need to be able to return a variety of
actions on a per-syscall granularity.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: d2ea8dac705fe9bca9b6b26a7aeb063d1a406f7a
https://github.com/qemu/qemu/commit/d2ea8dac705fe9bca9b6b26a7aeb063d1a406f7a
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M MAINTAINERS
M tests/unit/meson.build
A tests/unit/test-seccomp.c
Log Message:
-----------
seccomp: add unit test for seccomp filtering
The handling of some syscalls / libc function is quite subtle. For
example, 'fork' at a libc level doesn't always correspond to 'fork'
at a syscall level, since the 'clone' syscall is preferred usually.
The unit test will help to detect these kind of problems. A point of
difficulty in writing a test though is that the QEMU build process may
already be confined by seccomp. For example, if running inside a
container. Since we can't predict what filtering might have been applied
already, we are quite conservative and skip all tests if we see any kind
of seccomp filter active.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 5a2f693f07a1e93ada5277b2fb1530b2698be0fa
https://github.com/qemu/qemu/commit/5a2f693f07a1e93ada5277b2fb1530b2698be0fa
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M softmmu/qemu-seccomp.c
M tests/unit/test-seccomp.c
Log Message:
-----------
seccomp: fix blocking of process spawning
When '-sandbox on,spawn=deny' is given, we are supposed to block the
ability to spawn processes. We naively blocked the 'fork' syscall,
forgetting that any modern libc will use the 'clone' syscall instead.
We can't simply block the 'clone' syscall though, as that will break
thread creation. We thus list the set of flags used to create threads
and block anything that doesn't match this exactly.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: c542b302707628609f2a33bcbd3e442282806b8e
https://github.com/qemu/qemu/commit/c542b302707628609f2a33bcbd3e442282806b8e
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M softmmu/qemu-seccomp.c
Log Message:
-----------
seccomp: block use of clone3 syscall
Modern glibc will use clone3 instead of clone, when it detects that it
is available. We need to compare flags in order to decide whether to
allow clone (thread create vs process fork), but in clone3 the flags
are hidden inside a struct. Seccomp can't currently match on data inside
a struct, so our only option is to block clone3 entirely. If we use
ENOSYS to block it, then glibc transparently falls back to clone.
This may need to be revisited if Linux adds a new architecture in
future and only provides clone3, without clone.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 463805711056b431a74917a75cda75ec67fec3d2
https://github.com/qemu/qemu/commit/463805711056b431a74917a75cda75ec67fec3d2
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M softmmu/qemu-seccomp.c
Log Message:
-----------
seccomp: block setns, unshare and execveat syscalls
setns/unshare are used to change namespaces which is not something QEMU
needs to be able todo.
execveat is a new variant of execve so should be blocked just like
execve already is.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: e3160dea5dccfca7b5dd19ebb7bbd069c58c0ea6
https://github.com/qemu/qemu/commit/e3160dea5dccfca7b5dd19ebb7bbd069c58c0ea6
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M MAINTAINERS
Log Message:
-----------
MAINTAINERS: take over seccomp from Eduardo Otubo
Eduardo has indicated that he no longer has time to be involved in
a QEMU maintainership role. As one of the more frequent contributors
of patches and design ideas to seccomp, I'll take over in an "Odd
Fixes" role.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 2720ceda0521bc43139cfdf45e3e470559e11ce3
https://github.com/qemu/qemu/commit/2720ceda0521bc43139cfdf45e3e470559e11ce3
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-02-16 (Wed, 16 Feb 2022)
Changed paths:
M docs/interop/firmware.json
Log Message:
-----------
docs: expand firmware descriptor to allow flash without NVRAM
The current firmware descriptor schema for flash requires that both the
executable to NVRAM template paths be provided. This is fine for the
most common usage of EDK2 builds in virtualization where the separate
_CODE and _VARS files are provided.
With confidential computing technology like AMD SEV, persistent storage
of variables may be completely disabled because the firmware requires a
known clean state on every cold boot. There is no way to express this
in the firmware descriptor today.
Even with regular EDK2 builds it is possible to create a firmware that
has both executable code and variable persistence in a single file. This
hasn't been commonly used, since it would mean every guest bootup would
need to clone the full firmware file, leading to redundant duplicate
storage of the code portion. In some scenarios this may not matter and
might even be beneficial. For example if a public cloud allows users to
bring their own firmware, such that the user can pre-enroll their own
secure boot keys, you're going to have this copied on disk for each
tenant already. At this point the it can be simpler to just deal with
a single file rather than split builds. The firmware descriptor ought
to be able to express this combined firmware model too.
This all points towards expanding the schema for flash with a 'mode'
concept:
- "split" - the current implicit behaviour with separate files
for code and variables.
- "combined" - the alternate behaviour where a single file contains
both code and variables.
- "stateless" - the confidential computing use case where storage
of variables is completely disable, leaving only the code.
Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 4aa2e497a98bafe962e72997f67a369e4b52d9c1
https://github.com/qemu/qemu/commit/4aa2e497a98bafe962e72997f67a369e4b52d9c1
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2022-02-23 (Wed, 23 Feb 2022)
Changed paths:
M MAINTAINERS
M block/ssh.c
M docs/interop/firmware.json
M docs/system/qemu-block-drivers.rst.inc
M softmmu/qemu-seccomp.c
M tests/unit/meson.build
A tests/unit/test-seccomp.c
Log Message:
-----------
Merge remote-tracking branch
'remotes/berrange-gitlab/tags/misc-next-pull-request' into staging
This misc series of changes:
- Improves documentation of SSH fingerprint checking
- Fixes SHA256 fingerprints with non-blockdev usage
- Blocks the clone3, setns, unshare & execveat syscalls
with seccomp
- Blocks process spawning via clone syscall, but allows
threads, with seccomp
- Takes over seccomp maintainer role
- Expands firmware descriptor spec to allow flash
without NVRAM
# gpg: Signature made Thu 17 Feb 2022 11:57:13 GMT
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange-gitlab/tags/misc-next-pull-request:
docs: expand firmware descriptor to allow flash without NVRAM
MAINTAINERS: take over seccomp from Eduardo Otubo
seccomp: block setns, unshare and execveat syscalls
seccomp: block use of clone3 syscall
seccomp: fix blocking of process spawning
seccomp: add unit test for seccomp filtering
seccomp: allow action to be customized per syscall
block: print the server key type and fingerprint on failure
block: support sha256 fingerprint with pre-blockdev options
block: better document SSH host key fingerprint checking
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/31e3caf21b6c...4aa2e497a98b