[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API
From: |
Philippe Mathieu-Daudé |
Subject: |
[RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API |
Date: |
Thu, 9 Sep 2021 01:20:14 +0200 |
Hi,
This series is experimental! The goal is to better limit the
boundary of what code is considerated security critical, and
what is less critical (but still important!).
This approach was quickly discussed few months ago with Markus
then Daniel. Instead of classifying the code on a file path
basis (see [1]), we insert (runtime) hints into the code
(which survive code movement). Offending unsafe code can
taint the global security policy. By default this policy
is 'none': the current behavior. It can be changed on the
command line to 'warn' to display warnings, and to 'strict'
to prohibit QEMU running with a tainted policy.
As examples I started implementing unsafe code taint from
3 different pieces of code:
- accelerators (KVM and Xen in allow-list)
- block drivers (vvfat and parcial null-co in deny-list)
- qdev (hobbyist devices regularly hit by fuzzer)
I don't want the security researchers to not fuzz QEMU unsafe
areas, but I'd like to make it clearer what the community
priority is (currently 47 opened issues on [3]).
Regards,
Phil.
[1]
https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/
[2] https://www.qemu.org/contribute/security-process/
[3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer
Philippe Mathieu-Daudé (10):
sysemu: Introduce qemu_security_policy_taint() API
accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe
block: Use qemu_security_policy_taint() API
block/vvfat: Mark the driver as unsafe
block/null: Mark 'read-zeroes=off' option as unsafe
qdev: Use qemu_security_policy_taint() API
hw/display: Mark ATI and Artist devices as unsafe
hw/misc: Mark testdev devices as unsafe
hw/net: Mark Tulip device as unsafe
hw/sd: Mark sdhci-pci device as unsafe
qapi/run-state.json | 16 +++++++++
include/block/block_int.h | 6 +++-
include/hw/qdev-core.h | 6 ++++
include/qemu-common.h | 19 +++++++++++
include/qemu/accel.h | 5 +++
accel/kvm/kvm-all.c | 1 +
accel/xen/xen-all.c | 1 +
block.c | 6 ++++
block/null.c | 8 +++++
block/vvfat.c | 6 ++++
hw/core/qdev.c | 11 ++++++
hw/display/artist.c | 1 +
hw/display/ati.c | 1 +
hw/hyperv/hyperv_testdev.c | 1 +
hw/misc/pc-testdev.c | 1 +
hw/misc/pci-testdev.c | 1 +
hw/net/tulip.c | 1 +
hw/sd/sdhci-pci.c | 1 +
softmmu/vl.c | 70 ++++++++++++++++++++++++++++++++++++++
qemu-options.hx | 17 +++++++++
20 files changed, 178 insertions(+), 1 deletion(-)
--
2.31.1
- [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API,
Philippe Mathieu-Daudé <=