[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and
From: |
Philippe Mathieu-Daudé |
Subject: |
[RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe |
Date: |
Thu, 9 Sep 2021 01:20:16 +0200 |
Add the AccelClass::secure_policy_supported field to classify
safe (within security boundary) vs unsafe accelerators.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
include/qemu/accel.h | 5 +++++
accel/kvm/kvm-all.c | 1 +
accel/xen/xen-all.c | 1 +
softmmu/vl.c | 3 +++
4 files changed, 10 insertions(+)
diff --git a/include/qemu/accel.h b/include/qemu/accel.h
index 4f4c283f6fc..895e30be0de 100644
--- a/include/qemu/accel.h
+++ b/include/qemu/accel.h
@@ -44,6 +44,11 @@ typedef struct AccelClass {
hwaddr start_addr, hwaddr size);
#endif
bool *allowed;
+ /*
+ * Whether the accelerator is withing QEMU security policy boundary.
+ * See: https://www.qemu.org/contribute/security-process/
+ */
+ bool secure_policy_supported;
/*
* Array of global properties that would be applied when specific
* accelerator is chosen. It works like MachineClass.compat_props
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 0125c17edb8..eb6b9e44df2 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -3623,6 +3623,7 @@ static void kvm_accel_class_init(ObjectClass *oc, void
*data)
ac->init_machine = kvm_init;
ac->has_memory = kvm_accel_has_memory;
ac->allowed = &kvm_allowed;
+ ac->secure_policy_supported = true;
object_class_property_add(oc, "kernel-irqchip", "on|off|split",
NULL, kvm_set_kernel_irqchip,
diff --git a/accel/xen/xen-all.c b/accel/xen/xen-all.c
index 69aa7d018b2..57867af5faf 100644
--- a/accel/xen/xen-all.c
+++ b/accel/xen/xen-all.c
@@ -198,6 +198,7 @@ static void xen_accel_class_init(ObjectClass *oc, void
*data)
ac->setup_post = xen_setup_post;
ac->allowed = &xen_allowed;
ac->compat_props = g_ptr_array_new();
+ ac->secure_policy_supported = true;
compat_props_add(ac->compat_props, compat, G_N_ELEMENTS(compat));
diff --git a/softmmu/vl.c b/softmmu/vl.c
index 92c05ac97ee..e4f94e159c3 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -2388,6 +2388,9 @@ static int do_configure_accelerator(void *opaque,
QemuOpts *opts, Error **errp)
return 0;
}
+ qemu_security_policy_taint(!ac->secure_policy_supported,
+ "%s accelerator", acc);
+
return 1;
}
--
2.31.1
- [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API, Philippe Mathieu-Daudé, 2021/09/08
- [RFC PATCH 01/10] sysemu: Introduce qemu_security_policy_taint() API, Philippe Mathieu-Daudé, 2021/09/08
- [RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe,
Philippe Mathieu-Daudé <=
- [RFC PATCH 03/10] block: Use qemu_security_policy_taint() API, Philippe Mathieu-Daudé, 2021/09/08
- [RFC PATCH 04/10] block/vvfat: Mark the driver as unsafe, Philippe Mathieu-Daudé, 2021/09/08
- [RFC PATCH 05/10] block/null: Mark 'read-zeroes=off' option as unsafe, Philippe Mathieu-Daudé, 2021/09/08
- [RFC PATCH 06/10] qdev: Use qemu_security_policy_taint() API, Philippe Mathieu-Daudé, 2021/09/08