From: Daniel P. Berrangé
Subject: Re: [Qemu-ppc] [PATCH for-4.0] spapr: Simplify handling of host-serial and host-model values
Date: Thu, 28 Mar 2019 09:55:24 +0000
User-agent: Mutt/1.11.3 (2019-02-01)

On Thu, Mar 28, 2019 at 03:40:25PM +1100, David Gibson wrote:
> 27461d69a0f "ppc: add host-serial and host-model machine attributes
> (CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
> properties for spapr to explicitly control the values advertised to the
> guest in device tree properties with the same names.
> 
> The previous behaviour on KVM was to unconditionally populate the device
> tree with the real host serial number and model, which leaks possibly
> sensitive information about the host to the guest.
> 
> To maintain compatibility for old machine types, we allowed those props
> to be set to "passthrough" to take the value from the host as before.  Or
> they could be set to "none" to explicitly omit the device tree items.
> 
> Special casing specific values on what's otherwise a user supplied string
> is very ugly.  So, this patch simplifies things by implementing the
> backwards compatibility in a different way: we have a machine class flag
> set for the older machines, and we only load the host values into the
> device tree if A) they're not set by the user and B) we have that flag set.
> 
> This does mean that the "passthrough" functionality is no longer available
> with the current machine type.  That's ok though: if a user or management
> layer really wants the information passed through they can read it
> themselves (OpenStack Nova already does something similar for x86).
> 
> It also means the user can't explicitly ask for the values to be omitted
> on the old machine types.  I think that's an acceptable trade-off: if you
> care enough about not leaking the host information you can either move to
> the new machine type, or use a dummy value for the properties.
> 
> This also removes an odd inconsistency between running on a POWER and
> non-POWER (or non-Linux) hosts: if the host information couldn't be read
> from where we expect (in the host's device tree as exposed by Linux), we'd
> fall back to omitting the guest device tree items.
> 
> While we're there, improve some poorly worded comments, and the help text
> for the properties.

So IIUC, the two properties now only accept an opaque string which
will be exposed as-is in the guest fields. Old machine types, only,
will do passthrough of the host values (if not overridden by the
properties) & there's no way to request this for new machine types.

> 
> Signed-off-by: David Gibson <address@hidden>
> ---
> 
> I've (tentatively) put this into my ppc-for-4.0 tree already, which I
> hope to push in the next few days.  I realize it's very late to make
> such a cleanup in 4.0, however I'd like to clean up the interface
> before it goes into a released version which we have to support for
> ages.

Indeed, we must clean it before release if we want this, otherwise
it is an incompatible change.

> 
>  hw/ppc/spapr.c         | 57 ++++++++++++++----------------------------
>  include/hw/ppc/spapr.h |  1 +
>  2 files changed, 20 insertions(+), 38 deletions(-)

Reviewed-by: Daniel P. Berrangé <address@hidden>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
