From patchwork Wed Sep 8 23:20:14 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12481997
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Thomas Huth, Prasad J Pandit, "Michael S. Tsirkin", Markus Armbruster, Paolo Bonzini, Eduardo Habkost, Philippe Mathieu-Daudé, Daniel P. Berrangé, Eric Blake, Richard Henderson, qemu-block@nongnu.org, Peter Maydell, xen-devel@lists.xenproject.org, Philippe Mathieu-Daudé
Subject: [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API
Date: Thu, 9 Sep 2021 01:20:14 +0200
Message-Id: <20210908232024.2399215-1-philmd@redhat.com>

Hi,

This series is experimental! The goal is to better limit the
boundary of what code is considered security critical, and
what is less critical (but still important!).

This approach was quickly discussed a few months ago with Markus
then Daniel. Instead of classifying the code on a file path
basis (see [1]), we insert (runtime) hints into the code
(which survive code movement). Offending unsafe code can
taint the global security policy. By default this policy
is 'none': the current behavior. It can be changed on the
command line to 'warn' to display warnings, and to 'strict'
to prohibit QEMU running with a tainted policy.

As examples I started implementing unsafe code taint from
3 different pieces of code:
- accelerators (KVM and Xen in allow-list)
- block drivers (vvfat and partial null-co in deny-list)
- qdev (hobbyist devices regularly hit by fuzzer)

I don't want the security researchers to not fuzz QEMU unsafe
areas, but I'd like to make it clearer what the community
priority is (currently 47 opened issues on [3]).

Regards,

Phil.

[1] https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/
[2] https://www.qemu.org/contribute/security-process/
[3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer

Philippe Mathieu-Daudé (10):
  sysemu: Introduce qemu_security_policy_taint() API
  accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe
  block: Use qemu_security_policy_taint() API
  block/vvfat: Mark the driver as unsafe
  block/null: Mark 'read-zeroes=off' option as unsafe
  qdev: Use qemu_security_policy_taint() API
  hw/display: Mark ATI and Artist devices as unsafe
  hw/misc: Mark testdev devices as unsafe
  hw/net: Mark Tulip device as unsafe
  hw/sd: Mark sdhci-pci device as unsafe

 qapi/run-state.json        | 16 +++++++++
 include/block/block_int.h  |  6 +++-
 include/hw/qdev-core.h     |  6 ++++
 include/qemu-common.h      | 19 +++++++++++
 include/qemu/accel.h       |  5 +++
 accel/kvm/kvm-all.c        |  1 +
 accel/xen/xen-all.c        |  1 +
 block.c                    |  6 ++++
 block/null.c               |  8 +++++
 block/vvfat.c              |  6 ++++
 hw/core/qdev.c             | 11 ++++++
 hw/display/artist.c        |  1 +
 hw/display/ati.c           |  1 +
 hw/hyperv/hyperv_testdev.c |  1 +
 hw/misc/pc-testdev.c       |  1 +
 hw/misc/pci-testdev.c      |  1 +
 hw/net/tulip.c             |  1 +
 hw/sd/sdhci-pci.c          |  1 +
 softmmu/vl.c               | 70 ++++++++++++++++++++++++++++++++++++++
 qemu-options.hx            | 17 +++++++++
 20 files changed, 178 insertions(+), 1 deletion(-)
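
Added example, not part of the series and not QEMU code: a stand-alone C model of the policy the cover letter describes, showing how allow-list and deny-list hints feed one global taint and how 'none', 'warn' and 'strict' react to it. Every type and function name is hypothetical, the configuration is constructed, and recording the taint under 'none' is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only: every name here is hypothetical, not QEMU's API. */
enum policy { POLICY_NONE, POLICY_WARN, POLICY_STRICT };
enum list_kind { ALLOW_LIST, DENY_LIST };
struct component {
    const char *name;
    enum list_kind kind; /* how its subsystem classifies members */
    bool marked;         /* allow-list: marked safe; deny-list: marked unsafe */
};
struct policy_state { enum policy mode; bool tainted; int warnings; };

/* Runtime hint at the point of use; false means the component is refused.
 * Assumption: taint is recorded in every mode, only the reaction differs. */
static bool policy_use(struct policy_state *s, const struct component *c)
{
    if (c->kind == ALLOW_LIST ? c->marked : !c->marked)
        return true; /* safe: marked on an allow-list, unmarked on a deny-list */
    s->tainted = true;
    if (s->mode == POLICY_WARN) {
        s->warnings++;
        fprintf(stderr, "warning: '%s' taints the security policy\n", c->name);
    }
    return s->mode != POLICY_STRICT;
}

/* Constructed configuration; the "other-*" entries are placeholders. */
static const struct component SAMPLE[] = {
    { "kvm",          ALLOW_LIST, true  },
    { "other-accel",  ALLOW_LIST, false },
    { "vvfat",        DENY_LIST,  true  },
    { "other-driver", DENY_LIST,  false },
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Returns how many components the policy refused. */
static int start_machine(struct policy_state *s, const struct component *cfg, size_t n)
{
    int refused = 0;
    for (size_t i = 0; i < n; i++)
        refused += !policy_use(s, &cfg[i]);
    return refused;
}

int main(void)
{
    struct policy_state s = { POLICY_STRICT, false, 0 };
    return printf("strict: refused %d\n", start_machine(&s, SAMPLE, SAMPLE_LEN)) < 0;
}
```

The asymmetry is the point: on an allow-list a component nobody has reviewed taints the policy, while on a deny-list it passes silently until someone marks it.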