From patchwork Wed Sep 8 23:20:14 2021
X-Patchwork-Id: 12481985
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Daniel P. Berrangé, Prasad J Pandit, qemu-block@nongnu.org, "Michael S. Tsirkin", Richard Henderson, Markus Armbruster, xen-devel@lists.xenproject.org, Paolo Bonzini, Eric Blake, Eduardo Habkost
Subject: [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API
Date: Thu, 9 Sep 2021 01:20:14 +0200
Message-Id: <20210908232024.2399215-1-philmd@redhat.com>

Hi,

This series is experimental!

The goal is to better limit the boundary of what code is considered
security critical, and what is less critical (but still important!).
This approach was quickly discussed a few months ago with Markus then
Daniel. Instead of classifying the code on a file path basis (see [1]),
we insert (runtime) hints into the code (which survive code movement).

Offending unsafe code can taint the global security policy. By default
this policy is 'none': the current behavior. It can be changed on the
command line to 'warn' to display warnings, and to 'strict' to prohibit
QEMU running with a tainted policy.

As examples I started implementing unsafe code taint from 3 different
pieces of code:
- accelerators (KVM and Xen in allow-list)
- block drivers (vvfat and partial null-co in deny-list)
- qdev (hobbyist devices regularly hit by fuzzer)

I don't want the security researchers to not fuzz QEMU unsafe areas,
but I'd like to make it clearer what the community priority is
(currently 47 open issues on [3]).

Regards,

Phil.

[1] https://lore.kernel.org/qemu-devel/20200714083631.888605-2-ppandit@redhat.com/
[2] https://www.qemu.org/contribute/security-process/
[3] https://gitlab.com/qemu-project/qemu/-/issues?label_name[]=Fuzzer

Philippe Mathieu-Daudé (10):
  sysemu: Introduce qemu_security_policy_taint() API
  accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe
  block: Use qemu_security_policy_taint() API
  block/vvfat: Mark the driver as unsafe
  block/null: Mark 'read-zeroes=off' option as unsafe
  qdev: Use qemu_security_policy_taint() API
  hw/display: Mark ATI and Artist devices as unsafe
  hw/misc: Mark testdev devices as unsafe
  hw/net: Mark Tulip device as unsafe
  hw/sd: Mark sdhci-pci device as unsafe

 qapi/run-state.json        | 16 +++++++++
 include/block/block_int.h  |  6 +++-
 include/hw/qdev-core.h     |  6 ++++
 include/qemu-common.h      | 19 +++++++++++
 include/qemu/accel.h       |  5 +++
 accel/kvm/kvm-all.c        |  1 +
 accel/xen/xen-all.c        |  1 +
 block.c                    |  6 ++++
 block/null.c               |  8 +++++
 block/vvfat.c              |  6 ++++
 hw/core/qdev.c             | 11 ++++++
 hw/display/artist.c        |  1 +
 hw/display/ati.c           |  1 +
 hw/hyperv/hyperv_testdev.c |  1 +
 hw/misc/pc-testdev.c       |  1 +
 hw/misc/pci-testdev.c      |  1 +
 hw/net/tulip.c             |  1 +
 hw/sd/sdhci-pci.c          |  1 +
 softmmu/vl.c               | 70 ++++++++++++++++++++++++++++++++++++++
 qemu-options.hx            | 17 +++++++++
 20 files changed, 178 insertions(+), 1 deletion(-)
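The taint mechanism the cover letter describes (runtime hints at the unsafe code paths, a global none/warn/strict policy, and 'strict' refusing to run once tainted), modelled as a stand-alone C example added here; it is not code from the series, and the function names, signatures and the device deny-list are assumptions.

```c
/* Stand-alone model of the none/warn/strict taint policy the cover letter
 * describes. Not QEMU code: names, signatures and device list are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
typedef enum { POLICY_NONE, POLICY_WARN, POLICY_STRICT } SecurityPolicy;
static SecurityPolicy policy = POLICY_NONE;   /* 'none': current behaviour */
static bool policy_tainted;

/* Select the policy from its command-line name; false if unknown. */
bool policy_set(const char *name)
{
    if (!strcmp(name, "none")) policy = POLICY_NONE;
    else if (!strcmp(name, "warn")) policy = POLICY_WARN;
    else if (!strcmp(name, "strict")) policy = POLICY_STRICT;
    else return false;
    policy_tainted = false;
    return true;
}

/* Runtime hint in the code path itself; 'unsafe' is the caller's verdict. */
void policy_taint(bool unsafe, const char *what)
{
    if (!unsafe) return;
    policy_tainted = true;          /* recorded even under 'none' */
    if (policy != POLICY_NONE)
        fprintf(stderr, "warning: %s is unsafe, security policy tainted\n", what);
}

/* Final gate before the machine starts: only 'strict' refuses to run. */
bool policy_allows_run(void)
{
    return !(policy == POLICY_STRICT && policy_tainted);
}

/* Drive the series' three hint sites with constructed inputs: KVM/Xen form
 * the accel allow-list; vvfat, null-co with read-zeroes=off and the devices
 * from the hw/ patches form the deny-lists. Returns whether QEMU may run. */
bool simulate_boot(const char *pol, const char *accel, const char *blockdrv,
                   bool null_read_zeroes, const char *device)
{
    static const char *unsafe_devs[] = { "ati-vga", "artist", "pc-testdev",
        "pci-testdev", "hyperv-testdev", "tulip", "sdhci-pci" };
    bool dev_unsafe = false;
    if (!policy_set(pol)) return false;
    policy_taint(strcmp(accel, "kvm") && strcmp(accel, "xen"), accel);
    policy_taint(!strcmp(blockdrv, "vvfat"), blockdrv);
    policy_taint(!strcmp(blockdrv, "null-co") && !null_read_zeroes, "read-zeroes=off");
    for (size_t i = 0; i < sizeof unsafe_devs / sizeof *unsafe_devs; i++)
        dev_unsafe |= !strcmp(device, unsafe_devs[i]);
    policy_taint(dev_unsafe, device);
    return policy_allows_run();
}
```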