
Re: [Qemu-devel] [PATCH for-4.0] spapr: Simplify handling of host-serial


From: David Gibson
Subject: Re: [Qemu-devel] [PATCH for-4.0] spapr: Simplify handling of host-serial and host-model values
Date: Thu, 28 Mar 2019 21:33:19 +1100
User-agent: Mutt/1.11.3 (2019-02-01)

On Thu, Mar 28, 2019 at 09:55:24AM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 28, 2019 at 03:40:25PM +1100, David Gibson wrote:
> > 27461d69a0f "ppc: add host-serial and host-model machine attributes
> > (CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
> > properties for spapr to explicitly control the values advertised to the
> > guest in device tree properties with the same names.
> > 
> > The previous behaviour on KVM was to unconditionally populate the device
> > tree with the real host serial number and model, which leaks possibly
> > sensitive information about the host to the guest.
> > 
> > To maintain compatibility for old machine types, we allowed those props
> > to be set to "passthrough" to take the value from the host as before.  Or
> > they could be set to "none" to explicitly omit the device tree items.
> > 
> > Special casing specific values on what's otherwise a user supplied string
> > is very ugly.  So, this patch simplifies things by implementing the
> > backwards compatibility in a different way: we have a machine class flag
> > set for the older machines, and we only load the host values into the
> > device tree if A) they're not set by the user and B) we have that flag set.
> > 
> > This does mean that the "passthrough" functionality is no longer available
> > with the current machine type.  That's ok though: if a user or management
> > layer really wants the information passed through they can read it
> > themselves (OpenStack Nova already does something similar for x86).
> > 
> > It also means the user can't explicitly ask for the values to be omitted
> > on the old machine types.  I think that's an acceptable trade-off: if you
> > care enough about not leaking the host information you can either move to
> > the new machine type, or use a dummy value for the properties.
> > 
> > This also removes an odd inconsistency between running on a POWER and
> > non-POWER (or non-Linux) hosts: if the host information couldn't be read
> > from where we expect (in the host's device tree as exposed by Linux), we'd
> > fall back to omitting the guest device tree items.
> > 
> > While we're there, improve some poorly worded comments, and the help text
> > for the properties.
> 
> So IIUC, the two properties now only accept an opaque string which
> will be exposed as-is in the guest fields. Old machine types, only,
> will do passthrough of the host values (if not overridden by the
> properties) & there's no way to request this for new machine types

Correct.

> > 
> > Signed-off-by: David Gibson <address@hidden>
> > ---
> > 
> > I've (tentatively) put this into my ppc-for-4.0 tree already, which I
> > hope to push in the next few days.  I realize it's very late to make
> > such a cleanup in 4.0, however I'd like to clean up the interface
> > before it goes into a released version which we have to support for
> > ages.
> 
> Indeed, we must clean it before release if we want this, otherwise
> it is an incompatible change.
> 
> > 
> >  hw/ppc/spapr.c         | 57 ++++++++++++++----------------------------
> >  include/hw/ppc/spapr.h |  1 +
> >  2 files changed, 20 insertions(+), 38 deletions(-)
> 
> Reviewed-by: Daniel P. Berrangé <address@hidden>
> 
> 
> Regards,
> Daniel

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
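
The rule described in the quoted commit message (host values reach the guest device tree only when the property is unset and the machine type is an old one), as an added C example that is not QEMU's code and not part of this message. `MachineConfig`, `legacy_host_passthrough`, `resolve_guest_value` and the sample host readers are hypothetical names, and the host values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the machine state; not QEMU's structures. */
typedef struct {
    bool legacy_host_passthrough; /* assumed class flag, set only for old machine types */
    const char *host_serial;      /* user-supplied property, NULL when unset */
    const char *host_model;       /* user-supplied property, NULL when unset */
} MachineConfig;

/* Stand-ins for reading the real host values (constructed sample data). */
typedef const char *(*host_reader_fn)(void);
static const char *sample_host_serial(void) { return "SAMPLE-HOST-SERIAL"; }
static const char *sample_host_model(void)  { return "SAMPLE,HOST-MODEL"; }

/*
 * Return the string to advertise to the guest, or NULL to omit the
 * device tree property. The user's string is opaque: no value such as
 * "passthrough" or "none" is treated specially.
 */
static const char *resolve_guest_value(const MachineConfig *mc,
                                       const char *user_value,
                                       host_reader_fn read_host)
{
    if (user_value) {
        return user_value;       /* A) set by the user: exposed as-is */
    }
    if (mc->legacy_host_passthrough) {
        return read_host();      /* B) old machine type: host value, NULL if unreadable */
    }
    return NULL;                 /* current machine type: nothing from the host */
}

int main(void)
{
    MachineConfig cur = { false, NULL, NULL };
    MachineConfig old = { true, NULL, "dummy-model" };
    const char *v;

    v = resolve_guest_value(&cur, cur.host_serial, sample_host_serial);
    printf("current, unset     : %s\n", v ? v : "(omitted)");
    v = resolve_guest_value(&old, old.host_serial, sample_host_serial);
    printf("old, unset         : %s\n", v ? v : "(omitted)");
    v = resolve_guest_value(&old, old.host_model, sample_host_model);
    printf("old, dummy supplied: %s\n", v ? v : "(omitted)");
    return 0;
}
```

The third case is the mitigation the commit message names for old machine types: supplying a dummy value keeps the real host model out of the guest.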
