From: David Gibson
To: pjp@fedoraproject.org, armbru@redhat.com, berrange@redhat.com, groug@kaod.org
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org, David Gibson
Date: Thu, 28 Mar 2019 15:40:25 +1100
Message-Id: <20190328044025.20114-1-david@gibson.dropbear.id.au>
Subject: [Qemu-devel] [PATCH for-4.0] spapr: Simplify handling of host-serial and host-model values

27461d69a0f "ppc: add host-serial and host-model machine attributes (CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine properties for spapr to explicitly control the values advertised to the guest in device tree properties with the same names.

The previous behaviour on KVM was to unconditionally populate the device tree with the real host serial number and model, which leaks possibly sensitive information about the host to the guest.

To maintain compatibility for old machine types, we allowed those props to be set to "passthrough" to take the value from the host as before. Or they could be set to "none" to explicitly omit the device tree items.

Special casing specific values on what's otherwise a user supplied string is very ugly. So, this patch simplifies things by implementing the backwards compatibility in a different way: we have a machine class flag set for the older machines, and we only load the host values into the device tree if A) they're not set by the user and B) we have that flag set.

This does mean that the "passthrough" functionality is no longer available with the current machine type. That's ok though: if a user or management layer really wants the information passed through they can read it themselves (OpenStack Nova already does something similar for x86).

It also means the user can't explicitly ask for the values to be omitted on the old machine types. I think that's an acceptable trade-off: if you care enough about not leaking the host information you can either move to the new machine type, or use a dummy value for the properties.

This also removes an odd inconsistency between running on a POWER and non-POWER (or non-Linux) hosts: if the host information couldn't be read from where we expect (in the host's device tree as exposed by Linux), we'd fall back to omitting the guest device tree items.

While we're there, improve some poorly worded comments, and the help text for the properties.

Signed-off-by: David Gibson
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Greg Kurz
Tested-by: Greg Kurz
---
I've (tentatively) put this into my ppc-for-4.0 tree already, which I hope to push in the next few days. I realize it's very late to make such a cleanup in 4.0, however I'd like to clean up the interface before it goes into a released version which we have to support for ages.

 hw/ppc/spapr.c | 57 ++++++++++++++----------------------------
 include/hw/ppc/spapr.h | 1 +
 2 files changed, 20 insertions(+), 38 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 6c16d6cfaf..c46c6e2670 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c
@@ -1252,38 +1252,8 @@ static void *spapr_build_fdt(SpaprMachineState *spap= r) _FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by qem= u)")); _FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries")); =20 - /* - * Add info to guest to indentify which host is it being run on - * and what is the uuid of the guest - */ - if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) { - if (g_str_equal(spapr->host_model, "passthrough")) { - /* -M host-model=3Dpassthrough */ - if (kvmppc_get_host_model(&buf)) { - _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); - g_free(buf); - } - } else { - /* -M host-model=3D */ - _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_mode= l)); - } - } - - if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) { - if (g_str_equal(spapr->host_serial, "passthrough")) { - /* -M host-serial=3Dpassthrough */ - if (kvmppc_get_host_serial(&buf)) { - _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); - g_free(buf); - } - } else { - /* -M host-serial=3D */ - _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_ser= ial)); - } - } - + /* Guest UUID & Name*/ buf =3D qemu_uuid_unparse_strdup(&qemu_uuid); - _FDT(fdt_setprop_string(fdt, 0, "vm,uuid", buf)); if (qemu_uuid_set) { _FDT(fdt_setprop_string(fdt, 0, "system-id", buf)); 
@@ -1295,6 +1265,21 @@ static void *spapr_build_fdt(SpaprMachineState *spap= r) qemu_get_vm_name())); } =20 + /* Host Model & Serial Number */ + if (spapr->host_model) { + _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model)); + } else if (smc->broken_host_serial_model && kvmppc_get_host_model(&buf= )) { + _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); + g_free(buf); + } + + if (spapr->host_serial) { + _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial)= ); + } else if (smc->broken_host_serial_model && kvmppc_get_host_serial(&bu= f)) { + _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); + g_free(buf); + } + _FDT(fdt_setprop_cell(fdt, 0, "#address-cells", 2)); _FDT(fdt_setprop_cell(fdt, 0, "#size-cells", 2)); =20 @@ -3352,12 +3337,12 @@ static void spapr_instance_init(Object *obj) spapr_get_host_model, spapr_set_host_model, &error_abort); object_property_set_description(obj, "host-model", - "Set host's model-id to use - none|passthrough|string", &error_abo= rt); + "Host model to advertise in guest device tree", &error_abort); object_property_add_str(obj, "host-serial", spapr_get_host_serial, spapr_set_host_serial, &error_abort); object_property_set_description(obj, "host-serial", - "Set host's system-id to use - none|passthrough|string", &error_ab= ort); + "Host serial number to advertise in guest deivce tree", &error_abo= rt); } =20 static void spapr_machine_finalizefn(Object *obj) 
@@ -4381,18 +4366,14 @@ DEFINE_SPAPR_MACHINE(4_0, "4.0", true); static void spapr_machine_3_1_class_options(MachineClass *mc) { SpaprMachineClass *smc =3D SPAPR_MACHINE_CLASS(mc); - static GlobalProperty compat[] =3D { - { TYPE_SPAPR_MACHINE, "host-model", "passthrough" }, - { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" }, - }; =20 spapr_machine_4_0_class_options(mc); compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len); - compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat)); =20 mc->default_cpu_type =3D POWERPC_CPU_TYPE_NAME("power8_v2.0"); smc->update_dt_enabled =3D false; smc->dr_phb_enabled =3D false; + smc->broken_host_serial_model =3D true; smc->default_caps.caps[SPAPR_CAP_CFPC] =3D SPAPR_CAP_BROKEN; smc->default_caps.caps[SPAPR_CAP_SBBC] =3D SPAPR_CAP_BROKEN; smc->default_caps.caps[SPAPR_CAP_IBS] =3D SPAPR_CAP_BROKEN; diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h index 2b4c05a2ec..5ea8081041 100644 --- a/include/hw/ppc/spapr.h +++ b/include/hw/ppc/spapr.h @@ -118,6 +118,7 @@ struct SpaprMachineClass { bool use_ohci_by_default; /* use USB-OHCI instead of XHCI */ bool pre_2_10_has_unused_icps; bool legacy_irq_allocation; + bool broken_host_serial_model; /* present real host info to the guest = */ =20 void (*phb_placement)(SpaprMachineState *spapr, uint32_t index, uint64_t *buid, hwaddr *pio,=20 --=20 2.20.1
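
Review bot: in the `spapr_build_fdt` hunk at `@@ -1295,6 +1265,21 @@`, any non-NULL `spapr->host_model` or `spapr->host_serial` is now written to the device tree verbatim, so a command line that still passes `host-model=passthrough` or `host-serial=none` (the two values the removed block special-cased) would advertise those literal strings to the guest with no diagnostic. Consider warning on or rejecting the two former keywords in the property setters, or stating the change of meaning in the help text. The new branches also read `smc->broken_host_serial_model`, and none of the hunks adds a declaration of `smc` to this function, so the patch relies on one already being in scope there.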
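
Review bot: the new `host-serial` description in the `spapr_instance_init` hunk at `@@ -3352,12 +3337,12 @@` misspells "device" as "deivce"; this is user-visible help text, so it should be corrected before merge. Both descriptions could also say what an unset property means, since on machine classes with `broken_host_serial_model` set the unset case is exactly the one where the real host value is read through `kvmppc_get_host_model()` / `kvmppc_get_host_serial()` and handed to the guest.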
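
Review bot: in the `struct SpaprMachineClass` hunk, the comment on `broken_host_serial_model` ("present real host info to the guest") leaves out the two conditions the `spapr_build_fdt` change actually applies: the flag is consulted only when the user has left the property unset, and it exists for backwards compatibility of older machine types. Suggest spelling that out in the field comment, and adding a short comment next to `smc->broken_host_serial_model = true;` in `spapr_machine_3_1_class_options` noting that it replaces the removed `compat[]` entries, so a later reader does not take the flag for a general opt-in to exposing host identity.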