[PATCH v2 00/32] Encode object type security status in code

Daniel P. Berrangé posted 32 patches 2 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20250926140144.1998694-1-berrange@redhat.com
Maintainers: Richard Henderson <richard.henderson@linaro.org>, Paolo Bonzini <pbonzini@redhat.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Cameron Esfahani <dirty@apple.com>, Roman Bolshakov <rbolshakov@ddn.com>, Phil Dennis-Jordan <phil@philjordan.eu>, Mads Ynddal <mads@ynddal.dk>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>, Stefano Stabellini <sstabellini@kernel.org>, Anthony PERARD <anthony@xenproject.org>, Paul Durrant <paul@xen.org>, "Edgar E. Iglesias" <edgar.iglesias@gmail.com>, "Michael S. Tsirkin" <mst@redhat.com>, Christian Schoenebeck <qemu_oss@crudebyte.com>, Greg Kurz <groug@kaod.org>, Peter Maydell <peter.maydell@linaro.org>, Gerd Hoffmann <kraxel@redhat.com>, Manos Pitsidianakis <manos.pitsidianakis@linaro.org>, Stefano Garzarella <sgarzare@redhat.com>, Raphael Norwitz <raphael@enfabrica.net>, Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, Amit Shah <amit@kernel.org>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Yanan Wang <wangyanan55@huawei.com>, Zhao Liu <zhao1.liu@intel.com>, Helge Deller <deller@gmx.de>, Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, Samuel Tardieu <sam@rfc1149.net>, Alistair Francis <alistair@alistair23.me>, Igor Mitsyanko <i.mitsyanko@gmail.com>, "Hervé Poussineau" <hpoussin@reactos.org>, Aleksandar Rikalo <arikalo@gmail.com>, Thomas Huth <huth@tuxfamily.org>, BALATON Zoltan <balaton@eik.bme.hu>, "Alex Bennée" <alex.bennee@linaro.org>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Dmitry Osipenko <dmitry.osipenko@collabora.com>, Dmitry Fleytman <dmitry.fleytman@gmail.com>, Sergio Lopez <slp@redhat.com>, John Snow <jsnow@redhat.com>, Jiri Slaby <jslaby@suse.cz>, Beniamino Galvani <b.galvani@gmail.com>, Strahinja Jankovic <strahinja.p.jankovic@gmail.com>, Jason Wang <jasowang@redhat.com>, Pavel Pisa <pisa@cmp.felk.cvut.cz>, Francisco Iglesias 
<francisco.iglesias@amd.com>, Vikram Garhwal <vikram.garhwal@bytedance.com>, Stefan Weil <sw@weilnetz.de>, Bernhard Beschow <shentey@gmail.com>, "Cédric Le Goater" <clg@kaod.org>, Steven Lee <steven_lee@aspeedtech.com>, Troy Lee <leetroy@gmail.com>, Jamin Lin <jamin_lin@aspeedtech.com>, Andrew Jeffery <andrew@codeconstruct.com.au>, Joel Stanley <joel@jms.id.au>, Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>, Subbaraya Sundeep <sundeep.lkml@gmail.com>, Jan Kiszka <jan.kiszka@web.de>, Tyrone Ting <kfting@nuvoton.com>, Hao Wu <wuhaotsh@google.com>, Max Filippov <jcmvbkbc@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Nicholas Piggin <npiggin@gmail.com>, Harsh Prateek Bora <harshpb@linux.ibm.com>, Sven Schnelle <svens@stackframe.org>, Rob Herring <robh@kernel.org>, Huacai Chen <chenhuacai@kernel.org>, Jiaxun Yang <jiaxun.yang@flygoat.com>, Andrey Smirnov <andrew.smirnov@gmail.com>, Aurelien Jarno <aurelien@aurel32.net>, Aditya Gupta <adityag@linux.ibm.com>, Glenn Miles <milesg@linux.ibm.com>, Elena Ufimtseva <elena.ufimtseva@oracle.com>, Jagannathan Raman <jag.raman@oracle.com>, Yoshinori Sato <yoshinori.sato@nifty.com>, Magnus Damm <magnus.damm@gmail.com>, Paul Burton <paulburton@kernel.org>, Halil Pasic <pasic@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Eric Farman <farman@linux.ibm.com>, Matthew Rosato <mjrosato@linux.ibm.com>, David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>, Cornelia Huck <cohuck@redhat.com>, Fam Zheng <fam@euphon.net>, Hannes Reinecke <hare@suse.com>, Samuel Thibault <samuel.thibault@ens-lyon.org>, Tony Krowiak <akrowiak@linux.ibm.com>, Jason Herne <jjherne@linux.ibm.com>, Alex Williamson <alex.williamson@redhat.com>, Tomita Moeko <tomitamoeko@gmail.com>, Viresh Kumar <viresh.kumar@linaro.org>, Mathieu Poirier <mathieu.poirier@linaro.org>, "Gonglei (Arei)" <arei.gonglei@huawei.com>, Eric Auger <eric.auger@redhat.com>, Alexander Graf <graf@amazon.com>, Dorjoy Chowdhury <dorjoychy111@gmail.com>, 
Radoslaw Biernacki <rad@semihalf.com>, Leif Lindholm <leif.lindholm@oss.qualcomm.com>, "Collin L. Walling" <walling@linux.ibm.com>, Jean-Christophe Dubois <jcd@tribudubois.net>, Markus Armbruster <armbru@redhat.com>, Michael Roth <michael.roth@amd.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eric Blake <eblake@redhat.com>
accel/accel-common.c                 |  1 +
accel/accel-system.c                 |  1 +
accel/accel-target.c                 |  1 +
accel/hvf/hvf-accel-ops.c            |  1 +
accel/hvf/hvf-all.c                  |  1 +
accel/kvm/kvm-accel-ops.c            |  1 +
accel/kvm/kvm-all.c                  |  1 +
accel/qtest/qtest.c                  |  2 ++
accel/tcg/tcg-accel-ops.c            |  1 +
accel/tcg/tcg-all.c                  |  1 +
accel/xen/xen-all.c                  |  2 ++
docs/system/security.rst             | 43 ++++++++++++++++++++++++++++
hw/9pfs/virtio-9p-device.c           |  1 +
hw/arm/virt.c                        |  1 +
hw/arm/xen-pvh.c                     |  1 +
hw/audio/virtio-snd.c                |  1 +
hw/block/vhost-user-blk.c            |  1 +
hw/block/virtio-blk.c                |  1 +
hw/block/xen-block.c                 |  3 ++
hw/char/virtio-console.c             |  2 ++
hw/char/virtio-serial-bus.c          |  3 ++
hw/char/xen_console.c                |  1 +
hw/core/machine-qmp-cmds.c           |  1 +
hw/core/null-machine.c               |  2 +-
hw/display/artist.c                  |  1 +
hw/display/ati.c                     |  1 +
hw/display/bcm2835_fb.c              |  1 +
hw/display/bochs-display.c           |  1 +
hw/display/cg3.c                     |  1 +
hw/display/cirrus_vga.c              |  1 +
hw/display/cirrus_vga_isa.c          |  1 +
hw/display/dm163.c                   |  1 +
hw/display/dpcd.c                    |  1 +
hw/display/exynos4210_fimd.c         |  1 +
hw/display/g364fb.c                  |  1 +
hw/display/i2c-ddc.c                 |  3 +-
hw/display/jazz_led.c                |  1 +
hw/display/macfb.c                   |  2 ++
hw/display/next-fb.c                 |  1 +
hw/display/pl110.c                   |  3 ++
hw/display/qxl.c                     |  4 +++
hw/display/ramfb-standalone.c        |  1 +
hw/display/sii9022.c                 |  1 +
hw/display/sm501.c                   |  1 +
hw/display/ssd0303.c                 |  1 +
hw/display/ssd0323.c                 |  1 +
hw/display/tcx.c                     |  1 +
hw/display/vga-isa.c                 |  1 +
hw/display/vga-mmio.c                |  1 +
hw/display/vga-pci.c                 |  3 ++
hw/display/vhost-user-gpu.c          |  1 +
hw/display/virtio-gpu-base.c         |  3 +-
hw/display/virtio-gpu-gl.c           |  1 +
hw/display/virtio-gpu-pci-rutabaga.c |  1 +
hw/display/virtio-gpu-pci.c          |  3 +-
hw/display/virtio-gpu-rutabaga.c     |  1 +
hw/display/virtio-gpu.c              |  1 +
hw/display/vmware_vga.c              |  1 +
hw/display/xlnx_dp.c                 |  1 +
hw/hyperv/hyperv_testdev.c           |  1 +
hw/i386/isapc.c                      |  4 +--
hw/i386/microvm.c                    |  1 +
hw/i386/pc_piix.c                    |  8 +++---
hw/i386/xen/xen-pvh.c                |  1 +
hw/i386/xen/xen_platform.c           |  1 +
hw/i386/xen/xen_pvdevice.c           |  1 +
hw/ide/ich.c                         |  1 +
hw/ide/ide-dev.c                     |  3 ++
hw/input/virtio-input-hid.c          |  5 ++++
hw/input/virtio-input-host.c         |  1 +
hw/input/virtio-input.c              |  1 +
hw/misc/edu.c                        |  1 +
hw/misc/pc-testdev.c                 |  1 +
hw/misc/pci-testdev.c                |  1 +
hw/net/allwinner-sun8i-emac.c        |  1 +
hw/net/allwinner_emac.c              |  3 +-
hw/net/cadence_gem.c                 |  1 +
hw/net/can/can_kvaser_pci.c          |  1 +
hw/net/can/can_mioe3680_pci.c        |  1 +
hw/net/can/can_pcm3680_pci.c         |  1 +
hw/net/can/ctucan_pci.c              |  1 +
hw/net/can/xlnx-versal-canfd.c       |  1 +
hw/net/can/xlnx-zynqmp-can.c         |  1 +
hw/net/dp8393x.c                     |  1 +
hw/net/e1000.c                       |  1 +
hw/net/e1000e.c                      |  1 +
hw/net/eepro100.c                    |  1 +
hw/net/fsl_etsec/etsec.c             |  1 +
hw/net/ftgmac100.c                   |  1 +
hw/net/igb.c                         |  1 +
hw/net/igbvf.c                       |  1 +
hw/net/imx_fec.c                     |  2 ++
hw/net/lan9118.c                     |  1 +
hw/net/lan9118_phy.c                 |  1 +
hw/net/lance.c                       |  1 +
hw/net/lasi_i82596.c                 |  1 +
hw/net/mcf_fec.c                     |  1 +
hw/net/msf2-emac.c                   |  1 +
hw/net/mv88w8618_eth.c               |  1 +
hw/net/ne2000-isa.c                  |  1 +
hw/net/ne2000-pci.c                  |  1 +
hw/net/npcm7xx_emc.c                 |  1 +
hw/net/npcm_gmac.c                   |  1 +
hw/net/npcm_pcs.c                    |  1 +
hw/net/opencores_eth.c               |  1 +
hw/net/pcnet-pci.c                   |  1 +
hw/net/rocker/rocker.c               |  1 +
hw/net/rtl8139.c                     |  1 +
hw/net/smc91c111.c                   |  1 +
hw/net/spapr_llan.c                  |  1 +
hw/net/stellaris_enet.c              |  1 +
hw/net/sungem.c                      |  1 +
hw/net/sunhme.c                      |  1 +
hw/net/tulip.c                       |  1 +
hw/net/virtio-net.c                  |  1 +
hw/net/vmxnet3.c                     |  1 +
hw/net/xen_nic.c                     |  1 +
hw/net/xgmac.c                       |  1 +
hw/net/xilinx_axienet.c              |  1 +
hw/net/xilinx_ethlite.c              |  1 +
hw/pci-bridge/cxl_downstream.c       |  1 +
hw/pci-bridge/cxl_root_port.c        |  1 +
hw/pci-bridge/cxl_upstream.c         |  1 +
hw/pci-bridge/gen_pcie_root_port.c   |  1 +
hw/pci-bridge/i82801b11.c            |  1 +
hw/pci-bridge/ioh3420.c              |  1 +
hw/pci-bridge/pci_bridge_dev.c       |  2 ++
hw/pci-bridge/pci_expander_bridge.c  |  8 ++++++
hw/pci-bridge/pcie_pci_bridge.c      |  1 +
hw/pci-bridge/pcie_root_port.c       |  1 +
hw/pci-bridge/simba.c                |  1 +
hw/pci-bridge/xio3130_downstream.c   |  1 +
hw/pci-bridge/xio3130_upstream.c     |  1 +
hw/pci-host/articia.c                |  3 ++
hw/pci-host/astro.c                  |  3 ++
hw/pci-host/bonito.c                 |  2 ++
hw/pci-host/designware.c             |  3 ++
hw/pci-host/dino.c                   |  1 +
hw/pci-host/fsl_imx8m_phy.c          |  1 +
hw/pci-host/gpex.c                   |  2 ++
hw/pci-host/grackle.c                |  2 ++
hw/pci-host/gt64120.c                |  2 ++
hw/pci-host/i440fx.c                 |  2 ++
hw/pci-host/mv64361.c                |  1 +
hw/pci-host/pnv_phb.c                |  2 ++
hw/pci-host/pnv_phb3.c               |  3 ++
hw/pci-host/pnv_phb3_msi.c           |  1 +
hw/pci-host/pnv_phb3_pbcq.c          |  1 +
hw/pci-host/pnv_phb4.c               |  4 +++
hw/pci-host/pnv_phb4_pec.c           |  2 ++
hw/pci-host/ppc440_pcix.c            |  1 +
hw/pci-host/ppc4xx_pci.c             |  2 ++
hw/pci-host/ppce500.c                |  2 ++
hw/pci-host/q35.c                    |  2 ++
hw/pci-host/raven.c                  |  2 ++
hw/pci-host/remote.c                 |  1 +
hw/pci-host/sabre.c                  |  2 ++
hw/pci-host/sh_pci.c                 |  2 ++
hw/pci-host/uninorth.c               |  2 ++
hw/pci-host/versatile.c              |  3 ++
hw/pci-host/xen_igd_pt.c             |  1 +
hw/pci-host/xilinx-pcie.c            |  1 +
hw/pci/pci.c                         |  7 +++++
hw/pci/pci_bridge.c                  |  1 +
hw/pci/pci_host.c                    |  1 +
hw/pci/pcie_host.c                   |  1 +
hw/pci/pcie_port.c                   |  1 +
hw/ppc/spapr.c                       |  1 +
hw/s390x/s390-virtio-ccw.c           |  1 +
hw/s390x/vhost-scsi-ccw.c            |  1 +
hw/s390x/vhost-user-fs-ccw.c         |  1 +
hw/s390x/vhost-vsock-ccw.c           |  1 +
hw/s390x/virtio-ccw-9p.c             |  1 +
hw/s390x/virtio-ccw-balloon.c        |  1 +
hw/s390x/virtio-ccw-blk.c            |  1 +
hw/s390x/virtio-ccw-crypto.c         |  1 +
hw/s390x/virtio-ccw-gpu.c            |  1 +
hw/s390x/virtio-ccw-input.c          |  5 ++++
hw/s390x/virtio-ccw-md.c             |  1 +
hw/s390x/virtio-ccw-mem.c            |  1 +
hw/s390x/virtio-ccw-net.c            |  1 +
hw/s390x/virtio-ccw-rng.c            |  1 +
hw/s390x/virtio-ccw-scsi.c           |  1 +
hw/s390x/virtio-ccw-serial.c         |  1 +
hw/s390x/virtio-ccw.c                |  1 +
hw/scsi/esp-pci.c                    |  2 ++
hw/scsi/esp.c                        |  2 ++
hw/scsi/lsi53c895a.c                 |  2 ++
hw/scsi/megasas.c                    |  2 ++
hw/scsi/mptsas.c                     |  1 +
hw/scsi/scsi-disk.c                  |  4 +++
hw/scsi/scsi-generic.c               |  1 +
hw/scsi/spapr_vscsi.c                |  1 +
hw/scsi/vhost-scsi-common.c          |  1 +
hw/scsi/vhost-scsi.c                 |  1 +
hw/scsi/vhost-user-scsi.c            |  1 +
hw/scsi/virtio-scsi.c                |  2 ++
hw/scsi/vmw_pvscsi.c                 |  1 +
hw/usb/dev-audio.c                   |  1 +
hw/usb/dev-hid.c                     |  4 +++
hw/usb/dev-hub.c                     |  1 +
hw/usb/dev-mtp.c                     |  1 +
hw/usb/dev-network.c                 |  1 +
hw/usb/dev-serial.c                  |  3 ++
hw/usb/dev-smartcard-reader.c        |  3 ++
hw/usb/dev-storage-bot.c             |  1 +
hw/usb/dev-storage-classic.c         |  1 +
hw/usb/dev-storage.c                 |  1 +
hw/usb/dev-uas.c                     |  1 +
hw/usb/dev-wacom.c                   |  1 +
hw/usb/hcd-dwc2.c                    |  1 +
hw/usb/hcd-dwc3.c                    |  1 +
hw/usb/hcd-ehci-pci.c                |  2 ++
hw/usb/hcd-ehci-sysbus.c             |  8 ++++++
hw/usb/hcd-ohci-pci.c                |  1 +
hw/usb/hcd-ohci-sysbus.c             |  1 +
hw/usb/hcd-uhci.c                    |  2 ++
hw/usb/hcd-xhci-nec.c                |  1 +
hw/usb/hcd-xhci-pci.c                |  2 ++
hw/usb/hcd-xhci-sysbus.c             |  3 +-
hw/usb/hcd-xhci.c                    |  1 +
hw/usb/host-libusb.c                 |  1 +
hw/usb/redirect.c                    |  1 +
hw/vfio/ap.c                         |  1 +
hw/vfio/ccw.c                        |  1 +
hw/vfio/container.c                  |  2 ++
hw/vfio/igd.c                        |  1 +
hw/vfio/iommufd.c                    |  2 ++
hw/vfio/pci.c                        |  3 ++
hw/vfio/spapr.c                      |  1 +
hw/virtio/vdpa-dev.c                 |  1 +
hw/virtio/vhost-user-base.c          |  3 +-
hw/virtio/vhost-user-device.c        |  1 +
hw/virtio/vhost-user-fs.c            |  1 +
hw/virtio/vhost-user-gpio.c          |  1 +
hw/virtio/vhost-user-i2c.c           |  1 +
hw/virtio/vhost-user-input.c         |  1 +
hw/virtio/vhost-user-rng.c           |  1 +
hw/virtio/vhost-user-scmi.c          |  1 +
hw/virtio/vhost-user-snd.c           |  1 +
hw/virtio/vhost-user-vsock.c         |  1 +
hw/virtio/vhost-vsock-common.c       |  1 +
hw/virtio/vhost-vsock.c              |  1 +
hw/virtio/virtio-balloon.c           |  1 +
hw/virtio/virtio-bus.c               |  1 +
hw/virtio/virtio-crypto.c            |  1 +
hw/virtio/virtio-input-pci.c         |  2 ++
hw/virtio/virtio-iommu.c             |  2 ++
hw/virtio/virtio-md-pci.c            |  1 +
hw/virtio/virtio-mem.c               |  1 +
hw/virtio/virtio-mmio.c              |  2 ++
hw/virtio/virtio-nsm.c               |  1 +
hw/virtio/virtio-pci.c               |  3 ++
hw/virtio/virtio-pmem.c              |  1 +
hw/virtio/virtio-rng.c               |  1 +
hw/watchdog/allwinner-wdt.c          |  3 ++
hw/watchdog/cmsdk-apb-watchdog.c     |  1 +
hw/watchdog/sbsa_gwdt.c              |  1 +
hw/watchdog/spapr_watchdog.c         |  1 +
hw/watchdog/wdt_aspeed.c             |  6 ++++
hw/watchdog/wdt_diag288.c            |  1 +
hw/watchdog/wdt_i6300esb.c           |  1 +
hw/watchdog/wdt_ib700.c              |  1 +
hw/watchdog/wdt_imx2.c               |  1 +
hw/xen/xen-bus.c                     |  3 ++
hw/xen/xen-legacy-backend.c          |  3 ++
hw/xen/xen-pvh-common.c              |  1 +
hw/xen/xen_pt.c                      |  1 +
hw/xenpv/xen_machine_pv.c            |  2 +-
include/hw/boards.h                  | 12 +++++++-
include/hw/i386/pc.h                 | 14 ++++++++-
include/qapi/compat-policy.h         |  5 ++++
include/qom/object.h                 | 13 +++++++++
qapi/compat.json                     | 24 +++++++++++++++-
qapi/machine.json                    |  8 +++++-
qapi/qapi-util.c                     | 30 +++++++++++++++++++
qapi/qom.json                        | 10 +++++--
qom/object.c                         | 30 ++++++++++++++-----
qom/qom-qmp-cmds.c                   | 30 +++++++++++++++----
system/qdev-monitor.c                | 12 ++++++++
system/vl.c                          | 35 ++++++++++++++++++----
281 files changed, 632 insertions(+), 38 deletions(-)
Our docs/system/security.rst file loosely classifies code into that
applicable for 'virtualization' vs 'non-virtualization' use cases.
Only code relevant to the former group is eligible for security
bug handling. Peter's recent proposal pointed out that we are
increasingly hitting the limits of such a crude classification.

Michael suggested that with the increased complexity, docs are not
going to be an effective way to convey the information, and we
need to re-consider embedding this info in code.  This also allows
users to validate a configuration's security status when starting
a guest, or modifying a running guest.

This series is an attempt to start the embedding process.

Probably I should split in multiple series. One introducing the
overall framework, and then multiple series doing type annotations,
as the latter really need to be CC'd to maintainers, but the CC
list would be way too huge on this combined series. At least this
combined series shows what the real world implications of this code
approach will be though.


It starts with QOM, adding a "bool secure" property to the
TypeInfo struct, which gets turned into a flag on the Type
struct. This enables querying any ObjectClass to ask whether or
not it is declared secure.

By only using a single boolean flag, at runtime we are unable
to distinguish between "marked insecure" and "no decision,
implicitly insecure". As such, all our existing code is
initially considered insecure, except for that which gets
explicit annotation.

The "-compat" argument gains a new parameter

  * insecure-types=accept|reject|warn

    The default 'accept' preserves historical behaviour of
    anything being permissible. The other two options both
    identify use of types that are not explicitly marked
    as secure.

The code annotations are useful immediately, but to make the
new -compat switch useful, we need to annotate as much as is
possible. This series makes a strong attempt to do that across
a large subset of the codebase. My guidance was to mark enough
as being 'secure', that a downstream RHEL build of QEMU would
have explicit annotation of most of its devices, with most being
secure given they target virtualization use cases.

This annotation is 90% complete for the x86 target, but more
work is needed to finish it and then address the arch specific
devices for arm, ppc, s390.

Example: TCG is explicitly insecure, KVM is explicitly secure:

  $ qemu-system-x86_64 -display none -compat insecure-types=reject -accel tcg
  qemu-system-x86_64: -accel tcg: Type 'tcg-accel' does not provide a security boundary to protect against untrusted workloads
  $ qemu-system-x86_64 -display none -compat insecure-types=reject -accel kvm
  ^C

Example: isapc machine type is explicitly insecure

  $ qemu-system-x86_64 -display none -compat insecure-types=reject -machine isapc
  qemu-system-x86_64: Type 'isapc-machine' does not provide a security boundary to protect against untrusted workloads

Example: checks also apply in HMP, ne2k_pci is insecure

  $ ./build/qemu-system-x86_64 -display none -compat insecure-types=reject -monitor stdio -accel kvm
  QEMU 10.1.50 monitor - type 'help' for more information
  (qemu) device_add ne2k_pci
  Error: Type 'ne2k_pci' does not provide a security boundary to protect against untrusted workloads

Example: checks also apply in QMP:

  $ ./scripts/qmp/qmp-shell-wrap qemu-system-x86_64 -display none -compat insecure-types=reject -accel kvm
  Welcome to the QMP low-level shell!
  Connected
  (QEMU) device_add driver=ne2k_pci
  {"error": {"class": "GenericError", "desc": "Type 'ne2k_pci' does not provide a security boundary to protect against untrusted workloads"}}
  (QEMU) device_add driver=virtio-net
  {"return": {}}

Changes in v2:

 * Report security status in qom-list-types
 * Allow qom-list-types to filter on secure types
 * Remove 'bool insecure' on TypeInfo, assume that no specified
   data is equivalent to '.secure = false'
 * Annotate a massive number of object types

Daniel P. Berrangé (32):
  qom: replace 'abstract' with 'flags'
  qom: add tracking of security state of object types
  qapi: add 'insecure-types' option for -compat argument
  system: check security for accelerator types
  system: report accelerator security status in help output
  system: check security for machine types
  system: report machine security status in help output
  system: check security of device types
  system: report device security status in help output
  hw/core: report security status in query-machines
  qom: report & filter on security status in qom-list-types
  docs: expand security docs with info about security status
  machine: add helpers for declaring secure/insecure machine types
  hw: mark x86, s390, ppc, arm versioned machine types as secure
  hw: declare Xen & microvm machines as secure, isapc as insecure
  hw/core: declare 'none' machine to be insecure
  accel: mark kvm, xen & hvf as secure; tcg & qtest as insecure
  hw: mark all virtio PCI devices as secure
  hw: mark all virtio CCW devices as secure
  hw: mark all vhost devices as secure
  hw: mark all remaining virtio object types as secure
  hw/vfio: mark all VFIO object classes as secure
  hw/xen: mark all Xen related object types as being secure
  hw/net: mark most non-virtio NICs as insecure
  hw/usb: mark most USB devices/hosts as secure
  hw/watchdog: mark some watchdog devices as secure
  hw/scsi: mark most SCSI controllers as insecure / devices as secure
  hw/ide: mark ICH9 and ide-hd/ide-cd as secure
  hw: mark test/demo devices as insecure
  hw: define most common PCI types as secure
  hw/pci-host: define some PCI hosts as secure
  hw/display: mark most display adapters as insecure

 hw/virtio/vhost-vsock.c              |  1 +
 hw/virtio/virtio-balloon.c           |  1 +
 hw/virtio/virtio-bus.c               |  1 +
 hw/virtio/virtio-crypto.c            |  1 +
 hw/virtio/virtio-input-pci.c         |  2 ++
 hw/virtio/virtio-iommu.c             |  2 ++
 hw/virtio/virtio-md-pci.c            |  1 +
 hw/virtio/virtio-mem.c               |  1 +
 hw/virtio/virtio-mmio.c              |  2 ++
 hw/virtio/virtio-nsm.c               |  1 +
 hw/virtio/virtio-pci.c               |  3 ++
 hw/virtio/virtio-pmem.c              |  1 +
 hw/virtio/virtio-rng.c               |  1 +
 hw/watchdog/allwinner-wdt.c          |  3 ++
 hw/watchdog/cmsdk-apb-watchdog.c     |  1 +
 hw/watchdog/sbsa_gwdt.c              |  1 +
 hw/watchdog/spapr_watchdog.c         |  1 +
 hw/watchdog/wdt_aspeed.c             |  6 ++++
 hw/watchdog/wdt_diag288.c            |  1 +
 hw/watchdog/wdt_i6300esb.c           |  1 +
 hw/watchdog/wdt_ib700.c              |  1 +
 hw/watchdog/wdt_imx2.c               |  1 +
 hw/xen/xen-bus.c                     |  3 ++
 hw/xen/xen-legacy-backend.c          |  3 ++
 hw/xen/xen-pvh-common.c              |  1 +
 hw/xen/xen_pt.c                      |  1 +
 hw/xenpv/xen_machine_pv.c            |  2 +-
 include/hw/boards.h                  | 12 +++++++-
 include/hw/i386/pc.h                 | 14 ++++++++-
 include/qapi/compat-policy.h         |  5 ++++
 include/qom/object.h                 | 13 +++++++++
 qapi/compat.json                     | 24 +++++++++++++++-
 qapi/machine.json                    |  8 +++++-
 qapi/qapi-util.c                     | 30 +++++++++++++++++++
 qapi/qom.json                        | 10 +++++--
 qom/object.c                         | 30 ++++++++++++++-----
 qom/qom-qmp-cmds.c                   | 30 +++++++++++++++----
 system/qdev-monitor.c                | 12 ++++++++
 system/vl.c                          | 35 ++++++++++++++++++----
 281 files changed, 632 insertions(+), 38 deletions(-)

-- 
2.50.1