[v2] Encode object type security status in code

[PATCH v2 10/32] hw/core: report security status in query-machines

Daniel P. Berrangé posted 32 patches 4 months, 2 weeks ago

Diff against v1
Download mbox

Maintainers: Richard Henderson <richard.henderson@linaro.org>, Paolo Bonzini <pbonzini@redhat.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Cameron Esfahani <dirty@apple.com>, Roman Bolshakov <rbolshakov@ddn.com>, Phil Dennis-Jordan <phil@philjordan.eu>, Mads Ynddal <mads@ynddal.dk>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>, Stefano Stabellini <sstabellini@kernel.org>, Anthony PERARD <anthony@xenproject.org>, Paul Durrant <paul@xen.org>, "Edgar E. Iglesias" <edgar.iglesias@gmail.com>, "Michael S. Tsirkin" <mst@redhat.com>, Christian Schoenebeck <qemu_oss@crudebyte.com>, Greg Kurz <groug@kaod.org>, Peter Maydell <peter.maydell@linaro.org>, Gerd Hoffmann <kraxel@redhat.com>, Manos Pitsidianakis <manos.pitsidianakis@linaro.org>, Stefano Garzarella <sgarzare@redhat.com>, Raphael Norwitz <raphael@enfabrica.net>, Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, Amit Shah <amit@kernel.org>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Yanan Wang <wangyanan55@huawei.com>, Zhao Liu <zhao1.liu@intel.com>, Helge Deller <deller@gmx.de>, Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, Samuel Tardieu <sam@rfc1149.net>, Alistair Francis <alistair@alistair23.me>, Igor Mitsyanko <i.mitsyanko@gmail.com>, "Hervé Poussineau" <hpoussin@reactos.org>, Aleksandar Rikalo <arikalo@gmail.com>, Thomas Huth <huth@tuxfamily.org>, BALATON Zoltan <balaton@eik.bme.hu>, "Alex Bennée" <alex.bennee@linaro.org>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Dmitry Osipenko <dmitry.osipenko@collabora.com>, Dmitry Fleytman <dmitry.fleytman@gmail.com>, Sergio Lopez <slp@redhat.com>, John Snow <jsnow@redhat.com>, Jiri Slaby <jslaby@suse.cz>, Beniamino Galvani <b.galvani@gmail.com>, Strahinja Jankovic <strahinja.p.jankovic@gmail.com>, Jason Wang <jasowang@redhat.com>, Pavel Pisa <pisa@cmp.felk.cvut.cz>, Francisco Iglesias <francisco.iglesias@amd.com>, Vikram Garhwal <vikram.garhwal@bytedance.com>, Stefan Weil <sw@weilnetz.de>, Bernhard Beschow <shentey@gmail.com>, "Cédric Le Goater" <clg@kaod.org>, Steven Lee <steven_lee@aspeedtech.com>, Troy Lee <leetroy@gmail.com>, Jamin Lin <jamin_lin@aspeedtech.com>, Andrew Jeffery <andrew@codeconstruct.com.au>, Joel Stanley <joel@jms.id.au>, Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>, Subbaraya Sundeep <sundeep.lkml@gmail.com>, Jan Kiszka <jan.kiszka@web.de>, Tyrone Ting <kfting@nuvoton.com>, Hao Wu <wuhaotsh@google.com>, Max Filippov <jcmvbkbc@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Nicholas Piggin <npiggin@gmail.com>, Harsh Prateek Bora <harshpb@linux.ibm.com>, Sven Schnelle <svens@stackframe.org>, Rob Herring <robh@kernel.org>, Huacai Chen <chenhuacai@kernel.org>, Jiaxun Yang <jiaxun.yang@flygoat.com>, Andrey Smirnov <andrew.smirnov@gmail.com>, Aurelien Jarno <aurelien@aurel32.net>, Aditya Gupta <adityag@linux.ibm.com>, Glenn Miles <milesg@linux.ibm.com>, Elena Ufimtseva <elena.ufimtseva@oracle.com>, Jagannathan Raman <jag.raman@oracle.com>, Yoshinori Sato <yoshinori.sato@nifty.com>, Magnus Damm <magnus.damm@gmail.com>, Paul Burton <paulburton@kernel.org>, Halil Pasic <pasic@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Eric Farman <farman@linux.ibm.com>, Matthew Rosato <mjrosato@linux.ibm.com>, David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>, Cornelia Huck <cohuck@redhat.com>, Fam Zheng <fam@euphon.net>, Hannes Reinecke <hare@suse.com>, Samuel Thibault <samuel.thibault@ens-lyon.org>, Tony Krowiak <akrowiak@linux.ibm.com>, Jason Herne <jjherne@linux.ibm.com>, Alex Williamson <alex.williamson@redhat.com>, Tomita Moeko <tomitamoeko@gmail.com>, Viresh Kumar <viresh.kumar@linaro.org>, Mathieu Poirier <mathieu.poirier@linaro.org>, "Gonglei (Arei)" <arei.gonglei@huawei.com>, Eric Auger <eric.auger@redhat.com>, Alexander Graf <graf@amazon.com>, Dorjoy Chowdhury <dorjoychy111@gmail.com>, Radoslaw Biernacki <rad@semihalf.com>, Leif Lindholm <leif.lindholm@oss.qualcomm.com>, "Collin L. Walling" <walling@linux.ibm.com>, Jean-Christophe Dubois <jcd@tribudubois.net>, Markus Armbruster <armbru@redhat.com>, Michael Roth <michael.roth@amd.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eric Blake <eblake@redhat.com>

Expand all Fold all

[PATCH v2 10/32] hw/core: report security status in query-machines

Posted by Daniel P. Berrangé 4 months, 2 weeks ago

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 hw/core/machine-qmp-cmds.c | 1 +
 qapi/machine.json          | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
index 6aca1a626e..4d9906f64a 100644
--- a/hw/core/machine-qmp-cmds.c
+++ b/hw/core/machine-qmp-cmds.c
@@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
         if (mc->default_ram_id) {
             info->default_ram_id = g_strdup(mc->default_ram_id);
         }
+        info->secure = object_class_is_secure(OBJECT_CLASS(mc));
 
         if (compat_props && mc->compat_props) {
             int i;
diff --git a/qapi/machine.json b/qapi/machine.json
index 038eab281c..bb2b308ccd 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -194,6 +194,11 @@
 #     present when `query-machines` argument @compat-props is true.
 #     (since 9.1)
 #
+# @secure: If true, the machine is declared to provide a security
+#     boundary from the guest; if false the machine is either
+#     not providing a security boundary, or its status is undefined.
+#     (since 10.2)
+#
 # Features:
 #
 # @unstable: Member @compat-props is experimental.
@@ -207,7 +212,8 @@
             'deprecated': 'bool', '*default-cpu-type': 'str',
             '*default-ram-id': 'str', 'acpi': 'bool',
             '*compat-props': { 'type': ['CompatProperty'],
-                               'features': ['unstable'] } } }
+                               'features': ['unstable'] },
+            'secure': 'bool' } }
 
 ##
 # @query-machines:
-- 
2.50.1

Re: [PATCH v2 10/32] hw/core: report security status in query-machines

Posted by Markus Armbruster 3 months, 2 weeks ago

Daniel P. Berrangé <berrange@redhat.com> writes:

> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  hw/core/machine-qmp-cmds.c | 1 +
>  qapi/machine.json          | 8 +++++++-
>  2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
> index 6aca1a626e..4d9906f64a 100644
> --- a/hw/core/machine-qmp-cmds.c
> +++ b/hw/core/machine-qmp-cmds.c
> @@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
>          if (mc->default_ram_id) {
>              info->default_ram_id = g_strdup(mc->default_ram_id);
>          }
> +        info->secure = object_class_is_secure(OBJECT_CLASS(mc));
>  
>          if (compat_props && mc->compat_props) {
>              int i;
> diff --git a/qapi/machine.json b/qapi/machine.json
> index 038eab281c..bb2b308ccd 100644
> --- a/qapi/machine.json
> +++ b/qapi/machine.json
> @@ -194,6 +194,11 @@
>  #     present when `query-machines` argument @compat-props is true.
>  #     (since 9.1)
>  #
> +# @secure: If true, the machine is declared to provide a security
> +#     boundary from the guest; if false the machine is either
> +#     not providing a security boundary, or its status is undefined.
> +#     (since 10.2)
> +#
>  # Features:
>  #
>  # @unstable: Member @compat-props is experimental.
> @@ -207,7 +212,8 @@
>              'deprecated': 'bool', '*default-cpu-type': 'str',
>              '*default-ram-id': 'str', 'acpi': 'bool',
>              '*compat-props': { 'type': ['CompatProperty'],
> -                               'features': ['unstable'] } } }
> +                               'features': ['unstable'] },
> +            'secure': 'bool' } }
>  
>  ##
>  # @query-machines:

Isn't this redundant with qom-list-types?

{"execute": "qom-list-types", "arguments": {"implements": "machine"}}

Re: [PATCH v2 10/32] hw/core: report security status in query-machines

Posted by Daniel P. Berrangé 3 months, 2 weeks ago

On Thu, Oct 23, 2025 at 02:17:42PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
> 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> >  hw/core/machine-qmp-cmds.c | 1 +
> >  qapi/machine.json          | 8 +++++++-
> >  2 files changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
> > index 6aca1a626e..4d9906f64a 100644
> > --- a/hw/core/machine-qmp-cmds.c
> > +++ b/hw/core/machine-qmp-cmds.c
> > @@ -100,6 +100,7 @@ MachineInfoList *qmp_query_machines(bool has_compat_props, bool compat_props,
> >          if (mc->default_ram_id) {
> >              info->default_ram_id = g_strdup(mc->default_ram_id);
> >          }
> > +        info->secure = object_class_is_secure(OBJECT_CLASS(mc));
> >  
> >          if (compat_props && mc->compat_props) {
> >              int i;
> > diff --git a/qapi/machine.json b/qapi/machine.json
> > index 038eab281c..bb2b308ccd 100644
> > --- a/qapi/machine.json
> > +++ b/qapi/machine.json
> > @@ -194,6 +194,11 @@
> >  #     present when `query-machines` argument @compat-props is true.
> >  #     (since 9.1)
> >  #
> > +# @secure: If true, the machine is declared to provide a security
> > +#     boundary from the guest; if false the machine is either
> > +#     not providing a security boundary, or its status is undefined.
> > +#     (since 10.2)
> > +#
> >  # Features:
> >  #
> >  # @unstable: Member @compat-props is experimental.
> > @@ -207,7 +212,8 @@
> >              'deprecated': 'bool', '*default-cpu-type': 'str',
> >              '*default-ram-id': 'str', 'acpi': 'bool',
> >              '*compat-props': { 'type': ['CompatProperty'],
> > -                               'features': ['unstable'] } } }
> > +                               'features': ['unstable'] },
> > +            'secure': 'bool' } }
> >  
> >  ##
> >  # @query-machines:
> 
> Isn't this redundant with qom-list-types?
> 
> {"execute": "qom-list-types", "arguments": {"implements": "machine"}}

Well if the mgmt app is already using 'query-machines' for other reasons,
and doesn't currently use 'qom-list-types', then it is useful to have
the info reported in the former too.  Also I viewed the 'secure' flag
as being conceptually twinned with the 'deprecated' flag which is also
here in 'query-machines'.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|