On 11/18/16, 3:32 PM, "Stefan Hajnoczi" <stefa...@gmail.com> wrote:
>On Fri, Nov 18, 2016 at 02:26:21AM -0500, Jeff Cody wrote:
>> * Daniel pointed out that there is no authentication method for taking to a
>> remote server. This seems a bit scary. Maybe all that is needed here is
>> some clarification of the security scheme for authentication? My
>> impression from above is that you are relying on the networks being
>> private to provide some sort of implicit authentication, though, and this
>> seems fragile (and doesn't protect against a compromised guest or other
>> process on the server, for one).
>
>Exactly, from the QEMU trust model you must assume that QEMU has been
>compromised by the guest. The escaped guest can connect to the VxHS
>server since it controls the QEMU process.
>
>An escaped guest must not have access to other guests' volumes.
>Therefore authentication is necessary.
Just so I am clear on this, how will such an escaped guest get to know the
other guest vdisk IDs?
>
>By the way, QEMU has a secrets API for providing passwords and other
>sensistive data without passing them on the command-line. The
>command-line is vulnerable to snooping by other processes so using this
>API is mandatory. Please see include/crypto/secret.h.
>
>Stefan
