On Thu, Mar 28, 2019 at 09:55:24AM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 28, 2019 at 03:40:25PM +1100, David Gibson wrote:
> > 27461d69a0f "ppc: add host-serial and host-model machine attributes
> > (CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
> > properties for spapr to explicitly control the values advertised to the
> > guest in device tree properties with the same names.
> >
> > The previous behaviour on KVM was to unconditionally populate the device
> > tree with the real host serial number and model, which leaks possibly
> > sensitive information about the host to the guest.
> >
> > To maintain compatibility for old machine types, we allowed those props
> > to be set to "passthrough" to take the value from the host as before. Or
> > they could be set to "none" to explicitly omit the device tree items.
> >
> > Special casing specific values on what's otherwise a user supplied string
> > is very ugly. So, this patch simplifies things by implementing the
> > backwards compatibility in a different way: we have a machine class flag
> > set for the older machines, and we only load the host values into the
> > device tree if A) they're not set by the user and B) we have that flag set.
> >
> > This does mean that the "passthrough" functionality is no longer available
> > with the current machine type. That's ok though: if a user or management
> > layer really wants the information passed through they can read it
> > themselves (OpenStack Nova already does something similar for x86).
> >
> > It also means the user can't explicitly ask for the values to be omitted
> > on the old machine types. I think that's an acceptable trade-off: if you
> > care enough about not leaking the host information you can either move to
> > the new machine type, or use a dummy value for the properties.
> >
> > This also removes an odd inconsistency between running on a POWER and
> > non-POWER (or non-Linux) hosts: if the host information couldn't be read
> > from where we expect (in the host's device tree as exposed by Linux), we'd
> > fall back to omitting the guest device tree items.
> >
> > While we're there, improve some poorly worded comments, and the help text
> > for the properties.
>
> So IIUC, the two properties now only accept an opaque string which
> will be exposed as-is in the guest fields. Old machine types, only,
> will do passthrough of the host values (if not overridden by the
> properties) & there's no way to request this for new machine types

Correct.

> >
> > Signed-off-by: David Gibson <da...@gibson.dropbear.id.au>
> > ---
> >
> > I've (tentatively) put this into my ppc-for-4.0 tree already, which I
> > hope to push in the next few days. I realize it's very late to make
> > such a cleanup in 4.0, however I'd like to clean up the interface
> > before it goes into a released version which we have to support for
> > ages.
>
> Indeed, we must clean it before release if we want this, otherwise
> it is an incompatible change.
>
> >
> > hw/ppc/spapr.c | 57 ++++++++++++++----------------------------
> > include/hw/ppc/spapr.h | 1 +
> > 2 files changed, 20 insertions(+), 38 deletions(-)
>
> Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
>
>
> Regards,
> Daniel

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson