On 4/12/20 10:57 PM, Peter Maydell wrote:
> On Sun, 12 Apr 2020 at 21:53, Philippe Mathieu-Daudé <f4...@amsat.org> wrote:
>> "VMs using KVM" as security boundary is very clear, thanks.
>>
>> Note 1: This doesn't appear on the QEMU security process
>> description: https://www.qemu.org/contribute/security-process/
> 
> It's part of the list of how to decide whether an issue is
> security sensitive:
>  "Is QEMU used in conjunction with a hypervisor (as opposed
>   to TCG binary translation)?"

Indeed I missed this. This bug correctly matches the example described:

  "The ‘generic-sdhci’ interface, instead, had only one user
  in ‘Xilinx Zynq Baseboard emulation’ (hw/arm/xilinx_zynq.c).
  Xilinx Zynq is a programmable systems on chip (SoC) device.
  While QEMU does emulate this device, in practice it is used
  to facilitate cross-platform developmental efforts, i.e. QEMU
  is used to write programs for the SoC device. In such developer
  environments, it is generally assumed that the guest is trusted."

> 
> We also document it in the user manuals now (a relatively
> recent improvement):
>  
> https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case
> 
>> Note 2: If a reported bug is not in security boundary, it should be
>> reported as a bug to mainstream QEMU, to give the community a chance to
>> fix it.
> 
> Yes; bugs are still bugs.
> 
> thanks
> -- PMM
> 
