On 2/22/21 6:35 PM, Fam Zheng wrote: > On 2021-02-19 15:09, Philippe Mathieu-Daudé wrote: >> On 2/19/21 12:07 PM, Max Reitz wrote: >>> On 13.02.21 22:54, Fam Zheng wrote: >>>> On 2021-02-11 15:26, Philippe Mathieu-Daudé wrote: >>>>> The null-co driver doesn't zeroize buffer in its default config, >>>>> because it is designed for testing and tests want to run fast. >>>>> However this confuses security researchers (access to uninit >>>>> buffers). >>>> >>>> I'm a little surprised. >>>> >>>> Is changing default the only way to fix this? I'm not opposed to >>>> changing the default but I'm not convinced this is the easiest way. >>>> block/nvme.c also doesn't touch the memory, but defers to the device >>>> DMA, why doesn't that confuse the security checker? >> >> Generally speaking, there is a balance between security and performance. >> We try to provide both, but when we can't, my understanding is security >> is more important. > > Why is hiding the code path behind a non-default more secure? What is > not secure now?
Se we are back to the problem of having default values. I'd like to remove the default and have the option explicit, but qemu_opt_get_bool() expects a 'default' value. Should we rename qemu_opt_get_bool() -> qemu_opt_get_bool_with_default() and add a simpler qemu_opt_get_bool()?
