On Tue, May 16, 2023 at 12:23:28PM +0200, Markus Armbruster wrote: > Daniel P. Berrangé <berra...@redhat.com> writes: > > > On Tue, May 16, 2023 at 10:47:52AM +0200, Markus Armbruster wrote: > > [...] > > >> So, this is basically a way to retrieve an eBPF program by some > >> well-known name. > >> > >> Ignorant question: how are these programs desposited? > > > > The eBPF code blob is linked into QEMU at build time. THis API lets > > libvirt fetch it from QEMU, in base64 format. When libvirt later > > creates NICs, it can attach the eBPF code blob to the TAP device (which > > requires elevated privilleges that QEMU lacks). NB, libvirt would fetch > > the eBPF code from QEMU when probing capabilities, as once a VM is > > running it is untrusted. > > Okay, I can see how that helps. I trust the blob is in a read-only > segment. Ideally, libvirt fetches it before the guest runs.
Whether the blob is in a read-only segment or not isn't important, because it transits writable memory in the QMP command marshalling. IOW, if we're trying to mitigate against compromised QEMU, we *must* fetch it before vCPUs are started. If we're super paranoid, we would want to fetch it before even opening untrusted disk images too. It might push towards fetching it while probing capabilities from a throw-away QEMU with "-m none" > Please improve the QAPI schema doc comments to explain why and how the > feature is to be used in a bit more detail. The existing text > > Function returns eBPF object that can be loaded with libbpf. > Management applications (g.e. libvirt) may load it and pass file > descriptors to QEMU. Which allows running QEMU without BPF capabilities. > > is too terse. > With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
