Am 27. Oktober 2025 12:48:29 UTC schrieb Peter Maydell
<[email protected]>:
>On Thu, 16 Oct 2025 at 14:12, Peter Maydell <[email protected]> wrote:
>>
>> Currently our security policy defines a "virtualization use case"
>> where we consider bugs to be security issues, and a
>> "non-virtualization use case" where we do not make any security
>> guarantees and don't consider bugs to be security issues.
>>
>> The rationale for this split is that much code in QEMU is older and
>> was not written with malicious guests in mind, and we don't have the
>> resources to audit, fix and defend it. So instead we inform users
>> about what the can in practice rely on as a security barrier, and
>> what they can't.
>>
>> We don't currently restrict the "virtualization use case" to any
>> particular set of machine types. This means that we have effectively
>> barred ourselves from adding KVM support to any machine type that we
>> don't want to put into the "bugs are security issues" category, even
>> if it would be useful for users to be able to get better performance
>> with a trusted guest by enabling KVM. This seems an unnecessary
>> restriction, and in practice the set of machine types it makes
>> sense to use for untrusted-guest virtualization is quite small.
>>
>> Specifically, we would like to be able to enable the use of
>> KVM with the imx8 development board machine types, but we don't
>> want to commit ourselves to having to support those SoC models
>> and device models as part of QEMU's security boundary:
>> https://lore.kernel.org/qemu-devel/[email protected]/
>>
>> This patch updates the security policy to explicitly list the
>> machine types we consider to be useful for the "virtualization
>> use case".
>>
>> Signed-off-by: Peter Maydell <[email protected]>
>> ---
>> changes v1->v2: updated the list:
>> * remove isapc
>> * remove ppc, mips, mips64 (no machines supported)
>> * list pseries as only supported ppc64 machine
>> * list virt as only supported riscv32, riscv64 machine
>>
>> I believe the list to now be correct, and I think we generally
>> had some consensus about the idea on the v1 patch discussion, so
>> this one is a non-RFC patch.
>
>This has now had various reviews and acks, and no
>suggestions for further revision. I propose to take
>this via target-arm.next, unless anybody has any
>objections.
Sounds good, I'm looking forward to it.
Maybe we could then also merge
https://lore.kernel.org/qemu-devel/[email protected]/
which had some technical comments and no follow-up.
Best regards,
Bernhard
>
>thanks
>-- PMM
