On Fri, Oct 26, 2018 at 12:03:35PM +0200, Paolo Bonzini wrote:
> On 26/10/2018 11:59, Daniel P. Berrangé wrote:
> > I should also say that QEMU as an upstream project has multiple goals.
> > Running KVM guests with modern PV hardware is only one of them, albeit
> > a widely used one. Being able to run old legacy OS with old hardware,
> > and running arbitrary embedded boards/devices with emulation are both
> > use cases that QEMU project aims to address. To eliminate all the old
> > "crufty" device emulation in the name of improving security for KVM, would
> > be to eliminate core use cases of the project. This is why we're trying
> > to pursue the direction of making it easier for vendors to disable
> > features and devices they don't wish to support & thus limit their
> > downstream CVE exposure.
>
> Indeed. If we had to deprecate a feature just because it had an
> off-by-one bug, no C program would grow beyond 1000 lines of code...

One thing we should do, however, is to make it clear which of the device
models we consider secure, and which we consider only usable in a friendly
guest environment, as we have very different code maintainership & quality
standards for different parts of QEMU.

Essentially virtio devices, and then only a handful of the emulated devices
are things we consider suitable for usage in secure envs. Likewise for
machine types probably.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|