[Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-04 Thread Markus Armbruster
I'll try to explain all solutions fairly. Isn't easy when you're as biased towards one of them as I am. Please bear with me. = The trust boundary between image contents and meta-data = A disk image consists of image contents and meta-data. Example: all of a raw image's contents is image conte

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-04 Thread Jeff Cody
On Tue, Nov 04, 2014 at 07:45:38PM +0100, Markus Armbruster wrote: > I'll try to explain all solutions fairly. Isn't easy when you're as > biased towards one of them as I am. Please bear with me. > > > = The trust boundary between image contents and meta-data = > > A disk image consists of ima

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-04 Thread Markus Armbruster
Jeff Cody writes: > On Tue, Nov 04, 2014 at 07:45:38PM +0100, Markus Armbruster wrote: [...] >> == Don't guess format from untrusted image contents == >> >> Several variations of the theme. >> >> Guessing only happens when the user doesn't specify a format, so the >> simplest way to avoid it wo

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-04 Thread Markus Armbruster
Markus Armbruster writes: [...] > = How can we better guard the trust boundary in QEMU? = > > The guest can violate the trust boundary only because > > (a) QEMU supports both raw images and image formats, and > > (b) QEMU guesses image format from raw image contents, and > > (c) given a raw image

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Max Reitz
On 2014-11-04 at 19:45, Markus Armbruster wrote: I'll try to explain all solutions fairly. Isn't easy when you're as biased towards one of them as I am. Please bear with me. = The trust boundary between image contents and meta-data = A disk image consists of image contents and meta-data. Ex

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Gerd Hoffmann
Hi, > My proposal to ditch image contents probing entirely has more serious > compatibility issues. In particular, we'd have to forgo sugared > convenience syntax for a number of less common things. It definitely > needs a grace period where all usage we're going to break warns. On the > up s

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Eric Blake
On 11/05/2014 09:38 AM, Max Reitz wrote: >> Note that specifying just the top image's format is not enough, you also >> have to specify any backing images' formats. QCOW2 can optionally store >> the backing image format in the image. The other COW formats can't. > > Well, they can, with "json:"

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Eric Blake
On 11/04/2014 07:45 PM, Markus Armbruster wrote: > I'll try to explain all solutions fairly. Isn't easy when you're as > biased towards one of them as I am. Please bear with me. > Thanks for this write-up. I'll probably reply again, but for now I'm focusing on just one thing I think you missed

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Kevin Wolf
Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: > I'll try to explain all solutions fairly. Isn't easy when you're as > biased towards one of them as I am. Please bear with me. > > > = The trust boundary between image contents and meta-data = > > A disk image consists of image conten

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Kevin Wolf
Am 05.11.2014 um 09:38 hat Max Reitz geschrieben: > My conclusion: Don't ditch probing. It increases entropy, why would > you ditch probing? Just combine it with the extension and if both > don't seem to match, that's an error. I actually kind of like this (in addition to preventing bad writes). I

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-05 Thread Dr. David Alan Gilbert
* Markus Armbruster (arm...@redhat.com) wrote: > I'll try to explain all solutions fairly. Isn't easy when you're as > biased towards one of them as I am. Please bear with me. > > > = The trust boundary between image contents and meta-data = > > A disk image consists of image contents and meta

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Markus Armbruster
Max Reitz writes: > On 2014-11-04 at 19:45, Markus Armbruster wrote: >> I'll try to explain all solutions fairly. Isn't easy when you're as >> biased towards one of them as I am. Please bear with me. >> >> >> = The trust boundary between image contents and meta-data = >> >> A disk image consist

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Markus Armbruster
Eric Blake writes: > On 11/05/2014 09:38 AM, Max Reitz wrote: > >>> Note that specifying just the top image's format is not enough, you also >>> have to specify any backing images' formats. QCOW2 can optionally store >>> the backing image format in the image. The other COW formats can't. >> >>

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Markus Armbruster
Eric Blake writes: > On 11/04/2014 07:45 PM, Markus Armbruster wrote: >> I'll try to explain all solutions fairly. Isn't easy when you're as >> biased towards one of them as I am. Please bear with me. >> > > Thanks for this write-up. I'll probably reply again, but for now I'm > focusing on ju

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Max Reitz
On 2014-11-06 at 13:26, Markus Armbruster wrote: Max Reitz writes: On 2014-11-04 at 19:45, Markus Armbruster wrote: I'll try to explain all solutions fairly. Isn't easy when you're as biased towards one of them as I am. Please bear with me. = The trust boundary between image contents and

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Eric Blake
On 11/06/2014 01:43 PM, Markus Armbruster wrote: >> Actually, qed requires the backing format to be recorded (it is >> non-optional) and is therefore immune to probing problems of backing >> files. That's one thing it got right. > > If I read the code correctly: > > QED has a feature bit QED_F_

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Kevin Wolf
Am 06.11.2014 um 13:26 hat Markus Armbruster geschrieben: > >> * Reuse the image *without* specifying the raw format. QEMU guesses the > >> format based on untrusted image contents. Now QEMU guesses a format > >> chosen by the guest, with meta-data chosen by the guest. By > >> controlli

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Markus Armbruster
"Dr. David Alan Gilbert" writes: > * Markus Armbruster (arm...@redhat.com) wrote: >> I'll try to explain all solutions fairly. Isn't easy when you're as >> biased towards one of them as I am. Please bear with me. >> >> >> = The trust boundary between image contents and meta-data = >> >> A di

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Markus Armbruster
Kevin Wolf writes: > Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: >> I'll try to explain all solutions fairly. Isn't easy when you're as >> biased towards one of them as I am. Please bear with me. >> >> >> = The trust boundary between image contents and meta-data = >> >> A disk

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Eric Blake
On 11/06/2014 02:57 PM, Markus Armbruster wrote: >> Yes, you can override the backing file driver (backing.driver=raw should >> do the trick). Not really user-friendly, especially with long backing >> file chains, but it happens to be there. >> >> And of course, libvirt should be using it for non-

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Jeff Cody
On Thu, Nov 06, 2014 at 02:57:07PM +0100, Markus Armbruster wrote: > Kevin Wolf writes: > > > Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: [...] > >> I proposed something less radical, namely to keep guessing the image > >> format, but base the guess on trusted meta-data only: file

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Jeff Cody
On Thu, Nov 06, 2014 at 01:53:35PM +0100, Max Reitz wrote: > On 2014-11-06 at 13:26, Markus Armbruster wrote: > > Max Reitz writes: > > > >> On 2014-11-04 at 19:45, Markus Armbruster wrote: > >>> I'll try to explain all solutions fairly. Isn't easy when you're as > >>> biased towards one of them as I

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Max Reitz
On 2014-11-06 at 15:56, Jeff Cody wrote: On Thu, Nov 06, 2014 at 01:53:35PM +0100, Max Reitz wrote: On 2014-11-06 at 13:26, Markus Armbruster wrote: Max Reitz writes: On 2014-11-04 at 19:45, Markus Armbruster wrote: I'll try to explain all solutions fairly. Isn't easy when you're as biased

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Kevin Wolf
Am 06.11.2014 um 14:57 hat Markus Armbruster geschrieben: > Kevin Wolf writes: > > > Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: > >> I'll try to explain all solutions fairly. Isn't easy when you're as > >> biased towards one of them as I am. Please bear with me. > >> > >> > >>

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-06 Thread Jeff Cody
On Thu, Nov 06, 2014 at 03:14:19PM +0100, Eric Blake wrote: > On 11/06/2014 02:57 PM, Markus Armbruster wrote: > > >> Yes, you can override the backing file driver (backing.driver=raw should > >> do the trick). Not really user-friendly, especially with long backing > >> file chains, but it happens

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Markus Armbruster
Max Reitz writes: > On 2014-11-06 at 13:26, Markus Armbruster wrote: >> Max Reitz writes: >> >>> On 2014-11-04 at 19:45, Markus Armbruster wrote: I'll try to explain all solutions fairly. Isn't easy when you're as biased towards one of them as I am. Please bear with me. >>>

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Markus Armbruster
Kevin Wolf writes: > Am 06.11.2014 um 13:26 hat Markus Armbruster geschrieben: >> >> * Reuse the image *without* specifying the raw format. QEMU guesses the >> >> format based on untrusted image contents. Now QEMU guesses a format >> >> chosen by the guest, with meta-data chosen by the gu

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Markus Armbruster
Max Reitz writes: > On 2014-11-06 at 15:56, Jeff Cody wrote: >> On Thu, Nov 06, 2014 at 01:53:35PM +0100, Max Reitz wrote: >>> On 2014-11-06 at 13:26, Markus Armbruster wrote: Max Reitz writes: > On 2014-11-04 at 19:45, Markus Armbruster wrote: [...] >> = How this lets the gues

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Max Reitz
On 2014-11-07 at 15:52, Markus Armbruster wrote: Max Reitz writes: On 2014-11-06 at 15:56, Jeff Cody wrote: On Thu, Nov 06, 2014 at 01:53:35PM +0100, Max Reitz wrote: On 2014-11-06 at 13:26, Markus Armbruster wrote: Max Reitz writes: On 2014-11-04 at 19:45, Markus Armbruster wrote: [...

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Markus Armbruster
Kevin Wolf writes: > Am 06.11.2014 um 14:57 hat Markus Armbruster geschrieben: >> Kevin Wolf writes: >> >> > Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: >> >> I'll try to explain all solutions fairly. Isn't easy when you're as >> >> biased towards one of them as I am. Please bea

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-07 Thread Jeff Cody
On Fri, Nov 07, 2014 at 04:21:38PM +0100, Markus Armbruster wrote: > Kevin Wolf writes: > > > Am 06.11.2014 um 14:57 hat Markus Armbruster geschrieben: > >> Kevin Wolf writes: > >> > >> > Am 04.11.2014 um 19:45 hat Markus Armbruster geschrieben: > >> >> I'll try to explain all solutions fairly.

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Markus Armbruster
Max Reitz writes: > On 2014-11-07 at 15:52, Markus Armbruster wrote: >> Max Reitz writes: >> >>> On 2014-11-06 at 15:56, Jeff Cody wrote: On Thu, Nov 06, 2014 at 01:53:35PM +0100, Max Reitz wrote: > On 2014-11-06 at 13:26, Markus Armbruster wrote: >> Max Reitz writes: >> >>

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Markus Armbruster
Jeff Cody writes: > On Fri, Nov 07, 2014 at 04:21:38PM +0100, Markus Armbruster wrote: [...] >> let me refine / vary the hybrid approach I mentioned >> under " Don't guess format from untrusted image contents" some. I think >> I can trace some inspiration to Max here. >> >> Say w

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Markus Armbruster
Markus Armbruster writes: [...] > let me refine / vary the hybrid approach I mentioned > under " Don't guess format from untrusted image contents" some. I think > I can trace some inspiration to Max here. > > Say we use trusted meta-data to compute a set of admissible formats, and

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Kevin Wolf
Am 10.11.2014 um 09:12 hat Markus Armbruster geschrieben: > Jeff Cody writes: > > So that would mean .img would always require format=, right? > > > > That also implies to me that the only extensions for raw that might > > not require format= would be .iso and .raw. > > .img means what we choose

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Markus Armbruster
Kevin Wolf writes: > Am 10.11.2014 um 09:12 hat Markus Armbruster geschrieben: >> Jeff Cody writes: >> > So that would mean .img would always require format=, right? >> > >> > That also implies to me that the only extensions for raw that might >> > not require format= would be .iso and .raw. >>

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-10 Thread Jeff Cody
On Mon, Nov 10, 2014 at 11:30:25AM +0100, Markus Armbruster wrote: > Kevin Wolf writes: > > > Am 10.11.2014 um 09:12 hat Markus Armbruster geschrieben: > >> Jeff Cody writes: > >> > So that would mean .img would always require format=, right? > >> > > >> > That also implies to me that the only e

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

2014-11-11 Thread Markus Armbruster
Jeff Cody writes: > On Mon, Nov 10, 2014 at 11:30:25AM +0100, Markus Armbruster wrote: >> Kevin Wolf writes: >> >> > Am 10.11.2014 um 09:12 hat Markus Armbruster geschrieben: >> >> Jeff Cody writes: >> >> > So that would mean .img would always require format=, right? >> >> > >> >> > That also