On Wed, 13 May 2026 at 10:23, Daniel P. Berrangé <berrange@redhat.com> wrote:
QEMU has implemented four generic USB controllers
* UHCI - USB 1.0 only
* OHCI - USB 1.0 only
* EHCI - USB 2.0 only (must have UHCI companions for 1.0 compat)
* XHCI - All of USB 3.0, 2.0, 1.0 in one controller
Thus to reduce our maint burden around security bug handling, it is proposed henceforth to classify UHCI, OHCI and EHCI under the non-virtualization use case and thus be excluded from security bug triage processes. No CVEs would be assigned, bugs would be reported publicly in gitlab:
The XHCI controller (specifically the hcd-xhci.c variant) would remain as our only option for the virtualization use case, with security process applied to bugs & eligible for CVE assignment:
I support this; I don't think there's any reason to use anything except XHCI in a modern VM, and the others are useful now largely in the emulation and retrocomputing areas.

I guess my question is how we communicate this to users, and whether there's some sort of timescale or if it's just "effective immediately". If we're fairly confident nobody's really using the old controllers in production then I guess we can just commit the policy update to security.rst and that then appears on the website?

-- PMM