Daniel P. Berrangé <berrange(a)redhat.com> writes:
On Tue, Oct 08, 2019 at 01:46:57PM -0300, Fabiano Rosas wrote:
> Since QEMU v4.0.0, the host's model is no longer automatically exposed
> to the guest via /proc/device-tree/host-model. There is now a machine
> option 'host-model' that allows an arbitrary string to be used as the
> host model [1].
>
> This patch adds support for exposing the real host model string from
> /proc/cpuinfo (also found on /proc/device-tree/model) to the guest via
> -machine pseries,host-model=<model> by setting in the domain XML file:
>
> <features>
> <host_model_passthrough state='on'/>
> <features/>
I definitely don't want to see that. A mgmt app which used this
would be re-exposing the security risk that the QEMU change was
intended to fix. That might be ok in some cases, but in the
general case we need the ability for the mgmt app to supply the
actual data to expose. This is how we deal with SMBIOS - we allow
<smbios mode="emulate|host|sysinfo"/>, where 'sysinfo' option
lets
the mgmt app have full control over what's exposed.
Ok, fair enough
My ideia of only allowing either the vulnerable behavior or none at
all (the default) was to encourage users to find another solution,
instead of having them alter the management applications and continue
relying on (some sort of) host information exposure.
So do you suggest something like <host-model mode="none|sysinfo"/> ?
Because having "host" as well (like smbios has) would have the same
effect as this patch.
Thanks