On Wed, Jun 12, 2024 at 01:07:44PM +0200, Markus Armbruster wrote:
> Gerd Hoffmann <kra...@redhat.com> writes:
>
> > Add flags to ObjectClass for objects which are deprecated or not secure.
> > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
> > 'qom-list-types'. Print the flags when listing devices via '-device
> > help'.
> >
> > Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> > ---
> > include/qom/object.h | 3 +++
> > qom/qom-qmp-cmds.c | 8 ++++++++
> > system/qdev-monitor.c | 8 ++++++++
> > qapi/qom.json | 8 +++++++-
> > 4 files changed, 26 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/qom/object.h b/include/qom/object.h
> > index 13d3a655ddf9..419bd9a4b219 100644
> > --- a/include/qom/object.h
> > +++ b/include/qom/object.h
> > @@ -136,6 +136,9 @@ struct ObjectClass
> > ObjectUnparent *unparent;
> >
> > GHashTable *properties;
> > +
> > + bool deprecated;
> > + bool not_secure;
> > };
>
> Ignorant question: should this be in struct TypeImpl instead?
>
> >
> > /**
> > diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
> > index e91a2353472a..325ff0ba2a25 100644
> > --- a/qom/qom-qmp-cmds.c
> > +++ b/qom/qom-qmp-cmds.c
> > @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass,
> > void *data)
> > if (parent) {
> > info->parent = g_strdup(object_class_get_name(parent));
> > }
> > + if (klass->deprecated) {
> > + info->has_deprecated = true;
> > + info->deprecated = true;
> > + }
> > + if (klass->not_secure) {
> > + info->has_not_secure = true;
> > + info->not_secure = true;
> > + }
> >
> > QAPI_LIST_PREPEND(*pret, info);
> > }
> > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> > index 6af6ef7d667f..effdc95d21d3 100644
> > --- a/system/qdev-monitor.c
> > +++ b/system/qdev-monitor.c
> > @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc)
> >
> > static void qdev_print_devinfo(DeviceClass *dc)
> > {
> > + ObjectClass *klass = OBJECT_CLASS(dc);
> > +
> > qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
> > if (dc->bus_type) {
> > qemu_printf(", bus %s", dc->bus_type);
> > @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc)
> > if (!dc->user_creatable) {
> > qemu_printf(", no-user");
> > }
> > + if (klass->deprecated) {
> > + qemu_printf(", deprecated");
> > + }
> > + if (klass->not_secure) {
> > + qemu_printf(", not-secure");
> > + }
> > qemu_printf("\n");
> > }
> >
> > diff --git a/qapi/qom.json b/qapi/qom.json
> > index 8bd299265e39..3f20d4c6413b 100644
> > --- a/qapi/qom.json
> > +++ b/qapi/qom.json
> > @@ -163,10 +163,16 @@
> > #
> > # @parent: Name of parent type, if any (since 2.10)
> > #
> > +# @deprecated: the type is deprecated (since 9.1)
> > +#
> > +# @not-secure: the type (typically a device) is not considered
> > +# a security boundary (since 9.1)
>
> What does this mean? Does it mean "do not add an instance of this
> device the guest unless you trust the guest"?
Essentially yes. This ties to our security doc where we declare
we won't consider non-virtualization use cases as being security
bugs (CVEs) as large parts of QEMU haven't been designed to
provide a guest security boundary
https://www.qemu.org/docs/master/system/security.html
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
