[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: Introduce "json-file:"

From: Fam Zheng
Subject: Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: Introduce "json-file:" protocol
Date: Tue, 3 Nov 2015 15:56:11 +0800
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, 11/03 07:35, Daniel P. Berrange wrote:
> On Tue, Nov 03, 2015 at 03:01:16PM +0800, Fam Zheng wrote:
> > This would be a safer channel when we want to provide block options that
> > contain sensitive information, such as fields for authentication.
> If passing of security sensitive data is the motivation for this,
> then I don't think we want it really. This approach merely avoids
> the config being visible in the process listing, which is really just
> one problem. When people file bugs they are going to need to provide
> the block device config, and that still going to contain sensitive
> info and thus leak. Similarly apps generating block config like libvirt
> are still going to be logging the block config they generate, which is
> again going to leak secrets. Finally, we need the ability to pass
> security sensitive data to QEMU in many other areas besides block devices
> so need a more general mechanism
> I've proposed a way to provide secrets to QEMU in a way that is
> usable across all QEMU backends, that I think is a much better
> approach because it totally decouples the sensitive data from
> the rest of the config data, rather than having it inline
>   https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04365.html

Apparently I've overlooked your post, thanks for pointing out. I think your
solution covers everything this series has to do.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]