[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2] vl.c: disallow command line fw cfg without o

From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH v2] vl.c: disallow command line fw cfg without opt/
Date: Thu, 17 Mar 2016 11:09:24 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Top level reply, because this isn't in reply to any specific message in
the thread, more like in reply to all of them.

FW CFG's primary user is QEMU, which uses it to expose configuration
information (in the widest sense) to Firmware.  Thus the name FW CFG.

FW CFG can also be used by others for their own purposes.  QEMU is
merely acting as transport then.

I think there are actually three separate questions that should not be
mixed up.

1. Is it a good idea to offer FW CFG as a transport to others?

   I have no opinion on this myself, but I trust Gerd's and Laszlo's
   judgement.  Their answer seems to be a clear yes.

2. Is it a good idea to let users mess with QEMU's use of FW CFG?

   I think this is a special case of a more general question: should we
   try to protect the user from himself?

   We should definitely try not to trap the user.  Obvious usage should
   be as safe as we can make it.  Risky usage should be marked in the
   docs and/or warn on use.

   However, we should not try to stop our users from doing stupid
   things, as that would also stop them from doing clever things.

3. How should the FW CFG name space be shared among its users?

   Bad things can happen if others use the namespace in ways that
   conflict with QEMU's use, or conflict with another "other".

   This isn't an issue specific to FW CFG.  For instance, upstream QEMU
   and the various downstream QEMUs all use the QMP command name space,
   and bad things can happen if they conflict.  The difference is they'd
   conflict at compile time.  Conflicts are easier to detect, but just
   as hard to resolve.

   QMP's solution is to reserve part of the name space for "others"
   (downstreams), and subdivide the reserved part further via RFQDN:
   owning a DNS domain name makes you own that RFQDN subdivision.

   For FW CFG, we did only the first half, namely reserving part of the
   name space for others: /opt/.  We neglected to spell out rules for
   its safe sharing, i.e. the second part.

   I don't think it's too late to fix that: amend the specification to
   stipulate that owning a DNS domain name makes you own /opt/RFQDN/.
   Throw in known existing uses like /opt/ovmf/ as special cases.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]