From patchwork Fri Jun 30 18:04:22 2023
X-Patchwork-Submitter: Alex Bennée
X-Patchwork-Id: 697985
From: Alex Bennée
To: qemu-devel@nongnu.org
Cc: Daniel P. Berrangé, Paolo Bonzini, Stefan Hajnoczi, Leonardo Bras, Laurent Vivier, Peter Xu, Juan Quintela, Beraldo Leal, Radoslaw Biernacki, Qiuhao Li, Peter Maydell, Yanan Wang, Riku Voipio, Wainer dos Santos Moschetta, Mahmoud Mandour, Alexandre Iooss, Alex Bennée, Philippe Mathieu-Daudé, Eduardo Habkost, Thomas Huth, Laurent Vivier, Bin Meng, Marcel Apfelbaum, Bandan Das, Cleber Rosa, Richard Henderson, Leif Lindholm, Marcin Juszkiewicz, qemu-arm@nongnu.org, Darren Kenny, Alexander Bulekov, Ilya Leoshkevich
Subject: [PATCH v4 37/38] docs: Document security implications of debugging
Date: Fri, 30 Jun 2023 19:04:22 +0100
Message-Id: <20230630180423.558337-38-alex.bennee@linaro.org>
In-Reply-To: <20230630180423.558337-1-alex.bennee@linaro.org>
References: <20230630180423.558337-1-alex.bennee@linaro.org>

From: Ilya Leoshkevich Now that the GDB stub explicitly implements reading host files (note that it was already possible by changing the emulated code to open and read those files), concerns may arise that it undermines security. Document the status quo, which is that the users are already responsible for securing the GDB connection themselves. Reviewed-by: Alex Bennée Signed-off-by: Ilya Leoshkevich Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230627160943.2956928-36-alex.bennee@linaro.org> Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com> Signed-off-by: Alex Bennée --- docs/system/gdb.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst index 7d3718deef..9906991b84 100644 --- a/docs/system/gdb.rst +++ b/docs/system/gdb.rst @@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command: ``maintenance packet Qqemu.PhyMemMode:0`` This will change it back to normal memory mode. + +Security considerations +======================= + +Connecting to the GDB socket allows running arbitrary code inside the guest; +in case of the TCG emulation, which is not considered a security boundary, this +also means running arbitrary code on the host. Additionally, when debugging +qemu-user, it allows directly downloading any file readable by QEMU from the +host. + +The GDB socket is not protected by authentication, authorization or encryption. +It is therefore a responsibility of the user to make sure that only authorized +clients can connect to it, e.g., by using a unix socket with proper +permissions, or by opening a TCP socket only on interfaces that are not +reachable by potential attackers.
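Review bot: In the second added paragraph of the new "Security considerations" section, the mitigations are named only in general terms ("a unix socket with proper permissions", "a TCP socket only on interfaces that are not reachable by potential attackers"), so a reader still has to work out how to request either one. Consider showing the corresponding invocation for each, or cross-referencing the part of gdb.rst that documents how the GDB socket is opened. Two smaller points: the qemu-user file-download warning is added to docs/system/gdb.rst, where user-mode users may not look, so a pointer from the user-mode documentation would help; and "a responsibility of the user" reads better as "the responsibility of the user".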