From patchwork Mon Jul 3 13:44:26 2023
X-Patchwork-Submitter: Alex Bennée
X-Patchwork-Id: 698697
From: Alex Bennée
To: qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, Ilya Leoshkevich, Alex Bennée, Philippe Mathieu-Daudé
Subject: [PULL 37/38] docs: Document security implications of debugging
Date: Mon, 3 Jul 2023 14:44:26 +0100
Message-Id: <20230703134427.1389440-38-alex.bennee@linaro.org>
In-Reply-To: <20230703134427.1389440-1-alex.bennee@linaro.org>
References: <20230703134427.1389440-1-alex.bennee@linaro.org>

From: Ilya Leoshkevich

Now that the GDB stub explicitly implements reading host files (note that it
was already possible by changing the emulated code to open and read those
files), concerns may arise that it undermines security. Document the status
quo, which is that the users are already responsible for securing the GDB
connection themselves.

Reviewed-by: Alex Bennée
Signed-off-by: Ilya Leoshkevich
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com>
Signed-off-by: Alex Bennée
Message-Id: <20230630180423.558337-38-alex.bennee@linaro.org>

diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst
index 7d3718deef..9906991b84 100644
--- a/docs/system/gdb.rst
+++ b/docs/system/gdb.rst
@@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command: ``maintenance packet Qqemu.PhyMemMode:0`` This will change it back to normal memory mode. + +Security considerations +======================= + +Connecting to the GDB socket allows running arbitrary code inside the guest; +in case of the TCG emulation, which is not considered a security boundary, this +also means running arbitrary code on the host. Additionally, when debugging +qemu-user, it allows directly downloading any file readable by QEMU from the +host. + +The GDB socket is not protected by authentication, authorization or encryption. +It is therefore a responsibility of the user to make sure that only authorized +clients can connect to it, e.g., by using a unix socket with proper +permissions, or by opening a TCP socket only on interfaces that are not +reachable by potential attackers.
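Review bot: The second paragraph of the new section leaves the mitigation vaguer than it needs to be; "a unix socket with proper permissions" does not say what proper means, and a reader who has just learned that the socket grants arbitrary code execution on the host (under TCG) and host file reads (under qemu-user) will want the concrete rule. Suggest spelling it out, e.g. "a unix socket whose file and parent directory are accessible only to the user running the debugger", and likewise for TCP, "bound to the loopback interface rather than to all interfaces". Two smaller wording points in the same paragraph: "It is therefore a responsibility of the user" reads better as "It is therefore the responsibility of the user", and in the first paragraph "downloading any file readable by QEMU from the host" is clearer as "reading any host file that the QEMU process itself can read", which also makes explicit that the exposure is bounded by the privileges QEMU runs with, a useful hint that running QEMU as an unprivileged user limits the damage.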