From: Alex Bennée
To: qemu-devel@nongnu.org
Cc: Wainer dos Santos Moschetta, Juan Quintela, Thomas Huth, Cleber Rosa,
 Leonardo Bras, Beraldo Leal, Peter Maydell, Bin Meng, Yanan Wang,
 Darren Kenny, Alexander Bulekov, Marcel Apfelbaum, Peter Xu,
 Radoslaw Biernacki, Laurent Vivier, Paolo Bonzini, Eduardo Habkost,
 qemu-arm@nongnu.org, Stefan Hajnoczi, Richard Henderson, Bandan Das,
 Philippe Mathieu-Daudé, Daniel P. Berrangé, Alexandre Iooss,
 Marcin Juszkiewicz, Leif Lindholm, Laurent Vivier, Qiuhao Li,
 Mahmoud Mandour, Riku Voipio, Alex Bennée, Ilya Leoshkevich
Subject: [PATCH v3 35/36] docs: Document security implications of debugging
Date: Tue, 27 Jun 2023 17:09:42 +0100
Message-Id: <20230627160943.2956928-36-alex.bennee@linaro.org>
In-Reply-To: <20230627160943.2956928-1-alex.bennee@linaro.org>

From: Ilya Leoshkevich Now that the GDB stub explicitly implements reading host files (note that it was already possible by changing the emulated code to open and read those files), concerns may arise that it undermines security. Document the status quo, which is that the users are already responsible for securing the GDB connection themselves. Reviewed-by: Alex Bennée Signed-off-by: Ilya Leoshkevich Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com> Signed-off-by: Alex Bennée Reviewed-by: Philippe Mathieu-Daudé --- docs/system/gdb.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst index 7d3718deef..9906991b84 100644 --- a/docs/system/gdb.rst +++ b/docs/system/gdb.rst @@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command: ``maintenance packet Qqemu.PhyMemMode:0`` This will change it back to normal memory mode. + +Security considerations +======================= + +Connecting to the GDB socket allows running arbitrary code inside the guest; +in case of the TCG emulation, which is not considered a security boundary, this +also means running arbitrary code on the host. Additionally, when debugging +qemu-user, it allows directly downloading any file readable by QEMU from the +host. + +The GDB socket is not protected by authentication, authorization or encryption. +It is therefore a responsibility of the user to make sure that only authorized +clients can connect to it, e.g., by using a unix socket with proper +permissions, or by opening a TCP socket only on interfaces that are not +reachable by potential attackers.
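
Review bot: The second added paragraph, from "It is therefore a responsibility of the user", names the two mitigations only in general terms ("a unix socket with proper permissions", a TCP socket "only on interfaces that are not reachable by potential attackers") and does not say how either is configured, so a reader who lands on this section first has nothing concrete to act on; consider adding a cross-reference to wherever this document describes setting up the GDB socket, or a short example for the unix-socket case. In the first paragraph, the sentence about qemu-user sits in docs/system/gdb.rst, a system-emulation document, so it is worth either stating explicitly that the section covers both modes or repeating the warning in the user-mode documentation where qemu-user readers will look. Wording nits: "in case of the TCG emulation" reads better as "in the case of TCG emulation", and "a responsibility of the user" as "the responsibility of the user".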