
[v3,1/4] qom: allow to mark objects as deprecated or not secure.

Message ID 20240606143010.1318226-2-kraxel@redhat.com
State New
Series allow to deprecate objects and devices | expand

Commit Message

Gerd Hoffmann June 6, 2024, 2:30 p.m. UTC
Add flags to ObjectClass for objects which are deprecated or not secure.
Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
'qom-list-types'.  Print the flags when listing devices via '-device
help'.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 include/qom/object.h  | 3 +++
 qom/qom-qmp-cmds.c    | 8 ++++++++
 system/qdev-monitor.c | 8 ++++++++
 qapi/qom.json         | 8 +++++++-
 4 files changed, 26 insertions(+), 1 deletion(-)

Comments

Daniel P. Berrangé June 6, 2024, 2:38 p.m. UTC | #1
On Thu, Jun 06, 2024 at 04:30:07PM +0200, Gerd Hoffmann wrote:
> Add flags to ObjectClass for objects which are deprecated or not secure.
> Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
> 'qom-list-types'.  Print the flags when listing devices via '-device
> help'.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  include/qom/object.h  | 3 +++
>  qom/qom-qmp-cmds.c    | 8 ++++++++
>  system/qdev-monitor.c | 8 ++++++++
>  qapi/qom.json         | 8 +++++++-
>  4 files changed, 26 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
Philippe Mathieu-Daudé June 7, 2024, 6:24 a.m. UTC | #2
On 6/6/24 16:30, Gerd Hoffmann wrote:
> Add flags to ObjectClass for objects which are deprecated or not secure.
> Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
> 'qom-list-types'.  Print the flags when listing devices via '-device
> help'.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   include/qom/object.h  | 3 +++
>   qom/qom-qmp-cmds.c    | 8 ++++++++
>   system/qdev-monitor.c | 8 ++++++++
>   qapi/qom.json         | 8 +++++++-
>   4 files changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/include/qom/object.h b/include/qom/object.h
> index 13d3a655ddf9..419bd9a4b219 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -136,6 +136,9 @@ struct ObjectClass
>       ObjectUnparent *unparent;
>   
>       GHashTable *properties;
> +
> +    bool deprecated;
> +    bool not_secure;

LGTM but I'd rather use a reason string instead of a boolean,
so we are forced to justify.

That would be in line with MachineClass::deprecation_reason:

  * MachineClass:
  * @deprecation_reason: If set, the machine is marked as deprecated.
  *    The string should provide some clear information about what to
  *    use instead.

>   };
>   
>   /**
> diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
> index e91a2353472a..325ff0ba2a25 100644
> --- a/qom/qom-qmp-cmds.c
> +++ b/qom/qom-qmp-cmds.c
> @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data)
>       if (parent) {
>           info->parent = g_strdup(object_class_get_name(parent));
>       }
> +    if (klass->deprecated) {
> +        info->has_deprecated = true;
> +        info->deprecated = true;
> +    }
> +    if (klass->not_secure) {
> +        info->has_not_secure = true;
> +        info->not_secure = true;
> +    }
>   
>       QAPI_LIST_PREPEND(*pret, info);
>   }
> diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> index 6af6ef7d667f..effdc95d21d3 100644
> --- a/system/qdev-monitor.c
> +++ b/system/qdev-monitor.c
> @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc)
>   
>   static void qdev_print_devinfo(DeviceClass *dc)
>   {
> +    ObjectClass *klass = OBJECT_CLASS(dc);
> +
>       qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
>       if (dc->bus_type) {
>           qemu_printf(", bus %s", dc->bus_type);
> @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc)
>       if (!dc->user_creatable) {
>           qemu_printf(", no-user");
>       }
> +    if (klass->deprecated) {
> +        qemu_printf(", deprecated");
> +    }
> +    if (klass->not_secure) {
> +        qemu_printf(", not-secure");
> +    }
>       qemu_printf("\n");
>   }
>   
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 8bd299265e39..3f20d4c6413b 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -163,10 +163,16 @@
>   #
>   # @parent: Name of parent type, if any (since 2.10)
>   #
> +# @deprecated: the type is deprecated (since 9.1)
> +#
> +# @not-secure: the type (typically a device) is not considered
> +#     a security boundary (since 9.1)
> +#
>   # Since: 1.1
>   ##
>   { 'struct': 'ObjectTypeInfo',
> -  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
> +  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str',
> +            '*deprecated': 'bool', '*not-secure': 'bool' } }
>   
>   ##
>   # @qom-list-types:
Markus Armbruster June 12, 2024, 11:07 a.m. UTC | #3
Gerd Hoffmann <kraxel@redhat.com> writes:

> Add flags to ObjectClass for objects which are deprecated or not secure.
> Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
> 'qom-list-types'.  Print the flags when listing devices via '-device
> help'.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  include/qom/object.h  | 3 +++
>  qom/qom-qmp-cmds.c    | 8 ++++++++
>  system/qdev-monitor.c | 8 ++++++++
>  qapi/qom.json         | 8 +++++++-
>  4 files changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/include/qom/object.h b/include/qom/object.h
> index 13d3a655ddf9..419bd9a4b219 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -136,6 +136,9 @@ struct ObjectClass
>      ObjectUnparent *unparent;
>  
>      GHashTable *properties;
> +
> +    bool deprecated;
> +    bool not_secure;
>  };

Ignorant question: should this be in struct TypeImpl instead?

>  
>  /**
> diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
> index e91a2353472a..325ff0ba2a25 100644
> --- a/qom/qom-qmp-cmds.c
> +++ b/qom/qom-qmp-cmds.c
> @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data)
>      if (parent) {
>          info->parent = g_strdup(object_class_get_name(parent));
>      }
> +    if (klass->deprecated) {
> +        info->has_deprecated = true;
> +        info->deprecated = true;
> +    }
> +    if (klass->not_secure) {
> +        info->has_not_secure = true;
> +        info->not_secure = true;
> +    }
>  
>      QAPI_LIST_PREPEND(*pret, info);
>  }
> diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> index 6af6ef7d667f..effdc95d21d3 100644
> --- a/system/qdev-monitor.c
> +++ b/system/qdev-monitor.c
> @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc)
>  
>  static void qdev_print_devinfo(DeviceClass *dc)
>  {
> +    ObjectClass *klass = OBJECT_CLASS(dc);
> +
>      qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
>      if (dc->bus_type) {
>          qemu_printf(", bus %s", dc->bus_type);
> @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc)
>      if (!dc->user_creatable) {
>          qemu_printf(", no-user");
>      }
> +    if (klass->deprecated) {
> +        qemu_printf(", deprecated");
> +    }
> +    if (klass->not_secure) {
> +        qemu_printf(", not-secure");
> +    }
>      qemu_printf("\n");
>  }
>  
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 8bd299265e39..3f20d4c6413b 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -163,10 +163,16 @@
>  #
>  # @parent: Name of parent type, if any (since 2.10)
>  #
> +# @deprecated: the type is deprecated (since 9.1)
> +#
> +# @not-secure: the type (typically a device) is not considered
> +#     a security boundary (since 9.1)

What does this mean?  Does it mean "do not add an instance of this
device to the guest unless you trust the guest"?

> +#
>  # Since: 1.1
>  ##
>  { 'struct': 'ObjectTypeInfo',
> -  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
> +  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str',
> +            '*deprecated': 'bool', '*not-secure': 'bool' } }
>  
>  ##
>  # @qom-list-types:

I dislike booleans named "no-FOO" or "not-FOO", because they lead to
double-negation.
Daniel P. Berrangé June 12, 2024, 11:24 a.m. UTC | #4
On Wed, Jun 12, 2024 at 01:07:44PM +0200, Markus Armbruster wrote:
> Gerd Hoffmann <kraxel@redhat.com> writes:
> 
> > Add flags to ObjectClass for objects which are deprecated or not secure.
> > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
> > 'qom-list-types'.  Print the flags when listing devices via '-device
> > help'.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > ---
> >  include/qom/object.h  | 3 +++
> >  qom/qom-qmp-cmds.c    | 8 ++++++++
> >  system/qdev-monitor.c | 8 ++++++++
> >  qapi/qom.json         | 8 +++++++-
> >  4 files changed, 26 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/qom/object.h b/include/qom/object.h
> > index 13d3a655ddf9..419bd9a4b219 100644
> > --- a/include/qom/object.h
> > +++ b/include/qom/object.h
> > @@ -136,6 +136,9 @@ struct ObjectClass
> >      ObjectUnparent *unparent;
> >  
> >      GHashTable *properties;
> > +
> > +    bool deprecated;
> > +    bool not_secure;
> >  };
> 
> Ignorant question: should this be in struct TypeImpl instead?
> 
> >  
> >  /**
> > diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
> > index e91a2353472a..325ff0ba2a25 100644
> > --- a/qom/qom-qmp-cmds.c
> > +++ b/qom/qom-qmp-cmds.c
> > @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data)
> >      if (parent) {
> >          info->parent = g_strdup(object_class_get_name(parent));
> >      }
> > +    if (klass->deprecated) {
> > +        info->has_deprecated = true;
> > +        info->deprecated = true;
> > +    }
> > +    if (klass->not_secure) {
> > +        info->has_not_secure = true;
> > +        info->not_secure = true;
> > +    }
> >  
> >      QAPI_LIST_PREPEND(*pret, info);
> >  }
> > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
> > index 6af6ef7d667f..effdc95d21d3 100644
> > --- a/system/qdev-monitor.c
> > +++ b/system/qdev-monitor.c
> > @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc)
> >  
> >  static void qdev_print_devinfo(DeviceClass *dc)
> >  {
> > +    ObjectClass *klass = OBJECT_CLASS(dc);
> > +
> >      qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
> >      if (dc->bus_type) {
> >          qemu_printf(", bus %s", dc->bus_type);
> > @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc)
> >      if (!dc->user_creatable) {
> >          qemu_printf(", no-user");
> >      }
> > +    if (klass->deprecated) {
> > +        qemu_printf(", deprecated");
> > +    }
> > +    if (klass->not_secure) {
> > +        qemu_printf(", not-secure");
> > +    }
> >      qemu_printf("\n");
> >  }
> >  
> > diff --git a/qapi/qom.json b/qapi/qom.json
> > index 8bd299265e39..3f20d4c6413b 100644
> > --- a/qapi/qom.json
> > +++ b/qapi/qom.json
> > @@ -163,10 +163,16 @@
> >  #
> >  # @parent: Name of parent type, if any (since 2.10)
> >  #
> > +# @deprecated: the type is deprecated (since 9.1)
> > +#
> > +# @not-secure: the type (typically a device) is not considered
> > +#     a security boundary (since 9.1)
> 
> What does this mean?  Does it mean "do not add an instance of this
> device the guest unless you trust the guest"?

Essentially yes. This ties to our security doc where we declare
we won't consider non-virtualization use cases as being security
bugs (CVEs) as large parts of QEMU haven't been designed to
provide a guest security boundary

  https://www.qemu.org/docs/master/system/security.html


With regards,
Daniel
Markus Armbruster June 12, 2024, 11:44 a.m. UTC | #5
Daniel P. Berrangé <berrange@redhat.com> writes:

> On Wed, Jun 12, 2024 at 01:07:44PM +0200, Markus Armbruster wrote:
>> Gerd Hoffmann <kraxel@redhat.com> writes:
>> 
>> > Add flags to ObjectClass for objects which are deprecated or not secure.
>> > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
>> > 'qom-list-types'.  Print the flags when listing devices via '-device
>> > help'.
>> >
>> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

[...]

>> > diff --git a/qapi/qom.json b/qapi/qom.json
>> > index 8bd299265e39..3f20d4c6413b 100644
>> > --- a/qapi/qom.json
>> > +++ b/qapi/qom.json
>> > @@ -163,10 +163,16 @@
>> >  #
>> >  # @parent: Name of parent type, if any (since 2.10)
>> >  #
>> > +# @deprecated: the type is deprecated (since 9.1)
>> > +#
>> > +# @not-secure: the type (typically a device) is not considered
>> > +#     a security boundary (since 9.1)
>> 
>> What does this mean?  Does it mean "do not add an instance of this
>> device the guest unless you trust the guest"?
>
> Essentially yes. This ties to our security doc where we declare
> we won't consider non-virtualization use cases as being security
> bugs (CVEs) as large parts of QEMU haven't been designed to
> provide a guest security boundary
>
>   https://www.qemu.org/docs/master/system/security.html

Would it make sense to add a suitable pointer to the doc comment?

Patch

diff --git a/include/qom/object.h b/include/qom/object.h
index 13d3a655ddf9..419bd9a4b219 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -136,6 +136,9 @@  struct ObjectClass
     ObjectUnparent *unparent;
 
     GHashTable *properties;
+
+    bool deprecated;
+    bool not_secure;
 };
 
 /**
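Review bot: The two new ObjectClass members carry no comment saying who is expected to set them or whether derived types inherit them. As far as I can tell QOM builds a subclass's class struct by copying the parent's, so a flag set in a parent's class_init would probably propagate to every derived type unless a subclass clears it. That is the conservative direction for `not_secure` but may be surprising for `deprecated`, so the intended behaviour should be written down next to the fields, e.g. `/* Set from class_init; inherited by subclasses unless they reset it. */`. The struct definition starts outside this hunk.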
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index e91a2353472a..325ff0ba2a25 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -101,6 +101,14 @@  static void qom_list_types_tramp(ObjectClass *klass, void *data)
     if (parent) {
         info->parent = g_strdup(object_class_get_name(parent));
     }
+    if (klass->deprecated) {
+        info->has_deprecated = true;
+        info->deprecated = true;
+    }
+    if (klass->not_secure) {
+        info->has_not_secure = true;
+        info->not_secure = true;
+    }
 
     QAPI_LIST_PREPEND(*pret, info);
 }
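Review bot: Both optional members are only ever emitted with the value true, so a management client cannot distinguish "type not flagged" from "this QEMU predates the flag". For `not-secure` the absent case is the one a client is most likely to misread as "safe to expose to an untrusted guest". The `@not-secure` text in the qapi/qom.json hunk should say that absence makes no security claim, for example `#     Absence of this member does not imply the type is a security boundary.` qom_list_types_tramp begins outside this hunk, so the initial state of `info` is assumed to be zeroed.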
diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
index 6af6ef7d667f..effdc95d21d3 100644
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@@ -144,6 +144,8 @@  static bool qdev_class_has_alias(DeviceClass *dc)
 
 static void qdev_print_devinfo(DeviceClass *dc)
 {
+    ObjectClass *klass = OBJECT_CLASS(dc);
+
     qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
     if (dc->bus_type) {
         qemu_printf(", bus %s", dc->bus_type);
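Review bot: The new local `klass` repeats the conversion that the following line still spells out as `OBJECT_CLASS(dc)`. Reuse it there, `qemu_printf("name \"%s\"", object_class_get_name(klass));`, so the function performs the cast once and later readers do not wonder whether the two expressions can differ. qdev_print_devinfo continues past the end of this hunk.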
@@ -157,6 +159,12 @@  static void qdev_print_devinfo(DeviceClass *dc)
     if (!dc->user_creatable) {
         qemu_printf(", no-user");
     }
+    if (klass->deprecated) {
+        qemu_printf(", deprecated");
+    }
+    if (klass->not_secure) {
+        qemu_printf(", not-secure");
+    }
     qemu_printf("\n");
 }
 
diff --git a/qapi/qom.json b/qapi/qom.json
index 8bd299265e39..3f20d4c6413b 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -163,10 +163,16 @@ 
 #
 # @parent: Name of parent type, if any (since 2.10)
 #
+# @deprecated: the type is deprecated (since 9.1)
+#
+# @not-secure: the type (typically a device) is not considered
+#     a security boundary (since 9.1)
+#
 # Since: 1.1
 ##
 { 'struct': 'ObjectTypeInfo',
-  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
+  'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str',
+            '*deprecated': 'bool', '*not-secure': 'bool' } }
 
 ##
 # @qom-list-types: