[libvirt] [PATCH] security: Do not restore kernel and initrd labels

Andrea Bolognani abologna at redhat.com
Fri Jan 15 12:34:58 UTC 2016


On Fri, 2016-01-15 at 11:50 +0100, Jiri Denemark wrote:
> > > > but I'm wondering if the nvram and dtb lines before & after would
> > > > potentially suffer the same problem
> > > 
> > > Yeah, I was wondering about that too, but I wasn't quite sure whether
> > > they are similar or not.
> > Could Rich's test be tweaked some way in order to find out?
> 
> Well, it could, but the question is whether it would be correct usage
> :-)
> 
> And it seems nvram is actually different:
> 
>     /* This is different than kernel or initrd. The nvram store
>      * is really a disk, qemu can read and write to it. */
> 
> and we use imagelabel for nvram.
> 
> However, dtb (whatever that is used for) gets the same label we use for
> kernel/initrd so it looks like it could be similar. However, I have no
> idea what this beast is all about :-)

AFAICT the Device Tree (which is contained in the file pointed to by
the <dtb> element) is copied into the guest memory at startup and only
used by the kernel to collect information about the hardware, so it
should be safe to treat it the same way as kernel and initrd.

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team
