Comment by bonzini - Hacker Neue

bonzini Mar 22, 2017 parent

Zero. TCG is not considered secure/trusted by any means by the QEMU team, unlike KVM or Xen. It has never received a serious security audit.

omribahumi Mar 22, 2017

That doesn't mean people don't use it.

Is what you're saying here documented anywhere?

pm215 Mar 22, 2017

It is documented here, but you're right that ideally we could mention it somewhere more prominent.

http://wiki.qemu-project.org/SecurityProcess#How_impact_and_...

robryk Mar 22, 2017

Is this the correct link? I can find nothing about TCG nor about "tiny code generator" there.

It would be nice to warn about lack of security properties of TCG in some of these places: http://git.qemu-project.org/?p=qemu.git;a=blob_plain;f=tcg/R... http://wiki.qemu-project.org/Documentation/TCG

pm215 Mar 22, 2017

It's the bit where it says 'is it used in conjunction with a hypervisor?'. That's how we define the use cases that count as defendable against malicious guests.

This covers more than just the TCG cpu emulation because it also means that any device model that can only be used with an emulated CPU is also out of scope for CVEs and hasn't been audited to confirm it has no VM-escape bugs. So the internal documentation of TCG itself isn't really the right place to document this I think.

i336_ Mar 22, 2017

Hi, wanted to quickly ask a slightly offtopic question about TCG that I've wondered about for a few years. I was never sure who to ask.

Rob Landley made some small noises about the possibility of leveraging TCG as a successor to tcc (I read about the tinycc/tcc debacle (http://www.landley.net/code/tinycc/) - really sad). I was just curious if such an idea - turning QEMU's code generator into a standalone compiler - is technically feasible in terms of architectural sanity and practical maintainability.

3 More Comments →

This item has no comments currently.