Add support for Qcow2 disk images #237

Merged (3 commits) on Nov 29, 2024
132 changes: 132 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default.

63 changes: 60 additions & 3 deletions include/libkrun.h
Expand Up @@ -95,16 +95,20 @@ int32_t krun_set_root_disk(uint32_t ctx_id, const char *disk_path);
int32_t krun_set_data_disk(uint32_t ctx_id, const char *disk_path);

/**
* Adds a disk image to be used as a general partition for the microVM.
* Adds a disk image to be used as a general partition for the microVM. The only supported image
* format is "raw".
*
* This API is mutually exclusive with the deprecated krun_set_root_disk and
* krun_set_data_disk methods and must not be used together.
*
* This function deliberately only handles images in the Raw format, because it doesn't allow
* specifying an image format, and probing an image's format is dangerous. For more information,
* see the security note on `krun_add_disk2`, which allows opening non-Raw images.
*
* Arguments:
* "ctx_id" - the configuration context ID.
* "block_id" - a null-terminated string representing the partition.
* "disk_path" - a null-terminated string representing the path leading to the disk image that
* contains the root file-system.
* "disk_path" - a null-terminated string representing the path leading to the disk image.
* "read_only" - whether the mount should be read-only. Required if the caller does not have
* write permissions (for disk images in /usr/share).
*
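Review bot: the new sentence "The only supported image format is "raw"" does not say what happens when a caller hands krun_add_disk a file in another format. Since the paragraph below states that this function never probes and cannot be told a format, a Qcow2 file passed here is presumably exposed to the guest as raw bytes rather than rejected; say so explicitly next to that sentence (e.g. "The image is never probed; a file in any other format is exposed to the guest as its raw contents.") so callers do not assume a format mismatch is detected. Minor: "probing an image's format is dangerous" would read better as "probing an image's format is unsafe (see the security note on krun_add_disk2)", matching the reference already made on the following line.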
Expand All @@ -113,6 +117,59 @@ int32_t krun_set_data_disk(uint32_t ctx_id, const char *disk_path);
*/
int32_t krun_add_disk(uint32_t ctx_id, const char *block_id, const char *disk_path, bool read_only);

/* Supported disk image formats */
#define KRUN_DISK_FORMAT_RAW 0
#define KRUN_DISK_FORMAT_QCOW2 1
/**
* Adds a disk image to be used as a general partition for the microVM. The supported
* image formats are: "raw" and "qcow2".
*
* This API is mutually exclusive with the deprecated krun_set_root_disk and
* krun_set_data_disk methods and must not be used together.
*
* SECURITY NOTE:
* Non-Raw images can reference other files, which libkrun will automatically open, and to which the
* guest will have access. Libkrun should therefore never be asked to open an image in a non-Raw
* format when it doesn't come from a fully trustworthy source.
*
* Consequently, probing an image's format is quite dangerous and to be avoided if at all possible,
* which is why libkrun provides no facilities for doing so. If it's not clear what format an image
* has, it may also not be clear whether it can be trusted to not reference files to which the guest
* shouldn't have access.
*
* If probing absolutely can't be avoided, it must only be done on images that are fully trusted, i.e.
* before a potentially untrusted guest had write access to it. Specifically, consider that a guest has
* full access to all of a Raw image, and can therefore turn it into a file in an arbitrary format, for
* example, into a Qcow2 image, referencing and granting a malicious guest access to arbitrary files.
* To hand a Raw image to an untrusted and potentially malicious guest, and then to re-probe it after
* the guest was able to write to it (when it can no longer be trusted), would therefore be a severe
* security vulnerability.
*
* Therefore, after having probed a yet fully trusted image once, the result must be remembered so the
* image will from then on always be opened in the format that was detected originally. When adhering
* to this, a guest can write anything they want to a Raw image, it's always going to be opened as a
* Raw image, preventing the security vulnerability outlined above.
*
* However, if at all possible, the image format should be explicitly selected based on knowledge
* obtained separately from the pure image data, for example by the user.
*
* Arguments:
* "ctx_id" - the configuration context ID.
* "block_id" - a null-terminated string representing the partition.
* "disk_path" - a null-terminated string representing the path leading to the disk image.
* "disk_format" - the disk image format (i.e. KRUN_DISK_FORMAT_{RAW, QCOW2})
* "read_only" - whether the mount should be read-only. Required if the caller does not have
* write permissions (for disk images in /usr/share).
*
* Returns:
* Zero on success or a negative error number on failure.
*/
int32_t krun_add_disk2(uint32_t ctx_id,
const char *block_id,
const char *disk_path,
uint32_t disk_format,
bool read_only);

/**
* NO LONGER SUPPORTED. DO NOT USE.
*
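Review bot: the "Returns" section of krun_add_disk2 does not say what happens when "disk_format" is neither KRUN_DISK_FORMAT_RAW nor KRUN_DISK_FORMAT_QCOW2. Because the parameter is a plain uint32_t, document that any other value fails with a negative error number, and make sure the implementation rejects it rather than falling back to raw or to probing, which the security note above goes to some length to forbid. Two smaller points: the argument description should read "one of KRUN_DISK_FORMAT_RAW or KRUN_DISK_FORMAT_QCOW2" rather than "(i.e. KRUN_DISK_FORMAT_{RAW, QCOW2})", and the two "#define" lines under "/* Supported disk image formats */" should be separated from the following "/**" doc comment by a blank line so the comment is not read as documenting the macros.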
2 changes: 2 additions & 0 deletions src/devices/Cargo.toml
Expand Up @@ -34,6 +34,8 @@ utils = { path = "../utils" }
polly = { path = "../polly" }
rutabaga_gfx = { path = "../rutabaga_gfx", features = ["virgl_renderer", "virgl_renderer_next"], optional = true }

imago = { version = "0.1.2", features = ["sync-wrappers", "vm-memory"] }

[target.'cfg(target_os = "macos")'.dependencies]
hvf = { path = "../hvf" }
lru = ">=0.9"
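Review bot: "imago" is added as an unconditional dependency of the devices crate, whereas the neighbouring "rutabaga_gfx" line shows the crate already gates functionality not every build needs behind "optional = true" and a feature; consider the same for Qcow2 support so builds that only serve raw images do not link a second image-format parser that operates on guest-influenced data. Also add a short comment on why the "sync-wrappers" and "vm-memory" features are required, and note that "version = "0.1.2"" is a caret requirement, so the exact crate version is fixed only by the Cargo.lock changes in this PR.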