aboutsummaryrefslogtreecommitdiff
path: root/docs/system
diff options
context:
space:
mode:
authorIlya Leoshkevich <iii@linux.ibm.com>2023-06-30 19:04:22 +0100
committerAlex Bennée <alex.bennee@linaro.org>2023-07-03 12:52:34 +0100
commitabf7ba310b7b0c13b4fe936621bbb8e416754c0c (patch)
treee5171daad16af50480ee6f3c99a0bd7f5c4d13ca /docs/system
parente282010b2e1e34e1579c933cadf278833d527812 (diff)
downloadqemu-abf7ba310b7b0c13b4fe936621bbb8e416754c0c.zip
qemu-abf7ba310b7b0c13b4fe936621bbb8e416754c0c.tar.gz
qemu-abf7ba310b7b0c13b4fe936621bbb8e416754c0c.tar.bz2
docs: Document security implications of debugging
Now that the GDB stub explicitly implements reading host files (note that it was already possible by changing the emulated code to open and read those files), concerns may arise that it undermines security. Document the status quo, which is that the users are already responsible for securing the GDB connection themselves. Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20230630180423.558337-38-alex.bennee@linaro.org>
Diffstat (limited to 'docs/system')
-rw-r--r--docs/system/gdb.rst15
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst
index 7d3718d..9906991 100644
--- a/docs/system/gdb.rst
+++ b/docs/system/gdb.rst
@@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command:
``maintenance packet Qqemu.PhyMemMode:0``
This will change it back to normal memory mode.
+
+Security considerations
+=======================
+
+Connecting to the GDB socket allows running arbitrary code inside the guest;
+in case of the TCG emulation, which is not considered a security boundary, this
+also means running arbitrary code on the host. Additionally, when debugging
+qemu-user, it allows directly downloading any file readable by QEMU from the
+host.
+
+The GDB socket is not protected by authentication, authorization or encryption.
+It is therefore a responsibility of the user to make sure that only authorized
+clients can connect to it, e.g., by using a unix socket with proper
+permissions, or by opening a TCP socket only on interfaces that are not
+reachable by potential attackers.