In this post I will explore compiling QEMU with fewer options/drivers, thereby removing some code to theoretically make QEMU more secure.
First off I want to note that this is an experiment. I'm not working on this for a production system, and I haven't worked a lot with QEMU compilation, nor do I know what code is necessary or unnecessary for my particular application. I'm just messing around, trying to learn some things about QEMU, what code is in it by default, and what code could be removed via compile options.
Having said that, the OpenStack Security Guide does talk about compiling a custom QEMU so that it can be "hardened," which includes turning off options/drivers that aren't needed.
I'm going to try this out on Ubuntu Trusty 14.04 using a Vagrant box.
First, we need git.
root# apt-get install git -y
Next clone the QEMU project code.
root# git clone git://git.qemu-project.org/qemu.git
Get all the other things you need to compile QEMU.
root# apt-get build-dep qemu -y
Running ./configure --help, we can see there are all kinds of things we can disable and thus probably break QEMU. :)
root# cd qemu/
root# ./configure --help | grep disable
  --disable-debug-tcg      disable TCG debugging (default)
  --disable-debug-info     disable debugging information
  --disable-sparse         disable sparse checker (default)
  --disable-strip          disable stripping binaries
  --disable-werror         disable compilation abort on warning
  --disable-stack-protector disable compiler-provided stack protection
  --disable-sdl            disable SDL
  --disable-gtk            disable gtk UI
  --disable-virtfs         disable VirtFS
  --disable-vnc            disable VNC
  --disable-cocoa          disable Cocoa (Mac OS X only)
  --disable-xen            disable xen backend driver support
  --disable-xen-pci-passthrough
  --disable-brlapi         disable BrlAPI
  --disable-vnc-tls        disable TLS encryption for VNC server
  --disable-vnc-sasl       disable SASL encryption for VNC server
  --disable-vnc-jpeg       disable JPEG lossy compression for VNC server
  --disable-vnc-png        disable PNG compression for VNC server (default)
  --disable-vnc-ws         disable Websockets support for VNC server
  --disable-curses         disable curses output
  --disable-curl           disable curl connectivity
  --disable-fdt            disable fdt device tree
  --disable-bluez          disable bluez stack connectivity
  --disable-slirp          disable SLIRP userspace network connectivity
  --disable-kvm            disable KVM acceleration support
  --disable-rdma           disable RDMA-based migration support
  --disable-system         disable all system emulation targets
  --disable-user           disable all user emulation targets
  --disable-linux-user     disable all linux usermode emulation targets
  --disable-bsd-user       disable all BSD usermode emulation targets
  --disable-guest-base     disable GUEST_BASE support
  --disable-pie            do not build Position Independent Executables
  --disable-uuid           disable uuid support
  --disable-vde            disable support for vde network
  --disable-netmap         disable support for netmap network
  --disable-linux-aio      disable Linux AIO support
  --disable-cap-ng         disable libcap-ng support
  --disable-attr           disable attr and xattr support
  --disable-blobs          disable installing provided firmware blobs
  --disable-docs           disable documentation build
  --disable-vhost-net      disable vhost-net acceleration support
  --disable-spice          disable spice
  --disable-libiscsi       disable iscsi support
  --disable-libnfs         disable nfs support
  --disable-smartcard-nss  disable smartcard nss support
  --disable-libusb         disable libusb (for usb passthrough)
  --disable-usb-redir      disable usb network redirection support
  --disable-guest-agent    disable building of the QEMU Guest Agent
  --disable-seccomp        disable seccomp support
  --disable-coroutine-pool disable coroutine freelist (worse performance)
  --disable-glusterfs      disable GlusterFS backend
  --disable-archipelago    disable Archipelago backend
  --disable-tpm            disable TPM support
  --disable-libssh2        disable ssh block device support
  --disable-vhdx           disable support for the Microsoft VHDX image format
  --disable-quorum         disable quorum block filter support
  --disable-numa           disable libnuma support
If I run configure with only the --target-list=x86_64-softmmu option, it outputs what is turned on and off by default.
root# ./configure --target-list=x86_64-softmmu
Disabling libtool due to broken toolchain support
Install prefix    /usr/local
BIOS directory    /usr/local/share/QEMU
binary directory  /usr/local/bin
library directory /usr/local/lib
module directory  /usr/local/lib/QEMU
libexec directory /usr/local/libexec
include directory /usr/local/include
config directory  /usr/local/etc
local state directory /usr/local/var
Manual directory  /usr/local/share/man
ELF interp prefix /usr/gnemul/QEMU-%M
Source path       /home/vagrant/QEMU
C compiler        cc
Host C compiler   cc
C++ compiler      c++
Objective-C compiler cc
ARFLAGS           rv
CFLAGS            -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -g
QEMU_CFLAGS       -I/usr/include/pixman-1 -Werror -fPIE -DPIE -m64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -Wendif-labels -Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration -Wold-style-definition -Wtype-limits -fstack-protector-all -I/usr/include/p11-kit-1 -I/usr/include/p11-kit-1 -I/usr/include/libpng12 -I/usr/include/spice-server -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/spice-1 -I/usr/include/libusb-1.0
LDFLAGS           -Wl,--warn-common -Wl,-z,relro -Wl,-z,now -pie -m64 -g
make              make
install           install
python            python -B
smbd              /usr/sbin/smbd
module support    no
host CPU          x86_64
host big endian   no
target list       x86_64-softmmu
tcg debug enabled no
gprof enabled     no
sparse enabled    no
strip binaries    yes
profiler          no
static build      no
pixman            system
SDL support       yes
GTK support       no
VTE support       no
curses support    yes
curl support      yes
mingw32 support   no
Audio drivers     oss
Block whitelist (rw)
Block whitelist (ro)
VirtFS support    yes
VNC support       yes
VNC TLS support   yes
VNC SASL support  yes
VNC JPEG support  no
VNC PNG support   yes
VNC WS support    yes
xen support       yes
brlapi support    yes
bluez support     yes
Documentation     yes
GUEST_BASE        yes
PIE               yes
vde support       no
netmap support    no
Linux AIO support yes
ATTR/XATTR support yes
Install blobs     yes
KVM support       yes
RDMA support      no
TCG interpreter   no
fdt support       yes
preadv support    yes
fdatasync         yes
madvise           yes
posix_madvise     yes
sigev_thread_id   yes
uuid support      yes
libcap-ng support yes
vhost-net support yes
vhost-scsi support yes
Trace backends    nop
spice support     yes (0.12.6/0.12.4)
rbd support       yes
xfsctl support    yes
nss used          no
libusb            yes
usb net redir     yes
GLX support       yes
libiscsi support  no
libnfs support    no
build guest agent yes
QGA VSS support   no
seccomp support   yes
coroutine backend ucontext
coroutine pool    yes
GlusterFS support no
Archipelago support no
gcov              gcov
gcov enabled      no
TPM support       yes
libssh2 support   no
TPM passthrough   yes
QOM debugging     yes
vhdx              yes
Quorum            yes
lzo support       no
snappy support    no
NUMA host support no
I see bluez in there; guessing that is something to do with Bluetooth (apparently it is the official Bluetooth Linux stack). Trying not to make a joke about QEMU having the "bluez." Why would we need Bluetooth in QEMU? There is probably a good reason, but let's pick on it anyway and disable it.
root# ./configure --target-list=x86_64-softmmu --disable-bluez | grep bluez
bluez support     no
If I run make install, QEMU will be installed to the default locations.
root# /usr/local/bin/qemu-system-x86_64 -version
QEMU emulator version 2.1.50, Copyright (c) 2003-2008 Fabrice Bellard
If you don't want to install it, the QEMU binary is in:
root# ./x86_64-softmmu/qemu-system-x86_64 -version
QEMU emulator version 2.1.50, Copyright (c) 2003-2008 Fabrice Bellard
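To make the bluez step repeatable for a longer list of features, here is an added shell example (my own code, not from the post or the QEMU project): it builds the --disable arguments and then checks the configure summary, so a feature you thought you dropped cannot silently stay at "yes". The feature list and the summary excerpt are constructed assumptions; the summary labels are the ones shown in the configure output above.

```shell
# Added example (not from the original post): build the --disable list for
# ./configure and confirm from its summary that each dropped feature reports "no".
# The summary text below is a constructed excerpt standing in for a real run.
DISABLED="bluez brlapi spice tpm"   # features we intend to drop (assumed choice)

# Map a --disable-<feature> name to the label configure prints in its summary.
# Only a few labels are mapped here; the default guesses "<feature> support".
summary_label() {
    case "$1" in
        bluez)  echo "bluez support" ;;
        brlapi) echo "brlapi support" ;;
        spice)  echo "spice support" ;;
        tpm)    echo "TPM support" ;;
        *)      echo "$1 support" ;;
    esac
}

# Print the configure command line for the space-separated feature list in $1.
configure_args() {
    args="--target-list=x86_64-softmmu"
    for f in $1; do args="$args --disable-$f"; done
    echo "$args"
}

# Succeed only when summary text $1 reports feature $2 as "no".
feature_is_off() {
    label=$(summary_label "$2")
    # summary lines look like "bluez support     no": capture the word after the label
    state=$(printf '%s\n' "$1" | sed -n "s/^$label[[:space:]]*\([a-z]*\).*/\1/p" | head -n 1)
    [ "$state" = "no" ]
}

# Check every feature in list $2 against summary $1; name the offenders, fail if any.
verify_summary() {
    rc=0
    for f in $2; do
        feature_is_off "$1" "$f" || { echo "still enabled: $f"; rc=1; }
    done
    return $rc
}

# Constructed excerpt of what "./configure $(configure_args "$DISABLED")" would print;
# spice is deliberately left at "yes" so the check is seen catching a mismatch.
SUMMARY="bluez support     no
brlapi support    no
spice support     yes (0.12.6/0.12.4)
TPM support       no"

configure_args "$DISABLED"
verify_summary "$SUMMARY" "$DISABLED" || echo "summary does not match the intended --disable list"
```

In a real build, replace the constructed SUMMARY with the captured output of the configure run and fail the build when verify_summary returns non-zero.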
We don't always have to run a stock system. In some cases it may be completely valid to work towards enhancing security by reducing the attack surface of the QEMU system through disabling drivers and options. In fact the OpenStack security guide mentions doing just that, as well as other compile time options to harden QEMU. Of course knowing what to leave in and what to take out, as well as being able to support that decision in production, is where all the real work is.
In future posts I hope to continue to explore reducing the attack surface of QEMU.