[12/16] SUPPORT.md: Add Security-releated features
diff mbox

Message ID 20171113154126.13038-12-george.dunlap@citrix.com
State New, archived
Headers show

Commit Message

George Dunlap Nov. 13, 2017, 3:41 p.m. UTC
With the exception of driver domains, which depend on PCI passthrough,
and will be introduced later.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Konrad Wilk <konrad.wilk@oracle.com>
CC: Tim Deegan <tim@xen.org>
CC: Tamas K Lengyel <tamas.lengyel@zentific.com>
CC: Rich Persaud <persaur@gmail.com>
---
 SUPPORT.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

Comments

Konrad Rzeszutek Wilk Nov. 16, 2017, 4:23 p.m. UTC | #1
On Mon, Nov 13, 2017 at 03:41:22PM +0000, George Dunlap wrote:
> With the exception of driver domains, which depend on PCI passthrough,
> and will be introduced later.
> 
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> ---
> CC: Ian Jackson <ian.jackson@citrix.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Konrad Wilk <konrad.wilk@oracle.com>

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[the livepatching part]

> CC: Tim Deegan <tim@xen.org>
> CC: Tamas K Lengyel <tamas.lengyel@zentific.com>
> CC: Rich Persaud <persaur@gmail.com>
> ---
>  SUPPORT.md | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 722a29fec5..0f7426593e 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -421,6 +421,40 @@ there is currently no xl support.
>  
>      Status: Supported
>  
> +## Security
> +
> +### Device Model Stub Domains
> +
> +    Status: Supported
> +
> +### KCONFIG Expert
> +
> +    Status: Experimental
> +
> +### Live Patching
> +
> +    Status, x86: Supported
> +    Status, ARM: Experimental
> +
> +Compile time disabled for ARM
> +
> +### Virtual Machine Introspection
> +
> +    Status, x86: Supported, not security supported
> +
> +### XSM & FLASK
> +
> +    Status: Experimental
> +
> +Compile time disabled
> +
> +### FLASK default policy
> +
> +    Status: Experimental
> +    
> +The default policy includes FLASK labels and roles for a "typical" Xen-based system
> +with dom0, driver domains, stub domains, domUs, and so on.
> +
>  ## Virtual Hardware, Hypervisor
>  
>  ### x86/Nested PV
> -- 
> 2.15.0
>
Jan Beulich Nov. 21, 2017, 8:52 a.m. UTC | #2
>>> On 13.11.17 at 16:41, <george.dunlap@citrix.com> wrote:
> With the exception of driver domains, which depend on PCI passthrough,
> and will be introduced later.
> 
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>

Shouldn't we also explicitly exclude tool stack disaggregation here,
with reference to XSA-77?

Jan
George Dunlap Nov. 22, 2017, 5:13 p.m. UTC | #3
On 11/21/2017 08:52 AM, Jan Beulich wrote:
>>>> On 13.11.17 at 16:41, <george.dunlap@citrix.com> wrote:
>> With the exception of driver domains, which depend on PCI passthrough,
>> and will be introduced later.
>>
>> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> 
> Shouldn't we also explicitly exclude tool stack disaggregation here,
> with reference to XSA-77?

Well in this document, we already consider XSM "experimental"; that
would seem to subsume the specific exclusions listed in XSA-77.

I've modified the "XSM & FLASK" as below; let me know what you think.

The other option would be to make separate entries for specific uses of
XSM (i.e., "for simple domain restriction" vs "for domain disaggregation").

 -George


### XSM & FLASK

    Status: Experimental

Compile time disabled.

Also note that using XSM
to delegate various domain control hypercalls
to particular other domains, rather than only permitting use by dom0,
is also specifically excluded from security support for many hypercalls.
Please see XSA-77 for more details.

Patch
diff mbox

diff --git a/SUPPORT.md b/SUPPORT.md
index 722a29fec5..0f7426593e 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -421,6 +421,40 @@  there is currently no xl support.
 
     Status: Supported
 
+## Security
+
+### Device Model Stub Domains
+
+    Status: Supported
+
+### KCONFIG Expert
+
+    Status: Experimental
+
+### Live Patching
+
+    Status, x86: Supported
+    Status, ARM: Experimental
+
+Compile time disabled for ARM
+
+### Virtual Machine Introspection
+
+    Status, x86: Supported, not security supported
+
+### XSM & FLASK
+
+    Status: Experimental
+
+Compile time disabled
+
+### FLASK default policy
+
+    Status: Experimental
+    
+The default policy includes FLASK labels and roles for a "typical" Xen-based system
+with dom0, driver domains, stub domains, domUs, and so on.
+
 ## Virtual Hardware, Hypervisor
 
 ### x86/Nested PV