From patchwork Wed Nov 22 19:20:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: George Dunlap <george.dunlap@citrix.com>
X-Patchwork-Id: 10070839
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8AC4F6038F for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 22 Nov 2017 19:31:01 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7E82C29DA5
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 22 Nov 2017 19:31:01 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 735A729DCC; Wed, 22 Nov 2017 19:31:01 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 242A829DA5
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 22 Nov 2017 19:31:00 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1eHah5-0000AY-JZ; Wed, 22 Nov 2017 19:28:23 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <prvs=49202577f=George.Dunlap@citrix.com>)
	id 1eHah4-0000AL-3T
	for xen-devel@lists.xenproject.org; Wed, 22 Nov 2017 19:28:22 +0000
Received: from [85.158.139.211] by server-9.bemta-5.messagelabs.com id
	95/4F-27390-5DFC51A5; Wed, 22 Nov 2017 19:28:21 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRWlGSWpSXmKPExsXitHSDve6V86J
	RBhNnGlh83zKZyYHR4/CHKywBjFGsmXlJ+RUJrBkrjl1gLugUqTi88g1jA2OnYBcjJ4eEgL/E
	hm132EBsNgE9iXnHv7J0MXJwiAioSNzea9DFyMXBLNDCIrHvzw12kBphATeJvS8Ws4LYLAKqE
	u1fjjGC2LwCdhLXjjWyQMyUl1j8fSfYTE6g+KPJ88FsIQFbiVNb5zJD1AtKnJz5BKyeWUBTon
	X7b3YIW16ieetsZoh6VYnFD46yT2Dkm4WkZRaSlllIWhYwMq9i1ChOLSpLLdI1NNJLKspMzyj
	JTczM0TU0MNXLTS0uTkxPzUlMKtZLzs/dxAgMNgYg2MHYN8v5EKMkB5OSKG/wcpEoIb6k/JTK
	jMTijPii0pzU4kOMMhwcShK8osDgFRIsSk1PrUjLzAGGPUxagoNHSYT3+DmgNG9xQWJucWY6R
	OoUoyXHsU2X/zBxPJv5uoGZY9rV1iZmIZa8/LxUKXHecyANAiANGaV5cONgsXmJUVZKmJcR6E
	AhnoLUotzMElT5V4ziHIxKwrxvQKbwZOaVwG19BXQQE9BBP48LgxxUkoiQkmpg7LI+v3rl89r
	8t4IfFZ8VNn9fLvEvzufPhNMvfUoEPjiw5e+9xNEX0T/lKe+eCTu2SFgt+rVBbmp9//sHEVO3
	rS5IPXdY7sGmg9NvmG6TWbz/8Q3VvCy3+I0B+24ctg7Vz2kwuNBTcZR/cXLwlZlL36pFuddfM
	H7F4WeemG21bG3ISjvZTnej6UosxRmJhlrMRcWJAHUhd1TIAgAA
X-Env-Sender: prvs=49202577f=George.Dunlap@citrix.com
X-Msg-Ref: server-14.tower-206.messagelabs.com!1511378899!69560426!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 9.4.45; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 2188 invoked from network); 22 Nov 2017 19:28:20 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-14.tower-206.messagelabs.com with RC4-SHA encrypted SMTP;
	22 Nov 2017 19:28:20 -0000
X-IronPort-AV: E=Sophos;i="5.44,436,1505779200"; d="scan'208";a="460304770"
From: George Dunlap <george.dunlap@citrix.com>
To: <xen-devel@lists.xenproject.org>
Date: Wed, 22 Nov 2017 19:20:21 +0000
Message-ID: <20171122192024.21187-14-george.dunlap@citrix.com>
X-Mailer: git-send-email 2.15.0
In-Reply-To: <20171122192024.21187-1-george.dunlap@citrix.com>
References: <20171122192024.21187-1-george.dunlap@citrix.com>
MIME-Version: 1.0
Cc: James McKenzie <james.mckenzie@bromium.com>,
	Christopher Clark <christopher.w.clark@gmail.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>, Konrad Wilk <konrad.wilk@oracle.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>, Tim Deegan <tim@xen.org>,
	George Dunlap <george.dunlap@citrix.com>,
	=?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
	<marmarek@invisiblethingslab.com>, Rich Persaud <persaur@gmail.com>,
	Jan Beulich <jbeulich@suse.com>, Ian Jackson <ian.jackson@citrix.com>
Subject: [Xen-devel] [PATCH v3 14/17] SUPPORT.md: Add statement on PCI
	passthrough
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
Changes since v2:
- Separate PV and HVM passthrough (excluding PVH by implication)
- + not compatible with PoD
- 'will be' -> 'are'

NB that we don't seem to have the referenced file yet; left as a reference.

CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Konrad Wilk <konrad.wilk@oracle.com>
CC: Tim Deegan <tim@xen.org>
CC: Rich Persaud <persaur@gmail.com>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Christopher Clark <christopher.w.clark@gmail.com>
CC: James McKenzie <james.mckenzie@bromium.com>
---
 SUPPORT.md | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/SUPPORT.md b/SUPPORT.md
index 63f6a6d127..c8fec4daa8 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -486,9 +486,23 @@ but has no xl support.
 
 ## Security
 
+### Driver Domains
+
+    Status: Supported, with caveats
+
+"Driver domains" means allowing non-Domain 0 domains
+with access to physical devices to act as back-ends.
+
+See the appropriate "Device Passthrough" section
+for more information about security support.
+
 ### Device Model Stub Domains
 
-    Status: Supported
+    Status: Supported, with caveats
+
+Vulnerabilities of a device model stub domain
+to a hostile driver domain (either compromised or untrusted)
+are excluded from security support.
 
 ### KCONFIG Expert
 
@@ -559,6 +573,26 @@ Virtual Performance Management Unit for HVM guests
 Disabled by default (enable with hypervisor command line option).
 This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html
 
+### x86/PCI Device Passthrough
+
+    Status, x86 PV: Supported, with caveats
+    Status, x86 HVM: Supported, with caveats
+
+Only systems using IOMMUs are supported.
+
+Not compatible with migration, populate-on-demand, altp2m,
+introspection, memory sharing, or memory paging.
+
+Because of hardware limitations
+(affecting any operating system or hypervisor),
+it is generally not safe to use this feature
+to expose a physical device to completely untrusted guests.
+However, this feature can still confer significant security benefit
+when used to remove drivers and backends from domain 0
+(i.e., Driver Domains).
+
+XXX See docs/PCI-IOMMU-bugs.txt for more information.
+
 ### ARM/Non-PCI device passthrough
 
     Status: Supported, not security supported