[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features

To: Jan Beulich <JBeulich@xxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxx>
Date: Wed, 22 Nov 2017 17:13:13 +0000
Cc: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>, StefanoStabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, RichPersaud <persaur@xxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 22 Nov 2017 17:13:26 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 11/21/2017 08:52 AM, Jan Beulich wrote:
>>>> On 13.11.17 at 16:41, <george.dunlap@xxxxxxxxxx> wrote:
>> With the exception of driver domains, which depend on PCI passthrough,
>> and will be introduced later.
>>
>> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> 
> Shouldn't we also explicitly exclude tool stack disaggregation here,
> with reference to XSA-77?

Well in this document, we already consider XSM "experimental"; that
would seem to subsume the specific exclusions listed in XSA-77.

I've modified the "XSM & FLASK" as below; let me know what you think.

The other option would be to make separate entries for specific uses of
XSM (i.e., "for simple domain restriction" vs "for domain disaggregation").

 -George

### XSM & FLASK

    Status: Experimental

Compile time disabled.

Also note that using XSM
to delegate various domain control hypercalls
to particular other domains, rather than only permitting use by dom0,
is also specifically excluded from security support for many hypercalls.
Please see XSA-77 for more details.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH 01/16] Introduce skeleton SUPPORT.md
  - From: George Dunlap
- [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features
  - From: George Dunlap
- Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH 10/16] SUPPORT.md: Add Debugging, analysis, crash post-portem
Next by Date: Re: [Xen-devel] [PATCH 13/16] SUPPORT.md: Add secondary memory management features
Previous by thread: Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features
Next by thread: Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.