|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On Nov 22, 2017, at 13:58, George Dunlap <george.dunlap@xxxxxxxxxx> wrote: > >> On 11/16/2017 03:43 PM, Julien Grall wrote: >> Hi George, >> >>> On 13/11/17 15:41, George Dunlap wrote: >>> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> >>> --- >>> CC: Ian Jackson <ian.jackson@xxxxxxxxxx> >>> CC: Wei Liu <wei.liu2@xxxxxxxxxx> >>> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >>> CC: Jan Beulich <jbeulich@xxxxxxxx> >>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> >>> CC: Konrad Wilk <konrad.wilk@xxxxxxxxxx> >>> CC: Tim Deegan <tim@xxxxxxx> >>> CC: Rich Persaud <persaur@xxxxxxxxx> >>> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> >>> CC: Christopher Clark <christopher.w.clark@xxxxxxxxx> >>> CC: James McKenzie <james.mckenzie@xxxxxxxxxxx> >>> --- >>> SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- >>> 1 file changed, 32 insertions(+), 1 deletion(-) >>> >>> diff --git a/SUPPORT.md b/SUPPORT.md >>> index 3e352198ce..a8388f3dc5 100644 >>> --- a/SUPPORT.md >>> +++ b/SUPPORT.md >>> @@ -454,9 +454,23 @@ there is currently no xl support. >>> ## Security >>> +### Driver Domains >>> + >>> + Status: Supported, with caveats >>> + >>> +"Driver domains" means allowing non-Domain 0 domains >>> +with access to physical devices to act as back-ends. >>> + >>> +See the appropriate "Device Passthrough" section >>> +for more information about security support. >>> + >>> ### Device Model Stub Domains >>> - Status: Supported >>> + Status: Supported, with caveats >>> + >>> +Vulnerabilities of a device model stub domain >>> +to a hostile driver domain (either compromised or untrusted) >>> +are excluded from security support. >>> ### KCONFIG Expert >>> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >>> Disabled by default (enable with hypervisor command line option). >>> This feature is not security supported: see >>> http://xenbits.xen.org/xsa/advisory-163.html >>> +### x86/PCI Device Passthrough >>> + >>> + Status: Supported, with caveats >>> + >>> +Only systems using IOMMUs will be supported. >>> + >>> +Not compatible with migration, altp2m, introspection, memory sharing, >>> or memory paging. >>> + >>> +Because of hardware limitations >>> +(affecting any operating system or hypervisor), >>> +it is generally not safe to use this feature >>> +to expose a physical device to completely untrusted guests. >>> +However, this feature can still confer significant security benefit >>> +when used to remove drivers and backends from domain 0 >>> +(i.e., Driver Domains). >>> +See docs/PCI-IOMMU-bugs.txt for more information. >> >> Where can I find this file? Is it in staging? > > No, I took this from a recommendation made to me, without checking. > > Rich, are you going to send a patch adding this file, or did you mean to > point to a different file? Yes, I’ll send a patch to add this file. Rich _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |