[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v7 12/12] xen: clarify the security-support status of Kconfig options on ARM


On 07/07/18 00:14, Stefano Stabellini wrote:
Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: George.Dunlap@xxxxxxxxxxxxx
CC: Ian.Jackson@xxxxxxxxxxxxx
CC: jbeulich@xxxxxxxx
CC: andrew.cooper3@xxxxxxxxxx
  SUPPORT.md | 10 ++++++++++
  1 file changed, 10 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index e3e49e2..151a63d 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -22,6 +22,16 @@ EXPERT and DEBUG Kconfig options are not security supported. 
  Kconfig options are supported, if the related features are marked as
  supported in this document.
+On ARM, a wider range of Kconfig configurations is available to enable
+very small lines of code counts in the hypervisor. Not all possible
+combinations of kconfig options are security supported. Instead, a few

NIT: s/kconfig/Kconfig/

+pre-canned configurations have been added to xen/arch/arm/configs: they
+are security suppored. Configurations derived from the pre-canned files


+by adding non-listed options with their default values, or by enabling
+any of the platform options under "Platform Support" (and their
+dependent options) are security supported, unless stated

I am not entirely sure to understand the implications the paragraph.

For instance, if I choose arm64_defconfig, memaccess will be enabled by default but any use of it is not security supported. What will be the state of the security support for that .config?

I also think an Ack from the security team will probably more meaningful than mine here. After all they are the one dealing with the security issues :).


  ## Host Architecture
### x86-64

Julien Grall

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.