
Re: [PATCH] SUPPORT.md: split XSM from Flask


  • To: "Jan Beulich" <jbeulich@xxxxxxxx>
  • From: Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 30 Jul 2024 09:04:52 -0400
  • Cc: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 30 Jul 2024 13:05:06 +0000
  • Importance: Medium
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

---- On Tue, 30 Jul 2024 08:58:03 -0400 Jan Beulich  wrote ---

 > On 30.07.2024 14:35, Andrew Cooper wrote: 
 > > On 30/07/2024 11:57 am, Jan Beulich wrote: 
 > >> XSM is a generic framework, which in particular is also used by SILO. 
 > >> With this it can't really be experimental: Arm enables SILO by default. 
 > > 
 > > It's stronger than this. 
 > > 
 > > XSA-295 makes SILO the only security supported configuration for ARM. 
 >  
 > Okay, switched to "Arm mandates SILO for having a security supported 
 > configuration." 
 >  
 > >> --- a/SUPPORT.md 
 > >> +++ b/SUPPORT.md 
 > >> @@ -768,13 +768,20 @@ Compile time disabled for ARM by default 
 > >> 
 > >>      Status, x86: Supported, not security supported 
 > >> 
 > >> -### XSM & FLASK 
 > >> +### XSM 
 > >> + 
 > >> +    Status: Supported 
 > >> + 
 > >> +See below for use with FLASK and SILO.  The dummy implementation is 
 > >> covered here 
 > >> +as well. 
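
Review bot: In the new "### XSM" section, "Status: Supported" does not say which build it describes, even though the next sentence places the dummy implementation under the same entry. Consider naming the configuration the status applies to and stating the security support explicitly, in the style of the context line above ("Supported, not security supported"). The forward reference "See below" would also be easier to follow if it named the FLASK and SILO headings it points to.
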
 > > 
 > > This feels weird, although I can't suggest a better option. 
 > > 
 > > XSM isn't optional; it can't be compiled out, 
 >  
 > How can it not be? There's an "XSM" Kconfig control. 
 >  
 > > nor can the dummy policy, 
 >  
 > In a way. Yet how the dummy policy is instantiated is quite different 
 > between XSM=y and XSM=n. 

I have pointed this out a few times: the difference between XSM=y vs XSM=n 
determines how the dummy policy is embedded into the hypervisor. XSM=n causes 
the dummy policy hooks to be included directly for the xsm_* hooks. When XSM=y, 
the callback wrapper functions are used for the xsm_* hooks, with the dummy 
policy set for the callbacks.

 > > so it's weird to call out what literally cannot have a statement 
 > > different to the rest of Xen. 
 > > 
 > > Combined with ... 
 > > 
 > >> + 
 > >> +### XSM + FLASK 
 > > 
 > > ... this wanting to say "Flask (XSM module/policy)" IMO, maybe what we 
 > > really want is: 
 > > 
 > > ---%<--- 
 > > ### XSM (Xen Security Modules) 
 > > 
 > > Base XSM is a security policy framework used in Xen.  The dummy policy 
 > > implements a basic "dom0 all powerful, domUs all unprivileged" policy. 
 > > ---%<--- 
 > > 
 > > intentionally without giving a Status. 
 >  
 > As per above, imo XSM=y wants security status named. That's, after all, 
 > part of what was missing / ambiguous so far. 
 >  
 > > Then, the two blocks below are clearly alternative modules which have 
 > > optionality and different support statuses. 
 >  
 > I'll change the wording there some, to be closer to what you and also 
 > Daniel ask for. 

Thank you.

dps
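
The XSM=n versus XSM=y difference described in the message above, as an added example that is not part of the original message and is not Xen source code: a simplified C model showing the same dummy check reached directly and through a callback table that another module can replace. All identifiers (`dummy_priv_op`, `xsm_ops_model`, `register_module`, the two hook names) are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not Xen source; every identifier here is hypothetical. */
struct domain { int id; bool is_privileged; };

/* Dummy policy check: the privileged domain is allowed, all others denied. */
static int dummy_priv_op(const struct domain *d)
{
    return d->is_privileged ? 0 : -EPERM;
}

/* XSM=n shape: the hook is the dummy check itself, bound at compile time. */
static inline int xsm_priv_op_direct(const struct domain *d)
{
    return dummy_priv_op(d);
}

/* XSM=y shape: the hook is a wrapper that calls through a callback table. */
struct xsm_ops_model { int (*priv_op)(const struct domain *d); };

/* The table starts out pointing at the dummy policy. */
static struct xsm_ops_model ops_model = { .priv_op = dummy_priv_op };

static inline int xsm_priv_op_wrapped(const struct domain *d)
{
    return ops_model.priv_op(d);
}

/* A stricter stand-in module (denies everyone) to show replacement. */
static int deny_all_priv_op(const struct domain *d) { (void)d; return -EPERM; }

/* Only the XSM=y shape has a table that another module can install into. */
static void register_module(const struct xsm_ops_model *m)
{
    if (m->priv_op)
        ops_model.priv_op = m->priv_op;
}

int main(void)
{
    struct domain dom0 = { 0, true };
    struct xsm_ops_model strict = { .priv_op = deny_all_priv_op };
    printf("dummy:  direct=%d wrapped=%d\n", xsm_priv_op_direct(&dom0), xsm_priv_op_wrapped(&dom0));
    register_module(&strict);
    printf("module: direct=%d wrapped=%d\n", xsm_priv_op_direct(&dom0), xsm_priv_op_wrapped(&dom0));
    return 0;
}
```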



 

