[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features



On 11/21/2017 08:52 AM, Jan Beulich wrote:
>>>> On 13.11.17 at 16:41, <george.dunlap@xxxxxxxxxx> wrote:
>> With the exception of driver domains, which depend on PCI passthrough,
>> and will be introduced later.
>>
>> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> 
> Shouldn't we also explicitly exclude tool stack disaggregation here,
> with reference to XSA-77?

Well in this document, we already consider XSM "experimental"; that
would seem to subsume the specific exclusions listed in XSA-77.

I've modified the "XSM & FLASK" as below; let me know what you think.

The other option would be to make separate entries for specific uses of
XSM (i.e., "for simple domain restriction" vs "for domain disaggregation").

 -George


### XSM & FLASK

    Status: Experimental

Compile time disabled.

Also note that using XSM
to delegate various domain control hypercalls
to particular other domains, rather than only permitting use by dom0,
is also specifically excluded from security support for many hypercalls.
Please see XSA-77 for more details.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.