
Re: [Xen-devel] [PATCH 12/16] SUPPORT.md: Add Security-releated features



>>> On 22.11.17 at 18:13, <george.dunlap@xxxxxxxxxx> wrote:
> On 11/21/2017 08:52 AM, Jan Beulich wrote:
>>>>> On 13.11.17 at 16:41, <george.dunlap@xxxxxxxxxx> wrote:
>>> With the exception of driver domains, which depend on PCI passthrough,
>>> and will be introduced later.
>>>
>>> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
>> 
>> Shouldn't we also explicitly exclude tool stack disaggregation here,
>> with reference to XSA-77?
> 
> Well in this document, we already consider XSM "experimental"; that
> would seem to subsume the specific exclusions listed in XSA-77.
> 
> I've modified the "XSM & FLASK" as below; let me know what you think.
> 
> The other option would be to make separate entries for specific uses of
> XSM (i.e., "for simple domain restriction" vs "for domain disaggregation").
> 
>  -George
> 
> 
> ### XSM & FLASK
> 
>     Status: Experimental
> 
> Compile time disabled.
> 
> Also note that using XSM
> to delegate various domain control hypercalls
> to particular other domains, rather than only permitting use by dom0,
> is also specifically excluded from security support for many hypercalls.
> Please see XSA-77 for more details.

That's fine with me.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

