
Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported


  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 19 Jul 2021 08:57:20 +0200
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, george.dunlap@xxxxxxxxxx, iwj@xxxxxxxxxxxxxx, wl@xxxxxxx, Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>
  • Delivery-date: Mon, 19 Jul 2021 06:57:33 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16.07.2021 22:29, Stefano Stabellini wrote:
> On Thu, 15 Jul 2021, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 15/07/2021 00:48, Stefano Stabellini wrote:
>>> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
>>> mature enough and small enough to make it security supported.
>>
>> I would suggest to explain the restriction in the commit message (and give a
>> link to XSA-372 commit).
>>
>>> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>
>>> ---
>>> Changes in v2:
>>> - clarify memory scrubbing
>>> ---
>>>   SUPPORT.md | 9 +++++++++
>>>   1 file changed, 9 insertions(+)
>>>
>>> diff --git a/SUPPORT.md b/SUPPORT.md
>>> index 317392d8f3..524cab9c8d 100644
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>>>         Status, qemu-xen: Supported
>>>   +## Dom0less
>>> +
>>> +Guest creation from the hypervisor at boot without Dom0 intervention.
>>> +
>>> +    Status, ARM: Supported
>>> +
>>> +Memory of dom0less DomUs is not scrubbed at boot (even with
>>> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
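Review bot: In the last added line, "no XSAs will be issues" should read "issued". The same paragraph names only bootscrub=on in its parenthesis; because it carves a class of issues out of security support, it should state what happens under each bootscrub setting (on, off, idle) so the scope of the exclusion is unambiguous.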
>>
>> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
>> it should be scrubbed for bootscrub=idle (the default).
> 
> With bootscrub=idle, do you know if it is guaranteed to complete the
> scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
> but if it is, then we should rephrase the statement.

Idle scrubbing never touches pages already owned by a domain. Hence the
question isn't whether scrubbing happens before these DomU-s start, but
whether they have their memory scrubbed before or while being allocated /
assigned to them. init_heap_pages() has

    if ( system_state < SYS_STATE_active && opt_bootscrub == BOOTSCRUB_IDLE )
        idle_scrub = true;

i.e. all memory given to the page allocator early enough will be _marked_
for scrubbing. If idle scrubbing didn't make it far enough,
alloc_heap_pages() will recognize this and scrub the page(s) synchronously
(of course unless passed MEMF_no_scrub).

Jan
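
The mark-then-scrub-on-allocate behaviour described in the message above, as a small C model added here for illustration; it is not Xen source and not part of the original message. All identifiers (`model_*`, `NO_SCRUB` standing in for `MEMF_no_scrub`, the 4-page heap) are assumptions, and bootscrub modes other than idle are modelled only as "pages not marked".

```c
/* Simplified model of the scrub-on-allocate behaviour described above.
 * NOT Xen source: every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NPAGES   4
#define PAGE_SZ  16
#define NO_SCRUB 1u   /* stands in for MEMF_no_scrub */
enum bootscrub { SCRUB_OFF, SCRUB_ON, SCRUB_IDLE };
struct page { unsigned char data[PAGE_SZ]; bool need_scrub, owned; };
static struct page heap[NPAGES];

/* Boot: pages with stale contents enter the allocator. Before the system
 * is active, idle mode only marks them; nothing is zeroed here. */
void model_init_heap(enum bootscrub opt, bool system_active)
{
    for (size_t i = 0; i < NPAGES; i++) {
        memset(heap[i].data, 0xAA, PAGE_SZ);   /* constructed stale data */
        heap[i].owned = false;
        heap[i].need_scrub = !system_active && opt == SCRUB_IDLE;
    }
}

/* Idle loop: scrub up to n marked pages, never one a domain owns. */
void model_idle_scrub(size_t n)
{
    for (size_t i = 0; i < NPAGES && n; i++)
        if (!heap[i].owned && heap[i].need_scrub) {
            memset(heap[i].data, 0, PAGE_SZ);
            heap[i].need_scrub = false;
            n--;
        }
}

/* Allocation: a page still marked is scrubbed synchronously, unless the
 * caller passed NO_SCRUB. Returns NULL when the heap is exhausted. */
struct page *model_alloc_page(unsigned flags)
{
    for (size_t i = 0; i < NPAGES; i++)
        if (!heap[i].owned) {
            if (heap[i].need_scrub && !(flags & NO_SCRUB)) {
                memset(heap[i].data, 0, PAGE_SZ);
                heap[i].need_scrub = false;
            }
            heap[i].owned = true;
            return &heap[i];
        }
    return NULL;
}
```

In the model, a page handed out with `NO_SCRUB` keeps its stale contents, and a later idle pass does not clean it because the page is already owned.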
