[PATCH v2] SUPPORT.md: add Dom0less as Supported

[PATCH v2] SUPPORT.md: add Dom0less as Supported

[Stefano Stabellini]

Add Dom0less to SUPPORT.md to clarify its support status. The feature is
mature enough and small enough to make it security supported.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
---
Changes in v2:
- clarify memory scrubbing
---
 SUPPORT.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index 317392d8f3..524cab9c8d 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
 
     Status, qemu-xen: Supported
 
+## Dom0less
+
+Guest creation from the hypervisor at boot without Dom0 intervention.
+
+    Status, ARM: Supported
+
+Memory of dom0less DomUs is not scrubbed at boot (even with
+bootscrub=on); no XSAs will be issues due to unscrubbed memory.
+
 # Format and definitions
 
 This file contains prose, and machine-readable fragments.
-- 
2.17.1

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Bertrand Marquis]

Hi Stefano,


> On 15 Jul 2021, at 00:48, Stefano Stabellini <sstabellini@kernel.org> wrote:
> 
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.
> 
> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>

Cheers
Bertrand

> ---
> Changes in v2:
> - clarify memory scrubbing
> ---
> SUPPORT.md | 9 +++++++++
> 1 file changed, 9 insertions(+)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 317392d8f3..524cab9c8d 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
> 
>     Status, qemu-xen: Supported
> 
> +## Dom0less
> +
> +Guest creation from the hypervisor at boot without Dom0 intervention.
> +
> +    Status, ARM: Supported
> +
> +Memory of dom0less DomUs is not scrubbed at boot (even with
> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
> +
> # Format and definitions
> 
> This file contains prose, and machine-readable fragments.
> -- 
> 2.17.1
> 
> 

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Julien Grall]

Hi Stefano,

On 15/07/2021 00:48, Stefano Stabellini wrote:
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.

I would suggest to explain the restriction in the commit message (and 
give a link to XSA-372 commit).

> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
> ---
> Changes in v2:
> - clarify memory scrubbing
> ---
>   SUPPORT.md | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 317392d8f3..524cab9c8d 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>   
>       Status, qemu-xen: Supported
>   
> +## Dom0less
> +
> +Guest creation from the hypervisor at boot without Dom0 intervention.
> +
> +    Status, ARM: Supported
> +
> +Memory of dom0less DomUs is not scrubbed at boot (even with
> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.

The memory will not be scrubbed for bootscrub=on and bootscrub=off. 
However, it should be scrubbed for bootscrub=idle (the default).

Cheers,

-- 
Julien Grall

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Stefano Stabellini]

On Thu, 15 Jul 2021, Julien Grall wrote:
> Hi Stefano,
> 
> On 15/07/2021 00:48, Stefano Stabellini wrote:
> > Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> > mature enough and small enough to make it security supported.
> 
> I would suggest to explain the restriction in the commit message (and give a
> link to XSA-372 commit).
> 
> > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
> > ---
> > Changes in v2:
> > - clarify memory scrubbing
> > ---
> >   SUPPORT.md | 9 +++++++++
> >   1 file changed, 9 insertions(+)
> > 
> > diff --git a/SUPPORT.md b/SUPPORT.md
> > index 317392d8f3..524cab9c8d 100644
> > --- a/SUPPORT.md
> > +++ b/SUPPORT.md
> > @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
> >         Status, qemu-xen: Supported
> >   +## Dom0less
> > +
> > +Guest creation from the hypervisor at boot without Dom0 intervention.
> > +
> > +    Status, ARM: Supported
> > +
> > +Memory of dom0less DomUs is not scrubbed at boot (even with
> > +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
> 
> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
> it should be scrubbed for bootscrub=idle (the default).

With bootscrub=idle, do you know if it is guaranteed to complete the
scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
but if it is, then we should rephrase the statement.

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Jan Beulich]

On 16.07.2021 22:29, Stefano Stabellini wrote:
> On Thu, 15 Jul 2021, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 15/07/2021 00:48, Stefano Stabellini wrote:
>>> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
>>> mature enough and small enough to make it security supported.
>>
>> I would suggest to explain the restriction in the commit message (and give a
>> link to XSA-372 commit).
>>
>>> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
>>> ---
>>> Changes in v2:
>>> - clarify memory scrubbing
>>> ---
>>>   SUPPORT.md | 9 +++++++++
>>>   1 file changed, 9 insertions(+)
>>>
>>> diff --git a/SUPPORT.md b/SUPPORT.md
>>> index 317392d8f3..524cab9c8d 100644
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>>>         Status, qemu-xen: Supported
>>>   +## Dom0less
>>> +
>>> +Guest creation from the hypervisor at boot without Dom0 intervention.
>>> +
>>> +    Status, ARM: Supported
>>> +
>>> +Memory of dom0less DomUs is not scrubbed at boot (even with
>>> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
>>
>> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
>> it should be scrubbed for bootscrub=idle (the default).
> 
> With bootscrub=idle, do you know if it is guaranteed to complete the
> scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
> but if it is, then we should rephrase the statement.

Idle scrubbing never touches pages already owned by a domain. Hence the
question isn't whether scrubbing happens before these DomU-s start, but
whether they have their memory scrubbed before or while being allocated /
assigned to them. init_heap_pages() has

    if ( system_state < SYS_STATE_active && opt_bootscrub == BOOTSCRUB_IDLE )
        idle_scrub = true;

i.e. all memory given to the page allocator early enough will be _marked_
for scrubbing. If idle scrubbing didn't make it far enough,
alloc_heap_pages() will recognize this and scrub the page(s) synchronously
(of course unless passed MEMF_no_scrub).

Jan

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Julien Grall]

Hi Stefano,

On 15/07/2021 00:48, Stefano Stabellini wrote:
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.
> 
> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>

I was going through my inbox and notice this was no follow-up. Dom0less 
is getting more traction, so I think it would be good for us to have a 
support statement.

Is it still under your radar?

Cheers,

-- 
Julien Grall

Re: [PATCH v2] SUPPORT.md: add Dom0less as Supported

[Stefano Stabellini]

On Thu, 7 Apr 2022, Julien Grall wrote:
> Hi Stefano,
> 
> On 15/07/2021 00:48, Stefano Stabellini wrote:
> > Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> > mature enough and small enough to make it security supported.
> > 
> > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
> 
> I was going through my inbox and notice this was no follow-up. Dom0less is
> getting more traction, so I think it would be good for us to have a support
> statement.
> 
> Is it still under your radar?

Totally fell through the cracks. I'll resend.