All of lore.kernel.org
 help / color / mirror / Atom feed
From: George Dunlap <george.dunlap@citrix.com>
To: xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>,
	Konrad Wilk <konrad.wilk@oracle.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Tim Deegan <tim@xen.org>,
	George Dunlap <george.dunlap@citrix.com>,
	Rich Persaud <persaur@gmail.com>, Jan Beulich <jbeulich@suse.com>,
	Tamas K Lengyel <tamas.lengyel@zentific.com>,
	Ian Jackson <ian.jackson@citrix.com>
Subject: [PATCH v3 12/17] SUPPORT.md: Add Security-releated features
Date: Wed, 22 Nov 2017 19:20:19 +0000	[thread overview]
Message-ID: <20171122192024.21187-12-george.dunlap@citrix.com> (raw)
In-Reply-To: <20171122192024.21187-1-george.dunlap@citrix.com>

With the exception of driver domains, which depend on PCI passthrough,
and will be introduced later.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
Changes since v2:
- Reference XSA-77 as well under the XSM & FLASK section

CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Konrad Wilk <konrad.wilk@oracle.com>
CC: Tim Deegan <tim@xen.org>
CC: Tamas K Lengyel <tamas.lengyel@zentific.com>
CC: Rich Persaud <persaur@gmail.com>
---
 SUPPORT.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index cc8b754749..2d4386ad68 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -447,6 +447,46 @@ but has no xl support.
 
     Status: Supported
 
+## Security
+
+### Device Model Stub Domains
+
+    Status: Supported
+
+### KCONFIG Expert
+
+    Status: Experimental
+
+### Live Patching
+
+    Status, x86: Supported
+    Status, ARM: Experimental
+
+Compile time disabled for ARM
+
+### Virtual Machine Introspection
+
+    Status, x86: Supported, not security supported
+
+### XSM & FLASK
+
+    Status: Experimental
+
+Compile time disabled.
+
+Also note that using XSM
+to delegate various domain control hypercalls
+to particular other domains, rather than only permitting use by dom0,
+is also specifically excluded from security support for many hypercalls.
+Please see XSA-77 for more details.
+
+### FLASK default policy
+
+    Status: Experimental
+
+The default policy includes FLASK labels and roles for a "typical" Xen-based system
+with dom0, driver domains, stub domains, domUs, and so on.
+
 ## Virtual Hardware, Hypervisor
 
 ### x86/Nested PV
-- 
2.15.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

  parent reply	other threads:[~2017-11-22 19:28 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-22 19:20 [PATCH v3 01/17] Introduce skeleton SUPPORT.md George Dunlap
2017-11-22 19:20 ` [PATCH v3 02/17] SUPPORT.md: Add core functionality George Dunlap
2017-11-23 10:46   ` Jan Beulich
2017-11-22 19:20 ` [PATCH v3 03/17] SUPPORT.md: Add some x86 features George Dunlap
2017-11-23 10:47   ` Jan Beulich
2017-11-22 19:20 ` [PATCH v3 04/17] SUPPORT.md: Add core ARM features George Dunlap
2017-11-23 11:11   ` Julien Grall
2017-11-23 11:13     ` George Dunlap
2017-11-23 11:15       ` Julien Grall
2017-11-22 19:20 ` [PATCH v3 05/17] SUPPORT.md: Toolstack core George Dunlap
2017-11-24 16:26   ` Ian Jackson
2017-11-27 10:27     ` George Dunlap
2017-11-27 11:43   ` Roger Pau Monné
2017-11-27 14:12     ` George Dunlap
2017-11-27 14:39       ` Roger Pau Monné
2017-11-27 14:40         ` George Dunlap
2017-11-27 14:58         ` George Dunlap
2017-11-27 15:02           ` Roger Pau Monné
2017-11-27 14:15     ` George Dunlap
2017-11-27 14:36       ` Roger Pau Monné
2017-11-22 19:20 ` [PATCH v3 06/17] SUPPORT.md: Add scalability features George Dunlap
2017-11-23 10:50   ` Jan Beulich
2017-11-23 16:52     ` George Dunlap
2017-11-23 11:12   ` Julien Grall
2017-11-22 19:20 ` [PATCH v3 07/17] SUPPORT.md: Add virtual devices common to ARM and x86 George Dunlap
2017-11-23  8:50   ` Paul Durrant
2017-11-23 10:59   ` Jan Beulich
2017-11-23 17:02     ` George Dunlap
2017-11-22 19:20 ` [PATCH v3 08/17] SUPPORT.md: Add x86-specific virtual hardware George Dunlap
2017-11-23 11:07   ` Jan Beulich
2017-11-27 15:12   ` Anthony PERARD
2017-11-27 16:30     ` George Dunlap
2017-11-27 16:43       ` Anthony PERARD
2017-11-22 19:20 ` [PATCH v3 09/17] SUPPORT.md: Add ARM-specific " George Dunlap
2017-11-23 11:14   ` Julien Grall
2017-11-22 19:20 ` [PATCH v3 10/17] SUPPORT.md: Add Debugging, analysis, crash post-portem George Dunlap
2017-11-23 11:15   ` Jan Beulich
2017-11-23 17:08     ` George Dunlap
2017-11-24  8:04       ` Jan Beulich
2017-11-27 14:18         ` George Dunlap
2017-11-22 19:20 ` [PATCH v3 11/17] SUPPORT.md: Add 'easy' HA / FT features George Dunlap
2017-11-22 19:20 ` George Dunlap [this message]
2017-11-23 11:16   ` [PATCH v3 12/17] SUPPORT.md: Add Security-releated features Jan Beulich
2017-11-23 17:14     ` George Dunlap
2017-11-22 19:20 ` [PATCH v3 13/17] SUPPORT.md: Add secondary memory management features George Dunlap
2017-11-22 19:20 ` [PATCH v3 14/17] SUPPORT.md: Add statement on PCI passthrough George Dunlap
2017-11-23 11:17   ` Jan Beulich
2017-11-27 14:48     ` George Dunlap
2017-11-27 15:04       ` Jan Beulich
2017-11-27 15:05         ` George Dunlap
2017-11-22 19:20 ` [PATCH v3 15/17] SUPPORT.md: Add statement on migration RFC George Dunlap
2017-11-23 11:19   ` Jan Beulich
2017-11-22 19:20 ` [PATCH v3 16/17] SUPPORT.md: Add limits RFC George Dunlap
2017-11-23 11:21   ` Jan Beulich
2017-11-23 17:21     ` George Dunlap
2017-11-24  8:14       ` Jan Beulich
2017-11-27 14:35         ` George Dunlap
2017-11-22 19:20 ` [PATCH v3 17/17] SUPPORT.md: Miscellaneous additions George Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171122192024.21187-12-george.dunlap@citrix.com \
    --to=george.dunlap@citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=ian.jackson@citrix.com \
    --cc=jbeulich@suse.com \
    --cc=konrad.wilk@oracle.com \
    --cc=persaur@gmail.com \
    --cc=sstabellini@kernel.org \
    --cc=tamas.lengyel@zentific.com \
    --cc=tim@xen.org \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.