|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
Hi George, On 13/11/17 15:41, George Dunlap wrote: Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> --- CC: Ian Jackson <ian.jackson@xxxxxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CC: Jan Beulich <jbeulich@xxxxxxxx> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> CC: Konrad Wilk <konrad.wilk@xxxxxxxxxx> CC: Tim Deegan <tim@xxxxxxx> CC: Rich Persaud <persaur@xxxxxxxxx> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> CC: Christopher Clark <christopher.w.clark@xxxxxxxxx> CC: James McKenzie <james.mckenzie@xxxxxxxxxxx> --- SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/SUPPORT.md b/SUPPORT.md index 3e352198ce..a8388f3dc5 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -454,9 +454,23 @@ there is currently no xl support.## Security +### Driver Domains+ + Status: Supported, with caveats + +"Driver domains" means allowing non-Domain 0 domains +with access to physical devices to act as back-ends. + +See the appropriate "Device Passthrough" section +for more information about security support. + ### Device Model Stub Domains- Status: Supported+ Status: Supported, with caveats + +Vulnerabilities of a device model stub domain +to a hostile driver domain (either compromised or untrusted) +are excluded from security support.### KCONFIG Expert @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guestsDisabled by default (enable with hypervisor command line option). This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html+### x86/PCI Device Passthrough+ + Status: Supported, with caveats + +Only systems using IOMMUs will be supported. + +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. + +Because of hardware limitations +(affecting any operating system or hypervisor), +it is generally not safe to use this feature +to expose a physical device to completely untrusted guests. +However, this feature can still confer significant security benefit +when used to remove drivers and backends from domain 0 +(i.e., Driver Domains). +See docs/PCI-IOMMU-bugs.txt for more information. Where can I find this file? Is it in staging? Cheers, -- Julien Grall _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |