[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v3 12/17] SUPPORT.md: Add Security-releated features



With the exception of driver domains, which depend on PCI passthrough,
and will be introduced later.

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
---
Changes since v2:
- Reference XSA-77 as well under the XSM & FLASK section

CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: Jan Beulich <jbeulich@xxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Konrad Wilk <konrad.wilk@xxxxxxxxxx>
CC: Tim Deegan <tim@xxxxxxx>
CC: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>
CC: Rich Persaud <persaur@xxxxxxxxx>
---
 SUPPORT.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index cc8b754749..2d4386ad68 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -447,6 +447,46 @@ but has no xl support.
 
     Status: Supported
 
+## Security
+
+### Device Model Stub Domains
+
+    Status: Supported
+
+### KCONFIG Expert
+
+    Status: Experimental
+
+### Live Patching
+
+    Status, x86: Supported
+    Status, ARM: Experimental
+
+Compile time disabled for ARM
+
+### Virtual Machine Introspection
+
+    Status, x86: Supported, not security supported
+
+### XSM & FLASK
+
+    Status: Experimental
+
+Compile time disabled.
+
+Also note that using XSM
+to delegate various domain control hypercalls
+to particular other domains, rather than only permitting use by dom0,
+is also specifically excluded from security support for many hypercalls.
+Please see XSA-77 for more details.
+
+### FLASK default policy
+
+    Status: Experimental
+
+The default policy includes FLASK labels and roles for a "typical" Xen-based 
system
+with dom0, driver domains, stub domains, domUs, and so on.
+
 ## Virtual Hardware, Hypervisor
 
 ### x86/Nested PV
-- 
2.15.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.