Re: [PATCH v3] SUPPORT.md: split XSM from Flask

[Roger Pau Monné <roger.pau@xxxxxxxxxx>]

On Wed, Aug 14, 2024 at 09:44:11AM +0200, Jan Beulich wrote:
> XSM is a generic framework, which in particular is also used by SILO.
> With this it can't really be experimental: Arm mandates SILO for having
> a security supported configuration.
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

> ---
> v3: Add explanations. Another terminology adjustment.
> v2: Terminology adjustments. Stronger description.
> 
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -769,13 +769,21 @@ Compile time disabled for ARM by default
>  
>      Status, x86: Supported, not security supported
>  
> -### XSM & FLASK
> +### XSM (Xen Security Module) Framework
> +
> +XSM is a security policy framework.  The dummy implementation is covered by 
> this
> +statement, and implements a policy whereby dom0 is all powerful.  See below 
> for
> +alternative modules (FLASK, SILO).
> +
> +    Status: Supported
> +
> +### FLASK XSM Module
>  
>      Status: Experimental
>  
>  Compile time disabled by default.
>  
> -Also note that using XSM
> +Also note that using FLASK
>  to delegate various domain control hypercalls
>  to particular other domains, rather than only permitting use by dom0,
>  is also specifically excluded from security support for many hypercalls.
> @@ -788,6 +796,13 @@ Please see XSA-77 for more details.
>  The default policy includes FLASK labels and roles for a "typical" Xen-based 
> system
>  with dom0, driver domains, stub domains, domUs, and so on.
>  
> +### SILO XSM Module
> +
> +SILO implements a policy whereby DomU-s can only communicate with Dom0, yet 
> not
> +with each other.

Might be good to clarify SILO is just like the dummy XSM
implementation without allowing inter-domain communication, ie:

"SILO extends the dummy XSM policy by enforcing that DomU-s can only
communicate with Dom0, yet not with each other."

Or similar.

Thanks, Roger.