> -----Original Message-----
> From: Xen-devel [mailto:xen-devel-boun...@lists.xenproject.org] On Behalf
> Of George Dunlap
> Sent: 05 November 2018 18:07
> To: xen-devel@lists.xenproject.org
> Cc: Stefano Stabellini <sstabell...@kernel.org>; Wei Liu
> <wei.l...@citrix.com>; Konrad Wilk <konrad.w...@oracle.com>; Andrew Cooper
> <andrew.coop...@citrix.com>; Tim (Xen.org) <t...@xen.org>; George Dunlap
> <george.dun...@citrix.com>; Ross Lagerwall <ross.lagerw...@citrix.com>;
> Julien Grall <julien.gr...@arm.com>; Jan Beulich <jbeul...@suse.com>;
> Anthony Perard <anthony.per...@citrix.com>; Ian Jackson
> <ian.jack...@citrix.com>
> Subject: [Xen-devel] [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section
> 
> Signed-off-by: George Dunlap <george.dun...@citrix.com>
> ---
> Changes since v3:
> - Moved from the qemu-depriv doc patches.
> - Reword to include the possibility of having a non-dom0 "devicemodel"
>   domain which may want to be protected
> - Specify `Linux dom0` as the currently-tech-supported window
> 
> CC: Ian Jackson <ian.jack...@citrix.com>
> CC: Wei Liu <wei.l...@citrix.com>
> CC: Andrew Cooper <andrew.coop...@citrix.com>
> CC: Jan Beulich <jbeul...@suse.com>
> CC: Tim Deegan <t...@xen.org>
> CC: Konrad Wilk <konrad.w...@oracle.com>
> CC: Stefano Stabellini <sstabell...@kernel.org>
> CC: Julien Grall <julien.gr...@arm.com>
> CC: Anthony Perard <anthony.per...@citrix.com>
> CC: Ross Lagerwall <ross.lagerw...@citrix.com>
> ---
>  SUPPORT.md | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 4f203da84a..1f0f5857a7 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -525,6 +525,26 @@ Vulnerabilities of a device model stub domain
>  to a hostile driver domain (either compromised or untrusted)
>  are excluded from security support.
> 
> +### Device Model Deprivileging
> +
> +    Status, Linux dom0: Tech Preview, with limited support
> +
> +This means adding extra restrictions to a device model in order to
> +prevent a compromised device model from attack the rest of the domain

s/attack/attacking/

  Paul

> +it's running in (normally dom0).
> +
> +"Tech preview with limited support" means we will not issue XSAs for
> +the _additional_ functionality provided by the feature; but we will
> +issue XSAs in the event that enabling this feature opens up a security
> +hole that would not be present without the feature disabled.
> +
> +For example, while this is classified as tech preview, a bug in libxl
> +which failed to change the user ID of QEMU would not receive an XSA,
> +since without this feature the user ID wouldn't be changed. But a
> +change which made it possible for a compromised guest to read
> +arbitrary files on the host filesystem without compromising QEMU would
> +be issued an XSA, since that does weaken security.
> +
>  ### KCONFIG Expert
> 
>      Status: Experimental
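Review bot: the last clause of the "Tech preview with limited support" paragraph, "a security hole that would not be present without the feature disabled", is a double negative that says the opposite of what is intended; suggest "a security hole that would not be present with the feature disabled" (or simply "without the feature"). In the same hunk, the example's "would be issued an XSA" is awkward next to "would not receive an XSA" two sentences earlier; "would receive an XSA" keeps the two halves of the example parallel. The "attack the rest of the domain" typo in the first paragraph also still needs the s/attack/attacking/ fix already raised in this thread.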
> --
> 2.19.1
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xenproject.org
> https://lists.xenproject.org/mailman/listinfo/xen-devel