diff mbox series

[v2] SUPPORT.md: split XSM from Flask

Message ID 121c2612-c255-4051-8d7c-315df6b3d348@suse.com (mailing list archive)
State Superseded
Headers show
Series [v2] SUPPORT.md: split XSM from Flask | expand

Commit Message

Jan Beulich July 31, 2024, 2:28 p.m. UTC
XSM is a generic framework, which in particular is also used by SILO.
With this it can't really be experimental: Arm mandates SILO for having
a security supported configuration.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Terminology adjustments. Stronger description.

Comments

Andrew Cooper July 31, 2024, 2:59 p.m. UTC | #1
On 31/07/2024 3:28 pm, Jan Beulich wrote:
> XSM is a generic framework, which in particular is also used by SILO.
> With this it can't really be experimental: Arm mandates SILO for having
> a security supported configuration.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> v2: Terminology adjustments. Stronger description.
>
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -768,13 +768,20 @@ Compile time disabled for ARM by default
>  
>      Status, x86: Supported, not security supported
>  
> -### XSM & FLASK
> +### XSM (Xen Security Module)

I'd suggest using Modules (plural) here.

> +
> +    Status: Supported
> +
> +See below for use with FLASK and SILO.  The dummy implementation is covered here
> +as well.

I still think we want a one-line description of what "dummy" is.

"XSM is a security policy framework.  The dummy implementation is
covered by this statement, and implements a policy whereby dom0 is all
powerful.  See below for alternative modules (FLASK, SILO)."

?


> +
> +### FLASK XSM Module
>  
>      Status: Experimental
>  
>  Compile time disabled by default.
>  
> -Also note that using XSM
> +Also note that using FLASK
>  to delegate various domain control hypercalls
>  to particular other domains, rather than only permitting use by dom0,
>  is also specifically excluded from security support for many hypercalls.
> @@ -787,6 +794,10 @@ Please see XSA-77 for more details.
>  The default policy includes FLASK labels and roles for a "typical" Xen-based system
>  with dom0, driver domains, stub domains, domUs, and so on.
>  
> +### SILO XSM Module
> +
> +    Status: Supported

"SILO implements a policy whereby domUs can only communicate with dom0,
and not with each other"

?

~Andrew
Jan Beulich July 31, 2024, 3:14 p.m. UTC | #2
On 31.07.2024 16:59, Andrew Cooper wrote:
> On 31/07/2024 3:28 pm, Jan Beulich wrote:
>> XSM is a generic framework, which in particular is also used by SILO.
>> With this it can't really be experimental: Arm mandates SILO for having
>> a security supported configuration.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> ---
>> v2: Terminology adjustments. Stronger description.
>>
>> --- a/SUPPORT.md
>> +++ b/SUPPORT.md
>> @@ -768,13 +768,20 @@ Compile time disabled for ARM by default
>>  
>>      Status, x86: Supported, not security supported
>>  
>> -### XSM & FLASK
>> +### XSM (Xen Security Module)
> 
> I'd suggest using Modules (plural) here.

But XSM itself is just one thing?

>> +
>> +    Status: Supported
>> +
>> +See below for use with FLASK and SILO.  The dummy implementation is covered here
>> +as well.
> 
> I still think we want a one-line description of what "dummy" is.
> 
> "XSM is a security policy framework.  The dummy implementation is
> covered by this statement, and implements a policy whereby dom0 is all
> powerful.  See below for alternative modules (FLASK, SILO)."
> 
> ?

Hmm, can do. Looking around in some cases we indeed have such explanations.

Jan
Andrew Cooper July 31, 2024, 4:13 p.m. UTC | #3
On 31/07/2024 4:14 pm, Jan Beulich wrote:
> On 31.07.2024 16:59, Andrew Cooper wrote:
>> On 31/07/2024 3:28 pm, Jan Beulich wrote:
>>> XSM is a generic framework, which in particular is also used by SILO.
>>> With this it can't really be experimental: Arm mandates SILO for having
>>> a security supported configuration.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>> ---
>>> v2: Terminology adjustments. Stronger description.
>>>
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -768,13 +768,20 @@ Compile time disabled for ARM by default
>>>  
>>>      Status, x86: Supported, not security supported
>>>  
>>> -### XSM & FLASK
>>> +### XSM (Xen Security Module)
>> I'd suggest using Modules (plural) here.
> But XSM itself is just one thing?

In which case "XSM (Xen Security Module) Framework" ?

>
>>> +
>>> +    Status: Supported
>>> +
>>> +See below for use with FLASK and SILO.  The dummy implementation is covered here
>>> +as well.
>> I still think we want a one-line description of what "dummy" is.
>>
>> "XSM is a security policy framework.  The dummy implementation is
>> covered by this statement, and implements a policy whereby dom0 is all
>> powerful.  See below for alternative modules (FLASK, SILO)."
>>
>> ?
> Hmm, can do. Looking around in some cases we indeed have such explanations.

Everything which isn't entirely obvious should come with a oneliner
explanation.  Otherwise, SUPPORT.md is useless to non-Xen developers.

~Andrew
diff mbox series

Patch

--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -768,13 +768,20 @@  Compile time disabled for ARM by default
 
     Status, x86: Supported, not security supported
 
-### XSM & FLASK
+### XSM (Xen Security Module)
+
+    Status: Supported
+
+See below for use with FLASK and SILO.  The dummy implementation is covered here
+as well.
+
+### FLASK XSM Module
 
     Status: Experimental
 
 Compile time disabled by default.
 
-Also note that using XSM
+Also note that using FLASK
 to delegate various domain control hypercalls
 to particular other domains, rather than only permitting use by dom0,
 is also specifically excluded from security support for many hypercalls.
@@ -787,6 +794,10 @@  Please see XSA-77 for more details.
 The default policy includes FLASK labels and roles for a "typical" Xen-based system
 with dom0, driver domains, stub domains, domUs, and so on.
 
+### SILO XSM Module
+
+    Status: Supported
+
 ## Virtual Hardware, Hypervisor
 
 ### x86/Nested PV