Add Dom0less to SUPPORT.md to clarify its support status. The feature is
mature enough and small enough to make it security supported.
Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
---
Changes in v2:
- clarify memory scrubbing
---
SUPPORT.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/SUPPORT.md b/SUPPORT.md
index 317392d8f3..524cab9c8d 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
Status, qemu-xen: Supported
+## Dom0less
+
+Guest creation from the hypervisor at boot without Dom0 intervention.
+
+ Status, ARM: Supported
+
+Memory of dom0less DomUs is not scrubbed at boot (even with
+bootscrub=on); no XSAs will be issues due to unscrubbed memory.
+
# Format and definitions
This file contains prose, and machine-readable fragments.
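Review bot: In the second line of the scrubbing paragraph under "## Dom0less", "no XSAs will be issues" should read "no XSAs will be issued". The same paragraph names only bootscrub=on; spell out which bootscrub settings the exclusion applies to, since this sentence defines what falls outside security support for the feature, and mention the restriction in the commit message, which currently says only that the feature is mature and small enough.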
--
2.17.1
Hi Stefano,

> On 15 Jul 2021, at 00:48, Stefano Stabellini <sstabellini@kernel.org> wrote:
>
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.
>
> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>

Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>

Cheers
Bertrand

> ---
> Changes in v2:
> - clarify memory scrubbing
> ---
> SUPPORT.md | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 317392d8f3..524cab9c8d 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>
> Status, qemu-xen: Supported
>
> +## Dom0less
> +
> +Guest creation from the hypervisor at boot without Dom0 intervention.
> +
> + Status, ARM: Supported
> +
> +Memory of dom0less DomUs is not scrubbed at boot (even with
> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
> +
> # Format and definitions
>
> This file contains prose, and machine-readable fragments.
> --
> 2.17.1
>
>
Hi Stefano,

On 15/07/2021 00:48, Stefano Stabellini wrote:
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.

I would suggest to explain the restriction in the commit message (and give a
link to XSA-372 commit).

> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
> ---
> Changes in v2:
> - clarify memory scrubbing
> ---
> SUPPORT.md | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 317392d8f3..524cab9c8d 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>
> Status, qemu-xen: Supported
>
> +## Dom0less
> +
> +Guest creation from the hypervisor at boot without Dom0 intervention.
> +
> + Status, ARM: Supported
> +
> +Memory of dom0less DomUs is not scrubbed at boot (even with
> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.

The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
it should be scrubbed for bootscrub=idle (the default).

Cheers,

--
Julien Grall
On Thu, 15 Jul 2021, Julien Grall wrote:
> Hi Stefano,
>
> On 15/07/2021 00:48, Stefano Stabellini wrote:
> > Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> > mature enough and small enough to make it security supported.
>
> I would suggest to explain the restriction in the commit message (and give a
> link to XSA-372 commit).
>
> > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
> > ---
> > Changes in v2:
> > - clarify memory scrubbing
> > ---
> > SUPPORT.md | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/SUPPORT.md b/SUPPORT.md
> > index 317392d8f3..524cab9c8d 100644
> > --- a/SUPPORT.md
> > +++ b/SUPPORT.md
> > @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
> > Status, qemu-xen: Supported
> > +## Dom0less
> > +
> > +Guest creation from the hypervisor at boot without Dom0 intervention.
> > +
> > + Status, ARM: Supported
> > +
> > +Memory of dom0less DomUs is not scrubbed at boot (even with
> > +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
>
> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
> it should be scrubbed for bootscrub=idle (the default).

With bootscrub=idle, do you know if it is guaranteed to complete the
scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
but if it is, then we should rephrase the statement.
On 16.07.2021 22:29, Stefano Stabellini wrote:
> On Thu, 15 Jul 2021, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 15/07/2021 00:48, Stefano Stabellini wrote:
>>> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
>>> mature enough and small enough to make it security supported.
>>
>> I would suggest to explain the restriction in the commit message (and give a
>> link to XSA-372 commit).
>>
>>> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
>>> ---
>>> Changes in v2:
>>> - clarify memory scrubbing
>>> ---
>>> SUPPORT.md | 9 +++++++++
>>> 1 file changed, 9 insertions(+)
>>>
>>> diff --git a/SUPPORT.md b/SUPPORT.md
>>> index 317392d8f3..524cab9c8d 100644
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>>> Status, qemu-xen: Supported
>>> +## Dom0less
>>> +
>>> +Guest creation from the hypervisor at boot without Dom0 intervention.
>>> +
>>> + Status, ARM: Supported
>>> +
>>> +Memory of dom0less DomUs is not scrubbed at boot (even with
>>> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
>>
>> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
>> it should be scrubbed for bootscrub=idle (the default).
>
> With bootscrub=idle, do you know if it is guaranteed to complete the
> scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
> but if it is, then we should rephrase the statement.

Idle scrubbing never touches pages already owned by a domain. Hence the
question isn't whether scrubbing happens before these DomU-s start, but
whether they have their memory scrubbed before or while being allocated /
assigned to them. init_heap_pages() has

    if ( system_state < SYS_STATE_active && opt_bootscrub == BOOTSCRUB_IDLE )
        idle_scrub = true;

i.e. all memory given to the page allocator early enough will be _marked_
for scrubbing. If idle scrubbing didn't make it far enough,
alloc_heap_pages() will recognize this and scrub the page(s) synchronously
(of course unless passed MEMF_no_scrub).

Jan
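A simplified C model of the mark-then-scrub-on-allocation logic described in the reply above, added here as an illustration; it is not Xen source and not code from the thread. The page array, the `STALE` marker, `idle_scrub_pages()` and `domu_first_byte()` are hypothetical, and the separate boot-time pass of bootscrub=on is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model of the behaviour described in the thread; not Xen source. */
enum bootscrub { BOOTSCRUB_OFF, BOOTSCRUB_ON, BOOTSCRUB_IDLE };
enum { SYS_STATE_boot, SYS_STATE_active };
#define MEMF_no_scrub 1u
#define NPAGES 4
#define STALE 0xAA /* constructed marker: contents left over from before boot */

struct page { unsigned char data; bool need_scrub, owned; };
static struct page heap[NPAGES];
static int system_state = SYS_STATE_boot;
static enum bootscrub opt_bootscrub;

/* Early pages are only *marked* for scrubbing, and only with bootscrub=idle. */
static void init_heap_pages(void) {
    bool idle_scrub = system_state < SYS_STATE_active &&
                      opt_bootscrub == BOOTSCRUB_IDLE;
    for (int i = 0; i < NPAGES; i++)
        heap[i] = (struct page){ .data = STALE, .need_scrub = idle_scrub };
}

/* Idle scrubber: cleans up to `budget` marked pages, never owned ones. */
static void idle_scrub_pages(int budget) {
    for (int i = 0; i < NPAGES && budget > 0; i++)
        if (!heap[i].owned && heap[i].need_scrub) {
            heap[i].data = 0; heap[i].need_scrub = false; budget--;
        }
}

/* Allocation scrubs synchronously when the page is still marked. */
static struct page *alloc_heap_pages(unsigned memflags) {
    for (int i = 0; i < NPAGES; i++) {
        if (heap[i].owned) continue;
        if (heap[i].need_scrub && !(memflags & MEMF_no_scrub)) {
            heap[i].data = 0; heap[i].need_scrub = false;
        }
        heap[i].owned = true;
        return &heap[i];
    }
    return NULL;
}

/* Hypothetical helper: byte a boot-time domU reads from its first page. */
static unsigned char domu_first_byte(enum bootscrub mode, int budget, unsigned mf) {
    opt_bootscrub = mode;
    init_heap_pages();
    idle_scrub_pages(budget);
    return alloc_heap_pages(mf)->data;
}
```

In this model a page allocated under bootscrub=idle reads as zero whether or not the idle scrubber reached it first, while MEMF_no_scrub, bootscrub=on and bootscrub=off all leave the stale byte visible.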
Hi Stefano,

On 15/07/2021 00:48, Stefano Stabellini wrote:
> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> mature enough and small enough to make it security supported.
>
> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>

I was going through my inbox and noticed there was no follow-up. Dom0less is
getting more traction, so I think it would be good for us to have a support
statement.

Is it still under your radar?

Cheers,

--
Julien Grall
On Thu, 7 Apr 2022, Julien Grall wrote:
> Hi Stefano,
>
> On 15/07/2021 00:48, Stefano Stabellini wrote:
> > Add Dom0less to SUPPORT.md to clarify its support status. The feature is
> > mature enough and small enough to make it security supported.
> >
> > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
>
> I was going through my inbox and noticed there was no follow-up. Dom0less is
> getting more traction, so I think it would be good for us to have a support
> statement.
>
> Is it still under your radar?

Totally fell through the cracks. I'll resend.