SUPPORT.md | 9 +++++++++ 1 file changed, 9 insertions(+)
Add Dom0less to SUPPORT.md to clarify its support status. The feature is
mature enough and small enough to make it security supported.
Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
---
Changes in v2:
- clarify memory scrubbing
---
SUPPORT.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/SUPPORT.md b/SUPPORT.md
index 317392d8f3..524cab9c8d 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
Status, qemu-xen: Supported
+## Dom0less
+
+Guest creation from the hypervisor at boot without Dom0 intervention.
+
+ Status, ARM: Supported
+
+Memory of dom0less DomUs is not scrubbed at boot (even with
+bootscrub=on); no XSAs will be issues due to unscrubbed memory.
+
# Format and definitions
This file contains prose, and machine-readable fragments.
--
2.17.1
Hi Stefano, > On 15 Jul 2021, at 00:48, Stefano Stabellini <sstabellini@kernel.org> wrote: > > Add Dom0less to SUPPORT.md to clarify its support status. The feature is > mature enough and small enough to make it security supported. > > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Cheers Bertrand > --- > Changes in v2: > - clarify memory scrubbing > --- > SUPPORT.md | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/SUPPORT.md b/SUPPORT.md > index 317392d8f3..524cab9c8d 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol. > > Status, qemu-xen: Supported > > +## Dom0less > + > +Guest creation from the hypervisor at boot without Dom0 intervention. > + > + Status, ARM: Supported > + > +Memory of dom0less DomUs is not scrubbed at boot (even with > +bootscrub=on); no XSAs will be issues due to unscrubbed memory. > + > # Format and definitions > > This file contains prose, and machine-readable fragments. > -- > 2.17.1 > >
Hi Stefano, On 15/07/2021 00:48, Stefano Stabellini wrote: > Add Dom0less to SUPPORT.md to clarify its support status. The feature is > mature enough and small enough to make it security supported. I would suggest to explain the restriction in the commit message (and give a link to XSA-372 commit). > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> > --- > Changes in v2: > - clarify memory scrubbing > --- > SUPPORT.md | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/SUPPORT.md b/SUPPORT.md > index 317392d8f3..524cab9c8d 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol. > > Status, qemu-xen: Supported > > +## Dom0less > + > +Guest creation from the hypervisor at boot without Dom0 intervention. > + > + Status, ARM: Supported > + > +Memory of dom0less DomUs is not scrubbed at boot (even with > +bootscrub=on); no XSAs will be issues due to unscrubbed memory. The memory will not be scrubbed for bootscrub=on and bootscrub=off. However, it should be scrubbed for bootscrub=idle (the default). Cheers, -- Julien Grall
On Thu, 15 Jul 2021, Julien Grall wrote: > Hi Stefano, > > On 15/07/2021 00:48, Stefano Stabellini wrote: > > Add Dom0less to SUPPORT.md to clarify its support status. The feature is > > mature enough and small enough to make it security supported. > > I would suggest to explain the restriction in the commit message (and give a > link to XSA-372 commit). > > > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> > > --- > > Changes in v2: > > - clarify memory scrubbing > > --- > > SUPPORT.md | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/SUPPORT.md b/SUPPORT.md > > index 317392d8f3..524cab9c8d 100644 > > --- a/SUPPORT.md > > +++ b/SUPPORT.md > > @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol. > > Status, qemu-xen: Supported > > +## Dom0less > > + > > +Guest creation from the hypervisor at boot without Dom0 intervention. > > + > > + Status, ARM: Supported > > + > > +Memory of dom0less DomUs is not scrubbed at boot (even with > > +bootscrub=on); no XSAs will be issues due to unscrubbed memory. > > The memory will not be scrubbed for bootscrub=on and bootscrub=off. However, > it should be scrubbed for bootscrub=idle (the default). With bootscrub=idle, do you know if it is guaranteed to complete the scrubbing before dom0less domUs start? I assumed it wasn't guaranteed, but if it is, then we should rephrase the statement.
On 16.07.2021 22:29, Stefano Stabellini wrote:
> On Thu, 15 Jul 2021, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 15/07/2021 00:48, Stefano Stabellini wrote:
>>> Add Dom0less to SUPPORT.md to clarify its support status. The feature is
>>> mature enough and small enough to make it security supported.
>>
>> I would suggest to explain the restriction in the commit message (and give a
>> link to XSA-372 commit).
>>
>>> Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
>>> ---
>>> Changes in v2:
>>> - clarify memory scrubbing
>>> ---
>>> SUPPORT.md | 9 +++++++++
>>> 1 file changed, 9 insertions(+)
>>>
>>> diff --git a/SUPPORT.md b/SUPPORT.md
>>> index 317392d8f3..524cab9c8d 100644
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -832,6 +832,15 @@ OVMF firmware implements the UEFI boot protocol.
>>> Status, qemu-xen: Supported
>>> +## Dom0less
>>> +
>>> +Guest creation from the hypervisor at boot without Dom0 intervention.
>>> +
>>> + Status, ARM: Supported
>>> +
>>> +Memory of dom0less DomUs is not scrubbed at boot (even with
>>> +bootscrub=on); no XSAs will be issues due to unscrubbed memory.
>>
>> The memory will not be scrubbed for bootscrub=on and bootscrub=off. However,
>> it should be scrubbed for bootscrub=idle (the default).
>
> With bootscrub=idle, do you know if it is guaranteed to complete the
> scrubbing before dom0less domUs start? I assumed it wasn't guaranteed,
> but if it is, then we should rephrase the statement.
Idle scrubbing never touches pages already owned by a domain. Hence the
question isn't whether scrubbing happens before these DomU-s start, but
whether they have their memory scrubbed before or while being allocated /
assigned to them. init_heap_pages() has
if ( system_state < SYS_STATE_active && opt_bootscrub == BOOTSCRUB_IDLE )
idle_scrub = true;
i.e. all memory given to the page allocator early enough will be _marked_
for scrubbing. If idle scrubbing didn't make it far enough,
alloc_heap_pages() will recognize this and scrub the page(s) synchronously
(of course unless passed MEMF_no_scrub).
Jan
Hi Stefano, On 15/07/2021 00:48, Stefano Stabellini wrote: > Add Dom0less to SUPPORT.md to clarify its support status. The feature is > mature enough and small enough to make it security supported. > > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> I was going through my inbox and notice this was no follow-up. Dom0less is getting more traction, so I think it would be good for us to have a support statement. Is it still under your radar? Cheers, -- Julien Grall
On Thu, 7 Apr 2022, Julien Grall wrote: > Hi Stefano, > > On 15/07/2021 00:48, Stefano Stabellini wrote: > > Add Dom0less to SUPPORT.md to clarify its support status. The feature is > > mature enough and small enough to make it security supported. > > > > Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> > > I was going through my inbox and notice this was no follow-up. Dom0less is > getting more traction, so I think it would be good for us to have a support > statement. > > Is it still under your radar? Totally fell through the cracks. I'll resend.
© 2016 - 2024 Red Hat, Inc.