[PATCH v3] SUPPORT.md: split XSM from Flask

Jan Beulich posted 1 patch 3 months, 1 week ago
[PATCH v3] SUPPORT.md: split XSM from Flask
Posted by Jan Beulich 3 months, 1 week ago
XSM is a generic framework, which in particular is also used by SILO.
With this it can't really be experimental: Arm mandates SILO for having
a security supported configuration.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v3: Add explanations. Another terminology adjustment.
v2: Terminology adjustments. Stronger description.

--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -769,13 +769,21 @@ Compile time disabled for ARM by default
 
     Status, x86: Supported, not security supported
 
-### XSM & FLASK
+### XSM (Xen Security Module) Framework
+
+XSM is a security policy framework.  The dummy implementation is covered by this
+statement, and implements a policy whereby dom0 is all powerful.  See below for
+alternative modules (FLASK, SILO).
+
+    Status: Supported
+
+### FLASK XSM Module
 
     Status: Experimental
 
 Compile time disabled by default.
 
-Also note that using XSM
+Also note that using FLASK
 to delegate various domain control hypercalls
 to particular other domains, rather than only permitting use by dom0,
 is also specifically excluded from security support for many hypercalls.
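Review bot: the new "XSM (Xen Security Module) Framework" section carries "Status: Supported" but, unlike the FLASK section directly below it, says nothing about the build default: whether the framework and its dummy module are enabled by default, and which module is active when neither FLASK nor SILO is selected. A one-line statement parallel to FLASK's "Compile time disabled by default." would keep the two sections consistent. Also, since the "Also note that using XSM" line is being touched anyway, the resulting sentence still reads "Also note that using FLASK ... is also specifically excluded from security support"; one of the two "also"s could be dropped.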
@@ -788,6 +796,13 @@ Please see XSA-77 for more details.
 The default policy includes FLASK labels and roles for a "typical" Xen-based system
 with dom0, driver domains, stub domains, domUs, and so on.
 
+### SILO XSM Module
+
+SILO implements a policy whereby DomU-s can only communicate with Dom0, yet not
+with each other.
+
+    Status: Supported
+
 ## Virtual Hardware, Hypervisor
 
 ### x86/Nested PV
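Review bot: the SILO section says what the module restricts but not what it builds on; since the XSM section introduced in the previous hunk presents the dummy module as the baseline and points "below" to SILO as an alternative, a wording that makes the relationship explicit would help, e.g. "SILO extends the dummy XSM policy by enforcing that DomU-s can only communicate with Dom0, yet not with each other." Spelling is also inconsistent with the surrounding text: the added lines write "DomU-s" and "Dom0", while the neighbouring FLASK text in this same region uses "dom0" and "domUs". Finally, the commit message states that Arm mandates SILO for a security supported configuration, yet the section carries only an unqualified "Status: Supported", with neither a per-architecture qualifier of the "Status, x86: ..." form visible in the context above nor a compile-time default line like the one the FLASK section has.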
Re: [PATCH v3] SUPPORT.md: split XSM from Flask
Posted by Daniel P. Smith 2 months, 2 weeks ago
On 8/14/24 03:44, Jan Beulich wrote:
> XSM is a generic framework, which in particular is also used by SILO.
> With this it can't really be experimental: Arm mandates SILO for having
> a security supported configuration.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Re: [PATCH v3] SUPPORT.md: split XSM from Flask
Posted by Roger Pau Monné 2 months, 2 weeks ago
On Wed, Aug 14, 2024 at 09:44:11AM +0200, Jan Beulich wrote:
> XSM is a generic framework, which in particular is also used by SILO.
> With this it can't really be experimental: Arm mandates SILO for having
> a security supported configuration.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

> ---
> v3: Add explanations. Another terminology adjustment.
> v2: Terminology adjustments. Stronger description.
> 
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -769,13 +769,21 @@ Compile time disabled for ARM by default
>  
>      Status, x86: Supported, not security supported
>  
> -### XSM & FLASK
> +### XSM (Xen Security Module) Framework
> +
> +XSM is a security policy framework.  The dummy implementation is covered by this
> +statement, and implements a policy whereby dom0 is all powerful.  See below for
> +alternative modules (FLASK, SILO).
> +
> +    Status: Supported
> +
> +### FLASK XSM Module
>  
>      Status: Experimental
>  
>  Compile time disabled by default.
>  
> -Also note that using XSM
> +Also note that using FLASK
>  to delegate various domain control hypercalls
>  to particular other domains, rather than only permitting use by dom0,
>  is also specifically excluded from security support for many hypercalls.
> @@ -788,6 +796,13 @@ Please see XSA-77 for more details.
>  The default policy includes FLASK labels and roles for a "typical" Xen-based system
>  with dom0, driver domains, stub domains, domUs, and so on.
>  
> +### SILO XSM Module
> +
> +SILO implements a policy whereby DomU-s can only communicate with Dom0, yet not
> +with each other.

Might be good to clarify SILO is just like the dummy XSM
implementation without allowing inter-domain communication, ie:

"SILO extends the dummy XSM policy by enforcing that DomU-s can only
communicate with Dom0, yet not with each other."

Or similar.

Thanks, Roger.

Re: [PATCH v3] SUPPORT.md: split XSM from Flask
Posted by Jan Beulich 2 months, 2 weeks ago
On 04.09.2024 11:21, Roger Pau Monné wrote:
> On Wed, Aug 14, 2024 at 09:44:11AM +0200, Jan Beulich wrote:
>> XSM is a generic framework, which in particular is also used by SILO.
>> With this it can't really be experimental: Arm mandates SILO for having
>> a security supported configuration.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks.

>> @@ -788,6 +796,13 @@ Please see XSA-77 for more details.
>>  The default policy includes FLASK labels and roles for a "typical" Xen-based system
>>  with dom0, driver domains, stub domains, domUs, and so on.
>>  
>> +### SILO XSM Module
>> +
>> +SILO implements a policy whereby DomU-s can only communicate with Dom0, yet not
>> +with each other.
> 
> Might be good to clarify SILO is just like the dummy XSM
> implementation without allowing inter-domain communication, ie:
> 
> "SILO extends the dummy XSM policy by enforcing that DomU-s can only
> communicate with Dom0, yet not with each other."
> 
> Or similar.

Fine with me - adjusted.

Jan

Ping: [PATCH v3] SUPPORT.md: split XSM from Flask
Posted by Jan Beulich 2 months, 2 weeks ago
On 14.08.2024 09:44, Jan Beulich wrote:
> XSM is a generic framework, which in particular is also used by SILO.
> With this it can't really be experimental: Arm mandates SILO for having
> a security supported configuration.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> v3: Add explanations. Another terminology adjustment.
> v2: Terminology adjustments. Stronger description.

Are yet further adjustments needed?

Jan

> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -769,13 +769,21 @@ Compile time disabled for ARM by default
>  
>      Status, x86: Supported, not security supported
>  
> -### XSM & FLASK
> +### XSM (Xen Security Module) Framework
> +
> +XSM is a security policy framework.  The dummy implementation is covered by this
> +statement, and implements a policy whereby dom0 is all powerful.  See below for
> +alternative modules (FLASK, SILO).
> +
> +    Status: Supported
> +
> +### FLASK XSM Module
>  
>      Status: Experimental
>  
>  Compile time disabled by default.
>  
> -Also note that using XSM
> +Also note that using FLASK
>  to delegate various domain control hypercalls
>  to particular other domains, rather than only permitting use by dom0,
>  is also specifically excluded from security support for many hypercalls.
> @@ -788,6 +796,13 @@ Please see XSA-77 for more details.
>  The default policy includes FLASK labels and roles for a "typical" Xen-based system
>  with dom0, driver domains, stub domains, domUs, and so on.
>  
> +### SILO XSM Module
> +
> +SILO implements a policy whereby DomU-s can only communicate with Dom0, yet not
> +with each other.
> +
> +    Status: Supported
> +
>  ## Virtual Hardware, Hypervisor
>  
>  ### x86/Nested PV