File 66d8690f-SUPPORT-split-XSM-from-Flask.patch of Package xen
# Commit d7c18b8720824d7efc39ffa7296751e1812865a9 # Date 2024-09-04 16:05:03 +0200 # Author Jan Beulich <jbeulich@suse.com> # Committer Jan Beulich <jbeulich@suse.com> SUPPORT.md: split XSM from Flask XSM is a generic framework, which in particular is also used by SILO. With this it can't really be experimental: Arm mandates SILO for having a security supported configuration. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com> --- a/SUPPORT.md +++ b/SUPPORT.md @@ -768,13 +768,21 @@ Compile time disabled for ARM by default Status, x86: Supported, not security supported -### XSM & FLASK +### XSM (Xen Security Module) Framework + +XSM is a security policy framework. The dummy implementation is covered by this +statement, and implements a policy whereby dom0 is all powerful. See below for +alternative modules (FLASK, SILO). + + Status: Supported + +### FLASK XSM Module Status: Experimental Compile time disabled by default. -Also note that using XSM +Also note that using FLASK to delegate various domain control hypercalls to particular other domains, rather than only permitting use by dom0, is also specifically excluded from security support for many hypercalls. @@ -787,6 +795,13 @@ Please see XSA-77 for more details. The default policy includes FLASK labels and roles for a "typical" Xen-based system with dom0, driver domains, stub domains, domUs, and so on. +### SILO XSM Module + +SILO extends the dummy policy by enforcing that DomU-s can only communicate +with Dom0, yet not with each other. + + Status: Supported + ## Virtual Hardware, Hypervisor ### x86/Nested PV
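Review bot: In the first hunk (@@ -768,13 +768,21 @@), "Compile time disabled by default." now sits only under the new "### FLASK XSM Module" heading, while the new "### XSM (Xen Security Module) Framework" section carries a bare "Status: Supported" with no statement of whether the framework itself is built by default or whether that differs per architecture. Under the old combined "### XSM & FLASK" heading the sentence could be read as covering both, and the commit message justifies the split by Arm's dependence on SILO, so a line on the framework's build default in the new section would remove the ambiguity.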
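Review bot: In the second hunk (@@ -787,6 +795,13 @@), the new "### SILO XSM Module" section does not record the rationale given in the commit message, that Arm mandates SILO for a security supported configuration; a sentence saying so next to "Status: Supported" would keep that dependency visible in SUPPORT.md itself. As a style point, this section writes "DomU-s" and "Dom0" while the framework paragraph added in the first hunk uses "dom0" and the unchanged context line uses "dom0" and "domUs"; matching the existing spelling would be more consistent.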