From 2c224f4c518113c6f38d583b5b3b1da0fc92d022 Mon Sep 17 00:00:00 2001 From: George Dunlap Date: Tue, 6 Nov 2018 15:41:22 +0000 Subject: [PATCH] SUPPORT.md: Add qemu-depriv section Signed-off-by: George Dunlap Acked-by: Ian Jackson --- Changes since v4: - Fix some grammar (s/attack/attacking/;) Changes since v3: - Moved from the qemu-depriv doc patches. - Reword to include the possibility of having a non-dom0 "devicemodel" domain which may want to be protected - Specify `Linux dom0` as the currently-tech-supported window CC: Ian Jackson CC: Wei Liu CC: Andrew Cooper CC: Jan Beulich CC: Tim Deegan CC: Konrad Wilk CC: Stefano Stabellini CC: Julien Grall CC: Anthony Perard CC: Ross Lagerwall --- SUPPORT.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/SUPPORT.md b/SUPPORT.md index b398976f5c..42577d0243 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -526,6 +526,26 @@ Vulnerabilities of a device model stub domain to a hostile driver domain (either compromised or untrusted) are excluded from security support. +### Device Model Deprivileging + + Status, Linux dom0: Tech Preview, with limited support + +This means adding extra restrictions to a device model in order to +prevent a compromised device model from attacking the rest of the +domain it's running in (normally dom0). + +"Tech preview with limited support" means we will not issue XSAs for +the _additional_ functionality provided by the feature; but we will +issue XSAs in the event that enabling this feature opens up a security +hole that would not be present without the feature disabled. + +For example, while this is classified as tech preview, a bug in libxl +which failed to change the user ID of QEMU would not receive an XSA, +since without this feature the user ID wouldn't be changed. But a +change which made it possible for a compromised guest to read +arbitrary files on the host filesystem without compromising QEMU would +be issued an XSA, since that does weaken security. + ### KCONFIG Expert Status: Experimental -- 2.30.2