SUPPORT.md: Un-shimmed 32-bit PV guests are no longer supported

The support status of 32-bit guests doesn't seem particularly useful.

With it changed to fully unsupported outside of PV-shim, adjust the PV32
Kconfig default accordingly.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

diff --git a/SUPPORT.md b/SUPPORT.md
index 7a53635c9e8e145132f9097e8aa6acb79dbedaed..317392d8f3d193a3cdf2d13d0673cdc7ec69df73 100644 (file)
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -86,14 +86,7 @@ No hardware requirements
 
     Status, x86_64: Supported
     Status, x86_32, shim: Supported
-    Status, x86_32, without shim: Supported, with caveats
-
-Due to architectural limitations,
-32-bit PV guests must be assumed to be able to read arbitrary host memory
-using speculative execution attacks.
-Advisories will continue to be issued
-for new vulnerabilities related to un-shimmed 32-bit PV guests
-enabling denial-of-service attacks or privilege escalation attacks.
+    Status, x86_32, without shim: Supported, not security supported
 
 ### x86/HVM
 

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index e55e029b797a73ea8270c03c76358784f1ddf653..9b164db641871db202fe1aeff9c3106f3761b5e9 100644 (file)
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -55,7 +55,7 @@ config PV
 config PV32
        bool "Support for 32bit PV guests"
        depends on PV
-       default y
+       default PV_SHIM
        select COMPAT
        ---help---
          The 32bit PV ABI uses Ring1, an area of the x86 architecture which
@@ -67,7 +67,10 @@ config PV32
          reduction, or performance reasons.  Backwards compatibility can be
          provided via the PV Shim mechanism.
 
-         If unsure, say Y.
+         Note that outside of PV Shim, 32-bit PV guests are not security
+         supported anymore.
+
+         If unsure, use the default setting.
 
 config PV_LINEAR_PT
        bool "Support for PV linear pagetables"