SUPPORT.md: Desupport qemu trad except stub dm

While investigating XSA-335 we discovered that many upstream security
fixes were missing.  It is not practical to backport them.  There is
no good reason to be running this very ancient version of qemu, except
that it is the only way to run a stub dm which is currently supported
by upstream.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
master commit: 8587160b3e2951b722d395a0346bb17c3c22152f
master date: 2020-11-04 09:22:37 +0100

diff --git a/SUPPORT.md b/SUPPORT.md
index 88a182ac31f52cefc37a31908c90dad718f685a2..55a65ae13632fdd97cc1804ae0d15c40116562a5 100644 (file)
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -758,6 +758,21 @@ See the section **Blkback** for image formats supported by QEMU.
 
     Status: Supported, not security supported
 
+### qemu-xen-traditional ###
+
+The Xen Project provides an old version of qemu with modifications
+which enable use as a device model stub domain.  The old version is
+normally selected by default only in a stub dm configuration, but it
+can be requested explicitly in other configurations, for example in
+`xl` with `device_model_version="QEMU_XEN_TRADITIONAL"`.
+
+    Status, Device Model Stub Domains: Supported, with caveats
+    Status, as host process device model: No security support, not recommended
+
+qemu-xen-traditional is security supported only for those available
+devices which are supported for mainstream QEMU (see above), with
+trusted driver domains (see Device Model Stub Domains).
+
 ## Virtual Firmware
 
 ### x86/HVM iPXE