SUPPORT.md: add Dom0less as Supported

Add Dom0less to SUPPORT.md to clarify its support status. The feature is
mature enough and small enough to make it security supported.

Clarify that dom0less DomUs memory is not scrubbed at boot when
bootscrub=on or bootscrub=off are passed as Xen command line parameters,
and no XSAs will be issued for that.

Also see XSA-372: 371347c5b64da and fd5dc41ceaed.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Acked-by: Julien Grall <jgrall@amazon.com>

diff --git a/SUPPORT.md b/SUPPORT.md
index 32fb0aa8de1896c77005960f4dfca5d8c11b5295..088dda9561c1696bf53e9b4068b1baac1b62b49a 100644 (file)
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -882,6 +882,17 @@ OVMF firmware implements the UEFI boot protocol.
 
     Status, qemu-xen: Supported
 
+## Dom0less
+
+Guest creation from the hypervisor at boot without Dom0 intervention.
+
+    Status, ARM: Supported
+
+Memory of dom0less DomUs is not scrubbed at boot when bootscrub=on or
+bootscrub=off are passed as Xen command line parameters. (Memory should
+be scrubbed with bootscrub=idle.) No XSAs will be issues due to
+unscrubbed memory.
+
 # Format and definitions
 
 This file contains prose, and machine-readable fragments.