diff mbox series

[v6,09/10] kconfig: update xsm config to reflect reality

Message ID 20210910201305.32526-10-dpsmith@apertussolutions.com (mailing list archive)
State New, archived
Headers show
Series xsm: refactoring xsm hooks | expand

Commit Message

Daniel P. Smith Sept. 10, 2021, 8:13 p.m. UTC
It has been a very long time since XSM Flask was the only XSM module, yet the
concenpt of turning XSM on/off continues to be synonymous with enabling and
disabling XSM Flask. Even when XSM Flask was the only module, turning XSM
on/off did not disable or remove the XSM hooks but simply controlled whether
they were implemented as direct inline functions or dispatch calls.

This commit updates XSM kconfig to ensure that it is clear in the code as well
to the user, via the help messages, that the option is about configuring which
XSM policy module(s) are available and which is the default.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/common/Kconfig         | 49 ++++++++++++++++++--------------------
 xen/include/xen/sched.h    |  2 +-
 xen/include/xsm/dummy.h    | 23 +++++++++---------
 xen/include/xsm/xsm-core.h |  6 ++---
 xen/include/xsm/xsm.h      |  6 ++---
 xen/xsm/Makefile           |  4 ++--
 xen/xsm/xsm_core.c         |  4 ++--
 7 files changed, 46 insertions(+), 48 deletions(-)

Comments

Jan Beulich Sept. 17, 2021, 12:09 p.m. UTC | #1
On 10.09.2021 22:13, Daniel P. Smith wrote:
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -200,23 +200,20 @@ config XENOPROF
>  
>  	  If unsure, say Y.
>  
> -config XSM
> -	bool "Xen Security Modules support"
> +config XSM_CONFIGURABLE
> +	bool "Configure Xen Security Modules"
>  	default ARM
> -	---help---
> -	  Enables the security framework known as Xen Security Modules which
> -	  allows administrators fine-grained control over a Xen domain and
> -	  its capabilities by defining permissible interactions between domains,
> -	  the hypervisor itself, and related resources such as memory and
> -	  devices.
> +	help
> +	  Allows for configuring the Xen Security Modules (XSM) policy or policies
> +	  modules that will be availble and which will be the default.
>  
>  	  If unsure, say N.
>  
>  config XSM_FLASK
> -	def_bool y
> -	prompt "FLux Advanced Security Kernel support"
> -	depends on XSM
> -	---help---
> +	bool "FLux Advanced Security Kernel support"
> +	depends on XSM_CONFIGURABLE
> +	select XSM_EVTCHN_LABELING
> +	help
>  	  Enables FLASK (FLux Advanced Security Kernel) as the access control
>  	  mechanism used by the XSM framework.  This provides a mandatory access
>  	  control framework by which security enforcement, isolation, and

I continue to think that the default here and ...

> @@ -253,10 +250,10 @@ config XSM_FLASK_POLICY
>  	  If unsure, say Y.
>  
>  config XSM_SILO
> -	def_bool y
> -	prompt "SILO support"
> -	depends on XSM
> -	---help---
> +	bool "SILO support"
> +	default y if ARM
> +	depends on XSM_CONFIGURABLE
> +	help
>  	  Enables SILO as the access control mechanism used by the XSM framework.
>  	  This is not the default module, add boot parameter xsm=silo to choose
>  	  it. This will deny any unmediated communication channels (grant tables

... here should not change. If it changes, the change needs justifying
in the description.

> @@ -282,15 +279,15 @@ endchoice
>  config LATE_HWDOM
>  	bool "Dedicated hardware domain"
>  	default n
> -	depends on XSM && X86
> -	---help---
> +	depends on XSM_FLASK && X86
> +	help
>  	  Allows the creation of a dedicated hardware domain distinct from
>  	  domain 0 that manages devices without needing access to other
>  	  privileged functionality such as the ability to manage domains.
>  	  This requires that the actual domain 0 be a stub domain that
>  	  constructs the actual hardware domain instead of initializing the
>  	  hardware itself.  Because the hardware domain needs access to
> -	  hypercalls not available to unprivileged guests, an XSM policy
> +	  hypercalls not available to unprivileged guests, an XSM Flask policy
>  	  is required to properly define the privilege of these domains.

I also continue to think that this would better be a separate change.
Or if not, the seemingly unrelated change needs mentioning in the
description (to make clear it's not a stray change).

Jan
Daniel P. Smith Sept. 17, 2021, 1:19 p.m. UTC | #2
On 9/17/21 8:09 AM, Jan Beulich wrote:
> On 10.09.2021 22:13, Daniel P. Smith wrote:
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -200,23 +200,20 @@ config XENOPROF
>>  
>>  	  If unsure, say Y.
>>  
>> -config XSM
>> -	bool "Xen Security Modules support"
>> +config XSM_CONFIGURABLE
>> +	bool "Configure Xen Security Modules"
>>  	default ARM
>> -	---help---
>> -	  Enables the security framework known as Xen Security Modules which
>> -	  allows administrators fine-grained control over a Xen domain and
>> -	  its capabilities by defining permissible interactions between domains,
>> -	  the hypervisor itself, and related resources such as memory and
>> -	  devices.
>> +	help
>> +	  Allows for configuring the Xen Security Modules (XSM) policy or policies
>> +	  modules that will be availble and which will be the default.
>>  
>>  	  If unsure, say N.
>>  
>>  config XSM_FLASK
>> -	def_bool y
>> -	prompt "FLux Advanced Security Kernel support"
>> -	depends on XSM
>> -	---help---
>> +	bool "FLux Advanced Security Kernel support"
>> +	depends on XSM_CONFIGURABLE
>> +	select XSM_EVTCHN_LABELING
>> +	help
>>  	  Enables FLASK (FLux Advanced Security Kernel) as the access control
>>  	  mechanism used by the XSM framework.  This provides a mandatory access
>>  	  control framework by which security enforcement, isolation, and
> 
> I continue to think that the default here and ...
> 
>> @@ -253,10 +250,10 @@ config XSM_FLASK_POLICY
>>  	  If unsure, say Y.
>>  
>>  config XSM_SILO
>> -	def_bool y
>> -	prompt "SILO support"
>> -	depends on XSM
>> -	---help---
>> +	bool "SILO support"
>> +	default y if ARM
>> +	depends on XSM_CONFIGURABLE
>> +	help
>>  	  Enables SILO as the access control mechanism used by the XSM framework.
>>  	  This is not the default module, add boot parameter xsm=silo to choose
>>  	  it. This will deny any unmediated communication channels (grant tables
> 
> ... here should not change. If it changes, the change needs justifying
> in the description.

IMHO the configure system should not presumptuously assume that if a
user selects XSM_CONFIGURABLE that the Flask module, which is not
currently security supported, should be enabled. I would agree that we
could turn on the SILO module since it is security supported. Later when
I am able to get Flask into a security supported state, I would be all
for enabling it as well. A more roadmap-ish idea is to see SILO subsumed
as a select-able policy under Flask, but that is a bit of a digression.

I will add to the commit message to clarify this position that is being
encoded.

>> @@ -282,15 +279,15 @@ endchoice
>>  config LATE_HWDOM
>>  	bool "Dedicated hardware domain"
>>  	default n
>> -	depends on XSM && X86
>> -	---help---
>> +	depends on XSM_FLASK && X86
>> +	help
>>  	  Allows the creation of a dedicated hardware domain distinct from
>>  	  domain 0 that manages devices without needing access to other
>>  	  privileged functionality such as the ability to manage domains.
>>  	  This requires that the actual domain 0 be a stub domain that
>>  	  constructs the actual hardware domain instead of initializing the
>>  	  hardware itself.  Because the hardware domain needs access to
>> -	  hypercalls not available to unprivileged guests, an XSM policy
>> +	  hypercalls not available to unprivileged guests, an XSM Flask policy
>>  	  is required to properly define the privilege of these domains.
> 
> I also continue to think that this would better be a separate change.
> Or if not, the seemingly unrelated change needs mentioning in the
> description (to make clear it's not a stray change).

Apologies that I missed the suggestion to break this out. Since this
really is more of a general clean-up over being part of the intended
improvement for this patch set, I will break it out and move it to the
front of the patch set.

v/r,
dps
diff mbox series

Patch

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index ac5491b1cc..2f85538920 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -200,23 +200,20 @@  config XENOPROF
 
 	  If unsure, say Y.
 
-config XSM
-	bool "Xen Security Modules support"
+config XSM_CONFIGURABLE
+	bool "Configure Xen Security Modules"
 	default ARM
-	---help---
-	  Enables the security framework known as Xen Security Modules which
-	  allows administrators fine-grained control over a Xen domain and
-	  its capabilities by defining permissible interactions between domains,
-	  the hypervisor itself, and related resources such as memory and
-	  devices.
+	help
+	  Allows for configuring the Xen Security Modules (XSM) policy or policies
+	  modules that will be availble and which will be the default.
 
 	  If unsure, say N.
 
 config XSM_FLASK
-	def_bool y
-	prompt "FLux Advanced Security Kernel support"
-	depends on XSM
-	---help---
+	bool "FLux Advanced Security Kernel support"
+	depends on XSM_CONFIGURABLE
+	select XSM_EVTCHN_LABELING
+	help
 	  Enables FLASK (FLux Advanced Security Kernel) as the access control
 	  mechanism used by the XSM framework.  This provides a mandatory access
 	  control framework by which security enforcement, isolation, and
@@ -226,10 +223,10 @@  config XSM_FLASK
 	  If unsure, say Y.
 
 config XSM_FLASK_AVC_STATS
-	def_bool y
-	prompt "Maintain statistics on the FLASK access vector cache" if EXPERT
+	bool "Maintain statistics on the FLASK access vector cache" if EXPERT
+	default y
 	depends on XSM_FLASK
-	---help---
+	help
 	  Maintain counters on the access vector cache that can be viewed using
 	  the FLASK_AVC_CACHESTATS sub-op of the xsm_op hypercall.  Disabling
 	  this will save a tiny amount of memory and time to update the stats.
@@ -240,7 +237,7 @@  config XSM_FLASK_POLICY
 	bool "Compile Xen with a built-in FLASK security policy"
 	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
 	depends on XSM_FLASK
-	---help---
+	help
 	  This includes a default XSM policy in the hypervisor so that the
 	  bootloader does not need to load a policy to get sane behavior from an
 	  XSM-enabled hypervisor.  If this is disabled, a policy must be
@@ -253,10 +250,10 @@  config XSM_FLASK_POLICY
 	  If unsure, say Y.
 
 config XSM_SILO
-	def_bool y
-	prompt "SILO support"
-	depends on XSM
-	---help---
+	bool "SILO support"
+	default y if ARM
+	depends on XSM_CONFIGURABLE
+	help
 	  Enables SILO as the access control mechanism used by the XSM framework.
 	  This is not the default module, add boot parameter xsm=silo to choose
 	  it. This will deny any unmediated communication channels (grant tables
@@ -265,14 +262,14 @@  config XSM_SILO
 	  If unsure, say Y.
 
 choice
-	prompt "Default XSM implementation"
-	depends on XSM
+	prompt "Default XSM module"
+	depends on XSM_CONFIGURABLE
 	default XSM_SILO_DEFAULT if XSM_SILO && ARM
 	default XSM_FLASK_DEFAULT if XSM_FLASK
 	default XSM_SILO_DEFAULT if XSM_SILO
 	default XSM_DUMMY_DEFAULT
 	config XSM_DUMMY_DEFAULT
-		bool "Match non-XSM behavior"
+		bool "Classic Dom0 behavior"
 	config XSM_FLASK_DEFAULT
 		bool "FLux Advanced Security Kernel" if XSM_FLASK
 	config XSM_SILO_DEFAULT
@@ -282,15 +279,15 @@  endchoice
 config LATE_HWDOM
 	bool "Dedicated hardware domain"
 	default n
-	depends on XSM && X86
-	---help---
+	depends on XSM_FLASK && X86
+	help
 	  Allows the creation of a dedicated hardware domain distinct from
 	  domain 0 that manages devices without needing access to other
 	  privileged functionality such as the ability to manage domains.
 	  This requires that the actual domain 0 be a stub domain that
 	  constructs the actual hardware domain instead of initializing the
 	  hardware itself.  Because the hardware domain needs access to
-	  hypercalls not available to unprivileged guests, an XSM policy
+	  hypercalls not available to unprivileged guests, an XSM Flask policy
 	  is required to properly define the privilege of these domains.
 
 	  This feature does nothing if the "hardware_dom" boot parameter is
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 28146ee404..7f4bfa855b 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -120,7 +120,7 @@  struct evtchn
     unsigned short notify_vcpu_id; /* VCPU for local delivery notification */
     uint32_t fifo_lastq;           /* Data for identifying last queue. */
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_CONFIGURABLE
     union {
 #ifdef XSM_NEED_GENERIC_EVTCHN_SSID
         /*
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index be8877a195..a0fe257b8e 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -43,13 +43,13 @@  static inline void __xsm_action_mismatch_detected(void)
 void __xsm_action_mismatch_detected(void);
 #endif
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_CONFIGURABLE
 
 /*
- * In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and
- * contains static (not inline) functions compiled to the dummy XSM module.
- * There is no xsm_default_t argument available, so the value from the assertion
- * is used to initialize the variable.
+ * In CONFIG_XSM_CONFIGURABLE builds, this header file is included from
+ * xsm/dummy.c, and contains static (not inline) functions compiled to the
+ * dummy XSM module.  There is no xsm_default_t argument available, so the
+ * value from the assertion is used to initialize the variable.
  */
 #define XSM_INLINE __maybe_unused
 
@@ -57,20 +57,21 @@  void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID void
 #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
 
-#else /* CONFIG_XSM */
+#else /* CONFIG_XSM_CONFIGURABLE */
 
 /*
- * In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and
- * contains inline functions for each XSM hook. These functions also perform
- * compile-time checks on the xsm_default_t argument to ensure that the behavior
- * of the dummy XSM module is the same as the behavior with XSM disabled.
+ * In !CONFIG_XSM_CONFIGURABLE builds, this header file is included from
+ * xsm/xsm.h, and contains inline functions for each XSM hook. These functions
+ * also perform compile-time checks on the xsm_default_t argument to ensure
+ * that the behavior of the dummy XSM module is the same as the behavior with
+ * XSM disabled.
  */
 #define XSM_INLINE always_inline
 #define XSM_DEFAULT_ARG xsm_default_t action,
 #define XSM_DEFAULT_VOID xsm_default_t action
 #define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action)
 
-#endif /* CONFIG_XSM */
+#endif /* CONFIG_XSM_CONFIGURABLE */
 
 static always_inline int xsm_default_action(
     xsm_default_t action, struct domain *src, struct domain *target)
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
index 3c4a25d7fc..59355937ef 100644
--- a/xen/include/xsm/xsm-core.h
+++ b/xen/include/xsm/xsm-core.h
@@ -199,7 +199,7 @@  struct xsm_ops {
 
 void xsm_fixup_ops(struct xsm_ops *ops);
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_CONFIGURABLE
 
 #ifdef CONFIG_MULTIBOOT
 int xsm_multiboot_init(
@@ -240,7 +240,7 @@  static const inline struct xsm_ops *silo_init(void)
 }
 #endif
 
-#else /* CONFIG_XSM */
+#else /* CONFIG_XSM_CONFIGURABLE */
 
 #ifdef CONFIG_MULTIBOOT
 static inline int xsm_multiboot_init(
@@ -262,6 +262,6 @@  static inline bool has_xsm_magic(paddr_t start)
 }
 #endif /* CONFIG_HAS_DEVICE_TREE */
 
-#endif /* CONFIG_XSM */
+#endif /* CONFIG_XSM_CONFIGURABLE */
 
 #endif /* __XSM_CORE_H */
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 7b1611d10b..14f039673e 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -20,7 +20,7 @@ 
 #include <xen/multiboot.h>
 #include <xsm/xsm-core.h>
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_CONFIGURABLE
 
 extern struct xsm_ops xsm_ops;
 
@@ -590,10 +590,10 @@  static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 
 #endif /* CONFIG_ARGO */
 
-#else /* CONFIG_XSM */
+#else /* CONFIG_XSM_CONFIGURABLE */
 
 #include <xsm/dummy.h>
 
-#endif /* CONFIG_XSM */
+#endif /* CONFIG_XSM_CONFIGURABLE */
 
 #endif /* __XSM_H */
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index cf0a728f1c..09b9311b1d 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,6 +1,6 @@ 
 obj-y += xsm_core.o
-obj-$(CONFIG_XSM) += xsm_policy.o
-obj-$(CONFIG_XSM) += dummy.o
+obj-$(CONFIG_XSM_CONFIGURABLE) += xsm_policy.o
+obj-$(CONFIG_XSM_CONFIGURABLE) += dummy.o
 obj-$(CONFIG_XSM_SILO) += silo.o
 
 obj-$(CONFIG_XSM_FLASK) += flask/
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index e1fe4e66a7..8fd2f6e180 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -18,7 +18,7 @@ 
 #include <xen/hypercall.h>
 #include <xsm/xsm.h>
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_CONFIGURABLE
 
 #ifdef CONFIG_MULTIBOOT
 #include <asm/setup.h>
@@ -222,7 +222,7 @@  bool __init has_xsm_magic(paddr_t start)
 }
 #endif
 
-#endif
+#endif /* CONFIG_XSM_CONFIGURABLE */
 
 long do_xsm_op(XEN_GUEST_HANDLE_PARAM(void) op)
 {