
[0/2] Introduce XSM ability for domain privilege escalation

Message ID 20220330230549.26074-1-dpsmith@apertussolutions.com (mailing list archive)

Daniel P. Smith March 30, 2022, 11:05 p.m. UTC
This series introduces a pair of functions that allow a domain to be escalated to
is_privileged or demoted. Internally the functions enforce the policy that this
is only allowed for system domains, the idle domain in particular.

As for the implementation, there is a desire that the logic does not persist after
__init code is jettisoned after setup. This has to be balanced with the fact that there are no
.c unit files for XSM when only the default policy is in use, i.e. CONFIG_XSM is not
set. To balance this, the functions were implemented as always_inline functions in xsm.h.
This should ensure that if the only usage of these functions is in __init code, there
should be no instances of this logic present after __init code is jettisoned. Since
this introduces the ability to elevate the idle domain to is_privileged, this should
not be left in place when transitioning into the running state. As such, a pair of
ASSERTs were introduced, one each for x86 and Arm, to ensure that the idle domain
isn't inadvertently left with is_privileged being true.

Daniel P. Smith (2):
  xsm: add ability to elevate a domain to privileged
  arch: ensure idle domain is not left privileged

 xen/arch/arm/setup.c  |  3 +++
 xen/arch/x86/setup.c  |  3 +++
 xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++
 3 files changed, 28 insertions(+)
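The following is an added, stand-alone model of the mechanism the cover letter describes; it is not the series' own code (the patches themselves are not shown on this page). It mirrors the three points the cover letter makes: the elevate/demote pair lives header-only as always_inline functions, the policy inside them refuses anything but a system domain, and a check modelled on the added ASSERTs verifies that the idle domain is back to unprivileged before the running state. The names domid_t, DOMID_FIRST_RESERVED, DOMID_IDLE, is_system_domain, xsm_elevate_priv, xsm_demote_priv and model_boot are assumptions chosen for the illustration, not identifiers taken from the series.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the cover letter's design; added example code, not
 * the Xen patch. The type, constants and helper names below are assumptions
 * chosen to resemble Xen's conventions. */
typedef uint16_t domid_t;
#define DOMID_FIRST_RESERVED 0x7FF0U   /* assumed: first system-domain id  */
#define DOMID_IDLE           0x7FFFU   /* assumed: id of the idle domain    */

struct domain {
    domid_t domain_id;
    bool    is_privileged;
};

/* Assumed policy helper: system domains carry reserved ids. */
static inline bool is_system_domain(const struct domain *d)
{
    return d->domain_id >= DOMID_FIRST_RESERVED;
}

/* Header-only and always inlined: with CONFIG_XSM unset there is no XSM .c
 * file to hold these, and inlining into __init callers means no copy of the
 * logic survives once init text is freed. Policy: only system domains. */
static inline __attribute__((always_inline))
int xsm_elevate_priv(struct domain *d)
{
    if ( !is_system_domain(d) )
        return -EPERM;
    d->is_privileged = true;
    return 0;
}

static inline __attribute__((always_inline))
int xsm_demote_priv(struct domain *d)
{
    if ( !is_system_domain(d) )
        return -EPERM;
    d->is_privileged = false;
    return 0;
}

/* Modelled on the ASSERTs added to arch setup code before entering the
 * running state: the idle domain must not be left privileged. */
static inline bool idle_domain_unprivileged(const struct domain *idle)
{
    return idle->domain_id == DOMID_IDLE && !idle->is_privileged;
}

/* Returns the elevate result for a fresh, unprivileged domain with id `id`,
 * so the policy can be probed without touching a real domain. */
int probe_policy(domid_t id)
{
    struct domain d = { .domain_id = id, .is_privileged = false };
    return xsm_elevate_priv(&d);
}

/* Model of a boot sequence: elevate idle for a privileged setup step, then
 * demote it again unless `forget_to_demote` simulates the bug the ASSERTs
 * are there to catch. Returns 0 if the running-state invariant holds, 1 if
 * the idle domain was left privileged. */
int model_boot(bool forget_to_demote)
{
    struct domain idle = { .domain_id = DOMID_IDLE, .is_privileged = false };

    if ( xsm_elevate_priv(&idle) != 0 )
        return 1;                       /* policy refused the idle domain */

    /* ... privileged __init work would run here with idle.is_privileged ... */

    if ( !forget_to_demote )
        xsm_demote_priv(&idle);

    return idle_domain_unprivileged(&idle) ? 0 : 1;
}

int main(void)
{
    printf("elevate domU (id 1): %d (expect -EPERM=%d)\n", probe_policy(1), -EPERM);
    printf("elevate idle:        %d (expect 0)\n", probe_policy(DOMID_IDLE));
    printf("boot, demoted:       %d (expect 0)\n", model_boot(false));
    printf("boot, left elevated: %d (expect 1)\n", model_boot(true));
    return 0;
}
```

Because xsm_elevate_priv and xsm_demote_priv are static inline and always_inline, a build that only calls them from __init functions keeps no out-of-line copy, which is the property the cover letter relies on; the check in idle_domain_unprivileged is what catches a caller that elevates and never demotes.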