@@ -214,7 +214,6 @@ EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
# Enable XSM security module (by default, Flask).
XSM_ENABLE ?= n
-FLASK_ENABLE ?= $(XSM_ENABLE)
XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
@@ -278,7 +278,11 @@ PYTHON_PREFIX_ARG=
The hypervisor may be build with XSM support, which can be changed with
the following variables.
XSM_ENABLE=y
-FLASK_ENABLE=y
+
+The hypervisor may be build with Flask support, which can be changed
+by running:
+make -C xen menuconfig
+and enabling Flask in the 'Common Features' menu.
Do a build for coverage.
coverage=y
@@ -172,8 +172,9 @@ Setting up FLASK
----------------
Xen must be compiled with XSM and FLASK enabled; by default, the security
-framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE and
-FLASK_ENABLE to "y"; this change requires a make clean and rebuild.
+framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to
+"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common
+Features'; this change requires a make clean and rebuild.
FLASK uses only one domain configuration parameter (seclabel) defining the
full security label of the newly created domain. If using the example policy,
@@ -53,7 +53,6 @@ CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
CFLAGS += '-D__OBJECT_FILE__="$@"'
CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE
CFLAGS-$(verbose) += -DVERBOSE
CFLAGS-$(crash_debug) += -DCRASH_DEBUG
CFLAGS-$(perfc) += -DPERF_COUNTERS
@@ -8,6 +8,17 @@ config COMPAT
HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective
of the destination runmode of the guest.
+config FLASK
+ bool "FLux Advanced Security Kernel support"
+ default n
+ ---help---
+ Enables the FLASK (FLux Advanced Security Kernel) support which
+ provides a mandatory access control framework by which security
+ enforcement, isolation, and auditing can be achieved with fine
+ granular control via a security policy.
+
+ If unsure, say N.
+
# Select HAS_DEVICE_TREE if device tree is supported
config HAS_DEVICE_TREE
bool
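Review bot: The new FLASK option carries no dependency and its help text never says that it is only meaningful when XSM_ENABLE=y is set in Config.mk, so someone enabling it in menuconfig on a default tree ends up with CONFIG_FLASK=y while XSM_ENABLE stays n. The xen/xsm/Makefile hunk shows why that matters: `subdir-$(CONFIG_FLASK) += flask` sits after the `endif` that appears to close the XSM_ENABLE conditional (the conditional's start is outside the hunk), so the flask subdirectory is descended whether or not XSM itself is built. The commit message says the dependency on XSM_ENABLE is deliberately deferred to the later XSM Kconfig conversion; until that lands, a sentence in the help text such as `This option is only supported together with XSM_ENABLE=y in Config.mk.` placed before "If unsure, say N." would at least make the constraint visible to the user choosing it.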
@@ -28,7 +28,7 @@ headers-$(CONFIG_X86) += compat/arch-x86/xen.h
headers-$(CONFIG_X86) += compat/arch-x86/xen-$(compat-arch-y).h
headers-$(CONFIG_X86) += compat/hvm/hvm_vcpu.h
headers-y += compat/arch-$(compat-arch-y).h compat/pmu.h compat/xlat.h
-headers-$(FLASK_ENABLE) += compat/xsm/flask_op.h
+headers-$(CONFIG_FLASK) += compat/xsm/flask_op.h
cppflags-y := -include public/xen-compat.h
cppflags-$(CONFIG_X86) += -m32
@@ -86,7 +86,7 @@
#define mk_unsigned_long(x) x
#endif /* !__ASSEMBLY__ */
-#ifdef FLASK_ENABLE
+#ifdef CONFIG_FLASK
#define XSM_MAGIC 0xf97cff8c
/* Maintain statistics on the access vector cache */
#define FLASK_AVC_STATS 1
@@ -119,7 +119,7 @@ struct evtchn
*/
void *generic;
#endif
-#ifdef FLASK_ENABLE
+#ifdef CONFIG_FLASK
/*
* Inlining the contents of the structure for FLASK avoids unneeded
* allocations, and on 64-bit platforms with only FLASK enabled,
@@ -4,4 +4,4 @@ obj-y += xsm_policy.o
obj-y += dummy.o
endif
-subdir-$(FLASK_ENABLE) += flask
+subdir-$(CONFIG_FLASK) += flask
Converts the Config.mk option of FLASK_ENABLE into a Kconfig option for the hypervisor called CONFIG_FLASK. This commit knowingly breaks the dependent relationship on XSM_ENABLE which is addressed when XSM_ENABLE is converted to Kconfig. CC: Daniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> --- Config.mk | 1 - INSTALL | 6 +++++- docs/misc/xsm-flask.txt | 5 +++-- xen/Rules.mk | 1 - xen/common/Kconfig | 11 +++++++++++ xen/include/Makefile | 2 +- xen/include/xen/config.h | 2 +- xen/include/xen/sched.h | 2 +- xen/xsm/Makefile | 2 +- 9 files changed, 23 insertions(+), 9 deletions(-)