Message ID | 1450819607-3763-2-git-send-email-cardoe@cardoe.com (mailing list archive) |
---|---|
State | New, archived |
On 22/12/2015 21:26, Doug Goldstein wrote: > diff --git a/INSTALL b/INSTALL > index c51447b..3d2e86a 100644 > --- a/INSTALL > +++ b/INSTALL > @@ -275,14 +275,10 @@ Building the python tools may fail unless certain options are passed to > setup.py. Config.mk contains additional info how to use this variable. > PYTHON_PREFIX_ARG= > > -The hypervisor may be build with XSM support, which can be changed with > -the following variables. > -XSM_ENABLE=y > - > -The hypervisor may be build with Flask support, which can be changed > +he hypervisor may be build with XSM/Flask support, which can be changed Missing a T. The x86 bits appear to be entirely mechanical, so Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
On 22/12/15 16:26, Doug Goldstein wrote:
> Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM
> within Kconfig. This also re-adds the dependency of CONFIG_FLASK on
> CONFIG_XSM.
>
> CC: Keir Fraser <keir@xen.org>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

The dependencies for LATE_HWDOM are backwards: it is an optional X86-only feature (which probably should be off by default) that depends on XSM to work properly.

How about this for the help text:

Allows the creation of a dedicated hardware domain distinct from domain 0 that manages devices without needing access to other privileged functionality such as the ability to manage domains. This requires that the actual domain 0 be a stub domain that constructs the actual hardware domain instead of initializing the hardware itself. Because the hardware domain needs access to hypercalls not available to unprivileged guests, an XSM policy is required to properly define the privilege of these domains.

This feature does nothing if the "hardware_dom" boot parameter is not present. If this feature is being used for security, it should be combined with an IOMMU in strict mode.

If unsure, say N.
On 1/4/16 2:01 PM, Daniel De Graaf wrote:
> On 22/12/15 16:26, Doug Goldstein wrote:
>> Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM
>> within Kconfig. This also re-adds the dependency of CONFIG_FLASK on
>> CONFIG_XSM.
>>
>> CC: Keir Fraser <keir@xen.org>
>> CC: Jan Beulich <jbeulich@suse.com>
>> CC: Andrew Cooper <andrew.cooper3@citrix.com>
>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>
> The dependencies for LATE_HWDOM are backwards: it is an optional X86-only
> feature (which probably should be off by default) that depends on XSM to
> work properly.

Currently it's always enabled if XSM_ENABLE is set. But if you are comfortable I'll tweak the patch to make this adjustable. Are you ok keeping your Ack-by as well?

>
> How about this for the help text:
>
> Allows the creation of a dedicated hardware domain distinct from
> domain 0 that manages devices without needing access to other
> privileged functionality such as the ability to manage domains.
> This requires that the actual domain 0 be a stub domain that
> constructs the actual hardware domain instead of initializing the
> hardware itself. Because the hardware domain needs access to
> hypercalls not available to unprivileged guests, an XSM policy
> is required to properly define the privilege of these domains.
>
> This feature does nothing if the "hardware_dom" boot parameter is
> not present. If this feature is being used for security, it should
> be combined with an IOMMU in strict mode.
>
> If unsure, say N.

Perfect! This is what I'm looking for from the various maintainers to help improve the documentation of different flags.
On 04/01/16 15:33, Doug Goldstein wrote:
> On 1/4/16 2:01 PM, Daniel De Graaf wrote:
>> On 22/12/15 16:26, Doug Goldstein wrote:
>>> Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM
>>> within Kconfig. This also re-adds the dependency of CONFIG_FLASK on
>>> CONFIG_XSM.
>>>
>>> CC: Keir Fraser <keir@xen.org>
>>> CC: Jan Beulich <jbeulich@suse.com>
>>> CC: Andrew Cooper <andrew.cooper3@citrix.com>
>>> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
>>
>> The dependencies for LATE_HWDOM are backwards: it is an optional X86-only
>> feature (which probably should be off by default) that depends on XSM to
>> work properly.
>
> Currently it's always enabled if XSM_ENABLE is set. But if you are
> comfortable I'll tweak the patch to make this adjustable. Are you ok
> keeping your Ack-by as well?

Yes; Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
diff --git a/Config.mk b/Config.mk index 7e56b48..8e58c36 100644 --- a/Config.mk +++ b/Config.mk @@ -212,9 +212,6 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -# Enable XSM security module (by default, Flask). -XSM_ENABLE ?= n - XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles # All the files at that location were downloaded from elsewhere on # the internet. The original download URL is preserved as a comment diff --git a/INSTALL b/INSTALL index c51447b..3d2e86a 100644 --- a/INSTALL +++ b/INSTALL @@ -275,14 +275,10 @@ Building the python tools may fail unless certain options are passed to setup.py. Config.mk contains additional info how to use this variable. PYTHON_PREFIX_ARG= -The hypervisor may be build with XSM support, which can be changed with -the following variables. -XSM_ENABLE=y - -The hypervisor may be build with Flask support, which can be changed +he hypervisor may be build with XSM/Flask support, which can be changed by running: make -C xen menuconfig -and enabling Flask in the 'Common Features' menu. +and enabling XSM/Flask in the 'Common Features' menu. Do a build for coverage. coverage=y diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index f2f0fd4..fb2fe9f 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt 
@@ -172,9 +172,9 @@ Setting up FLASK ---------------- Xen must be compiled with XSM and FLASK enabled; by default, the security -framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to -"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common -Features'; this change requires a make clean and rebuild. +framework is disabled. Running 'make -C xen menuconfig' and enabling XSM +and FLASK inside 'Common Features'; this change requires a make clean and +rebuild. FLASK uses only one domain configuration parameter (seclabel) defining the full security label of the newly created domain. If using the example policy, diff --git a/xen/Rules.mk b/xen/Rules.mk index 489cfd1..bdd8ccf 100644 --- a/xen/Rules.mk +++ b/xen/Rules.mk @@ -52,7 +52,6 @@ CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h CFLAGS += '-D__OBJECT_FILE__="$@"' -CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE CFLAGS-$(verbose) += -DVERBOSE CFLAGS-$(crash_debug) += -DCRASH_DEBUG CFLAGS-$(perfc) += -DPERF_COUNTERS diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 3419816..dea01eb 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -10,7 +10,8 @@ config COMPAT config FLASK bool "FLux Advanced Security Kernel support" - default n + default y + depends on XSM ---help--- Enables the FLASK (FLux Advanced Security Kernel) support which provides a mandatory access control framework by which security 
@@ -62,4 +63,24 @@ config KEXEC If unsure, say Y. +# Allows "late" initialization of the hardware domain +config LATE_HWDOM + bool + ---help--- + Late hardware domain initialization + +# Enable/Disable XSM support +config XSM + bool "Xen Security Modules support" + default n + select LATE_HWDOM if X86 + ---help--- + Enables the security framework known as Xen Security Modules which + allows administrators fine-grained control over a Xen domain and + its capabilities by defining permissible interactions between domains, + the hypervisor itself, and related resources such as memory and + devices. + + If unsure, say N. + endmenu diff --git a/xen/include/asm-x86/config.h b/xen/include/asm-x86/config.h index f25d92e..3305a75 100644 --- a/xen/include/asm-x86/config.h +++ b/xen/include/asm-x86/config.h @@ -52,10 +52,6 @@ #define CONFIG_MULTIBOOT 1 -#ifdef XSM_ENABLE -#define CONFIG_LATE_HWDOM 1 -#endif - #define HZ 100 #define OPT_CONSOLE_STR "vga" diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 6ea3cc7..e1428f7 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -110,7 +110,7 @@ struct evtchn u8 priority; u8 last_priority; u16 last_vcpu_id; -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM union { #ifdef XSM_NEED_GENERIC_EVTCHN_SSID /* diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 81fba40..55b84f0 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -27,9 +27,9 @@ /* DO NOT implement this function; it is supposed to trigger link errors */ void __xsm_action_mismatch_detected(void); -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM -/* In XSM_ENABLE builds, this header file is included from xsm/dummy.c, and +/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and * contains static (not inline) functions compiled to the dummy XSM module. * There is no xsm_default_t argument available, so the value from the assertion * is used to initialize the variable. 
@@ -39,9 +39,9 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_VOID void #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action -#else /* XSM_ENABLE */ +#else /* CONFIG_XSM */ -/* In !XSM_ENABLE builds, this header file is included from xsm/xsm.h, and +/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and * contains inline functions for each XSM hook. These functions also perform * compile-time checks on the xsm_default_t argument to ensure that the behavior * of the dummy XSM module is the same as the behavior with XSM disabled. @@ -51,7 +51,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_VOID xsm_default_t action #define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action) -#endif /* XSM_ENABLE */ +#endif /* CONFIG_XSM */ static always_inline int xsm_default_action( xsm_default_t action, struct domain *src, struct domain *target) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3fc3824..2c365cd 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -194,7 +194,7 @@ struct xsm_operations { #endif }; -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM extern struct xsm_operations *xsm_ops; @@ -752,7 +752,7 @@ extern int unregister_xsm(struct xsm_operations *ops); extern struct xsm_operations dummy_xsm_ops; extern void xsm_fixup_ops(struct xsm_operations *ops); -#else /* XSM_ENABLE */ +#else /* CONFIG_XSM */ #include <xsm/dummy.h> @@ -772,6 +772,6 @@ static inline int xsm_dt_init(void) } #endif -#endif /* XSM_ENABLE */ +#endif /* CONFIG_XSM */ #endif /* __XSM_H */ diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile index d29e71c..3252c46 100644 --- a/xen/xsm/Makefile +++ b/xen/xsm/Makefile @@ -1,7 +1,5 @@ obj-y += xsm_core.o -ifeq ($(XSM_ENABLE),y) -obj-y += xsm_policy.o -obj-y += dummy.o -endif +obj-$(CONFIG_XSM) += xsm_policy.o +obj-$(CONFIG_XSM) += dummy.o subdir-$(CONFIG_FLASK) += flask
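Review bot: In Config.mk, dropping "XSM_ENABLE ?= n" with no replacement check means a build that still passes XSM_ENABLE=y (on the make command line or from a local .config) will now succeed and quietly produce a hypervisor without XSM, because the new CONFIG_XSM defaults to n. For a security feature that is a poor way to fail; consider stopping the build with an error when XSM_ENABLE is set, pointing the user at "make -C xen menuconfig".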
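Review bot: In the INSTALL hunk, the added line "+he hypervisor may be build with XSM/Flask support" has lost its leading "T", and "may be build" should read "may be built" while the sentence is being touched. Suggested text: "The hypervisor may be built with XSM/Flask support, which can be changed by running:".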
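Review bot: In the docs/misc/xsm-flask.txt hunk, the replacement sentence "Running 'make -C xen menuconfig' and enabling XSM and FLASK inside 'Common Features'; this change requires a make clean and rebuild." has no main verb before the semicolon, a leftover from deleting "Edit Config.mk ... and". Rewording it as an instruction, for example "Run 'make -C xen menuconfig' and enable XSM and FLASK inside 'Common Features'; ...", keeps the setup step unambiguous.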
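Review bot: In xen/Rules.mk, once "CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE" is gone, any "#ifdef XSM_ENABLE" that this patch does not convert will silently evaluate false and compile the guarded XSM code out instead of breaking the build. The diff only converts guards in xen/include/xen/sched.h, xen/include/xsm/dummy.h and xen/include/xsm/xsm.h, so please confirm with a tree-wide search for XSM_ENABLE (C sources, arch headers, other Makefiles) that no user remains, and note that in the commit message.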
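Review bot: In the first xen/common/Kconfig hunk, "config FLASK" changes from "default n" to "default y" alongside the new "depends on XSM", but the commit message only mentions re-adding the dependency. The effect is that turning on XSM now turns on FLASK unless the user deselects it, which matches the removed Config.mk comment "Enable XSM security module (by default, Flask)" but is a default change worth stating explicitly in the commit message.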
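Review bot: In the second xen/common/Kconfig hunk, "config LATE_HWDOM" is a bare "bool" with no prompt, so its "---help---" text is never shown in menuconfig, and the only way it gets set is "select LATE_HWDOM if X86" under XSM. That reproduces the removed "#ifdef XSM_ENABLE / #define CONFIG_LATE_HWDOM 1" from asm-x86/config.h, but it keeps the feature forced on for every x86 XSM build. Giving it a prompt with "depends on XSM && X86" and "default n", and dropping the select, would make it an opt-in and give the help text somewhere to appear; the help text itself currently just restates the option name.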
Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM within Kconfig. This also re-adds the dependency of CONFIG_FLASK on CONFIG_XSM.

CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <jbeulich@suse.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
Config.mk | 3 ---
INSTALL | 8 ++------
docs/misc/xsm-flask.txt | 6 +++---
xen/Rules.mk | 1 -
xen/common/Kconfig | 23 ++++++++++++++++++++++-
xen/include/asm-x86/config.h | 4 ----
xen/include/xen/sched.h | 2 +-
xen/include/xsm/dummy.h | 10 +++++-----
xen/include/xsm/xsm.h | 6 +++---
xen/xsm/Makefile | 6 ++----
10 files changed, 38 insertions(+), 31 deletions(-)