[v2,2/2] xen: convert XSM_ENABLE to Kconfig

Message ID 1451963180-11784-1-git-send-email-cardoe@cardoe.com (mailing list archive)
State New, archived

Commit Message

Doug Goldstein Jan. 5, 2016, 3:06 a.m. UTC
Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM
within Kconfig. This also re-adds the dependency of CONFIG_FLASK on

CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <jbeulich@suse.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Change from v2:
- adopt wording from Daniel De Graaf about the dedicated hardware domain
- make the dedicated hardware domain feature optional
 Config.mk                    |  3 ---
 INSTALL                      |  8 ++------
 docs/misc/xsm-flask.txt      |  6 +++---
 xen/Rules.mk                 |  1 -
 xen/common/Kconfig           | 37 ++++++++++++++++++++++++++++++++++++-
 xen/include/asm-x86/config.h |  4 ----
 xen/include/xen/sched.h      |  2 +-
 xen/include/xsm/dummy.h      | 10 +++++-----
 xen/include/xsm/xsm.h        |  6 +++---
 xen/xsm/Makefile             |  6 ++----
 10 files changed, 52 insertions(+), 31 deletions(-)


Ian Jackson Jan. 11, 2016, 11:44 a.m. UTC | #1
Doug Goldstein writes ("[Xen-devel] [PATCH v2 2/2] xen: convert XSM_ENABLE to Kconfig"):
> Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM
> within Kconfig. This also re-adds the dependency of CONFIG_FLASK on

Some version of these patches were applied to xen.git#staging last
week as:
  b36bf230 "convert FLASK_ENABLE to Kconfig"
  2b2ab5d8 "convert XSM_ENABLE to Kconfig"
  9754544a "fix missing XSM_ENABLE change"

They made it through to xen.git#smoke.  However, osstest was not
ready, so that old osstest would generate non-XSM tests when it
intended to test XSM.  To avoid XSM-related regressions sneaking in,
these patches were reverted in xen.git [1].

The corresponding osstest.git change, which is (we think) compatible
with both old and new xen.git, has now made it through the osstest

We can reapply the xen.git XSM/FLASK Kconfig patches now.  We should
check the first test report on a xen-unstable containing the
reapplication, to verify that XSM is actually enabled in the XSM

For the future, it would be really good if the osstest XSM tests
attempted some forbidden operations and verified that they failed.  If
we had that at the start of all this then the config
regression/incompatibility would have been caught by those tests.

Such patches to osstest would be very welcome and I'd be happy to


[1] Also, the osstest push gate from xen.git#smoke to xen.git#master
was stopped.  Since the xen.git reverts have made it to #smoke it is
now fine to restart the xen.git#smoke to xen.git#master push gate.

diff --git a/Config.mk b/Config.mk
index 7e56b48..8e58c36 100644
--- a/Config.mk
+++ b/Config.mk
@@ -212,9 +212,6 @@  APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
-# Enable XSM security module (by default, Flask).
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
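Review bot: With the "Enable XSM security module" lines removed from Config.mk here, a caller that still passes XSM_ENABLE=y on the make command line or in a local .config gets a hypervisor built without XSM and no diagnostic. Consider a check in Config.mk that fails the build when XSM_ENABLE is set, with a message pointing to CONFIG_XSM under 'make -C xen menuconfig', so that stale build scripts and test harnesses stop loudly instead of producing a non-XSM build that is taken for an XSM one.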
diff --git a/INSTALL b/INSTALL
index c51447b..3d2e86a 100644
@@ -275,14 +275,10 @@  Building the python tools may fail unless certain options are passed to
 setup.py. Config.mk contains additional info how to use this variable.
-The hypervisor may be build with XSM support, which can be changed with
-the following variables.
-The hypervisor may be build with Flask support, which can be changed
+he hypervisor may be build with XSM/Flask support, which can be changed
 by running:
 make -C xen menuconfig
-and enabling Flask in the 'Common Features' menu.
+and enabling XSM/Flask in the 'Common Features' menu.
 Do a build for coverage.
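Review bot: The added line "he hypervisor may be build with XSM/Flask support" has lost its leading "T", and "build" should be "built". It should read "The hypervisor may be built with XSM/Flask support, which can be changed".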
diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index f2f0fd4..fb2fe9f 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -172,9 +172,9 @@  Setting up FLASK
 Xen must be compiled with XSM and FLASK enabled; by default, the security
-framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to
-"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common
-Features'; this change requires a make clean and rebuild.
+framework is disabled. Running 'make -C xen menuconfig' and enabling XSM
+and FLASK inside 'Common Features'; this change requires a make clean and
 FLASK uses only one domain configuration parameter (seclabel) defining the
 full security label of the newly created domain. If using the example policy,
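Review bot: The replacement sentence starting "Running 'make -C xen menuconfig' and enabling XSM and FLASK inside 'Common Features'" has no main verb now that the "Edit Config.mk or the .config file" clause is gone. Suggest the imperative form: "Run 'make -C xen menuconfig' and enable XSM and FLASK inside 'Common Features'; this change requires a make clean and rebuild."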
diff --git a/xen/Rules.mk b/xen/Rules.mk
index 489cfd1..bdd8ccf 100644
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -52,7 +52,6 @@  CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
 CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
 CFLAGS += '-D__OBJECT_FILE__="$@"'
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG
 CFLAGS-$(perfc)         += -DPERF_COUNTERS
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 3419816..eadfc3b 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -10,7 +10,8 @@  config COMPAT
 config FLASK
 	bool "FLux Advanced Security Kernel support"
-	default n
+	default y
+	depends on XSM
 	  Enables the FLASK (FLux Advanced Security Kernel) support which
 	  provides a mandatory access control framework by which security
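Review bot: FLASK gains "depends on XSM" near the top of xen/common/Kconfig, but "config XSM" is added at the end of the file, after KEXEC. With the dependent entry listed before its parent, menuconfig cannot nest FLASK under the XSM prompt, and the user only sees the FLASK option appear after enabling an unrelated-looking entry further down. Suggest moving "config XSM" directly above "config FLASK". Since FLASK is now "default y", the help text should also say that selecting XSM enables FLASK unless it is explicitly turned off.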
@@ -62,4 +63,38 @@  config KEXEC
 	  If unsure, say Y.
+# Allows "late" initialization of the hardware domain
+config LATE_HWDOM
+	bool "dedicated hardware domain"
+	default n
+	depends on XSM && X86
+	---help---
+	  Allows the creation of a dedicated hardware domain distinct from
+	  domain 0 that manages devices without needing access to other
+	  privileged functionality such as the ability to manage domains.
+	  This requires that the actual domain 0 be a stub domain that
+	  constructs the actual hardware domain instead of initializing the
+	  hardware itself.  Because the hardware domain needs access to
+	  hypercalls not available to unprivileged guests, an XSM policy
+	  is required to properly define the privilege of these domains.
+	  This feature does nothing if the "hardware_dom" boot parameter is
+	  not present.  If this feature is being used for security, it should
+	  be combined with an IOMMU in strict mode.
+	  If unsure, say N.
+# Enable/Disable XSM support
+config XSM
+	bool "Xen Security Modules support"
+	default n
+	---help---
+	  Enables the security framework known as Xen Security Modules which
+	  allows administrators fine-grained control over a Xen domain and
+	  its capabilities by defining permissible interactions between domains,
+	  the hypervisor itself, and related resources such as memory and
+	  devices.
+	  If unsure, say N.
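Review bot: The LATE_HWDOM help says "an XSM policy is required to properly define the privilege of these domains", but the entry only has "depends on XSM && X86", so it can be selected with FLASK disabled. Either state in the help text which configuration is expected to supply that policy, or explain why XSM alone is sufficient. If the feature is only meaningful with FLASK, the dependency should say so. As with FLASK, this entry is also placed before the "config XSM" entry it depends on; defining XSM first would keep the menu readable.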
diff --git a/xen/include/asm-x86/config.h b/xen/include/asm-x86/config.h
index f25d92e..3305a75 100644
--- a/xen/include/asm-x86/config.h
+++ b/xen/include/asm-x86/config.h
@@ -52,10 +52,6 @@ 
-#ifdef XSM_ENABLE
 #define HZ 100
 #define OPT_CONSOLE_STR "vga"
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 6ea3cc7..e1428f7 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -110,7 +110,7 @@  struct evtchn
     u8 priority;
     u8 last_priority;
     u16 last_vcpu_id;
-#ifdef XSM_ENABLE
+#ifdef CONFIG_XSM
     union {
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 81fba40..55b84f0 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -27,9 +27,9 @@ 
 /* DO NOT implement this function; it is supposed to trigger link errors */
 void __xsm_action_mismatch_detected(void);
-#ifdef XSM_ENABLE
+#ifdef CONFIG_XSM
-/* In XSM_ENABLE builds, this header file is included from xsm/dummy.c, and
+/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and
  * contains static (not inline) functions compiled to the dummy XSM module.
  * There is no xsm_default_t argument available, so the value from the assertion
  * is used to initialize the variable.
@@ -39,9 +39,9 @@  void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID void
 #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
-#else /* XSM_ENABLE */
+#else /* CONFIG_XSM */
-/* In !XSM_ENABLE builds, this header file is included from xsm/xsm.h, and
+/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and
  * contains inline functions for each XSM hook. These functions also perform
  * compile-time checks on the xsm_default_t argument to ensure that the behavior
  * of the dummy XSM module is the same as the behavior with XSM disabled.
@@ -51,7 +51,7 @@  void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID xsm_default_t action
 #define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action)
-#endif /* XSM_ENABLE */
+#endif /* CONFIG_XSM */
 static always_inline int xsm_default_action(
     xsm_default_t action, struct domain *src, struct domain *target)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 3fc3824..2c365cd 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -194,7 +194,7 @@  struct xsm_operations {
-#ifdef XSM_ENABLE
+#ifdef CONFIG_XSM
 extern struct xsm_operations *xsm_ops;
@@ -752,7 +752,7 @@  extern int unregister_xsm(struct xsm_operations *ops);
 extern struct xsm_operations dummy_xsm_ops;
 extern void xsm_fixup_ops(struct xsm_operations *ops);
-#else /* XSM_ENABLE */
+#else /* CONFIG_XSM */
 #include <xsm/dummy.h>
@@ -772,6 +772,6 @@  static inline int xsm_dt_init(void)
-#endif /* XSM_ENABLE */
+#endif /* CONFIG_XSM */
 #endif /* __XSM_H */
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index d29e71c..3252c46 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,7 +1,5 @@ 
 obj-y += xsm_core.o
-ifeq ($(XSM_ENABLE),y)
-obj-y += xsm_policy.o
-obj-y += dummy.o
+obj-$(CONFIG_XSM) += xsm_policy.o
+obj-$(CONFIG_XSM) += dummy.o
 subdir-$(CONFIG_FLASK) += flask