From patchwork Tue Jan 5 03:06:20 2016
X-Patchwork-Submitter: Douglas Goldstein
X-Patchwork-Id: 7952541
From: Doug Goldstein
To: xen-devel@lists.xen.org
Date: Mon, 4 Jan 2016 21:06:20 -0600
Message-Id: <1451963180-11784-1-git-send-email-cardoe@cardoe.com>
In-Reply-To: <568ADA4A.308@tycho.nsa.gov>
References: <568ADA4A.308@tycho.nsa.gov>
Cc: Keir Fraser, Daniel De Graaf, Doug Goldstein, Jan Beulich, Andrew Cooper
Subject: [Xen-devel] [PATCH v2 2/2] xen: convert XSM_ENABLE to Kconfig

Converts the existing XSM_ENABLE flag from Config.mk to CONFIG_XSM within
Kconfig. This also re-adds the dependency of CONFIG_FLASK on CONFIG_XSM.

CC: Daniel De Graaf
CC: Keir Fraser
CC: Jan Beulich
CC: Andrew Cooper
Signed-off-by: Doug Goldstein
Acked-by: Daniel De Graaf
---
Change from v2:
- adopt wording from Daniel De Graaf about the dedicated hardware domain
- make the dedicated hardware domain feature optional
---
 Config.mk                    |  3 ---
 INSTALL                      |  8 ++------
 docs/misc/xsm-flask.txt      |  6 +++---
 xen/Rules.mk                 |  1 -
 xen/common/Kconfig           | 37 ++++++++++++++++++++++++++++++++++++-
 xen/include/asm-x86/config.h |  4 ----
 xen/include/xen/sched.h      |  2 +-
 xen/include/xsm/dummy.h      | 10 +++++-----
 xen/include/xsm/xsm.h        |  6 +++---
 xen/xsm/Makefile             |  6 ++----
 10 files changed, 52 insertions(+), 31 deletions(-)

diff --git a/Config.mk b/Config.mk index 7e56b48..8e58c36 100644 --- a/Config.mk +++ b/Config.mk 
@@ -212,9 +212,6 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -# Enable XSM security module (by default, Flask). -XSM_ENABLE ?= n - XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles # All the files at that location were downloaded from elsewhere on # the internet. The original download URL is preserved as a comment diff --git a/INSTALL b/INSTALL index c51447b..3d2e86a 100644 --- a/INSTALL +++ b/INSTALL @@ -275,14 +275,10 @@ Building the python tools may fail unless certain options are passed to setup.py. Config.mk contains additional info how to use this variable. PYTHON_PREFIX_ARG= -The hypervisor may be build with XSM support, which can be changed with -the following variables. -XSM_ENABLE=y - -The hypervisor may be build with Flask support, which can be changed +he hypervisor may be build with XSM/Flask support, which can be changed by running: make -C xen menuconfig -and enabling Flask in the 'Common Features' menu. +and enabling XSM/Flask in the 'Common Features' menu. Do a build for coverage. coverage=y diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index f2f0fd4..fb2fe9f 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt @@ -172,9 +172,9 @@ Setting up FLASK ---------------- Xen must be compiled with XSM and FLASK enabled; by default, the security -framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to -"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common -Features'; this change requires a make clean and rebuild. +framework is disabled. Running 'make -C xen menuconfig' and enabling XSM +and FLASK inside 'Common Features'; this change requires a make clean and +rebuild. FLASK uses only one domain configuration parameter (seclabel) defining the full security label of the newly created domain. If using the example policy, 
diff --git a/xen/Rules.mk b/xen/Rules.mk index 489cfd1..bdd8ccf 100644 --- a/xen/Rules.mk +++ b/xen/Rules.mk @@ -52,7 +52,6 @@ CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h CFLAGS += '-D__OBJECT_FILE__="$@"' -CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE CFLAGS-$(verbose) += -DVERBOSE CFLAGS-$(crash_debug) += -DCRASH_DEBUG CFLAGS-$(perfc) += -DPERF_COUNTERS diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 3419816..eadfc3b 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -10,7 +10,8 @@ config COMPAT config FLASK bool "FLux Advanced Security Kernel support" - default n + default y + depends on XSM ---help--- Enables the FLASK (FLux Advanced Security Kernel) support which provides a mandatory access control framework by which security 
@@ -62,4 +63,38 @@ config KEXEC If unsure, say Y. +# Allows "late" initialization of the hardware domain +config LATE_HWDOM + bool "dedicated hardware domain" + default n + depends on XSM && X86 + ---help--- + Allows the creation of a dedicated hardware domain distinct from + domain 0 that manages devices without needing access to other + privileged functionality such as the ability to manage domains. + This requires that the actual domain 0 be a stub domain that + constructs the actual hardware domain instead of initializing the + hardware itself. Because the hardware domain needs access to + hypercalls not available to unprivileged guests, an XSM policy + is required to properly define the privilege of these domains. + + This feature does nothing if the "hardware_dom" boot parameter is + not present. If this feature is being used for security, it should + be combined with an IOMMU in strict mode. + + If unsure, say N. + +# Enable/Disable XSM support +config XSM + bool "Xen Security Modules support" + default n + ---help--- + Enables the security framework known as Xen Security Modules which + allows administrators fine-grained control over a Xen domain and + its capabilities by defining permissible interactions between domains, + the hypervisor itself, and related resources such as memory and + devices. + + If unsure, say N. + endmenu diff --git a/xen/include/asm-x86/config.h b/xen/include/asm-x86/config.h index f25d92e..3305a75 100644 --- a/xen/include/asm-x86/config.h +++ b/xen/include/asm-x86/config.h @@ -52,10 +52,6 @@ #define CONFIG_MULTIBOOT 1 -#ifdef XSM_ENABLE -#define CONFIG_LATE_HWDOM 1 -#endif - #define HZ 100 #define OPT_CONSOLE_STR "vga" diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 6ea3cc7..e1428f7 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h 
@@ -110,7 +110,7 @@ struct evtchn u8 priority; u8 last_priority; u16 last_vcpu_id; -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM union { #ifdef XSM_NEED_GENERIC_EVTCHN_SSID /* diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 81fba40..55b84f0 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -27,9 +27,9 @@ /* DO NOT implement this function; it is supposed to trigger link errors */ void __xsm_action_mismatch_detected(void); -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM -/* In XSM_ENABLE builds, this header file is included from xsm/dummy.c, and +/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and * contains static (not inline) functions compiled to the dummy XSM module. * There is no xsm_default_t argument available, so the value from the assertion * is used to initialize the variable. @@ -39,9 +39,9 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_VOID void #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action -#else /* XSM_ENABLE */ +#else /* CONFIG_XSM */ -/* In !XSM_ENABLE builds, this header file is included from xsm/xsm.h, and +/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and * contains inline functions for each XSM hook. These functions also perform * compile-time checks on the xsm_default_t argument to ensure that the behavior * of the dummy XSM module is the same as the behavior with XSM disabled. @@ -51,7 +51,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_VOID xsm_default_t action #define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action) -#endif /* XSM_ENABLE */ +#endif /* CONFIG_XSM */ static always_inline int xsm_default_action( xsm_default_t action, struct domain *src, struct domain *target) diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3fc3824..2c365cd 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h 
@@ -194,7 +194,7 @@ struct xsm_operations { #endif }; -#ifdef XSM_ENABLE +#ifdef CONFIG_XSM extern struct xsm_operations *xsm_ops; @@ -752,7 +752,7 @@ extern int unregister_xsm(struct xsm_operations *ops); extern struct xsm_operations dummy_xsm_ops; extern void xsm_fixup_ops(struct xsm_operations *ops); -#else /* XSM_ENABLE */ +#else /* CONFIG_XSM */ #include @@ -772,6 +772,6 @@ static inline int xsm_dt_init(void) } #endif -#endif /* XSM_ENABLE */ +#endif /* CONFIG_XSM */ #endif /* __XSM_H */ diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile index d29e71c..3252c46 100644 --- a/xen/xsm/Makefile +++ b/xen/xsm/Makefile @@ -1,7 +1,5 @@ obj-y += xsm_core.o -ifeq ($(XSM_ENABLE),y) -obj-y += xsm_policy.o -obj-y += dummy.o -endif +obj-$(CONFIG_XSM) += xsm_policy.o +obj-$(CONFIG_XSM) += dummy.o subdir-$(CONFIG_FLASK) += flask
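
Review bot: Nothing in the Config.mk and xen/Rules.mk hunks catches a leftover XSM_ENABLE=y once `XSM_ENABLE ?= n` and `CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE` are removed. A build that still sets the old variable on the make command line or in a local .config would then compile with the security framework off and give no diagnostic. Consider failing the build early when XSM_ENABLE is defined, with a message that points at CONFIG_XSM in 'make -C xen menuconfig'.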
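
Review bot: The first added line of the INSTALL hunk, `+he hypervisor may be build with XSM/Flask support`, has lost the leading "T" of "The". While touching the line, "may be build" should read "may be built".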
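
Review bot: The rewritten paragraph in docs/misc/xsm-flask.txt is no longer a complete sentence: "Running 'make -C xen menuconfig' and enabling XSM and FLASK inside 'Common Features'; this change requires ..." has no main verb before the semicolon. Suggest "Run 'make -C xen menuconfig' and enable XSM and FLASK inside 'Common Features'; this change requires a make clean and rebuild."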
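
Review bot: The FLASK hunk in xen/common/Kconfig (@@ -10,7 +10,8) flips `default n` to `default y` alongside the new `depends on XSM`, but the commit message only mentions re-adding the dependency. Because XSM itself is `default n` the stock build is unchanged, yet anyone who turns XSM on now gets FLASK unless they deselect it; please state that in the commit message so the default is a documented decision. The FLASK entry also stays at the top of the menu while XSM is added at the bottom, so consider placing FLASK directly after XSM.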
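
Review bot: In the second xen/common/Kconfig hunk (@@ -62,4 +63,38), LATE_HWDOM is `default n`, whereas the block removed from xen/include/asm-x86/config.h defined CONFIG_LATE_HWDOM whenever XSM_ENABLE was set. Existing x86 XSM configurations that use a dedicated hardware domain therefore lose it unless the new option is selected, and the only mention of this is in the notes below the `---`, which will not reach the commit log. Please move that statement into the commit message. Separately, `config LATE_HWDOM` is declared before the `config XSM` it depends on; declaring XSM first, with its dependents after it, would keep them grouped in menuconfig.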