| Message ID | 20230804060000.27710-2-jgross@suse.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | tools: add some more configure options | expand |
On Fri, Aug 04, 2023 at 07:59:59AM +0200, Juergen Gross wrote: > Add a "--disable-pygrub" option for being able to disable the build > and installation of pygrub. > > There are two main reasons to do so: > > - A main reason to use pygrub is to allow a PV guest to choose its > bitness (32- or 64-bit). Pygrub allows that by looking into the boot > image and to start the guest in the correct mode depending on the > kernel selected. With 32-bit PV guests being deprecated and the > possibility to even build a hypervisor without 32-bit PV support, > this use case is gone for at least some configurations. > > - Pygrub is running in dom0 with root privileges. As it is operating > on guest controlled data (the boot image) and taking decisions based > on this data, there is a possible security issue. Not being possible > to use pygrub is thus a step towards more security. > > Default is still to build and install pygrub. > > Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com> Thanks,
On 04/08/2023 6:59 am, Juergen Gross wrote: > Add a "--disable-pygrub" option for being able to disable the build > and installation of pygrub. > > There are two main reasons to do so: > > - A main reason to use pygrub is to allow a PV guest to choose its > bitness (32- or 64-bit). Pygrub allows that by looking into the boot > image and to start the guest in the correct mode depending on the > kernel selected. With 32-bit PV guests being deprecated and the > possibility to even build a hypervisor without 32-bit PV support, > this use case is gone for at least some configurations. > > - Pygrub is running in dom0 with root privileges. As it is operating > on guest controlled data (the boot image) and taking decisions based > on this data, there is a possible security issue. This isn't really a possible security issue. It's a high(er) security risk. Pygrub is still security supported, so falls under the usual security process if an issue were to be found. > Not being possible > to use pygrub is thus a step towards more security. IMO, the phrase you want to use here is "reduction in attack surface". > Default is still to build and install pygrub. > > Signed-off-by: Juergen Gross <jgross@suse.com> > --- > config/Tools.mk.in | 1 + > tools/Makefile | 2 +- > tools/configure | 26 ++++++++++++++++++++++++++ > tools/configure.ac | 1 + > 4 files changed, 29 insertions(+), 1 deletion(-) Shouldn't we have a patch to (lib)xl which provides a clean error message (rather than -ESRCH/etc) when the user selects bootloader=pygrub ? Fine to be a separate patch, but not something which wants forgetting. ~Andrew
On 08.08.23 12:56, Andrew Cooper wrote: > On 04/08/2023 6:59 am, Juergen Gross wrote: >> Add a "--disable-pygrub" option for being able to disable the build >> and installation of pygrub. >> >> There are two main reasons to do so: >> >> - A main reason to use pygrub is to allow a PV guest to choose its >> bitness (32- or 64-bit). Pygrub allows that by looking into the boot >> image and to start the guest in the correct mode depending on the >> kernel selected. With 32-bit PV guests being deprecated and the >> possibility to even build a hypervisor without 32-bit PV support, >> this use case is gone for at least some configurations. >> >> - Pygrub is running in dom0 with root privileges. As it is operating >> on guest controlled data (the boot image) and taking decisions based >> on this data, there is a possible security issue. > > This isn't really a possible security issue. It's a high(er) security risk. True. I'll s/possible security issue/higher security risk/. > > Pygrub is still security supported, so falls under the usual security > process if an issue were to be found. > >> Not being possible >> to use pygrub is thus a step towards more security. > > IMO, the phrase you want to use here is "reduction in attack surface". Thanks. I'll use that. > >> Default is still to build and install pygrub. >> >> Signed-off-by: Juergen Gross <jgross@suse.com> >> --- >> config/Tools.mk.in | 1 + >> tools/Makefile | 2 +- >> tools/configure | 26 ++++++++++++++++++++++++++ >> tools/configure.ac | 1 + >> 4 files changed, 29 insertions(+), 1 deletion(-) > > Shouldn't we have a patch to (lib)xl which provides a clean error > message (rather than -ESRCH/etc) when the user selects bootloader=pygrub ? > > Fine to be a separate patch, but not something which wants forgetting. I'll add it. Juergen
diff --git a/config/Tools.mk.in b/config/Tools.mk.in index b7cc2961d8..432d7496f1 100644 --- a/config/Tools.mk.in +++ b/config/Tools.mk.in @@ -48,6 +48,7 @@ CONFIG_QEMU_XEN := @qemu_xen@ CONFIG_QEMUU_EXTRA_ARGS:= @EXTRA_QEMUU_CONFIGURE_ARGS@ CONFIG_LIBNL := @libnl@ CONFIG_GOLANG := @golang@ +CONFIG_PYGRUB := @pygrub@ CONFIG_SYSTEMD := @systemd@ SYSTEMD_CFLAGS := @SYSTEMD_CFLAGS@ diff --git a/tools/Makefile b/tools/Makefile index 1ff90ddfa0..bbd75ebc1a 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -36,7 +36,7 @@ SUBDIRS-$(CONFIG_X86) += debugger SUBDIRS-$(CONFIG_TESTS) += tests SUBDIRS-y += python -SUBDIRS-y += pygrub +SUBDIRS-$(CONFIG_PYGRUB) += pygrub SUBDIRS-$(OCAML_TOOLS) += ocaml ifeq ($(CONFIG_RUMP),y) diff --git a/tools/configure b/tools/configure index 52b4717d01..130e0d9abf 100755 --- a/tools/configure +++ b/tools/configure @@ -707,6 +707,7 @@ AS86 ipxe qemu_traditional LINUX_BACKEND_MODULES +pygrub golang seabios ovmf @@ -811,6 +812,7 @@ enable_xsmpolicy enable_ovmf enable_seabios enable_golang +enable_pygrub with_linux_backend_modules enable_qemu_traditional enable_ipxe @@ -1498,6 +1500,7 @@ Optional Features: --enable-ovmf Enable OVMF (default is DISABLED) --disable-seabios Disable SeaBIOS (default is ENABLED) --disable-golang Disable Go tools (default is ENABLED) + --disable-pygrub Disable pygrub (default is ENABLED) --enable-qemu-traditional Enable qemu traditional device model, (DEFAULT is off) @@ -4287,6 +4290,29 @@ golang=$ax_cv_golang +# Check whether --enable-pygrub was given. +if test "${enable_pygrub+set}" = set; then : + enableval=$enable_pygrub; +fi + + +if test "x$enable_pygrub" = "xno"; then : + + ax_cv_pygrub="n" + +elif test "x$enable_pygrub" = "xyes"; then : + + ax_cv_pygrub="y" + +elif test -z $ax_cv_pygrub; then : + + ax_cv_pygrub="y" + +fi +pygrub=$ax_cv_pygrub + + + # Check whether --with-linux-backend-modules was given. if test "${with_linux_backend_modules+set}" = set; then : diff --git a/tools/configure.ac b/tools/configure.ac index 3cccf41960..9947bcefc6 100644 --- a/tools/configure.ac +++ b/tools/configure.ac @@ -89,6 +89,7 @@ AX_ARG_DEFAULT_ENABLE([xsmpolicy], [Disable XSM policy compilation]) AX_ARG_DEFAULT_DISABLE([ovmf], [Enable OVMF]) AX_ARG_DEFAULT_ENABLE([seabios], [Disable SeaBIOS]) AX_ARG_DEFAULT_ENABLE([golang], [Disable Go tools]) +AX_ARG_DEFAULT_ENABLE([pygrub], [Disable pygrub]) AC_ARG_WITH([linux-backend-modules], AS_HELP_STRING([--with-linux-backend-modules="mod1 mod2"],
Add a "--disable-pygrub" option for being able to disable the build and installation of pygrub. There are two main reasons to do so: - A main reason to use pygrub is to allow a PV guest to choose its bitness (32- or 64-bit). Pygrub allows that by looking into the boot image and to start the guest in the correct mode depending on the kernel selected. With 32-bit PV guests being deprecated and the possibility to even build a hypervisor without 32-bit PV support, this use case is gone for at least some configurations. - Pygrub is running in dom0 with root privileges. As it is operating on guest controlled data (the boot image) and taking decisions based on this data, there is a possible security issue. Not being possible to use pygrub is thus a step towards more security. Default is still to build and install pygrub. Signed-off-by: Juergen Gross <jgross@suse.com> --- config/Tools.mk.in | 1 + tools/Makefile | 2 +- tools/configure | 26 ++++++++++++++++++++++++++ tools/configure.ac | 1 + 4 files changed, 29 insertions(+), 1 deletion(-)