From patchwork Fri Aug 4 05:59:59 2023
X-Patchwork-Id: 13341291
From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Juergen Gross , Wei Liu , Anthony PERARD Subject: [PATCH 1/2] tools: add configure option for disabling pygrub Date: Fri, 4 Aug 2023 07:59:59 +0200 Message-Id: <20230804060000.27710-2-jgross@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20230804060000.27710-1-jgross@suse.com> References: <20230804060000.27710-1-jgross@suse.com> MIME-Version: 1.0 Add a "--disable-pygrub" option for being able to disable the build and installation of pygrub. There are two main reasons to do so: - A main reason to use pygrub is to allow a PV guest to choose its bitness (32- or 64-bit). Pygrub allows that by looking into the boot image and to start the guest in the correct mode depending on the kernel selected. With 32-bit PV guests being deprecated and the possibility to even build a hypervisor without 32-bit PV support, this use case is gone for at least some configurations. - Pygrub is running in dom0 with root privileges. As it is operating on guest controlled data (the boot image) and taking decisions based on this data, there is a possible security issue. Not being possible to use pygrub is thus a step towards more security. Default is still to build and install pygrub. Signed-off-by: Juergen Gross Acked-by: Anthony PERARD --- config/Tools.mk.in | 1 + tools/Makefile | 2 +- tools/configure | 26 ++++++++++++++++++++++++++ tools/configure.ac | 1 + 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/config/Tools.mk.in b/config/Tools.mk.in index b7cc2961d8..432d7496f1 100644 --- a/config/Tools.mk.in +++ b/config/Tools.mk.in @@ -48,6 +48,7 @@ CONFIG_QEMU_XEN := @qemu_xen@ CONFIG_QEMUU_EXTRA_ARGS:= @EXTRA_QEMUU_CONFIGURE_ARGS@ CONFIG_LIBNL := @libnl@ CONFIG_GOLANG := @golang@ +CONFIG_PYGRUB := @pygrub@ CONFIG_SYSTEMD := @systemd@ SYSTEMD_CFLAGS := @SYSTEMD_CFLAGS@ diff --git a/tools/Makefile b/tools/Makefile index 1ff90ddfa0..bbd75ebc1a 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -36,7 +36,7 @@ SUBDIRS-$(CONFIG_X86) += debugger SUBDIRS-$(CONFIG_TESTS) += tests SUBDIRS-y += python -SUBDIRS-y += pygrub +SUBDIRS-$(CONFIG_PYGRUB) += pygrub SUBDIRS-$(OCAML_TOOLS) += ocaml ifeq ($(CONFIG_RUMP),y) diff --git a/tools/configure b/tools/configure index 52b4717d01..130e0d9abf 100755 --- a/tools/configure +++ b/tools/configure @@ -707,6 +707,7 @@ AS86 ipxe qemu_traditional LINUX_BACKEND_MODULES +pygrub golang seabios ovmf @@ -811,6 +812,7 @@ enable_xsmpolicy enable_ovmf enable_seabios enable_golang +enable_pygrub with_linux_backend_modules enable_qemu_traditional enable_ipxe @@ -1498,6 +1500,7 @@ Optional Features: --enable-ovmf Enable OVMF (default is DISABLED) --disable-seabios Disable SeaBIOS (default is ENABLED) --disable-golang Disable Go tools (default is ENABLED) + --disable-pygrub Disable pygrub (default is ENABLED) --enable-qemu-traditional Enable qemu traditional device model, (DEFAULT is off) @@ -4287,6 +4290,29 @@ golang=$ax_cv_golang +# Check whether --enable-pygrub was given. +if test "${enable_pygrub+set}" = set; then : + enableval=$enable_pygrub; +fi + + +if test "x$enable_pygrub" = "xno"; then : + + ax_cv_pygrub="n" + +elif test "x$enable_pygrub" = "xyes"; then : + + ax_cv_pygrub="y" + +elif test -z $ax_cv_pygrub; then : + + ax_cv_pygrub="y" + +fi +pygrub=$ax_cv_pygrub + + + # Check whether --with-linux-backend-modules was given. if test "${with_linux_backend_modules+set}" = set; then : diff --git a/tools/configure.ac b/tools/configure.ac index 3cccf41960..9947bcefc6 100644 --- a/tools/configure.ac +++ b/tools/configure.ac 
@@ -89,6 +89,7 @@ AX_ARG_DEFAULT_ENABLE([xsmpolicy], [Disable XSM policy compilation]) AX_ARG_DEFAULT_DISABLE([ovmf], [Enable OVMF]) AX_ARG_DEFAULT_ENABLE([seabios], [Disable SeaBIOS]) AX_ARG_DEFAULT_ENABLE([golang], [Disable Go tools]) +AX_ARG_DEFAULT_ENABLE([pygrub], [Disable pygrub]) AC_ARG_WITH([linux-backend-modules], AS_HELP_STRING([--with-linux-backend-modules="mod1 mod2"],
From patchwork Fri Aug 4 06:00:00 2023
X-Patchwork-Id: 13341293
From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Juergen Gross , Wei Liu , Anthony PERARD Subject: [PATCH 2/2] tools: add configure option for libfsimage Date: Fri, 4 Aug 2023 08:00:00 +0200 Message-Id: <20230804060000.27710-3-jgross@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20230804060000.27710-1-jgross@suse.com> References: <20230804060000.27710-1-jgross@suse.com> MIME-Version: 1.0 The only in-tree user of libfsimage is pygrub. Now that it is possible to disable the build of pygrub, the same should be possible for libfsimage. Add an option for controlling the build of libfsimage. The default is on if pygrub is being built, and off if it isn't. Without pygrub the build of libfsimage can be enabled via --enable-libfsimage. Signed-off-by: Juergen Gross --- config/Tools.mk.in | 1 + tools/Makefile | 2 +- tools/configure | 28 ++++++++++++++++++++++++++++ tools/configure.ac | 13 +++++++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/config/Tools.mk.in b/config/Tools.mk.in index 432d7496f1..b54ab21f96 100644 --- a/config/Tools.mk.in +++ b/config/Tools.mk.in @@ -49,6 +49,7 @@ CONFIG_QEMUU_EXTRA_ARGS:= @EXTRA_QEMUU_CONFIGURE_ARGS@ CONFIG_LIBNL := @libnl@ CONFIG_GOLANG := @golang@ CONFIG_PYGRUB := @pygrub@ +CONFIG_LIBFSIMAGE := @libfsimage@ CONFIG_SYSTEMD := @systemd@ SYSTEMD_CFLAGS := @SYSTEMD_CFLAGS@ diff --git a/tools/Makefile b/tools/Makefile index bbd75ebc1a..311a9098d7 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -18,7 +18,7 @@ SUBDIRS-$(CONFIG_X86) += firmware SUBDIRS-y += console SUBDIRS-y += xenmon SUBDIRS-$(XENSTAT_XENTOP) += xentop -SUBDIRS-y += libfsimage +SUBDIRS-$(CONFIG_LIBFSIMAGE) += libfsimage SUBDIRS-$(CONFIG_Linux) += vchan # do not recurse in to a dir we are about to delete diff --git a/tools/configure b/tools/configure index 130e0d9abf..60dca366ca 100755 --- a/tools/configure +++ b/tools/configure 
@@ -700,6 +700,7 @@ EXTRA_QEMUU_CONFIGURE_ARGS qemu_xen_systemd qemu_xen_path qemu_xen +libfsimage rombios BCC LD86 @@ -818,6 +819,7 @@ enable_qemu_traditional enable_ipxe with_system_ipxe enable_rombios +enable_libfsimage with_system_qemu with_stubdom_qmp_proxy with_system_seabios @@ -1508,6 +1510,8 @@ Optional Features: --with-system-ipxe) --enable-rombios Enable ROMBIOS, (DEFAULT is on if qemu-traditional or ipxe is enabled, otherwise off) + --enable-libfsimage Enable libfsimage, (DEFAULT is on if pygrub is + enabled, otherwise off) --enable-systemd Enable systemd support (default is DISABLED) --enable-9pfs Explicitly enable 9pfs support in QEMU build (default is to defer to QEMU configure default) @@ -4621,6 +4625,30 @@ else fi +# Check whether --enable-libfsimage was given. +if test "${enable_libfsimage+set}" = set; then : + enableval=$enable_libfsimage; +else + + if test "x$enable_pygrub" = "xno"; then : + + enable_libfsimage="no" + +else + + enable_libfsimage="yes" + +fi + +fi + +if test "x$enable_libfsimage" = "xyes"; then : + libfsimage=y +else + libfsimage=n +fi + + # Check whether --with-system-qemu was given. if test "${with_system_qemu+set}" = set; then : diff --git a/tools/configure.ac b/tools/configure.ac index 9947bcefc6..aea24eb982 100644 --- a/tools/configure.ac +++ b/tools/configure.ac @@ -185,6 +185,19 @@ AS_IF([test "x$enable_rombios" = "xyes"], [ ]) AC_SUBST(rombios) +AC_ARG_ENABLE([libfsimage], + AS_HELP_STRING([--enable-libfsimage], + [Enable libfsimage, (DEFAULT is on if pygrub is enabled, + otherwise off)]),,[ + AS_IF([test "x$enable_pygrub" = "xno"], [ + enable_libfsimage="no" + ], [ + enable_libfsimage="yes" + ]) +]) +AS_IF([test "x$enable_libfsimage" = "xyes"], [libfsimage=y], [libfsimage=n]) +AC_SUBST(libfsimage) + AC_ARG_WITH([system-qemu], AS_HELP_STRING([--with-system-qemu@<:@=PATH@:>@], [Use system supplied qemu PATH or qemu (taken from $PATH) as qemu-xen
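
Review bot: In [PATCH 1/2], the tools/Makefile hunk (`SUBDIRS-$(CONFIG_PYGRUB) += pygrub`) only stops the build from descending into tools/pygrub, so a pygrub binary installed in dom0 by an earlier build stays where it is. The exposure the commit message describes (a root process in dom0 acting on guest-controlled boot image data) therefore remains on hosts that are upgraded in place. Consider stating in the commit message or the help text that an existing installation has to remove the installed pygrub as well.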
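
Review bot: In [PATCH 1/2], the configure.ac hunk leaves the help string `[Disable pygrub]` as the only user-facing description of the new option, and the diffstat lists no documentation or changelog file. Since the commit message gives both a functional consequence (pygrub no longer inspects the boot image to start the guest in the right mode) and a security motivation, a short documentation entry carrying those two points would help whoever decides whether to pass --disable-pygrub.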
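
Review bot: In [PATCH 2/2], the configure.ac hunk at `@@ -185,6 +185,19 @@` has no check for an explicit --disable-libfsimage while pygrub is still enabled. The commit message names pygrub as the in-tree user of libfsimage, yet with that combination `AS_IF([test "x$enable_libfsimage" = "xyes"], [libfsimage=y], [libfsimage=n])` sets libfsimage=n and configure succeeds, leaving the problem to surface later in the pygrub build or at run time. Suggest an AC_MSG_ERROR when enable_libfsimage is "no" and pygrub has not been disabled.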
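
Review bot: In [PATCH 2/2], the tools/configure hunk at `@@ -4621,6 +4625,30 @@` (and the configure.ac source it is generated from) derives the libfsimage default from `$enable_pygrub`, not from the result computed in patch 1. There, `pygrub=$ax_cv_pygrub` can end up "n" with enable_pygrub unset, because the `elif test -z $ax_cv_pygrub` branch is skipped when ax_cv_pygrub is already set. In that case `test "x$enable_pygrub" = "xno"` is false and libfsimage defaults to "yes" although pygrub is not built, which contradicts the stated default. Testing `"x$pygrub" = "xn"` instead would keep the two options consistent.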