# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1236081164 0
# Node ID 43019597f85c8bf98a3d8ca8f8a34e27a6e89e8d
# Parent 9c5b4efc934d7ce0f5750670b73e20a98a6ca5b0
txt: Xen per-domain S3 integrity config
This patch adds a per-domain flag to specify whether a domain will be
S3 integrity protected when Xen is launched using tboot/TXT.
The tools now support an integer domain configuration parameter called
's3_integrity', which defaults to 1, to enable S3 integrity protection.
The arch_domain structure has been extended with an
's3_integrity' field that represents this setting.
Signed-off-by: Shane Wang <shane.wang@xxxxxxxxx>
Signed-off-by: Joseph Cihula <joseph.cihula@xxxxxxxxx>
---
tools/python/xen/xend/XendConfig.py | 1 +
tools/python/xen/xend/XendDomainInfo.py | 5 ++++-
tools/python/xen/xm/create.py | 10 ++++++++++
tools/python/xen/xm/xenapi_create.py | 4 ++++
xen/arch/x86/domain.c | 2 ++
xen/arch/x86/setup.c | 4 ++--
xen/common/domctl.c | 5 ++++-
xen/include/asm-x86/domain.h | 2 ++
xen/include/public/domctl.h | 11 +++++++----
xen/include/xen/sched.h | 16 ++++++++++------
10 files changed, 46 insertions(+), 14 deletions(-)
diff -r 9c5b4efc934d -r 43019597f85c tools/python/xen/xend/XendConfig.py
--- a/tools/python/xen/xend/XendConfig.py Tue Mar 03 11:46:52 2009 +0000
+++ b/tools/python/xen/xend/XendConfig.py Tue Mar 03 11:52:44 2009 +0000
@@ -216,6 +216,7 @@ XENAPI_CFG_TYPES = {
'cpuid_check' : dict,
'machine_address_size': int,
'suppress_spurious_page_faults': bool0,
+ 's3_integrity' : int,
}
# List of legacy configuration keys that have no equivalent in the
diff -r 9c5b4efc934d -r 43019597f85c tools/python/xen/xend/XendDomainInfo.py
--- a/tools/python/xen/xend/XendDomainInfo.py Tue Mar 03 11:46:52 2009 +0000
+++ b/tools/python/xen/xend/XendDomainInfo.py Tue Mar 03 11:52:44 2009 +0000
@@ -2212,12 +2212,15 @@ class XendDomainInfo:
if security.has_authorization(ssidref) == False:
raise VmError("VM is not authorized to run.")
+ s3_integrity = self.info['s3_integrity']
+ flags = (int(hvm) << 0) | (int(hap) << 1) | (int(s3_integrity) << 2)
+
try:
self.domid = xc.domain_create(
domid = 0,
ssidref = ssidref,
handle = uuid.fromString(self.info['uuid']),
- flags = (int(hvm) << 0) | (int(hap) << 1),
+ flags = flags,
target = self.info.target())
except Exception, e:
# may get here if due to ACM the operation is not permitted
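Review bot: `s3_integrity = self.info['s3_integrity']` at the top of the hunk raises KeyError for a domain whose saved configuration predates this key, and `int(s3_integrity) << 2` shifts any value above 1 into bits that the hypervisor's flag mask in xen/common/domctl.c rejects with EINVAL, so a config value of 2 fails domain creation with an unrelated error. Reading with a default and normalising to a single bit covers both: `s3_integrity = int(bool(self.info.get('s3_integrity', 1)))` and then `flags = (int(hvm) << 0) | (int(hap) << 1) | (s3_integrity << 2)`. Whether XendConfig already supplies a default for keys listed in XENAPI_CFG_TYPES is not visible here; if it does, only the bit normalisation is needed. The enclosing method begins and ends outside the hunk.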
diff -r 9c5b4efc934d -r 43019597f85c tools/python/xen/xm/create.py
--- a/tools/python/xen/xm/create.py Tue Mar 03 11:46:52 2009 +0000
+++ b/tools/python/xen/xm/create.py Tue Mar 03 11:52:44 2009 +0000
@@ -578,6 +578,11 @@ gopts.var('hap', val='HAP',
fn=set_int, default=1,
use="""Hap status (0=hap is disabled;
1=hap is enabled.""")
+
+gopts.var('s3_integrity', val='TBOOT_MEMORY_PROTECT',
+ fn=set_int, default=1,
+ use="""Should domain memory integrity be verified during S3?
+ (0=protection is disabled; 1=protection is enabled.""")
gopts.var('cpuid', val="IN[,SIN]:eax=EAX,ebx=EBX,ecx=ECX,edx=EDX",
fn=append_value, default=[],
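Review bot: The `use` text of the new `s3_integrity` option has an unbalanced parenthesis, `(0=protection is disabled; 1=protection is enabled.`, apparently copied from the `hap` entry above, which has the same defect. Close it as `(0=protection is disabled; 1=protection is enabled).` so the help output reads cleanly. The `val='TBOOT_MEMORY_PROTECT'` label also does not match the option name the user types; `val='S3_INTEGRITY'` would be consistent with the rest of the option table.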
@@ -832,6 +837,10 @@ def configure_security(config, vals):
elif num > 1:
err("VM config error: Multiple access_control definitions!")
+def configure_mem_prot(config_image, vals):
+ """Create the config for S3 memory integrity verification under tboot.
+ """
+ config_image.append(['s3_integrity', vals.s3_integrity])
def configure_vtpm(config_devs, vals):
"""Create the config for virtual TPM interfaces.
@@ -964,6 +973,7 @@ def make_config(vals):
else:
config.append(['bootloader_args', '-q'])
config.append(['image', config_image])
+ configure_mem_prot(config, vals);
config_devs = []
configure_disks(config_devs, vals)
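Review bot: The new call `configure_mem_prot(config, vals);` carries a trailing semicolon, which is legal but not Python style and differs from every neighbouring call in `make_config`; drop it: `configure_mem_prot(config, vals)`. The enclosing function begins and ends outside the hunk.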
diff -r 9c5b4efc934d -r 43019597f85c tools/python/xen/xm/xenapi_create.py
--- a/tools/python/xen/xm/xenapi_create.py Tue Mar 03 11:46:52 2009 +0000
+++ b/tools/python/xen/xm/xenapi_create.py Tue Mar 03 11:52:44 2009 +0000
@@ -269,6 +269,8 @@ class xenapi_create:
vm.attributes["is_a_template"].value == 'true',
"auto_power_on":
vm.attributes["auto_power_on"].value == 'true',
+ "s3_integrity":
+ vm.attributes["s3_integrity"].value,
"memory_static_max":
get_child_node_attribute(vm, "memory", "static_max"),
"memory_static_min":
@@ -650,6 +652,8 @@ class sxp2xml:
= str(get_child_by_name(config, "vcpus", 1))
vm.attributes["vcpus_at_startup"] \
= str(get_child_by_name(config, "vcpus", 1))
+ vm.attributes["s3_integrity"] \
+ = str(get_child_by_name(config, "s3_integrity", 0))
sec_data = get_child_by_name(config, "security")
if sec_data:
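Review bot: `get_child_by_name(config, "s3_integrity", 0)` defaults the flag to 0 when the key is absent, while `xm create` defaults it to 1 and the commit message states the parameter defaults to 1, so a configuration that lacks the key ends up unprotected on the XenAPI path but protected on the xm path. Use the same default here: `= str(get_child_by_name(config, "s3_integrity", 1))`. A protection flag that silently falls to "off" on one path is the kind of inconsistency worth pinning with a comment at whichever default is chosen.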
diff -r 9c5b4efc934d -r 43019597f85c xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/arch/x86/domain.c Tue Mar 03 11:52:44 2009 +0000
@@ -386,6 +386,8 @@ int arch_domain_create(struct domain *d,
hvm_funcs.hap_supported &&
(domcr_flags & DOMCRF_hap);
+ d->arch.s3_integrity = !!(domcr_flags & DOMCRF_s3_integrity);
+
INIT_LIST_HEAD(&d->arch.pdev_list);
d->arch.relmem = RELMEM_not_started;
diff -r 9c5b4efc934d -r 43019597f85c xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/arch/x86/setup.c Tue Mar 03 11:52:44 2009 +0000
@@ -97,6 +97,7 @@ cpumask_t cpu_present_map;
cpumask_t cpu_present_map;
unsigned long xen_phys_start;
+unsigned long allocator_bitmap_end;
#ifdef CONFIG_X86_32
/* Limits of Xen heap, used to initialise the allocator. */
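Review bot: `allocator_bitmap_end` is promoted from a local of `__start_xen()` to a file-scope global with no comment and no mention in the commit message, which only describes the per-domain flag, so a reader cannot tell why the value now needs to outlive `__start_xen()` or who reads it. Add a comment on the definition such as `/* End of the boot allocator bitmap; set in __start_xen(), read outside it. */` and, if it is consumed by the tboot S3 integrity code (presumably, given the patch subject, but not visible here), say so in the commit description. The other two hunks in this file are the matching local removal and the dom0 flag change.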
@@ -418,7 +419,6 @@ void __init __start_xen(unsigned long mb
multiboot_info_t *mbi = __va(mbi_p);
module_t *mod = (module_t *)__va(mbi->mods_addr);
unsigned long nr_pages, modules_length, modules_headroom;
- unsigned long allocator_bitmap_end;
int i, e820_warn = 0, bytes = 0;
struct ns16550_defaults ns16550 = {
.data_bits = 8,
@@ -990,7 +990,7 @@ void __init __start_xen(unsigned long mb
panic("Could not protect TXT memory regions\n");
/* Create initial domain 0. */
- dom0 = domain_create(0, 0, DOM0_SSIDREF);
+ dom0 = domain_create(0, DOMCRF_s3_integrity, DOM0_SSIDREF);
if ( (dom0 == NULL) || (alloc_vcpu(dom0, 0, 0) == NULL) )
panic("Error creating domain 0\n");
diff -r 9c5b4efc934d -r 43019597f85c xen/common/domctl.c
--- a/xen/common/domctl.c Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/common/domctl.c Tue Mar 03 11:52:44 2009 +0000
@@ -339,7 +339,8 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
ret = -EINVAL;
if ( supervisor_mode_kernel ||
(op->u.createdomain.flags &
- ~(XEN_DOMCTL_CDF_hvm_guest | XEN_DOMCTL_CDF_hap)) )
+ ~(XEN_DOMCTL_CDF_hvm_guest | XEN_DOMCTL_CDF_hap |
+ XEN_DOMCTL_CDF_s3_integrity)) )
break;
dom = op->domain;
@@ -371,6 +372,8 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
domcr_flags |= DOMCRF_hvm;
if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_hap )
domcr_flags |= DOMCRF_hap;
+ if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_s3_integrity )
+ domcr_flags |= DOMCRF_s3_integrity;
ret = -ENOMEM;
d = domain_create(dom, domcr_flags, op->u.createdomain.ssidref);
diff -r 9c5b4efc934d -r 43019597f85c xen/include/asm-x86/domain.h
--- a/xen/include/asm-x86/domain.h Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/include/asm-x86/domain.h Tue Mar 03 11:52:44 2009 +0000
@@ -220,6 +220,8 @@ struct arch_domain
#ifdef CONFIG_COMPAT
unsigned int hv_compat_vstart;
#endif
+
+ bool_t s3_integrity;
/* I/O-port admin-specified access capabilities. */
struct rangeset *ioport_caps;
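Review bot: The new `bool_t s3_integrity;` member is the only field in this part of `struct arch_domain` without a comment, and its name alone does not say who consumes it or where it is set. Add `/* Memory integrity to be verified by tboot across S3; set from DOMCRF_s3_integrity at domain creation. */` above it, matching the style of the `ioport_caps` comment below. The struct definition begins and ends outside the hunk.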
diff -r 9c5b4efc934d -r 43019597f85c xen/include/public/domctl.h
--- a/xen/include/public/domctl.h Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/include/public/domctl.h Tue Mar 03 11:52:44 2009 +0000
@@ -51,11 +51,14 @@ struct xen_domctl_createdomain {
uint32_t ssidref;
xen_domain_handle_t handle;
/* Is this an HVM guest (as opposed to a PV guest)? */
-#define _XEN_DOMCTL_CDF_hvm_guest 0
-#define XEN_DOMCTL_CDF_hvm_guest (1U<<_XEN_DOMCTL_CDF_hvm_guest)
+#define _XEN_DOMCTL_CDF_hvm_guest 0
+#define XEN_DOMCTL_CDF_hvm_guest (1U<<_XEN_DOMCTL_CDF_hvm_guest)
/* Use hardware-assisted paging if available? */
-#define _XEN_DOMCTL_CDF_hap 1
-#define XEN_DOMCTL_CDF_hap (1U<<_XEN_DOMCTL_CDF_hap)
+#define _XEN_DOMCTL_CDF_hap 1
+#define XEN_DOMCTL_CDF_hap (1U<<_XEN_DOMCTL_CDF_hap)
+ /* Should domain memory integrity be verifed by tboot during Sx? */
+#define _XEN_DOMCTL_CDF_s3_integrity 2
+#define XEN_DOMCTL_CDF_s3_integrity (1U<<_XEN_DOMCTL_CDF_s3_integrity)
uint32_t flags;
};
typedef struct xen_domctl_createdomain xen_domctl_createdomain_t;
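Review bot: The new comment in the public header reads `/* Should domain memory integrity be verifed by tboot during Sx? */`, with "verifed" misspelt, and it says "Sx" where the flag name, the tools and the commit message all say S3; since this is a public ABI header the wording will be copied by every consumer. Change it to `/* Should domain memory integrity be verified by tboot during S3? */`. The surrounding re-indentation of the existing hvm/hap defines is whitespace only.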
diff -r 9c5b4efc934d -r 43019597f85c xen/include/xen/sched.h
--- a/xen/include/xen/sched.h Tue Mar 03 11:46:52 2009 +0000
+++ b/xen/include/xen/sched.h Tue Mar 03 11:52:44 2009 +0000
@@ -341,14 +341,18 @@ struct domain *domain_create(
struct domain *domain_create(
domid_t domid, unsigned int domcr_flags, ssidref_t ssidref);
/* DOMCRF_hvm: Create an HVM domain, as opposed to a PV domain. */
-#define _DOMCRF_hvm 0
-#define DOMCRF_hvm (1U<<_DOMCRF_hvm)
+#define _DOMCRF_hvm 0
+#define DOMCRF_hvm (1U<<_DOMCRF_hvm)
/* DOMCRF_hap: Create a domain with hardware-assisted paging. */
-#define _DOMCRF_hap 1
-#define DOMCRF_hap (1U<<_DOMCRF_hap)
+#define _DOMCRF_hap 1
+#define DOMCRF_hap (1U<<_DOMCRF_hap)
+ /* DOMCRF_s3_integrity: Create a domain with tboot memory integrity protection
+ by tboot */
+#define _DOMCRF_s3_integrity 2
+#define DOMCRF_s3_integrity (1U<<_DOMCRF_s3_integrity)
/* DOMCRF_dummy: Create a dummy domain (not scheduled; not on domain list) */
-#define _DOMCRF_dummy 2
-#define DOMCRF_dummy (1U<<_DOMCRF_dummy)
+#define _DOMCRF_dummy 3
+#define DOMCRF_dummy (1U<<_DOMCRF_dummy)
/*
* rcu_lock_domain_by_id() is more efficient than get_domain_by_id().
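Review bot: The new comment `/* DOMCRF_s3_integrity: Create a domain with tboot memory integrity protection by tboot */` says "tboot" twice and, unlike its neighbours, is indented by a leading space and split across two lines. A single line in the style of the entries above reads better: `/* DOMCRF_s3_integrity: Create a domain whose memory integrity is verified by tboot across S3. */`. Renumbering `_DOMCRF_dummy` from 2 to 3 to make room is fine as long as these values stay internal to the hypervisor, which this header suggests but the hunk does not prove.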