[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

To: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Fri, 24 Jun 2016 17:30:32 +0100
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
Delivery-date: Fri, 24 Jun 2016 16:30:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hello Daniel,

Please try to CC relevant maintainers on your patch. I would have missedit if Andrew did not ping me on IRC.


On 20/06/16 15:04, Daniel De Graaf wrote:

This adds a Kconfig option and support for including the XSM policy from
tools/flask/policy in the hypervisor so that the bootloader does not
need to provide a policy to get sane behavior from an XSM-enabled
hypervisor.  The policy provided by the bootloader, if present, will
override the built-in policy.

Enabling this option only builds the policy if checkpolicy is available
during compilation of the hypervisor; otherwise, it does nothing.  The
XSM policy is not moved out of tools because that remains the primary
location for installing and configuring the policy.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>


For ARM bits:

Acked-by: Julien Grall <julien.grall@xxxxxxx>

Although, I one a question below.

[...]

diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 12fc3a9..eefd37c 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -27,6 +27,23 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
  $(AV_H_FILES): $(AV_H_DEPEND)
        $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)

+ifeq ($(CONFIG_XSM_POLICY),y)
+HAS_CHECKPOLICY := $(shell checkpolicy -h 2>&1 | grep -q xen && echo y || echo 
n)
+
+obj-$(HAS_CHECKPOLICY) += policy.o

I would have expect a warning (if not an error) here to tell the userthat checkpolicy is not available. Otherwise it may take some time tothe user to understand why the policy is not loaded/present. Because ifyou enable XSM, you don't necessarily check which other options havebeen enabled by default.

+endif


Regards,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Konrad Rzeszutek Wilk

References:
- [Xen-devel] [PATCH v2 00/17] XSM/FLASK updates for 4.8
  - From: Daniel De Graaf
- [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Daniel De Graaf

Prev by Date: Re: [Xen-devel] [PATCH v6 5/5] x86/vm_event: Add HVM debug exception vm_events
Next by Date: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Previous by thread: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Next by thread: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.