
Re: [Xen-devel] [PATCH] XSM: add Kconfig option to override bootloader provided policy



On 28/11/17 18:06, Tamas K Lengyel wrote:
> From: Tamas K Lengyel <lengyelt@xxxxxxxxxxxx>
>
> Currently the built-in XSM policy only gets used if there is no other policy
> specified during boot. In this patch we add a Kconfig option to specify to only
> use built-in policy during boot. This is particularly important when booting
> Xen through the shim to ensure the XSM policy gets measured and that it can't
> be replaced by another unmeasured policy by the bootloader. Note that the XSM
> policy can still be updated after boot (from dom0 for example) if the built-in
> policy allows it.
>
> Signed-off-by: Tamas K Lengyel <lengyelt@xxxxxxxxxxxx>
> ---
> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> Cc: Jan Beulich <jbeulich@xxxxxxxx>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> Cc: Tim Deegan <tim@xxxxxxx>
> Cc: Wei Liu <wei.liu2@xxxxxxxxxx>
> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Cc: openxt@xxxxxxxxxxxxxxxx
> ---
>  xen/common/Kconfig | 14 ++++++++++++++
>  xen/xsm/xsm_core.c |  2 ++
>  2 files changed, 16 insertions(+)
>
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index 103ef44cb5..5ad0d03f37 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -140,6 +140,20 @@ config XSM_POLICY
>  
>         If unsure, say Y.
>  
> +config XSM_POLICY_OVERRIDE
> +     bool "Built-in security policy overrides bootloader provided policy"

The overall change certainly looks good and it is obvious why it is a
benefit.  However, text/functionality like this is cognitively hard to
follow, and _OVERRIDE isn't obvious as to its functionality at a glance.

Wouldn't it be better to have XSM_BOOTLOADER_POLICY (or possibly
XSM_ALLOW_?), which defaults to y, and can be forced off for extra security?

~Andrew

> +     default n
> +     depends on XSM && XSM_POLICY
> +     ---help---
> +       Set this option to 'Y' to have the hypervisor ignore the security
> +       policy provided by the bootloader, and use ONLY the built-in
> +       security policy.
> +
> +       This can be used to ensure only verified security policies are
> +       loaded during boot time.
> +
> +       If unsure, say N.
> +
>  config LATE_HWDOM
>       bool "Dedicated hardware domain"
>       default n
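Review bot: the help text in this hunk (`+       Set this option to 'Y' to have the hypervisor ignore the security` through `+       loaded during boot time.`) does not say what an operator will observe when a bootloader-provided policy is present and this option is enabled, i.e. whether the discarded policy is reported on the console or dropped silently. Since the stated purpose is to keep an unmeasured policy from replacing the measured built-in one, it would help to state the behaviour here so that a misconfigured boot chain is detectable, for example by adding a line such as `A policy supplied by the bootloader is ignored and a warning is logged.` (matching whatever xsm_core.c actually does, which is not visible in this quote).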
>


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
