Xen XSM/FLASK policy, grub defaults, etc.
The Xen tools build system builds a FLASK policy by default. It does this even if the hypervisor build for XSM is disabled.

I recently sent patches upstream to grub to support XSM in update-grub. update-grub is the program which examines your /boot and generates appropriate bootloader entries. My merge request
  https://salsa.debian.org/grub-team/grub/-/merge_requests/18
finds XSM policy files, and when they are found, generates "XSM enabled" bootloader entries. [1]

The result of these two things together is that a default build of grub will result in these "XSM enabled" bootloader entries. In practice I think these entries will boot because everything ignores the additional XSM policy file (!) and Xen ignores the "flask=enforcing" option (!!).

This is not particularly good. Offering people an "XSM enabled" option which does nothing is poor because they might think they have the extra security but actually significantly more steps are needed. But there doesn't appear to be any way for update-grub to tell whether a particular hypervisor does support XSM or not.

I think the following changes would be good:

1. Xen should reject "flask=enforcing" if it is built without FLASK support, rather than ignoring it. This will ensure users are not misled by these boot options since they will be broken.

2. Xen should disable the XSM policy build when FLASK is disabled. This is unfortunately not so simple because the XSM policy build is a tools option and FLASK is a Xen option and the configuration systems are disjoint. But at the very least a default build, which has no XSM support, should not build an XSM policy file either.

3. Failing that, Xen should provide some other mechanism which would enable something like update-grub to determine whether a particular hypervisor can sensibly be run with a policy file and flask=enforcing.

Opinions?

Thanks,
Ian.

[1] osstest has been doing this approximately forever. Due to accidents of boot config ordering, these entries have not been used by default.