Re: Xen XSM/FLASK policy, grub defaults, etc.
> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>
> The Xen tools build system builds a FLASK policy by default. It does
> this even if the hypervisor build for XSM is disabled.
>
> I recently sent patches upstream to grub to support XSM in
> update-grub. update-grub is the program which examines your /boot and
> generates appropriate bootloader entries. My merge request
> https://salsa.debian.org/grub-team/grub/-/merge_requests/18
> finds XSM policy files, and when they are found, generates "XSM
> enabled" bootloader entries. [1]
>
> The result of these two things together is that a default build of
> grub will result in these "XSM enabled" bootloader entries. In
> practice I think these entries will boot because everything ignores
> the additional XSM policy file (!) and Xen ignores the
> "flask=enforcing" option (!!)
>
> This is not particularly good. Offering people an "XSM enabled"
> option which does nothing is poor because they might think they have the
> extra security but actually significantly more steps are needed. But
> there doesn't appear to be any way for update-grub to tell whether a
> particular hypervisor does support XSM or not.
>
> I think the following changes would be good:
>
> 1. Xen should reject "flask=enforcing" if it is built without FLASK
> support, rather than ignoring it. This will ensure users are not
> misled by these boot options since they will be broken.

+1

> 2. Xen should disable the XSM policy build when FLASK is disabled.
> This is unfortunately not so simple because the XSM policy build is a
> tools option and FLASK is a Xen option and the configuration systems
> are disjoint. But at the very least a default build, which has no XSM
> support, should not build an XSM policy file either.

A simple thing to do here would be to have the flask policy controlled by a configure --flask option.

If neither --flask nor --no-flask is specified, we could maybe have configure also check the contents of xen/.config to see if CONFIG_XSM_FLASK is enabled?

> 3. Failing that, Xen should provide some other mechanism which would
> enable something like update-grub to determine whether a particular
> hypervisor can sensibly be run with a policy file and flask=enforcing.

So you want update-grub to check whether *the Xen binary it's creating entries for* has FLASK enabled. We generally include the Xen config used to build the hypervisor — could we have it check for CONFIG_XSM_FLASK?

 -George
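The check George suggests, sketched as an added example (this is not code from the grub merge request, from Debian's update-grub scripts, or from Xen): given a hypervisor image, look for the Kconfig that was used to build it and only produce an "XSM enabled" entry when that config says CONFIG_XSM_FLASK=y and a policy file is actually present. Two things here are assumptions rather than anything the thread states: that the build config is installed beside the image, named after it with ".gz" dropped and ".config" appended (e.g. xen-4.14.gz alongside xen-4.14.config), and that the caller passes in the policy file path it has already located. The files in the demo are constructed in a temporary directory, not read from a real /boot.

```shell
#!/bin/sh
# Added example, not grub or Xen project code. Decide whether an
# "XSM enabled" boot entry makes sense for a given hypervisor image by
# checking the installed build config for CONFIG_XSM_FLASK=y.
#
# Assumptions (not stated in the thread): the build config sits next to the
# image as <image minus .gz>.config, and the caller supplies the policy path.

# xen_config_for IMAGE
#   Print the path of the build config belonging to IMAGE, or nothing if no
#   readable config is found.
xen_config_for() {
    base=${1%.gz}
    [ -r "$base.config" ] && printf '%s\n' "$base.config"
    return 0
}

# xen_has_flask IMAGE
#   Succeed only if the config for IMAGE contains the line CONFIG_XSM_FLASK=y.
#   grep -x matches whole lines, so "# CONFIG_XSM_FLASK is not set" does not
#   count as enabled.
xen_has_flask() {
    cfg=$(xen_config_for "$1")
    [ -n "$cfg" ] && grep -qx 'CONFIG_XSM_FLASK=y' "$cfg"
}

# xsm_entry_args IMAGE POLICY
#   Print the hypervisor command-line addition for an "XSM enabled" entry
#   only when IMAGE was built with FLASK and POLICY is readable; print
#   nothing (meaning: generate no XSM entry) otherwise. The policy file
#   itself would be added to the entry as an extra boot module.
xsm_entry_args() {
    if xen_has_flask "$1" && [ -r "$2" ]; then
        printf 'flask=enforcing\n'
    fi
}

# Stand-alone demo on constructed files (not a real /boot).
demo() {
    d=$(mktemp -d)
    : > "$d/xen-4.14.gz"
    printf 'CONFIG_XSM=y\nCONFIG_XSM_FLASK=y\n' > "$d/xen-4.14.config"
    : > "$d/xen-4.13.gz"
    printf 'CONFIG_XSM=y\n# CONFIG_XSM_FLASK is not set\n' > "$d/xen-4.13.config"
    : > "$d/xenpolicy-4.14"
    for img in "$d/xen-4.14.gz" "$d/xen-4.13.gz"; do
        args=$(xsm_entry_args "$img" "$d/xenpolicy-4.14")
        if [ -n "$args" ]; then
            echo "$(basename "$img"): XSM entry with '$args'"
        else
            echo "$(basename "$img"): no XSM entry"
        fi
    done
    rm -rf "$d"
}
demo
```

Note the failure mode this is meant to close: a hypervisor whose config lacks CONFIG_XSM_FLASK=y, or an image with no config beside it at all, yields no entry rather than a "flask=enforcing" entry that the hypervisor would silently ignore. A missing or unreadable policy file is treated the same way.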