Xen project Mailing List

Re: Xen XSM/FLASK policy, grub defaults, etc.

To: Ian Jackson <Ian.Jackson@xxxxxxxxxx>

From: George Dunlap <George.Dunlap@xxxxxxxxxx>

Date: Fri, 29 May 2020 10:58:30 +0000

Accept-language: en-GB, en-US

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, "cjwatson@xxxxxxxxxx" <cjwatson@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Fri, 29 May 2020 10:58:37 +0000

Ironport-sdr: 1NFytPxIw25jPXcWDGl2CV7si/0dB4EPPX9WJk1Eu9998TMB8wpwiwKpd6EJVAut/MhZjt5si1 WhgTrUt+JD9OQ6idUX4Vxe67WhXY1DYODeEQWvIUky26OGLS/y0uaVxBbKq7kNodqKaJIZDjIT b7/jld0cB6ydLPWKAYSId4UVNeW3oMBbTLw/GKQ2hlwh64dY5LfNz+WpZiC7L1qXo4X192skRB XCLtPKer+ffonrDdy0j+QPGNeKgiLMGTBPEeukBXVv43aJWyvFfcdn85SG6oIgw5CEM2kXhGFU vIU=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHWND0/xSJFUOR5YU28XikgbPuX46i7+DWAgALLwwCAAAIzAA==

Thread-topic: Xen XSM/FLASK policy, grub defaults, etc.

> On May 29, 2020, at 11:50 AM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote: > > George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."): >>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote: >>> 3. Failing that, Xen should provide some other mechanism which would >>> enable something like update-grub to determine whether a particular >>> hypervisor can sensibly be run with a policy file and flask=enforcing. >> >> So you want update-grub to check whether *the Xen binary it’s creating >> entries for* has FLASK enabled. We generally include the Xen config used to >> build the hypervisor — could we have it check for CONFIG_XSM_FLASK? > > That would be a possibility. Including kernel configs has gone out of > fashion but I think most distros ship them. > > Are we confident that this config name will remain stable ? Before taking this approach, we should probably agree to declare it stable, and write a comment to that effect in the Kconfig files. > > And I guess if the .config can't be found then the XSM boot entry > should be included ? It looks like at the moment experimental config entries are “unpersons” without CONFIG_EXPERIMENTAL=y; at least, `rm .config && make defconfig && grep -i flask` doesn’t turn up anything for me. -George

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.