Re: Xen XSM/FLASK policy, grub defaults, etc.
On 29.05.2020 12:50, Ian Jackson wrote:
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>> 3. Failing that, Xen should provide some other mechanism which would
>>> enable something like update-grub to determine whether a particular
>>> hypervisor can sensibly be run with a policy file and flask=enforcing.
>>
>> So you want update-grub to check whether *the Xen binary it’s creating
>> entries for* has FLASK enabled. We generally include the Xen config used to
>> build the hypervisor — could we have it check for CONFIG_XSM_FLASK?
>
> That would be a possibility. Including kernel configs has gone out of
> fashion but I think most distros ship them.
>
> Are we confident that this config name will remain stable ?

Well, if it's to be used like this, then we'll have to keep it stable
if at all possible. But that's the reason why I dislike the .config
grep-ing approach (not just for Xen, also for Linux). It would imo be
better if the binary included something that can be queried. Such a
"something" is then much more logical to keep stable, imo. This
"something" could be an ELF note, for example (assuming a similar
problem to the one here doesn't exist for xen.efi, or else we'd need
to find a solution there, too).

Jan
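The .config check discussed in this thread, written out as an added example that is not part of the original message or of update-grub. The function names, the file layout and the sample config lines are assumptions made for illustration; only CONFIG_XSM_FLASK and flask=enforcing come from the thread.

```shell
# Added example: decide from a Xen build config whether a boot entry with
# an XSM policy and flask=enforcing makes sense for that hypervisor.
# Function names and file locations are hypothetical.

# Prints "enabled", "disabled" or "unknown" for the given config file.
xen_flask_state() {
    config=$1
    if [ ! -r "$config" ]; then
        echo unknown        # distro shipped no config: cannot tell
        return 0
    fi
    # -x matches the whole line, so longer option names that merely start
    # with CONFIG_XSM_FLASK and the "# ... is not set" form do not count.
    if grep -qx 'CONFIG_XSM_FLASK=y' "$config"; then
        echo enabled
    else
        echo disabled
    fi
}

# Succeeds only if the hypervisor has FLASK built in AND a policy file exists.
want_flask_entry() {
    config=$1 policy=$2
    [ "$(xen_flask_state "$config")" = enabled ] && [ -r "$policy" ]
}

# Demo on constructed sample configs (not real distro files).
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_XSM=y' 'CONFIG_XSM_FLASK=y' > "$demo_dir/config-a"
printf '%s\n' 'CONFIG_XSM=y' '# CONFIG_XSM_FLASK is not set' \
    'CONFIG_XSM_FLASK_POLICY=y' > "$demo_dir/config-b"
: > "$demo_dir/xenpolicy"
for cfg in config-a config-b config-missing; do
    if want_flask_entry "$demo_dir/$cfg" "$demo_dir/xenpolicy"; then
        echo "$cfg: add flask=enforcing entry"
    else
        echo "$cfg: plain entry only ($(xen_flask_state "$demo_dir/$cfg"))"
    fi
done
rm -rf "$demo_dir"
```

The "unknown" result is the case the reply is concerned with: when no config is shipped, or the option name changes, the grep-based check has nothing stable to query.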