Re: Xen XSM/FLASK policy, grub defaults, etc.

[George Dunlap <George.Dunlap@xxxxxxxxxx>]

> On May 29, 2020, at 12:02 PM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> 
> On 29.05.2020 12:50, Ian Jackson wrote:
>> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>>> 3. Failing that, Xen should provide some other mechanism which would
>>>> enable something like update-grub to determine whether a particular
>>>> hypervisor can sensibly be run with a policy file and flask=enforcing.
>>> 
>>> So you want update-grub to check whether *the Xen binary it’s creating 
>>> entries for* has FLASK enabled.  We generally include the Xen config used 
>>> to build the hypervisor — could we have it check for CONFIG_XSM_FLASK?
>> 
>> That would be a possibility.  Including kernel configs has gone out of
>> fashion but I think most distros ship them.
>> 
>> Are we confident that this config name will remain stable ?
> 
> Well, if it's to be used like this, then we'll have to keep it
> stable if at all possible. But that's the reason why I dislike
> the .config grep-ing approach (not just for Xen, also for
> Linux). It would imo be better if the binary included something
> that can be queried. Such a "something" is then much more
> logical to keep stable, imo. This "something" could be an ELF
> note, for example (assuming a similar problem to the one here
> doesn't exist for xen.efi, or else we'd need to find a solution
> there, too).

I think an elf note on the binary would be nice; but it won’t help until all 
the distros pick up Xen 4.15.

Which isn’t to say we shouldn’t do it; but it might be nice to also have an 
intermediate solution that works right now, even if it’s not optimal.

 -George