
Re: Xen XSM/FLASK policy, grub defaults, etc.

> On May 29, 2020, at 12:02 PM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> On 29.05.2020 12:50, Ian Jackson wrote:
>> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>>> 3. Failing that, Xen should provide some other mechanism which would
>>>> enable something like update-grub to determine whether a particular
>>>> hypervisor can sensibly be run with a policy file and flask=enforcing.
>>> So you want update-grub to check whether *the Xen binary it’s creating 
>>> entries for* has FLASK enabled.  We generally include the Xen config used 
>>> to build the hypervisor — could we have it check for CONFIG_XSM_FLASK?
>> That would be a possibility.  Including kernel configs has gone out of
>> fashion but I think most distros ship them.
>> Are we confident that this config name will remain stable?
> Well, if it's to be used like this, then we'll have to keep it
> stable if at all possible. But that's the reason why I dislike
> the .config grep-ing approach (not just for Xen, also for
> Linux). It would imo be better if the binary included something
> that can be queried. Such a "something" is then much more
> logical to keep stable, imo. This "something" could be an ELF
> note, for example (assuming a similar problem to the one here
> doesn't exist for xen.efi, or else we'd need to find a solution
> there, too).

I think an ELF note on the binary would be nice; but it won’t help until all
the distros pick up Xen 4.15.

Which isn’t to say we shouldn’t do it; but it might be nice to also have an
intermediate solution that works right now, even if it’s not optimal.
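The "intermediate solution" under discussion, as an added example that is not code from the thread or from the Xen or grub projects: a grub-helper-style shell function that inspects the shipped Xen build config for CONFIG_XSM_FLASK and only emits `flask=enforcing` when FLASK is compiled in and a policy file is present. The config and policy paths are taken as arguments rather than assuming any distro's naming; treating a config that does not mention the symbol at all as "unknown" covers the case Ian raises of the config name not being stable across versions.

```shell
#!/bin/sh
# Decide how update-grub should treat FLASK for one hypervisor binary.
# Arguments: path to the shipped Xen .config, path to the compiled policy.
# Prints one word and returns a status:
#   enforcing (0) - CONFIG_XSM_FLASK=y and a policy file exists
#   disabled  (1) - FLASK compiled out or no policy: flask=enforcing would
#                   make the hypervisor fail to boot, so leave FLASK off
#   unknown   (2) - no config, or a config that never mentions the symbol
#                   (different Xen version / renamed option): leave FLASK off
xen_flask_mode() {
    config="$1"
    policy="$2"
    [ -r "$config" ] || { echo unknown; return 2; }
    if grep -q '^CONFIG_XSM_FLASK=y$' "$config"; then
        if [ -r "$policy" ]; then
            echo enforcing; return 0
        fi
        echo disabled; return 1
    fi
    # Kconfig writes disabled options as "# CONFIG_FOO is not set"
    if grep -q '^# CONFIG_XSM_FLASK is not set$' "$config"; then
        echo disabled; return 1
    fi
    echo unknown; return 2
}

# Extra hypervisor command-line text and the policy module line a grub
# entry should carry for the mode above (policy is loaded as a module).
xen_flask_grub_lines() {
    case "$1" in
        enforcing) printf 'flask=enforcing\nmodule %s\n' "$2" ;;
        *) printf '\n' ;;
    esac
}

# Stand-alone demo on constructed files (not real distro paths).
demo_dir=$(mktemp -d)
printf 'CONFIG_XSM=y\nCONFIG_XSM_FLASK=y\n' > "$demo_dir/xen-with-flask.config"
printf 'CONFIG_XSM=y\n# CONFIG_XSM_FLASK is not set\n' > "$demo_dir/xen-no-flask.config"
: > "$demo_dir/xenpolicy"
for cfg in xen-with-flask xen-no-flask xen-older; do
    mode=$(xen_flask_mode "$demo_dir/$cfg.config" "$demo_dir/xenpolicy")
    echo "$cfg: $mode"
    xen_flask_grub_lines "$mode" "$demo_dir/xenpolicy"
done
rm -rf "$demo_dir"
```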
