
Re: [PATCH v6 09/10] kconfig: update xsm config to reflect reality


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 17 Sep 2021 14:09:33 +0200
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 17 Sep 2021 12:09:59 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10.09.2021 22:13, Daniel P. Smith wrote:
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -200,23 +200,20 @@ config XENOPROF
>  
>         If unsure, say Y.
>  
> -config XSM
> -     bool "Xen Security Modules support"
> +config XSM_CONFIGURABLE
> +     bool "Configure Xen Security Modules"
>       default ARM
> -     ---help---
> -       Enables the security framework known as Xen Security Modules which
> -       allows administrators fine-grained control over a Xen domain and
> -       its capabilities by defining permissible interactions between domains,
> -       the hypervisor itself, and related resources such as memory and
> -       devices.
> +     help
> +       Allows for configuring the Xen Security Modules (XSM) policy or 
> policies
> +       modules that will be availble and which will be the default.
>  
>         If unsure, say N.
>  
>  config XSM_FLASK
> -     def_bool y
> -     prompt "FLux Advanced Security Kernel support"
> -     depends on XSM
> -     ---help---
> +     bool "FLux Advanced Security Kernel support"
> +     depends on XSM_CONFIGURABLE
> +     select XSM_EVTCHN_LABELING
> +     help
>         Enables FLASK (FLux Advanced Security Kernel) as the access control
>         mechanism used by the XSM framework.  This provides a mandatory access
>         control framework by which security enforcement, isolation, and
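
Review bot: In the XSM_FLASK entry, replacing "def_bool y" with a plain "bool" leaves the option without a default, so a build that turns on XSM_CONFIGURABLE no longer gets FLASK unless it is selected by hand; if that is intended the help text should say so, otherwise add "default y". The added "select XSM_EVTCHN_LABELING" also forces that symbol on regardless of its own dependencies, so it is worth confirming it has none that FLASK does not already satisfy. In the XSM_CONFIGURABLE help text, "policy or policies modules that will be availble" is garbled and misspells "available", and the removed description of what XSM does has no replacement; consider "Allows configuring which Xen Security Modules (XSM) policy modules will be available and which will be the default".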

I continue to think that the default here and ...

> @@ -253,10 +250,10 @@ config XSM_FLASK_POLICY
>         If unsure, say Y.
>  
>  config XSM_SILO
> -     def_bool y
> -     prompt "SILO support"
> -     depends on XSM
> -     ---help---
> +     bool "SILO support"
> +     default y if ARM
> +     depends on XSM_CONFIGURABLE
> +     help
>         Enables SILO as the access control mechanism used by the XSM 
> framework.
>         This is not the default module, add boot parameter xsm=silo to choose
>         it. This will deny any unmediated communication channels (grant tables
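
Review bot: In the XSM_SILO entry, "default y if ARM" makes the default architecture-dependent: with XSM_CONFIGURABLE enabled on a non-ARM build SILO is now off, where "def_bool y" had it on. Nothing in the help text tells the user this, so either keep an unconditional "default y" or add a sentence to the help text naming the per-architecture default.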

... here should not change. If it changes, the change needs justifying
in the description.

> @@ -282,15 +279,15 @@ endchoice
>  config LATE_HWDOM
>       bool "Dedicated hardware domain"
>       default n
> -     depends on XSM && X86
> -     ---help---
> +     depends on XSM_FLASK && X86
> +     help
>         Allows the creation of a dedicated hardware domain distinct from
>         domain 0 that manages devices without needing access to other
>         privileged functionality such as the ability to manage domains.
>         This requires that the actual domain 0 be a stub domain that
>         constructs the actual hardware domain instead of initializing the
>         hardware itself.  Because the hardware domain needs access to
> -       hypercalls not available to unprivileged guests, an XSM policy
> +       hypercalls not available to unprivileged guests, an XSM Flask policy
>         is required to properly define the privilege of these domains.
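
Review bot: Narrowing "depends on XSM && X86" to "depends on XSM_FLASK && X86" means a configuration that had LATE_HWDOM enabled without FLASK will lose it on the next config update with no prompt; the help text gives the reason (a Flask policy is required), but the dependency change itself should be called out for people carrying such a config. The new wording also spells it "Flask" while the XSM_FLASK help text in the same file uses "FLASK"; pick one.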

I also continue to think that this would better be a separate change.
Or if not, the seemingly unrelated change needs mentioning in the
description (to make clear it's not a stray change).

Jan




 

