# HG changeset patch # User kaf24@xxxxxxxxxxxxxxxxxxxx # Node ID cc1d77bba4b05aebdd9bf9a158dc48d02cc266fc # Parent f5dafee503ba35c2135ca464cbb389756a92a2e7 Enable the Xen hypervisor ACM security policy to be determined at boot time (instead of at compile time). Allows a single xen.gz binary to run under different security policy types, which simplifies distributions considerably. To this end, we replace the current single compile switch in Config.mk with the following two: 1. ACM_SECURITY (y/n) if "n", then the ACM is not compiled and no security policies can be configured at boot time. If "y", then the ACM is compiled and can be configured into any of the available policy types (null, chwall, ste, chwall_ste) by specifying a valid boot policy .bin file in the grub boot configuration. 2. ACM_DEFAULT_SECURITY_POLICY (null / chwall / ste / chwall_ste) specifies the policy into which Xen defaults in the case that security is enabled but no boot policy file is specified, or the specified policy file is invalid (wrong version, magic, corrupted, ...) While the type of the enabled policy (null, ste, ...) is decided once during boot for the whole boot cycle, the policy instantiation can be changed during operation as usual with the security tools. Signed-off by: Tomas Lendacky <toml@xxxxxxxxxx> Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx> diff -r f5dafee503ba -r cc1d77bba4b0 Config.mk --- a/Config.mk Sat Nov 19 09:29:28 2005 +++ b/Config.mk Sat Nov 19 09:35:38 2005 
@@ -44,13 +44,21 @@ # Choose the best mirror to download linux kernel KERNEL_REPO = http://www.kernel.org -# ACM_USE_SECURITY_POLICY is set to security policy of Xen +# If ACM_SECURITY = y, then the access control module is compiled +# into Xen and the policy type can be set by the boot policy file +# y - Build the Xen ACM framework +# n - Do not build the Xen ACM framework +ACM_SECURITY ?= n + +# If ACM_SECURITY = y and no boot policy file is installed, +# then the ACM defaults to the security policy set by +# ACM_DEFAULT_SECURITY_POLICY # Supported models are: -# ACM_NULL_POLICY (ACM will not be built with this policy) +# ACM_NULL_POLICY # ACM_CHINESE_WALL_POLICY # ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY # ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY -ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY +ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY # Optional components XENSTAT_XENTOP ?= y diff -r f5dafee503ba -r cc1d77bba4b0 tools/security/Makefile --- a/tools/security/Makefile Sat Nov 19 09:29:28 2005 +++ b/tools/security/Makefile Sat Nov 19 09:35:38 2005 
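Review bot: The new comment above `ACM_DEFAULT_SECURITY_POLICY` says the default is used when "no boot policy file is installed", but the commit description states it is also used when a boot policy file is present and rejected (wrong magic, version, size), and with the shipped default `ACM_NULL_POLICY` that means a corrupted policy file boots with no enforcement at all. Since this is the knob an operator reads when deciding what to set, the fallback behaviour should be spelled out here. Suggested addition after the `# ACM_DEFAULT_SECURITY_POLICY` line: `# The same fallback is taken when a boot policy file is supplied but rejected,` / `# so with ACM_NULL_POLICY a corrupted policy file boots without access control;` / `# production builds should set a non-NULL default.`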
@@ -12,21 +12,21 @@ XML2VERSION = $(shell xml2-config --version ) VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; ) -ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY) +ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY) POLICY=null endif -ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY) +ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY) POLICY=chwall endif -ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) +ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) POLICY=ste endif -ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) +ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) POLICY=chwall_ste endif POLICYFILE=./policies/$(POLICY)/$(POLICY).bin -ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY) +ifeq ($(ACM_SECURITY),y) all: build install:all @@ -55,7 +55,7 @@ $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $< clean: - rm -rf secpol_tool secpol_xml2bin xen + rm -rf secpol_tool secpol_xml2bin xen get_decision policy_clean: rm -rf policies/*/*.bin policies/*/*.map diff -r f5dafee503ba -r cc1d77bba4b0 tools/security/install.txt --- a/tools/security/install.txt Sat Nov 19 09:29:28 2005 +++ b/tools/security/install.txt Sat Nov 19 09:35:38 2005 @@ -24,11 +24,13 @@ # cd "xen_root" # edit/xemacs/vi Config.mk - change the line: - ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY + change the lines: + ACM_SECURITY ?= n + ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY to: - ACM_USE_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY + ACM_SECURITY ?= y + ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY # make all # ./install.sh diff -r f5dafee503ba -r cc1d77bba4b0 xen/Makefile --- a/xen/Makefile Sat Nov 19 09:29:28 2005 +++ b/xen/Makefile Sat Nov 19 09:35:38 2005 
@@ -57,7 +57,7 @@ $(MAKE) include/asm-$(TARGET_ARCH)/asm-offsets.h $(MAKE) -C common $(MAKE) -C drivers -ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY) +ifeq ($(ACM_SECURITY),y) $(MAKE) -C acm endif $(MAKE) -C arch/$(TARGET_ARCH) @@ -79,8 +79,8 @@ echo " *"; \ echo " */"; \ echo ""; \ - echo "#ifndef ACM_USE_SECURITY_POLICY"; \ - echo "#define ACM_USE_SECURITY_POLICY $(ACM_USE_SECURITY_POLICY)"; \ + echo "#ifndef ACM_DEFAULT_SECURITY_POLICY"; \ + echo "#define ACM_DEFAULT_SECURITY_POLICY $(ACM_DEFAULT_SECURITY_POLICY)"; \ echo "#endif") >$@ # compile.h contains dynamic build info. Rebuilt on every 'make' invocation. diff -r f5dafee503ba -r cc1d77bba4b0 xen/Rules.mk --- a/xen/Rules.mk Sat Nov 19 09:29:28 2005 +++ b/xen/Rules.mk Sat Nov 19 09:35:38 2005 @@ -37,8 +37,9 @@ ALL_OBJS := $(BASEDIR)/common/common.o ALL_OBJS += $(BASEDIR)/drivers/char/driver.o ALL_OBJS += $(BASEDIR)/drivers/acpi/driver.o -ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY) +ifeq ($(ACM_SECURITY),y) ALL_OBJS += $(BASEDIR)/acm/acm.o +CFLAGS += -DACM_SECURITY endif ALL_OBJS += $(BASEDIR)/arch/$(TARGET_ARCH)/arch.o diff -r f5dafee503ba -r cc1d77bba4b0 xen/acm/acm_core.c --- a/xen/acm/acm_core.c Sat Nov 19 09:29:28 2005 +++ b/xen/acm/acm_core.c Sat Nov 19 09:35:38 2005 @@ -49,6 +49,9 @@ extern struct acm_operations acm_chinesewall_ops, acm_simple_type_enforcement_ops, acm_null_ops; +/* global ACM policy (now dynamically determined at boot time) */ +u16 acm_active_security_policy = ACM_POLICY_UNDEFINED; + /* global ops structs called by the hooks */ struct acm_operations *acm_primary_ops = NULL; /* called in hook if-and-only-if primary succeeds */ @@ -61,7 +64,8 @@ /* until we have endian support in Xen, we discover it at runtime */ u8 little_endian = 1; -void acm_set_endian(void) +void +acm_set_endian(void) { u32 test = 1; if (*((u8 *)&test) == 1) 
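Review bot: The new global `acm_active_security_policy` in acm_core.c is documented only as "dynamically determined at boot time"; neither its encoding nor its locking is stated, although the other hunks of this patch store `(secondary_code << 4) | primary_code` into it, assign it after `write_unlock(&acm_bin_pol_rwlock)` rather than under the lock, and read it with no lock at all in acm_init_domain_ssid. A maintainer adding a reader will otherwise assume it is protected by acm_bin_pol_rwlock like the neighbouring acm_bin_pol. Suggested replacement for the comment: `/* Active policy type: (secondary_code << 4) | primary_code, or ACM_POLICY_UNDEFINED until fixed once at boot. Written outside acm_bin_pol_rwlock; do not expect it to change atomically with acm_bin_pol. */`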
@@ -76,14 +80,82 @@ } } -/* initialize global security policy for Xen; policy write-locked already */ -static void -acm_init_binary_policy(void *primary, void *secondary) -{ - acm_bin_pol.primary_policy_code = 0; - acm_bin_pol.secondary_policy_code = 0; - acm_bin_pol.primary_binary_policy = primary; - acm_bin_pol.secondary_binary_policy = secondary; +int +acm_init_binary_policy(u32 policy_code) +{ + int ret = ACM_OK; + + acm_bin_pol.primary_policy_code = (policy_code & 0x0f); + acm_bin_pol.secondary_policy_code = (policy_code >> 4) & 0x0f; + + write_lock(&acm_bin_pol_rwlock); + + /* set primary policy component */ + switch ((policy_code) & 0x0f) + { + + case ACM_CHINESE_WALL_POLICY: + acm_init_chwall_policy(); + acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY; + acm_primary_ops = &acm_chinesewall_ops; + break; + + case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: + acm_init_ste_policy(); + acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY; + acm_primary_ops = &acm_simple_type_enforcement_ops; + break; + + case ACM_NULL_POLICY: + acm_bin_pol.primary_policy_code = ACM_NULL_POLICY; + acm_primary_ops = &acm_null_ops; + break; + + default: + /* Unknown policy not allowed primary */ + ret = -EINVAL; + goto out; + } + + /* secondary policy component part */ + switch ((policy_code) >> 4) + { + + case ACM_NULL_POLICY: + acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY; + acm_secondary_ops = &acm_null_ops; + break; + + case ACM_CHINESE_WALL_POLICY: + if (acm_bin_pol.primary_policy_code == ACM_CHINESE_WALL_POLICY) + { /* not a valid combination */ + ret = -EINVAL; + goto out; + } + acm_init_chwall_policy(); + acm_bin_pol.secondary_policy_code = ACM_CHINESE_WALL_POLICY; + acm_secondary_ops = &acm_chinesewall_ops; + break; + + case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: + if (acm_bin_pol.primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) + { /* not a valid combination */ + ret = -EINVAL; + goto out; + } + acm_init_ste_policy(); + 
acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY; + acm_secondary_ops = &acm_simple_type_enforcement_ops; + break; + + default: + ret = -EINVAL; + goto out; + } + + out: + write_unlock(&acm_bin_pol_rwlock); + return ret; } static int 
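Review bot: When the secondary switch in acm_init_binary_policy rejects a combination (chwall/chwall, ste/ste, or an unknown code), the function returns -EINVAL with the globals half-updated: `acm_bin_pol.primary_policy_code` and `acm_primary_ops` have already been reassigned and acm_init_chwall_policy()/acm_init_ste_policy() already run, while `acm_secondary_ops` keeps whatever it held before. The two `acm_bin_pol.*_policy_code` assignments at the top also happen before `write_lock(&acm_bin_pol_rwlock)`, so readers holding the read lock can observe them mid-update. This matters because acm_set_policy now feeds this function codes taken from a policy buffer and, on failure, leaves acm_active_security_policy UNDEFINED, so the hooks (not visible here) may run against the mixed state. Validate the whole combination first and commit all globals in one locked step, as below.
```c
int
acm_init_binary_policy(u32 policy_code)
{
    u16 primary   = policy_code & 0x0f;
    u16 secondary = (policy_code >> 4) & 0x0f;
    struct acm_operations *pops, *sops;

    /* anything outside the two 4-bit fields is rejected before globals are touched */
    if (policy_code & ~0xffU)
        return -EINVAL;

    switch (primary)
    {
    case ACM_CHINESE_WALL_POLICY:            pops = &acm_chinesewall_ops;            break;
    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: pops = &acm_simple_type_enforcement_ops; break;
    case ACM_NULL_POLICY:                    pops = &acm_null_ops;                   break;
    default:                                 return -EINVAL;
    }

    switch (secondary)
    {
    case ACM_NULL_POLICY:                    sops = &acm_null_ops;                   break;
    case ACM_CHINESE_WALL_POLICY:            sops = &acm_chinesewall_ops;            break;
    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: sops = &acm_simple_type_enforcement_ops; break;
    default:                                 return -EINVAL;
    }

    /* the same non-NULL policy may not serve as both components */
    if (secondary != ACM_NULL_POLICY && secondary == primary)
        return -EINVAL;

    write_lock(&acm_bin_pol_rwlock);
    if (primary == ACM_CHINESE_WALL_POLICY || secondary == ACM_CHINESE_WALL_POLICY)
        acm_init_chwall_policy();
    if (primary == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY || secondary == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
        acm_init_ste_policy();
    acm_bin_pol.primary_policy_code   = primary;
    acm_bin_pol.secondary_policy_code = secondary;
    acm_primary_ops   = pops;
    acm_secondary_ops = sops;
    write_unlock(&acm_bin_pol_rwlock);
    return ACM_OK;
}
```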
@@ -161,83 +233,35 @@ int ret = ACM_OK; acm_set_endian(); - write_lock(&acm_bin_pol_rwlock); - acm_init_binary_policy(NULL, NULL); - - /* set primary policy component */ - switch ((ACM_USE_SECURITY_POLICY) & 0x0f) - { - - case ACM_CHINESE_WALL_POLICY: - acm_init_chwall_policy(); - acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY; - acm_primary_ops = &acm_chinesewall_ops; - break; - - case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: - acm_init_ste_policy(); - acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY; - acm_primary_ops = &acm_simple_type_enforcement_ops; - break; - - default: - /* NULL or Unknown policy not allowed primary; - * NULL/NULL will not compile this code */ + + /* first try to load the boot policy (uses its own locks) */ + acm_setup(initrdidx, mbi, initial_images_start); + + if (acm_active_security_policy != ACM_POLICY_UNDEFINED) + { + printk("%s: Boot-Policy. Enforcing %s: Primary %s, Secondary %s.\n", __func__, + ACM_POLICY_NAME(acm_active_security_policy), + ACM_POLICY_NAME(acm_bin_pol.primary_policy_code), + ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code)); + goto out; + } + /* else continue with the minimal hardcoded default startup policy */ + printk("%s: Loading default policy (%s).\n", + __func__, ACM_POLICY_NAME(ACM_DEFAULT_SECURITY_POLICY)); + + if (acm_init_binary_policy(ACM_DEFAULT_SECURITY_POLICY)) { ret = -EINVAL; goto out; } - - /* secondary policy component part */ - switch ((ACM_USE_SECURITY_POLICY) >> 4) { - case ACM_NULL_POLICY: - acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY; - acm_secondary_ops = &acm_null_ops; - break; - - case ACM_CHINESE_WALL_POLICY: - if (acm_bin_pol.primary_policy_code == ACM_CHINESE_WALL_POLICY) - { /* not a valid combination */ - ret = -EINVAL; - goto out; - } - acm_init_chwall_policy(); - acm_bin_pol.secondary_policy_code = ACM_CHINESE_WALL_POLICY; - acm_secondary_ops = &acm_chinesewall_ops; - break; - - case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: - if 
(acm_bin_pol.primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) - { /* not a valid combination */ - ret = -EINVAL; - goto out; - } - acm_init_ste_policy(); - acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY; - acm_secondary_ops = &acm_simple_type_enforcement_ops; - break; - - default: - ret = -EINVAL; - goto out; - } + acm_active_security_policy = ACM_DEFAULT_SECURITY_POLICY; out: - write_unlock(&acm_bin_pol_rwlock); - if (ret != ACM_OK) { printk("%s: Error initializing policies.\n", __func__); /* here one could imagine a clean panic */ return -EINVAL; } - if (acm_setup(initrdidx, mbi, initial_images_start) != ACM_OK) - { - printk("%s: Error loading policy at boot time.\n", __func__); - /* ignore, just continue with the minimal hardcoded startup policy */ - } - printk("%s: Enforcing Primary %s, Secondary %s.\n", __func__, - ACM_POLICY_NAME(acm_bin_pol.primary_policy_code), - ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code)); return ret; } @@ -265,7 +289,7 @@ ssid->primary_ssid = NULL; ssid->secondary_ssid = NULL; - if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY) + if (acm_active_security_policy != ACM_NULL_POLICY) ssid->ssidref = ssidref; else ssid->ssidref = ACM_DEFAULT_SSID; diff -r f5dafee503ba -r cc1d77bba4b0 xen/acm/acm_policy.c --- a/xen/acm/acm_policy.c Sat Nov 19 09:29:28 2005 +++ b/xen/acm/acm_policy.c Sat Nov 19 09:35:38 2005 
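Review bot: The return value of `acm_setup(initrdidx, mbi, initial_images_start)` is now discarded, so a boot policy file that was supplied but failed the magic/version/size checks falls through to "Loading default policy" exactly like the no-file case, and the old "Error loading policy at boot time" message is gone; with the Config.mk default `ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY` a corrupted or stale policy file silently boots with no access control. Keep the check and make the downgrade visible, e.g. `if (acm_setup(initrdidx, mbi, initial_images_start) != ACM_OK)` / `    printk("%s: WARNING: boot policy rejected, falling back to %s.\n", __func__, ACM_POLICY_NAME(ACM_DEFAULT_SECURITY_POLICY));` and consider failing closed (panic) when a file was present but rejected, since the fallback is a deliberate policy decision that should be explicit. Whether acm_setup returns ACM_OK when no policy module is present at all is not visible in this hunk and would decide the exact wording. Note also that on the -EINVAL path acm_active_security_policy stays ACM_POLICY_UNDEFINED while acm_init returns to its caller (outside this hunk); unless that caller panics, the policy type remains settable later through acm_set_policy. The enclosing acm_init starts before this hunk.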
@@ -56,17 +56,29 @@ /* 2. some sanity checking */ pol = (struct acm_policy_buffer *)policy_buffer; - if ((ntohl(pol->magic) != ACM_MAGIC) || - (ntohl(pol->policy_version) != ACM_POLICY_VERSION) || - (ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) || + if ((ntohl(pol->magic) != ACM_MAGIC) || + (buf_size != ntohl(pol->len)) || + (ntohl(pol->policy_version) != ACM_POLICY_VERSION)) + { + printk("%s: ERROR in Magic, Version, or buf size.\n", __func__); + goto error_free; + } + + if (acm_active_security_policy == ACM_POLICY_UNDEFINED) { + /* setup the policy with the boot policy */ + if (acm_init_binary_policy((ntohl(pol->secondary_policy_code) << 4) | + ntohl(pol->primary_policy_code))) { + goto error_free; + } + acm_active_security_policy = + (acm_bin_pol.secondary_policy_code << 4) | acm_bin_pol.primary_policy_code; + } + + /* once acm_active_security_policy is set, it cannot be changed */ + if ((ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) || (ntohl(pol->secondary_policy_code) != acm_bin_pol.secondary_policy_code)) { - printkd("%s: Wrong policy magics or versions!\n", __func__); - goto error_free; - } - if (buf_size != ntohl(pol->len)) - { - printk("%s: ERROR in buf size.\n", __func__); + printkd("%s: Wrong policy type in boot policy!\n", __func__); goto error_free; } diff -r f5dafee503ba -r cc1d77bba4b0 xen/common/acm_ops.c --- a/xen/common/acm_ops.c Sat Nov 19 09:29:28 2005 +++ b/xen/common/acm_ops.c Sat Nov 19 09:35:38 2005 @@ -29,7 +29,7 @@ #include <public/sched_ctl.h> #include <acm/acm_hooks.h> -#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY) +#ifndef ACM_SECURITY long do_acm_op(struct acm_op * u_acm_op) { diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/acm/acm_core.h --- a/xen/include/acm/acm_core.h Sat Nov 19 09:29:28 2005 +++ b/xen/include/acm/acm_core.h Sat Nov 19 09:35:38 2005 
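Review bot: In the ACM_POLICY_UNDEFINED branch of acm_set_policy the policy type is made permanent (`acm_active_security_policy = ...`, "cannot be changed") before the buffer's declared codes are compared against it, and the packing `(ntohl(secondary) << 4) | ntohl(primary)` does not range-check either 32-bit field, so bits of the primary code above bit 3 spill into the secondary nibble: a buffer declaring primary 0x20 / secondary 0 is initialised and locked in as NULL/STE, and only then rejected by the comparison that follows, leaving the hypervisor fixed to a type the file never declared. Reject out-of-range codes before packing, e.g. `if ((ntohl(pol->primary_policy_code) > 0x0f) || (ntohl(pol->secondary_policy_code) > 0x0f)) goto error_free;`, or defer the assignment to acm_active_security_policy until the buffer is fully accepted. Separately, the new "Wrong policy type in boot policy!" path uses `printkd`, which only prints in debug builds, while the magic/version/size path uses `printk`; a rejected boot policy should be reported unconditionally, so use `printk` here too. This assumes the earlier sanity step (outside the hunk) already verified `buf_size >= sizeof(*pol)` before `pol->len` is read; the rest of acm_set_policy is also outside the hunk.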
@@ -28,9 +28,6 @@ struct acm_binary_policy { u16 primary_policy_code; u16 secondary_policy_code; - void *primary_binary_policy; - void *secondary_binary_policy; - }; struct chwall_binary_policy { @@ -53,6 +50,7 @@ }; /* global acm policy */ +extern u16 acm_active_security_policy; extern struct acm_binary_policy acm_bin_pol; extern struct chwall_binary_policy chwall_bin_pol; extern struct ste_binary_policy ste_bin_pol; @@ -120,6 +118,7 @@ /* protos */ int acm_init_domain_ssid(domid_t id, ssidref_t ssidref); void acm_free_domain_ssid(struct acm_ssid_domain *ssid); +int acm_init_binary_policy(u32 policy_code); int acm_set_policy(void *buf, u32 buf_size, int isuserbuffer); int acm_get_policy(void *buf, u32 buf_size); int acm_dump_statistics(void *buf, u16 buf_size); diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/acm/acm_hooks.h --- a/xen/include/acm/acm_hooks.h Sat Nov 19 09:29:28 2005 +++ b/xen/include/acm/acm_hooks.h Sat Nov 19 09:35:38 2005 @@ -127,7 +127,7 @@ # define traceprintk(fmt, args...) #endif -#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY) +#ifndef ACM_SECURITY static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) { return 0; } diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/public/acm.h --- a/xen/include/public/acm.h Sat Nov 19 09:29:28 2005 +++ b/xen/include/public/acm.h Sat Nov 19 09:35:38 2005 @@ -60,6 +60,7 @@ #define ACM_NULL_POLICY 0 #define ACM_CHINESE_WALL_POLICY 1 #define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2 +#define ACM_POLICY_UNDEFINED 15 /* combinations have secondary policy component in higher 4bit */ #define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \ _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
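Review bot: `#define ACM_POLICY_UNDEFINED 15` is added to the public list of policy codes with no indication that it is a sentinel for acm_active_security_policy rather than a selectable policy, and because codes are packed into 4-bit fields (as the next comment in the header says) 15 is the last value in that space and must never be accepted by the primary or secondary switches in acm_init_binary_policy. A policy author reading public/acm.h could otherwise take it for a valid code. Suggested: `#define ACM_POLICY_UNDEFINED 15 /* sentinel only: policy type not yet fixed at boot; never a valid primary/secondary code */`.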