[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] Enable the Xen hypervisor ACM security policy to be determined at boot



# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID cc1d77bba4b05aebdd9bf9a158dc48d02cc266fc
# Parent  f5dafee503ba35c2135ca464cbb389756a92a2e7
Enable the Xen hypervisor ACM security policy to be determined at boot
time (instead of at compile time). Allows a single xen.gz binary to
run under different security policy types, which simplifies
distributions considerably. To this end, we replace the current single
compile switch in Config.mk with the following two:

1. ACM_SECURITY (y/n) if "n", then the ACM is not compiled and no security 
policies can be configured at boot time. If "y", then the ACM is compiled 
and can be configured into any of the available policy types (null, 
chwall, ste, chwall_ste) by specifying a valid boot policy .bin file in 
the grub boot configuration.

2. ACM_DEFAULT_SECURITY_POLICY (null / chwall / ste / chwall_ste) 
specifies the policy into which Xen defaults in the case that security is 
enabled but no boot policy file is specified, or the specified policy file 
is invalid (wrong version, magic, corrupted, ...)

While the type of the enabled policy (null, ste, ...) is decided once 
during boot for the whole boot cycle, the policy instantiation can be 
changed during operation as usual with the security tools.

Signed-off by: Tomas Lendacky <toml@xxxxxxxxxx>
Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>

diff -r f5dafee503ba -r cc1d77bba4b0 Config.mk
--- a/Config.mk Sat Nov 19 09:29:28 2005
+++ b/Config.mk Sat Nov 19 09:35:38 2005
@@ -44,13 +44,21 @@
 # Choose the best mirror to download linux kernel
 KERNEL_REPO = http://www.kernel.org
 
-# ACM_USE_SECURITY_POLICY is set to security policy of Xen
+# If ACM_SECURITY = y, then the access control module is compiled
+# into Xen and the policy type can be set by the boot policy file
+#        y - Build the Xen ACM framework
+#        n - Do not build the Xen ACM framework
+ACM_SECURITY ?= n
+
+# If ACM_SECURITY = y and no boot policy file is installed,
+# then the ACM defaults to the security policy set by
+# ACM_DEFAULT_SECURITY_POLICY
 # Supported models are:
-#      ACM_NULL_POLICY (ACM will not be built with this policy)
+#      ACM_NULL_POLICY
 #      ACM_CHINESE_WALL_POLICY
 #      ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
 #      ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY
 
 # Optional components
 XENSTAT_XENTOP ?= y
diff -r f5dafee503ba -r cc1d77bba4b0 tools/security/Makefile
--- a/tools/security/Makefile   Sat Nov 19 09:29:28 2005
+++ b/tools/security/Makefile   Sat Nov 19 09:35:38 2005
@@ -12,21 +12,21 @@
 XML2VERSION = $(shell xml2-config --version )
 VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else 
echo "-DVALIDATE_SCHEMA"; fi; )
 
-ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY)
 POLICY=null
 endif
-ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
+ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
 POLICY=chwall
 endif
-ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
 POLICY=ste
 endif
-ifeq 
($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+ifeq 
($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
 POLICY=chwall_ste
 endif
 POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
 
-ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY)
+ifeq ($(ACM_SECURITY),y)
 all: build
 
 install:all
@@ -55,7 +55,7 @@
        $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ 
$<
 
 clean:
-       rm -rf secpol_tool secpol_xml2bin xen
+       rm -rf secpol_tool secpol_xml2bin xen get_decision
 
 policy_clean:
        rm -rf policies/*/*.bin policies/*/*.map
diff -r f5dafee503ba -r cc1d77bba4b0 tools/security/install.txt
--- a/tools/security/install.txt        Sat Nov 19 09:29:28 2005
+++ b/tools/security/install.txt        Sat Nov 19 09:35:38 2005
@@ -24,11 +24,13 @@
        # cd "xen_root"
        # edit/xemacs/vi Config.mk
 
-       change the line:
-       ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+       change the lines:
+       ACM_SECURITY ?= n
+       ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY
 
        to:
-       ACM_USE_SECURITY_POLICY ?= 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+       ACM_SECURITY ?= y
+       ACM_DEFAULT_SECURITY_POLICY ?= 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
 
        # make all
        # ./install.sh
diff -r f5dafee503ba -r cc1d77bba4b0 xen/Makefile
--- a/xen/Makefile      Sat Nov 19 09:29:28 2005
+++ b/xen/Makefile      Sat Nov 19 09:35:38 2005
@@ -57,7 +57,7 @@
        $(MAKE) include/asm-$(TARGET_ARCH)/asm-offsets.h
        $(MAKE) -C common
        $(MAKE) -C drivers
-ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+ifeq ($(ACM_SECURITY),y)
        $(MAKE) -C acm
 endif
        $(MAKE) -C arch/$(TARGET_ARCH)
@@ -79,8 +79,8 @@
          echo " *"; \
          echo " */"; \
          echo ""; \
-         echo "#ifndef ACM_USE_SECURITY_POLICY"; \
-         echo "#define ACM_USE_SECURITY_POLICY $(ACM_USE_SECURITY_POLICY)"; \
+         echo "#ifndef ACM_DEFAULT_SECURITY_POLICY"; \
+         echo "#define ACM_DEFAULT_SECURITY_POLICY 
$(ACM_DEFAULT_SECURITY_POLICY)"; \
          echo "#endif") >$@
 
 # compile.h contains dynamic build info. Rebuilt on every 'make' invocation.
diff -r f5dafee503ba -r cc1d77bba4b0 xen/Rules.mk
--- a/xen/Rules.mk      Sat Nov 19 09:29:28 2005
+++ b/xen/Rules.mk      Sat Nov 19 09:35:38 2005
@@ -37,8 +37,9 @@
 ALL_OBJS := $(BASEDIR)/common/common.o
 ALL_OBJS += $(BASEDIR)/drivers/char/driver.o
 ALL_OBJS += $(BASEDIR)/drivers/acpi/driver.o
-ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+ifeq ($(ACM_SECURITY),y)
 ALL_OBJS += $(BASEDIR)/acm/acm.o
+CFLAGS += -DACM_SECURITY
 endif
 ALL_OBJS += $(BASEDIR)/arch/$(TARGET_ARCH)/arch.o
 
diff -r f5dafee503ba -r cc1d77bba4b0 xen/acm/acm_core.c
--- a/xen/acm/acm_core.c        Sat Nov 19 09:29:28 2005
+++ b/xen/acm/acm_core.c        Sat Nov 19 09:35:38 2005
@@ -49,6 +49,9 @@
 extern struct acm_operations acm_chinesewall_ops, 
     acm_simple_type_enforcement_ops, acm_null_ops;
 
+/* global ACM policy  (now dynamically determined at boot time) */
+u16 acm_active_security_policy = ACM_POLICY_UNDEFINED;
+
 /* global ops structs called by the hooks */
 struct acm_operations *acm_primary_ops = NULL;
 /* called in hook if-and-only-if primary succeeds */
@@ -61,7 +64,8 @@
 
 /* until we have endian support in Xen, we discover it at runtime */
 u8 little_endian = 1;
-void acm_set_endian(void)
+void
+acm_set_endian(void)
 {
     u32 test = 1;
     if (*((u8 *)&test) == 1)
@@ -76,14 +80,82 @@
     }
 }
 
-/* initialize global security policy for Xen; policy write-locked already */
-static void
-acm_init_binary_policy(void *primary, void *secondary)
-{
-    acm_bin_pol.primary_policy_code = 0;
-    acm_bin_pol.secondary_policy_code = 0;
-    acm_bin_pol.primary_binary_policy = primary;
-    acm_bin_pol.secondary_binary_policy = secondary;
+int
+acm_init_binary_policy(u32 policy_code)
+{
+    int ret = ACM_OK;
+
+    acm_bin_pol.primary_policy_code = (policy_code & 0x0f);
+    acm_bin_pol.secondary_policy_code = (policy_code >> 4) & 0x0f;
+
+    write_lock(&acm_bin_pol_rwlock);
+
+    /* set primary policy component */
+    switch ((policy_code) & 0x0f)
+    {
+
+    case ACM_CHINESE_WALL_POLICY:
+        acm_init_chwall_policy();
+        acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY;
+        acm_primary_ops = &acm_chinesewall_ops;
+        break;
+
+    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
+        acm_init_ste_policy();
+        acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
+        acm_primary_ops = &acm_simple_type_enforcement_ops;
+        break;
+
+    case ACM_NULL_POLICY:
+        acm_bin_pol.primary_policy_code = ACM_NULL_POLICY;
+        acm_primary_ops = &acm_null_ops;
+        break;
+
+    default:
+        /* Unknown policy not allowed primary */
+        ret = -EINVAL;
+        goto out;
+    }
+
+    /* secondary policy component part */
+    switch ((policy_code) >> 4)
+    {
+
+    case ACM_NULL_POLICY:
+        acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY;
+        acm_secondary_ops = &acm_null_ops;
+        break;
+
+    case ACM_CHINESE_WALL_POLICY:
+        if (acm_bin_pol.primary_policy_code == ACM_CHINESE_WALL_POLICY)
+        {   /* not a valid combination */
+            ret = -EINVAL;
+            goto out;
+        }
+        acm_init_chwall_policy();
+        acm_bin_pol.secondary_policy_code = ACM_CHINESE_WALL_POLICY;
+        acm_secondary_ops = &acm_chinesewall_ops;
+        break;
+
+    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
+        if (acm_bin_pol.primary_policy_code == 
ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+        {   /* not a valid combination */
+            ret = -EINVAL;
+            goto out;
+        }
+        acm_init_ste_policy();
+        acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
+        acm_secondary_ops = &acm_simple_type_enforcement_ops;
+        break;
+
+    default:
+        ret = -EINVAL;
+        goto out;
+    }
+
+ out:
+    write_unlock(&acm_bin_pol_rwlock);
+    return ret;
 }
 
 static int
@@ -161,83 +233,35 @@
     int ret = ACM_OK;
 
     acm_set_endian();
-    write_lock(&acm_bin_pol_rwlock);
-    acm_init_binary_policy(NULL, NULL);
-
-    /* set primary policy component */
-    switch ((ACM_USE_SECURITY_POLICY) & 0x0f)
-    {
-
-    case ACM_CHINESE_WALL_POLICY:
-        acm_init_chwall_policy();
-        acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY;
-        acm_primary_ops = &acm_chinesewall_ops;
-        break;
-
-    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
-        acm_init_ste_policy();
-        acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
-        acm_primary_ops = &acm_simple_type_enforcement_ops;
-        break;
-
-    default:
-        /* NULL or Unknown policy not allowed primary;
-         * NULL/NULL will not compile this code */
+
+    /* first try to load the boot policy (uses its own locks) */
+    acm_setup(initrdidx, mbi, initial_images_start);
+
+    if (acm_active_security_policy != ACM_POLICY_UNDEFINED)
+    {
+        printk("%s: Boot-Policy. Enforcing %s: Primary %s, Secondary %s.\n", 
__func__,
+               ACM_POLICY_NAME(acm_active_security_policy),
+               ACM_POLICY_NAME(acm_bin_pol.primary_policy_code),
+               ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code));
+        goto out;
+    }
+    /* else continue with the minimal hardcoded default startup policy */
+    printk("%s: Loading default policy (%s).\n",
+           __func__, ACM_POLICY_NAME(ACM_DEFAULT_SECURITY_POLICY));
+
+    if (acm_init_binary_policy(ACM_DEFAULT_SECURITY_POLICY)) {
         ret = -EINVAL;
         goto out;
     }
-
-    /* secondary policy component part */
-    switch ((ACM_USE_SECURITY_POLICY) >> 4) {
-    case ACM_NULL_POLICY:
-        acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY;
-        acm_secondary_ops = &acm_null_ops;
-        break;
-
-    case ACM_CHINESE_WALL_POLICY:
-        if (acm_bin_pol.primary_policy_code == ACM_CHINESE_WALL_POLICY)
-        {   /* not a valid combination */
-            ret = -EINVAL;
-            goto out;
-        }
-        acm_init_chwall_policy();
-        acm_bin_pol.secondary_policy_code = ACM_CHINESE_WALL_POLICY;
-        acm_secondary_ops = &acm_chinesewall_ops;
-        break;
-
-    case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
-        if (acm_bin_pol.primary_policy_code == 
ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
-        {   /* not a valid combination */
-            ret = -EINVAL;
-            goto out;
-        }
-        acm_init_ste_policy();
-        acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
-        acm_secondary_ops = &acm_simple_type_enforcement_ops;
-        break;
-
-    default:
-        ret = -EINVAL;
-        goto out;
-    }
+    acm_active_security_policy = ACM_DEFAULT_SECURITY_POLICY;
 
  out:
-    write_unlock(&acm_bin_pol_rwlock);
-
     if (ret != ACM_OK)
     {
         printk("%s: Error initializing policies.\n", __func__);
         /* here one could imagine a clean panic */
         return -EINVAL;
     }
-    if (acm_setup(initrdidx, mbi, initial_images_start) != ACM_OK)
-    {
-        printk("%s: Error loading policy at boot time.\n", __func__);
-        /* ignore, just continue with the minimal hardcoded startup policy */
-    }
-    printk("%s: Enforcing Primary %s, Secondary %s.\n", __func__, 
-           ACM_POLICY_NAME(acm_bin_pol.primary_policy_code),
-           ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code));
     return ret;
 }
 
@@ -265,7 +289,7 @@
     ssid->primary_ssid   = NULL;
     ssid->secondary_ssid = NULL;
 
-    if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
+    if (acm_active_security_policy != ACM_NULL_POLICY)
         ssid->ssidref = ssidref;
     else
         ssid->ssidref = ACM_DEFAULT_SSID;
diff -r f5dafee503ba -r cc1d77bba4b0 xen/acm/acm_policy.c
--- a/xen/acm/acm_policy.c      Sat Nov 19 09:29:28 2005
+++ b/xen/acm/acm_policy.c      Sat Nov 19 09:35:38 2005
@@ -56,17 +56,29 @@
     /* 2. some sanity checking */
     pol = (struct acm_policy_buffer *)policy_buffer;
 
-    if ((ntohl(pol->magic) != ACM_MAGIC) || 
-        (ntohl(pol->policy_version) != ACM_POLICY_VERSION) ||
-        (ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) ||
+    if ((ntohl(pol->magic) != ACM_MAGIC) ||
+        (buf_size != ntohl(pol->len)) ||
+        (ntohl(pol->policy_version) != ACM_POLICY_VERSION))
+    {
+        printk("%s: ERROR in Magic, Version, or buf size.\n", __func__);
+        goto error_free;
+    }
+
+    if (acm_active_security_policy == ACM_POLICY_UNDEFINED) {
+        /* setup the policy with the boot policy */
+        if (acm_init_binary_policy((ntohl(pol->secondary_policy_code) << 4) |
+                                   ntohl(pol->primary_policy_code))) {
+            goto error_free;
+        }
+        acm_active_security_policy =
+            (acm_bin_pol.secondary_policy_code << 4) | 
acm_bin_pol.primary_policy_code;
+    }
+
+    /* once acm_active_security_policy is set, it cannot be changed */
+    if ((ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) ||
         (ntohl(pol->secondary_policy_code) != 
acm_bin_pol.secondary_policy_code))
     {
-        printkd("%s: Wrong policy magics or versions!\n", __func__);
-        goto error_free;
-    }
-    if (buf_size != ntohl(pol->len))
-    {
-        printk("%s: ERROR in buf size.\n", __func__);
+        printkd("%s: Wrong policy type in boot policy!\n", __func__);
         goto error_free;
     }
 
diff -r f5dafee503ba -r cc1d77bba4b0 xen/common/acm_ops.c
--- a/xen/common/acm_ops.c      Sat Nov 19 09:29:28 2005
+++ b/xen/common/acm_ops.c      Sat Nov 19 09:35:38 2005
@@ -29,7 +29,7 @@
 #include <public/sched_ctl.h>
 #include <acm/acm_hooks.h>
 
-#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
+#ifndef ACM_SECURITY
 
 long do_acm_op(struct acm_op * u_acm_op)
 {
diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/acm/acm_core.h
--- a/xen/include/acm/acm_core.h        Sat Nov 19 09:29:28 2005
+++ b/xen/include/acm/acm_core.h        Sat Nov 19 09:35:38 2005
@@ -28,9 +28,6 @@
 struct acm_binary_policy {
     u16 primary_policy_code;
     u16 secondary_policy_code;
-    void *primary_binary_policy;                                 
-    void *secondary_binary_policy;
- 
 };
 
 struct chwall_binary_policy {
@@ -53,6 +50,7 @@
 };
 
 /* global acm policy */
+extern u16 acm_active_security_policy;
 extern struct acm_binary_policy acm_bin_pol;
 extern struct chwall_binary_policy chwall_bin_pol;
 extern struct ste_binary_policy ste_bin_pol;
@@ -120,6 +118,7 @@
 /* protos */
 int acm_init_domain_ssid(domid_t id, ssidref_t ssidref);
 void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
+int acm_init_binary_policy(u32 policy_code);
 int acm_set_policy(void *buf, u32 buf_size, int isuserbuffer);
 int acm_get_policy(void *buf, u32 buf_size);
 int acm_dump_statistics(void *buf, u16 buf_size);
diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/acm/acm_hooks.h
--- a/xen/include/acm/acm_hooks.h       Sat Nov 19 09:29:28 2005
+++ b/xen/include/acm/acm_hooks.h       Sat Nov 19 09:35:38 2005
@@ -127,7 +127,7 @@
 # define traceprintk(fmt, args...)
 #endif
 
-#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
+#ifndef ACM_SECURITY
 
 static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
 { return 0; }
diff -r f5dafee503ba -r cc1d77bba4b0 xen/include/public/acm.h
--- a/xen/include/public/acm.h  Sat Nov 19 09:29:28 2005
+++ b/xen/include/public/acm.h  Sat Nov 19 09:35:38 2005
@@ -60,6 +60,7 @@
 #define ACM_NULL_POLICY 0
 #define ACM_CHINESE_WALL_POLICY 1
 #define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
+#define ACM_POLICY_UNDEFINED 15
 
 /* combinations have secondary policy component in higher 4bit */
 #define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.