
[Xen-changelog] [xen master] Revert "convert XSM_ENABLE to Kconfig"



commit a307566bb563f1f25c1c262d45a4150490c8a01e
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Jan 8 17:34:53 2016 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Jan 8 17:34:53 2016 +0100

    Revert "convert XSM_ENABLE to Kconfig"
    
    This reverts commit 2b2ab5d88b2d2ab0155101a0a6922025064061af,
    as osstest needs to be ready first.
---
 Config.mk                    |    3 +++
 INSTALL                      |    8 ++++++--
 docs/misc/xsm-flask.txt      |    6 +++---
 xen/Rules.mk                 |    1 +
 xen/common/Kconfig           |   39 ++-------------------------------------
 xen/include/asm-x86/config.h |    4 ++++
 xen/include/xen/sched.h      |    2 +-
 xen/include/xsm/dummy.h      |   10 +++++-----
 xen/include/xsm/xsm.h        |    6 +++---
 xen/xsm/Makefile             |    6 ++++--
 10 files changed, 32 insertions(+), 53 deletions(-)

diff --git a/Config.mk b/Config.mk
index 62f8209..1315918 100644
--- a/Config.mk
+++ b/Config.mk
@@ -212,6 +212,9 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
 
+# Enable XSM security module (by default, Flask).
+XSM_ENABLE ?= n
+
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
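Review bot: The comment on the restored line `# Enable XSM security module (by default, Flask).` no longer describes how Flask is selected: in this same commit the Flask module is governed by CONFIG_FLASK from Kconfig (default n in the xen/common/Kconfig hunk, and `subdir-$(CONFIG_FLASK) += flask` in the xen/xsm/Makefile hunk), so XSM_ENABLE=y on its own appears to build only xsm_core, xsm_policy and the dummy module. Suggest `# Enable the XSM security framework; the Flask module is selected separately via CONFIG_FLASK ('make -C xen menuconfig').` so readers of Config.mk are not led to expect Flask from this variable alone.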
diff --git a/INSTALL b/INSTALL
index 3d2e86a..c51447b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -275,10 +275,14 @@ Building the python tools may fail unless certain options 
are passed to
 setup.py. Config.mk contains additional info how to use this variable.
 PYTHON_PREFIX_ARG=
 
-he hypervisor may be build with XSM/Flask support, which can be changed
+The hypervisor may be build with XSM support, which can be changed with
+the following variables.
+XSM_ENABLE=y
+
+The hypervisor may be build with Flask support, which can be changed
 by running:
 make -C xen menuconfig
-and enabling XSM/Flask in the 'Common Features' menu.
+and enabling Flask in the 'Common Features' menu.
 
 Do a build for coverage.
 coverage=y
diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index fb2fe9f..f2f0fd4 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -172,9 +172,9 @@ Setting up FLASK
 ----------------
 
 Xen must be compiled with XSM and FLASK enabled; by default, the security
-framework is disabled. Running 'make -C xen menuconfig' and enabling XSM
-and FLASK inside 'Common Features'; this change requires a make clean and
-rebuild.
+framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to
+"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common
+Features'; this change requires a make clean and rebuild.
 
 FLASK uses only one domain configuration parameter (seclabel) defining the
 full security label of the newly created domain. If using the example policy,
diff --git a/xen/Rules.mk b/xen/Rules.mk
index 8bd1098..9e4e6ff 100644
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -52,6 +52,7 @@ CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
 CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
 CFLAGS += '-D__OBJECT_FILE__="$@"'
 
+CFLAGS-$(XSM_ENABLE)    += -DXSM_ENABLE
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG
 CFLAGS-$(perfc)         += -DPERF_COUNTERS
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index eadfc3b..6373b7f 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -10,9 +10,8 @@ config COMPAT
 
 config FLASK
        bool "FLux Advanced Security Kernel support"
-       default y
-       depends on XSM
-       ---help---
+       default n
+       --help---
          Enables the FLASK (FLux Advanced Security Kernel) support which
          provides a mandatory access control framework by which security
          enforcement, isolation, and auditing can be achieved with fine
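Review bot: The restored line `--help---` has two leading dashes, while the keyword used by the entries this commit removes in the next hunk (LATE_HWDOM and XSM) is `---help---`; if the Kconfig lexer does not accept the two-dash spelling, the FLASK help block would be mis-parsed, so it should read `---help---`. The hunk also drops `depends on XSM`, which follows from XSM moving out of Kconfig, but it means nothing in Kconfig now rules out CONFIG_FLASK=y together with XSM_ENABLE=n; the xen/xsm/Makefile hunk is where that combination becomes visible. The FLASK entry continues past the end of this hunk.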
@@ -63,38 +62,4 @@ config KEXEC
 
          If unsure, say Y.
 
-# Allows "late" initialization of the hardware domain
-config LATE_HWDOM
-       bool "dedicated hardware domain"
-       default n
-       depends on XSM && X86
-       ---help---
-         Allows the creation of a dedicated hardware domain distinct from
-         domain 0 that manages devices without needing access to other
-         privileged functionality such as the ability to manage domains.
-         This requires that the actual domain 0 be a stub domain that
-         constructs the actual hardware domain instead of initializing the
-         hardware itself.  Because the hardware domain needs access to
-         hypercalls not available to unprivileged guests, an XSM policy
-         is required to properly define the privilege of these domains.
-
-         This feature does nothing if the "hardware_dom" boot parameter is
-         not present.  If this feature is being used for security, it should
-         be combined with an IOMMU in strict mode.
-
-         If unsure, say N.
-
-# Enable/Disable XSM support
-config XSM
-       bool "Xen Security Modules support"
-       default n
-       ---help---
-         Enables the security framework known as Xen Security Modules which
-         allows administrators fine-grained control over a Xen domain and
-         its capabilities by defining permissible interactions between domains,
-         the hypervisor itself, and related resources such as memory and
-         devices.
-
-         If unsure, say N.
-
 endmenu
diff --git a/xen/include/asm-x86/config.h b/xen/include/asm-x86/config.h
index 3305a75..f25d92e 100644
--- a/xen/include/asm-x86/config.h
+++ b/xen/include/asm-x86/config.h
@@ -52,6 +52,10 @@
 
 #define CONFIG_MULTIBOOT 1
 
+#ifdef XSM_ENABLE
+#define CONFIG_LATE_HWDOM 1
+#endif
+
 #define HZ 100
 
 #define OPT_CONSOLE_STR "vga"
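Review bot: The restored block `#ifdef XSM_ENABLE` / `#define CONFIG_LATE_HWDOM 1` / `#endif` carries no explanation of why the late hardware domain feature is tied to XSM, and it replaces a Kconfig option that was user-selectable and default n with one that is always defined for x86 builds with XSM_ENABLE=y. The rationale is in the LATE_HWDOM help text this commit removes from xen/common/Kconfig (the hardware domain needs hypercalls unavailable to unprivileged guests, so an XSM policy must define its privilege); suggest carrying it over as `/* A dedicated hardware domain needs an XSM policy to define its privilege, so it is only built with XSM. */` above the `#ifdef`.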
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index e1428f7..6ea3cc7 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -110,7 +110,7 @@ struct evtchn
     u8 priority;
     u8 last_priority;
     u16 last_vcpu_id;
-#ifdef CONFIG_XSM
+#ifdef XSM_ENABLE
     union {
 #ifdef XSM_NEED_GENERIC_EVTCHN_SSID
         /*
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 55b84f0..81fba40 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -27,9 +27,9 @@
 /* DO NOT implement this function; it is supposed to trigger link errors */
 void __xsm_action_mismatch_detected(void);
 
-#ifdef CONFIG_XSM
+#ifdef XSM_ENABLE
 
-/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and
+/* In XSM_ENABLE builds, this header file is included from xsm/dummy.c, and
  * contains static (not inline) functions compiled to the dummy XSM module.
  * There is no xsm_default_t argument available, so the value from the 
assertion
  * is used to initialize the variable.
@@ -39,9 +39,9 @@ void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID void
 #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
 
-#else /* CONFIG_XSM */
+#else /* XSM_ENABLE */
 
-/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and
+/* In !XSM_ENABLE builds, this header file is included from xsm/xsm.h, and
  * contains inline functions for each XSM hook. These functions also perform
  * compile-time checks on the xsm_default_t argument to ensure that the 
behavior
  * of the dummy XSM module is the same as the behavior with XSM disabled.
@@ -51,7 +51,7 @@ void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID xsm_default_t action
 #define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action)
 
-#endif /* CONFIG_XSM */
+#endif /* XSM_ENABLE */
 
 static always_inline int xsm_default_action(
     xsm_default_t action, struct domain *src, struct domain *target)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 2c365cd..3fc3824 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -194,7 +194,7 @@ struct xsm_operations {
 #endif
 };
 
-#ifdef CONFIG_XSM
+#ifdef XSM_ENABLE
 
 extern struct xsm_operations *xsm_ops;
 
@@ -752,7 +752,7 @@ extern int unregister_xsm(struct xsm_operations *ops);
 extern struct xsm_operations dummy_xsm_ops;
 extern void xsm_fixup_ops(struct xsm_operations *ops);
 
-#else /* CONFIG_XSM */
+#else /* XSM_ENABLE */
 
 #include <xsm/dummy.h>
 
@@ -772,6 +772,6 @@ static inline int xsm_dt_init(void)
 }
 #endif
 
-#endif /* CONFIG_XSM */
+#endif /* XSM_ENABLE */
 
 #endif /* __XSM_H */
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index 3252c46..d29e71c 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,5 +1,7 @@
 obj-y += xsm_core.o
-obj-$(CONFIG_XSM) += xsm_policy.o
-obj-$(CONFIG_XSM) += dummy.o
+ifeq ($(XSM_ENABLE),y)
+obj-y += xsm_policy.o
+obj-y += dummy.o
+endif
 
 subdir-$(CONFIG_FLASK) += flask
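Review bot: `subdir-$(CONFIG_FLASK) += flask` stays outside the new `ifeq ($(XSM_ENABLE),y)` block, so with CONFIG_FLASK=y and XSM_ENABLE=n the flask directory is still descended into while xsm_policy.o and dummy.o are not, and the xen/common/Kconfig hunk no longer has FLASK `depends on XSM` to exclude that combination. Unless the flask subdirectory's own Makefile guards on XSM_ENABLE (not visible here), moving the line inside the block, i.e. `subdir-$(CONFIG_FLASK) += flask` before the `endif`, would keep the two selection mechanisms consistent. The Config.mk hunk defaults XSM_ENABLE to n, so only an explicit CONFIG_FLASK=y is needed to reach the mismatch.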
--
generated by git-patchbot for /home/xen/git/xen.git#master
