[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 1/2] xen/xsm: Introduce new boot parameter xsm
Introduce new boot parameter xsm to choose which xsm module is enabled, and set default to dummy. Signed-off-by: Xin Li <xin.li@xxxxxxxxxx> --- CC: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> CC: Tim Deegan <tim@xxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> CC: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CC: Ming Lu <ming.lu@xxxxxxxxxx> v4: 1. change the default XSM boot parameter name from "default" to "dummy". 2. Kconfig, remove XSM_FLASK from EXPERT. 3. Kconfig, add new choice to select the default XSM module. --- docs/misc/xen-command-line.markdown | 13 ++++++++ xen/common/Kconfig | 13 +++++++- xen/xsm/xsm_core.c | 46 ++++++++++++++++++++++++++++- 3 files changed, 70 insertions(+), 2 deletions(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 1ffd586224..cf9924f53f 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -899,6 +899,19 @@ hardware domain is architecture dependent. Note that specifying zero as domU value means zero, while for dom0 it means to use the default. +### xsm +> `= dummy | flask` + +> Default: `dummy` + +Specify which XSM module should be enabled. This option is only available if +the hypervisor was compiled with XSM support. + +* `dummy`: this is the default choice. Basic restriction for common deployment + (the dummy module) will be applied. it's also used when XSM is compiled out. +* `flask`: this is the policy based access control. To choose this, the + separated option in kconfig must also be enabled. + ### flask > `= permissive | enforcing | late | disabled` diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 1a6d6281c1..f802efb625 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -116,7 +116,7 @@ config XSM config XSM_FLASK def_bool y - prompt "FLux Advanced Security Kernel support" if EXPERT = "y" + prompt "FLux Advanced Security Kernel support" depends on XSM ---help--- Enables FLASK (FLux Advanced Security Kernel) as the access control @@ -154,6 +154,17 @@ config XSM_FLASK_POLICY If unsure, say Y. +choice + prompt "Default XSM implementation" + depends on XSM + default XSM_FLASK_DEFAULT if XSM_FLASK + default XSM_DUMMY_DEFAULT + config XSM_DUMMY_DEFAULT + bool "Match non-XSM behavior" + config XSM_FLASK_DEFAULT + bool "FLux Advanced Security Kernel" if XSM_FLASK +endchoice + config LATE_HWDOM bool "Dedicated hardware domain" default n diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 9645e244c3..df284ec463 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -31,6 +31,37 @@ struct xsm_operations *xsm_ops; +enum xsm_bootparam { + XSM_BOOTPARAM_DUMMY, + XSM_BOOTPARAM_FLASK, +}; + +static enum xsm_bootparam __initdata xsm_bootparam = +#ifdef CONFIG_XSM_FLASK_DEFAULT + XSM_BOOTPARAM_FLASK; +#else + XSM_BOOTPARAM_DUMMY; +#endif + +static int __init parse_xsm_param(const char *s) +{ + int rc = 0; + + if ( !strcmp(s, "dummy") ) + xsm_bootparam = XSM_BOOTPARAM_DUMMY; +#ifdef CONFIG_XSM_FLASK + else if ( !strcmp(s, "flask") ) + xsm_bootparam = XSM_BOOTPARAM_FLASK; +#endif + else { + printk("XSM: can't parse boot parameter xsm=%s\n", s); + rc = -EINVAL; + } + + return rc; +} +custom_param("xsm", parse_xsm_param); + static inline int verify(struct xsm_operations *ops) { /* verify the security_operations structure exists */ @@ -57,7 +88,20 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size) } xsm_ops = &dummy_xsm_ops; - flask_init(policy_buffer, policy_size); + + switch ( xsm_bootparam ) + { + case XSM_BOOTPARAM_DUMMY: + break; + + case XSM_BOOTPARAM_FLASK: + flask_init(policy_buffer, policy_size); + break; + + default: + printk("XSM: Invalid value for xsm= boot parameter\n"); + break; + } return 0; } -- 2.18.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |