
Xen XSM/FLASK policy, grub defaults, etc.



The Xen tools build system builds a FLASK policy by default.  It does
this even if the hypervisor build for XSM is disabled.

I recently sent patches upstream to grub to support XSM in
update-grub.  update-grub is the program which examines your /boot and
generates appropriate bootloader entries.  My merge request
  https://salsa.debian.org/grub-team/grub/-/merge_requests/18
finds XSM policy files, and when they are found, generates "XSM
enabled" bootloader entries. [1]

The result of these two things together is that a default build of
grub will result in these "XSM enabled" bootloader entries.  In
practice I think these entries will boot because everything ignores
the additional XSM policy file (!) and Xen ignores the
"flask=enforcing" option (!!)

This is not particularly good.  Offering people an "XSM enabled"
option which does nothing is poor because they might think they have the
extra security but actually significantly more steps are needed.  But
there doesn't appear to be any way for update-grub to tell whether a
particular hypervisor does support XSM or not.

I think the following changes would be good:

1. Xen should reject "flask=enforcing" if it is built without FLASK
support, rather than ignoring it.  This will ensure users are not
misled by these boot options since they will be broken.

2. Xen should disable the XSM policy build when FLASK is disabled.
This is unfortunately not so simple because the XSM policy build is a
tools option and FLASK is a Xen option and the configuration systems
are disjoint.  But at the very least a default build, which has no XSM
support, should not build an XSM policy file either.

3. Failing that, Xen should provide some other mechanism which would
enable something like update-grub to determine whether a particular
hypervisor can sensibly be run with a policy file and flask=enforcing.

Opinions?

Thanks,
Ian.

[1] osstest has been doing this approximately forever.  Due to
accidents of boot config ordering, these entries have not been used by
default.
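To make the interaction described above concrete, here is an added example (not the grub merge request's code, and not osstest's) of how an update-grub-style generator pairs every Xen hypervisor image found in a boot directory with every FLASK policy file found there. The file name patterns (xen-*.gz, xenpolicy-*, vmlinuz-*) and the scratch directory contents are assumptions constructed for the example; the point it shows is that the mere presence of a policy file is what produces the "XSM enabled" entries, with no check that the hypervisor was built with XSM.

```shell
#!/bin/sh
# Added example: sketch of update-grub-style entry generation for Xen.
# Not the grub-team merge request's code; file name patterns are assumptions.
set -e

# Construct a scratch "/boot" (constructed sample, not a real system) so the
# script runs offline. A default Xen tools build ships a policy file even
# when the hypervisor itself has no XSM support, which this models.
BOOTDIR=$(mktemp -d)
: > "$BOOTDIR/xen-4.17-amd64.gz"
: > "$BOOTDIR/xenpolicy-4.17"
: > "$BOOTDIR/vmlinuz-6.1.0-amd64"

# A second scratch boot directory with the same hypervisor and kernel but no
# policy file, to show that the policy file alone drives the XSM entries.
BOOTDIR_NOPOLICY=$(mktemp -d)
: > "$BOOTDIR_NOPOLICY/xen-4.17-amd64.gz"
: > "$BOOTDIR_NOPOLICY/vmlinuz-6.1.0-amd64"

# Print one line per generated boot entry:
#   "<hypervisor> <kernel>"                              plain entry
#   "<hypervisor> <kernel> <policy> flask=enforcing"     "XSM enabled" entry
# Unmatched globs expand to themselves, hence the [ -e ] guards.
list_xen_entries() {
    bootdir=$1
    for hyp in "$bootdir"/xen-*.gz; do
        [ -e "$hyp" ] || continue
        for kern in "$bootdir"/vmlinuz-*; do
            [ -e "$kern" ] || continue
            printf '%s %s\n' "${hyp##*/}" "${kern##*/}"
            # Every policy file yields an extra entry, regardless of whether
            # the hypervisor was built with FLASK: the problem the post raises.
            for pol in "$bootdir"/xenpolicy-*; do
                [ -e "$pol" ] || continue
                printf '%s %s %s flask=enforcing\n' \
                    "${hyp##*/}" "${kern##*/}" "${pol##*/}"
            done
        done
    done
}

# Total number of entries a given boot directory would produce.
count_entries() {
    list_xen_entries "$1" | wc -l | tr -d ' '
}

# Number of "XSM enabled" entries (grep -c prints 0 and exits 1 on no match).
count_xsm_entries() {
    list_xen_entries "$1" | grep -c 'flask=enforcing' || true
}

list_xen_entries "$BOOTDIR"
```

Running it prints two entries for the first directory, one plain and one "XSM enabled", and only the plain entry for the second; nothing in the generator can tell whether the xen-4.17-amd64.gz image would honour flask=enforcing or silently ignore it, which is exactly the gap proposals 1 to 3 above are about.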