[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Xen XSM/FLASK policy, grub defaults, etc.

> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
> The Xen tools build system builds a FLASK policy by default.  It does
> this even if the hypervisor build for XSM is disabled.
> I recently sent patches upstream to grub to support XSM in
> update-grub.  update-grub is the program which examines your /boot and
> generates appropriate bootloader entries.  My merge request
>  https://salsa.debian.org/grub-team/grub/-/merge_requests/18
> finds XSM policy files, and when theya are found, generates "XSM
> enabled" bootloader entries. [1]
> The result of these two things together is that a default build of
> grub will result in these "XSM enabled" bootloader entries.  In
> practice I think these entries will boot because everything ignores
> the additional XSM policy file (!) and Xen ignores the
> "flask=enforcing" option (!!)
> This is not particularly good.  Offering people an "XSM enabled"
> option which does nothing is poor because it might think they have the
> extra security but actually significantly more steps are needed.  But
> there doesn't appear to be any way for update-grub to tell whether a
> particular hypervisor does support XSM or not.
> I think the following changes would be good:
> 1. Xen should reject "flask=enforcing" if it is built without FLASK
> support, rather than ignoring it.  This will ensure users are not
> misled by these boot options since they will be broken.


> 2. Xen should disable the XSM policy build when FLASK is disabled.
> This is unfortunately not so simple because the XSM policy build is a
> tools option and FLASK is a Xen option and the configuration systems
> are disjoint.  But at the very least a default build, which has no XSM
> support, should not build an XSM policy file either.

A simple thing to do here would be to have the flask policy controlled by a 
configure --flask option.  If neither --flask nor --no-flask is specified, we 
could maybe have configure also check the contents of xen/.config to see if 
CONFIG_XSM_FLASK is enabled?

> 3. Failing that, Xen should provide some other mechanism which would
> enable something like update-grub to determine whether a particular
> hypervisor can sensibly be run with a policy file and flask=enforcing.

So you want update-grub to check whether *the Xen binary it’s creating entries 
for* has FLASK enabled.  We generally include the Xen config used to build the 
hypervisor — could we have it check for CONFIG_XSM_FLASK?




Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.