
Re: Xen XSM/FLASK policy, grub defaults, etc.



On 27.05.2020 18:08, George Dunlap wrote:
>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>
>> The Xen tools build system builds a FLASK policy by default.  It does
>> this even if the hypervisor build for XSM is disabled.
>>
>> I recently sent patches upstream to grub to support XSM in
>> update-grub.  update-grub is the program which examines your /boot and
>> generates appropriate bootloader entries.  My merge request
>>  https://salsa.debian.org/grub-team/grub/-/merge_requests/18
>> finds XSM policy files, and when they are found, generates "XSM
>> enabled" bootloader entries. [1]
>>
>> The result of these two things together is that a default build of
>> grub will result in these "XSM enabled" bootloader entries.  In
>> practice I think these entries will boot because everything ignores
>> the additional XSM policy file (!) and Xen ignores the
>> "flask=enforcing" option (!!)
>>
>> This is not particularly good.  Offering people an "XSM enabled"
>> option which does nothing is poor because they might think they have the
>> extra security but actually significantly more steps are needed.  But
>> there doesn't appear to be any way for update-grub to tell whether a
>> particular hypervisor does support XSM or not.
>>
>> I think the following changes would be good:
>>
>> 1. Xen should reject "flask=enforcing" if it is built without FLASK
>> support, rather than ignoring it.  This will ensure users are not
>> misled by these boot options since they will be broken.
> 
> +1

Yeah, probably better indeed, despite the current behavior being
documented correctly. I'll make a patch.

Jan



 

