
[RFC PATCH 00/10] xsm: introducing domain roles



During the hyperlaunch design sessions a request was made to come up with a
formal definition of the roles a domain was allowed to take on. In particular,
the primary focus was to answer what the control domain is and what the
hardware domain is. Another comment came up during the discussion on PCI pass
through and how it would work in a disaggregated platform, which was being
proposed as a primary use case for hyperlaunch. Based on these concerns, the
hyperlaunch team took a hard look at all the roles that were either
explicitly defined in code, loosely defined in code, or were more conceptual
or required a solution like Flask.

The result is that a set of seven explicitly assignable domain roles and three
implied domain roles were identified and defined. To provide for and enforce
these domain roles, it was identified that the core XSM system in fact existed
in a pseudo unsupported but supported existence. Whether XSM was turned on or
off did not turn the XSM hooks on or off; it only determined whether the base
"dummy policy module" was inlined for the XSM hooks or whether the hooks were
made available through the xsm_ops op dispatch structure.

This patch set starts with converting the existing security controls to using
the identified domain roles. It then moves to making the domain roles the core
enforcement mechanism for XSM and merging the split state of existence into an
equivalent of its supported form. With the conversion of XSM, the SILO policy
module is refactored to achieve its security goal as an extension of the domain
roles mechanism. The necessary adjustments are made to Flask and the Kconfig
system to support this work.
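As an added illustration, not code from this series or from Xen, a hypothetical C sketch of the shape described above: hooks that always exist, a "dummy" policy reached through an ops table (the inlined form would simply call it directly), and a domain's roles as a bitmask that the policy checks. The role names, the struct layouts, the hook signature and the sample domains are assumptions for the sketch only.

```c
#include <stdint.h>
#include <errno.h>

/* Hypothetical role bits; not Xen's actual role definitions. */
enum {
    ROLE_NONE     = 0,
    ROLE_CONTROL  = 1u << 0,   /* may manage other domains */
    ROLE_HARDWARE = 1u << 1,   /* owns physical devices */
    ROLE_XENSTORE = 1u << 2,   /* provides the xenstore service */
};

struct domain {
    unsigned int domid;
    uint32_t roles;            /* bitmask of roles assigned at creation */
};

/* A policy module is a dispatch table, the equivalent of xsm_ops. */
struct xsm_ops {
    /* Return 0 if 'src' may act on 'target' while holding 'required'. */
    int (*domain_action)(const struct domain *src,
                         const struct domain *target, uint32_t required);
};

/* The "dummy" module: grant if the caller holds every required role.
 * Acting on oneself needs no role (a self-access carve-out). */
static int dummy_domain_action(const struct domain *src,
                               const struct domain *target, uint32_t required)
{
    if (src == target)
        return 0;
    return (src->roles & required) == required ? 0 : -EPERM;
}

static const struct xsm_ops dummy_ops = { .domain_action = dummy_domain_action };

/* The active policy; a Flask-like module would swap this pointer. */
static const struct xsm_ops *xsm_ops = &dummy_ops;

/* The hook callers use; it always exists, only the policy behind it varies. */
int xsm_domain_action(const struct domain *src, const struct domain *target,
                      uint32_t required)
{
    return xsm_ops->domain_action(src, target, required);
}

/* Constructed sample domains: a dom0-like, a control-only, a hardware-only
 * and a plain guest. */
const struct domain sample_dom0    = { 0, ROLE_CONTROL | ROLE_HARDWARE };
const struct domain sample_control = { 1, ROLE_CONTROL };
const struct domain sample_hw      = { 2, ROLE_HARDWARE };
const struct domain sample_guest   = { 3, ROLE_NONE };
```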

Due to the impact of this change, every effort was made to ensure the patch set
is bisectable and the features can be tested incrementally. This is an RFC with
limited building and testing completed against it; therefore one may find build
configurations and runtime configurations that do not work.

Daniel P. Smith (10):
  headers: introduce new default privilege model
  control domain: refactor is_control_domain
  xenstore: migrate to default privilege model
  xsm: convert rewrite privilege check function
  hardware domain: convert to domain roles
  xsm-roles: covert the dummy system to roles
  xsm-roles: adjusting core xsm
  xsm-silo: convert silo over to domain roles
  xsm-flask: clean up for domain roles conversion
  common/Kconfig: updating Kconfig for domain roles

 xen/arch/arm/dm.c                     |   2 +-
 xen/arch/arm/domctl.c                 |   6 +-
 xen/arch/arm/hvm.c                    |   2 +-
 xen/arch/arm/mm.c                     |   2 +-
 xen/arch/arm/platform_hypercall.c     |   2 +-
 xen/arch/x86/acpi/cpu_idle.c          |   3 +-
 xen/arch/x86/cpu/mcheck/mce.c         |   2 +-
 xen/arch/x86/cpu/mcheck/vmce.h        |   3 +-
 xen/arch/x86/cpu/vpmu.c               |   9 +-
 xen/arch/x86/crash.c                  |   2 +-
 xen/arch/x86/domctl.c                 |   8 +-
 xen/arch/x86/hvm/dm.c                 |   2 +-
 xen/arch/x86/hvm/hvm.c                |  12 +-
 xen/arch/x86/io_apic.c                |   9 +-
 xen/arch/x86/irq.c                    |   4 +-
 xen/arch/x86/mm.c                     |  22 +-
 xen/arch/x86/mm/mem_paging.c          |   2 +-
 xen/arch/x86/mm/mem_sharing.c         |   8 +-
 xen/arch/x86/mm/p2m.c                 |   2 +-
 xen/arch/x86/mm/paging.c              |   4 +-
 xen/arch/x86/mm/shadow/set.c          |   2 +-
 xen/arch/x86/msi.c                    |   6 +-
 xen/arch/x86/nmi.c                    |   3 +-
 xen/arch/x86/pci.c                    |   2 +-
 xen/arch/x86/physdev.c                |  16 +-
 xen/arch/x86/platform_hypercall.c     |  10 +-
 xen/arch/x86/pv/emul-priv-op.c        |   2 +-
 xen/arch/x86/setup.c                  |   3 +
 xen/arch/x86/sysctl.c                 |   4 +-
 xen/arch/x86/traps.c                  |   2 +-
 xen/arch/x86/x86_64/mm.c              |  11 +-
 xen/common/Kconfig                    |  14 +-
 xen/common/domain.c                   | 120 ++++-
 xen/common/domctl.c                   |  12 +-
 xen/common/event_channel.c            |  15 +-
 xen/common/grant_table.c              |  16 +-
 xen/common/hypfs.c                    |   2 +-
 xen/common/kernel.c                   |   2 +-
 xen/common/kexec.c                    |   4 +-
 xen/common/keyhandler.c               |   4 +-
 xen/common/mem_access.c               |   2 +-
 xen/common/memory.c                   |  16 +-
 xen/common/monitor.c                  |   2 +-
 xen/common/sched/core.c               |   6 +-
 xen/common/shutdown.c                 |  14 +-
 xen/common/sysctl.c                   |   8 +-
 xen/common/vm_event.c                 |   7 +-
 xen/common/xenoprof.c                 |   5 +-
 xen/drivers/char/console.c            |   2 +-
 xen/drivers/char/ns16550.c            |   3 +-
 xen/drivers/passthrough/device_tree.c |   4 +-
 xen/drivers/passthrough/pci.c         |  24 +-
 xen/drivers/passthrough/vtd/iommu.c   |   2 +-
 xen/include/xen/sched.h               |  30 +-
 xen/include/xsm/dummy.h               | 256 +++++-----
 xen/include/xsm/roles.h               |  70 +++
 xen/include/xsm/xsm.h                 | 710 +++++++++++++++++---------
 xen/xsm/Makefile                      |   3 +-
 xen/xsm/dummy.c                       | 160 ------
 xen/xsm/flask/flask_op.c              |   2 +-
 xen/xsm/silo.c                        |  22 +-
 xen/xsm/xsm_core.c                    |  46 +-
 62 files changed, 991 insertions(+), 759 deletions(-)
 create mode 100644 xen/include/xsm/roles.h
 delete mode 100644 xen/xsm/dummy.c

-- 
2.20.1
