Xen project Mailing List

Re: [PATCH 3/6] xsm: enabling xsm to always be included

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 21 Jun 2021 09:03:49 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cjDrlNUQDeor/lDlEup/fopOtBtExPBqffBIyfG2bLo=; b=lO72+jRxQxp/jZe4Oo/zKXnrZIra+BBrbLRO1oElxjm+DGRzmJGTR6s22KKD/jmX8c2b7PMjhaY54c4q2UDQ6BjfDEDef+sz+k8Tk7CwvR9NSlTiI/jJLhfIEpyX8buHweKavLT6i5fRcoMxGeqSRyxjLQqJlDSFDH0CB9pmVMqkLw1T1DZwaVcMz5pgxKB/wIeBJogXmezbwF7jjAMqVWB5cPbNGEnMNArfCMw4iGsFay8A19ZvBE8EmorM9pISxwIh9kGGlbUWHB9SwdFk63poKXZOTn9vnWyOZItMAp3mSf9LS8fvYWDwIa18fN4g9DUrtaNVRHaN9jxbuQhPNg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JwZt/kNfVy0daiv1Hjqjjg7Psq5m04TOBmhnME2kPaZ7uk70V3NBHz5KEdCQM+AYa0XLGWE/fT32Ci5tAvRf+hXyiNZF4RhaOMZNaPhMYu8ctMx0A2xFu09/17wf63+7bMwKlOiXz074DGmdlz2VFzG4NT9q/6dZwJ5wb0x2cSQ8PpR/nqgpboK+UaOgCzGlZ2diQICYERqzhdObrDr58vE2aj8Dh5lirbrk46Jf35KNPVD/a3ockhnqbe9/3eDp3tlAnwCFgwwY4POI/UIzyZIrH42Xni3ZzZhk4ApVVpBvgxNPx3a/tTo25ooPUeuSFCHZHwONWBj9IrNJDiMwnw==

Authentication-results: apertussolutions.com; dkim=none (message not signed) header.d=none;apertussolutions.com; dmarc=none action=none header.from=suse.com;

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, persaur@xxxxxxxxx, christopher.w.clark@xxxxxxxxx, adam.schwalm@xxxxxxxxxx, scott.davis@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 21 Jun 2021 07:04:08 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 18.06.2021 23:20, Andrew Cooper wrote: > On 18/06/2021 13:26, Jan Beulich wrote: >> On 18.06.2021 01:39, Daniel P. Smith wrote: >>> The only difference between !CONFIG_XSM and CONFIG_XSM with >>> !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK >>> is whether the XSM hooks in dummy.h are called as static inline functions >>> or as function >>> pointers to static functions. As such this commit, >>> * eliminates CONFIG_XSM >> Following from what Andrew has said (including him mentioning your >> changing of certain Kconfig option defaults), I'm not convinced this is >> a good move. This still ought to serve as the overall XSM-yes-or-no >> setting. If internally you make said two variants match in behavior, >> that's a different thing. > > I firmly disagree. There is no such thing as !XSM even in staging right now. > > All over Xen, we have calls to xsm_*() functions which, even in the !XSM > case, contain a non-trivial security policy. Compared with the full-fledged XSM, I view the present xsm_default_action() as sufficiently trivial. The inline wrappers of it really only exist to allow #ifdef-ary at all the use sites to be avoided, and for the code to act like before XSM got introduced. Whether you call this !XSM or XSM_HWDOM_ALL_POWERFUL is secondary to me. > The fact that under the hood, XSM vs !XSM creates two very different > implementations of "the dom0-all-powerful model" is an error needing > correcting, as it contributes a massive quantity of code complexity. > > This series of Daniel's takes steps to make the code match reality, and > getting rid of CONFIG_XSM is absolutely the right thing to do. XSM is > never actually absent from a build of Xen, even if you choose CONFIG_XSM=n. As said, what you discuss is just how to call the child. What I point out as undesirable is the going away of the inline functions, replaced by real function calls (not indirect ones thanks to alternatives patching, but still not clearly on par with the current model in terms of overhead). Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.