Xen project Mailing List

Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions

To: Jan Beulich <jbeulich@xxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 16 Jul 2021 15:15:38 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OZ+Q5EtAxnV48hN2u9N8RBoeZR0G3nzW8MVs4RnvMKo=; b=U6LopQiy5gD+wgKPy0DCiiBeoW32ZXKfL5UN9OZgqz1vTqL6oW0OufVX51gZ3cS6AQ7VllebU78voNNqM3zm7Gce8m9M+IHTNPrN6gc2VaOZeUB10cxHgAZURnpZzqjZjnJ5Mgw3LEDGZCgszYj8tMVNgCCISortbyu4UGEcS82nCmUJ+ZoS7DsGEawgxxuxlLWbryfN9Ni/D9SEnpU7degz/I7O9l/7Up4qKKWe3tZ/ESuoQY2j6aAD94lKLce1lOnEf+W28uezp/y7Vx6envqHTT+Ftjwl0XbuXA6aDWRlCfVWlIB2EpoaYnSSVPJDM5Z6Ap8KPgzk5tI+3aLRYg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=H0BusTKYztdyGIBDDDUPFVZRd3mepYonPMOykV65shtlyrrjoDs3OJlOHsFPK/z/VnNM3o7TkXyuAOsN05SQNZUT6qUqzkunhe6rNDYop5/lnz4yW7p4j39igeO1zpSgtZKwp92XrPSG+nidf1N0NRfkixKWoFYRLmmkCnOjVOK/UHrmPYCFziAu6van6YANBzyxn3oPzutKg/ZfDJxQgXuGzwRoWpEt61dD07Cq6LK7+1oDtM250nWst6M0IM2AGwlyf+bD6s3npDsWfmfUUseIjdjcnf0clCY/iHTxbbzvHygprncokMWm+YxpUzkRFt543ANkOPgykhxnFCxz9w==

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, "Paul Durrant" <paul@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>

Delivery-date: Fri, 16 Jul 2021 14:16:04 +0000

Ironport-hdrordr: A9a23:8nr0V62Fp6Dyg5I8jbj1sgqjBR5yeYIsimQD101hICG9Lfb0qy n+pp4mPEHP4wr5AEtQ4uxpOMG7MBDhHO1OkPMs1NaZLUXbUQ6TQL2KgrGSpAEIdxeeygcZ79 YZT0EcMqy+MbEZt7ed3ODQKb9Jr7e6GeKT9J7jJhxWPGNXgtRbnmNE43GgYyhLrWd9ZaYRJd 653I5qtjCgcXMYYoCQHX8eRdXOoNXNidbPfQMGLwRP0njOsRqYrJrBVzSI1BYXVD1ChZ0493 LergD/7qK/99mm1x7n0XPJ5Zg+oqqg9jIDPr3OtiEmEESotu+aXvUkZ1REhkFznAib0idprD ALmWZnAy080QKJQoj/m2qQ5+Cp6kdQ11bSjXuVhmbip8viLQhKdvapw7gpPCcxonBQwu1Uwe ZF2XmUuIFQCg6FlCPh58LQXxUvjUasp2E++NRjxEC3fLFuIYO5l7ZvtH+90a1waR7S+cQiCq 1jHcvc7PFZfReTaG3YpHBmxJipUm4oFhmLT0AesojNugIm0UxR3g8d3ogSj30A/JUyR91N4P nFKL1hkPVLQtUNZaxwCe8dSY+8C3DLQxjLLGWOSG6XXp0vKjbIsdr68b817OaldNgBy4Yzgo 3IVBdCuWs7ayvVeLuzNV1wg2fwqUCGLEbQI+1lluhEU4zHNc7W2He4OSETeuOb0oYiPvE=

Ironport-sdr: bE6kt66LMfYa/WRigHPcLI17i+G1nT0rX84zHW3hO5TkSomAH7fQgXHwNWC8LWa6A2ePr5hBYJ FbaE5t8Hg3cCF4dCrih8Bytg4W7j085MxkMN28eZbwTppvpkGG0ZOSkqUIZUmkblrp27+3HKH5 W3byEHZlmd66CkM5uxo2glqCKjYDLRyLvDRiBD9XWN1t+U4ze8rAVEinlEfCTA6P1EWuvlJJz3 J7uDhDmw81hdXyqige4mcdFXgvFBADHVTZrqqpOmKKJqK18MEUB6YBOYDaQ4/gI53Vl3Fy+MyJ zxg=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16/07/2021 08:23, Jan Beulich wrote: > On 12.07.2021 22:32, Daniel P. Smith wrote: >> The passing of an xsm_default_t at each of the xsm hook call sites >> served different functions depending on whether XSM was enabled or not. >> When XSM was not enabled it attempted to function as a link-time check >> that declared default action at the call site matched the default >> declared action for that hook in the dummy policy. When XSM was enabled, >> it would just drop the parameter. >> >> The removal of these values is two fold. They are a redundancy that >> provides little context, especially when the value is XSM_OTHER. > For XSM_OTHER I may agree, but in general I find the call-site uses > helpful to know at least the rough level of intended restriction. > E.g. ... > >> --- a/xen/arch/x86/cpu/mcheck/mce.c >> +++ b/xen/arch/x86/cpu/mcheck/mce.c >> @@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc) >> struct xen_mc_msrinject *mc_msrinject; >> struct xen_mc_mceinject *mc_mceinject; >> >> - ret = xsm_do_mca(XSM_PRIV); >> + ret = xsm_do_mca(); > ... to now understand what this enforces (or not) I have to go to > the actual implementation, even if I only want to know the trivial > dummy incarnation of it. This effectively extends the "provides > little context" from XSM_OTHER to all hooks. The old scheme was even worse because it was only a plausible approximation for the !XSM case while being actively wrong for SILO and FLASK. Furthermore, someone reading the code could be forgiven for thinking that XSM_HOOK was something other than dead code. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.