Xen project Mailing List

Re: [PATCH 1/2] tools: add configure option for disabling pygrub

From: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Date: Tue, 8 Aug 2023 11:16:44 +0100

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Tue, 08 Aug 2023 10:17:02 +0000

Ironport-data: A9a23:JIoRIqoyAnznWcYmqFoi4S6qEXFeBmI5ZRIvgKrLsJaIsI4StFCzt garIBnSafuNZ2r9cownPoWw8x5Vu5TWy4VqGVQ6qiA1EHsapJuZCYyVIHmrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYWYpA1c/Ek/NsDo788YhmIlknNOlNA2Ev NL2sqX3NUSsnjV5KQr40YrawP9UlKq04GpwUmAWP6gR5weOzyZNVvrzGInqR5fGatgMdgKFb 76rIIGRpgvx4xorA9W5pbf3GmVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0MC+7vw6hjdFpo OihgLTrIesf0g8gr8xGO/VQO3kW0aSrY9YrK1Dn2SCY5xWun3cBX5yCpaz5VGEV0r8fPI1Ay RAXACFWP02M2LPm+uKyT8tKrN8RFfDJDLpK7xmMzRmBZRonaZXKQqGM7t5ExjYgwMtJGJ4yZ eJAN2ApNk6ZJUQSZBFOUslWcOSA3xETdxVRrk6VoqwmpXDe1gVr3JDmMcbPe8zMTsJQ9qqdj jufrj6nX0tAabRzzxK4o0/2vsXvmB/Ze79DGZ6fxvVro0+Mkzl75Bo+CgLg/KjRZlSFc9BQM UsP4QI1sLM/skesS7HVTxC+5XKJoBMYc95RCPEhrhGAzLLO5ASUDXRCSSROAPQ5sOcmSDps0 UWG9/vgHTF1uaeZYW6c/LyT6zi1PEAowXQqPHFeC1Ffup+6/d9110iUJjp+LEKrpsyuSGz/n GHalng3gpc1p9U57pyZzWmS1lpAuaP1ZgIy4wzWWEes4QV4eJOpauSU1LTL0RpTBN3HFwfc5 RDoj+DbtblTVs/VyERhVc1XRNmUC+C53CowaLKFN70o7HyT9nGqZui8CxkudR4yYq7oldIEC XI/WD+9BrcJZBNGjoctOepd7vjGKoC+fekJrtiOMrJzjmFZLWdrBh1Ga0+KxHzKm0Mxi6w5M przWZ/yXC9GUv89nWbmHrd1PVoXKscWnzq7eHwG507/jer2iIC9Ft/pz2dinshmtfjZ8W05A v5UNteQygU3bQENSnC/zGLnFnhTdSJTLcmv+6RqmhurflIO9JcJV6WAntvMuuVNw8xoqws/1 irgBhEBkAKl1CGvxMfjQikLVY4DlK1X9RoTVRHA937ys5T/Se5DNJsiSqY=

Ironport-hdrordr: A9a23:K4UO2qvSjbKcTpHGPQMx7r1i7skDstV00zEX/kB9WHVpm6yj+v xG/c5rsCMc7Qx6ZJhOo7+90cW7L080lqQFg7X5X43DYOCOggLBQL2KhbGI/9SKIVycygcy78 Zdm6gVMqyLMbB55/yKnTVRxbwbsaW6GKPDv5ag8590JzsaD52Jd21Ce36m+ksdfnggObMJUK Cyy+BgvDSadXEefq2AdwI4t7iqnaysqHr+CyR2fiIa1A==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Aug 04, 2023 at 07:59:59AM +0200, Juergen Gross wrote: > Add a "--disable-pygrub" option for being able to disable the build > and installation of pygrub. > > There are two main reasons to do so: > > - A main reason to use pygrub is to allow a PV guest to choose its > bitness (32- or 64-bit). Pygrub allows that by looking into the boot > image and to start the guest in the correct mode depending on the > kernel selected. With 32-bit PV guests being deprecated and the > possibility to even build a hypervisor without 32-bit PV support, > this use case is gone for at least some configurations. > > - Pygrub is running in dom0 with root privileges. As it is operating > on guest controlled data (the boot image) and taking decisions based > on this data, there is a possible security issue. Not being possible > to use pygrub is thus a step towards more security. > > Default is still to build and install pygrub. > > Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> Thanks, -- Anthony PERARD

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.