Re: [PATCH v2 1/3] tools: add configure option for disabling pygrub
- To: Juergen Gross <jgross@xxxxxxxx>
- From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
- Date: Tue, 8 Aug 2023 14:39:09 +0100
- Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
- Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Tue, 08 Aug 2023 13:39:24 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Tue, Aug 08, 2023 at 03:22:17PM +0200, Juergen Gross wrote:
> Add a "--disable-pygrub" option for being able to disable the build
> and installation of pygrub.
>
> There are two main reasons to do so:
>
> - A main reason to use pygrub is to allow a PV guest to choose its
>   bitness (32- or 64-bit). Pygrub allows that by looking into the boot
>   image and to start the guest in the correct mode depending on the
>   kernel selected. With 32-bit PV guests being deprecated and the
>   possibility to even build a hypervisor without 32-bit PV support,
>   this use case is gone for at least some configurations.
>
> - Pygrub is running in dom0 with root privileges. As it is operating
>   on guest controlled data (the boot image) and taking decisions based
>   on this data, there is a higher security risk. Not being possible
>   to use pygrub is thus a step towards a reduction of attack surface.
>
> Default is still to build and install pygrub.
>
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
Thanks,
--
Anthony PERARD