Re: [RFC PATCH] xsm/flask: add AVC pre-allocation boot parameter
- To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- From: Sergiy Kibrik <sergiy_kibrik@xxxxxxxx>
- Date: Mon, 18 Aug 2025 14:05:30 +0300
- Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxx>
- Delivery-date: Mon, 18 Aug 2025 11:05:35 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
15.08.25 14:43, Andrew Cooper:
On 15/08/2025 12:21 pm, Andrew Cooper wrote:
On 15/08/2025 11:23 am, Sergiy Kibrik wrote:
diff --git a/docs/misc/xen-command-line.pandoc
b/docs/misc/xen-command-line.pandoc
index a75b6c9301..9044827e78 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -238,6 +238,15 @@ loops for Queued Invalidation completions.**
Specify a maximum amount of available memory, to which Xen will clamp
the e820 table.
+### avc_prealloc
+> `= <boolean>`
+
+> Default: `false`
+
+Allocate XSM Access Vector Cache at boot. This forbids runtime dynamic
+allocation of AVC nodes from Xen heap and changing AVC size via
+FLASK_SETAVC_THRESHOLD hypercall.
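Review bot: the new entry says the option forbids runtime node allocation and blocks the FLASK_SETAVC_THRESHOLD hypercall, but not how the boot-time cache size is chosen, or what the hypercall returns once it is refused, so an operator reading this cannot tell what memory they are committing at boot or how a policy tool that calls the hypercall will fail; please spell both out. The entry should also state that it has no effect unless Flask is the active XSM module, which is a further reason to fold it under the existing `flask=` option rather than add a top-level `avc_prealloc`. Minor: "from Xen heap" reads better as "from the Xen heap".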
I don't have any input on the memory allocation side of things, but this
needs to be a sub-option under the existing flask=, and it looks like
you're going to need to turn it into a comma separated list.
Also, if you actually want to use Flask in a safety system, Flask needs
to become security supported in Xen.
Sorry, sent a little too early. x86's dom0= is probably the closest good
example to follow, having both comma separated booleans and a choice-of-$N.
Yes, I'll try to integrate that option into flask=
-Sergiy
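The option shape Andrew describes above, a comma separated list mixing a choice-of-N mode with `no-`-prefixed booleans, as an added stand-alone illustration written for this page. It is not Xen's command-line parser and not code from this patch; the mode names are taken from the existing `flask=` documentation, while treating `avc_prealloc` as a `flask=` sub-option is an assumption drawn from the thread. Unknown tokens are reported rather than silently ignored, so a typo in a security-policy option fails loudly instead of leaving the cache dynamically sized by accident.

```c
/* Added example for this thread: parse "flask=<mode>,<bool>,..." where
 * <mode> is one of permissive|enforcing|late|disabled and <bool> is the
 * hypothetical sub-option avc_prealloc, accepted as "avc_prealloc",
 * "no-avc_prealloc" or "avc_prealloc=<on|off|...>".  Illustration only,
 * not Xen's own parser. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum flask_mode { FLASK_PERMISSIVE, FLASK_ENFORCING, FLASK_LATE, FLASK_DISABLED };

struct flask_opts {
    enum flask_mode mode;
    bool avc_prealloc;
};

/* True if the token [s, e) equals the NUL-terminated name exactly. */
static bool token_is(const char *s, const char *e, const char *name)
{
    size_t len = strlen(name);
    return (size_t)(e - s) == len && memcmp(s, name, len) == 0;
}

/* Boolean token: "name" -> 1, "no-name" -> 0, "name=<value>" -> 0/1,
 * anything else (including a different option name) -> -1. */
static int parse_bool_token(const char *name, const char *s, const char *e)
{
    size_t len = strlen(name);

    if ( (size_t)(e - s) >= 3 && memcmp(s, "no-", 3) == 0 )
        return token_is(s + 3, e, name) ? 0 : -1;

    if ( (size_t)(e - s) < len || memcmp(s, name, len) != 0 )
        return -1;
    s += len;
    if ( s == e )
        return 1;            /* bare "name" */
    if ( *s != '=' )
        return -1;           /* "namex": a different, unknown token */
    s++;
    if ( token_is(s, e, "1") || token_is(s, e, "on") || token_is(s, e, "yes") ||
         token_is(s, e, "true") || token_is(s, e, "enable") )
        return 1;
    if ( token_is(s, e, "0") || token_is(s, e, "off") || token_is(s, e, "no") ||
         token_is(s, e, "false") || token_is(s, e, "disable") )
        return 0;
    return -1;
}

/* Parse the whole comma separated list into *opts, which the caller has
 * initialised to its defaults.  Returns 0, or -1 if any token was not
 * recognised (recognised tokens are still applied). */
int parse_flask(const char *s, struct flask_opts *opts)
{
    int rc = 0;
    const char *e;

    do {
        e = strchr(s, ',');
        if ( !e )
            e = s + strlen(s);

        if ( s == e )
            ;                                   /* empty token: skip */
        else if ( token_is(s, e, "permissive") ) opts->mode = FLASK_PERMISSIVE;
        else if ( token_is(s, e, "enforcing") )  opts->mode = FLASK_ENFORCING;
        else if ( token_is(s, e, "late") )       opts->mode = FLASK_LATE;
        else if ( token_is(s, e, "disabled") )   opts->mode = FLASK_DISABLED;
        else
        {
            int v = parse_bool_token("avc_prealloc", s, e);
            if ( v < 0 )
                rc = -1;                        /* unknown token */
            else
                opts->avc_prealloc = v;
        }
        s = e + 1;
    } while ( *e );

    return rc;
}

/* Convenience wrappers: the resulting mode, or -1 on any bad token. */
int flask_mode_of(const char *s)
{
    struct flask_opts o = { FLASK_PERMISSIVE, false };
    return parse_flask(s, &o) ? -1 : (int)o.mode;
}

/* The resulting avc_prealloc flag (0/1), or -1 on any bad token. */
int flask_prealloc_of(const char *s)
{
    struct flask_opts o = { FLASK_PERMISSIVE, false };
    return parse_flask(s, &o) ? -1 : (int)o.avc_prealloc;
}

int main(void)
{
    const char *constructed = "enforcing,avc_prealloc";   /* constructed input */
    printf("%s -> mode %d, prealloc %d\n", constructed,
           flask_mode_of(constructed), flask_prealloc_of(constructed));
    return 0;
}
```

The wrappers return -1 on any unknown token even though the known tokens were applied; a real boot parser would additionally log which token it rejected so the operator can see it in the console output.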