On 2/15/19 4:35 AM, George Dunlap wrote:
>
>
>> On Feb 13, 2019, at 7:11 PM, Stefano Stabellini
>> wrote:
>>
>> On Wed, 13 Feb 2019, Wei Liu wrote:
>>> On Tue, Feb 12, 2019 at 09:34:25PM -0500, Daniel P. Smith wrote:
>>>> The initial focus wi
are interested in participating in this effort, please reply to
this thread to outline possible use cases, design constraints and other
considerations for improving Xen's Kconfig infrastructure to support
tailoring for specific use cases.
V/r,
Daniel P. Smith
Apertus Solutions, LLC
This deals with two casting issues for compiling under go 1.11:
- explicitly cast to *C.xentoollog_logger for Ctx.logger pointer
- add cast to unsafe.Pointer for the C string cpath
Signed-off-by: Daniel P. Smith
---
tools/golang/xenlight/xenlight.go | 8
1 file changed, 4 insertions
On 4/18/19 9:11 AM, George Dunlap wrote:
> On 4/18/19 2:52 AM, Daniel P. Smith wrote:
>> This deals with two casting issues for compiling under go 1.11:
>> - explicitly cast to *C.xentoollog_logger for Ctx.logger pointer
>> - add cast to unsafe.Pointer for the C string c
On 5/26/20 1:57 PM, Roger Pau Monné wrote:
>
> Keep in mind that strncmp will return 0 if the signature matches, and
> hence doing this won't allow any table, as it would require a
> signature to match both the DSDT and the FACS one (you would require
> strncmp to return 0 in both cases).
>
>
On 10/21/20 10:34 AM, Hongyan Xia wrote:
Hi,
A while ago there was a quick chat on IRC about how XSM interacts with
the idle domain. The conversation did not reach any clear conclusions
so it might be a good idea to summarise the questions in an email.
Basically there were two questions in
On 11/3/20 4:15 PM, Stefano Stabellini wrote:
> On Tue, 3 Nov 2020, Rich Persaud wrote:
>> On Nov 3, 2020, at 14:37, Stefano Stabellini wrote:
>>>
>>> On Tue, 3 Nov 2020, Jan Beulich wrote:
> On 02.11.2020 22:41, Stefano Stabellini wrote:
> On Mon, 2 Nov 2020, Jan Beulich wrote:
>>
Details on the DomB boot domain can be found on Xen wiki:
https://wiki.xenproject.org/wiki/DomB_mode_of_dom0less
Signed-off-by: Daniel P. Smith
Signed-off-by: Christopher Clark
---
docs/designs/boot-domain-device-tree.rst | 163 +++
1 file changed, 163 insertions
should be idempotent.
For this case, the compiler can drop the check from both callsites, and
its safer if the structure of the callers change in the future.
But even if you want to keep the duplication
Reviewed-by: Jan Beulich
Thanks.
You can add,
Reviewed-by: Daniel P. Smith
One further
the
80 column wrapping style, all function definitions were aligned with the
predominate style that is used in the hypervisor code.
Signed-off-by: Daniel P. Smith
---
xen/xsm/dummy.h | 274 +++-
1 file changed, 153 insertions(+), 121 deletions(-)
diff
With the eliminations of default priv from all the XSM hook call sites, this
renders the XSM_ASSERT_ACTION macro unneeded. This commit cleans up all the
dummy hooks, removing the macro.
Signed-off-by: Daniel P. Smith
---
xen/xsm/dummy.h | 253 +++-
1
from the wrapper functions which remain in xsm.h and
dummy.h.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/dummy.h| 2 +-
xen/include/xsm/xsm-core.h | 262 +
xen/include/xsm/xsm.h | 240 +
xen/xsm/dummy.c
Would like to add myself as a reviewer for XSM.
Signed-off-by: Daniel P. Smith
---
MAINTAINERS | 1 +
1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index d46b08a0d2..4f759867dc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -622,6 +622,7 @@ F: xen/include/xen/trace.h
The assignment and setup of xsm_ops structure was refactored to make it a
one-time assignment. The calling of the xsm_ops were refactored to use the
alternate_call framework to reduce the need for retpolines.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/xsm.h| 206
the alternative_call
infrastructure. Then proceeds to move and realign the headers to remove the
psuedo is/is not enable implementation. The remainder of the changes are clean
up
and removing no longer necessary abstractions.
Daniel P. Smith (6):
xsm: refactor xsm_ops handling
xsm: decouple xsm header
-by: Daniel P. Smith
---
xen/arch/arm/dm.c | 2 +-
xen/arch/arm/domctl.c | 6 +-
xen/arch/arm/hvm.c| 2 +-
xen/arch/arm/mm.c | 2 +-
xen/arch/arm/platform_hypercall.c | 2 +-
xen/arch/x86/cpu/mcheck/mce.c
CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event
channel labels
* makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no
Signed-off-by: Daniel P. Smith
---
xen/common/Kconfig| 55 -
xen/include/xen/sched.h | 2 +-
xen/include/xsm/xsm-core.h| 26
xen/include
On 6/21/21 2:53 AM, Jan Beulich wrote:
On 18.06.2021 18:35, Daniel P. Smith wrote:
On 6/18/21 7:53 AM, Andrew Cooper wrote:
On 18/06/2021 00:39, Daniel P. Smith wrote:
@@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
If unsure, say Y.
config XSM_SILO
- def_bool y
On 6/18/21 7:34 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> The assignment and setup of xsm_ops structure was refactored to make it a
>> one-time assignment. The calling of the xsm_ops were refactored to use the
>> alternate_call framewo
On 6/18/21 7:56 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> With the conversion of making XSM always enabled even the dummy XSM module is
>> being invoked through the xsm_ops dispatch which does not use passing of the
>> default privilege
On 6/18/21 7:53 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO
>> and !CONFIG_XSM_FLASK
>> is whether the XSM hooks in dummy.h are called as static inline functio
On 6/18/21 8:26 AM, Jan Beulich wrote:
> On 18.06.2021 01:39, Daniel P. Smith wrote:
>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO
>> and !CONFIG_XSM_FLASK
>> is whether the XSM hooks in dummy.h are called as static inline functions or
>&
On 6/18/21 8:03 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>> index 7e2bb09dac..0f8ea163af 100644
>> --- a/xen/xsm/dummy.h
>> +++ b/xen/xsm/dummy.h
>> @@ -9,7 +9,7 @@
>> *
&g
On 6/18/21 6:14 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
>> patch set is being split into two separate patch sets. This is the first
>> patch set and is focused p
On 6/18/21 7:44 AM, Jan Beulich wrote:
> On 18.06.2021 13:34, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>>>
>>> int __init register_xsm(struct xsm_operations *
On 6/18/21 8:44 AM, Jan Beulich wrote:
> On 18.06.2021 14:40, Jan Beulich wrote:
>> On 18.06.2021 14:03, Andrew Cooper wrote:
>>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>>>> index 7e2bb09dac..0f
eplacing those rules with well
defined roles by moving away from pseudo is or is not XSM and formalizing the
roles checks as the core security framework.
Signed-off-by: Daniel P. Smith
---
xen/include/xen/sched.h | 9 -
xen/include/xsm/roles.h | 70
xen/inclu
This refactors the hardware_domain so that it is works within the
new domain roles construct.
Signed-off-by: Daniel P. Smith
---
xen/arch/x86/acpi/cpu_idle.c| 3 +-
xen/arch/x86/cpu/mcheck/vmce.h | 3 +-
xen/arch/x86/cpu/vpmu.c | 7 +-
xen/arch/x86/crash.c
This converts the previous XSM hook dummy checks over to using equivalent
domain role privileges.
Signed-off-by: Daniel P. Smith
---
xen/arch/arm/dm.c | 2 +-
xen/arch/arm/domctl.c | 6 +-
xen/arch/arm/hvm.c| 2 +-
xen/arch/arm/mm.c
The domain roles approach changed the idea of how the default XSM policy module
is configured. This makes the minor adjustment for that change.
Signed-off-by: Daniel P. Smith
---
xen/xsm/flask/flask_op.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/xsm/flask
Move to using a check for the Xenstore Domain role for the is_xenstore_domain
check.
Signed-off-by: Daniel P. Smith
---
xen/common/domain.c | 3 +++
xen/include/xen/sched.h | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/xen/common/domain.c b/xen/common/domain.c
index
This adjusts the Kconfig system for the reorganizing of XSM by the introduction
of domain roles.
Signed-off-by: Daniel P. Smith
---
xen/common/Kconfig | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 3064bf6b89
This is adjustments and clean ups to the core of xsm for adoption of the domain
roles.
Signed-off-by: Daniel P. Smith
---
xen/include/xen/sched.h | 2 +-
xen/include/xsm/xsm.h | 26 ---
xen/xsm/Makefile| 3 +-
xen/xsm/dummy.c | 160
This converts the SILO XSM module to function as an extension to the domain
roles system to implement an extended enforcement policy.
Signed-off-by: Daniel P. Smith
---
xen/xsm/silo.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/xen/xsm/silo.c b
bisectable and the features can be tested incrementally. This is an RFC with
limited building and testing completed against it, therefore one may find build
configurations and runtime configurations that do not work.
Daniel P. Smith (10):
headers: introduce new default privilege model
cont
Move to using the new Domain Control role as the backing to the
is_control_domain check.
Signed-off-by: Daniel P. Smith
---
xen/common/domain.c | 3 +++
xen/include/xen/sched.h | 4 +++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/xen/common/domain.c b/xen/common/domain.c
This defines the new privilege roles that a domain may be assigned.
Signed-off-by: Daniel P. Smith
---
xen/include/xen/sched.h | 18 ++
1 file changed, 18 insertions(+)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cc633fdc07..9b2c277ede 100644
--- a/xen
shutdown is one step in that direction, but vtpmmgr will most
> likely be waiting in tpmback_req_any. We need to call shutdown_tpmback
> to cancel the wait inside tpmback and perform the shutdown.
>
> Signed-off-by: Jason Andryuk
> Reviewed-by: Samuel Thibault
> ---
Reviewed
; Add bounds and size checks
> Whitespace fixup
> ---
Reviewed by: Daniel P. Smith
> stubdom/vtpmmgr/marshal.h | 15
> stubdom/vtpmmgr/vtpm_cmd_handler.c | 61 +-
> 2 files changed, 75 insertions(+), 1 deletion(-)
>
> diff --git a/stubdom
On 5/6/21 9:59 AM, Jason Andryuk wrote:
> Remove our key so it isn't left in the TPM for someone to come along
> after vtpmmgr shutsdown.
>
> Signed-off-by: Jason Andryuk
> Reviewed-by: Samuel Thibault
> ---
Reviewed-by: Daniel P. Smith
> stubdom/vtpmmgr/init.c |
t. And assignment of handles is assumed to be
> sequential from the minimum. That may not be guaranteed, but seems okay
> with my tpm2.
>
> Signed-off-by: Jason Andryuk
> Reviewed-by: Samuel Thibault
> ---
> v2 add "since TRANSIENT_LAST is inclusive" to co
timeouts, but not low durations. The second
> patch allows commands to complete that often timeout with the lower
> command durations.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> stubdom/Makefile| 2 +
> st
ot;=". The man page documented "="
> and the other tpm.* arguments already use "=". Since it didn't work
> before, we don't need to worry about backwards compatibility.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> stubdom/vt
is tricky since abort_egress wants to rely with a
> corresponding tag. Just hardcode TPM_TAG_RQU_COMMAND since the vtpm is
> sending in malformed commands in the first place.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> stubdom/vtpmmgr/vtpm_cmd_handler.
On 5/6/21 9:59 AM, Jason Andryuk wrote:
> The UINT32 <-> UINT16 casting in TPM2_GetRandom is incorrect. Use a
> local UINT16 as needed for the TPM hardware command and assign the
> result.
>
> Suggested-by: Samuel Thibault
> Signed-off-by: Jason Andryuk
> ---
R
On 5/6/21 9:59 AM, Jason Andryuk wrote:
> Bypass taking ownership of the TPM2 if an srk_handle is specified.
>
> This srk_handle must be usable with Null auth for the time being.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> v2: Use "="
On 5/4/21 8:48 AM, Jason Andryuk wrote:
> The vtpmmgr TPM 2.0 support is incomplete. Add a warning about that to
> the documentation so others don't have to work through discovering it is
> broken.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> d
o callers always print the error code so it is always
> available.
>
> Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> stubdom/vtpmmgr/tpm.c | 2 +-
> stubdom/vtpmmgr/tpm2.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --gi
On 5/6/21 9:59 AM, Jason Andryuk wrote:
> Reposition vtpmmgr_shutdown so it can call flush_tpm2 without a forward
> declaration.
>
> Signed-off-by: Jason Andryuk
> Reviewed-by: Samuel Thibault
> ---
Reviewed-by: Daniel P. Smith
> stubdom/vtpmmgr/init.c | 28
On 5/7/21 5:20 AM, Jan Beulich wrote:
> In SILO mode restrictions for inter-domain communication should apply
> here along the lines of those for evtchn and gnttab.
>
> Signed-off-by: Jan Beulich
Reviewed-by: Daniel P. Smith
> ---
> Really I was first thinking about t
; Signed-off-by: Jason Andryuk
> ---
Reviewed-by: Daniel P. Smith
> I haven't tried, but the other option would be to cast size_t and avoid
> %z. Since this seems to be the only mini-os use of %z, that may be
> better than building a larger newlib.
> ---
> stubdom/Make
This converts the global xsm_ops from being a pointer to a struct xsm_ops to
being an
explicit instance. It then reworks the XSM modules init function to
return their xsm_ops struct which is copied in to the global xsm_ops.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/xsm.h| 215
as replacement for enabling event
channel labels
* makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no
Signed-off-by: Daniel P. Smith
---
xen/common/Kconfig| 51
xen/include/xen/sched.h | 2 +-
xen/include/xsm/xsm-core.h| 26
xen/include/xsm/xsm.h
The flask XSM module provided the ability to switch from flask back to
the dummy XSM module during runtime. With this removal the only way to
switch between XSM modules is at boot time.
Signed-off-by: Daniel P. Smith
---
xen/xsm/flask/flask_op.c | 32
1 file
To reduce retpolines convert all the pointer function calls of the
xsm_ops hooks over to the alternative_call infrastructure.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/xsm.h | 195 +-
1 file changed, 99 insertions(+), 96 deletions(-)
diff --git
from the wrapper functions which remain in xsm.h and
dummy.h.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/dummy.h| 2 +-
xen/include/xsm/xsm-core.h | 263 +
xen/include/xsm/xsm.h | 241 +
xen/xsm/dummy.c
-call.h for use in common code
Daniel P. Smith (9):
xsm: refactor xsm_ops handling
xsm: remove the ability to disable flask
xsm: convert xsm_ops hook calls to alternative call
xsm: decouple xsm header inclusion selection
xsm: enable xsm to always be included
xsm: drop generic event
From: Andrew Cooper
The alternative call infrastructure is x86-only for now, but the common iommu
code has a variant and more common code wants to use the infrastructure.
Introduce CONFIG_ALTERNATIVE_CALL and a conditional implemetnation so common
code can use the optimisation when available,
The generic event channel labeling has not been used by any XSM module since
its introduction. This commit removes the capability leaving FLASK labeling
field always present. In the future if a new XSM module needs to have its own
channel label, this or a new form can be introduced.
---
the
80 column wrapping style, all function definitions were aligned with the
predominate style found in core hypervisor code.
Signed-off-by: Daniel P. Smith
---
xen/xsm/dummy.h | 275 +++-
1 file changed, 153 insertions(+), 122 deletions(-)
diff --git
With the eliminations of default priv from all the XSM hook call sites, this
renders the XSM_ASSERT_ACTION macro unneeded. This commit cleans up all the
dummy hooks, removing the macro.
Signed-off-by: Daniel P. Smith
---
xen/xsm/dummy.h | 253 +++-
1
should provide reasoning of the default value when it is not clear. Next
is that with the change to make XSM always enabled is the case where the
parameter is completely ignored. Thus it is logical to remove them from
the hook call sites.
Signed-off-by: Daniel P. Smith
---
xen/arch/arm/dm.c
=sharing
Details on the DomB boot domain can be found on Xen wiki:
https://wiki.xenproject.org/wiki/DomB_mode_of_dom0less
Signed-off-by: Daniel P. Smith
Signed-off-by: Christopher Clark
Version 2
-
- cleaned up wording
- updated example to reflect a real configuration
- add explanation
>
> Bobby Eshleman
> SE at Vates SAS
>
Yes, please count me in since it will definitely overlap with the work I
am doing under DomB/Hyperlaunch as well as planned work under the
TrenchBoot project.
V/r,
Daniel P. Smith
Adds a design document for hyperlaunch, formerly DomB mode of dom0less.
Signed-off-by: Christopher Clark
Signed-off by: Daniel P. Smith
Reviewed-by: Rich Persaud
---
docs/designs/launch/hyperlaunch.rst | 900
1 file changed, 900 insertions(+)
create mode 100644
Adds a design document for hyperlaunch device tree structure.
Signed-off-by: Christopher Clark
Signed-off by: Daniel P. Smith
---
.../designs/launch/hyperlaunch-devicetree.rst | 343 ++
1 file changed, 343 insertions(+)
create mode 100644 docs/designs/launch/hyperlaunch
a flexible and security-minded means to launch a
variety of VM configurations as part of the startup of Xen.
Signed-off-by: Christopher Clark
Signed-off by: Daniel P. Smith
Daniel P. Smith (2):
docs/designs/launch: hyperlaunch design document
docs/designs/launch: hyperlaunch device tree
All,
We have posted[1][2] the design documents for hyperlaunch and would
invite attendance at a working group call to discuss two agenda items.
The first item is a review of the documents and the second is a
discussion about bringing production-ready revisions of our previous
prototype in as
On 3/16/21 12:09 AM, Daniel P. Smith wrote:
> All,
>
> We have posted[1][2] the design documents for hyperlaunch and would
> invite attendance at a working group call to discuss two agenda items.
> The first item is a review of the documents and the second is a
> discuss
): 0 800 60 9135
United Kingdom (Toll Free): 0 800 169 0432
New to GoToMeeting? Get the app now and be ready when your first meeting
starts: https://global.gotomeeting.com/install/691818141
V/r,
Daniel P. Smith
Apertus Solutions, LLC
On 2/5/21 2:12 PM, Daniel P. Smith wrote:
> Greetings,
>
> Per the community call on Feb. 4 I would like to get the working group
> started that will be reviewing the major design decisions for the DomB
> implementation. A summary of the discussion around the two primary
On 8/25/21 11:22 AM, Jan Beulich wrote:
> On 05.08.2021 16:06, Daniel P. Smith wrote:
>> On Linux when SELinux is put into permissive mode the descretionary access
>> controls are still in place. Whereas for Xen when the enforcing state of
>> flask
>> is set to permiss
On 8/25/21 11:16 AM, Jan Beulich wrote:
> On 05.08.2021 16:06, Daniel P. Smith wrote:
>> @@ -747,16 +747,16 @@ extern int xsm_dt_policy_init(void **policy_buffer,
>> size_t *policy_size);
>> extern bool has_xsm_magic(paddr_t);
>> #endif
>>
>> -extern
On 8/26/21 4:13 AM, Jan Beulich wrote:
> On 05.08.2021 16:06, Daniel P. Smith wrote:
>> --- /dev/null
>> +++ b/xen/include/xsm/xsm-core.h
>> @@ -0,0 +1,273 @@
>> +/*
>> + * This file contains the XSM hook definitions for Xen.
>> + *
>> + * This wor
On 8/25/21 11:44 AM, Jan Beulich wrote:
> On 05.08.2021 16:06, Daniel P. Smith wrote:
>> The internal define flag is not used by any XSM module, removing the #ifdef
>> leaving the generic event channel labeling as always present.
>
> With this description ...
>
>>
map_domain_pirq (struct domain *d)
> static int flask_unmap_domain_msi (struct domain *d, int irq, const void
> *data,
> u32 *sid, struct avc_audit_data *ad)
> {
> -#ifdef CONFIG_HAS_PCI
> +#ifdef CONFIG_HAS_PCI_MSI
> const struct pci_dev *pdev = data;
> u32 machine_bdf = (pdev->seg << 16) | (pdev->bus << 8) | pdev->devfn;
>
>
Straightforward, so I see no issue with the flask related changes.
Reviewed-by: Daniel P. Smith
v/r
dps
On 8/26/21 5:37 AM, Jan Beulich wrote:
> On 05.08.2021 16:06, Daniel P. Smith wrote:
>> The XSM facilities are always in use by Xen with the facade of being able to
>> turn XSM on and off. This option is in fact about allowing the selection of
>> which policies are availab
On 8/30/21 9:24 AM, Jan Beulich wrote:
> On 27.08.2021 16:06, Daniel P. Smith wrote:
>> On 8/26/21 4:13 AM, Jan Beulich wrote:
>>> On 05.08.2021 16:06, Daniel P. Smith wrote:
>>>> --- /dev/null
>>>> +++ b/xen/include/xsm/xsm-core.h
>>>> @
On 8/30/21 9:46 AM, Jan Beulich wrote:
> On 30.08.2021 15:41, Daniel P. Smith wrote:
>> On 8/30/21 9:24 AM, Jan Beulich wrote:
>>> On 27.08.2021 16:06, Daniel P. Smith wrote:
>>>> On 8/26/21 4:13 AM, Jan Beulich wrote:
>>>>> On 05.08.2021 16:06
The type xsm_op_t masks the use of void pointers. This commit drops the
xsm_op_t type and
replaces it and all its uses with an explicit void.
Signed-off-by: Daniel P. Smith
---
xen/include/xen/hypercall.h | 4 ++--
xen/include/xsm/dummy.h | 4 ++--
xen/include/xsm/xsm.h | 11
- ensuring proper indentation for 80 char wrapping
- covert u32 type statements to uint32_t
- remove space between closing and opening parens
- drop extern on function declarations
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/dummy.h | 173 +-
xen/include/xsm/xsm.h | 494
instance.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/xsm.h | 222 +-
xen/xsm/dummy.c | 4 +-
xen/xsm/flask/hooks.c | 12 +--
xen/xsm/silo.c| 7 +-
xen/xsm/xsm_core.c| 77 ---
5 files changed, 167 insertions(+), 155
To reduce retpolines convert all the pointer function calls of the
xsm_ops hooks over to the alternative_call infrastructure.
Signed-off-by: Daniel P. Smith
Acked-by: Andrew Cooper
---
xen/include/xsm/xsm.h | 193 +-
1 file changed, 97 insertions(+), 96
away from
the wrapper functions which remain in xsm.h and dummy.h.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm/dummy.h| 2 +-
xen/include/xsm/xsm-core.h | 274 +
xen/include/xsm/xsm.h | 255 +-
xen/xsm/dummy.c
and
additional risk for securit-relevant bugs.
This patch removes this additional interface, making Xen's security framework
have a single, consistent interface that works in a single and consistent
manner regardless of which XSM policy is in use.
Signed-off-by: Daniel P. Smith
---
xen/include/xsm
.
Signed-off-by: Daniel P. Smith
---
xen/common/Kconfig | 49 ++
xen/include/xen/sched.h| 2 +-
xen/include/xsm/dummy.h| 23 +-
xen/include/xsm/xsm-core.h | 6 ++---
xen/include/xsm/xsm.h | 6 ++---
xen/xsm/Makefile
, xsm_default_action().
Signed-off-by: Daniel P. Smith
---
xen/xsm/silo.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index 6db793f35c..56a330a831 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,6 +17,7 @@
* You should
The internal define flag is not used by any XSM module, removing the #ifdef
leaving the generic event channel labeling as always present.
Signed-off-by: Daniel P. Smith
---
xen/include/xen/sched.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen
grouping
- moved extern references to built in policy to where they are used
- Added back in the #ifdef CONFIG_XSM into struct evtchn
- split the patch removing the duplicate interface up further
Andrew Cooper (1):
xen: Implement xen/alternative-call.h for use in common code
Daniel P. Smith (10
Beulich
CC: Roger Pau Monné
CC: Wei Liu
CC: Stefano Stabellini
CC: Julien Grall
CC: Volodymyr Babchuk
CC: Bob Eshleman
CC: Alistair Francis
CC: Connor Davis
CC: Daniel P. Smith
v3:
* Drop __alt_call_maybe_initconst
This is a pre-requisite to "xsm: refactor xsm_ops handling"
k is being enforced after boot.
This patch removes the flask op to enforce the desired XSM usage model
requiring a reboot of Xen to change the XSM policy module in use.
Signed-off-by: Daniel P. Smith
---
xen/include/public/xsm/flask_op.h | 2 +-
xen/xsm/flask/flask_op.c
On 9/6/21 2:31 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
This renames the `struct xsm_operations` to the shorter `struct xsm_ops` and
converts the global xsm_ops from being a pointer to an explicit instance. As
part of this conversion, it reworks the XSM modules
On 9/6/21 2:55 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
SILO implements a few XSM hooks to extended the decision logic beyond
what is defined in the dummy/default policy. For each of the hooks, it
falls back to the dummy/default policy. The fall back is done a slight
On 9/6/21 2:17 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
Instead of intermixing coding style changes with code changes as they
are come upon in this patch set, moving all coding style changes
into a single commit. The focus of coding style changes here are,
- move
On 9/6/21 2:47 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
new file mode 100644
index 00..4555e111dc
--- /dev/null
+++ b/xen/include/xsm/xsm-core.h
@@ -0,0 +1,274 @@
+/*
+ * This file contains
On 9/7/21 10:27 AM, Jan Beulich wrote:
> On 07.09.2021 16:09, Daniel P. Smith wrote:
>> On 9/7/21 9:50 AM, Jan Beulich wrote:
>>> On 07.09.2021 15:41, Daniel P. Smith wrote:
>>>> On 9/6/21 2:17 PM, Andrew Cooper wrote:
>>>>> On 03/09/2021 20:06, Daniel
On 9/6/21 3:18 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
-static inline int xsm_memtype(xsm_default_t def, uint32_t access)
+#if 0
+/* Could not find any usages */
+static inline int xsm_memtype(xsm_default_t action, uint32_t access)
{
return alternative_call
On 9/7/21 9:50 AM, Jan Beulich wrote:
On 07.09.2021 15:41, Daniel P. Smith wrote:
On 9/6/21 2:17 PM, Andrew Cooper wrote:
On 03/09/2021 20:06, Daniel P. Smith wrote:
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -69,8 +69,9 @@ void __xsm_action_mismatch_detected(void
On 9/9/21 11:35 AM, Jan Beulich wrote:
> On 03.09.2021 21:06, Daniel P. Smith wrote:
>> The internal define flag is not used by any XSM module, removing the #ifdef
>> leaving the generic event channel labeling as always present.
>
> Already on v2 I did ask
>
&g
On 9/9/21 11:45 AM, Jan Beulich wrote:
> On 03.09.2021 21:06, Daniel P. Smith wrote:
>> SILO implements a few XSM hooks to extended the decision logic beyond
>> what is defined in the dummy/default policy. For each of the hooks, it
>> falls back to the dummy/default policy.
1 - 100 of 526 matches
Mail list logo