Re: [Xen-devel] [PATCH v4] xsm: add a default policy to .init.data
>>> On 07.07.16 at 16:44, wrote:
> On 07/07/2016 06:30 AM, Jan Beulich wrote:
> On 05.07.16 at 19:44, wrote:
>>> +static inline void xsm_policy_init(void)
>>> +{
>>> +#ifdef CONFIG_XSM_POLICY
>>> +if ( policy_size == 0 )
>>> +{
>>> +policy_buffer = (char*)xsm_init_policy;
>>
>> Can't xsm_init_policy be of type const char[] then, avoiding the need
>> for a cast (you certainly shouldn't be casting away constness)? If not,
>> besides adding the const please also add a blank before the *.
>
> The policy_buffer global cannot be a const char* because it is passed to
> xfree() below (only in ARM); the cast would only be moved. The buffer is
> never modified, if that's what you are asking.
>
> The reason that xsm_init_policy is unsigned is to avoid compiler warnings
> resulting from assigning values such as 0xF3 to a signed character.

This is all ugly, but you're the maintainer, so you know best.

Jan

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH v4] xsm: add a default policy to .init.data
On 07/07/2016 06:30 AM, Jan Beulich wrote: On 05.07.16 at 19:44,wrote: --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -762,6 +762,13 @@ static inline void flask_init(void) } #endif +#ifdef CONFIG_XSM_POLICY +extern const unsigned char xsm_init_policy[]; +extern const int xsm_init_policy_size; unsigned int or size_t please. --- a/xen/xsm/flask/Makefile +++ b/xen/xsm/flask/Makefile @@ -27,6 +27,17 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND) $(AV_H_FILES): $(AV_H_DEPEND) $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) +obj-$(CONFIG_XSM_POLICY) += policy.o + +POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION) + +policy.bin: FORCE + $(MAKE) -C $(XEN_ROOT)/tools/flask/policy + cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@ + +policy.c: policy.bin gen-policy.py + $(PYTHON) gen-policy.py < $< > $@ + .PHONY: clean clean:: rm -f $(ALL_H_FILES) *.o $(DEPS) I suppose the clean target then also needs adjustment? Yes, it does. +static inline void xsm_policy_init(void) +{ +#ifdef CONFIG_XSM_POLICY +if ( policy_size == 0 ) +{ +policy_buffer = (char*)xsm_init_policy; Can't xsm_init_policy by of type const char[] then, avoiding the need for a cast (you certainly shouldn't be casting away constness)? If not, besides adding the const please also add a blank before the *. The policy_buffer global cannot be a const char* because it is passed to xfree() below (only in ARM); the cast would only be moved. The buffer is never modified, if that's what you are asking. The reason that xsm_init_policy is unsigned is to avoid compiler warnings resulting from assigning values such as 0xF3 to a signed character. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
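Review bot: In xsm_policy_init(), the assignment "policy_buffer = (char*)xsm_init_policy;" leaves the global pointing at the built-in array, while the reply below it states that policy_buffer is passed to xfree() on ARM. Please make sure the ARM path cannot call xfree() on the built-in array, for instance by freeing only a buffer that was allocated for a bootloader-provided policy, and add a comment at the assignment explaining why the const is cast away. As the generated data is labelled __initconst, it is also worth stating that policy_buffer must not be dereferenced once init memory has been released.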
Re: [Xen-devel] [PATCH v4] xsm: add a default policy to .init.data
>>> On 05.07.16 at 19:44,wrote: > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -762,6 +762,13 @@ static inline void flask_init(void) > } > #endif > > +#ifdef CONFIG_XSM_POLICY > +extern const unsigned char xsm_init_policy[]; > +extern const int xsm_init_policy_size; unsigned int or size_t please. > --- a/xen/xsm/flask/Makefile > +++ b/xen/xsm/flask/Makefile > @@ -27,6 +27,17 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND) > $(AV_H_FILES): $(AV_H_DEPEND) > $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) > > +obj-$(CONFIG_XSM_POLICY) += policy.o > + > +POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION) > + > +policy.bin: FORCE > + $(MAKE) -C $(XEN_ROOT)/tools/flask/policy > + cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@ > + > +policy.c: policy.bin gen-policy.py > + $(PYTHON) gen-policy.py < $< > $@ > + > .PHONY: clean > clean:: > rm -f $(ALL_H_FILES) *.o $(DEPS) I suppose the clean target then also needs adjustment? > +static inline void xsm_policy_init(void) > +{ > +#ifdef CONFIG_XSM_POLICY > +if ( policy_size == 0 ) > +{ > +policy_buffer = (char*)xsm_init_policy; Can't xsm_init_policy by of type const char[] then, avoiding the need for a cast (you certainly shouldn't be casting away constness)? If not, besides adding the const please also add a blank before the *. Jan ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
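Review bot: In the xen/xsm/flask/Makefile hunk, the policy.c rule writes straight into its target with "$(PYTHON) gen-policy.py < $< > $@", so a failing gen-policy.py leaves a partial policy.c behind unless .DELETE_ON_ERROR is in effect, and the next build would treat it as up to date. Generating into a temporary file and renaming it on success would keep a truncated policy from being compiled into the hypervisor. A short comment above the policy.bin rule saying why it uses FORCE together with "cmp -s ... || cp" (rebuild the tools policy every time, but only touch policy.bin when it changed) would also help.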
Re: [Xen-devel] [PATCH v4] xsm: add a default policy to .init.data
On Tue, Jul 05, 2016 at 01:44:43PM -0400, Daniel De Graaf wrote:
> This adds a Kconfig option and support for including the XSM policy from
> tools/flask/policy in the hypervisor so that the bootloader does not
> need to provide a policy to get sane behavior from an XSM-enabled
> hypervisor. The policy provided by the bootloader, if present, will
> override the built-in policy.
>
> The XSM policy is not moved out of tools because that remains the
> primary location for installing and configuring the policy.
>
> Signed-off-by: Daniel De Graaf

Reviewed-by: Konrad Rzeszutek Wilk
[Xen-devel] [PATCH v4] xsm: add a default policy to .init.data
This adds a Kconfig option and support for including the XSM policy from tools/flask/policy in the hypervisor so that the bootloader does not need to provide a policy to get sane behavior from an XSM-enabled hypervisor. The policy provided by the bootloader, if present, will override the built-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf--- Changes from v3: - Make default Kconfig value depend on the presence of checkpolicy - Use proper __initconst label on generated data - Place generated symbols in xsm.h to enforce type matching Config.mk | 6 ++ INSTALL | 10 -- docs/misc/xen-command-line.markdown | 16 +--- docs/misc/xsm-flask.txt | 30 +++--- xen/common/Kconfig | 20 xen/include/xsm/xsm.h | 7 +++ xen/xsm/flask/.gitignore| 1 + xen/xsm/flask/Makefile | 11 +++ xen/xsm/flask/gen-policy.py | 23 +++ xen/xsm/xsm_core.c | 15 ++- 10 files changed, 114 insertions(+), 25 deletions(-) create mode 100644 xen/xsm/flask/.gitignore create mode 100644 xen/xsm/flask/gen-policy.py diff --git a/Config.mk b/Config.mk index 723e129..01316ae 100644 --- a/Config.mk +++ b/Config.mk @@ -147,6 +147,12 @@ export XEN_HAS_BUILD_ID=y build_id_linker := --build-id=sha1 endif +ifndef XEN_HAS_CHECKPOLICY +CHECKPOLICY ?= checkpolicy +XEN_HAS_CHECKPOLICY := $(shell $(CHECKPOLICY) -h 2>&1 | grep -q xen && echo y || echo n) +export XEN_HAS_CHECKPOLICY +endif + # as-insn: Check whether assembler supports an instruction. # Usage: cflags-y += $(call as-insn "insn",option-yes,option-no) as-insn = $(if $(shell echo 'void _(void) { asm volatile ( $(2) ); }' \ diff --git a/INSTALL b/INSTALL index 616a67a..9759354 100644 --- a/INSTALL +++ b/INSTALL 
@@ -269,10 +269,16 @@ Building the python tools may fail unless certain options are passed to setup.py. Config.mk contains additional info how to use this variable. PYTHON_PREFIX_ARG= -The hypervisor may be build with XSM/Flask support, which can be changed +The hypervisor may be built with XSM/Flask support, which can be changed by running: make -C xen menuconfig -and enabling XSM/Flask in the 'Common Features' menu. +and enabling XSM/Flask in the 'Common Features' menu. A security policy +is required to use XSM/Flask; if the SELinux policy compiler is +available, the policy from tools can be included in the hypervisor. +This option is enabled by default if XSM is enabled and the compiler +(checkpolicy) is found. The location of this executable can be set +using the environment variable. +CHECKPOLICY= Do a build for coverage. coverage=y diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 2a088ca..5500242 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown 
@@ -712,13 +712,15 @@ enabled by running either: with untrusted guests. If a policy is provided by the bootloader, it will be loaded; errors will be reported to the ring buffer but will not prevent booting. The policy can be changed to enforcing mode using "xl setenforce". -* `enforcing`: This requires a security policy to be provided by the bootloader - and will enter enforcing mode prior to the creation of domain 0. If a valid - policy is not provided, the hypervisor will not continue booting. -* `late`: This disables loading of the security policy from the bootloader. - FLASK will be enabled but will not enforce access controls until a policy is - loaded by a domain using "xl loadpolicy". Once a policy is loaded, FLASK will - run in enforcing mode unless "xl setenforce" has changed that setting. +* `enforcing`: This will cause the security server to enter enforcing mode prior + to the creation of domain 0. If an valid policy is not provided by the + bootloader and no built-in policy is present, the hypervisor will not continue + booting. +* `late`: This disables loading of the built-in security policy or the policy + provided by the bootloader. FLASK will be enabled but will not enforce access + controls until a policy is loaded by a domain using "xl loadpolicy". Once a + policy is loaded, FLASK will run in enforcing mode unless "xl setenforce" has + changed that setting. * `disabled`: This causes the XSM framework to revert to the dummy module. The dummy module provides the same security policy as is used when compiling the hypervisor without support for XSM. The xsm\_op hypercall can also be used to diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index 2f42585..62f15dd 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt @@ -141,21 +141,21 @@
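Review bot: In the Config.mk hunk, the XEN_HAS_CHECKPOLICY probe sends both stdout and stderr of "$(CHECKPOLICY) -h" into "grep -q xen", so any output containing "xen" is taken as support, including the shell's "not found" error when CHECKPOLICY is set to a path that has "xen" in it. Since the changelog says the default Kconfig value depends on this result, a false "y" turns on the built-in policy on a host that cannot compile it. Please check that the binary exists before grepping, or match a more specific string from the help text, and add a comment saying what the grep is looking for.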
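Review bot: In the docs/misc/xen-command-line.markdown hunk, the new "enforcing" text does not say what happens when the bootloader supplies a policy that fails to load while a built-in policy is present. The xsm_policy_init() fragment quoted in this thread selects the built-in policy only when policy_size == 0, which suggests there is no fallback in that case; please state the behaviour explicitly, because it decides whether a corrupt bootloader policy stops the boot or silently changes which policy is enforced. In the same paragraph, "If an valid policy" should read "If a valid policy".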