Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-17 Thread Konrad Rzeszutek Wilk
On Thu, Jun 09, 2016 at 10:47:18AM -0400, Daniel De Graaf wrote: > This adds a Kconfig option and support for including the XSM policy from > tools/flask/policy in the hypervisor so that the bootloader does not > need to provide a policy to get sane behavior from an XSM-enabled > hypervisor. The p

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-10 Thread Daniel De Graaf
On 06/09/2016 05:54 PM, Doug Goldstein wrote: On 6/9/16 11:53 AM, Daniel De Graaf wrote: On 06/09/2016 12:15 PM, Jan Beulich wrote: On 09.06.16 at 16:47, wrote: --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -132,6 +132,23 @@ config FLASK If unsure, say Y. +config XSM_POLICY +

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-10 Thread Jan Beulich
>>> On 09.06.16 at 18:58, wrote: > On 06/09/2016 11:30 AM, Andrew Cooper wrote: >> On 09/06/16 15:47, Daniel De Graaf wrote: >>> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c >>> index 4a264c2..6ffccb2 100644 >>> --- a/xen/xsm/xsm_core.c >>> +++ b/xen/xsm/xsm_core.c >>> @@ -36,6 +36,17 @@ s

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Jan Beulich
>>> On 09.06.16 at 18:53, wrote: > On 06/09/2016 12:15 PM, Jan Beulich wrote: > On 09.06.16 at 16:47, wrote: >>> --- a/xen/common/Kconfig >>> +++ b/xen/common/Kconfig >>> @@ -132,6 +132,23 @@ config FLASK >>> >>> If unsure, say Y. >>> >>> +config XSM_POLICY >>> + bool "Compile Xen wit

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Doug Goldstein
On 6/9/16 11:53 AM, Daniel De Graaf wrote: > On 06/09/2016 12:15 PM, Jan Beulich wrote: > On 09.06.16 at 16:47, wrote: >>> --- a/xen/common/Kconfig >>> +++ b/xen/common/Kconfig >>> @@ -132,6 +132,23 @@ config FLASK >>> >>>If unsure, say Y. >>> >>> +config XSM_POLICY >>> +bool "Comp

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Daniel De Graaf
On 06/09/2016 11:30 AM, Andrew Cooper wrote: On 09/06/16 15:47, Daniel De Graaf wrote: diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 4a264c2..6ffccb2 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -36,6 +36,17 @@ static inline int verify(struct xsm_operations *ops)

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Daniel De Graaf
On 06/09/2016 12:15 PM, Jan Beulich wrote: On 09.06.16 at 16:47, wrote: --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -132,6 +132,23 @@ config FLASK If unsure, say Y. +config XSM_POLICY + bool "Compile Xen with a built-in security policy" + default y + depen

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Jan Beulich
>>> On 09.06.16 at 16:47, wrote: > --- a/xen/common/Kconfig > +++ b/xen/common/Kconfig > @@ -132,6 +132,23 @@ config FLASK > > If unsure, say Y. > > +config XSM_POLICY > + bool "Compile Xen with a built-in security policy" > + default y > + depends on XSM > + ---help---
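Review bot: In the `config XSM_POLICY` entry, `depends on XSM` looks broader than it should be for a policy that, per the commit message, is built from tools/flask/policy. The hunk header places this entry right after a separate `config FLASK` option, so if FLASK can be turned off while XSM stays on, `default y` would still embed a Flask policy blob that nothing consumes. Consider `depends on FLASK` instead, unless another XSM module is meant to use the built-in policy. The visible part of the hunk is cut off at `---help---`, so it is also worth confirming that the help text states the override rule from the commit message: a policy provided by the bootloader, if present, takes precedence over the built-in one.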

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Andrew Cooper
On 09/06/16 15:47, Daniel De Graaf wrote: > diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c > index 4a264c2..6ffccb2 100644 > --- a/xen/xsm/xsm_core.c > +++ b/xen/xsm/xsm_core.c > @@ -36,6 +36,17 @@ static inline int verify(struct xsm_operations *ops) > return 0; > } > > +extern char _

[Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

2016-06-09 Thread Daniel De Graaf
This adds a Kconfig option and support for including the XSM policy from tools/flask/policy in the hypervisor so that the bootloader does not need to provide a policy to get sane behavior from an XSM-enabled hypervisor. The policy provided by the bootloader, if present, will override the built-in