Hi Daniel, On 18/12/2024 02:17, Daniel P. Smith wrote: > > >> On 17/12/2024 11:47, Sergiy Kibrik wrote: >>> Allow to build ARM configuration with support for initializing >>> hardware domain. >>> On ARM it is only possible to start hardware domain in multiboot mode, so >>> dom0less support is required. This is reflected by dependency on >>> DOM0LESS_BOOT >>> instead of directly depending on ARM config option. > > > Just to make sure my assumption is correct, you are looking to do a > multi-domain construction at boot time, with at least two domains. One > of those two domains is the "control domain" and one is the "hardware > domain", aka late hwdom except it's not constructed "late". > > If you want such a configuration, I would highly recommend you first > enable setting flask labels via dom0less (assuming it is not there) Speaking of dom0less and FLASK: a year ago I sent you (privately, through the AMD hyperlaunch collaboration) my attempt at the minimal steps needed to allow setting a FLASK label for dom0less domUs. You told me at the time that you had a slightly different vision of how it should be done. Is there any update in that regard? TBH I thought you were going to add this support together with the other hyperlaunch patches.
For others' reference, I am attaching the patch I created back then, which allows specifying FLASK labels for boot-time domUs; I used it to assign different FLASK roles to those domains. ~Michal
From fae75e940641d1248d2cffde9ed568f121a755f5 Mon Sep 17 00:00:00 2001 From: Michal Orzel <[email protected]> Date: Tue, 12 Mar 2024 13:03:42 +0100 Subject: [PATCH] xen: Add support for specifying XSM FLASK label for dom0less domUs At the moment, it is not possible to create dom0less domUs with XSM FLASK policy (enforcing). This is because they are not being assigned any usable default label (neither in flask_domain_alloc_security() nor by setting initial ssidref in domain creation flags) and as such, they are of type unlabeled_t. Introduce a new XSM op called seclabel_to_sid together with hooks xsm_seclabel_to_sid() and flask_seclabel_to_sid(). In the latter case, this results in calling security_context_to_sid() that converts a security label into SID. Add support for specifying a security label (just like in xl.cfg) for dom0less domUs by adding a new device tree string property 'seclabel'. Signed-off-by: Michal Orzel <[email protected]> --- docs/misc/arm/device-tree/booting.txt | 6 ++++++ xen/arch/arm/dom0less-build.c | 12 ++++++++++++ xen/include/xsm/dummy.h | 6 ++++++ xen/include/xsm/xsm.h | 7 +++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 7 +++++++ 6 files changed, 39 insertions(+) diff --git a/docs/misc/arm/device-tree/booting.txt b/docs/misc/arm/device-tree/booting.txt index bbd955e9c2f6..4eba0524ad41 100644 --- a/docs/misc/arm/device-tree/booting.txt +++ b/docs/misc/arm/device-tree/booting.txt @@ -260,6 +260,12 @@ with the following properties: value specified by Xen command line parameter gnttab_max_maptrack_frames (or its default value if unspecified, i.e. 1024) is used. +- seclabel + + Optional. A string property specifying XSM FLASK security label for + the domain in format user:role:type (e.g. system_u:system_r:domU_t). + If this property is missing, the domain will be of type unlabeled_t. + Under the "xen,domain" compatible node, one or more sub-nodes are present for the DomU kernel and ramdisk. 
diff --git a/xen/arch/arm/dom0less-build.c b/xen/arch/arm/dom0less-build.c
index fb63ec6fd111..b6c762d6ee3d 100644
--- a/xen/arch/arm/dom0less-build.c
+++ b/xen/arch/arm/dom0less-build.c
@@ -10,6 +10,8 @@
 #include <xen/sizes.h>
 #include <xen/vmap.h>
+#include <xsm/xsm.h>
+
 #include <asm/arm64/sve.h>
 #include <asm/dom0less-build.h>
 #include <asm/domain_build.h>
@@ -869,6 +871,7 @@ void __init create_domUs(void)
 .grant_opts = XEN_DOMCTL_GRANT_version(opt_gnttab_max_version),
 };
 unsigned int flags = 0U;
+ const char *seclabel;
 uint32_t val;
 int rc;
@@ -987,6 +990,15 @@ void __init create_domUs(void)
 #endif
 }
+ if ( !dt_property_read_string(node, "seclabel", &seclabel) )
+ {
+ rc = xsm_seclabel_to_sid(seclabel, strlen(seclabel),
+ &d_cfg.ssidref);
+ if ( rc )
+ panic("Could not convert seclabel \"%s\" to sid (%d)\n",
+ seclabel, rc);
+ }
+
 /*
 * The variable max_init_domid is initialized with zero, so here it's
 * very important to use the pre-increment operator to call
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 8671af1ba4d3..4b63b6c36241 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -815,6 +815,12 @@ static XSM_INLINE int cf_check xsm_argo_send(
 #endif /* CONFIG_ARGO */
+static XSM_INLINE int cf_check xsm_seclabel_to_sid(
+ const char *seclabel, size_t len, uint32_t *sid)
+{
+ return -ENOSYS;
+}
+
 #include <public/version.h>
 static XSM_INLINE int cf_check xsm_xen_version(XSM_DEFAULT_ARG uint32_t op)
 {
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 8dad03fd3d45..575a141ee26a 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -201,6 +201,7 @@ struct xsm_ops {
 int (*argo_register_any_source)(const struct domain *d);
 int (*argo_send)(const struct domain *d, const struct domain *t);
 #endif
+ int (*seclabel_to_sid)(const char *seclabel, size_t len, uint32_t *sid);
 };
 #ifdef CONFIG_XSM
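Review bot: A `seclabel` property on a Xen that runs the dummy XSM module now panics the boot, because xsm_seclabel_to_sid() returns -ENOSYS there and the new block in create_domUs() panics on any non-zero rc. Failing closed is the right call, since the operator asked for a label the hypervisor cannot enforce, but neither the panic text nor the booting.txt entry says the property requires FLASK with a loaded policy, so the first thing a user sees is an opaque `Could not convert seclabel "..." to sid (-38)`; I would make that explicit, e.g. `panic("seclabel \"%s\" rejected by XSM (%d); FLASK with a loaded policy is required\n", seclabel, rc);`. The `strlen(seclabel)` on device-tree data is only bounded because dt_property_read_string() refuses values that are not NUL-terminated within the property length (as I believe Xen's implementation does, returning -EILSEQ); a one-line comment such as `/* dt_property_read_string() guarantees NUL termination within the property. */` would record that dependency. The rest of create_domUs() lies outside the hunk.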
@@ -774,6 +775,12 @@ static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 #endif /* CONFIG_ARGO */
+static inline int xsm_seclabel_to_sid(
+ const char *seclabel, size_t len, uint32_t *sid)
+{
+ return alternative_call(xsm_ops.seclabel_to_sid, seclabel, len, sid);
+}
+
 #endif /* XSM_NO_WRAPPERS */
 #ifdef CONFIG_MULTIBOOT
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index e6ffa948f7c5..ba1b3def52db 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -148,6 +148,7 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = {
 .argo_register_any_source = xsm_argo_register_any_source,
 .argo_send = xsm_argo_send,
 #endif
+ .seclabel_to_sid = xsm_seclabel_to_sid,
 };
 void __init xsm_fixup_ops(struct xsm_ops *ops)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 78225f68c15c..bc1520b4b5dd 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1838,6 +1838,12 @@ static int cf_check flask_argo_send(
 #endif
+static int cf_check flask_seclabel_to_sid(
+ const char *seclabel, size_t len, uint32_t *sid)
+{
+ return security_context_to_sid((char *)seclabel, len, sid);
+}
+
 static const struct xsm_ops __initconst_cf_clobber flask_ops = {
 .set_system_active = flask_set_system_active,
 .security_domaininfo = flask_security_domaininfo,
@@ -1974,6 +1980,7 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = {
 .argo_register_any_source = flask_argo_register_any_source,
 .argo_send = flask_argo_send,
 #endif
+ .seclabel_to_sid = flask_seclabel_to_sid,
 };
 const struct xsm_ops *__init flask_init(
-- 
2.25.1
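Review bot: flask_seclabel_to_sid() casts away `const` to call security_context_to_sid(), and the pointer it forwards is the device-tree property data itself (the create_domUs() caller passes the string returned by dt_property_read_string() straight through), which must never be written. If security_context_to_sid() tokenises its input in place, as SELinux-derived context parsers sometimes do, the cast turns that into a write into the FDT; if it copies the string first, the cast only hides a prototype that could already be `const char *`. I would drop the cast and change the internal prototype to `int security_context_to_sid(const char *scontext, size_t scontext_len, uint32_t *sid);` (copying into a local buffer here is the fallback if the parser really does mutate). A short comment on the hook stating that the label buffer is not modified would settle the question for later readers.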
