From mboxrd@z Thu Jan 1 00:00:00 1970 From: Doug Goldstein Subject: [PATCH 1/2] xen: convert FLASK_ENABLE to Kconfig Date: Tue, 22 Dec 2015 15:26:46 -0600 Message-ID: <1450819607-3763-1-git-send-email-cardoe@cardoe.com> References: <1450759603-24249-1-git-send-email-cardoe@cardoe.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1450759603-24249-1-git-send-email-cardoe@cardoe.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: Daniel De Graaf , Doug Goldstein List-Id: xen-devel@lists.xenproject.org Converts the Config.mk option of FLASK_ENABLE into a Kconfig option for the hypervisor called CONFIG_FLASK. This commit knowingly breaks the dependent relationship on XSM_ENABLE which is addressed when XSM_ENABLE is converted to Kconfig. CC: Daniel De Graaf Signed-off-by: Doug Goldstein --- Config.mk | 1 - INSTALL | 6 +++++- docs/misc/xsm-flask.txt | 5 +++-- xen/Rules.mk | 1 - xen/common/Kconfig | 11 +++++++++++ xen/include/Makefile | 2 +- xen/include/xen/config.h | 2 +- xen/include/xen/sched.h | 2 +- xen/xsm/Makefile | 2 +- 9 files changed, 23 insertions(+), 9 deletions(-) diff --git a/Config.mk b/Config.mk index 7b2aa07..7e56b48 100644 --- a/Config.mk +++ b/Config.mk @@ -214,7 +214,6 @@ EMBEDDED_EXTRA_CFLAGS += -fno-exceptions # Enable XSM security module (by default, Flask). XSM_ENABLE ?= n -FLASK_ENABLE ?= $(XSM_ENABLE) XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles # All the files at that location were downloaded from elsewhere on diff --git a/INSTALL b/INSTALL index b7e426c..c51447b 100644 --- a/INSTALL +++ b/INSTALL 
@@ -278,7 +278,11 @@ PYTHON_PREFIX_ARG= The hypervisor may be build with XSM support, which can be changed with the following variables. XSM_ENABLE=y -FLASK_ENABLE=y + +The hypervisor may be build with Flask support, which can be changed +by running: +make -C xen menuconfig +and enabling Flask in the 'Common Features' menu. Do a build for coverage. coverage=y diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index 7249f40..f2f0fd4 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt @@ -172,8 +172,9 @@ Setting up FLASK ---------------- Xen must be compiled with XSM and FLASK enabled; by default, the security -framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE and -FLASK_ENABLE to "y"; this change requires a make clean and rebuild. +framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to +"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common +Features'; this change requires a make clean and rebuild. FLASK uses only one domain configuration parameter (seclabel) defining the full security label of the newly created domain. If using the example policy, diff --git a/xen/Rules.mk b/xen/Rules.mk index 8839dca..489cfd1 100644 --- a/xen/Rules.mk +++ b/xen/Rules.mk @@ -53,7 +53,6 @@ CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h CFLAGS += '-D__OBJECT_FILE__="$@"' CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE -CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE CFLAGS-$(verbose) += -DVERBOSE CFLAGS-$(crash_debug) += -DCRASH_DEBUG CFLAGS-$(perfc) += -DPERF_COUNTERS diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 046e257..3419816 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig 
@@ -8,6 +8,17 @@ config COMPAT HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective of the destination runmode of the guest. +config FLASK + bool "FLux Advanced Security Kernel support" + default n + ---help--- + Enables the FLASK (FLux Advanced Security Kernel) support which + provides a mandatory access control framework by which security + enforcement, isolation, and auditing can be achieved with fine + granular control via a security policy. + + If unsure, say N. + # Select HAS_DEVICE_TREE if device tree is supported config HAS_DEVICE_TREE bool diff --git a/xen/include/Makefile b/xen/include/Makefile index 94ba3d8..9c8188b 100644 --- a/xen/include/Makefile +++ b/xen/include/Makefile @@ -28,7 +28,7 @@ headers-$(CONFIG_X86) += compat/arch-x86/xen.h headers-$(CONFIG_X86) += compat/arch-x86/xen-$(compat-arch-y).h headers-$(CONFIG_X86) += compat/hvm/hvm_vcpu.h headers-y += compat/arch-$(compat-arch-y).h compat/pmu.h compat/xlat.h -headers-$(FLASK_ENABLE) += compat/xsm/flask_op.h +headers-$(CONFIG_FLASK) += compat/xsm/flask_op.h cppflags-y := -include public/xen-compat.h cppflags-$(CONFIG_X86) += -m32 diff --git a/xen/include/xen/config.h b/xen/include/xen/config.h index 7595599..bba015a 100644 --- a/xen/include/xen/config.h +++ b/xen/include/xen/config.h @@ -86,7 +86,7 @@ #define mk_unsigned_long(x) x #endif /* !__ASSEMBLY__ */ -#ifdef FLASK_ENABLE +#ifdef CONFIG_FLASK #define XSM_MAGIC 0xf97cff8c /* Maintain statistics on the access vector cache */ #define FLASK_AVC_STATS 1 diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index fc61fc3..6ea3cc7 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -119,7 +119,7 @@ struct evtchn */ void *generic; #endif -#ifdef FLASK_ENABLE +#ifdef CONFIG_FLASK /* * Inlining the contents of the structure for FLASK avoids unneeded * allocations, and on 64-bit platforms with only FLASK enabled, diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile index 16c13b5..d29e71c 100644 
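Review bot: The new `config FLASK` entry has `default n` and its help text says nothing about XSM, so a build that used to pass only `XSM_ENABLE=y` and got Flask through the removed `FLASK_ENABLE ?= $(XSM_ENABLE)` default now appears to produce an XSM build without the Flask module unless the .config is changed as well. Nothing visible in this patch warns or fails in that case. The commit message defers the dependency to the XSM_ENABLE conversion, but in the meantime the help text should state the requirement that docs/misc/xsm-flask.txt already gives, for example by adding `Xen must also be built with XSM_ENABLE=y for FLASK to be used.` before `If unsure, say N.`. Whether CONFIG_FLASK=y builds or links without XSM_ENABLE cannot be told from these hunks and is worth checking before this lands on its own. As a minor style point, `default n` is redundant for a `bool` symbol and can be dropped.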
--- a/xen/xsm/Makefile +++ b/xen/xsm/Makefile @@ -4,4 +4,4 @@ obj-y += xsm_policy.o obj-y += dummy.o endif -subdir-$(FLASK_ENABLE) += flask +subdir-$(CONFIG_FLASK) += flask -- 2.4.10