From: Doug Goldstein <cardoe@cardoe.com>
To: xen-devel@lists.xen.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
	Doug Goldstein <cardoe@cardoe.com>
Subject: [PATCH 1/2] xen: convert FLASK_ENABLE to Kconfig
Date: Tue, 22 Dec 2015 15:26:46 -0600	[thread overview]
Message-ID: <1450819607-3763-1-git-send-email-cardoe@cardoe.com> (raw)
In-Reply-To: <1450759603-24249-1-git-send-email-cardoe@cardoe.com>

Converts the Config.mk option FLASK_ENABLE into a Kconfig option for
the hypervisor called CONFIG_FLASK. This commit knowingly breaks the
dependency on XSM_ENABLE; that dependency is addressed when XSM_ENABLE
is converted to Kconfig.

CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
 Config.mk                |  1 -
 INSTALL                  |  6 +++++-
 docs/misc/xsm-flask.txt  |  5 +++--
 xen/Rules.mk             |  1 -
 xen/common/Kconfig       | 11 +++++++++++
 xen/include/Makefile     |  2 +-
 xen/include/xen/config.h |  2 +-
 xen/include/xen/sched.h  |  2 +-
 xen/xsm/Makefile         |  2 +-
 9 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/Config.mk b/Config.mk
index 7b2aa07..7e56b48 100644
--- a/Config.mk
+++ b/Config.mk
@@ -214,7 +214,6 @@ EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
 
 # Enable XSM security module (by default, Flask).
 XSM_ENABLE ?= n
-FLASK_ENABLE ?= $(XSM_ENABLE)
 
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
diff --git a/INSTALL b/INSTALL
index b7e426c..c51447b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -278,7 +278,11 @@ PYTHON_PREFIX_ARG=
 The hypervisor may be build with XSM support, which can be changed with
 the following variables.
 XSM_ENABLE=y
-FLASK_ENABLE=y
+
+The hypervisor may be build with Flask support, which can be changed
+by running:
+make -C xen menuconfig
+and enabling Flask in the 'Common Features' menu.
 
 Do a build for coverage.
 coverage=y
diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index 7249f40..f2f0fd4 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -172,8 +172,9 @@ Setting up FLASK
 ----------------
 
 Xen must be compiled with XSM and FLASK enabled; by default, the security
-framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE and
-FLASK_ENABLE to "y"; this change requires a make clean and rebuild.
+framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to
+"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common
+Features'; this change requires a make clean and rebuild.
 
 FLASK uses only one domain configuration parameter (seclabel) defining the
 full security label of the newly created domain. If using the example policy,
diff --git a/xen/Rules.mk b/xen/Rules.mk
index 8839dca..489cfd1 100644
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -53,7 +53,6 @@ CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
 CFLAGS += '-D__OBJECT_FILE__="$@"'
 
 CFLAGS-$(XSM_ENABLE)    += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE)  += -DFLASK_ENABLE
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG
 CFLAGS-$(perfc)         += -DPERF_COUNTERS
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 046e257..3419816 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -8,6 +8,17 @@ config COMPAT
 	  HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective
 	  of the destination runmode of the guest.
 
+config FLASK
+	bool "FLux Advanced Security Kernel support"
+	default n
+	---help---
+	  Enables the FLASK (FLux Advanced Security Kernel) support which
+	  provides a mandatory access control framework by which security
+	  enforcement, isolation, and auditing can be achieved with fine
+	  granular control via a security policy.
+
+	  If unsure, say N.
+
 # Select HAS_DEVICE_TREE if device tree is supported
 config HAS_DEVICE_TREE
 	bool
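Review bot: `config FLASK` is added with `default n` and no `depends on`, while the `FLASK_ENABLE ?= $(XSM_ENABLE)` line removed from Config.mk made Flask follow XSM, so an existing `XSM_ENABLE=y` build now silently produces a hypervisor without the Flask policy module. The commit message says the dependency returns when XSM_ENABLE moves to Kconfig, but in the meantime nothing in the visible hunks rejects a mismatched combination. That covers XSM on with Flask off, and also `CONFIG_FLASK=y` with `XSM_ENABLE=n`, whose effect on `xen/xsm` and on the `#ifdef CONFIG_FLASK` blocks in `config.h` and `sched.h` cannot be judged from here. Since this changes whether mandatory access control is enforced, I would state it in the help text, for example `Builds that previously set XSM_ENABLE=y must now enable this option explicitly.`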
diff --git a/xen/include/Makefile b/xen/include/Makefile
index 94ba3d8..9c8188b 100644
--- a/xen/include/Makefile
+++ b/xen/include/Makefile
@@ -28,7 +28,7 @@ headers-$(CONFIG_X86)     += compat/arch-x86/xen.h
 headers-$(CONFIG_X86)     += compat/arch-x86/xen-$(compat-arch-y).h
 headers-$(CONFIG_X86)     += compat/hvm/hvm_vcpu.h
 headers-y                 += compat/arch-$(compat-arch-y).h compat/pmu.h compat/xlat.h
-headers-$(FLASK_ENABLE)   += compat/xsm/flask_op.h
+headers-$(CONFIG_FLASK)   += compat/xsm/flask_op.h
 
 cppflags-y                := -include public/xen-compat.h
 cppflags-$(CONFIG_X86)    += -m32
diff --git a/xen/include/xen/config.h b/xen/include/xen/config.h
index 7595599..bba015a 100644
--- a/xen/include/xen/config.h
+++ b/xen/include/xen/config.h
@@ -86,7 +86,7 @@
 #define mk_unsigned_long(x) x
 #endif /* !__ASSEMBLY__ */
 
-#ifdef FLASK_ENABLE
+#ifdef CONFIG_FLASK
 #define XSM_MAGIC 0xf97cff8c
 /* Maintain statistics on the access vector cache */
 #define FLASK_AVC_STATS 1
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index fc61fc3..6ea3cc7 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -119,7 +119,7 @@ struct evtchn
          */
         void *generic;
 #endif
-#ifdef FLASK_ENABLE
+#ifdef CONFIG_FLASK
         /*
          * Inlining the contents of the structure for FLASK avoids unneeded
          * allocations, and on 64-bit platforms with only FLASK enabled,
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index 16c13b5..d29e71c 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -4,4 +4,4 @@ obj-y += xsm_policy.o
 obj-y += dummy.o
 endif
 
-subdir-$(FLASK_ENABLE) += flask
+subdir-$(CONFIG_FLASK) += flask
-- 
2.4.10
