xen-devel.lists.xenproject.org archive mirror
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel@lists.xenproject.org,
	Doug Goldstein <cardoe@cardoe.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Jan Beulich <JBeulich@suse.com>
Subject: Re: [PATCH v3] xsm: add a default policy to .init.data
Date: Thu, 30 Jun 2016 09:45:29 -0400
Message-ID: <20160630134528.GB6428@char.us.oracle.com>
In-Reply-To: <1467212941-8265-1-git-send-email-dgdegra@tycho.nsa.gov>

On Wed, Jun 29, 2016 at 11:09:01AM -0400, Daniel De Graaf wrote:
> This adds a Kconfig option and support for including the XSM policy from
> tools/flask/policy in the hypervisor so that the bootloader does not
> need to provide a policy to get sane behavior from an XSM-enabled
> hypervisor.  The policy provided by the bootloader, if present, will
> override the built-in policy.
> 
> The XSM policy is not moved out of tools because that remains the
> primary location for installing and configuring the policy.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
> 
> Changes from v2 (dropped acks and reviewed-by):
>  - Drop linker script changes, use python binary-to-C file script
>  - Make the config option always include the policy if selected
>  - Note the new conditional dependency on checkpolicy in INSTALL

I liked the previous patch putting it in the __init section.
Is that something this patch could do? Ah, n/m. I see that
the python script generates the binary with __init!

Secondly, I was wondering why the suggestion I had - which was to check
for the availability of 'checkpolicy' and, if not found, then
hide the Kconfig option - was not mentioned?
.. snip...
> +sys.stdout.write("\n};\nconst int __init xsm_init_policy_size = %d;\n" % policy_size)
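
Review bot: the generated definition on this line tags a data object with `__init`, the same annotation the patch puts on functions (`static void __init xsm_policy_init(void)`), while the subject line says the policy goes into .init.data. A data-section annotation such as `__initdata` or `__initconst` on the emitted `xsm_init_policy_size` would match the stated intent.
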
> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
> index 8df1a3c..93c7d43 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> @@ -36,6 +36,24 @@ static inline int verify(struct xsm_operations *ops)
>      return 0;
>  }
>  
> +#ifdef CONFIG_XSM_POLICY
> +extern char xsm_init_policy[];

> +extern int xsm_init_policy_size;
> +#else
> +#define xsm_init_policy 0
> +#endif
> +
> +static void __init xsm_policy_init(void)
> +{
> +#ifdef CONFIG_XSM_POLICY
> +    if ( policy_size == 0 )
> +    {
> +        policy_buffer = xsm_init_policy;
> +        policy_size = xsm_init_policy_size;
> +    }
> +#endif
> +}
> +

This all looks like it could go in a header file?

>  static int __init xsm_core_init(void)
>  {
>      if ( verify(&dummy_xsm_ops) )
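
Review bot: `extern int xsm_init_policy_size;` omits the `const` that the generated definition uses (`const int __init xsm_init_policy_size`), and because both externs are declared privately in this file, nothing lets the compiler check them against the generated source. Declaring them in a header that the generated file also includes would catch the mismatch. In the `#else` branch only `xsm_init_policy` gets a fallback (`#define xsm_init_policy 0`); a comment saying it exists solely for the pointer comparison in xsm_dt_init() would help the next reader.
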
> @@ -46,6 +64,7 @@ static int __init xsm_core_init(void)
>      }
>  
>      xsm_ops = &dummy_xsm_ops;
> +    xsm_policy_init();
>      flask_init();
>  
>      return 0;
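
Review bot: the call to `xsm_policy_init()` sits directly before `flask_init()` with nothing saying that the order matters. If the built-in policy has to be in `policy_buffer`/`policy_size` before `flask_init()` runs, a one-line comment at the call site would keep a later reshuffle from silently dropping the fallback.
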
> @@ -98,7 +117,8 @@ int __init xsm_dt_init(void)
>  
>      ret = xsm_core_init();
>  
> -    xfree(policy_buffer);
> +    if ( policy_buffer != xsm_init_policy )
> +        xfree(policy_buffer);
>  
>      return ret;
>  }
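
Review bot: when CONFIG_XSM_POLICY is off, `xsm_init_policy` expands to `0`, so the new test becomes `policy_buffer != 0` and ownership of the buffer is inferred from a pointer comparison alone. Either way `policy_buffer` keeps its value after this function returns, pointing at freed memory or at the built-in array; setting `policy_buffer = NULL` and `policy_size = 0` after the conditional free would make any stale use easier to catch.
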
> -- 
> 2.7.4
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel