xen-devel.lists.xenproject.org archive mirror
* [GRUB PATCH 0/2] Better Xen support
@ 2020-05-20 12:14 Ian Jackson
From: Ian Jackson @ 2020-05-20 12:14 UTC (permalink / raw)
  To: grub-devel; +Cc: xen-devel, Ian Jackson

Hi. As maintainer of the Xen Project upstream CI, I do testing of
upstream Xen builds onto Debian systems.

We use grub's 20_linux_xen to do the bootloader setup.  However, it is
missing some features so we are carrying some patches.  Here they are
for your consideration.

Regards, Ian.

Ian Jackson (2):
  20_linux_xen: Ignore xenpolicy and config files too
  20_linux_xen: Support Xen Security Modules (XSM/FLASK)

 util/grub.d/20_linux_xen.in | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

-- 
2.20.1




* [GRUB PATCH 1/2] 20_linux_xen: Ignore xenpolicy and config files too
From: Ian Jackson @ 2020-05-20 12:14 UTC (permalink / raw)
  To: grub-devel; +Cc: xen-devel, Ian Jackson

"file_is_not_sym" currently only checks for xen-syms.  Extend it to
disregard xenpolicy (XSM policy files) and files ending .config (which
are built by the Xen upstream build system in some configurations and
can therefore end up in /boot).

Rename the function accordingly, to "file_is_not_xen_garbage".

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 util/grub.d/20_linux_xen.in | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 81e5f0d7e..30da49d66 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -181,10 +181,14 @@ if [ "x${linux_list}" = "x" ] ; then
     exit 0
 fi
 
-file_is_not_sym () {
+file_is_not_xen_garbage () {
     case "$1" in
 	*/xen-syms-*)
 	    return 1;;
+	*/xenpolicy-*)
+	    return 1;;
+	*/*.config)
+	    return 1;;
 	*)
 	    return 0;;
     esac
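Review bot: the three exclusions in file_is_not_xen_garbage (xen-syms-*, xenpolicy-*, *.config) are undocumented; add a one-line comment above the case statement stating that these are build artefacts and the XSM policy that can land in /boot alongside the hypervisor images and must never be offered as a kernel to boot, so the next person who adds a pattern knows the criterion. The rename is fine, since the function now covers more than symbol files.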
@@ -192,7 +196,7 @@ file_is_not_sym () {
 
 xen_list=
 for i in /boot/xen*; do
-    if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then xen_list="$xen_list $i" ; fi
+    if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then xen_list="$xen_list $i" ; fi
 done
 prepare_boot_cache=
 boot_device_id=
-- 
2.20.1




* [GRUB PATCH 2/2] 20_linux_xen: Support Xen Security Modules (XSM/FLASK)
From: Ian Jackson @ 2020-05-20 12:14 UTC (permalink / raw)
  To: grub-devel; +Cc: xen-devel, Ian Jackson

XSM is enabled by adding "flask=enforcing" as a Xen command line
argument, and providing the policy file as a grub module.

We make entries for both with and without XSM.  If XSM is not compiled
into Xen, then there are no policy files, so no change to the boot
options.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 util/grub.d/20_linux_xen.in | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 30da49d66..7a092b898 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -94,6 +94,11 @@ esac
 title_correction_code=
 
 linux_entry ()
+{
+  linux_entry_xsm "$@" false
+  linux_entry_xsm "$@" true
+}
+linux_entry_xsm ()
 {
   os="$1"
   version="$2"
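Review bot: the meaning of the seventh positional argument passed here (`false` / `true` selecting the non-XSM and XSM variants) is only discoverable from the body of the next hunk; add a short comment above linux_entry saying that each Xen version now produces two entries, the non-XSM one first (so it remains the one GRUB picks when GRUB_DEFAULT is not set) and the XSM one only when a matching policy file exists. Stating that ordering explicitly matters because it decides whether an unattended boot comes up with FLASK enforcing or not.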
@@ -101,6 +106,18 @@ linux_entry ()
   type="$4"
   args="$5"
   xen_args="$6"
+  xsm="$7"
+  # If user wants to enable XSM support, make sure there's
+  # corresponding policy file.
+  if ${xsm} ; then
+      xenpolicy="xenpolicy-$xen_version"
+      if test ! -e "${xen_dirname}/${xenpolicy}" ; then
+	  return
+      fi
+      xen_args="$xen_args flask=enforcing"
+      xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")"
+      # xen_version is used for messages only; actual file is xen_basename
+  fi
   if [ -z "$boot_device_id" ]; then
       boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
   fi
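Review bot: `xenpolicy` is assigned before the existence test but is never cleared on the `${xsm}` = false path, and shell variables are global, so the value survives between calls. With linux_entry calling this function twice per Xen version, the non-XSM entry of a later version inherits `xenpolicy-<earlier version>` from the previous XSM call (or from the XSM call that returned early because the file was missing), and the later `test -n "${xenpolicy}"` then emits a policy module line into an entry that has no `flask=enforcing`. Suggest `xenpolicy=` as the first statement after `xsm="$7"`, or an `else xenpolicy=` branch.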
@@ -154,6 +171,13 @@ EOF
     sed "s/^/$submenu_indentation/" << EOF
 	echo	'$(echo "$message" | grub_quote)'
 	${module_loader}	--nounzip   $(echo $initrd_path)
+EOF
+  fi
+  if test -n "${xenpolicy}" ; then
+    message="$(gettext_printf "Loading XSM policy ...")"
+    sed "s/^/$submenu_indentation/" << EOF
+	echo	'$(echo "$message" | grub_quote)'
+	${module_loader}     ${rel_dirname}/${xenpolicy}
 EOF
   fi
   sed "s/^/$submenu_indentation/" << EOF
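Review bot: the new module line loads the policy with `${module_loader}     ${rel_dirname}/${xenpolicy}` while the initrd line two lines above uses a tab separator and `--nounzip`; document whether the policy deliberately omits `--nounzip` (i.e. that it is always stored uncompressed and may be unpacked by the loader if it is not) and use the same separator so the two module lines read consistently.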
-- 
2.20.1
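An added example, not code from GRUB or from Ian's patches, that re-implements the two behaviours the series adds against a constructed stand-in for /boot: the file filter from patch 1/2 and the two-entries-per-version generation from patch 2/2. It models linux_entry_xsm as a function printing one summary line per entry, with a switch that either resets the `xenpolicy` variable on every call or leaves it as in the posted patch, so the difference between the two behaviours can be observed. Names such as `BOOTDIR`, `entry_xsm` and `generate_menu` are this example's own, and the file names under `BOOTDIR` are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example (not GRUB's 20_linux_xen.in). Builds a scratch directory
# that stands in for /boot, filters it the way patch 1/2 does, and then
# generates menu entries the way patch 2/2 does.

# Constructed /boot: one version with a policy (4.13), one without (4.14),
# plus the non-bootable files the filter must skip.
BOOTDIR="$(mktemp -d)"
trap 'rm -rf "$BOOTDIR"' EXIT
for f in xen-4.13.gz xen-syms-4.13 xenpolicy-4.13 xen-4.13.config xen-4.14.gz; do
    : > "$BOOTDIR/$f"
done

# Same classification as patch 1/2: returns 0 for a bootable hypervisor
# image, 1 for symbol files, XSM policies and build config files.
file_is_not_xen_garbage () {
    case "$1" in
        */xen-syms-*)  return 1;;
        */xenpolicy-*) return 1;;
        */*.config)    return 1;;
        *)             return 0;;
    esac
}

# Space-separated list of hypervisor images found in BOOTDIR.
xen_candidates () {
    list=
    for i in "$BOOTDIR"/xen*; do
        if file_is_not_xen_garbage "$i"; then list="$list $i"; fi
    done
    echo "${list# }"
}

# Model of linux_entry_xsm: $1 version, $2 Xen args, $3 true/false for XSM,
# $4 true/false for whether xenpolicy is reset on entry (the posted patch
# does not reset it). Prints one line per entry, nothing when XSM is
# requested and no policy file exists for that version.
entry_xsm () {
    xen_version="$1"; xen_args="$2"; xsm="$3"; reset="$4"
    if $reset; then xenpolicy=; fi
    if $xsm; then
        xenpolicy="xenpolicy-$xen_version"
        [ -e "$BOOTDIR/$xenpolicy" ] || return 0
        xen_args="$xen_args flask=enforcing"
        xen_version="$xen_version (XSM enabled)"   # label only, as in the patch
    fi
    printf 'entry: %s args=%s policy=%s\n' "$xen_version" "$xen_args" "${xenpolicy:-none}"
}

# Model of linux_entry: non-XSM entry first, then the XSM one.
linux_entry () {
    entry_xsm "$1" "$2" false "$3"
    entry_xsm "$1" "$2" true "$3"
}

# Generate the whole menu; $1 selects whether xenpolicy is reset per call.
generate_menu () {
    for img in $(xen_candidates); do
        v="${img##*/xen-}"; v="${v%.gz}"
        linux_entry "$v" "dom0_mem=1024M" "$1"
    done
}

generate_menu true
```

With the reset, the run yields three entries: a plain and an XSM entry for 4.13 and a plain entry for 4.14. Running `generate_menu false` instead reproduces the posted patch's behaviour, where the 4.14 plain entry is emitted with `policy=xenpolicy-4.13` because the variable set during the 4.13 XSM call was never cleared.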




* Re: [GRUB PATCH 0/2] Better Xen support
From: Daniel Kiper @ 2020-05-20 13:40 UTC (permalink / raw)
  To: Ian Jackson; +Cc: grub-devel, xen-devel

On Wed, May 20, 2020 at 01:14:18PM +0100, Ian Jackson wrote:
> Hi. As maintainer of the Xen Project upstream CI, I do testing of
> upstream Xen builds onto Debian systems.
>
> We use grub's 20_linux_xen to do the bootloader setup.  However, it is
> missing some features so we are carrying some patches.  Here they are
> for your consideration.
>
> Regards, Ian.
>
> Ian Jackson (2):
>   20_linux_xen: Ignore xenpolicy and config files too
>   20_linux_xen: Support Xen Security Modules (XSM/FLASK)

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Daniel

