From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
To: xen-devel@lists.xenproject.org
Cc: sstabellini@kernel.org, julien@xen.org,
	Volodymyr_Babchuk@epam.com, andrew.cooper3@citrix.com,
	george.dunlap@citrix.com, iwj@xenproject.org, jbeulich@suse.com,
	wl@xen.org, roger.pau@citrix.com, tamas@tklengyel.com,
	tim@xen.org, jgross@suse.com, aisaila@bitdefender.com,
	ppircalabu@bitdefender.com, dfaggioli@suse.com, paul@xen.org,
	kevin.tian@intel.com, dgdegra@tycho.nsa.gov,
	adam.schwalm@starlab.io, scott.davis@starlab.io
Subject: [RFC PATCH 00/10] xsm: introducing domain roles
Date: Fri, 14 May 2021 16:54:27 -0400
Message-ID: <20210514205437.13661-1-dpsmith@apertussolutions.com>

During the hyperlaunch design sessions a request was made to come up with a
formal definition of the roles a domain was allowed to take on. In particular
the primary focus was to answer what is the control domain and what is the
hardware domain. Another comment came up during the discussion on PCI pass
through and how it would work in a disaggregated platform as what was being
proposed as a primary use case for hyperlaunch. Based on these concerns, the
hyperlaunch team took a hard look at what were all the roles that were either
explicitly defined in code, loosely defined in code, as well as those that were
more conceptual or required a solution like Flask.

The result is that a set of seven explicitly assignable domain roles and three
implied domain roles were identified and defined. To provide for and enforce
these domain roles, it was identified that the core XSM system in fact existed
in this pseudo unsupported but supported existence. Depending on whether XSM
was turned on or off did not turn on or off the XSM hooks, it only determined
if the base "dummy policy module" was inlined in for the XSM hooks or if they
were made available through the xsm_ops op dispatch structure.

This patch set starts with converting the existing security controls to using
the identified domain roles. It then moves to making the domain roles the core
enforcement mechanism for XSM and merging the split state of existence into an
equivalent of its supported form. With the conversion of XSM, the SILO policy
module is refactored to achieve its security goal as an extension of the domain
roles mechanism. The necessary adjustments are made to Flask and the Kconfig
system to support this work.

Due to the impact of this change, every effort was made to ensure the patch set
is bisectable and the features can be tested incrementally. This is an RFC with
limited building and testing completed against it, therefore one may find build
configurations and runtime configurations that do not work.

Daniel P. Smith (10):
  headers: introduce new default privilege model
  control domain: refactor is_control_domain
  xenstore: migrate to default privilege model
  xsm: convert rewrite privilege check function
  hardware domain: convert to domain roles
  xsm-roles: covert the dummy system to roles
  xsm-roles: adjusting core xsm
  xsm-silo: convert silo over to domain roles
  xsm-flask: clean up for domain roles conversion
  common/Kconfig: updating Kconfig for domain roles

 xen/arch/arm/dm.c                     |   2 +-
 xen/arch/arm/domctl.c                 |   6 +-
 xen/arch/arm/hvm.c                    |   2 +-
 xen/arch/arm/mm.c                     |   2 +-
 xen/arch/arm/platform_hypercall.c     |   2 +-
 xen/arch/x86/acpi/cpu_idle.c          |   3 +-
 xen/arch/x86/cpu/mcheck/mce.c         |   2 +-
 xen/arch/x86/cpu/mcheck/vmce.h        |   3 +-
 xen/arch/x86/cpu/vpmu.c               |   9 +-
 xen/arch/x86/crash.c                  |   2 +-
 xen/arch/x86/domctl.c                 |   8 +-
 xen/arch/x86/hvm/dm.c                 |   2 +-
 xen/arch/x86/hvm/hvm.c                |  12 +-
 xen/arch/x86/io_apic.c                |   9 +-
 xen/arch/x86/irq.c                    |   4 +-
 xen/arch/x86/mm.c                     |  22 +-
 xen/arch/x86/mm/mem_paging.c          |   2 +-
 xen/arch/x86/mm/mem_sharing.c         |   8 +-
 xen/arch/x86/mm/p2m.c                 |   2 +-
 xen/arch/x86/mm/paging.c              |   4 +-
 xen/arch/x86/mm/shadow/set.c          |   2 +-
 xen/arch/x86/msi.c                    |   6 +-
 xen/arch/x86/nmi.c                    |   3 +-
 xen/arch/x86/pci.c                    |   2 +-
 xen/arch/x86/physdev.c                |  16 +-
 xen/arch/x86/platform_hypercall.c     |  10 +-
 xen/arch/x86/pv/emul-priv-op.c        |   2 +-
 xen/arch/x86/setup.c                  |   3 +
 xen/arch/x86/sysctl.c                 |   4 +-
 xen/arch/x86/traps.c                  |   2 +-
 xen/arch/x86/x86_64/mm.c              |  11 +-
 xen/common/Kconfig                    |  14 +-
 xen/common/domain.c                   | 120 ++++-
 xen/common/domctl.c                   |  12 +-
 xen/common/event_channel.c            |  15 +-
 xen/common/grant_table.c              |  16 +-
 xen/common/hypfs.c                    |   2 +-
 xen/common/kernel.c                   |   2 +-
 xen/common/kexec.c                    |   4 +-
 xen/common/keyhandler.c               |   4 +-
 xen/common/mem_access.c               |   2 +-
 xen/common/memory.c                   |  16 +-
 xen/common/monitor.c                  |   2 +-
 xen/common/sched/core.c               |   6 +-
 xen/common/shutdown.c                 |  14 +-
 xen/common/sysctl.c                   |   8 +-
 xen/common/vm_event.c                 |   7 +-
 xen/common/xenoprof.c                 |   5 +-
 xen/drivers/char/console.c            |   2 +-
 xen/drivers/char/ns16550.c            |   3 +-
 xen/drivers/passthrough/device_tree.c |   4 +-
 xen/drivers/passthrough/pci.c         |  24 +-
 xen/drivers/passthrough/vtd/iommu.c   |   2 +-
 xen/include/xen/sched.h               |  30 +-
 xen/include/xsm/dummy.h               | 256 +++++-----
 xen/include/xsm/roles.h               |  70 +++
 xen/include/xsm/xsm.h                 | 710 +++++++++++++++++---------
 xen/xsm/Makefile                      |   3 +-
 xen/xsm/dummy.c                       | 160 ------
 xen/xsm/flask/flask_op.c              |   2 +-
 xen/xsm/silo.c                        |  22 +-
 xen/xsm/xsm_core.c                    |  46 +-
 62 files changed, 991 insertions(+), 759 deletions(-)
 create mode 100644 xen/include/xsm/roles.h
 delete mode 100644 xen/xsm/dummy.c

-- 
2.20.1


