* [PATCH] [RFC] xsm: add a default policy to .init.data
@ 2016-05-23 14:51 Daniel De Graaf
2016-05-23 15:08 ` Wei Liu
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Daniel De Graaf @ 2016-05-23 14:51 UTC (permalink / raw)
To: konrad.wilk, cardoe; +Cc: xen-devel, Daniel De Graaf
This includes the policy in tools/flask/policy in the hypervisor so that
the bootloader does not need to load a policy to get sane behavior from
an XSM-enabled hypervisor.
RFC because this adds a binding between xen's build and the tools build.
The inclusion of policy.o could be made conditional on a Kconfig option
(the code handles omission of the policy properly) to disable it. ARM
build is also untested.
Moving the entire FLASK policy to live under the hypervisor would also
work, but this loses the ./configure support for detecting checkpolicy.
---
xen/arch/arm/xen.lds.S | 4 ++++
xen/arch/x86/xen.lds.S | 5 +++++
xen/xsm/flask/Makefile | 21 +++++++++++++++++++++
xen/xsm/xsm_core.c | 12 ++++++++++++
4 files changed, 42 insertions(+)
diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S
index 1f010bd..61dd278 100644
--- a/xen/arch/arm/xen.lds.S
+++ b/xen/arch/arm/xen.lds.S
@@ -139,6 +139,10 @@ SECTIONS
*(.init.data.rel)
*(.init.data.rel.*)
+ __xsm_init_policy_start = .;
+ *(.init.xsm_policy)
+ __xsm_init_policy_end = .;
+
. = ALIGN(8);
__ctors_start = .;
*(.init_array)
diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
index b14bcd2..004c55f 100644
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -155,6 +155,11 @@ SECTIONS
*(.init.data)
*(.init.data.rel)
*(.init.data.rel.*)
+
+ __xsm_init_policy_start = .;
+ *(.init.xsm_policy)
+ __xsm_init_policy_end = .;
+
. = ALIGN(4);
__trampoline_rel_start = .;
*(.trampoline_rel)
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 12fc3a9..16c9474 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -27,6 +27,27 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
$(AV_H_FILES): $(AV_H_DEPEND)
$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+obj-y += policy.o
+
+ifeq ($(XEN_TARGET_ARCH),x86_64)
+ OBJCOPY_ARGS := -I binary -O elf64-x86-64 -B i386:x86-64
+else ifeq ($(XEN_TARGET_ARCH),arm32)
+ OBJCOPY_ARGS := -I binary -O elf32-littlearm -B arm
+else ifeq ($(XEN_TARGET_ARCH),arm64)
+ OBJCOPY_ARGS := -I binary -O elf64-littleaarch64 -B aarch64
+else
+ $(error "Unknown XEN_TARGET_ARCH: $(XEN_TARGET_ARCH)")
+endif
+
+POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
+
+policy.bin: FORCE
+ $(MAKE) -C $(XEN_ROOT)/tools/flask/policy
+ cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
+
+policy.o: policy.bin
+ $(OBJCOPY) $(OBJCOPY_ARGS) --rename-section=.data=.init.xsm_policy policy.bin $@
+
.PHONY: clean
clean::
rm -f $(ALL_H_FILES) *.o $(DEPS)
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 634ec98..af1d86f 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -47,6 +47,17 @@ static void __init do_xsm_initcalls(void)
}
}
+extern char __xsm_init_policy_start[], __xsm_init_policy_end[];
+
+static void __init xsm_policy_init(void)
+{
+ if ( policy_size == 0 )
+ {
+ policy_buffer = __xsm_init_policy_start;
+ policy_size = __xsm_init_policy_end - __xsm_init_policy_start;
+ }
+}
+
static int __init xsm_core_init(void)
{
if ( verify(&dummy_xsm_ops) )
@@ -57,6 +68,7 @@ static int __init xsm_core_init(void)
}
xsm_ops = &dummy_xsm_ops;
+ xsm_policy_init();
do_xsm_initcalls();
return 0;
--
2.5.5
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 14:51 [PATCH] [RFC] xsm: add a default policy to .init.data Daniel De Graaf
@ 2016-05-23 15:08 ` Wei Liu
2016-05-23 15:25 ` Andrew Cooper
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Wei Liu @ 2016-05-23 15:08 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: xen-devel, cardoe, Wei Liu
On Mon, May 23, 2016 at 10:51:29AM -0400, Daniel De Graaf wrote:
> This includes the policy in tools/flask/policy in the hypervisor so that
> the bootloader does not need to load a policy to get sane behavior from
> an XSM-enabled hypervisor.
>
> RFC because this adds a binding between xen's build and the tools build.
> The inclusion of policy.o could be made conditional on a Kconfig option
> (the code handles omission of the policy properly) to disable it. ARM
> build is also untested.
>
[...]
> +POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
This (hypervisor build now depends on tools build) needs to be reflected
in Makfile target dependency if we're really going to do it. But I think
it would make sense to just move the policy directory to hypervisor
directory as well, leaving only flask/utils under tools.
Just my 2 cents.
Wei.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 14:51 [PATCH] [RFC] xsm: add a default policy to .init.data Daniel De Graaf
2016-05-23 15:08 ` Wei Liu
@ 2016-05-23 15:25 ` Andrew Cooper
2016-05-23 15:32 ` Daniel De Graaf
2016-05-23 15:34 ` Jan Beulich
2016-06-07 20:19 ` Konrad Rzeszutek Wilk
3 siblings, 1 reply; 7+ messages in thread
From: Andrew Cooper @ 2016-05-23 15:25 UTC (permalink / raw)
To: Daniel De Graaf, konrad.wilk, cardoe; +Cc: xen-devel
On 23/05/16 15:51, Daniel De Graaf wrote:
> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
> index 634ec98..af1d86f 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> @@ -47,6 +47,17 @@ static void __init do_xsm_initcalls(void)
> }
> }
>
> +extern char __xsm_init_policy_start[], __xsm_init_policy_end[];
> +
> +static void __init xsm_policy_init(void)
> +{
> + if ( policy_size == 0 )
> + {
> + policy_buffer = __xsm_init_policy_start;
> + policy_size = __xsm_init_policy_end - __xsm_init_policy_start;
> + }
Logic like this is slightly problematic if there is no policy.
With these changes, we presumably always expect to have an embedded policy.
It would be cleaner to have a linker ASSERT(__xsm_init_policy_start !=
__xsm_init_policy_end) to guarentee that something is present, at which
point policy_buffer can unilaterally point at __xsm_init_policy_start,
and size can be initialised to __xsm_init_policy_end -
__xsm_init_policy_start.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 15:25 ` Andrew Cooper
@ 2016-05-23 15:32 ` Daniel De Graaf
0 siblings, 0 replies; 7+ messages in thread
From: Daniel De Graaf @ 2016-05-23 15:32 UTC (permalink / raw)
To: Andrew Cooper; +Cc: xen-devel, cardoe
On 05/23/2016 11:25 AM, Andrew Cooper wrote:
> On 23/05/16 15:51, Daniel De Graaf wrote:
>> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
>> index 634ec98..af1d86f 100644
>> --- a/xen/xsm/xsm_core.c
>> +++ b/xen/xsm/xsm_core.c
>> @@ -47,6 +47,17 @@ static void __init do_xsm_initcalls(void)
>> }
>> }
>>
>> +extern char __xsm_init_policy_start[], __xsm_init_policy_end[];
>> +
>> +static void __init xsm_policy_init(void)
>> +{
>> + if ( policy_size == 0 )
>> + {
>> + policy_buffer = __xsm_init_policy_start;
>> + policy_size = __xsm_init_policy_end - __xsm_init_policy_start;
>> + }
>
> Logic like this is slightly problematic if there is no policy.
>
> With these changes, we presumably always expect to have an embedded policy.
People who already have the policy specified in the bootloader may want
to omit the built-in policy. I'm not sure that this should be excluded
completely, although this patch doesn't support it (it would require the
Kconfig option I mentioned).
> It would be cleaner to have a linker ASSERT(__xsm_init_policy_start !=
> __xsm_init_policy_end) to guarentee that something is present, at which
> point policy_buffer can unilaterally point at __xsm_init_policy_start,
> and size can be initialised to __xsm_init_policy_end -
> __xsm_init_policy_start.
No, because this would break the ability to specify a policy module in
GRUB. If there is no built-in policy present, this code will work
correctly: policy_size will remain set to zero, and that is the
condition checked (in flask_init) when the policy itself is used.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 14:51 [PATCH] [RFC] xsm: add a default policy to .init.data Daniel De Graaf
2016-05-23 15:08 ` Wei Liu
2016-05-23 15:25 ` Andrew Cooper
@ 2016-05-23 15:34 ` Jan Beulich
2016-05-23 16:00 ` Daniel De Graaf
2016-06-07 20:19 ` Konrad Rzeszutek Wilk
3 siblings, 1 reply; 7+ messages in thread
From: Jan Beulich @ 2016-05-23 15:34 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: xen-devel, cardoe
>>> On 23.05.16 at 16:51, <dgdegra@tycho.nsa.gov> wrote:
> --- a/xen/xsm/flask/Makefile
> +++ b/xen/xsm/flask/Makefile
> @@ -27,6 +27,27 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
> $(AV_H_FILES): $(AV_H_DEPEND)
> $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
>
> +obj-y += policy.o
> +
> +ifeq ($(XEN_TARGET_ARCH),x86_64)
> + OBJCOPY_ARGS := -I binary -O elf64-x86-64 -B i386:x86-64
> +else ifeq ($(XEN_TARGET_ARCH),arm32)
> + OBJCOPY_ARGS := -I binary -O elf32-littlearm -B arm
> +else ifeq ($(XEN_TARGET_ARCH),arm64)
> + OBJCOPY_ARGS := -I binary -O elf64-littleaarch64 -B aarch64
> +else
> + $(error "Unknown XEN_TARGET_ARCH: $(XEN_TARGET_ARCH)")
> +endif
As this is kind of ugly - did you try whether binutils can be talked
into generating an architecture neutral ELF object (using EM_NONE
as the architecture in the ELF header), and whether that could
then be linked? Of course that would be of limited use of the blob
was other than a plain stream of bytes (i.e. endian independent).
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 15:34 ` Jan Beulich
@ 2016-05-23 16:00 ` Daniel De Graaf
0 siblings, 0 replies; 7+ messages in thread
From: Daniel De Graaf @ 2016-05-23 16:00 UTC (permalink / raw)
To: Jan Beulich; +Cc: xen-devel, cardoe
On 05/23/2016 11:34 AM, Jan Beulich wrote:
>>>> On 23.05.16 at 16:51, <dgdegra@tycho.nsa.gov> wrote:
>> --- a/xen/xsm/flask/Makefile
>> +++ b/xen/xsm/flask/Makefile
>> @@ -27,6 +27,27 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
>> $(AV_H_FILES): $(AV_H_DEPEND)
>> $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
>>
>> +obj-y += policy.o
>> +
>> +ifeq ($(XEN_TARGET_ARCH),x86_64)
>> + OBJCOPY_ARGS := -I binary -O elf64-x86-64 -B i386:x86-64
>> +else ifeq ($(XEN_TARGET_ARCH),arm32)
>> + OBJCOPY_ARGS := -I binary -O elf32-littlearm -B arm
>> +else ifeq ($(XEN_TARGET_ARCH),arm64)
>> + OBJCOPY_ARGS := -I binary -O elf64-littleaarch64 -B aarch64
>> +else
>> + $(error "Unknown XEN_TARGET_ARCH: $(XEN_TARGET_ARCH)")
>> +endif
>
> As this is kind of ugly - did you try whether binutils can be talked
> into generating an architecture neutral ELF object (using EM_NONE
> as the architecture in the ELF header), and whether that could
> then be linked? Of course that would be of limited use of the blob
> was other than a plain stream of bytes (i.e. endian independent).
>
> Jan
You get EM_NONE when you omit the -B argument, but the linker refuses
to accept this as an input unless passed --accept-unknown-input-arch.
With this flag enabled, the built_in.o is binary equal.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC] xsm: add a default policy to .init.data
2016-05-23 14:51 [PATCH] [RFC] xsm: add a default policy to .init.data Daniel De Graaf
` (2 preceding siblings ...)
2016-05-23 15:34 ` Jan Beulich
@ 2016-06-07 20:19 ` Konrad Rzeszutek Wilk
3 siblings, 0 replies; 7+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-06-07 20:19 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: xen-devel, cardoe
On Mon, May 23, 2016 at 10:51:29AM -0400, Daniel De Graaf wrote:
> This includes the policy in tools/flask/policy in the hypervisor so that
> the bootloader does not need to load a policy to get sane behavior from
> an XSM-enabled hypervisor.
>
> RFC because this adds a binding between xen's build and the tools build.
> The inclusion of policy.o could be made conditional on a Kconfig option
> (the code handles omission of the policy properly) to disable it. ARM
And probably also a document update. To mention that the if you have
an policy built-in, you can always over-write if if you include
the policy as the last multiboot argument?
> build is also untested.
>
> Moving the entire FLASK policy to live under the hypervisor would also
> work, but this loses the ./configure support for detecting checkpolicy.
You could do a check for checkpolicy existing like the ld-ver-build-id
does in the ./Config.mk - which then exports XEN_HAS_BUILD_ID=y.
Similary do the check and then export CHECKPOLICY=y ?
> ---
> xen/arch/arm/xen.lds.S | 4 ++++
> xen/arch/x86/xen.lds.S | 5 +++++
> xen/xsm/flask/Makefile | 21 +++++++++++++++++++++
> xen/xsm/xsm_core.c | 12 ++++++++++++
> 4 files changed, 42 insertions(+)
>
> diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S
> index 1f010bd..61dd278 100644
> --- a/xen/arch/arm/xen.lds.S
> +++ b/xen/arch/arm/xen.lds.S
> @@ -139,6 +139,10 @@ SECTIONS
> *(.init.data.rel)
> *(.init.data.rel.*)
>
> + __xsm_init_policy_start = .;
> + *(.init.xsm_policy)
> + __xsm_init_policy_end = .;
> +
> . = ALIGN(8);
> __ctors_start = .;
> *(.init_array)
> diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
> index b14bcd2..004c55f 100644
> --- a/xen/arch/x86/xen.lds.S
> +++ b/xen/arch/x86/xen.lds.S
> @@ -155,6 +155,11 @@ SECTIONS
> *(.init.data)
> *(.init.data.rel)
> *(.init.data.rel.*)
> +
> + __xsm_init_policy_start = .;
> + *(.init.xsm_policy)
> + __xsm_init_policy_end = .;
> +
> . = ALIGN(4);
> __trampoline_rel_start = .;
> *(.trampoline_rel)
> diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
> index 12fc3a9..16c9474 100644
> --- a/xen/xsm/flask/Makefile
> +++ b/xen/xsm/flask/Makefile
> @@ -27,6 +27,27 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
> $(AV_H_FILES): $(AV_H_DEPEND)
> $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
>
> +obj-y += policy.o
> +
> +ifeq ($(XEN_TARGET_ARCH),x86_64)
> + OBJCOPY_ARGS := -I binary -O elf64-x86-64 -B i386:x86-64
> +else ifeq ($(XEN_TARGET_ARCH),arm32)
> + OBJCOPY_ARGS := -I binary -O elf32-littlearm -B arm
> +else ifeq ($(XEN_TARGET_ARCH),arm64)
> + OBJCOPY_ARGS := -I binary -O elf64-littleaarch64 -B aarch64
> +else
> + $(error "Unknown XEN_TARGET_ARCH: $(XEN_TARGET_ARCH)")
> +endif
> +
> +POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
> +
> +policy.bin: FORCE
> + $(MAKE) -C $(XEN_ROOT)/tools/flask/policy
> + cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
> +
> +policy.o: policy.bin
> + $(OBJCOPY) $(OBJCOPY_ARGS) --rename-section=.data=.init.xsm_policy policy.bin $@
> +
> .PHONY: clean
> clean::
> rm -f $(ALL_H_FILES) *.o $(DEPS)
> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
> index 634ec98..af1d86f 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> @@ -47,6 +47,17 @@ static void __init do_xsm_initcalls(void)
> }
> }
>
> +extern char __xsm_init_policy_start[], __xsm_init_policy_end[];
> +
> +static void __init xsm_policy_init(void)
> +{
> + if ( policy_size == 0 )
> + {
> + policy_buffer = __xsm_init_policy_start;
> + policy_size = __xsm_init_policy_end - __xsm_init_policy_start;
> + }
If there are no XSM built (and policy_size is zero), do you need to
set policy_buffer to NULL? I guess it does not hurt as
xsm_multiboot_init had already been called and didn't set policy_size.
And all code checks policy_size and ignores policy_buffer. But maybe
if somebody in the future redoes this code it may be good idea to
just set it to NULL? Or do something like:
if ( !policy_size )
{
policy_size = __xsm_init_policy_end - __xsm_init_policy_start;
if ( policy_size )
policy_buffer = __xsm_init_policy_start;
}
?
> +}
> +
> static int __init xsm_core_init(void)
> {
> if ( verify(&dummy_xsm_ops) )
> @@ -57,6 +68,7 @@ static int __init xsm_core_init(void)
> }
>
> xsm_ops = &dummy_xsm_ops;
> + xsm_policy_init();
> do_xsm_initcalls();
>
> return 0;
> --
> 2.5.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-06-07 20:19 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-23 14:51 [PATCH] [RFC] xsm: add a default policy to .init.data Daniel De Graaf
2016-05-23 15:08 ` Wei Liu
2016-05-23 15:25 ` Andrew Cooper
2016-05-23 15:32 ` Daniel De Graaf
2016-05-23 15:34 ` Jan Beulich
2016-05-23 16:00 ` Daniel De Graaf
2016-06-07 20:19 ` Konrad Rzeszutek Wilk
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).