From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Campbell
Subject: Re: [PATCH] xsm/flask: Handle policy load failures properly
Date: Mon, 2 Mar 2015 14:06:43 +0000
Message-ID: <1425305203.21151.37.camel@citrix.com>
In-Reply-To: <54F0792E.6060503@linaro.org>
To: Julien Grall
Cc: xen-devel@lists.xenproject.org, Daniel De Graaf, Wei Liu

On Fri, 2015-02-27 at 14:03 +0000, Julien Grall wrote:
> Hi Daniel,
>
> On 24/02/15 15:53, Daniel De Graaf wrote:
> > This seems a reasonable solution if we don't want to change how the boot
> > parameters are set up.
> >
> > Another alternative would be to change flask_enforcing/flask_enabled to
> > a single "flask=" parameter with options:
> >   disabled - revert to dummy (no XSM) policy, same as flask_enabled=0
> >   develop/permissive - a missing or broken policy does not panic
> >   enforce/enforcing/force - require policy to be loaded at boot time
> >   late/load - bootloader policy is not used; later loadpolicy is enforcing
> >
> > The default would be "permissive" as in the existing hypervisor. This
> > would be more flexible, but I'm not sure it is worth breaking existing
> > command lines and changing documentation to implement.
>
> This looks a good solution, having flask_enforcing without flask_enable
> doesn't make much sense.
>
> Although I don't know what is the policy about xen parameters. Maybe Ian
> or Jan have an idea about it.

I don't think we generally shy away from making such changes where we
have a good reason.

It might be nice to keep the old options as aliases for the equivalent
new behaviour, I don't know if that should be mandatory though.

Ian.
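
The "flask=" option set proposed in the quoted message, with the old options kept as aliases as suggested in the reply, sketched as an added example (not code from the Xen tree or from anyone in this thread). All enum and function names are hypothetical; mapping flask_enforcing=1 to "enforcing" and failing closed on an unrecognised value are assumptions.

```c
#include <string.h>

/* Hypothetical names; the modes and spellings are the ones listed in the proposal. */
enum flask_mode { FLASK_DISABLED, FLASK_PERMISSIVE, FLASK_ENFORCING, FLASK_LATE, FLASK_INVALID };
enum boot_action { BOOT_DUMMY_XSM, BOOT_CONTINUE_PERMISSIVE, BOOT_ENFORCE,
                   BOOT_AWAIT_LOADPOLICY, BOOT_PANIC };

static const struct { const char *name; enum flask_mode mode; } flask_opts[] = {
    { "disabled", FLASK_DISABLED },
    { "develop", FLASK_PERMISSIVE }, { "permissive", FLASK_PERMISSIVE },
    { "enforce", FLASK_ENFORCING }, { "enforcing", FLASK_ENFORCING },
    { "force", FLASK_ENFORCING },
    { "late", FLASK_LATE }, { "load", FLASK_LATE },
};

/* Parse the value of "flask="; NULL means the option was absent (default: permissive). */
enum flask_mode parse_flask(const char *val)
{
    size_t i;
    if (val == NULL)
        return FLASK_PERMISSIVE;
    for (i = 0; i < sizeof(flask_opts) / sizeof(flask_opts[0]); i++)
        if (strcmp(val, flask_opts[i].name) == 0)
            return flask_opts[i].mode;
    return FLASK_INVALID; /* never silently fall back to a weaker mode */
}

/* Old options as aliases: flask_enabled=0 is "disabled" (stated in the proposal);
 * flask_enforcing=1 mapping to "enforcing" is an assumption of this sketch. */
enum flask_mode flask_from_legacy(int flask_enabled, int flask_enforcing)
{
    if (!flask_enabled)
        return FLASK_DISABLED;
    return flask_enforcing ? FLASK_ENFORCING : FLASK_PERMISSIVE;
}

/* Decide what boot does after the bootloader policy load was attempted. */
enum boot_action flask_boot_action(enum flask_mode mode, int policy_loaded)
{
    switch (mode) {
    case FLASK_DISABLED:   return BOOT_DUMMY_XSM;
    case FLASK_PERMISSIVE: return BOOT_CONTINUE_PERMISSIVE; /* missing/broken policy: no panic */
    case FLASK_ENFORCING:  return policy_loaded ? BOOT_ENFORCE : BOOT_PANIC;
    case FLASK_LATE:       return BOOT_AWAIT_LOADPOLICY;    /* bootloader policy ignored */
    default:               return BOOT_PANIC;               /* assumption: fail closed */
    }
}

int main(void)
{
    return flask_boot_action(parse_flask("enforcing"), 1) == BOOT_ENFORCE ? 0 : 1;
}
```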