From: Wei Liu <wei.liu2@citrix.com>
To: xen-devel@lists.xen.org
Cc: Wei Liu <wei.liu2@citrix.com>,
dgdegra@tycho.nsa.gov, ian.jackson@eu.citrix.com,
ian.campbell@citrix.com
Subject: [OSSTEST PATCH v2 08/12] ts-xen-install: install Xen with XSM support if requested
Date: Wed, 24 Sep 2014 22:04:33 +0100
Message-ID: <1411592677-2632-9-git-send-email-wei.liu2@citrix.com>
In-Reply-To: <1411592677-2632-1-git-send-email-wei.liu2@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
ts-xen-install | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 114 insertions(+), 1 deletion(-)
diff --git a/ts-xen-install b/ts-xen-install
index 4d34d1f..3bc4d2e 100755
--- a/ts-xen-install
+++ b/ts-xen-install
@@ -46,6 +46,8 @@ if (@ARGV and $ARGV[0] eq '--check') {
our $ho;
+my $enable_xsm = $r{enable_xsm} =~ m/y/ ? 1 : 0;
+
my %distpath;
sub packages () {
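Review bot: `$r{enable_xsm} =~ m/y/` on the added line matches any value that merely contains a `y`, and it matches against undef when the runvar is not set. Defaulting and anchoring it, for example `($r{enable_xsm} // '') =~ m/^y/`, would make the switch explicit and keep jobs without the runvar quiet.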
@@ -73,6 +75,15 @@ sub extract () {
$r{"${part}buildjob"}, \%distpath);
}
target_cmd_root($ho, '/sbin/ldconfig');
+ if ($enable_xsm) {
+ my $flaskpolicy = target_cmd_output_root($ho,
+ 'find /boot -name \'xenpolicy-*\' -exec basename {} \;');
+ # there should only be one xenpolicy file for a clean install
+ my $c = () = $flaskpolicy =~ /xenpolicy/g;
+ die "Too many XSM policy files $c" if $c > 1;
+ die "XSM policy file is required" if $c == 0;
+ store_runvar("flaskpolicy", $flaskpolicy);
+ }
}
sub adjustconfig () {
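Review bot: the `find /boot -name 'xenpolicy-*'` call in the new XSM block searches /boot recursively, accepts any file type, and keeps only the basename, so a copy in a subdirectory is either counted toward the "Too many XSM policy files" die or stored without its location. Restricting the search with `-maxdepth 1 -type f` and printing the names found in the die message would make a failure here easier to diagnose. It is also worth confirming that the value handed to `store_runvar("flaskpolicy", ...)` carries no trailing newline.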
@@ -133,6 +144,86 @@ sub adjustconfig () {
setup_cxfabric($ho);
}
+
+sub grub_patch () {
+ return << 'END';
+--- /etc/grub.d/20_linux_xen.orig 2014-09-22 11:39:09.120630051 +0100
++++ /etc/grub.d/20_linux_xen 2014-09-22 11:43:07.069802099 +0100
+@@ -63,10 +63,27 @@
+ recovery="$4"
+ args="$5"
+ xen_args="$6"
+- if ${recovery} ; then
+- title="$(gettext_quoted "%s, with Linux %s and XEN %s (recovery mode)")"
++ xsm="$7"
++ # If user want to enable XSM support, make sure there's corresponding
++ # policy file.
++ if ${xsm} ; then
++ xenpolicy=`echo xenpolicy-$xen_version`
++ if test ! -e "${xen_dirname}/${xenpolicy}" ; then
++ return
++ fi
++ xen_args=`echo $xen_args flask_enabled=1 flask_enforcing=1`
++ if ${recovery} ; then
++ title="$(gettext_quoted "%s, with Xen %s (XSM enabled) and Linux %s (recovery mode)")"
++ else
++ title="$(gettext_quoted "%s, with Xen %s (XSM enabled) and Linux %s")"
++ fi
+ else
+- title="$(gettext_quoted "%s, with Linux %s and XEN %s")"
++ xenpolicy=""
++ if ${recovery} ; then
++ title="$(gettext_quoted "%s, with Linux %s and XEN %s (recovery mode)")"
++ else
++ title="$(gettext_quoted "%s, with Linux %s and XEN %s")"
++ fi
+ fi
+ printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}" "${xen_version}"
+ save_default_entry | sed -e "s/^/\t/"
+@@ -88,6 +105,13 @@
+ module ${rel_dirname}/${initrd}
+ EOF
+ fi
++ if test -n "${xenpolicy}" ; then
++ message="$(gettext_printf "Loading XSM policy ...")"
++ cat << EOF
++ echo '$message'
++ module ${rel_dirname}/${xenpolicy}
++EOF
++ fi
+ cat << EOF
+ }
+ EOF
+@@ -98,7 +122,7 @@
+ version=$(echo $basename | sed -e "s,^[^0-9]*-,,g")
+ if grub_file_is_not_garbage "$i" && grep -qx 'CONFIG_XEN_\(DOM0\|PRIVILEGED_GUEST\)=y' /boot/config-${version} 2> /dev/null ; then echo -n "$i " ; fi
+ done`
+-xen_list=`for i in /boot/xen*; do
++xen_list=`for i in /boot/xen[-.]*; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+ done`
+ prepare_boot_cache=
+@@ -137,10 +161,14 @@
+ fi
+
+ linux_entry "${OS}" "${version}" "${xen_version}" false \
+- "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
++ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}" false
++ linux_entry "${OS}" "${version}" "${xen_version}" false \
++ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}" true
+ if [ "x${GRUB_DISABLE_LINUX_RECOVERY}" != "xtrue" ]; then
+ linux_entry "${OS}" "${version}" "${xen_version}" true \
+- "single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}"
++ "single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}" false
++ linux_entry "${OS}" "${version}" "${xen_version}" true \
++ "single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}" true
+ fi
+
+ list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
+
+END
+}
+
sub setupboot () {
my $xenhopt= "conswitch=x watchdog";
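Review bot: the embedded grub patch changes `xen_list` from `/boot/xen*` to `/boot/xen[-.]*` without saying why; a comment stating that this keeps the `xenpolicy-*` files out of the hypervisor list would help whoever has to rebase this patch onto a newer 20_linux_xen. In the same patch, `linux_entry` returns silently when `xsm` is true and `${xen_dirname}/${xenpolicy}` does not exist, so the XSM menu entry simply disappears; a message on stderr before the `return` would make a missing policy visible. The `echo` inside backticks used to set `xenpolicy` and `xen_args` can be plain assignments.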
@@ -170,8 +261,30 @@ sub setupboot () {
};
}
+ if ($enable_xsm) {
+ die if !defined($r{flaskpolicy});
+ target_putfilecontents_root_stash($ho, 10, grub_patch(), "grub.patch");
+ target_cmd_root($ho, << 'END');
+if test ! -e /etc/grub.d/20_linux_xen ; then
+ case `uname -m` in
+ x86*) echo '/etc/grub.d/20_linux_xen doesn't exist, abort'
+ exit 1 ;;
+ arm*) echo '/etc/grub.d/20_linux_xen doesn't exist on ARM, not patching'
+ exit 0 ;;
+ *) echo 'unknown architecture, abort'
+ exit 1;;
+ esac
+elif ! grep -q -- xenpolicy /etc/grub.d/20_linux_xen ; then
+ patch -p0 /etc/grub.d/20_linux_xen < grub.patch
+else
+ echo 'Grub script already supports XSM, not patching'
+ exit 1
+fi
+END
+ }
+
my $want_kernver = get_runvar('kernel_ver',$r{'kernbuildjob'});
- debian_boot_setup($ho, $want_kernver, $xenhopt, \%distpath, \@hooks);
+ debian_boot_setup($ho, $want_kernver, $enable_xsm, $xenhopt, \%distpath, \@hooks);
logm("ready to boot Xen");
}
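Review bot: the apostrophe in `doesn't` inside the single-quoted `echo` strings of the x86 and arm branches closes the shell quote early, so the quotes pair up across lines and the x86 branch's `exit 1 ;;` and the `arm*)` pattern end up inside echoed text instead of being executed. Use double quotes or write "does not exist" in both messages. Separately, the final branch prints 'Grub script already supports XSM, not patching' and then exits 1, which makes a rerun on an already patched host fail; if that is intended, say so in a comment, otherwise exit 0. `die if !defined($r{flaskpolicy})` would also benefit from a message naming the missing runvar.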
--
1.7.10.4