xen-devel.lists.xenproject.org archive mirror
From: Tamas K Lengyel <tamas@tklengyel.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>,
	Tamas K Lengyel <lengyelt@ainfosec.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Tim Deegan <tim@xen.org>, openxt <openxt@googlegroups.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Jan Beulich <jbeulich@suse.com>,
	Xen-devel <xen-devel@lists.xenproject.org>,
	Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH] XSM: add Kconfig option to override bootloader provided policy
Date: Tue, 28 Nov 2017 12:04:56 -0700
Message-ID: <CABfawhka4GL26-OnMm0mGH0Xby_SbcbnKyV2YDXQ+_8F1yB6Bg@mail.gmail.com>
In-Reply-To: <bb763744-f9a3-8741-c39b-68b21997afe2@citrix.com>

On Tue, Nov 28, 2017 at 12:00 PM, Andrew Cooper
<andrew.cooper3@citrix.com> wrote:
> On 28/11/17 18:06, Tamas K Lengyel wrote:
>> From: Tamas K Lengyel <lengyelt@ainfosec.com>
>>
>> Currently the built-in XSM policy only gets used if there is no other policy
>> specified during boot. In this patch we add a Kconfig option to specify that
>> only the built-in policy is used during boot. This is particularly important
>> when booting Xen through the shim, to ensure the XSM policy gets measured and
>> that it can't be replaced by the bootloader with another, unmeasured policy.
>> Note that the XSM policy can still be updated after boot (from dom0 for
>> example) if the built-in policy allows it.
>>
>> Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
>> ---
>> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
>> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
>> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
>> Cc: Jan Beulich <jbeulich@suse.com>
>> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>> Cc: Stefano Stabellini <sstabellini@kernel.org>
>> Cc: Tim Deegan <tim@xen.org>
>> Cc: Wei Liu <wei.liu2@citrix.com>
>> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>> Cc: openxt@googlegroups.com
>> ---
>>  xen/common/Kconfig | 14 ++++++++++++++
>>  xen/xsm/xsm_core.c |  2 ++
>>  2 files changed, 16 insertions(+)
>>
>> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
>> index 103ef44cb5..5ad0d03f37 100644
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -140,6 +140,20 @@ config XSM_POLICY
>>
>>         If unsure, say Y.
>>
>> +config XSM_POLICY_OVERRIDE
>> +     bool "Built-in security policy overrides bootloader provided policy"
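Review bot: the quoted portion of this hunk stops at the prompt line, and the new entry sits directly under the existing XSM_POLICY entry, so make sure the remaining lines of the hunk carry `depends on XSM_POLICY` and a `default n`: an option whose only effect is to force the built-in policy must not be selectable in a configuration that has no built-in policy to fall back to. The help text should also say explicitly that a policy module handed over by the bootloader is ignored (not merged) while this is set, and the boot path should log that it did so; the description notes that the policy can still be changed from dom0 afterwards, and an operator whose bootloader-supplied policy silently never loaded will otherwise look in the wrong place. On the prompt itself, "Built-in security policy overrides bootloader provided policy" reads as if the two policies are combined; a symbol phrased positively around what is allowed (bootloader-provided policy), defaulting to y and switched off for the measured-boot case, states the intent at a glance.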
>
> The overall change certainly looks good and it is obvious why it is a
> benefit.  However, text/functionality like this is cognitively hard to
> follow, and _OVERRIDE isn't obvious as to its functionality at a glance.
>
> Wouldn't it be better to have XSM_BOOTLOADER_POLICY (or possibly
> XSM_ALLOW_?), which defaults to y, and can be forced off for extra security?
>

I'm certainly open to alternate naming suggestions. The current one is
based on an existing option that implements a similar feature with
this naming (CMDLINE_OVERRIDE), while the XSM_POLICY part is from the
existing XSM_POLICY option.

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
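The security argument in the patch description is about which policy bytes end up enforced versus which bytes were measured. The following is an added example, not Xen code and not part of this thread: it models the selection rule the Kconfig option changes (bootloader module wins when present, unless the override is set) and stands in a toy FNV-1a digest for the TPM measurement of the hypervisor image. The struct, function names, the two policy byte strings and the measure() helper are all assumptions made for the illustration.

```c
/* Added example (not Xen code): models how the choice between the built-in
 * XSM policy and a bootloader-supplied policy module interacts with a
 * measured boot. All names, the policy byte strings and the measure()
 * helper are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct policy {
    const char *name;
    const uint8_t *data;
    size_t len;
};

/* Toy stand-in for a TPM measurement: 64-bit FNV-1a over the bytes. */
static uint64_t measure(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Selection rule under discussion: without the override the bootloader
 * module wins whenever one is present; with it, the built-in policy is
 * always used. */
static const struct policy *select_policy(bool xsm_policy_override,
                                          const struct policy *builtin,
                                          const struct policy *from_bootloader)
{
    if (xsm_policy_override || from_bootloader == NULL)
        return builtin;
    return from_bootloader;
}

/* In the shim scenario only the hypervisor image, which carries the
 * built-in policy, is measured. Returns true when the policy actually
 * enforced consists of bytes that were covered by that measurement. */
static bool effective_policy_is_measured(bool xsm_policy_override,
                                         const struct policy *builtin,
                                         const struct policy *from_bootloader)
{
    uint64_t measured = measure(builtin->data, builtin->len);
    const struct policy *eff =
        select_policy(xsm_policy_override, builtin, from_bootloader);
    return measure(eff->data, eff->len) == measured;
}

/* Constructed sample policies; real policies are compiled binary blobs. */
static const uint8_t builtin_blob[] = "allow dom0_t xen_t:xen { kexec };";
static const uint8_t rogue_blob[]   = "allow domU_t xen_t:xen { kexec };";
static const struct policy builtin_policy =
    { "built-in", builtin_blob, sizeof builtin_blob };
static const struct policy rogue_policy =
    { "bootloader module", rogue_blob, sizeof rogue_blob };

int main(void)
{
    printf("override=n, bootloader module present: enforced policy measured? %s\n",
           effective_policy_is_measured(false, &builtin_policy, &rogue_policy)
               ? "yes" : "no");
    printf("override=y, bootloader module present: enforced policy measured? %s\n",
           effective_policy_is_measured(true, &builtin_policy, &rogue_policy)
               ? "yes" : "no");
    return 0;
}
```

The first case is the gap the patch closes: the measurement attests to the built-in policy while the bootloader's unmeasured module is what actually governs the system. The model ignores the post-boot policy update from dom0 that the description mentions; that path is gated by the (measured) built-in policy itself.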


Thread overview: 9+ messages
2017-11-28 18:06 [PATCH] XSM: add Kconfig option to override bootloader provided policy Tamas K Lengyel
2017-11-28 18:51 ` Daniel De Graaf
2017-11-28 19:00 ` Andrew Cooper
2017-11-28 19:04   ` Tamas K Lengyel [this message]
2017-11-29 12:29     ` George Dunlap
2017-11-29 15:32       ` Tamas K Lengyel
2017-11-29  8:19 ` Jan Beulich
2017-11-29 15:33   ` Tamas K Lengyel
2017-11-29 15:38     ` Jan Beulich
