On Tue, Nov 28, 2017 at 12:00 PM, Andrew Cooper <[email protected]> wrote:
> On 28/11/17 18:06, Tamas K Lengyel wrote:
>> From: Tamas K Lengyel <[email protected]>
>>
>> Currently the built-in XSM policy only gets used if there is no other policy
>> specified during boot. In this patch we add a Kconfig option to specify to only
>> use built-in policy during boot. This is particularly important when booting
>> Xen through the shim to ensure the XSM policy gets measured and that it can't
>> be replaced by another unmeasured policy by the bootloader. Note that the XSM
>> policy can still be updated after boot (from dom0 for example) if the built-in
>> policy allows it.
>>
>> Signed-off-by: Tamas K Lengyel <[email protected]>
>> ---
>> Cc: Andrew Cooper <[email protected]>
>> Cc: George Dunlap <[email protected]>
>> Cc: Ian Jackson <[email protected]>
>> Cc: Jan Beulich <[email protected]>
>> Cc: Konrad Rzeszutek Wilk <[email protected]>
>> Cc: Stefano Stabellini <[email protected]>
>> Cc: Tim Deegan <[email protected]>
>> Cc: Wei Liu <[email protected]>
>> Cc: Daniel De Graaf <[email protected]>
>> Cc: [email protected]
>> ---
>> xen/common/Kconfig | 14 ++++++++++++++
>> xen/xsm/xsm_core.c | 2 ++
>> 2 files changed, 16 insertions(+)
>>
>> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
>> index 103ef44cb5..5ad0d03f37 100644
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -140,6 +140,20 @@ config XSM_POLICY
>>
>> If unsure, say Y.
>>
>> +config XSM_POLICY_OVERRIDE
>> + bool "Built-in security policy overrides bootloader provided policy"
>
> The overall change certainly looks good and it is obvious why it is a
> benefit. However, text/functionality like this is cognitively hard to
> follow, and _OVERRIDE isn't obviously as to its functionality at a glance.
>
> Wouldn't it be better to have XSM_BOOTLOADER_POLICY (or possibly
> XSM_ALLOW_?), which defaults to y, and can be forced off for extra security?
>
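Review bot: the quoted hunk stops at the `bool` prompt of `config XSM_POLICY_OVERRIDE`, so the option's `depends on`, `default` and help text are not visible here; since the option is placed right after `config XSM_POLICY` and is meaningless without a built-in policy, it should carry `depends on XSM_POLICY` and default to n, and its help text should state plainly that a bootloader-provided policy is ignored rather than merged when the option is set. The help text should also carry the caveat from the commit message that the policy can still be replaced after boot (for example from dom0) if the built-in policy permits it, so that readers do not assume the boot-time measurement covers the policy for the lifetime of the system.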
I'm certainly open to alternate naming suggestions. The current one is based on an existing option that implements a similar feature with this naming (CMDLINE_OVERRIDE), while the XSM_POLICY part is from the existing XSM_POLICY option.

Tamas

_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel
