Introduce new boot parameter xsm to choose which xsm module is enabled, and set default to dummy.
Signed-off-by: Xin Li <[email protected]> --- CC: Daniel De Graaf <[email protected]> CC: George Dunlap <[email protected]> CC: Jan Beulich <[email protected]> CC: Konrad Rzeszutek Wilk <[email protected]> CC: Stefano Stabellini <[email protected]> CC: Tim Deegan <[email protected]> CC: Wei Liu <[email protected]> CC: Sergey Dyasli <[email protected]> CC: Andrew Cooper <[email protected]> CC: Ming Lu <[email protected]> --- docs/misc/xen-command-line.markdown | 13 ++++++++++ xen/xsm/xsm_core.c | 39 ++++++++++++++++++++++++++++- 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 075e5ea159..7c689b8225 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -865,6 +865,19 @@ hardware domain is architecture dependent. Note that specifying zero as domU value means zero, while for dom0 it means to use the default. +### xsm +> `= dummy | silo | flask` + +> Default: `dummy` + +Specify which XSM module should be enabled. This option is only available if +the hypervisor was compiled with XSM support. + +* `dummy`: this is the default choice. No special restriction will be applied. + it's also used when XSM is compiled out. +* `flask`: this is the policy based access control. To choose this, the + separated option in kconfig must also be enabled. + ### flask > `= permissive | enforcing | late | disabled` diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index cddcf7aa51..e002200578 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c 
@@ -31,6 +31,30 @@ struct xsm_operations *xsm_ops; +enum xsm_bootparam { + XSM_BOOTPARAM_DUMMY, + XSM_BOOTPARAM_FLASK, + XSM_BOOTPARAM_INVALID, +}; + +enum xsm_bootparam __read_mostly xsm_bootparam = XSM_BOOTPARAM_DUMMY; + +static int __init parse_xsm_param(const char *s) +{ + if ( !strcmp(s, "dummy") ) + xsm_bootparam = XSM_BOOTPARAM_DUMMY; +#ifdef CONFIG_XSM_FLASK + else if ( !strcmp(s, "flask") ) + xsm_bootparam = XSM_BOOTPARAM_FLASK; +#endif + else + xsm_bootparam = XSM_BOOTPARAM_INVALID; + + return 0; +} + +custom_param("xsm", parse_xsm_param); + static inline int verify(struct xsm_operations *ops) { /* verify the security_operations structure exists */ @@ -57,7 +81,20 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size) } xsm_ops = &dummy_xsm_ops; - flask_init(policy_buffer, policy_size); + + switch ( xsm_bootparam ) + { + case XSM_BOOTPARAM_DUMMY: + /* empty */ + break; + + case XSM_BOOTPARAM_FLASK: + flask_init(policy_buffer, policy_size); + break; + + default: + printk("XSM: Invalid value for xsm= boot parameter.\n"); + } return 0; } -- 2.18.0 _______________________________________________ Xen-devel mailing list [email protected] https://lists.xenproject.org/mailman/listinfo/xen-devel
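Review bot: In the docs/misc/xen-command-line.markdown hunk, the syntax line offers `= dummy | silo | flask`, but the bullet list describes only `dummy` and `flask`, and parse_xsm_param() in this patch accepts only those two strings, so `xsm=silo` would end up as XSM_BOOTPARAM_INVALID. Either drop `silo` from the syntax line here or add it together with the code that handles it. The text should also spell out the behaviour change that follows from the new default: flask_init() used to be called unconditionally from xsm_core_init(), and with `Default: dummy` a FLASK-enabled build now needs `xsm=flask` on the command line to get FLASK. Minor wording: the continuation line "it's also used when XSM is compiled out." should start with a capital, and "the separated option in kconfig" could name the option, which from the code is CONFIG_XSM_FLASK.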
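Review bot: In the first xen/xsm/xsm_core.c hunk (@@ -31,6 +31,30 @@), parse_xsm_param() returns 0 on every path, including the final `else` that handles an unrecognised string, so the caller cannot tell that the value was rejected. Returning -EINVAL from that branch and leaving xsm_bootparam at its previous value would report the error at parse time and make XSM_BOOTPARAM_INVALID unnecessary. Note also that with CONFIG_XSM_FLASK disabled, `xsm=flask` takes the same invalid path, which the documentation hunk only hints at. As far as this patch shows, xsm_bootparam is referenced only in this file and read only from the __init function xsm_core_init(), so it can be `static` and does not need __read_mostly.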
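Review bot: In the second xen/xsm/xsm_core.c hunk (@@ -57,7 +81,20 @@), the `default:` case of the new switch only prints "XSM: Invalid value for xsm= boot parameter." and then returns 0 with xsm_ops still pointing at dummy_xsm_ops, so a mistyped `xsm=` value on a system meant to run FLASK boots with the module the documentation describes as applying no special restriction. Please decide explicitly whether an invalid selection should stop the boot or fall back, and if it falls back, say so in the message (which module is actually in use) so the condition is visible in the boot log. The `default:` case is also missing its `break;`, unlike the two cases above it.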
