> -----Original Message-----
> From: Xin Li [mailto:[email protected]]
> Sent: Tuesday, July 3, 2018 9:26 AM
> To: [email protected]
> Cc: Xin Li (Talons) <[email protected]>; Daniel De Graaf
> <[email protected]>; George Dunlap <[email protected]>; Jan
> Beulich <[email protected]>; Konrad Rzeszutek Wilk
> <[email protected]>; Stefano Stabellini <[email protected]>; Tim
> (Xen.org) <[email protected]>; Wei Liu <[email protected]>; Sergey Dyasli
> <[email protected]>; Andrew Cooper <[email protected]>;
> Ming Lu <[email protected]>
> Subject: [PATCH 1/2] xen/xsm: Introduce new boot parameter xsm
>
> Introduce new boot parameter xsm to choose which xsm module is enabled,
> and set default to dummy.
>
> Signed-off-by: Xin Li <[email protected]>
>
> ---
> CC: Daniel De Graaf <[email protected]>
> CC: George Dunlap <[email protected]>
> CC: Jan Beulich <[email protected]>
> CC: Konrad Rzeszutek Wilk <[email protected]>
> CC: Stefano Stabellini <[email protected]>
> CC: Tim Deegan <[email protected]>
> CC: Wei Liu <[email protected]>
> CC: Sergey Dyasli <[email protected]>
> CC: Andrew Cooper <[email protected]>
> CC: Ming Lu <[email protected]>
>
> v2
> To further discuss:
> 1) is "dummy" a good command line option?
> other choices: "basic", "trivial", or "simple"
>
> ---
> docs/misc/xen-command-line.markdown | 13 ++++++++++
> xen/xsm/xsm_core.c | 39 ++++++++++++++++++++++++++++-
> 2 files changed, 51 insertions(+), 1 deletion(-)
>
> diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-
> command-line.markdown
> index 075e5ea159..7ca34aa273 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -865,6 +865,19 @@ hardware domain is architecture dependent.
> Note that specifying zero as domU value means zero, while for dom0 it means
> to use the default.
>
> +### xsm
> +> `= dummy | flask`
> +
> +> Default: `dummy`
> +
> +Specify which XSM module should be enabled. This option is only
> +available if the hypervisor was compiled with XSM support.
> +
> +* `dummy`: this is the default choice. No special restriction will be
> applied.
> + it's also used when XSM is compiled out.
> +* `flask`: this is the policy based access control. To choose this,
> +the
> + separated option in kconfig must also be enabled.
> +
> ### flask
> > `= permissive | enforcing | late | disabled`
>
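Review bot: the `dummy` bullet says it is "also used when XSM is compiled out", which reads as contradicting the sentence just above it that the option is only available when the hypervisor was compiled with XSM support; reword one of the two. The `flask` bullet should name the Kconfig option instead of "the separated option in kconfig" (the code hunk keys on CONFIG_XSM_FLASK) and say that parse_xsm_param() returns -EINVAL for `xsm=flask` when it is not set. The text should also state plainly that with the default `dummy` no FLASK policy is loaded unless `xsm=flask` is given.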
> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index
> cddcf7aa51..d4668edad7 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> @@ -31,6 +31,30 @@
>
> struct xsm_operations *xsm_ops;
>
> +enum xsm_bootparam {
> + XSM_BOOTPARAM_DUMMY,
> + XSM_BOOTPARAM_FLASK,
> +};
> +
> +static enum xsm_bootparam __initdata xsm_bootparam = XSM_BOOTPARAM_DUMMY;
New line here.
>+static int __init parse_xsm_param(const char *s)
> {
> + int rc = 0;
> +
> + if ( !strcmp(s, "dummy") )
> + xsm_bootparam = XSM_BOOTPARAM_DUMMY; #ifdef
> CONFIG_XSM_FLASK
> + else if ( !strcmp(s, "flask") )
> + xsm_bootparam = XSM_BOOTPARAM_FLASK; #endif
> + else
> + rc = -EINVAL;
> +
> + return rc;
> +}
No new line here.
> +custom_param("xsm", parse_xsm_param);
> +
> static inline int verify(struct xsm_operations *ops) {
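Review bot: in parse_xsm_param() an unrecognised value returns -EINVAL but leaves xsm_bootparam at XSM_BOOTPARAM_DUMMY, so a mistyped `xsm=` value (or `xsm=flask` on a build without CONFIG_XSM_FLASK) ends up on the dummy module, which the documentation hunk describes as applying no special restriction. Since this parameter selects the access-control module, consider making that outcome loud, for example a printk that names the rejected value. Also, XSM_BOOTPARAM_FLASK is defined unconditionally while the only code that can assign it sits under #ifdef CONFIG_XSM_FLASK; guarding the enumerator the same way would keep the two consistent.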
> /* verify the security_operations structure exists */ @@ -57,7 +81,20 @@
> static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
> }
>
> xsm_ops = &dummy_xsm_ops;
> - flask_init(policy_buffer, policy_size);
> +
> + switch ( xsm_bootparam )
> + {
> + case XSM_BOOTPARAM_DUMMY:
> + break;
> +
> + case XSM_BOOTPARAM_FLASK:
> + flask_init(policy_buffer, policy_size);
> + break;
> +
> + default:
> + printk("XSM: Invalid value for xsm= boot parameter.\n");
> + break;
> + }
>
> return 0;
> }
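Review bot: the removed line called flask_init() unconditionally, and the switch now calls it only for XSM_BOOTPARAM_FLASK while the initialiser defaults to XSM_BOOTPARAM_DUMMY, so a host that boots today with FLASK and no `xsm=` on its command line would come up on dummy_xsm_ops after this patch. The commit message should call out that behaviour change, or the default should follow the build configuration. Separately, the `default:` branch cannot be reached from the command line, because parse_xsm_param() only ever stores the two enumerators and rejects everything else, so the "Invalid value for xsm= boot parameter" printk is misleading there; ASSERT_UNREACHABLE() would fit better.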
> --
> 2.18.0
_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel