ia64/xen-unstable

changeset 9850:ae709b250f43

merge with xen-unstable.hg
author awilliam@xenbuild.aw
date Tue Apr 25 23:35:55 2006 -0600 (2006-04-25)
parents 9a915e2828f3 1ad06bd6832d
children 83f7dfe273a0
files tools/examples/xmexample.vti tools/security/get_decision.c tools/security/getlabel.sh tools/security/labelfuncs.sh tools/security/policies/chwall/chwall-security_label_template.xml tools/security/policies/chwall/chwall-security_policy.xml tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml tools/security/policies/chwall_ste/chwall_ste-security_policy.xml tools/security/policies/null/null-security_label_template.xml tools/security/policies/null/null-security_policy.xml tools/security/policies/ste/ste-security_label_template.xml tools/security/policies/ste/ste-security_policy.xml tools/security/python/xensec_gen/cgi-bin/policylabel.cgi tools/security/setlabel.sh tools/security/updategrub.sh
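--- a/README
+++ b/README
@@ -1,176 +1,176 @@
-################################
- __  __            _____  ___  
- \ \/ /___ _ __   |___ / / _ \ 
-  \  // _ \ '_ \    |_ \| | | |
-  /  \  __/ | | |  ___) | |_| |
- /_/\_\___|_| |_| |____(_)___/ 
-
-################################
-
-http://www.xensource.com/xen/about.html
-
-What is Xen?
-============
-
-Xen is a Virtual Machine Monitor (VMM) originally developed by the
-Systems Research Group of the University of Cambridge Computer
-Laboratory, as part of the UK-EPSRC funded XenoServers project.  Xen
-is freely-distributable Open Source software, released under the GNU
-GPL. Since its initial public release, Xen has grown a large
-development community, spearheaded by XenSource Inc, a company created
-by the original Xen development team to build enterprise products
-around Xen.
-
-The 3.0 release offers excellent performance, hardware support and
-enterprise-grade features such as x86_32-PAE, x86_64, SMP guests and
-live relocation of VMs. This install tree contains source for a Linux
-2.6 guest; ports to Linux 2.4, NetBSD, FreeBSD and Solaris will follow
-later (and are already available for previous Xen releases).
-
-This file contains some quick-start instructions to install Xen on
-your system. For full documentation, see the Xen User Manual. If this
-is a pre-built release then you can find the manual at:
- dist/install/usr/share/doc/xen/pdf/user.pdf
-If you have a source release, then 'make -C docs' will build the
-manual at docs/pdf/user.pdf.
-
-Quick-Start Guide - Pre-Built Binary Release
-============================================
-
-[NB. Unless noted otherwise, all the following steps should be
-performed with root privileges.]
-
-1. Install the binary distribution onto your filesystem:
-
-    # sh ./install.sh
-
-   Among other things, this will install Xen and Xen-ready Linux
-   kernel files in /boot, kernel modules and Python packages in /lib,
-   and various control tools in standard 'bin' directories.
-
-2. Configure your bootloader to boot Xen and an initial Linux virtual
-   machine. Note that Xen currently only works with GRUB and pxelinux
-   derived boot loaders: less common alternatives such as LILO are
-   *not* supported. You can most likely find your GRUB menu file at
-   /boot/grub/menu.lst: edit this file to include an entry like the
-   following:
-
-    title Xen 3.0 / XenLinux 2.6
-       kernel /boot/xen-3.0.gz console=vga
-       module /boot/vmlinuz-2.6-xen root=<root-dev> ro console=tty0
-       module /boot/initrd-2.6-xen.img
-
-   NB: Not all kernel configs need an initial ram disk (initrd), but
-   if you do specify one you'll need to use the 'module' grub directive
-   rather than 'initrd'.
-
-   The linux command line takes all the usual options, such as
-   root=<root-dev> to specify your usual root partition (e.g.,
-   /dev/hda1).  
-
-   The Xen command line takes a number of optional arguments described
-   in the manual. The most common is 'dom0_mem=xxxM' which sets the
-   amount of memory to allocate for use by your initial virtual
-   machine (known as domain 0). Note that Xen itself reserves about
-   32MB memory for internal use, which is not available for allocation
-   to virtual machines.  
-
-3. Reboot your system and select the "Xen 3.0 / XenLinux 2.6" menu
-   option. After booting Xen, Linux will start and your initialisation
-   scripts should execute in the usual way.
-
-Quick-Start Guide - Source Release
-==================================
-
-First, there are a number of prerequisites for building a Xen source
-release. Make sure you have all the following installed, either by
-visiting the project webpage or installing a pre-built package
-provided by your Linux distributor:
-    * GCC (preferably v3.2.x or v3.3.x; older versions are unsupported) 
-    * GNU Make
-    * GNU Binutils
-    * Development install of zlib (e.g., zlib-dev)
-    * Development install of Python v2.3 or later (e.g., python-dev)
-    * bridge-utils package (/sbin/brctl)
-    * iproute package (/sbin/ip)
-    * hotplug or udev
-
-[NB. Unless noted otherwise, all the following steps should be
-performed with root privileges.]
-
-1. Download and untar the source tarball file. This will be a
-   file named xen-unstable-src.tgz, or xen-$version-src.tgz.
-   You can also pull the current version from the SCMS
-   that is being used (Bitkeeper, scheduled to change shortly).
-
-    # tar xzf xen-unstable-src.tgz
-
-   Assuming you are using the unstable tree, this will
-   untar into xen-unstable. The rest of the instructions
-   use the unstable tree as an example, substitute the
-   version for unstable.
-
-2. cd to xen-unstable (or whatever you sensibly rename it to).
-   The Linux, netbsd and freebsd kernel source trees are in
-   the $os-$version-xen-sparse directories.
-
-On Linux:
-
-3. For the very first build, or if you want to destroy existing
-   .configs and build trees, perform the following steps:
-
-    # make world
-    # make install
-
-   This will create and install onto the local machine. It will build 
-   the xen binary (xen.gz), and a linux kernel and modules that can be
-   used in both dom0 and an unprivileged guest kernel (vmlinuz-2.6.x-xen),
-   the tools and the documentation.
-
-   You can override the destination for make install by setting DESTDIR 
-   to some value.
-
-   The make command line defaults to building the kernel vmlinuz-2.6.x-xen. 
-   You can override this default by specifying KERNELS=kernelname. For 
-   example, you can make two kernels - linux-2.6-xen0 
-   and linux-2.6-xenU - which are smaller builds containing only selected 
-   modules, intended primarily for developers that don't like to wait 
-   for a full -xen kernel to build. The -xenU kernel is particularly small,
-   as it does not contain any physical device drivers, and hence is
-   only useful for guest domains.
-
-   To make these two kernels, simply specify
-
-   KERNELS="linux-2.6-xen0 linux-2.6-xenU"
-
-   in the make command line.
-
-   If you want to build an x86_32 PAE capable xen and kernel to work
-   on machines with >= 4GB of memory, use XEN_TARGET_X86_PAE=y on the
-   make command line.
-
-4. To rebuild an existing tree without modifying the config:
-    # make dist
-
-   This will build and install xen, kernels, tools, and
-   docs into the local dist/ directory. 
-
-   You can override the destination for make install by setting DISTDIR 
-   to some value.
-
-   make install and make dist differ in that make install does the 
-   right things for your local machine (installing the appropriate 
-   version of hotplug or udev scripts, for example), but make dist 
-   includes all versions of those scripts, so that you can copy the dist 
-   directory to another machine and install from that distribution.
-
-5. To rebuild a kernel with a modified config:
-
-    # make linux-2.6-xen-config CONFIGMODE=menuconfig     (or xconfig)
-    # make linux-2.6-xen-build
-    # make linux-2.6-xen-install
-
-   Depending on your config, you may need to use 'mkinitrd' to create
-   an initial ram disk, just like a native system e.g. 
-    # depmod 2.6.16-xen
-    # mkinitrd -v -f --with=aacraid --with=sd_mod --with=scsi_mod initrd-2.6.16-xen.img 2.6.16-xen
+################################
+ __  __            _____  ___  
+ \ \/ /___ _ __   |___ / / _ \ 
+  \  // _ \ '_ \    |_ \| | | |
+  /  \  __/ | | |  ___) | |_| |
+ /_/\_\___|_| |_| |____(_)___/ 
+
+################################
+
+http://www.xensource.com/xen/about.html
+
+What is Xen?
+============
+
+Xen is a Virtual Machine Monitor (VMM) originally developed by the
+Systems Research Group of the University of Cambridge Computer
+Laboratory, as part of the UK-EPSRC funded XenoServers project.  Xen
+is freely-distributable Open Source software, released under the GNU
+GPL. Since its initial public release, Xen has grown a large
+development community, spearheaded by XenSource Inc, a company created
+by the original Xen development team to build enterprise products
+around Xen.
+
+The 3.0 release offers excellent performance, hardware support and
+enterprise-grade features such as x86_32-PAE, x86_64, SMP guests and
+live relocation of VMs. This install tree contains source for a Linux
+2.6 guest; ports to Linux 2.4, NetBSD, FreeBSD and Solaris will follow
+later (and are already available for previous Xen releases).
+
+This file contains some quick-start instructions to install Xen on
+your system. For full documentation, see the Xen User Manual. If this
+is a pre-built release then you can find the manual at:
+ dist/install/usr/share/doc/xen/pdf/user.pdf
+If you have a source release, then 'make -C docs' will build the
+manual at docs/pdf/user.pdf.
+
+Quick-Start Guide - Pre-Built Binary Release
+============================================
+
+[NB. Unless noted otherwise, all the following steps should be
+performed with root privileges.]
+
+1. Install the binary distribution onto your filesystem:
+
+    # sh ./install.sh
+
+   Among other things, this will install Xen and Xen-ready Linux
+   kernel files in /boot, kernel modules and Python packages in /lib,
+   and various control tools in standard 'bin' directories.
+
+2. Configure your bootloader to boot Xen and an initial Linux virtual
+   machine. Note that Xen currently only works with GRUB and pxelinux
+   derived boot loaders: less common alternatives such as LILO are
+   *not* supported. You can most likely find your GRUB menu file at
+   /boot/grub/menu.lst: edit this file to include an entry like the
+   following:
+
+    title Xen 3.0 / XenLinux 2.6
+       kernel /boot/xen-3.0.gz console=vga
+       module /boot/vmlinuz-2.6-xen root=<root-dev> ro console=tty0
+       module /boot/initrd-2.6-xen.img
+
+   NB: Not all kernel configs need an initial ram disk (initrd), but
+   if you do specify one you'll need to use the 'module' grub directive
+   rather than 'initrd'.
+
+   The linux command line takes all the usual options, such as
+   root=<root-dev> to specify your usual root partition (e.g.,
+   /dev/hda1).  
+
+   The Xen command line takes a number of optional arguments described
+   in the manual. The most common is 'dom0_mem=xxxM' which sets the
+   amount of memory to allocate for use by your initial virtual
+   machine (known as domain 0). Note that Xen itself reserves about
+   32MB memory for internal use, which is not available for allocation
+   to virtual machines.  
+
+3. Reboot your system and select the "Xen 3.0 / XenLinux 2.6" menu
+   option. After booting Xen, Linux will start and your initialisation
+   scripts should execute in the usual way.
+
+Quick-Start Guide - Source Release
+==================================
+
+First, there are a number of prerequisites for building a Xen source
+release. Make sure you have all the following installed, either by
+visiting the project webpage or installing a pre-built package
+provided by your Linux distributor:
+    * GCC (preferably v3.2.x or v3.3.x; older versions are unsupported) 
+    * GNU Make
+    * GNU Binutils
+    * Development install of zlib (e.g., zlib-dev)
+    * Development install of Python v2.3 or later (e.g., python-dev)
+    * bridge-utils package (/sbin/brctl)
+    * iproute package (/sbin/ip)
+    * hotplug or udev
+
+[NB. Unless noted otherwise, all the following steps should be
+performed with root privileges.]
+
+1. Download and untar the source tarball file. This will be a
+   file named xen-unstable-src.tgz, or xen-$version-src.tgz.
+   You can also pull the current version from the SCMS
+   that is being used (Bitkeeper, scheduled to change shortly).
+
+    # tar xzf xen-unstable-src.tgz
+
+   Assuming you are using the unstable tree, this will
+   untar into xen-unstable. The rest of the instructions
+   use the unstable tree as an example, substitute the
+   version for unstable.
+
+2. cd to xen-unstable (or whatever you sensibly rename it to).
+   The Linux, netbsd and freebsd kernel source trees are in
+   the $os-$version-xen-sparse directories.
+
+On Linux:
+
+3. For the very first build, or if you want to destroy existing
+   .configs and build trees, perform the following steps:
+
+    # make world
+    # make install
+
+   This will create and install onto the local machine. It will build 
+   the xen binary (xen.gz), and a linux kernel and modules that can be
+   used in both dom0 and an unprivileged guest kernel (vmlinuz-2.6.x-xen),
+   the tools and the documentation.
+
+   You can override the destination for make install by setting DESTDIR 
+   to some value.
+
+   The make command line defaults to building the kernel vmlinuz-2.6.x-xen. 
+   You can override this default by specifying KERNELS=kernelname. For 
+   example, you can make two kernels - linux-2.6-xen0 
+   and linux-2.6-xenU - which are smaller builds containing only selected 
+   modules, intended primarily for developers that don't like to wait 
+   for a full -xen kernel to build. The -xenU kernel is particularly small,
+   as it does not contain any physical device drivers, and hence is
+   only useful for guest domains.
+
+   To make these two kernels, simply specify
+
+   KERNELS="linux-2.6-xen0 linux-2.6-xenU"
+
+   in the make command line.
+
+   If you want to build an x86_32 PAE capable xen and kernel to work
+   on machines with >= 4GB of memory, use XEN_TARGET_X86_PAE=y on the
+   make command line.
+
+4. To rebuild an existing tree without modifying the config:
+    # make dist
+
+   This will build and install xen, kernels, tools, and
+   docs into the local dist/ directory. 
+
+   You can override the destination for make install by setting DISTDIR 
+   to some value.
+
+   make install and make dist differ in that make install does the 
+   right things for your local machine (installing the appropriate 
+   version of hotplug or udev scripts, for example), but make dist 
+   includes all versions of those scripts, so that you can copy the dist 
+   directory to another machine and install from that distribution.
+
+5. To rebuild a kernel with a modified config:
+
+    # make linux-2.6-xen-config CONFIGMODE=menuconfig     (or xconfig)
+    # make linux-2.6-xen-build
+    # make linux-2.6-xen-install
+
+   Depending on your config, you may need to use 'mkinitrd' to create
+   an initial ram disk, just like a native system e.g. 
+    # depmod 2.6.16-xen
+    # mkinitrd -v -f --with=aacraid --with=sd_mod --with=scsi_mod initrd-2.6.16-xen.img 2.6.16-xen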
     2.1 --- a/buildconfigs/linux-defconfig_xen_x86_32	Tue Apr 25 22:55:22 2006 -0600
     2.2 +++ b/buildconfigs/linux-defconfig_xen_x86_32	Tue Apr 25 23:35:55 2006 -0600
     2.3 @@ -1,7 +1,7 @@
     2.4  #
     2.5  # Automatically generated make config: don't edit
     2.6 -# Linux kernel version: 2.6.16-rc3-xen0
     2.7 -# Thu Feb 16 22:54:14 2006
     2.8 +# Linux kernel version: 2.6.16-xen
     2.9 +# Thu Apr 20 17:07:18 2006
    2.10  #
    2.11  CONFIG_X86_32=y
    2.12  CONFIG_SEMAPHORE_SLEEPERS=y
    2.13 @@ -28,16 +28,18 @@ CONFIG_SWAP=y
    2.14  CONFIG_SYSVIPC=y
    2.15  CONFIG_POSIX_MQUEUE=y
    2.16  CONFIG_BSD_PROCESS_ACCT=y
    2.17 -# CONFIG_BSD_PROCESS_ACCT_V3 is not set
    2.18 +CONFIG_BSD_PROCESS_ACCT_V3=y
    2.19  CONFIG_SYSCTL=y
    2.20 -# CONFIG_AUDIT is not set
    2.21 -# CONFIG_IKCONFIG is not set
    2.22 -# CONFIG_CPUSETS is not set
    2.23 +CONFIG_AUDIT=y
    2.24 +CONFIG_AUDITSYSCALL=y
    2.25 +CONFIG_IKCONFIG=y
    2.26 +CONFIG_IKCONFIG_PROC=y
    2.27 +CONFIG_CPUSETS=y
    2.28  CONFIG_INITRAMFS_SOURCE=""
    2.29  CONFIG_UID16=y
    2.30  CONFIG_VM86=y
    2.31  # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
    2.32 -CONFIG_EMBEDDED=y
    2.33 +# CONFIG_EMBEDDED is not set
    2.34  CONFIG_KALLSYMS=y
    2.35  # CONFIG_KALLSYMS_ALL is not set
    2.36  # CONFIG_KALLSYMS_EXTRA_PASS is not set
    2.37 @@ -67,7 +69,7 @@ CONFIG_MODULE_UNLOAD=y
    2.38  CONFIG_MODULE_FORCE_UNLOAD=y
    2.39  CONFIG_OBSOLETE_MODPARM=y
    2.40  CONFIG_MODVERSIONS=y
    2.41 -# CONFIG_MODULE_SRCVERSION_ALL is not set
    2.42 +CONFIG_MODULE_SRCVERSION_ALL=y
    2.43  CONFIG_KMOD=y
    2.44  CONFIG_STOP_MACHINE=y
    2.45  
    2.46 @@ -83,11 +85,11 @@ CONFIG_IOSCHED_NOOP=y
    2.47  CONFIG_IOSCHED_AS=y
    2.48  CONFIG_IOSCHED_DEADLINE=y
    2.49  CONFIG_IOSCHED_CFQ=y
    2.50 -CONFIG_DEFAULT_AS=y
    2.51 +# CONFIG_DEFAULT_AS is not set
    2.52  # CONFIG_DEFAULT_DEADLINE is not set
    2.53 -# CONFIG_DEFAULT_CFQ is not set
    2.54 +CONFIG_DEFAULT_CFQ=y
    2.55  # CONFIG_DEFAULT_NOOP is not set
    2.56 -CONFIG_DEFAULT_IOSCHED="anticipatory"
    2.57 +CONFIG_DEFAULT_IOSCHED="cfq"
    2.58  
    2.59  #
    2.60  # Processor type and features
    2.61 @@ -124,10 +126,10 @@ CONFIG_M686=y
    2.62  # CONFIG_MGEODE_LX is not set
    2.63  # CONFIG_MCYRIXIII is not set
    2.64  # CONFIG_MVIAC3_2 is not set
    2.65 -# CONFIG_X86_GENERIC is not set
    2.66 +CONFIG_X86_GENERIC=y
    2.67  CONFIG_X86_CMPXCHG=y
    2.68  CONFIG_X86_XADD=y
    2.69 -CONFIG_X86_L1_CACHE_SHIFT=5
    2.70 +CONFIG_X86_L1_CACHE_SHIFT=7
    2.71  CONFIG_RWSEM_XCHGADD_ALGORITHM=y
    2.72  CONFIG_GENERIC_CALIBRATE_DELAY=y
    2.73  CONFIG_X86_PPRO_FENCE=y
    2.74 @@ -137,13 +139,14 @@ CONFIG_X86_BSWAP=y
    2.75  CONFIG_X86_POPAD_OK=y
    2.76  CONFIG_X86_CMPXCHG64=y
    2.77  CONFIG_X86_GOOD_APIC=y
    2.78 +CONFIG_X86_INTEL_USERCOPY=y
    2.79  CONFIG_X86_USE_PPRO_CHECKSUM=y
    2.80  CONFIG_X86_TSC=y
    2.81  CONFIG_SMP=y
    2.82  CONFIG_SMP_ALTERNATIVES=y
    2.83 -CONFIG_NR_CPUS=8
    2.84 -CONFIG_PREEMPT_NONE=y
    2.85 -# CONFIG_PREEMPT_VOLUNTARY is not set
    2.86 +CONFIG_NR_CPUS=32
    2.87 +# CONFIG_PREEMPT_NONE is not set
    2.88 +CONFIG_PREEMPT_VOLUNTARY=y
    2.89  # CONFIG_PREEMPT is not set
    2.90  CONFIG_PREEMPT_BKL=y
    2.91  CONFIG_X86_LOCAL_APIC=y
    2.92 @@ -178,7 +181,7 @@ CONFIG_FLAT_NODE_MEM_MAP=y
    2.93  # CONFIG_SPARSEMEM_STATIC is not set
    2.94  CONFIG_SPLIT_PTLOCK_CPUS=4096
    2.95  CONFIG_MTRR=y
    2.96 -# CONFIG_REGPARM is not set
    2.97 +CONFIG_REGPARM=y
    2.98  CONFIG_SECCOMP=y
    2.99  CONFIG_HZ_100=y
   2.100  # CONFIG_HZ_250 is not set
   2.101 @@ -214,7 +217,6 @@ CONFIG_ACPI_BLACKLIST_YEAR=0
   2.102  CONFIG_ACPI_EC=y
   2.103  CONFIG_ACPI_POWER=y
   2.104  CONFIG_ACPI_SYSTEM=y
   2.105 -# CONFIG_X86_PM_TIMER is not set
   2.106  CONFIG_ACPI_CONTAINER=m
   2.107  
   2.108  #
   2.109 @@ -269,7 +271,8 @@ CONFIG_PCCARD_NONSTATIC=m
   2.110  #
   2.111  CONFIG_HOTPLUG_PCI=m
   2.112  CONFIG_HOTPLUG_PCI_FAKE=m
   2.113 -# CONFIG_HOTPLUG_PCI_ACPI is not set
   2.114 +CONFIG_HOTPLUG_PCI_ACPI=m
   2.115 +CONFIG_HOTPLUG_PCI_ACPI_IBM=m
   2.116  CONFIG_HOTPLUG_PCI_CPCI=y
   2.117  CONFIG_HOTPLUG_PCI_CPCI_ZT5550=m
   2.118  CONFIG_HOTPLUG_PCI_CPCI_GENERIC=m
   2.119 @@ -296,7 +299,7 @@ CONFIG_PACKET=y
   2.120  CONFIG_PACKET_MMAP=y
   2.121  CONFIG_UNIX=y
   2.122  CONFIG_XFRM=y
   2.123 -CONFIG_XFRM_USER=y
   2.124 +CONFIG_XFRM_USER=m
   2.125  CONFIG_NET_KEY=m
   2.126  CONFIG_INET=y
   2.127  CONFIG_IP_MULTICAST=y
   2.128 @@ -518,7 +521,7 @@ CONFIG_BRIDGE_EBT_MARK_T=m
   2.129  CONFIG_BRIDGE_EBT_REDIRECT=m
   2.130  CONFIG_BRIDGE_EBT_SNAT=m
   2.131  CONFIG_BRIDGE_EBT_LOG=m
   2.132 -# CONFIG_BRIDGE_EBT_ULOG is not set
   2.133 +CONFIG_BRIDGE_EBT_ULOG=m
   2.134  
   2.135  #
   2.136  # DCCP Configuration (EXPERIMENTAL)
   2.137 @@ -551,18 +554,10 @@ CONFIG_SCTP_HMAC_MD5=y
   2.138  #
   2.139  # TIPC Configuration (EXPERIMENTAL)
   2.140  #
   2.141 -CONFIG_TIPC=m
   2.142 -CONFIG_TIPC_ADVANCED=y
   2.143 -CONFIG_TIPC_ZONES=3
   2.144 -CONFIG_TIPC_CLUSTERS=1
   2.145 -CONFIG_TIPC_NODES=255
   2.146 -CONFIG_TIPC_SLAVE_NODES=0
   2.147 -CONFIG_TIPC_PORTS=8191
   2.148 -CONFIG_TIPC_LOG=0
   2.149 -# CONFIG_TIPC_DEBUG is not set
   2.150 -CONFIG_ATM=y
   2.151 -CONFIG_ATM_CLIP=y
   2.152 -# CONFIG_ATM_CLIP_NO_ICMP is not set
   2.153 +# CONFIG_TIPC is not set
   2.154 +CONFIG_ATM=m
   2.155 +CONFIG_ATM_CLIP=m
   2.156 +CONFIG_ATM_CLIP_NO_ICMP=y
   2.157  CONFIG_ATM_LANE=m
   2.158  CONFIG_ATM_MPOA=m
   2.159  CONFIG_ATM_BR2684=m
   2.160 @@ -570,7 +565,8 @@ CONFIG_ATM_BR2684=m
   2.161  CONFIG_BRIDGE=m
   2.162  CONFIG_VLAN_8021Q=m
   2.163  CONFIG_DECNET=m
   2.164 -# CONFIG_DECNET_ROUTER is not set
   2.165 +CONFIG_DECNET_ROUTER=y
   2.166 +CONFIG_DECNET_ROUTE_FWMARK=y
   2.167  CONFIG_LLC=y
   2.168  CONFIG_LLC2=m
   2.169  CONFIG_IPX=m
   2.170 @@ -623,8 +619,8 @@ CONFIG_NET_CLS_ROUTE4=m
   2.171  CONFIG_NET_CLS_ROUTE=y
   2.172  CONFIG_NET_CLS_FW=m
   2.173  CONFIG_NET_CLS_U32=m
   2.174 -# CONFIG_CLS_U32_PERF is not set
   2.175 -# CONFIG_CLS_U32_MARK is not set
   2.176 +CONFIG_CLS_U32_PERF=y
   2.177 +CONFIG_CLS_U32_MARK=y
   2.178  CONFIG_NET_CLS_RSVP=m
   2.179  CONFIG_NET_CLS_RSVP6=m
   2.180  CONFIG_NET_EMATCH=y
   2.181 @@ -717,13 +713,13 @@ CONFIG_ACT200L_DONGLE=m
   2.182  #
   2.183  CONFIG_USB_IRDA=m
   2.184  CONFIG_SIGMATEL_FIR=m
   2.185 -# CONFIG_NSC_FIR is not set
   2.186 -# CONFIG_WINBOND_FIR is not set
   2.187 -# CONFIG_TOSHIBA_FIR is not set
   2.188 -# CONFIG_SMC_IRCC_FIR is not set
   2.189 -# CONFIG_ALI_FIR is not set
   2.190 +CONFIG_NSC_FIR=m
   2.191 +CONFIG_WINBOND_FIR=m
   2.192 +CONFIG_TOSHIBA_FIR=m
   2.193 +CONFIG_SMC_IRCC_FIR=m
   2.194 +CONFIG_ALI_FIR=m
   2.195  CONFIG_VLSI_FIR=m
   2.196 -# CONFIG_VIA_FIR is not set
   2.197 +CONFIG_VIA_FIR=m
   2.198  CONFIG_BT=m
   2.199  CONFIG_BT_L2CAP=m
   2.200  CONFIG_BT_SCO=m
   2.201 @@ -744,7 +740,7 @@ CONFIG_BT_HCIUART=m
   2.202  CONFIG_BT_HCIUART_H4=y
   2.203  CONFIG_BT_HCIUART_BCSP=y
   2.204  CONFIG_BT_HCIBCM203X=m
   2.205 -# CONFIG_BT_HCIBPA10X is not set
   2.206 +CONFIG_BT_HCIBPA10X=m
   2.207  CONFIG_BT_HCIBFUSB=m
   2.208  CONFIG_BT_HCIDTL1=m
   2.209  CONFIG_BT_HCIBT3C=m
   2.210 @@ -805,7 +801,11 @@ CONFIG_RFD_FTL=m
   2.211  CONFIG_MTD_CFI=m
   2.212  CONFIG_MTD_JEDECPROBE=m
   2.213  CONFIG_MTD_GEN_PROBE=m
   2.214 -# CONFIG_MTD_CFI_ADV_OPTIONS is not set
   2.215 +CONFIG_MTD_CFI_ADV_OPTIONS=y
   2.216 +CONFIG_MTD_CFI_NOSWAP=y
   2.217 +# CONFIG_MTD_CFI_BE_BYTE_SWAP is not set
   2.218 +# CONFIG_MTD_CFI_LE_BYTE_SWAP is not set
   2.219 +# CONFIG_MTD_CFI_GEOMETRY is not set
   2.220  CONFIG_MTD_MAP_BANK_WIDTH_1=y
   2.221  CONFIG_MTD_MAP_BANK_WIDTH_2=y
   2.222  CONFIG_MTD_MAP_BANK_WIDTH_4=y
   2.223 @@ -816,6 +816,7 @@ CONFIG_MTD_CFI_I1=y
   2.224  CONFIG_MTD_CFI_I2=y
   2.225  # CONFIG_MTD_CFI_I4 is not set
   2.226  # CONFIG_MTD_CFI_I8 is not set
   2.227 +# CONFIG_MTD_OTP is not set
   2.228  CONFIG_MTD_CFI_INTELEXT=m
   2.229  CONFIG_MTD_CFI_AMDSTD=m
   2.230  CONFIG_MTD_CFI_AMDSTD_RETRY=0
   2.231 @@ -840,13 +841,13 @@ CONFIG_MTD_NETSC520=m
   2.232  CONFIG_MTD_TS5500=m
   2.233  CONFIG_MTD_SBC_GXX=m
   2.234  CONFIG_MTD_SCx200_DOCFLASH=m
   2.235 -# CONFIG_MTD_AMD76XROM is not set
   2.236 -# CONFIG_MTD_ICHXROM is not set
   2.237 -# CONFIG_MTD_SCB2_FLASH is not set
   2.238 +CONFIG_MTD_AMD76XROM=m
   2.239 +CONFIG_MTD_ICHXROM=m
   2.240 +CONFIG_MTD_SCB2_FLASH=m
   2.241  CONFIG_MTD_NETtel=m
   2.242  CONFIG_MTD_DILNETPC=m
   2.243  CONFIG_MTD_DILNETPC_BOOTSIZE=0x80000
   2.244 -# CONFIG_MTD_L440GX is not set
   2.245 +CONFIG_MTD_L440GX=m
   2.246  CONFIG_MTD_PCI=m
   2.247  CONFIG_MTD_PLATRAM=m
   2.248  
   2.249 @@ -864,7 +865,7 @@ CONFIG_MTD_MTDRAM=m
   2.250  CONFIG_MTDRAM_TOTAL_SIZE=4096
   2.251  CONFIG_MTDRAM_ERASE_SIZE=128
   2.252  CONFIG_MTD_BLKMTD=m
   2.253 -# CONFIG_MTD_BLOCK2MTD is not set
   2.254 +CONFIG_MTD_BLOCK2MTD=m
   2.255  
   2.256  #
   2.257  # Disk-On-Chip Device Drivers
   2.258 @@ -886,8 +887,8 @@ CONFIG_MTD_NAND_IDS=m
   2.259  CONFIG_MTD_NAND_DISKONCHIP=m
   2.260  # CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set
   2.261  CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0
   2.262 -# CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE is not set
   2.263 -# CONFIG_MTD_NAND_NANDSIM is not set
   2.264 +CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE=y
   2.265 +CONFIG_MTD_NAND_NANDSIM=y
   2.266  
   2.267  #
   2.268  # OneNAND Flash Device Drivers
   2.269 @@ -902,7 +903,7 @@ CONFIG_PARPORT=m
   2.270  CONFIG_PARPORT_PC=m
   2.271  CONFIG_PARPORT_SERIAL=m
   2.272  CONFIG_PARPORT_PC_FIFO=y
   2.273 -# CONFIG_PARPORT_PC_SUPERIO is not set
   2.274 +CONFIG_PARPORT_PC_SUPERIO=y
   2.275  CONFIG_PARPORT_PC_PCMCIA=m
   2.276  CONFIG_PARPORT_NOT_PC=y
   2.277  # CONFIG_PARPORT_GSC is not set
   2.278 @@ -912,7 +913,7 @@ CONFIG_PARPORT_1284=y
   2.279  # Plug and Play support
   2.280  #
   2.281  CONFIG_PNP=y
   2.282 -CONFIG_PNP_DEBUG=y
   2.283 +# CONFIG_PNP_DEBUG is not set
   2.284  
   2.285  #
   2.286  # Protocols
   2.287 @@ -922,7 +923,7 @@ CONFIG_PNPACPI=y
   2.288  #
   2.289  # Block devices
   2.290  #
   2.291 -CONFIG_BLK_DEV_FD=m
   2.292 +CONFIG_BLK_DEV_FD=y
   2.293  CONFIG_PARIDE=m
   2.294  CONFIG_PARIDE_PARPORT=m
   2.295  
   2.296 @@ -946,7 +947,7 @@ CONFIG_PARIDE_DSTR=m
   2.297  CONFIG_PARIDE_FIT2=m
   2.298  CONFIG_PARIDE_FIT3=m
   2.299  CONFIG_PARIDE_EPAT=m
   2.300 -# CONFIG_PARIDE_EPATC8 is not set
   2.301 +CONFIG_PARIDE_EPATC8=y
   2.302  CONFIG_PARIDE_EPIA=m
   2.303  CONFIG_PARIDE_FRIQ=m
   2.304  CONFIG_PARIDE_FRPW=m
   2.305 @@ -960,7 +961,7 @@ CONFIG_CISS_SCSI_TAPE=y
   2.306  CONFIG_BLK_DEV_DAC960=m
   2.307  CONFIG_BLK_DEV_UMEM=m
   2.308  # CONFIG_BLK_DEV_COW_COMMON is not set
   2.309 -CONFIG_BLK_DEV_LOOP=m
   2.310 +CONFIG_BLK_DEV_LOOP=y
   2.311  CONFIG_BLK_DEV_CRYPTOLOOP=m
   2.312  CONFIG_BLK_DEV_NBD=m
   2.313  CONFIG_BLK_DEV_SX8=m
   2.314 @@ -971,7 +972,7 @@ CONFIG_BLK_DEV_RAM_SIZE=16384
   2.315  CONFIG_BLK_DEV_INITRD=y
   2.316  CONFIG_CDROM_PKTCDVD=m
   2.317  CONFIG_CDROM_PKTCDVD_BUFFERS=8
   2.318 -# CONFIG_CDROM_PKTCDVD_WCACHE is not set
   2.319 +CONFIG_CDROM_PKTCDVD_WCACHE=y
   2.320  CONFIG_ATA_OVER_ETH=m
   2.321  
   2.322  #
   2.323 @@ -985,59 +986,59 @@ CONFIG_BLK_DEV_IDE=y
   2.324  #
   2.325  # CONFIG_BLK_DEV_IDE_SATA is not set
   2.326  # CONFIG_BLK_DEV_HD_IDE is not set
   2.327 -CONFIG_BLK_DEV_IDEDISK=y
   2.328 +CONFIG_BLK_DEV_IDEDISK=m
   2.329  CONFIG_IDEDISK_MULTI_MODE=y
   2.330  CONFIG_BLK_DEV_IDECS=m
   2.331 -CONFIG_BLK_DEV_IDECD=y
   2.332 +CONFIG_BLK_DEV_IDECD=m
   2.333  CONFIG_BLK_DEV_IDETAPE=m
   2.334 -CONFIG_BLK_DEV_IDEFLOPPY=y
   2.335 +CONFIG_BLK_DEV_IDEFLOPPY=m
   2.336  CONFIG_BLK_DEV_IDESCSI=m
   2.337  # CONFIG_IDE_TASK_IOCTL is not set
   2.338  
   2.339  #
   2.340  # IDE chipset support/bugfixes
   2.341  #
   2.342 -CONFIG_IDE_GENERIC=y
   2.343 +CONFIG_IDE_GENERIC=m
   2.344  CONFIG_BLK_DEV_CMD640=y
   2.345  CONFIG_BLK_DEV_CMD640_ENHANCED=y
   2.346  CONFIG_BLK_DEV_IDEPNP=y
   2.347  CONFIG_BLK_DEV_IDEPCI=y
   2.348  CONFIG_IDEPCI_SHARE_IRQ=y
   2.349 -# CONFIG_BLK_DEV_OFFBOARD is not set
   2.350 +CONFIG_BLK_DEV_OFFBOARD=y
   2.351  CONFIG_BLK_DEV_GENERIC=y
   2.352  CONFIG_BLK_DEV_OPTI621=m
   2.353 -CONFIG_BLK_DEV_RZ1000=y
   2.354 +CONFIG_BLK_DEV_RZ1000=m
   2.355  CONFIG_BLK_DEV_IDEDMA_PCI=y
   2.356  # CONFIG_BLK_DEV_IDEDMA_FORCED is not set
   2.357  CONFIG_IDEDMA_PCI_AUTO=y
   2.358  # CONFIG_IDEDMA_ONLYDISK is not set
   2.359 -CONFIG_BLK_DEV_AEC62XX=y
   2.360 -CONFIG_BLK_DEV_ALI15X3=y
   2.361 +CONFIG_BLK_DEV_AEC62XX=m
   2.362 +CONFIG_BLK_DEV_ALI15X3=m
   2.363  # CONFIG_WDC_ALI15X3 is not set
   2.364 -CONFIG_BLK_DEV_AMD74XX=y
   2.365 -CONFIG_BLK_DEV_ATIIXP=y
   2.366 -CONFIG_BLK_DEV_CMD64X=y
   2.367 -CONFIG_BLK_DEV_TRIFLEX=y
   2.368 -CONFIG_BLK_DEV_CY82C693=y
   2.369 -CONFIG_BLK_DEV_CS5520=y
   2.370 -CONFIG_BLK_DEV_CS5530=y
   2.371 +CONFIG_BLK_DEV_AMD74XX=m
   2.372 +CONFIG_BLK_DEV_ATIIXP=m
   2.373 +CONFIG_BLK_DEV_CMD64X=m
   2.374 +CONFIG_BLK_DEV_TRIFLEX=m
   2.375 +CONFIG_BLK_DEV_CY82C693=m
   2.376 +CONFIG_BLK_DEV_CS5520=m
   2.377 +CONFIG_BLK_DEV_CS5530=m
   2.378  CONFIG_BLK_DEV_CS5535=m
   2.379 -CONFIG_BLK_DEV_HPT34X=y
   2.380 -# CONFIG_HPT34X_AUTODMA is not set
   2.381 -CONFIG_BLK_DEV_HPT366=y
   2.382 +CONFIG_BLK_DEV_HPT34X=m
   2.383 +CONFIG_HPT34X_AUTODMA=y
   2.384 +CONFIG_BLK_DEV_HPT366=m
   2.385  CONFIG_BLK_DEV_SC1200=m
   2.386 -CONFIG_BLK_DEV_PIIX=y
   2.387 +CONFIG_BLK_DEV_PIIX=m
   2.388  CONFIG_BLK_DEV_IT821X=m
   2.389  CONFIG_BLK_DEV_NS87415=m
   2.390 -CONFIG_BLK_DEV_PDC202XX_OLD=y
   2.391 +CONFIG_BLK_DEV_PDC202XX_OLD=m
   2.392  CONFIG_PDC202XX_BURST=y
   2.393 -CONFIG_BLK_DEV_PDC202XX_NEW=y
   2.394 -CONFIG_BLK_DEV_SVWKS=y
   2.395 -CONFIG_BLK_DEV_SIIMAGE=y
   2.396 -CONFIG_BLK_DEV_SIS5513=y
   2.397 -CONFIG_BLK_DEV_SLC90E66=y
   2.398 +CONFIG_BLK_DEV_PDC202XX_NEW=m
   2.399 +CONFIG_BLK_DEV_SVWKS=m
   2.400 +CONFIG_BLK_DEV_SIIMAGE=m
   2.401 +CONFIG_BLK_DEV_SIS5513=m
   2.402 +CONFIG_BLK_DEV_SLC90E66=m
   2.403  CONFIG_BLK_DEV_TRM290=m
   2.404 -CONFIG_BLK_DEV_VIA82CXXX=y
   2.405 +CONFIG_BLK_DEV_VIA82CXXX=m
   2.406  # CONFIG_IDE_ARM is not set
   2.407  CONFIG_BLK_DEV_IDEDMA=y
   2.408  # CONFIG_IDEDMA_IVB is not set
   2.409 @@ -1112,7 +1113,7 @@ CONFIG_SCSI_ATA_PIIX=m
   2.410  CONFIG_SCSI_SATA_MV=m
   2.411  CONFIG_SCSI_SATA_NV=m
   2.412  CONFIG_SCSI_PDC_ADMA=m
   2.413 -# CONFIG_SCSI_SATA_QSTOR is not set
   2.414 +CONFIG_SCSI_SATA_QSTOR=m
   2.415  CONFIG_SCSI_SATA_PROMISE=m
   2.416  CONFIG_SCSI_SATA_SX4=m
   2.417  CONFIG_SCSI_SATA_SIL=m
   2.418 @@ -1122,14 +1123,18 @@ CONFIG_SCSI_SATA_ULI=m
   2.419  CONFIG_SCSI_SATA_VIA=m
   2.420  CONFIG_SCSI_SATA_VITESSE=m
   2.421  CONFIG_SCSI_SATA_INTEL_COMBINED=y
   2.422 -# CONFIG_SCSI_BUSLOGIC is not set
   2.423 +CONFIG_SCSI_BUSLOGIC=m
   2.424 +# CONFIG_SCSI_OMIT_FLASHPOINT is not set
   2.425  CONFIG_SCSI_DMX3191D=m
   2.426 -# CONFIG_SCSI_EATA is not set
   2.427 +CONFIG_SCSI_EATA=m
   2.428 +CONFIG_SCSI_EATA_TAGGED_QUEUE=y
   2.429 +CONFIG_SCSI_EATA_LINKED_COMMANDS=y
   2.430 +CONFIG_SCSI_EATA_MAX_TAGS=16
   2.431  CONFIG_SCSI_FUTURE_DOMAIN=m
   2.432 -# CONFIG_SCSI_GDTH is not set
   2.433 +CONFIG_SCSI_GDTH=m
   2.434  CONFIG_SCSI_IPS=m
   2.435 -# CONFIG_SCSI_INITIO is not set
   2.436 -# CONFIG_SCSI_INIA100 is not set
   2.437 +CONFIG_SCSI_INITIO=m
   2.438 +CONFIG_SCSI_INIA100=m
   2.439  CONFIG_SCSI_PPA=m
   2.440  CONFIG_SCSI_IMM=m
   2.441  # CONFIG_SCSI_IZIP_EPP16 is not set
   2.442 @@ -1140,8 +1145,8 @@ CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
   2.443  CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
   2.444  # CONFIG_SCSI_SYM53C8XX_IOMAPPED is not set
   2.445  CONFIG_SCSI_IPR=m
   2.446 -# CONFIG_SCSI_IPR_TRACE is not set
   2.447 -# CONFIG_SCSI_IPR_DUMP is not set
   2.448 +CONFIG_SCSI_IPR_TRACE=y
   2.449 +CONFIG_SCSI_IPR_DUMP=y
   2.450  CONFIG_SCSI_QLOGIC_FC=m
   2.451  CONFIG_SCSI_QLOGIC_FC_FIRMWARE=y
   2.452  CONFIG_SCSI_QLOGIC_1280=m
   2.453 @@ -1166,7 +1171,7 @@ CONFIG_PCMCIA_SYM53C500=m
   2.454  # Multi-device support (RAID and LVM)
   2.455  #
   2.456  CONFIG_MD=y
   2.457 -CONFIG_BLK_DEV_MD=m
   2.458 +CONFIG_BLK_DEV_MD=y
   2.459  CONFIG_MD_LINEAR=m
   2.460  CONFIG_MD_RAID0=m
   2.461  CONFIG_MD_RAID1=m
   2.462 @@ -1206,7 +1211,7 @@ CONFIG_IEEE1394=m
   2.463  # CONFIG_IEEE1394_OUI_DB is not set
   2.464  CONFIG_IEEE1394_EXTRA_CONFIG_ROMS=y
   2.465  CONFIG_IEEE1394_CONFIG_ROM_IP1394=y
   2.466 -# CONFIG_IEEE1394_EXPORT_FULL_API is not set
   2.467 +CONFIG_IEEE1394_EXPORT_FULL_API=y
   2.468  
   2.469  #
   2.470  # Device Drivers
   2.471 @@ -1254,12 +1259,11 @@ CONFIG_ARCNET=m
   2.472  CONFIG_ARCNET_1201=m
   2.473  CONFIG_ARCNET_1051=m
   2.474  CONFIG_ARCNET_RAW=m
   2.475 -# CONFIG_ARCNET_CAP is not set
   2.476 +CONFIG_ARCNET_CAP=m
   2.477  CONFIG_ARCNET_COM90xx=m
   2.478  CONFIG_ARCNET_COM90xxIO=m
   2.479  CONFIG_ARCNET_RIM_I=m
   2.480 -CONFIG_ARCNET_COM20020=m
   2.481 -CONFIG_ARCNET_COM20020_PCI=m
   2.482 +# CONFIG_ARCNET_COM20020 is not set
   2.483  
   2.484  #
   2.485  # PHY device support
   2.486 @@ -1295,7 +1299,8 @@ CONFIG_DE2104X=m
   2.487  CONFIG_TULIP=m
   2.488  # CONFIG_TULIP_MWI is not set
   2.489  # CONFIG_TULIP_MMIO is not set
   2.490 -# CONFIG_TULIP_NAPI is not set
   2.491 +CONFIG_TULIP_NAPI=y
   2.492 +CONFIG_TULIP_NAPI_HW_MITIGATION=y
   2.493  CONFIG_DE4X5=m
   2.494  CONFIG_WINBOND_840=m
   2.495  CONFIG_DM9102=m
   2.496 @@ -1307,10 +1312,10 @@ CONFIG_PCNET32=m
   2.497  CONFIG_AMD8111_ETH=m
   2.498  # CONFIG_AMD8111E_NAPI is not set
   2.499  CONFIG_ADAPTEC_STARFIRE=m
   2.500 -# CONFIG_ADAPTEC_STARFIRE_NAPI is not set
   2.501 +CONFIG_ADAPTEC_STARFIRE_NAPI=y
   2.502  CONFIG_B44=m
   2.503  CONFIG_FORCEDETH=m
   2.504 -# CONFIG_DGRS is not set
   2.505 +CONFIG_DGRS=m
   2.506  CONFIG_EEPRO100=m
   2.507  CONFIG_E100=m
   2.508  CONFIG_FEALNX=m
   2.509 @@ -1318,8 +1323,8 @@ CONFIG_NATSEMI=m
   2.510  CONFIG_NE2K_PCI=m
   2.511  CONFIG_8139CP=m
   2.512  CONFIG_8139TOO=m
   2.513 -CONFIG_8139TOO_PIO=y
   2.514 -CONFIG_8139TOO_TUNE_TWISTER=y
   2.515 +# CONFIG_8139TOO_PIO is not set
   2.516 +# CONFIG_8139TOO_TUNE_TWISTER is not set
   2.517  CONFIG_8139TOO_8129=y
   2.518  # CONFIG_8139_OLD_RX_RESET is not set
   2.519  CONFIG_SIS900=m
   2.520 @@ -1329,22 +1334,26 @@ CONFIG_SUNDANCE=m
   2.521  CONFIG_TLAN=m
   2.522  CONFIG_VIA_RHINE=m
   2.523  # CONFIG_VIA_RHINE_MMIO is not set
   2.524 -# CONFIG_NET_POCKET is not set
   2.525 +CONFIG_NET_POCKET=y
   2.526 +CONFIG_ATP=m
   2.527 +CONFIG_DE600=m
   2.528 +CONFIG_DE620=m
   2.529  
   2.530  #
   2.531  # Ethernet (1000 Mbit)
   2.532  #
   2.533 -# CONFIG_ACENIC is not set
   2.534 +CONFIG_ACENIC=m
   2.535 +# CONFIG_ACENIC_OMIT_TIGON_I is not set
   2.536  CONFIG_DL2K=m
   2.537  CONFIG_E1000=m
   2.538 -# CONFIG_E1000_NAPI is not set
   2.539 +CONFIG_E1000_NAPI=y
   2.540  # CONFIG_E1000_DISABLE_PACKET_SPLIT is not set
   2.541  CONFIG_NS83820=m
   2.542  CONFIG_HAMACHI=m
   2.543  CONFIG_YELLOWFIN=m
   2.544  CONFIG_R8169=m
   2.545  # CONFIG_R8169_NAPI is not set
   2.546 -# CONFIG_R8169_VLAN is not set
   2.547 +CONFIG_R8169_VLAN=y
   2.548  CONFIG_SIS190=m
   2.549  CONFIG_SKGE=m
   2.550  CONFIG_SKY2=m
   2.551 @@ -1358,9 +1367,9 @@ CONFIG_BNX2=m
   2.552  #
   2.553  CONFIG_CHELSIO_T1=m
   2.554  CONFIG_IXGB=m
   2.555 -# CONFIG_IXGB_NAPI is not set
   2.556 +CONFIG_IXGB_NAPI=y
   2.557  CONFIG_S2IO=m
   2.558 -# CONFIG_S2IO_NAPI is not set
   2.559 +CONFIG_S2IO_NAPI=y
   2.560  
   2.561  #
   2.562  # Token Ring devices
   2.563 @@ -1398,7 +1407,7 @@ CONFIG_IPW2100_MONITOR=y
   2.564  # CONFIG_IPW2100_DEBUG is not set
   2.565  CONFIG_IPW2200=m
   2.566  # CONFIG_IPW2200_DEBUG is not set
   2.567 -# CONFIG_AIRO is not set
   2.568 +CONFIG_AIRO=m
   2.569  CONFIG_HERMES=m
   2.570  CONFIG_PLX_HERMES=m
   2.571  CONFIG_TMD_HERMES=m
   2.572 @@ -1421,7 +1430,8 @@ CONFIG_PCMCIA_WL3501=m
   2.573  #
   2.574  CONFIG_PRISM54=m
   2.575  CONFIG_HOSTAP=m
   2.576 -# CONFIG_HOSTAP_FIRMWARE is not set
   2.577 +CONFIG_HOSTAP_FIRMWARE=y
   2.578 +CONFIG_HOSTAP_FIRMWARE_NVRAM=y
   2.579  CONFIG_HOSTAP_PLX=m
   2.580  CONFIG_HOSTAP_PCI=m
   2.581  CONFIG_HOSTAP_CS=m
   2.582 @@ -1439,7 +1449,6 @@ CONFIG_PCMCIA_NMCLAN=m
   2.583  CONFIG_PCMCIA_SMC91C92=m
   2.584  CONFIG_PCMCIA_XIRC2PS=m
   2.585  CONFIG_PCMCIA_AXNET=m
   2.586 -CONFIG_ARCNET_COM20020_CS=m
   2.587  CONFIG_PCMCIA_IBMTR=m
   2.588  
   2.589  #
   2.590 @@ -1487,11 +1496,11 @@ CONFIG_ATM_FIRESTREAM=m
   2.591  CONFIG_ATM_ZATM=m
   2.592  # CONFIG_ATM_ZATM_DEBUG is not set
   2.593  CONFIG_ATM_NICSTAR=m
   2.594 -# CONFIG_ATM_NICSTAR_USE_SUNI is not set
   2.595 -# CONFIG_ATM_NICSTAR_USE_IDT77105 is not set
   2.596 +CONFIG_ATM_NICSTAR_USE_SUNI=y
   2.597 +CONFIG_ATM_NICSTAR_USE_IDT77105=y
   2.598  CONFIG_ATM_IDT77252=m
   2.599  # CONFIG_ATM_IDT77252_DEBUG is not set
   2.600 -# CONFIG_ATM_IDT77252_RCV_ALL is not set
   2.601 +CONFIG_ATM_IDT77252_RCV_ALL=y
   2.602  CONFIG_ATM_IDT77252_USE_SUNI=y
   2.603  CONFIG_ATM_AMBASSADOR=m
   2.604  # CONFIG_ATM_AMBASSADOR_DEBUG is not set
   2.605 @@ -1502,18 +1511,18 @@ CONFIG_ATM_IA=m
   2.606  CONFIG_ATM_FORE200E_MAYBE=m
   2.607  CONFIG_ATM_FORE200E_PCA=y
   2.608  CONFIG_ATM_FORE200E_PCA_DEFAULT_FW=y
   2.609 -# CONFIG_ATM_FORE200E_USE_TASKLET is not set
   2.610 +CONFIG_ATM_FORE200E_USE_TASKLET=y
   2.611  CONFIG_ATM_FORE200E_TX_RETRY=16
   2.612  CONFIG_ATM_FORE200E_DEBUG=0
   2.613  CONFIG_ATM_FORE200E=m
   2.614  CONFIG_ATM_HE=m
   2.615  CONFIG_ATM_HE_USE_SUNI=y
   2.616  CONFIG_FDDI=y
   2.617 -CONFIG_DEFXX=m
   2.618 +# CONFIG_DEFXX is not set
   2.619  CONFIG_SKFP=m
   2.620  CONFIG_HIPPI=y
   2.621  CONFIG_ROADRUNNER=m
   2.622 -# CONFIG_ROADRUNNER_LARGE_RINGS is not set
   2.623 +CONFIG_ROADRUNNER_LARGE_RINGS=y
   2.624  CONFIG_PLIP=m
   2.625  CONFIG_PPP=m
   2.626  CONFIG_PPP_MULTILINK=y
   2.627 @@ -1533,8 +1542,8 @@ CONFIG_NET_FC=y
   2.628  CONFIG_SHAPER=m
   2.629  CONFIG_NETCONSOLE=m
   2.630  CONFIG_NETPOLL=y
   2.631 -# CONFIG_NETPOLL_RX is not set
   2.632 -# CONFIG_NETPOLL_TRAP is not set
   2.633 +CONFIG_NETPOLL_RX=y
   2.634 +CONFIG_NETPOLL_TRAP=y
   2.635  CONFIG_NET_POLL_CONTROLLER=y
   2.636  
   2.637  #
   2.638 @@ -1558,7 +1567,7 @@ CONFIG_ISDN_X25=y
   2.639  #
   2.640  # ISDN feature submodules
   2.641  #
   2.642 -# CONFIG_ISDN_DIVERSION is not set
   2.643 +CONFIG_ISDN_DIVERSION=m
   2.644  
   2.645  #
   2.646  # ISDN4Linux hardware drivers
   2.647 @@ -1775,7 +1784,8 @@ CONFIG_SERIAL_8250_RUNTIME_UARTS=4
   2.648  #
   2.649  # Non-8250 serial port support
   2.650  #
   2.651 -# CONFIG_SERIAL_JSM is not set
   2.652 +CONFIG_SERIAL_CORE=m
   2.653 +CONFIG_SERIAL_JSM=m
   2.654  CONFIG_UNIX98_PTYS=y
   2.655  CONFIG_LEGACY_PTYS=y
   2.656  CONFIG_LEGACY_PTY_COUNT=256
   2.657 @@ -1890,7 +1900,11 @@ CONFIG_HANGCHECK_TIMER=m
   2.658  #
   2.659  # TPM devices
   2.660  #
   2.661 -# CONFIG_TCG_TPM is not set
   2.662 +CONFIG_TCG_TPM=m
   2.663 +CONFIG_TCG_NSC=m
   2.664 +CONFIG_TCG_ATMEL=m
   2.665 +CONFIG_TCG_INFINEON=m
   2.666 +CONFIG_TCG_XEN=m
   2.667  CONFIG_TELCLOCK=m
   2.668  
   2.669  #
   2.670 @@ -1981,7 +1995,7 @@ CONFIG_W1_DS9490_BRIDGE=m
   2.671  CONFIG_W1_THERM=m
   2.672  CONFIG_W1_SMEM=m
   2.673  CONFIG_W1_DS2433=m
   2.674 -# CONFIG_W1_DS2433_CRC is not set
   2.675 +CONFIG_W1_DS2433_CRC=y
   2.676  
   2.677  #
   2.678  # Hardware Monitoring support
   2.679 @@ -2016,7 +2030,7 @@ CONFIG_SENSORS_MAX1619=m
   2.680  CONFIG_SENSORS_PC87360=m
   2.681  CONFIG_SENSORS_SIS5595=m
   2.682  CONFIG_SENSORS_SMSC47M1=m
   2.683 -# CONFIG_SENSORS_SMSC47B397 is not set
   2.684 +CONFIG_SENSORS_SMSC47B397=m
   2.685  CONFIG_SENSORS_VIA686A=m
   2.686  CONFIG_SENSORS_VT8231=m
   2.687  CONFIG_SENSORS_W83781D=m
   2.688 @@ -2050,7 +2064,7 @@ CONFIG_VIDEO_DEV=m
   2.689  #
   2.690  # CONFIG_VIDEO_ADV_DEBUG is not set
   2.691  CONFIG_VIDEO_BT848=m
   2.692 -# CONFIG_VIDEO_BT848_DVB is not set
   2.693 +CONFIG_VIDEO_BT848_DVB=y
   2.694  CONFIG_VIDEO_SAA6588=m
   2.695  CONFIG_VIDEO_BWQCAM=m
   2.696  CONFIG_VIDEO_CQCAM=m
   2.697 @@ -2069,14 +2083,19 @@ CONFIG_VIDEO_ZORAN_DC30=m
   2.698  CONFIG_VIDEO_ZORAN_LML33=m
   2.699  CONFIG_VIDEO_ZORAN_LML33R10=m
   2.700  CONFIG_VIDEO_MEYE=m
   2.701 -# CONFIG_VIDEO_SAA7134 is not set
   2.702 +CONFIG_VIDEO_SAA7134=m
   2.703 +CONFIG_VIDEO_SAA7134_ALSA=m
   2.704 +# CONFIG_VIDEO_SAA7134_OSS is not set
   2.705 +CONFIG_VIDEO_SAA7134_DVB=m
   2.706 +CONFIG_VIDEO_SAA7134_DVB_ALL_FRONTENDS=y
   2.707  CONFIG_VIDEO_MXB=m
   2.708  CONFIG_VIDEO_DPC=m
   2.709  CONFIG_VIDEO_HEXIUM_ORION=m
   2.710  CONFIG_VIDEO_HEXIUM_GEMINI=m
   2.711  CONFIG_VIDEO_CX88=m
   2.712 -# CONFIG_VIDEO_CX88_DVB is not set
   2.713  CONFIG_VIDEO_CX88_ALSA=m
   2.714 +CONFIG_VIDEO_CX88_DVB=m
   2.715 +CONFIG_VIDEO_CX88_DVB_ALL_FRONTENDS=y
   2.716  CONFIG_VIDEO_CX88_VP3054=m
   2.717  CONFIG_VIDEO_EM28XX=m
   2.718  CONFIG_VIDEO_OVCAMCHIP=m
   2.719 @@ -2100,7 +2119,7 @@ CONFIG_DVB_CORE=m
   2.720  # Supported SAA7146 based PCI Adapters
   2.721  #
   2.722  CONFIG_DVB_AV7110=m
   2.723 -# CONFIG_DVB_AV7110_OSD is not set
   2.724 +CONFIG_DVB_AV7110_OSD=y
   2.725  CONFIG_DVB_BUDGET=m
   2.726  CONFIG_DVB_BUDGET_CI=m
   2.727  CONFIG_DVB_BUDGET_AV=m
   2.728 @@ -2198,6 +2217,7 @@ CONFIG_VIDEO_SAA7146_VV=m
   2.729  CONFIG_VIDEO_VIDEOBUF=m
   2.730  CONFIG_VIDEO_TUNER=m
   2.731  CONFIG_VIDEO_BUF=m
   2.732 +CONFIG_VIDEO_BUF_DVB=m
   2.733  CONFIG_VIDEO_BTCX=m
   2.734  CONFIG_VIDEO_IR=m
   2.735  CONFIG_VIDEO_TVEEPROM=m
   2.736 @@ -2206,9 +2226,9 @@ CONFIG_VIDEO_TVEEPROM=m
   2.737  # Graphics support
   2.738  #
   2.739  CONFIG_FB=y
   2.740 -CONFIG_FB_CFB_FILLRECT=m
   2.741 -CONFIG_FB_CFB_COPYAREA=m
   2.742 -CONFIG_FB_CFB_IMAGEBLIT=m
   2.743 +CONFIG_FB_CFB_FILLRECT=y
   2.744 +CONFIG_FB_CFB_COPYAREA=y
   2.745 +CONFIG_FB_CFB_IMAGEBLIT=y
   2.746  # CONFIG_FB_MACMODES is not set
   2.747  CONFIG_FB_MODE_HELPERS=y
   2.748  CONFIG_FB_TILEBLITTING=y
   2.749 @@ -2220,7 +2240,7 @@ CONFIG_FB_ARC=m
   2.750  # CONFIG_FB_ASILIANT is not set
   2.751  # CONFIG_FB_IMSTT is not set
   2.752  CONFIG_FB_VGA16=m
   2.753 -# CONFIG_FB_VESA is not set
   2.754 +CONFIG_FB_VESA=y
   2.755  CONFIG_VIDEO_SELECT=y
   2.756  CONFIG_FB_HGA=m
   2.757  # CONFIG_FB_HGA_ACCEL is not set
   2.758 @@ -2237,10 +2257,10 @@ CONFIG_FB_INTEL=m
   2.759  CONFIG_FB_MATROX=m
   2.760  CONFIG_FB_MATROX_MILLENIUM=y
   2.761  CONFIG_FB_MATROX_MYSTIQUE=y
   2.762 -# CONFIG_FB_MATROX_G is not set
   2.763 -CONFIG_FB_MATROX_I2C=m
   2.764 +CONFIG_FB_MATROX_G=y
   2.765 +# CONFIG_FB_MATROX_I2C is not set
   2.766  CONFIG_FB_MATROX_MULTIHEAD=y
   2.767 -CONFIG_FB_RADEON_OLD=m
   2.768 +# CONFIG_FB_RADEON_OLD is not set
   2.769  CONFIG_FB_RADEON=m
   2.770  CONFIG_FB_RADEON_I2C=y
   2.771  # CONFIG_FB_RADEON_DEBUG is not set
   2.772 @@ -2282,7 +2302,11 @@ CONFIG_FONT_8x16=y
   2.773  # Logo configuration
   2.774  #
   2.775  # CONFIG_LOGO is not set
   2.776 -# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
   2.777 +CONFIG_BACKLIGHT_LCD_SUPPORT=y
   2.778 +CONFIG_BACKLIGHT_CLASS_DEVICE=m
   2.779 +CONFIG_BACKLIGHT_DEVICE=y
   2.780 +CONFIG_LCD_CLASS_DEVICE=m
   2.781 +CONFIG_LCD_DEVICE=y
   2.782  
   2.783  #
   2.784  # Sound
   2.785 @@ -2328,7 +2352,7 @@ CONFIG_SND_MPU401=m
   2.786  # PCI devices
   2.787  #
   2.788  CONFIG_SND_AD1889=m
   2.789 -# CONFIG_SND_ALS4000 is not set
   2.790 +CONFIG_SND_ALS4000=m
   2.791  CONFIG_SND_ALI5451=m
   2.792  CONFIG_SND_ATIIXP=m
   2.793  CONFIG_SND_ATIIXP_MODEM=m
   2.794 @@ -2345,7 +2369,7 @@ CONFIG_SND_CS46XX=m
   2.795  CONFIG_SND_CS46XX_NEW_DSP=y
   2.796  CONFIG_SND_CS5535AUDIO=m
   2.797  CONFIG_SND_EMU10K1=m
   2.798 -# CONFIG_SND_EMU10K1X is not set
   2.799 +CONFIG_SND_EMU10K1X=m
   2.800  CONFIG_SND_ENS1370=m
   2.801  CONFIG_SND_ENS1371=m
   2.802  CONFIG_SND_ES1938=m
   2.803 @@ -2402,7 +2426,7 @@ CONFIG_SOUND_TVMIXER=m
   2.804  #
   2.805  CONFIG_USB_ARCH_HAS_HCD=y
   2.806  CONFIG_USB_ARCH_HAS_OHCI=y
   2.807 -CONFIG_USB=y
   2.808 +CONFIG_USB=m
   2.809  # CONFIG_USB_DEBUG is not set
   2.810  
   2.811  #
   2.812 @@ -2417,7 +2441,7 @@ CONFIG_USB_BANDWIDTH=y
   2.813  #
   2.814  # USB Host Controller Drivers
   2.815  #
   2.816 -CONFIG_USB_EHCI_HCD=y
   2.817 +CONFIG_USB_EHCI_HCD=m
   2.818  CONFIG_USB_EHCI_SPLIT_ISO=y
   2.819  CONFIG_USB_EHCI_ROOT_HUB_TT=y
   2.820  CONFIG_USB_ISP116X_HCD=m
   2.821 @@ -2461,14 +2485,17 @@ CONFIG_USB_LIBUSUAL=y
   2.822  CONFIG_USB_HID=m
   2.823  CONFIG_USB_HIDINPUT=y
   2.824  # CONFIG_USB_HIDINPUT_POWERBOOK is not set
   2.825 -# CONFIG_HID_FF is not set
   2.826 +CONFIG_HID_FF=y
   2.827 +CONFIG_HID_PID=y
   2.828 +CONFIG_LOGITECH_FF=y
   2.829 +CONFIG_THRUSTMASTER_FF=y
   2.830  CONFIG_USB_HIDDEV=y
   2.831  
   2.832  #
   2.833  # USB HID Boot Protocol drivers
   2.834  #
   2.835 -CONFIG_USB_KBD=m
   2.836 -CONFIG_USB_MOUSE=m
   2.837 +# CONFIG_USB_KBD is not set
   2.838 +# CONFIG_USB_MOUSE is not set
   2.839  CONFIG_USB_AIPTEK=m
   2.840  CONFIG_USB_WACOM=m
   2.841  CONFIG_USB_ACECAD=m
   2.842 @@ -2493,7 +2520,7 @@ CONFIG_USB_MICROTEK=m
   2.843  #
   2.844  # USB Multimedia devices
   2.845  #
   2.846 -# CONFIG_USB_DABUSB is not set
   2.847 +CONFIG_USB_DABUSB=m
   2.848  CONFIG_USB_VICAM=m
   2.849  CONFIG_USB_DSBR=m
   2.850  CONFIG_USB_ET61X251=m
   2.851 @@ -2554,30 +2581,30 @@ CONFIG_USB_SERIAL_IPAQ=m
   2.852  CONFIG_USB_SERIAL_IR=m
   2.853  CONFIG_USB_SERIAL_EDGEPORT=m
   2.854  CONFIG_USB_SERIAL_EDGEPORT_TI=m
   2.855 -# CONFIG_USB_SERIAL_GARMIN is not set
   2.856 +CONFIG_USB_SERIAL_GARMIN=m
   2.857  CONFIG_USB_SERIAL_IPW=m
   2.858  CONFIG_USB_SERIAL_KEYSPAN_PDA=m
   2.859  CONFIG_USB_SERIAL_KEYSPAN=m
   2.860 -# CONFIG_USB_SERIAL_KEYSPAN_MPR is not set
   2.861 -# CONFIG_USB_SERIAL_KEYSPAN_USA28 is not set
   2.862 -# CONFIG_USB_SERIAL_KEYSPAN_USA28X is not set
   2.863 -# CONFIG_USB_SERIAL_KEYSPAN_USA28XA is not set
   2.864 -# CONFIG_USB_SERIAL_KEYSPAN_USA28XB is not set
   2.865 -# CONFIG_USB_SERIAL_KEYSPAN_USA19 is not set
   2.866 -# CONFIG_USB_SERIAL_KEYSPAN_USA18X is not set
   2.867 -# CONFIG_USB_SERIAL_KEYSPAN_USA19W is not set
   2.868 -# CONFIG_USB_SERIAL_KEYSPAN_USA19QW is not set
   2.869 -# CONFIG_USB_SERIAL_KEYSPAN_USA19QI is not set
   2.870 -# CONFIG_USB_SERIAL_KEYSPAN_USA49W is not set
   2.871 -# CONFIG_USB_SERIAL_KEYSPAN_USA49WLC is not set
   2.872 +CONFIG_USB_SERIAL_KEYSPAN_MPR=y
   2.873 +CONFIG_USB_SERIAL_KEYSPAN_USA28=y
   2.874 +CONFIG_USB_SERIAL_KEYSPAN_USA28X=y
   2.875 +CONFIG_USB_SERIAL_KEYSPAN_USA28XA=y
   2.876 +CONFIG_USB_SERIAL_KEYSPAN_USA28XB=y
   2.877 +CONFIG_USB_SERIAL_KEYSPAN_USA19=y
   2.878 +CONFIG_USB_SERIAL_KEYSPAN_USA18X=y
   2.879 +CONFIG_USB_SERIAL_KEYSPAN_USA19W=y
   2.880 +CONFIG_USB_SERIAL_KEYSPAN_USA19QW=y
   2.881 +CONFIG_USB_SERIAL_KEYSPAN_USA19QI=y
   2.882 +CONFIG_USB_SERIAL_KEYSPAN_USA49W=y
   2.883 +CONFIG_USB_SERIAL_KEYSPAN_USA49WLC=y
   2.884  CONFIG_USB_SERIAL_KLSI=m
   2.885  CONFIG_USB_SERIAL_KOBIL_SCT=m
   2.886  CONFIG_USB_SERIAL_MCT_U232=m
   2.887  CONFIG_USB_SERIAL_PL2303=m
   2.888  CONFIG_USB_SERIAL_HP4X=m
   2.889  CONFIG_USB_SERIAL_SAFE=m
   2.890 -# CONFIG_USB_SERIAL_SAFE_PADDED is not set
   2.891 -# CONFIG_USB_SERIAL_TI is not set
   2.892 +CONFIG_USB_SERIAL_SAFE_PADDED=y
   2.893 +CONFIG_USB_SERIAL_TI=m
   2.894  CONFIG_USB_SERIAL_CYBERJACK=m
   2.895  CONFIG_USB_SERIAL_XIRCOM=m
   2.896  CONFIG_USB_SERIAL_OPTION=m
   2.897 @@ -2587,8 +2614,8 @@ CONFIG_USB_EZUSB=y
   2.898  #
   2.899  # USB Miscellaneous drivers
   2.900  #
   2.901 -# CONFIG_USB_EMI62 is not set
   2.902 -# CONFIG_USB_EMI26 is not set
   2.903 +CONFIG_USB_EMI62=m
   2.904 +CONFIG_USB_EMI26=m
   2.905  CONFIG_USB_AUERSWALD=m
   2.906  CONFIG_USB_RIO500=m
   2.907  CONFIG_USB_LEGOTOWER=m
   2.908 @@ -2597,9 +2624,9 @@ CONFIG_USB_LED=m
   2.909  CONFIG_USB_CYTHERM=m
   2.910  CONFIG_USB_PHIDGETKIT=m
   2.911  CONFIG_USB_PHIDGETSERVO=m
   2.912 -# CONFIG_USB_IDMOUSE is not set
   2.913 +CONFIG_USB_IDMOUSE=m
   2.914  CONFIG_USB_SISUSBVGA=m
   2.915 -# CONFIG_USB_SISUSBVGA_CON is not set
   2.916 +CONFIG_USB_SISUSBVGA_CON=y
   2.917  CONFIG_USB_LD=m
   2.918  CONFIG_USB_TEST=m
   2.919  
   2.920 @@ -2637,19 +2664,25 @@ CONFIG_USB_G_SERIAL=m
   2.921  #
   2.922  # MMC/SD Card support
   2.923  #
   2.924 -# CONFIG_MMC is not set
   2.925 +CONFIG_MMC=m
   2.926 +# CONFIG_MMC_DEBUG is not set
   2.927 +CONFIG_MMC_BLOCK=m
   2.928 +CONFIG_MMC_WBSD=m
   2.929  
   2.930  #
   2.931  # InfiniBand support
   2.932  #
   2.933 -# CONFIG_INFINIBAND is not set
   2.934 +CONFIG_INFINIBAND=m
   2.935 +CONFIG_INFINIBAND_USER_MAD=m
   2.936 +CONFIG_INFINIBAND_USER_ACCESS=m
   2.937 +CONFIG_INFINIBAND_MTHCA=m
   2.938 +# CONFIG_INFINIBAND_MTHCA_DEBUG is not set
   2.939 +CONFIG_INFINIBAND_IPOIB=m
   2.940 +# CONFIG_INFINIBAND_IPOIB_DEBUG is not set
   2.941 +CONFIG_INFINIBAND_SRP=m
   2.942  
   2.943  #
   2.944 -# SN Devices
   2.945 -#
   2.946 -
   2.947 -#
   2.948 -# EDAC - error detection and reporting (RAS)
   2.949 +# EDAC - error detection and reporting (RAS) (EXPERIMENTAL)
   2.950  #
   2.951  CONFIG_EDAC=m
   2.952  
   2.953 @@ -2685,7 +2718,9 @@ CONFIG_FS_MBCACHE=y
   2.954  CONFIG_REISERFS_FS=m
   2.955  # CONFIG_REISERFS_CHECK is not set
   2.956  # CONFIG_REISERFS_PROC_INFO is not set
   2.957 -# CONFIG_REISERFS_FS_XATTR is not set
   2.958 +CONFIG_REISERFS_FS_XATTR=y
   2.959 +CONFIG_REISERFS_FS_POSIX_ACL=y
   2.960 +CONFIG_REISERFS_FS_SECURITY=y
   2.961  CONFIG_JFS_FS=m
   2.962  CONFIG_JFS_POSIX_ACL=y
   2.963  # CONFIG_JFS_SECURITY is not set
   2.964 @@ -2694,7 +2729,7 @@ CONFIG_JFS_STATISTICS=y
   2.965  CONFIG_FS_POSIX_ACL=y
   2.966  CONFIG_XFS_FS=m
   2.967  CONFIG_XFS_EXPORT=y
   2.968 -# CONFIG_XFS_QUOTA is not set
   2.969 +CONFIG_XFS_QUOTA=y
   2.970  CONFIG_XFS_SECURITY=y
   2.971  CONFIG_XFS_POSIX_ACL=y
   2.972  CONFIG_XFS_RT=y
   2.973 @@ -2768,7 +2803,7 @@ CONFIG_JFFS2_FS_WRITEBUFFER=y
   2.974  CONFIG_JFFS2_ZLIB=y
   2.975  CONFIG_JFFS2_RTIME=y
   2.976  # CONFIG_JFFS2_RUBIN is not set
   2.977 -CONFIG_CRAMFS=y
   2.978 +CONFIG_CRAMFS=m
   2.979  CONFIG_VXFS_FS=m
   2.980  CONFIG_HPFS_FS=m
   2.981  CONFIG_QNX4FS_FS=m
   2.982 @@ -2780,27 +2815,32 @@ CONFIG_UFS_FS=m
   2.983  #
   2.984  CONFIG_NFS_FS=m
   2.985  CONFIG_NFS_V3=y
   2.986 -# CONFIG_NFS_V3_ACL is not set
   2.987 +CONFIG_NFS_V3_ACL=y
   2.988  CONFIG_NFS_V4=y
   2.989  CONFIG_NFS_DIRECTIO=y
   2.990  CONFIG_NFSD=m
   2.991 +CONFIG_NFSD_V2_ACL=y
   2.992  CONFIG_NFSD_V3=y
   2.993 -# CONFIG_NFSD_V3_ACL is not set
   2.994 +CONFIG_NFSD_V3_ACL=y
   2.995  CONFIG_NFSD_V4=y
   2.996  CONFIG_NFSD_TCP=y
   2.997  CONFIG_LOCKD=m
   2.998  CONFIG_LOCKD_V4=y
   2.999  CONFIG_EXPORTFS=m
  2.1000 +CONFIG_NFS_ACL_SUPPORT=m
  2.1001  CONFIG_NFS_COMMON=y
  2.1002  CONFIG_SUNRPC=m
  2.1003  CONFIG_SUNRPC_GSS=m
  2.1004  CONFIG_RPCSEC_GSS_KRB5=m
  2.1005  CONFIG_RPCSEC_GSS_SPKM3=m
  2.1006  CONFIG_SMB_FS=m
  2.1007 -# CONFIG_SMB_NLS_DEFAULT is not set
  2.1008 +CONFIG_SMB_NLS_DEFAULT=y
  2.1009 +CONFIG_SMB_NLS_REMOTE="cp850"
  2.1010  CONFIG_CIFS=m
  2.1011 -# CONFIG_CIFS_STATS is not set
  2.1012 -# CONFIG_CIFS_XATTR is not set
  2.1013 +CONFIG_CIFS_STATS=y
  2.1014 +CONFIG_CIFS_STATS2=y
  2.1015 +CONFIG_CIFS_XATTR=y
  2.1016 +# CONFIG_CIFS_POSIX is not set
  2.1017  # CONFIG_CIFS_EXPERIMENTAL is not set
  2.1018  CONFIG_NCP_FS=m
  2.1019  CONFIG_NCPFS_PACKET_SIGNING=y
  2.1020 @@ -2821,20 +2861,14 @@ CONFIG_9P_FS=m
  2.1021  # Partition Types
  2.1022  #
  2.1023  CONFIG_PARTITION_ADVANCED=y
  2.1024 -CONFIG_ACORN_PARTITION=y
  2.1025 -CONFIG_ACORN_PARTITION_CUMANA=y
  2.1026 -# CONFIG_ACORN_PARTITION_EESOX is not set
  2.1027 -CONFIG_ACORN_PARTITION_ICS=y
  2.1028 -# CONFIG_ACORN_PARTITION_ADFS is not set
  2.1029 -# CONFIG_ACORN_PARTITION_POWERTEC is not set
  2.1030 -CONFIG_ACORN_PARTITION_RISCIX=y
  2.1031 +# CONFIG_ACORN_PARTITION is not set
  2.1032  CONFIG_OSF_PARTITION=y
  2.1033 -CONFIG_AMIGA_PARTITION=y
  2.1034 +# CONFIG_AMIGA_PARTITION is not set
  2.1035  CONFIG_ATARI_PARTITION=y
  2.1036  CONFIG_MAC_PARTITION=y
  2.1037  CONFIG_MSDOS_PARTITION=y
  2.1038  CONFIG_BSD_DISKLABEL=y
  2.1039 -CONFIG_MINIX_SUBPARTITION=y
  2.1040 +# CONFIG_MINIX_SUBPARTITION is not set
  2.1041  CONFIG_SOLARIS_X86_PARTITION=y
  2.1042  CONFIG_UNIXWARE_DISKLABEL=y
  2.1043  CONFIG_LDM_PARTITION=y
  2.1044 @@ -2849,7 +2883,7 @@ CONFIG_EFI_PARTITION=y
  2.1045  # Native Language Support
  2.1046  #
  2.1047  CONFIG_NLS=y
  2.1048 -CONFIG_NLS_DEFAULT="cp437"
  2.1049 +CONFIG_NLS_DEFAULT="utf8"
  2.1050  CONFIG_NLS_CODEPAGE_437=m
  2.1051  CONFIG_NLS_CODEPAGE_737=m
  2.1052  CONFIG_NLS_CODEPAGE_775=m
  2.1053 @@ -2910,15 +2944,15 @@ CONFIG_DETECT_SOFTLOCKUP=y
  2.1054  # CONFIG_DEBUG_SPINLOCK_SLEEP is not set
  2.1055  # CONFIG_DEBUG_KOBJECT is not set
  2.1056  # CONFIG_DEBUG_HIGHMEM is not set
  2.1057 -# CONFIG_DEBUG_BUGVERBOSE is not set
  2.1058 +CONFIG_DEBUG_BUGVERBOSE=y
  2.1059  # CONFIG_DEBUG_INFO is not set
  2.1060  # CONFIG_DEBUG_FS is not set
  2.1061  # CONFIG_DEBUG_VM is not set
  2.1062  # CONFIG_FRAME_POINTER is not set
  2.1063  CONFIG_FORCED_INLINING=y
  2.1064  # CONFIG_RCU_TORTURE_TEST is not set
  2.1065 -# CONFIG_EARLY_PRINTK is not set
  2.1066 -# CONFIG_DEBUG_STACKOVERFLOW is not set
  2.1067 +CONFIG_EARLY_PRINTK=y
  2.1068 +CONFIG_DEBUG_STACKOVERFLOW=y
  2.1069  # CONFIG_DEBUG_STACK_USAGE is not set
  2.1070  # CONFIG_DEBUG_PAGEALLOC is not set
  2.1071  # CONFIG_DEBUG_RODATA is not set
  2.1072 @@ -2932,10 +2966,12 @@ CONFIG_X86_MPPARSE=y
  2.1073  CONFIG_KEYS=y
  2.1074  # CONFIG_KEYS_DEBUG_PROC_KEYS is not set
  2.1075  CONFIG_SECURITY=y
  2.1076 -# CONFIG_SECURITY_NETWORK is not set
  2.1077 +CONFIG_SECURITY_NETWORK=y
  2.1078 +# CONFIG_SECURITY_NETWORK_XFRM is not set
  2.1079  CONFIG_SECURITY_CAPABILITIES=y
  2.1080  CONFIG_SECURITY_ROOTPLUG=m
  2.1081  CONFIG_SECURITY_SECLVL=m
  2.1082 +# CONFIG_SECURITY_SELINUX is not set
  2.1083  
  2.1084  #
  2.1085  # Cryptographic options
  2.1086 @@ -2972,7 +3008,7 @@ CONFIG_CRYPTO_TEST=m
  2.1087  #
  2.1088  # CONFIG_CRYPTO_DEV_PADLOCK is not set
  2.1089  CONFIG_XEN=y
  2.1090 -CONFIG_NO_IDLE_HZ=y
  2.1091 +CONFIG_XEN_INTERFACE_VERSION=0x00030101
  2.1092  
  2.1093  #
  2.1094  # XEN
  2.1095 @@ -2980,9 +3016,9 @@ CONFIG_NO_IDLE_HZ=y
  2.1096  CONFIG_XEN_PRIVILEGED_GUEST=y
  2.1097  # CONFIG_XEN_UNPRIVILEGED_GUEST is not set
  2.1098  CONFIG_XEN_BACKEND=y
  2.1099 -CONFIG_XEN_PCIDEV_BACKEND=y
  2.1100 -# CONFIG_XEN_PCIDEV_BACKEND_VPCI is not set
  2.1101 -CONFIG_XEN_PCIDEV_BACKEND_PASS=y
  2.1102 +CONFIG_XEN_PCIDEV_BACKEND=m
  2.1103 +CONFIG_XEN_PCIDEV_BACKEND_VPCI=y
  2.1104 +# CONFIG_XEN_PCIDEV_BACKEND_PASS is not set
  2.1105  # CONFIG_XEN_PCIDEV_BE_DEBUG is not set
  2.1106  CONFIG_XEN_BLKDEV_BACKEND=y
  2.1107  # CONFIG_XEN_BLKDEV_TAP_BE is not set
  2.1108 @@ -2993,12 +3029,13 @@ CONFIG_XEN_NETDEV_LOOPBACK=y
  2.1109  CONFIG_XEN_BLKDEV_FRONTEND=y
  2.1110  CONFIG_XEN_NETDEV_FRONTEND=y
  2.1111  # CONFIG_XEN_BLKDEV_TAP is not set
  2.1112 -# CONFIG_XEN_TPMDEV_FRONTEND is not set
  2.1113 +CONFIG_XEN_TPMDEV_FRONTEND=m
  2.1114  CONFIG_XEN_SCRUB_PAGES=y
  2.1115  CONFIG_XEN_DISABLE_SERIAL=y
  2.1116 -CONFIG_XEN_SYSFS=m
  2.1117 +CONFIG_XEN_SYSFS=y
  2.1118  CONFIG_HAVE_ARCH_ALLOC_SKB=y
  2.1119  CONFIG_HAVE_ARCH_DEV_ALLOC_SKB=y
  2.1120 +CONFIG_NO_IDLE_HZ=y
  2.1121  
  2.1122  #
  2.1123  # Library routines
  2.1124 @@ -3007,7 +3044,7 @@ CONFIG_CRC_CCITT=m
  2.1125  CONFIG_CRC16=m
  2.1126  CONFIG_CRC32=y
  2.1127  CONFIG_LIBCRC32C=m
  2.1128 -CONFIG_ZLIB_INFLATE=y
  2.1129 +CONFIG_ZLIB_INFLATE=m
  2.1130  CONFIG_ZLIB_DEFLATE=m
  2.1131  CONFIG_REED_SOLOMON=m
  2.1132  CONFIG_REED_SOLOMON_DEC16=y
  2.1133 @@ -3021,4 +3058,6 @@ CONFIG_GENERIC_PENDING_IRQ=y
  2.1134  CONFIG_X86_SMP=y
  2.1135  CONFIG_X86_BIOS_REBOOT=y
  2.1136  CONFIG_X86_TRAMPOLINE=y
  2.1137 +CONFIG_X86_NO_TSS=y
  2.1138 +CONFIG_X86_NO_IDT=y
  2.1139  CONFIG_KTIME_SCALAR=y
     3.1 --- a/buildconfigs/linux-defconfig_xen_x86_64	Tue Apr 25 22:55:22 2006 -0600
     3.2 +++ b/buildconfigs/linux-defconfig_xen_x86_64	Tue Apr 25 23:35:55 2006 -0600
     3.3 @@ -1,7 +1,7 @@
     3.4  #
     3.5  # Automatically generated make config: don't edit
     3.6  # Linux kernel version: 2.6.16-xen
     3.7 -# Thu Apr 13 15:01:04 2006
     3.8 +# Thu Apr 20 17:05:48 2006
     3.9  #
    3.10  CONFIG_X86_64=y
    3.11  CONFIG_64BIT=y
    3.12 @@ -31,16 +31,19 @@ CONFIG_LOCALVERSION=""
    3.13  # CONFIG_LOCALVERSION_AUTO is not set
    3.14  CONFIG_SWAP=y
    3.15  CONFIG_SYSVIPC=y
    3.16 -# CONFIG_POSIX_MQUEUE is not set
    3.17 -# CONFIG_BSD_PROCESS_ACCT is not set
    3.18 +CONFIG_POSIX_MQUEUE=y
    3.19 +CONFIG_BSD_PROCESS_ACCT=y
    3.20 +CONFIG_BSD_PROCESS_ACCT_V3=y
    3.21  CONFIG_SYSCTL=y
    3.22 -# CONFIG_AUDIT is not set
    3.23 -# CONFIG_IKCONFIG is not set
    3.24 -# CONFIG_CPUSETS is not set
    3.25 +CONFIG_AUDIT=y
    3.26 +CONFIG_AUDITSYSCALL=y
    3.27 +CONFIG_IKCONFIG=y
    3.28 +CONFIG_IKCONFIG_PROC=y
    3.29 +CONFIG_CPUSETS=y
    3.30  CONFIG_INITRAMFS_SOURCE=""
    3.31  CONFIG_UID16=y
    3.32  CONFIG_VM86=y
    3.33 -# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
    3.34 +CONFIG_CC_OPTIMIZE_FOR_SIZE=y
    3.35  # CONFIG_EMBEDDED is not set
    3.36  CONFIG_KALLSYMS=y
    3.37  # CONFIG_KALLSYMS_ALL is not set
    3.38 @@ -68,9 +71,9 @@ CONFIG_OBSOLETE_INTERMODULE=m
    3.39  #
    3.40  CONFIG_MODULES=y
    3.41  CONFIG_MODULE_UNLOAD=y
    3.42 -# CONFIG_MODULE_FORCE_UNLOAD is not set
    3.43 +CONFIG_MODULE_FORCE_UNLOAD=y
    3.44  CONFIG_OBSOLETE_MODPARM=y
    3.45 -# CONFIG_MODVERSIONS is not set
    3.46 +CONFIG_MODVERSIONS=y
    3.47  CONFIG_MODULE_SRCVERSION_ALL=y
    3.48  CONFIG_KMOD=y
    3.49  CONFIG_STOP_MACHINE=y
    3.50 @@ -87,11 +90,11 @@ CONFIG_IOSCHED_NOOP=y
    3.51  CONFIG_IOSCHED_AS=y
    3.52  CONFIG_IOSCHED_DEADLINE=y
    3.53  CONFIG_IOSCHED_CFQ=y
    3.54 -CONFIG_DEFAULT_AS=y
    3.55 +# CONFIG_DEFAULT_AS is not set
    3.56  # CONFIG_DEFAULT_DEADLINE is not set
    3.57 -# CONFIG_DEFAULT_CFQ is not set
    3.58 +CONFIG_DEFAULT_CFQ=y
    3.59  # CONFIG_DEFAULT_NOOP is not set
    3.60 -CONFIG_DEFAULT_IOSCHED="anticipatory"
    3.61 +CONFIG_DEFAULT_IOSCHED="cfq"
    3.62  
    3.63  #
    3.64  # Processor type and features
    3.65 @@ -108,15 +111,15 @@ CONFIG_X86_L1_CACHE_BYTES=128
    3.66  CONFIG_X86_L1_CACHE_SHIFT=7
    3.67  CONFIG_X86_GOOD_APIC=y
    3.68  CONFIG_MICROCODE=y
    3.69 -# CONFIG_X86_MSR is not set
    3.70 -# CONFIG_X86_CPUID is not set
    3.71 +CONFIG_X86_MSR=m
    3.72 +CONFIG_X86_CPUID=m
    3.73  CONFIG_X86_IO_APIC=y
    3.74  CONFIG_X86_XEN_GENAPIC=y
    3.75  CONFIG_X86_LOCAL_APIC=y
    3.76  CONFIG_MTRR=y
    3.77  CONFIG_SMP=y
    3.78 -CONFIG_PREEMPT_NONE=y
    3.79 -# CONFIG_PREEMPT_VOLUNTARY is not set
    3.80 +# CONFIG_PREEMPT_NONE is not set
    3.81 +CONFIG_PREEMPT_VOLUNTARY=y
    3.82  # CONFIG_PREEMPT is not set
    3.83  CONFIG_PREEMPT_BKL=y
    3.84  CONFIG_ARCH_SPARSEMEM_ENABLE=y
    3.85 @@ -129,7 +132,7 @@ CONFIG_FLATMEM=y
    3.86  CONFIG_FLAT_NODE_MEM_MAP=y
    3.87  # CONFIG_SPARSEMEM_STATIC is not set
    3.88  CONFIG_SPLIT_PTLOCK_CPUS=4096
    3.89 -CONFIG_NR_CPUS=8
    3.90 +CONFIG_NR_CPUS=32
    3.91  CONFIG_HOTPLUG_CPU=y
    3.92  CONFIG_SWIOTLB=y
    3.93  # CONFIG_CRASH_DUMP is not set
    3.94 @@ -226,9 +229,9 @@ CONFIG_HOTPLUG_PCI=m
    3.95  # Executable file formats / Emulations
    3.96  #
    3.97  CONFIG_BINFMT_ELF=y
    3.98 -CONFIG_BINFMT_MISC=y
    3.99 +CONFIG_BINFMT_MISC=m
   3.100  CONFIG_IA32_EMULATION=y
   3.101 -# CONFIG_IA32_AOUT is not set
   3.102 +CONFIG_IA32_AOUT=y
   3.103  CONFIG_COMPAT=y
   3.104  CONFIG_SYSVIPC_COMPAT=y
   3.105  
   3.106 @@ -245,7 +248,7 @@ CONFIG_PACKET=y
   3.107  CONFIG_PACKET_MMAP=y
   3.108  CONFIG_UNIX=y
   3.109  CONFIG_XFRM=y
   3.110 -CONFIG_XFRM_USER=y
   3.111 +CONFIG_XFRM_USER=m
   3.112  CONFIG_NET_KEY=m
   3.113  CONFIG_INET=y
   3.114  CONFIG_IP_MULTICAST=y
   3.115 @@ -258,7 +261,10 @@ CONFIG_IP_ROUTE_FWMARK=y
   3.116  CONFIG_IP_ROUTE_MULTIPATH=y
   3.117  # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
   3.118  CONFIG_IP_ROUTE_VERBOSE=y
   3.119 -# CONFIG_IP_PNP is not set
   3.120 +CONFIG_IP_PNP=y
   3.121 +CONFIG_IP_PNP_DHCP=y
   3.122 +CONFIG_IP_PNP_BOOTP=y
   3.123 +CONFIG_IP_PNP_RARP=y
   3.124  CONFIG_NET_IPIP=m
   3.125  CONFIG_NET_IPGRE=m
   3.126  CONFIG_NET_IPGRE_BROADCAST=y
   3.127 @@ -441,6 +447,11 @@ CONFIG_IP6_NF_TARGET_HL=m
   3.128  CONFIG_IP6_NF_RAW=m
   3.129  
   3.130  #
   3.131 +# DECnet: Netfilter Configuration
   3.132 +#
   3.133 +# CONFIG_DECNET_NF_GRABULATOR is not set
   3.134 +
   3.135 +#
   3.136  # Bridge: Netfilter Configuration
   3.137  #
   3.138  CONFIG_BRIDGE_NF_EBTABLES=m
   3.139 @@ -507,20 +518,23 @@ CONFIG_ATM_BR2684=m
   3.140  # CONFIG_ATM_BR2684_IPFILTER is not set
   3.141  CONFIG_BRIDGE=m
   3.142  CONFIG_VLAN_8021Q=m
   3.143 -# CONFIG_DECNET is not set
   3.144 +CONFIG_DECNET=m
   3.145 +# CONFIG_DECNET_ROUTER is not set
   3.146  CONFIG_LLC=y
   3.147 -# CONFIG_LLC2 is not set
   3.148 +CONFIG_LLC2=m
   3.149  CONFIG_IPX=m
   3.150 -# CONFIG_IPX_INTERN is not set
   3.151 +CONFIG_IPX_INTERN=y
   3.152  CONFIG_ATALK=m
   3.153  CONFIG_DEV_APPLETALK=y
   3.154  CONFIG_IPDDP=m
   3.155  CONFIG_IPDDP_ENCAP=y
   3.156  CONFIG_IPDDP_DECAP=y
   3.157 -# CONFIG_X25 is not set
   3.158 -# CONFIG_LAPB is not set
   3.159 +CONFIG_X25=m
   3.160 +CONFIG_LAPB=m
   3.161  CONFIG_NET_DIVERT=y
   3.162 -# CONFIG_ECONET is not set
   3.163 +CONFIG_ECONET=m
   3.164 +# CONFIG_ECONET_AUNUDP is not set
   3.165 +# CONFIG_ECONET_NATIVE is not set
   3.166  CONFIG_WAN_ROUTER=m
   3.167  
   3.168  #
   3.169 @@ -577,8 +591,27 @@ CONFIG_NET_ESTIMATOR=y
   3.170  #
   3.171  # Network testing
   3.172  #
   3.173 -# CONFIG_NET_PKTGEN is not set
   3.174 -# CONFIG_HAMRADIO is not set
   3.175 +CONFIG_NET_PKTGEN=m
   3.176 +CONFIG_HAMRADIO=y
   3.177 +
   3.178 +#
   3.179 +# Packet Radio protocols
   3.180 +#
   3.181 +CONFIG_AX25=m
   3.182 +CONFIG_AX25_DAMA_SLAVE=y
   3.183 +CONFIG_NETROM=m
   3.184 +CONFIG_ROSE=m
   3.185 +
   3.186 +#
   3.187 +# AX.25 network device drivers
   3.188 +#
   3.189 +CONFIG_MKISS=m
   3.190 +CONFIG_6PACK=m
   3.191 +CONFIG_BPQETHER=m
   3.192 +CONFIG_BAYCOM_SER_FDX=m
   3.193 +CONFIG_BAYCOM_SER_HDX=m
   3.194 +CONFIG_BAYCOM_PAR=m
   3.195 +CONFIG_YAM=m
   3.196  CONFIG_IRDA=m
   3.197  
   3.198  #
   3.199 @@ -587,7 +620,7 @@ CONFIG_IRDA=m
   3.200  CONFIG_IRLAN=m
   3.201  CONFIG_IRNET=m
   3.202  CONFIG_IRCOMM=m
   3.203 -# CONFIG_IRDA_ULTRA is not set
   3.204 +CONFIG_IRDA_ULTRA=y
   3.205  
   3.206  #
   3.207  # IrDA options
   3.208 @@ -680,13 +713,14 @@ CONFIG_IEEE80211_CRYPT_TKIP=m
   3.209  #
   3.210  CONFIG_STANDALONE=y
   3.211  CONFIG_PREVENT_FIRMWARE_BUILD=y
   3.212 -CONFIG_FW_LOADER=y
   3.213 +CONFIG_FW_LOADER=m
   3.214  # CONFIG_DEBUG_DRIVER is not set
   3.215  
   3.216  #
   3.217  # Connector - unified userspace <-> kernelspace linker
   3.218  #
   3.219 -CONFIG_CONNECTOR=m
   3.220 +CONFIG_CONNECTOR=y
   3.221 +CONFIG_PROC_EVENTS=y
   3.222  
   3.223  #
   3.224  # Memory Technology Devices (MTD)
   3.225 @@ -719,7 +753,11 @@ CONFIG_RFD_FTL=m
   3.226  CONFIG_MTD_CFI=m
   3.227  CONFIG_MTD_JEDECPROBE=m
   3.228  CONFIG_MTD_GEN_PROBE=m
   3.229 -# CONFIG_MTD_CFI_ADV_OPTIONS is not set
   3.230 +CONFIG_MTD_CFI_ADV_OPTIONS=y
   3.231 +CONFIG_MTD_CFI_NOSWAP=y
   3.232 +# CONFIG_MTD_CFI_BE_BYTE_SWAP is not set
   3.233 +# CONFIG_MTD_CFI_LE_BYTE_SWAP is not set
   3.234 +# CONFIG_MTD_CFI_GEOMETRY is not set
   3.235  CONFIG_MTD_MAP_BANK_WIDTH_1=y
   3.236  CONFIG_MTD_MAP_BANK_WIDTH_2=y
   3.237  CONFIG_MTD_MAP_BANK_WIDTH_4=y
   3.238 @@ -730,13 +768,14 @@ CONFIG_MTD_CFI_I1=y
   3.239  CONFIG_MTD_CFI_I2=y
   3.240  # CONFIG_MTD_CFI_I4 is not set
   3.241  # CONFIG_MTD_CFI_I8 is not set
   3.242 +# CONFIG_MTD_OTP is not set
   3.243  CONFIG_MTD_CFI_INTELEXT=m
   3.244  CONFIG_MTD_CFI_AMDSTD=m
   3.245  CONFIG_MTD_CFI_AMDSTD_RETRY=3
   3.246  CONFIG_MTD_CFI_STAA=m
   3.247  CONFIG_MTD_CFI_UTIL=m
   3.248  CONFIG_MTD_RAM=m
   3.249 -CONFIG_MTD_ROM=m
   3.250 +# CONFIG_MTD_ROM is not set
   3.251  CONFIG_MTD_ABSENT=m
   3.252  # CONFIG_MTD_OBSOLETE_CHIPS is not set
   3.253  
   3.254 @@ -744,7 +783,10 @@ CONFIG_MTD_ABSENT=m
   3.255  # Mapping drivers for chip access
   3.256  #
   3.257  CONFIG_MTD_COMPLEX_MAPPINGS=y
   3.258 -# CONFIG_MTD_PHYSMAP is not set
   3.259 +CONFIG_MTD_PHYSMAP=m
   3.260 +CONFIG_MTD_PHYSMAP_START=0x8000000
   3.261 +CONFIG_MTD_PHYSMAP_LEN=0x4000000
   3.262 +CONFIG_MTD_PHYSMAP_BANKWIDTH=2
   3.263  # CONFIG_MTD_PNC2000 is not set
   3.264  CONFIG_MTD_SC520CDP=m
   3.265  CONFIG_MTD_NETSC520=m
   3.266 @@ -779,12 +821,14 @@ CONFIG_MTD_BLOCK2MTD=m
   3.267  # Disk-On-Chip Device Drivers
   3.268  #
   3.269  CONFIG_MTD_DOC2000=m
   3.270 -# CONFIG_MTD_DOC2001 is not set
   3.271 +CONFIG_MTD_DOC2001=m
   3.272  CONFIG_MTD_DOC2001PLUS=m
   3.273  CONFIG_MTD_DOCPROBE=m
   3.274  CONFIG_MTD_DOCECC=m
   3.275 -# CONFIG_MTD_DOCPROBE_ADVANCED is not set
   3.276 -CONFIG_MTD_DOCPROBE_ADDRESS=0
   3.277 +CONFIG_MTD_DOCPROBE_ADVANCED=y
   3.278 +CONFIG_MTD_DOCPROBE_ADDRESS=0x0000
   3.279 +CONFIG_MTD_DOCPROBE_HIGH=y
   3.280 +CONFIG_MTD_DOCPROBE_55AA=y
   3.281  
   3.282  #
   3.283  # NAND Flash Device Drivers
   3.284 @@ -792,8 +836,11 @@ CONFIG_MTD_DOCPROBE_ADDRESS=0
   3.285  CONFIG_MTD_NAND=m
   3.286  # CONFIG_MTD_NAND_VERIFY_WRITE is not set
   3.287  CONFIG_MTD_NAND_IDS=m
   3.288 -# CONFIG_MTD_NAND_DISKONCHIP is not set
   3.289 -# CONFIG_MTD_NAND_NANDSIM is not set
   3.290 +CONFIG_MTD_NAND_DISKONCHIP=m
   3.291 +# CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set
   3.292 +CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0
   3.293 +CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE=y
   3.294 +CONFIG_MTD_NAND_NANDSIM=y
   3.295  
   3.296  #
   3.297  # OneNAND Flash Device Drivers
   3.298 @@ -864,7 +911,7 @@ CONFIG_CISS_SCSI_TAPE=y
   3.299  CONFIG_BLK_DEV_DAC960=m
   3.300  CONFIG_BLK_DEV_UMEM=m
   3.301  # CONFIG_BLK_DEV_COW_COMMON is not set
   3.302 -CONFIG_BLK_DEV_LOOP=m
   3.303 +CONFIG_BLK_DEV_LOOP=y
   3.304  CONFIG_BLK_DEV_CRYPTOLOOP=m
   3.305  CONFIG_BLK_DEV_NBD=m
   3.306  CONFIG_BLK_DEV_SX8=m
   3.307 @@ -889,58 +936,58 @@ CONFIG_BLK_DEV_IDE=y
   3.308  #
   3.309  # CONFIG_BLK_DEV_IDE_SATA is not set
   3.310  # CONFIG_BLK_DEV_HD_IDE is not set
   3.311 -CONFIG_BLK_DEV_IDEDISK=y
   3.312 +CONFIG_BLK_DEV_IDEDISK=m
   3.313  CONFIG_IDEDISK_MULTI_MODE=y
   3.314  # CONFIG_BLK_DEV_IDECS is not set
   3.315 -CONFIG_BLK_DEV_IDECD=y
   3.316 -# CONFIG_BLK_DEV_IDETAPE is not set
   3.317 -CONFIG_BLK_DEV_IDEFLOPPY=y
   3.318 +CONFIG_BLK_DEV_IDECD=m
   3.319 +CONFIG_BLK_DEV_IDETAPE=m
   3.320 +CONFIG_BLK_DEV_IDEFLOPPY=m
   3.321  CONFIG_BLK_DEV_IDESCSI=m
   3.322  # CONFIG_IDE_TASK_IOCTL is not set
   3.323  
   3.324  #
   3.325  # IDE chipset support/bugfixes
   3.326  #
   3.327 -CONFIG_IDE_GENERIC=y
   3.328 +CONFIG_IDE_GENERIC=m
   3.329  CONFIG_BLK_DEV_CMD640=y
   3.330  CONFIG_BLK_DEV_CMD640_ENHANCED=y
   3.331  CONFIG_BLK_DEV_IDEPNP=y
   3.332  CONFIG_BLK_DEV_IDEPCI=y
   3.333  CONFIG_IDEPCI_SHARE_IRQ=y
   3.334 -# CONFIG_BLK_DEV_OFFBOARD is not set
   3.335 +CONFIG_BLK_DEV_OFFBOARD=y
   3.336  CONFIG_BLK_DEV_GENERIC=y
   3.337  # CONFIG_BLK_DEV_OPTI621 is not set
   3.338 -CONFIG_BLK_DEV_RZ1000=y
   3.339 +CONFIG_BLK_DEV_RZ1000=m
   3.340  CONFIG_BLK_DEV_IDEDMA_PCI=y
   3.341  # CONFIG_BLK_DEV_IDEDMA_FORCED is not set
   3.342  CONFIG_IDEDMA_PCI_AUTO=y
   3.343  # CONFIG_IDEDMA_ONLYDISK is not set
   3.344 -CONFIG_BLK_DEV_AEC62XX=y
   3.345 -CONFIG_BLK_DEV_ALI15X3=y
   3.346 +CONFIG_BLK_DEV_AEC62XX=m
   3.347 +CONFIG_BLK_DEV_ALI15X3=m
   3.348  # CONFIG_WDC_ALI15X3 is not set
   3.349 -CONFIG_BLK_DEV_AMD74XX=y
   3.350 -CONFIG_BLK_DEV_ATIIXP=y
   3.351 -CONFIG_BLK_DEV_CMD64X=y
   3.352 -CONFIG_BLK_DEV_TRIFLEX=y
   3.353 -CONFIG_BLK_DEV_CY82C693=y
   3.354 -CONFIG_BLK_DEV_CS5520=y
   3.355 -CONFIG_BLK_DEV_CS5530=y
   3.356 -CONFIG_BLK_DEV_HPT34X=y
   3.357 -# CONFIG_HPT34X_AUTODMA is not set
   3.358 -CONFIG_BLK_DEV_HPT366=y
   3.359 -# CONFIG_BLK_DEV_SC1200 is not set
   3.360 -CONFIG_BLK_DEV_PIIX=y
   3.361 +CONFIG_BLK_DEV_AMD74XX=m
   3.362 +CONFIG_BLK_DEV_ATIIXP=m
   3.363 +CONFIG_BLK_DEV_CMD64X=m
   3.364 +CONFIG_BLK_DEV_TRIFLEX=m
   3.365 +CONFIG_BLK_DEV_CY82C693=m
   3.366 +CONFIG_BLK_DEV_CS5520=m
   3.367 +CONFIG_BLK_DEV_CS5530=m
   3.368 +CONFIG_BLK_DEV_HPT34X=m
   3.369 +CONFIG_HPT34X_AUTODMA=y
   3.370 +CONFIG_BLK_DEV_HPT366=m
   3.371 +CONFIG_BLK_DEV_SC1200=m
   3.372 +CONFIG_BLK_DEV_PIIX=m
   3.373  CONFIG_BLK_DEV_IT821X=m
   3.374 -# CONFIG_BLK_DEV_NS87415 is not set
   3.375 -CONFIG_BLK_DEV_PDC202XX_OLD=y
   3.376 -# CONFIG_PDC202XX_BURST is not set
   3.377 -CONFIG_BLK_DEV_PDC202XX_NEW=y
   3.378 -CONFIG_BLK_DEV_SVWKS=y
   3.379 -CONFIG_BLK_DEV_SIIMAGE=y
   3.380 -CONFIG_BLK_DEV_SIS5513=y
   3.381 -CONFIG_BLK_DEV_SLC90E66=y
   3.382 +CONFIG_BLK_DEV_NS87415=m
   3.383 +CONFIG_BLK_DEV_PDC202XX_OLD=m
   3.384 +CONFIG_PDC202XX_BURST=y
   3.385 +CONFIG_BLK_DEV_PDC202XX_NEW=m
   3.386 +CONFIG_BLK_DEV_SVWKS=m
   3.387 +CONFIG_BLK_DEV_SIIMAGE=m
   3.388 +CONFIG_BLK_DEV_SIS5513=m
   3.389 +CONFIG_BLK_DEV_SLC90E66=m
   3.390  # CONFIG_BLK_DEV_TRM290 is not set
   3.391 -CONFIG_BLK_DEV_VIA82CXXX=y
   3.392 +CONFIG_BLK_DEV_VIA82CXXX=m
   3.393  # CONFIG_IDE_ARM is not set
   3.394  CONFIG_BLK_DEV_IDEDMA=y
   3.395  # CONFIG_IDEDMA_IVB is not set
   3.396 @@ -951,13 +998,13 @@ CONFIG_IDEDMA_AUTO=y
   3.397  # SCSI device support
   3.398  #
   3.399  CONFIG_RAID_ATTRS=m
   3.400 -CONFIG_SCSI=y
   3.401 +CONFIG_SCSI=m
   3.402  CONFIG_SCSI_PROC_FS=y
   3.403  
   3.404  #
   3.405  # SCSI support type (disk, tape, CD-ROM)
   3.406  #
   3.407 -CONFIG_BLK_DEV_SD=y
   3.408 +CONFIG_BLK_DEV_SD=m
   3.409  CONFIG_CHR_DEV_ST=m
   3.410  CONFIG_CHR_DEV_OSST=m
   3.411  CONFIG_BLK_DEV_SR=m
   3.412 @@ -1007,10 +1054,10 @@ CONFIG_MEGARAID_MM=m
   3.413  CONFIG_MEGARAID_MAILBOX=m
   3.414  CONFIG_MEGARAID_LEGACY=m
   3.415  CONFIG_MEGARAID_SAS=m
   3.416 -CONFIG_SCSI_SATA=y
   3.417 +CONFIG_SCSI_SATA=m
   3.418  CONFIG_SCSI_SATA_AHCI=m
   3.419  CONFIG_SCSI_SATA_SVW=m
   3.420 -CONFIG_SCSI_ATA_PIIX=y
   3.421 +CONFIG_SCSI_ATA_PIIX=m
   3.422  CONFIG_SCSI_SATA_MV=m
   3.423  CONFIG_SCSI_SATA_NV=m
   3.424  CONFIG_SCSI_PDC_ADMA=m
   3.425 @@ -1026,9 +1073,12 @@ CONFIG_SCSI_SATA_VITESSE=m
   3.426  CONFIG_SCSI_SATA_INTEL_COMBINED=y
   3.427  CONFIG_SCSI_BUSLOGIC=m
   3.428  # CONFIG_SCSI_OMIT_FLASHPOINT is not set
   3.429 -# CONFIG_SCSI_DMX3191D is not set
   3.430 -# CONFIG_SCSI_EATA is not set
   3.431 -# CONFIG_SCSI_FUTURE_DOMAIN is not set
   3.432 +CONFIG_SCSI_DMX3191D=m
   3.433 +CONFIG_SCSI_EATA=m
   3.434 +CONFIG_SCSI_EATA_TAGGED_QUEUE=y
   3.435 +CONFIG_SCSI_EATA_LINKED_COMMANDS=y
   3.436 +CONFIG_SCSI_EATA_MAX_TAGS=16
   3.437 +CONFIG_SCSI_FUTURE_DOMAIN=m
   3.438  CONFIG_SCSI_GDTH=m
   3.439  CONFIG_SCSI_IPS=m
   3.440  CONFIG_SCSI_INITIO=m
   3.441 @@ -1043,7 +1093,8 @@ CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
   3.442  CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
   3.443  # CONFIG_SCSI_SYM53C8XX_IOMAPPED is not set
   3.444  # CONFIG_SCSI_IPR is not set
   3.445 -# CONFIG_SCSI_QLOGIC_FC is not set
   3.446 +CONFIG_SCSI_QLOGIC_FC=m
   3.447 +CONFIG_SCSI_QLOGIC_FC_FIRMWARE=y
   3.448  CONFIG_SCSI_QLOGIC_1280=m
   3.449  CONFIG_SCSI_QLA_FC=m
   3.450  # CONFIG_SCSI_QLA2XXX_EMBEDDED_FIRMWARE is not set
   3.451 @@ -1148,7 +1199,15 @@ CONFIG_NET_SB1000=m
   3.452  #
   3.453  # ARCnet devices
   3.454  #
   3.455 -# CONFIG_ARCNET is not set
   3.456 +CONFIG_ARCNET=m
   3.457 +CONFIG_ARCNET_1201=m
   3.458 +CONFIG_ARCNET_1051=m
   3.459 +CONFIG_ARCNET_RAW=m
   3.460 +CONFIG_ARCNET_CAP=m
   3.461 +CONFIG_ARCNET_COM90xx=m
   3.462 +CONFIG_ARCNET_COM90xxIO=m
   3.463 +CONFIG_ARCNET_RIM_I=m
   3.464 +# CONFIG_ARCNET_COM20020 is not set
   3.465  
   3.466  #
   3.467  # PHY device support
   3.468 @@ -1183,21 +1242,22 @@ CONFIG_NET_TULIP=y
   3.469  CONFIG_DE2104X=m
   3.470  CONFIG_TULIP=m
   3.471  # CONFIG_TULIP_MWI is not set
   3.472 -CONFIG_TULIP_MMIO=y
   3.473 -# CONFIG_TULIP_NAPI is not set
   3.474 +# CONFIG_TULIP_MMIO is not set
   3.475 +CONFIG_TULIP_NAPI=y
   3.476 +CONFIG_TULIP_NAPI_HW_MITIGATION=y
   3.477  CONFIG_DE4X5=m
   3.478  CONFIG_WINBOND_840=m
   3.479  CONFIG_DM9102=m
   3.480  CONFIG_ULI526X=m
   3.481 -# CONFIG_PCMCIA_XIRCOM is not set
   3.482 -# CONFIG_HP100 is not set
   3.483 +CONFIG_PCMCIA_XIRCOM=m
   3.484 +CONFIG_HP100=m
   3.485  CONFIG_NET_PCI=y
   3.486  CONFIG_PCNET32=m
   3.487  CONFIG_AMD8111_ETH=m
   3.488  CONFIG_AMD8111E_NAPI=y
   3.489  CONFIG_ADAPTEC_STARFIRE=m
   3.490  CONFIG_ADAPTEC_STARFIRE_NAPI=y
   3.491 -# CONFIG_B44 is not set
   3.492 +CONFIG_B44=m
   3.493  CONFIG_FORCEDETH=m
   3.494  CONFIG_DGRS=m
   3.495  CONFIG_EEPRO100=m
   3.496 @@ -1207,7 +1267,7 @@ CONFIG_NATSEMI=m
   3.497  CONFIG_NE2K_PCI=m
   3.498  CONFIG_8139CP=m
   3.499  CONFIG_8139TOO=m
   3.500 -CONFIG_8139TOO_PIO=y
   3.501 +# CONFIG_8139TOO_PIO is not set
   3.502  # CONFIG_8139TOO_TUNE_TWISTER is not set
   3.503  CONFIG_8139TOO_8129=y
   3.504  # CONFIG_8139_OLD_RX_RESET is not set
   3.505 @@ -1216,11 +1276,8 @@ CONFIG_EPIC100=m
   3.506  CONFIG_SUNDANCE=m
   3.507  # CONFIG_SUNDANCE_MMIO is not set
   3.508  CONFIG_VIA_RHINE=m
   3.509 -CONFIG_VIA_RHINE_MMIO=y
   3.510 -CONFIG_NET_POCKET=y
   3.511 -CONFIG_ATP=m
   3.512 -CONFIG_DE600=m
   3.513 -CONFIG_DE620=m
   3.514 +# CONFIG_VIA_RHINE_MMIO is not set
   3.515 +# CONFIG_NET_POCKET is not set
   3.516  
   3.517  #
   3.518  # Ethernet (1000 Mbit)
   3.519 @@ -1272,14 +1329,14 @@ CONFIG_NET_RADIO=y
   3.520  #
   3.521  # Obsolete Wireless cards support (pre-802.11)
   3.522  #
   3.523 -# CONFIG_STRIP is not set
   3.524 -# CONFIG_PCMCIA_WAVELAN is not set
   3.525 -# CONFIG_PCMCIA_NETWAVE is not set
   3.526 +CONFIG_STRIP=m
   3.527 +CONFIG_PCMCIA_WAVELAN=m
   3.528 +CONFIG_PCMCIA_NETWAVE=m
   3.529  
   3.530  #
   3.531  # Wireless 802.11 Frequency Hopping cards support
   3.532  #
   3.533 -# CONFIG_PCMCIA_RAYCS is not set
   3.534 +CONFIG_PCMCIA_RAYCS=m
   3.535  
   3.536  #
   3.537  # Wireless 802.11b ISA/PCI cards support
   3.538 @@ -1312,7 +1369,8 @@ CONFIG_PCI_ATMEL=m
   3.539  #
   3.540  CONFIG_PRISM54=m
   3.541  CONFIG_HOSTAP=m
   3.542 -# CONFIG_HOSTAP_FIRMWARE is not set
   3.543 +CONFIG_HOSTAP_FIRMWARE=y
   3.544 +CONFIG_HOSTAP_FIRMWARE_NVRAM=y
   3.545  CONFIG_HOSTAP_PLX=m
   3.546  CONFIG_HOSTAP_PCI=m
   3.547  # CONFIG_HOSTAP_CS is not set
   3.548 @@ -1354,7 +1412,9 @@ CONFIG_ATM_HE=m
   3.549  CONFIG_FDDI=y
   3.550  # CONFIG_DEFXX is not set
   3.551  CONFIG_SKFP=m
   3.552 -# CONFIG_HIPPI is not set
   3.553 +CONFIG_HIPPI=y
   3.554 +CONFIG_ROADRUNNER=m
   3.555 +CONFIG_ROADRUNNER_LARGE_RINGS=y
   3.556  CONFIG_PLIP=m
   3.557  CONFIG_PPP=m
   3.558  CONFIG_PPP_MULTILINK=y
   3.559 @@ -1362,19 +1422,19 @@ CONFIG_PPP_FILTER=y
   3.560  CONFIG_PPP_ASYNC=m
   3.561  CONFIG_PPP_SYNC_TTY=m
   3.562  CONFIG_PPP_DEFLATE=m
   3.563 -# CONFIG_PPP_BSDCOMP is not set
   3.564 +CONFIG_PPP_BSDCOMP=m
   3.565  CONFIG_PPP_MPPE=m
   3.566  CONFIG_PPPOE=m
   3.567  CONFIG_PPPOATM=m
   3.568  CONFIG_SLIP=m
   3.569  CONFIG_SLIP_COMPRESSED=y
   3.570  CONFIG_SLIP_SMART=y
   3.571 -# CONFIG_SLIP_MODE_SLIP6 is not set
   3.572 +CONFIG_SLIP_MODE_SLIP6=y
   3.573  CONFIG_NET_FC=y
   3.574 -# CONFIG_SHAPER is not set
   3.575 +CONFIG_SHAPER=m
   3.576  CONFIG_NETCONSOLE=m
   3.577  CONFIG_NETPOLL=y
   3.578 -# CONFIG_NETPOLL_RX is not set
   3.579 +CONFIG_NETPOLL_RX=y
   3.580  CONFIG_NETPOLL_TRAP=y
   3.581  CONFIG_NET_POLL_CONTROLLER=y
   3.582  
   3.583 @@ -1391,9 +1451,10 @@ CONFIG_ISDN_PPP=y
   3.584  CONFIG_ISDN_PPP_VJ=y
   3.585  CONFIG_ISDN_MPP=y
   3.586  CONFIG_IPPP_FILTER=y
   3.587 -# CONFIG_ISDN_PPP_BSDCOMP is not set
   3.588 +CONFIG_ISDN_PPP_BSDCOMP=m
   3.589  CONFIG_ISDN_AUDIO=y
   3.590  CONFIG_ISDN_TTY_FAX=y
   3.591 +CONFIG_ISDN_X25=y
   3.592  
   3.593  #
   3.594  # ISDN feature submodules
   3.595 @@ -1499,7 +1560,9 @@ CONFIG_ISDN_DRV_AVMB1_C4=m
   3.596  #
   3.597  # Telephony Support
   3.598  #
   3.599 -# CONFIG_PHONE is not set
   3.600 +CONFIG_PHONE=m
   3.601 +CONFIG_PHONE_IXJ=m
   3.602 +CONFIG_PHONE_IXJ_PCMCIA=m
   3.603  
   3.604  #
   3.605  # Input device support
   3.606 @@ -1510,11 +1573,13 @@ CONFIG_INPUT=y
   3.607  # Userland interfaces
   3.608  #
   3.609  CONFIG_INPUT_MOUSEDEV=y
   3.610 -# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
   3.611 +CONFIG_INPUT_MOUSEDEV_PSAUX=y
   3.612  CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
   3.613  CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
   3.614  CONFIG_INPUT_JOYDEV=m
   3.615 -# CONFIG_INPUT_TSDEV is not set
   3.616 +CONFIG_INPUT_TSDEV=m
   3.617 +CONFIG_INPUT_TSDEV_SCREEN_X=240
   3.618 +CONFIG_INPUT_TSDEV_SCREEN_Y=320
   3.619  CONFIG_INPUT_EVDEV=y
   3.620  # CONFIG_INPUT_EVBUG is not set
   3.621  
   3.622 @@ -1523,14 +1588,14 @@ CONFIG_INPUT_EVDEV=y
   3.623  #
   3.624  CONFIG_INPUT_KEYBOARD=y
   3.625  CONFIG_KEYBOARD_ATKBD=y
   3.626 -# CONFIG_KEYBOARD_SUNKBD is not set
   3.627 +CONFIG_KEYBOARD_SUNKBD=m
   3.628  # CONFIG_KEYBOARD_LKKBD is not set
   3.629 -# CONFIG_KEYBOARD_XTKBD is not set
   3.630 -# CONFIG_KEYBOARD_NEWTON is not set
   3.631 +CONFIG_KEYBOARD_XTKBD=m
   3.632 +CONFIG_KEYBOARD_NEWTON=m
   3.633  CONFIG_INPUT_MOUSE=y
   3.634  CONFIG_MOUSE_PS2=y
   3.635  CONFIG_MOUSE_SERIAL=m
   3.636 -CONFIG_MOUSE_VSXXXAA=m
   3.637 +# CONFIG_MOUSE_VSXXXAA is not set
   3.638  CONFIG_INPUT_JOYSTICK=y
   3.639  CONFIG_JOYSTICK_ANALOG=m
   3.640  CONFIG_JOYSTICK_A3D=m
   3.641 @@ -1571,12 +1636,12 @@ CONFIG_INPUT_UINPUT=m
   3.642  #
   3.643  CONFIG_SERIO=y
   3.644  CONFIG_SERIO_I8042=y
   3.645 -CONFIG_SERIO_SERPORT=y
   3.646 -# CONFIG_SERIO_CT82C710 is not set
   3.647 -# CONFIG_SERIO_PARKBD is not set
   3.648 -# CONFIG_SERIO_PCIPS2 is not set
   3.649 +CONFIG_SERIO_SERPORT=m
   3.650 +CONFIG_SERIO_CT82C710=m
   3.651 +CONFIG_SERIO_PARKBD=m
   3.652 +CONFIG_SERIO_PCIPS2=m
   3.653  CONFIG_SERIO_LIBPS2=y
   3.654 -# CONFIG_SERIO_RAW is not set
   3.655 +CONFIG_SERIO_RAW=m
   3.656  CONFIG_GAMEPORT=m
   3.657  CONFIG_GAMEPORT_NS558=m
   3.658  CONFIG_GAMEPORT_L4=m
   3.659 @@ -1600,7 +1665,8 @@ CONFIG_HW_CONSOLE=y
   3.660  #
   3.661  # CONFIG_SERIAL_JSM is not set
   3.662  CONFIG_UNIX98_PTYS=y
   3.663 -# CONFIG_LEGACY_PTYS is not set
   3.664 +CONFIG_LEGACY_PTYS=y
   3.665 +CONFIG_LEGACY_PTY_COUNT=64
   3.666  CONFIG_PRINTER=m
   3.667  CONFIG_LP_CONSOLE=y
   3.668  CONFIG_PPDEV=m
   3.669 @@ -1610,7 +1676,8 @@ CONFIG_TIPAR=m
   3.670  # IPMI
   3.671  #
   3.672  CONFIG_IPMI_HANDLER=m
   3.673 -# CONFIG_IPMI_PANIC_EVENT is not set
   3.674 +CONFIG_IPMI_PANIC_EVENT=y
   3.675 +# CONFIG_IPMI_PANIC_STRING is not set
   3.676  CONFIG_IPMI_DEVICE_INTERFACE=m
   3.677  CONFIG_IPMI_SI=m
   3.678  CONFIG_IPMI_WATCHDOG=m
   3.679 @@ -1638,7 +1705,7 @@ CONFIG_WAFER_WDT=m
   3.680  CONFIG_I6300ESB_WDT=m
   3.681  CONFIG_I8XX_TCO=m
   3.682  CONFIG_SC1200_WDT=m
   3.683 -# CONFIG_60XX_WDT is not set
   3.684 +CONFIG_60XX_WDT=m
   3.685  CONFIG_SBC8360_WDT=m
   3.686  CONFIG_CPU5_WDT=m
   3.687  CONFIG_W83627HF_WDT=m
   3.688 @@ -1659,21 +1726,27 @@ CONFIG_WDT_501_PCI=y
   3.689  #
   3.690  CONFIG_USBPCWATCHDOG=m
   3.691  CONFIG_HW_RANDOM=m
   3.692 -# CONFIG_NVRAM is not set
   3.693 +CONFIG_NVRAM=y
   3.694  CONFIG_RTC=y
   3.695  CONFIG_DTLK=m
   3.696  CONFIG_R3964=m
   3.697 -# CONFIG_APPLICOM is not set
   3.698 +CONFIG_APPLICOM=m
   3.699  
   3.700  #
   3.701  # Ftape, the floppy tape device driver
   3.702  #
   3.703 -# CONFIG_AGP is not set
   3.704 +CONFIG_AGP=m
   3.705 +CONFIG_AGP_AMD64=m
   3.706 +CONFIG_AGP_INTEL=m
   3.707  CONFIG_DRM=m
   3.708  CONFIG_DRM_TDFX=m
   3.709  CONFIG_DRM_R128=m
   3.710  CONFIG_DRM_RADEON=m
   3.711 +CONFIG_DRM_I810=m
   3.712 +# CONFIG_DRM_I830 is not set
   3.713 +CONFIG_DRM_I915=m
   3.714  CONFIG_DRM_MGA=m
   3.715 +# CONFIG_DRM_SIS is not set
   3.716  CONFIG_DRM_VIA=m
   3.717  CONFIG_DRM_SAVAGE=m
   3.718  
   3.719 @@ -1691,7 +1764,11 @@ CONFIG_HANGCHECK_TIMER=m
   3.720  #
   3.721  # TPM devices
   3.722  #
   3.723 -# CONFIG_TCG_TPM is not set
   3.724 +CONFIG_TCG_TPM=m
   3.725 +CONFIG_TCG_NSC=m
   3.726 +CONFIG_TCG_ATMEL=m
   3.727 +CONFIG_TCG_INFINEON=m
   3.728 +CONFIG_TCG_XEN=m
   3.729  CONFIG_TELCLOCK=m
   3.730  
   3.731  #
   3.732 @@ -1710,24 +1787,24 @@ CONFIG_I2C_ALGOPCA=m
   3.733  #
   3.734  # I2C Hardware Bus support
   3.735  #
   3.736 -# CONFIG_I2C_ALI1535 is not set
   3.737 -# CONFIG_I2C_ALI1563 is not set
   3.738 -# CONFIG_I2C_ALI15X3 is not set
   3.739 +CONFIG_I2C_ALI1535=m
   3.740 +CONFIG_I2C_ALI1563=m
   3.741 +CONFIG_I2C_ALI15X3=m
   3.742  CONFIG_I2C_AMD756=m
   3.743  CONFIG_I2C_AMD756_S4882=m
   3.744  CONFIG_I2C_AMD8111=m
   3.745 -# CONFIG_I2C_I801 is not set
   3.746 -# CONFIG_I2C_I810 is not set
   3.747 -# CONFIG_I2C_PIIX4 is not set
   3.748 +CONFIG_I2C_I801=m
   3.749 +CONFIG_I2C_I810=m
   3.750 +CONFIG_I2C_PIIX4=m
   3.751  CONFIG_I2C_ISA=m
   3.752  CONFIG_I2C_NFORCE2=m
   3.753 -# CONFIG_I2C_PARPORT is not set
   3.754 -# CONFIG_I2C_PARPORT_LIGHT is not set
   3.755 +CONFIG_I2C_PARPORT=m
   3.756 +CONFIG_I2C_PARPORT_LIGHT=m
   3.757  CONFIG_I2C_PROSAVAGE=m
   3.758  CONFIG_I2C_SAVAGE4=m
   3.759 -# CONFIG_SCx200_ACB is not set
   3.760 -# CONFIG_I2C_SIS5595 is not set
   3.761 -# CONFIG_I2C_SIS630 is not set
   3.762 +CONFIG_SCx200_ACB=m
   3.763 +CONFIG_I2C_SIS5595=m
   3.764 +CONFIG_I2C_SIS630=m
   3.765  CONFIG_I2C_SIS96X=m
   3.766  CONFIG_I2C_STUB=m
   3.767  CONFIG_I2C_VIA=m
   3.768 @@ -1779,7 +1856,7 @@ CONFIG_W1_DS9490_BRIDGE=m
   3.769  CONFIG_W1_THERM=m
   3.770  CONFIG_W1_SMEM=m
   3.771  CONFIG_W1_DS2433=m
   3.772 -# CONFIG_W1_DS2433_CRC is not set
   3.773 +CONFIG_W1_DS2433_CRC=y
   3.774  
   3.775  #
   3.776  # Hardware Monitoring support
   3.777 @@ -1828,7 +1905,7 @@ CONFIG_SENSORS_HDAPS=m
   3.778  #
   3.779  # Misc devices
   3.780  #
   3.781 -# CONFIG_IBM_ASM is not set
   3.782 +CONFIG_IBM_ASM=m
   3.783  
   3.784  #
   3.785  # Multimedia Capabilities Port drivers
   3.786 @@ -1848,7 +1925,7 @@ CONFIG_VIDEO_DEV=m
   3.787  #
   3.788  # CONFIG_VIDEO_ADV_DEBUG is not set
   3.789  CONFIG_VIDEO_BT848=m
   3.790 -# CONFIG_VIDEO_BT848_DVB is not set
   3.791 +CONFIG_VIDEO_BT848_DVB=y
   3.792  CONFIG_VIDEO_SAA6588=m
   3.793  CONFIG_VIDEO_BWQCAM=m
   3.794  CONFIG_VIDEO_CQCAM=m
   3.795 @@ -2021,18 +2098,20 @@ CONFIG_FB_MODE_HELPERS=y
   3.796  CONFIG_FB_TILEBLITTING=y
   3.797  CONFIG_FB_CIRRUS=m
   3.798  # CONFIG_FB_PM2 is not set
   3.799 -# CONFIG_FB_CYBER2000 is not set
   3.800 +CONFIG_FB_CYBER2000=m
   3.801  CONFIG_FB_ARC=m
   3.802  # CONFIG_FB_ASILIANT is not set
   3.803  # CONFIG_FB_IMSTT is not set
   3.804  CONFIG_FB_VGA16=m
   3.805  CONFIG_FB_VESA=y
   3.806  CONFIG_VIDEO_SELECT=y
   3.807 -# CONFIG_FB_HGA is not set
   3.808 -# CONFIG_FB_S1D13XXX is not set
   3.809 -# CONFIG_FB_NVIDIA is not set
   3.810 +CONFIG_FB_HGA=m
   3.811 +CONFIG_FB_HGA_ACCEL=y
   3.812 +CONFIG_FB_S1D13XXX=m
   3.813 +CONFIG_FB_NVIDIA=m
   3.814 +CONFIG_FB_NVIDIA_I2C=y
   3.815  CONFIG_FB_RIVA=m
   3.816 -# CONFIG_FB_RIVA_I2C is not set
   3.817 +CONFIG_FB_RIVA_I2C=y
   3.818  # CONFIG_FB_RIVA_DEBUG is not set
   3.819  CONFIG_FB_MATROX=m
   3.820  CONFIG_FB_MATROX_MILLENIUM=y
   3.821 @@ -2053,7 +2132,9 @@ CONFIG_FB_ATY_GX=y
   3.822  CONFIG_FB_SAVAGE=m
   3.823  CONFIG_FB_SAVAGE_I2C=y
   3.824  CONFIG_FB_SAVAGE_ACCEL=y
   3.825 -# CONFIG_FB_SIS is not set
   3.826 +CONFIG_FB_SIS=m
   3.827 +CONFIG_FB_SIS_300=y
   3.828 +CONFIG_FB_SIS_315=y
   3.829  CONFIG_FB_NEOMAGIC=m
   3.830  CONFIG_FB_KYRO=m
   3.831  CONFIG_FB_3DFX=m
   3.832 @@ -2061,8 +2142,9 @@ CONFIG_FB_3DFX_ACCEL=y
   3.833  CONFIG_FB_VOODOO1=m
   3.834  CONFIG_FB_TRIDENT=m
   3.835  CONFIG_FB_TRIDENT_ACCEL=y
   3.836 -# CONFIG_FB_GEODE is not set
   3.837 -# CONFIG_FB_VIRTUAL is not set
   3.838 +CONFIG_FB_GEODE=y
   3.839 +CONFIG_FB_GEODE_GX1=m
   3.840 +CONFIG_FB_VIRTUAL=m
   3.841  
   3.842  #
   3.843  # Console display driver support
   3.844 @@ -2070,7 +2152,7 @@ CONFIG_FB_TRIDENT_ACCEL=y
   3.845  CONFIG_VGA_CONSOLE=y
   3.846  CONFIG_DUMMY_CONSOLE=y
   3.847  CONFIG_FRAMEBUFFER_CONSOLE=y
   3.848 -# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
   3.849 +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
   3.850  # CONFIG_FONTS is not set
   3.851  CONFIG_FONT_8x8=y
   3.852  CONFIG_FONT_8x16=y
   3.853 @@ -2109,7 +2191,7 @@ CONFIG_SND_PCM_OSS=m
   3.854  CONFIG_SND_SEQUENCER_OSS=y
   3.855  CONFIG_SND_RTCTIMER=m
   3.856  CONFIG_SND_SEQ_RTCTIMER_DEFAULT=y
   3.857 -# CONFIG_SND_DYNAMIC_MINORS is not set
   3.858 +CONFIG_SND_DYNAMIC_MINORS=y
   3.859  CONFIG_SND_SUPPORT_OLD_API=y
   3.860  # CONFIG_SND_VERBOSE_PRINTK is not set
   3.861  # CONFIG_SND_DEBUG is not set
   3.862 @@ -2125,7 +2207,7 @@ CONFIG_SND_AC97_BUS=m
   3.863  CONFIG_SND_DUMMY=m
   3.864  CONFIG_SND_VIRMIDI=m
   3.865  CONFIG_SND_MTPAV=m
   3.866 -# CONFIG_SND_SERIAL_U16550 is not set
   3.867 +CONFIG_SND_SERIAL_U16550=m
   3.868  CONFIG_SND_MPU401=m
   3.869  
   3.870  #
   3.871 @@ -2197,7 +2279,7 @@ CONFIG_SND_USB_USX2Y=m
   3.872  #
   3.873  CONFIG_USB_ARCH_HAS_HCD=y
   3.874  CONFIG_USB_ARCH_HAS_OHCI=y
   3.875 -CONFIG_USB=y
   3.876 +CONFIG_USB=m
   3.877  # CONFIG_USB_DEBUG is not set
   3.878  
   3.879  #
   3.880 @@ -2253,7 +2335,7 @@ CONFIG_USB_STORAGE_JUMPSHOT=y
   3.881  #
   3.882  # USB Input Devices
   3.883  #
   3.884 -CONFIG_USB_HID=y
   3.885 +CONFIG_USB_HID=m
   3.886  CONFIG_USB_HIDINPUT=y
   3.887  # CONFIG_USB_HIDINPUT_POWERBOOK is not set
   3.888  CONFIG_HID_FF=y
   3.889 @@ -2261,6 +2343,12 @@ CONFIG_HID_PID=y
   3.890  CONFIG_LOGITECH_FF=y
   3.891  CONFIG_THRUSTMASTER_FF=y
   3.892  CONFIG_USB_HIDDEV=y
   3.893 +
   3.894 +#
   3.895 +# USB HID Boot Protocol drivers
   3.896 +#
   3.897 +CONFIG_USB_KBD=m
   3.898 +CONFIG_USB_MOUSE=m
   3.899  CONFIG_USB_AIPTEK=m
   3.900  CONFIG_USB_WACOM=m
   3.901  CONFIG_USB_ACECAD=m
   3.902 @@ -2317,7 +2405,7 @@ CONFIG_USB_ALI_M5632=y
   3.903  CONFIG_USB_AN2720=y
   3.904  CONFIG_USB_BELKIN=y
   3.905  CONFIG_USB_ARMLINUX=y
   3.906 -# CONFIG_USB_EPSON2888 is not set
   3.907 +CONFIG_USB_EPSON2888=y
   3.908  CONFIG_USB_NET_ZAURUS=m
   3.909  CONFIG_USB_ZD1201=m
   3.910  CONFIG_USB_MON=y
   3.911 @@ -2380,18 +2468,18 @@ CONFIG_USB_EZUSB=y
   3.912  # USB Miscellaneous drivers
   3.913  #
   3.914  CONFIG_USB_EMI62=m
   3.915 -# CONFIG_USB_EMI26 is not set
   3.916 +CONFIG_USB_EMI26=m
   3.917  CONFIG_USB_AUERSWALD=m
   3.918  CONFIG_USB_RIO500=m
   3.919  CONFIG_USB_LEGOTOWER=m
   3.920  CONFIG_USB_LCD=m
   3.921  CONFIG_USB_LED=m
   3.922 -# CONFIG_USB_CYTHERM is not set
   3.923 +CONFIG_USB_CYTHERM=m
   3.924  CONFIG_USB_PHIDGETKIT=m
   3.925  CONFIG_USB_PHIDGETSERVO=m
   3.926  CONFIG_USB_IDMOUSE=m
   3.927  CONFIG_USB_SISUSBVGA=m
   3.928 -# CONFIG_USB_SISUSBVGA_CON is not set
   3.929 +CONFIG_USB_SISUSBVGA_CON=y
   3.930  CONFIG_USB_LD=m
   3.931  CONFIG_USB_TEST=m
   3.932  
   3.933 @@ -2482,17 +2570,17 @@ CONFIG_JFS_SECURITY=y
   3.934  CONFIG_FS_POSIX_ACL=y
   3.935  CONFIG_XFS_FS=m
   3.936  CONFIG_XFS_EXPORT=y
   3.937 -# CONFIG_XFS_QUOTA is not set
   3.938 +CONFIG_XFS_QUOTA=y
   3.939  CONFIG_XFS_SECURITY=y
   3.940  CONFIG_XFS_POSIX_ACL=y
   3.941 -# CONFIG_XFS_RT is not set
   3.942 +CONFIG_XFS_RT=y
   3.943  CONFIG_OCFS2_FS=m
   3.944  CONFIG_MINIX_FS=m
   3.945  CONFIG_ROMFS_FS=m
   3.946  CONFIG_INOTIFY=y
   3.947  CONFIG_QUOTA=y
   3.948  # CONFIG_QFMT_V1 is not set
   3.949 -CONFIG_QFMT_V2=y
   3.950 +CONFIG_QFMT_V2=m
   3.951  CONFIG_QUOTACTL=y
   3.952  CONFIG_DNOTIFY=y
   3.953  CONFIG_AUTOFS_FS=m
   3.954 @@ -2516,8 +2604,10 @@ CONFIG_FAT_FS=m
   3.955  CONFIG_MSDOS_FS=m
   3.956  CONFIG_VFAT_FS=m
   3.957  CONFIG_FAT_DEFAULT_CODEPAGE=437
   3.958 -CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
   3.959 -# CONFIG_NTFS_FS is not set
   3.960 +CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
   3.961 +CONFIG_NTFS_FS=m
   3.962 +# CONFIG_NTFS_DEBUG is not set
   3.963 +# CONFIG_NTFS_RW is not set
   3.964  
   3.965  #
   3.966  # Pseudo filesystems
   3.967 @@ -2534,7 +2624,8 @@ CONFIG_CONFIGFS_FS=m
   3.968  #
   3.969  # Miscellaneous filesystems
   3.970  #
   3.971 -# CONFIG_ADFS_FS is not set
   3.972 +CONFIG_ADFS_FS=m
   3.973 +# CONFIG_ADFS_FS_RW is not set
   3.974  CONFIG_AFFS_FS=m
   3.975  CONFIG_HFS_FS=m
   3.976  CONFIG_HFSPLUS_FS=m
   3.977 @@ -2542,18 +2633,23 @@ CONFIG_BEFS_FS=m
   3.978  # CONFIG_BEFS_DEBUG is not set
   3.979  CONFIG_BFS_FS=m
   3.980  CONFIG_EFS_FS=m
   3.981 -# CONFIG_JFFS_FS is not set
   3.982 +CONFIG_JFFS_FS=m
   3.983 +CONFIG_JFFS_FS_VERBOSE=0
   3.984 +CONFIG_JFFS_PROC_FS=y
   3.985  CONFIG_JFFS2_FS=m
   3.986  CONFIG_JFFS2_FS_DEBUG=0
   3.987  CONFIG_JFFS2_FS_WRITEBUFFER=y
   3.988 -# CONFIG_JFFS2_SUMMARY is not set
   3.989 -# CONFIG_JFFS2_COMPRESSION_OPTIONS is not set
   3.990 +CONFIG_JFFS2_SUMMARY=y
   3.991 +CONFIG_JFFS2_COMPRESSION_OPTIONS=y
   3.992  CONFIG_JFFS2_ZLIB=y
   3.993  CONFIG_JFFS2_RTIME=y
   3.994  # CONFIG_JFFS2_RUBIN is not set
   3.995 -CONFIG_CRAMFS=y
   3.996 +# CONFIG_JFFS2_CMODE_NONE is not set
   3.997 +CONFIG_JFFS2_CMODE_PRIORITY=y
   3.998 +# CONFIG_JFFS2_CMODE_SIZE is not set
   3.999 +CONFIG_CRAMFS=m
  3.1000  CONFIG_VXFS_FS=m
  3.1001 -# CONFIG_HPFS_FS is not set
  3.1002 +CONFIG_HPFS_FS=m
  3.1003  CONFIG_QNX4FS_FS=m
  3.1004  CONFIG_SYSV_FS=m
  3.1005  CONFIG_UFS_FS=m
  3.1006 @@ -2563,26 +2659,30 @@ CONFIG_UFS_FS=m
  3.1007  #
  3.1008  CONFIG_NFS_FS=m
  3.1009  CONFIG_NFS_V3=y
  3.1010 -# CONFIG_NFS_V3_ACL is not set
  3.1011 +CONFIG_NFS_V3_ACL=y
  3.1012  CONFIG_NFS_V4=y
  3.1013  CONFIG_NFS_DIRECTIO=y
  3.1014  CONFIG_NFSD=m
  3.1015 +CONFIG_NFSD_V2_ACL=y
  3.1016  CONFIG_NFSD_V3=y
  3.1017 -# CONFIG_NFSD_V3_ACL is not set
  3.1018 +CONFIG_NFSD_V3_ACL=y
  3.1019  CONFIG_NFSD_V4=y
  3.1020  CONFIG_NFSD_TCP=y
  3.1021  CONFIG_LOCKD=m
  3.1022  CONFIG_LOCKD_V4=y
  3.1023  CONFIG_EXPORTFS=m
  3.1024 +CONFIG_NFS_ACL_SUPPORT=m
  3.1025  CONFIG_NFS_COMMON=y
  3.1026  CONFIG_SUNRPC=m
  3.1027  CONFIG_SUNRPC_GSS=m
  3.1028  CONFIG_RPCSEC_GSS_KRB5=m
  3.1029  CONFIG_RPCSEC_GSS_SPKM3=m
  3.1030  CONFIG_SMB_FS=m
  3.1031 -# CONFIG_SMB_NLS_DEFAULT is not set
  3.1032 +CONFIG_SMB_NLS_DEFAULT=y
  3.1033 +CONFIG_SMB_NLS_REMOTE="cp850"
  3.1034  CONFIG_CIFS=m
  3.1035 -# CONFIG_CIFS_STATS is not set
  3.1036 +CONFIG_CIFS_STATS=y
  3.1037 +# CONFIG_CIFS_STATS2 is not set
  3.1038  CONFIG_CIFS_XATTR=y
  3.1039  CONFIG_CIFS_POSIX=y
  3.1040  # CONFIG_CIFS_EXPERIMENTAL is not set
  3.1041 @@ -2595,8 +2695,10 @@ CONFIG_NCPFS_OS2_NS=y
  3.1042  CONFIG_NCPFS_SMALLDOS=y
  3.1043  CONFIG_NCPFS_NLS=y
  3.1044  CONFIG_NCPFS_EXTRAS=y
  3.1045 -# CONFIG_CODA_FS is not set
  3.1046 -# CONFIG_AFS_FS is not set
  3.1047 +CONFIG_CODA_FS=m
  3.1048 +# CONFIG_CODA_FS_OLD_API is not set
  3.1049 +CONFIG_AFS_FS=m
  3.1050 +CONFIG_RXRPC=m
  3.1051  CONFIG_9P_FS=m
  3.1052  
  3.1053  #
  3.1054 @@ -2625,7 +2727,7 @@ CONFIG_EFI_PARTITION=y
  3.1055  #
  3.1056  CONFIG_NLS=y
  3.1057  CONFIG_NLS_DEFAULT="utf8"
  3.1058 -CONFIG_NLS_CODEPAGE_437=y
  3.1059 +CONFIG_NLS_CODEPAGE_437=m
  3.1060  CONFIG_NLS_CODEPAGE_737=m
  3.1061  CONFIG_NLS_CODEPAGE_775=m
  3.1062  CONFIG_NLS_CODEPAGE_850=m
  3.1063 @@ -2648,7 +2750,7 @@ CONFIG_NLS_CODEPAGE_874=m
  3.1064  CONFIG_NLS_ISO8859_8=m
  3.1065  CONFIG_NLS_CODEPAGE_1250=m
  3.1066  CONFIG_NLS_CODEPAGE_1251=m
  3.1067 -CONFIG_NLS_ASCII=y
  3.1068 +CONFIG_NLS_ASCII=m
  3.1069  CONFIG_NLS_ISO8859_1=m
  3.1070  CONFIG_NLS_ISO8859_2=m
  3.1071  CONFIG_NLS_ISO8859_3=m
  3.1072 @@ -2699,10 +2801,11 @@ CONFIG_KEYS=y
  3.1073  CONFIG_KEYS_DEBUG_PROC_KEYS=y
  3.1074  CONFIG_SECURITY=y
  3.1075  CONFIG_SECURITY_NETWORK=y
  3.1076 -CONFIG_SECURITY_NETWORK_XFRM=y
  3.1077 +# CONFIG_SECURITY_NETWORK_XFRM is not set
  3.1078  CONFIG_SECURITY_CAPABILITIES=y
  3.1079 -# CONFIG_SECURITY_ROOTPLUG is not set
  3.1080 -# CONFIG_SECURITY_SECLVL is not set
  3.1081 +CONFIG_SECURITY_ROOTPLUG=m
  3.1082 +CONFIG_SECURITY_SECLVL=m
  3.1083 +# CONFIG_SECURITY_SELINUX is not set
  3.1084  
  3.1085  #
  3.1086  # Cryptographic options
  3.1087 @@ -2712,7 +2815,7 @@ CONFIG_CRYPTO_HMAC=y
  3.1088  CONFIG_CRYPTO_NULL=m
  3.1089  CONFIG_CRYPTO_MD4=m
  3.1090  CONFIG_CRYPTO_MD5=y
  3.1091 -CONFIG_CRYPTO_SHA1=y
  3.1092 +CONFIG_CRYPTO_SHA1=m
  3.1093  CONFIG_CRYPTO_SHA256=m
  3.1094  CONFIG_CRYPTO_SHA512=m
  3.1095  CONFIG_CRYPTO_WP512=m
  3.1096 @@ -2732,7 +2835,7 @@ CONFIG_CRYPTO_ANUBIS=m
  3.1097  CONFIG_CRYPTO_DEFLATE=m
  3.1098  CONFIG_CRYPTO_MICHAEL_MIC=m
  3.1099  CONFIG_CRYPTO_CRC32C=m
  3.1100 -# CONFIG_CRYPTO_TEST is not set
  3.1101 +CONFIG_CRYPTO_TEST=m
  3.1102  
  3.1103  #
  3.1104  # Hardware crypto devices
  3.1105 @@ -2746,7 +2849,7 @@ CONFIG_XEN_INTERFACE_VERSION=0x00030101
  3.1106  CONFIG_XEN_PRIVILEGED_GUEST=y
  3.1107  # CONFIG_XEN_UNPRIVILEGED_GUEST is not set
  3.1108  CONFIG_XEN_BACKEND=y
  3.1109 -CONFIG_XEN_PCIDEV_BACKEND=y
  3.1110 +CONFIG_XEN_PCIDEV_BACKEND=m
  3.1111  # CONFIG_XEN_PCIDEV_BACKEND_VPCI is not set
  3.1112  CONFIG_XEN_PCIDEV_BACKEND_PASS=y
  3.1113  # CONFIG_XEN_PCIDEV_BE_DEBUG is not set
  3.1114 @@ -2755,14 +2858,15 @@ CONFIG_XEN_BLKDEV_BACKEND=y
  3.1115  CONFIG_XEN_NETDEV_BACKEND=y
  3.1116  # CONFIG_XEN_NETDEV_PIPELINED_TRANSMITTER is not set
  3.1117  CONFIG_XEN_NETDEV_LOOPBACK=y
  3.1118 -# CONFIG_XEN_TPMDEV_BACKEND is not set
  3.1119 +CONFIG_XEN_TPMDEV_BACKEND=m
  3.1120 +# CONFIG_XEN_TPMDEV_CLOSE_IF_VTPM_FAILS is not set
  3.1121  CONFIG_XEN_BLKDEV_FRONTEND=y
  3.1122  CONFIG_XEN_NETDEV_FRONTEND=y
  3.1123  # CONFIG_XEN_BLKDEV_TAP is not set
  3.1124 -# CONFIG_XEN_TPMDEV_FRONTEND is not set
  3.1125 +CONFIG_XEN_TPMDEV_FRONTEND=m
  3.1126  CONFIG_XEN_SCRUB_PAGES=y
  3.1127  CONFIG_XEN_DISABLE_SERIAL=y
  3.1128 -CONFIG_XEN_SYSFS=m
  3.1129 +CONFIG_XEN_SYSFS=y
  3.1130  CONFIG_HAVE_ARCH_ALLOC_SKB=y
  3.1131  CONFIG_HAVE_ARCH_DEV_ALLOC_SKB=y
  3.1132  CONFIG_NO_IDLE_HZ=y
  3.1133 @@ -2776,6 +2880,8 @@ CONFIG_CRC32=y
  3.1134  CONFIG_LIBCRC32C=m
  3.1135  CONFIG_ZLIB_INFLATE=y
  3.1136  CONFIG_ZLIB_DEFLATE=m
  3.1137 +CONFIG_REED_SOLOMON=m
  3.1138 +CONFIG_REED_SOLOMON_DEC16=y
  3.1139  CONFIG_TEXTSEARCH=y
  3.1140  CONFIG_TEXTSEARCH_KMP=m
  3.1141  CONFIG_TEXTSEARCH_BM=m
     4.1 --- a/docs/man/xend-config.sxp.pod.5	Tue Apr 25 22:55:22 2006 -0600
     4.2 +++ b/docs/man/xend-config.sxp.pod.5	Tue Apr 25 23:35:55 2006 -0600
     4.3 @@ -109,6 +109,12 @@ If the value is 0, all available CPUs wi
     4.4  A boolean value that tells xend whether or not core dumps of guest
     4.5  domains should be saved when a crash occurrs.  Defaults to I<no>.
     4.6  
     4.7 +=item I<external-migration-tool>
     4.8 +
     4.9 +The name of an application or script that can handle external device
    4.10 +migration, such as for example virtual TPM migration. An example
    4.11 +script is I</etc/xen/scripts/external-device-migrate>.
    4.12 +
    4.13  =back
    4.14  
    4.15  =head1 EXAMPLES
     5.1 --- a/docs/man/xm.pod.1	Tue Apr 25 22:55:22 2006 -0600
     5.2 +++ b/docs/man/xm.pod.1	Tue Apr 25 23:35:55 2006 -0600
     5.3 @@ -136,7 +136,7 @@ Displays the short help message (i.e. co
     5.4  The I<--long> option prints out the complete set of B<xm> subcommands,
     5.5  grouped by function.
     5.6  
     5.7 -=item B<list> I<[--long]> I<[domain-id, ...]>
     5.8 +=item B<list> I<[--long | --label]> I<[domain-id, ...]>
     5.9  
    5.10  Prints information about one or more domains.  If no domains are
    5.11  specified it prints out information about all domains.
    5.12 @@ -213,6 +213,18 @@ Use at your own risk.
    5.13  
    5.14  =back
    5.15  
    5.16 +B<LABEL OUTPUT>
    5.17 +
    5.18 +=over 4
    5.19 +
    5.20 +If I<--label> is specified, the security labels are added to the
    5.21 +output of xm list and the lines are sorted by the labels (ignoring
    5.22 +case). The I<--long> option prints the labels by default and cannot be
    5.23 +combined with I<--label>. See the ACCESS CONTROL SUBCOMMAND section of
    5.24 +this man page for more information about labels.
    5.25 +
    5.26 +==back
    5.27 +
    5.28  B<NOTES>
    5.29  
    5.30  =over 4
    5.31 @@ -775,6 +787,262 @@ Delete a vnet.
    5.32  
    5.33  =back
    5.34  
    5.35 +=head1 ACCESS CONTROL SUBCOMMANDS
    5.36 +
    5.37 +Access Control in Xen consists of two components: (i) The Access
    5.38 +Control Policy (ACP) defines security labels and access rules based on
    5.39 +these labels. (ii) The Access Control Module (ACM) makes access control
    5.40 +decisions by interpreting the policy when domains require to
    5.41 +communicate or to access resources. The Xen access control has
    5.42 +sufficient mechanisms in place to enforce the access decisions even
    5.43 +against maliciously acting user domains (mandatory access control).
    5.44 +
    5.45 +Access rights for domains in Xen are determined by the domain security
    5.46 +label only and not based on the domain Name or ID. The ACP specifies
    5.47 +security labels that can then be assigned to domains and
    5.48 +resources. Every domain must be assigned exactly one security label,
    5.49 +otherwise access control decisions could become indeterministic. ACPs
    5.50 +are distinguished by their name, which is a parameter to most of the
    5.51 +subcommands described below. Currently, the ACP specifies two ways to
    5.52 +interpret labels:
    5.53 +
    5.54 +(1) Simple Type Enforcement: Labels are interpreted to decide access
    5.55 +of domains to comunication means and virtual or physical
    5.56 +resources. Communication between domains as well as access to
    5.57 +resources are forbidden by default and can only take place if they are
    5.58 +explicitly allowed by the security policy. The proper assignment of
    5.59 +labels to domains controls the sharing of information (directly
    5.60 +through communication or indirectly through shared resources) between
    5.61 +domains. This interpretation allows to control the overt (intended)
    5.62 +communication channels in Xen.
    5.63 +
    5.64 +(2) Chinese Wall: Labels are interpreted to decide which domains can
    5.65 +co-exist (be run simultaneously) on the same system. This
    5.66 +interpretation allows to prevent direct covert (unintended) channels
    5.67 +and mitigates risks caused by imperfect core domain isolation
    5.68 +(trade-off between security and other system requirements). For a
    5.69 +short introduction to covert channels, please refer to
    5.70 +http://www.multicians.org/timing-chn.html.
    5.71 +
    5.72 +The following subcommands help you to manage security policies in Xen
    5.73 +and to assign security labels to domains. To enable access control
    5.74 +security in Xen, you must compile Xen with ACM support enabled as
    5.75 +described under "Configuring Security" below. There, you will find
    5.76 +also examples of each subcommand described here.
    5.77 +
    5.78 +=item B<makepolicy> I<policy>
    5.79 +
    5.80 +Compiles the XML source representation of the security I<policy>. It
    5.81 +creates a mapping (.map) as well as a binary (.bin) version of the
    5.82 +policy. The compiled policy can be loaded into Xen with the
    5.83 +B<loadpolicy> subcommand or can be configured to be loaded at boot
    5.84 +time with the B<cfgbootpolicy> subcommand.
    5.85 +
    5.86 +=over 4
    5.87 +
    5.88 +I<policy> is a dot-separated list of names. The last part is the file
    5.89 +name pre-fix for the policy xml file. The preceding name parts are
    5.90 +translated into the local path pointing to the policy xml file
    5.91 +relative to the global policy root directory
    5.92 +(/etc/xen/acm-security/policies). For example,
    5.93 +example.chwall_ste.client_v1 denotes the policy file
    5.94 +example/chwall_ste/client_v1-security_policy.xml relative to the
    5.95 +global policy root directory.
    5.96 +
    5.97 +=back
    5.98 +
    5.99 +=item B<loadpolicy> I<policy>
   5.100 +
   5.101 +Loads the binary representation of the I<policy> into Xen. The binary
   5.102 +representation can be created with the B<makepolicy> subcommand.
   5.103 +
   5.104 +=item B<cfgbootpolicy> I<policy> [I<kernelversion>]
   5.105 +
   5.106 +Configures I<policy> as the boot policy for Xen. It copies the binary
   5.107 +policy representation into the /boot directory and adds a module line
   5.108 +specifying the binary policy to the /boot/grub/menu.lst file. If your
   5.109 +boot configuration includes multiple Xen boot titles, then use the
   5.110 +I<kernelversion> parameter to select the proper title.
   5.111 +
   5.112 +=item B<dumppolicy>
   5.113 +
   5.114 +Prints the current security policy state information of Xen.
   5.115 +
   5.116 +=item B<labels> [I<policy>] [I<type>=dom|res|any]
   5.117 +
   5.118 +Lists all labels of a I<type> (domain, resource, or both) that are
   5.119 +defined in the I<policy>. Unless specified, the default I<policy> is
   5.120 +the currently enforced access control policy. The default for I<type>
   5.121 +is 'dom'. The labels are arranged in alphabetical order.
   5.122 +
   5.123 +=item B<addlabel> I<configfile> I<label> [I<policy>]
   5.124 +
   5.125 +Adds the security label with name I<label> to a domain
   5.126 +I<configfile>. Unless specified, the default I<policy> is the
   5.127 +currently enforced access control policy. This subcommand also
   5.128 +verifies that the I<policy> definition supports the specified I<label>
   5.129 +name.
   5.130 +
   5.131 +B<CONFIGURING SECURITY>
   5.132 +
   5.133 +=over 4
   5.134 +
   5.135 +In xen_source_dir/Config.mk set the following parameters:
   5.136 +
   5.137 +    ACM_SECURITY ?= y
   5.138 +    ACM_DEFAULT_SECURITY_POLICY ?= \
   5.139 +        ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   5.140 +
   5.141 +Then recompile and install xen and the security tools and then reboot:
   5.142 +
   5.143 +    cd xen_source_dir/xen; make clean; make; cp xen.gz /boot;
   5.144 +    cd xen_source_dir/tools/security; make install;
   5.145 +    reboot into xen
   5.146 +
   5.147 +=back
   5.148 +
   5.149 +B<COMPILING A SECURITY POLICY>
   5.150 +
   5.151 +=over 4
   5.152 +
   5.153 +This step creates client_v1.map and client_v1.bin files in
   5.154 +/etc/xen/acm-security/policies/example/chwall_ste.
   5.155 +
   5.156 +    xm makepolicy example.chwall_ste.client_v1
   5.157 +
   5.158 +=back
   5.159 +
   5.160 +B<LOADING A SECURITY POLICY>
   5.161 +
   5.162 +=over 4
   5.163 +
   5.164 +This step activates client_v1.bin as new security policy in Xen. You
   5.165 +can use the dumppolicy subcommand before and afterwards to see the
   5.166 +change in the Xen policy state.
   5.167 +
   5.168 +    xm loadpolicy example.chwall_ste.client_v1
   5.169 +
   5.170 +=back
   5.171 +
   5.172 +B<CONFIGURING A BOOT SECURITY POLICY>
   5.173 +
   5.174 +=over 4
   5.175 +
   5.176 +This configures the boot loader to load client_v1.bin at boot
   5.177 +time. During system start, the ACM configures Xen with this policy and
   5.178 +Xen enforces this policy from then on.
   5.179 +
   5.180 +    xm cfgbootpolicy example.chwall_ste.client_v1
   5.181 +
   5.182 +=back
   5.183 +
   5.184 +B<LISTING SECURITY LABELS>
   5.185 +
   5.186 +=over 4
   5.187 +
   5.188 +This subcommand shows all labels that are defined and which can be
   5.189 +attached to domains.
   5.190 +
   5.191 +    xm labels example.chwall_ste.client_v1 type=dom
   5.192 +
   5.193 +will print for our example policy:
   5.194 +
   5.195 +        dom_BoincClient
   5.196 +        dom_Fun
   5.197 +        dom_HomeBanking
   5.198 +        dom_NetworkDomain
   5.199 +        dom_StorageDomain
   5.200 +        dom_SystemManagement
   5.201 +
   5.202 +=back
   5.203 +
   5.204 +B<ATTACHING A SECURITY LABEL TO A DOMAIN>
   5.205 +
   5.206 +=over 4
   5.207 +
   5.208 +This subcommand attaches a security label to a domain configuration
   5.209 +file, here a HomeBanking label. The example policy ensures that this
   5.210 +domain does not share information with other non-hombanking user
   5.211 +domains (i.e., domains labeled as dom_Fun or dom_Boinc) and that it
   5.212 +will not run simultaneously with domains labeled as dom_Fun.
   5.213 +
   5.214 +We assume that the specified myconfig.xm configuration file actually
   5.215 +instantiates a domain that runs workloads related to home-banking,
   5.216 +probably just a browser environment for online-banking.
   5.217 +
   5.218 +    xm addlabel myconfig.xm dom_HomeBanking
   5.219 +
   5.220 +The very simple configuration file might now look as printed
   5.221 +below. The I<addlabel> subcommand added the B<access_control> entry at
   5.222 +the end of the file, consisting of a label name and the policy that
   5.223 +specifies this label name:
   5.224 +
   5.225 +    kernel = "/boot/vmlinuz-2.6.16-xen"
   5.226 +    ramdisk="/boot/U1_home_banking_ramdisk.img"
   5.227 +    memory = 164
   5.228 +    name = "homebanking"
   5.229 +    vif = [ '' ]
   5.230 +    dhcp = "dhcp"
   5.231 +    access_control = ['policy=example.chwall_ste.client_v1,
   5.232 +                       label=dom_HomeBanking']
   5.233 +
   5.234 +Security labels must be assigned to domain configurations because
   5.235 +these labels are essential for making access control decisions as
   5.236 +early as during the configuration phase of a newly instantiated
   5.237 +domain. Consequently, a security-enabled Xen hypervisor will only
   5.238 +start domains that have a security label configured and whose security
   5.239 +label is consistent with the currently enforced policy. Otherwise,
   5.240 +starting the domain will fail with the error condition "operation not
   5.241 +permitted".
   5.242 +
   5.243 +=back
   5.244 +
   5.245 +B<STARTING AND LISTING LABELED DOMAINS>
   5.246 +
   5.247 +=over 4
   5.248 +
   5.249 +    xm create myconfig.xm
   5.250 +
   5.251 +    xm list --label
   5.252 +
   5.253 +      Name         ID ...  Time(s)  Label
   5.254 +      homebanking  23 ...      4.4  dom_HomeBanking
   5.255 +      Domain-0      0 ...   2658.8  dom_SystemManagement
   5.256 +
   5.257 +=back
   5.258 +
   5.259 +B<POLICY REPRESENTATIONS>
   5.260 +
   5.261 +=over 4
   5.262 +
   5.263 +We distinguish three representations of the Xen access control policy:
   5.264 +the I<source XML> version, its I<binary> counterpart, and a I<mapping>
   5.265 +representation that enables the tools to deterministically translate
   5.266 +back and forth between label names of the XML policy and label
   5.267 +identifiers of the binary policy. All three versions must be kept
   5.268 +consistent to achieve predictable security guarantees.
   5.269 +
   5.270 +The XML version is the version that users are supposed to create or
   5.271 +change, either by manually editing the XML file or by using the Xen
   5.272 +policy generation tool (B<xensec_gen>). After changing the XML file,
   5.273 +run the B<makepolicy> subcommand to ensure that these changes are
   5.274 +reflected in the other versions. Use, for example, the subcommand
   5.275 +B<cfgbootpolicy> to activate the changes during the next system
   5.276 +reboot.
   5.277 +
   5.278 +The binary version of the policy is derived from the XML policy by
   5.279 +tokenizing the specified labels and is used inside Xen only. It is
   5.280 +created with the B<makepolicy> subcommand. Essentially, the binary
   5.281 +version is much more compact than the XML version and is easier to
   5.282 +evaluate during access control decisions.
   5.283 +
   5.284 +The mapping version of the policy is created during the XML-to-binary
   5.285 +policy translation (B<makepolicy>) and is used by the Xen management
   5.286 +tools to translate between label names used as input to the tools and
   5.287 +their binary identifiers (ssidrefs) used inside Xen.
   5.288 +
   5.289 +=back
   5.290 +
   5.291  =head1 EXAMPLES
   5.292  
   5.293  =head1 SEE ALSO
   5.294 @@ -791,5 +1059,6 @@ Operating Systems Review, pages 261-267
   5.295  
   5.296    Sean Dague <sean at dague dot net>
   5.297    Daniel Stekloff <dsteklof at us dot ibm dot com>
   5.298 +  Reiner Sailer <sailer at us dot ibm dot com>
   5.299  
   5.300  =head1 BUGS
     6.1 --- a/docs/misc/vtpm.txt	Tue Apr 25 22:55:22 2006 -0600
     6.2 +++ b/docs/misc/vtpm.txt	Tue Apr 25 23:35:55 2006 -0600
     6.3 @@ -17,13 +17,8 @@ Development Prerequisites: An emulator f
     6.4  Compiling XEN tree:
     6.5  -------------------
     6.6  
     6.7 -Compile the XEN tree as usual.
     6.8 -
     6.9 -make uninstall; make mrproper; make install 
    6.10 -
    6.11 -After compiling the tree, verify that in the linux-2.6.XX-xen0/.config 
    6.12 -file at least the following entries are set as below (they should be set
    6.13 -by default):
    6.14 +Compile the XEN tree as usual after the following lines set in the
    6.15 +linux-2.6.??-xen/.config file:
    6.16  
    6.17  CONFIG_XEN_TPMDEV_BACKEND=y
    6.18  CONFIG_XEN_TPMDEV_GRANT=y
    6.19 @@ -32,18 +27,20 @@ CONFIG_TCG_TPM=m
    6.20  CONFIG_TCG_NSC=m
    6.21  CONFIG_TCG_ATMEL=m
    6.22  
    6.23 +You must also enable the virtual TPM to be built:
    6.24  
    6.25 -Verify that in the linux-2.6.XX-xenU/.config file at least the 
    6.26 -Following entries are set as below (they should be set by default):
    6.27 +In Config.mk in the Xen root directory set the line
    6.28  
    6.29 -CONFIG_XEN_TPMDEV_FRONTEND=y
    6.30 -CONFIG_XEN_TPMDEV_GRANT=y
    6.31 +VTPM_TOOLS ?= y
    6.32  
    6.33 -CONFIG_TCG_TPM=y
    6.34 -CONFIG_TCG_XEN=y
    6.35 +Now build the Xen sources from Xen's root directory:
    6.36 +
    6.37 +make install
    6.38  
    6.39  
    6.40 -Reboot the machine with the created XEN-0 kernel.
    6.41 +Also build the initial RAM disk if necessary.
    6.42 +
    6.43 +Reboot the machine with the created Xen kernel.
    6.44  
    6.45  Note: If you do not want any TPM-related code compiled into your
    6.46  kernel or built as module then comment all the above lines like
     7.1 --- a/docs/src/user.tex	Tue Apr 25 22:55:22 2006 -0600
     7.2 +++ b/docs/src/user.tex	Tue Apr 25 23:35:55 2006 -0600
     7.3 @@ -1983,8 +1983,7 @@ editing \path{grub.conf}.
     7.4    kilobytes. In previous versions of Xen, suffixes were not supported
     7.5    and the value is always interpreted as kilobytes.
     7.6  \item [ tbuf\_size=xxx ] Set the size of the per-cpu trace buffers, in
     7.7 -  pages (default 1).  Note that the trace buffers are only enabled in
     7.8 -  debug builds.  Most users can ignore this feature completely.
     7.9 +  pages (default 0).  
    7.10  \item [ sched=xxx ] Select the CPU scheduler Xen should use.  The
    7.11    current possibilities are `sedf' (default) and `bvt'.
    7.12  \item [ apic\_verbosity=debug,verbose ] Print more detailed
     8.1 --- a/linux-2.6-xen-sparse/arch/i386/Kconfig	Tue Apr 25 22:55:22 2006 -0600
     8.2 +++ b/linux-2.6-xen-sparse/arch/i386/Kconfig	Tue Apr 25 23:35:55 2006 -0600
     8.3 @@ -1180,11 +1180,6 @@ config X86_NO_TSS
     8.4  	depends on X86_XEN
     8.5  	default y
     8.6  
     8.7 -config X86_SYSENTER
     8.8 -	bool
     8.9 -	depends on !X86_NO_TSS
    8.10 -	default y
    8.11 -
    8.12  config X86_NO_IDT
    8.13  	bool
    8.14  	depends on X86_XEN
     9.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/Makefile	Tue Apr 25 22:55:22 2006 -0600
     9.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/Makefile	Tue Apr 25 23:35:55 2006 -0600
     9.3 @@ -49,14 +49,12 @@ else
     9.4  vsyscall_note := vsyscall-note.o
     9.5  endif
     9.6  
     9.7 -VSYSCALL_TYPES-y			:= int80
     9.8 -VSYSCALL_TYPES-$(CONFIG_X86_SYSENTER)	+= sysenter
     9.9  # vsyscall.o contains the vsyscall DSO images as __initdata.
    9.10  # We must build both images before we can assemble it.
    9.11  # Note: kbuild does not track this dependency due to usage of .incbin
    9.12 -$(obj)/vsyscall.o: $(foreach F,$(VSYSCALL_TYPES-y),$(obj)/vsyscall-$F.so)
    9.13 -targets += $(foreach F,$(VSYSCALL_TYPES-y),vsyscall-$F.o vsyscall-$F.so)
    9.14 -targets += $(vsyscall_note) vsyscall.lds
    9.15 +$(obj)/vsyscall.o: $(obj)/vsyscall-int80.so $(obj)/vsyscall-sysenter.so
    9.16 +targets += $(foreach F,int80 sysenter,vsyscall-$F.o vsyscall-$F.so)
    9.17 +targets += vsyscall-note.o vsyscall.lds
    9.18  
    9.19  # The DSO images are built using a special linker script.
    9.20  quiet_cmd_syscall = SYSCALL $@
    9.21 @@ -83,8 +81,7 @@ extra-y += vsyscall-syms.o
    9.22  
    9.23  SYSCFLAGS_vsyscall-syms.o = -r
    9.24  $(obj)/vsyscall-syms.o: $(src)/vsyscall.lds \
    9.25 -			$(foreach F,$(VSYSCALL_TYPES-y),$(obj)/vsyscall-$F.o) \
    9.26 -			$(obj)/$(vsyscall_note) FORCE
    9.27 +			$(obj)/vsyscall-sysenter.o $(obj)/$(vsyscall_note) FORCE
    9.28  	$(call if_changed,syscall)
    9.29  
    9.30  ifdef CONFIG_XEN
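Review bot: The new `targets += vsyscall-note.o vsyscall.lds` line hardcodes the note object, while the vsyscall-syms.o rule in the second hunk (and the `vsyscall_note := vsyscall-note.o` assignment just above the first hunk) still go through `$(vsyscall_note)`; if the other branch of that conditional selects a different object, kbuild will not list it in `targets` and the if_changed tracking the removed line provided is lost. Keeping the variable, `targets += $(vsyscall_note) vsyscall.lds`, preserves that behaviour with no other change. The `ifdef`/`else` that sets vsyscall_note begins before this hunk, so I cannot see what the other branch assigns.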
    10.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/asm-offsets.c	Tue Apr 25 22:55:22 2006 -0600
    10.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/asm-offsets.c	Tue Apr 25 23:35:55 2006 -0600
    10.3 @@ -64,10 +64,13 @@ void foo(void)
    10.4  	OFFSET(pbe_orig_address, pbe, orig_address);
    10.5  	OFFSET(pbe_next, pbe, next);
    10.6  
    10.7 -#ifdef CONFIG_X86_SYSENTER
    10.8 +#ifndef CONFIG_X86_NO_TSS
    10.9  	/* Offset from the sysenter stack to tss.esp0 */
   10.10 -	DEFINE(TSS_sysenter_esp0, offsetof(struct tss_struct, esp0) -
   10.11 +	DEFINE(SYSENTER_stack_esp0, offsetof(struct tss_struct, esp0) -
   10.12  		 sizeof(struct tss_struct));
   10.13 +#else
   10.14 +	/* sysenter stack points directly to esp0 */
   10.15 +	DEFINE(SYSENTER_stack_esp0, 0);
   10.16  #endif
   10.17  
   10.18  	DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
    11.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/entry-xen.S	Tue Apr 25 22:55:22 2006 -0600
    11.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/entry-xen.S	Tue Apr 25 23:35:55 2006 -0600
    11.3 @@ -202,13 +202,12 @@ need_resched:
    11.4  	jmp need_resched
    11.5  #endif
    11.6  
    11.7 -#ifdef CONFIG_X86_SYSENTER
    11.8  /* SYSENTER_RETURN points to after the "sysenter" instruction in
    11.9     the vsyscall page.  See vsyscall-sysentry.S, which defines the symbol.  */
   11.10  
   11.11  	# sysenter call handler stub
   11.12  ENTRY(sysenter_entry)
   11.13 -	movl TSS_sysenter_esp0(%esp),%esp
   11.14 +	movl SYSENTER_stack_esp0(%esp),%esp
   11.15  sysenter_past_esp:
   11.16  	sti
   11.17  	pushl $(__USER_DS)
   11.18 @@ -240,7 +239,7 @@ 1:	movl (%ebp),%ebp
   11.19  	jae syscall_badsys
   11.20  	call *sys_call_table(,%eax,4)
   11.21  	movl %eax,EAX(%esp)
   11.22 -	cli
   11.23 +	DISABLE_INTERRUPTS
   11.24  	movl TI_flags(%ebp), %ecx
   11.25  	testw $_TIF_ALLWORK_MASK, %cx
   11.26  	jne syscall_exit_work
   11.27 @@ -248,9 +247,23 @@ 1:	movl (%ebp),%ebp
   11.28  	movl EIP(%esp), %edx
   11.29  	movl OLDESP(%esp), %ecx
   11.30  	xorl %ebp,%ebp
   11.31 +#ifdef CONFIG_XEN
   11.32 +	__ENABLE_INTERRUPTS
   11.33 +sysexit_scrit:	/**** START OF SYSEXIT CRITICAL REGION ****/
   11.34 +	__TEST_PENDING
   11.35 +	jnz  14f			# process more events if necessary...
   11.36 +	movl ESI(%esp), %esi
   11.37 +	sysexit
   11.38 +14:	__DISABLE_INTERRUPTS
   11.39 +sysexit_ecrit:	/**** END OF SYSEXIT CRITICAL REGION ****/
   11.40 +	push %esp
   11.41 +	call evtchn_do_upcall
   11.42 +	add  $4,%esp
   11.43 +	jmp  ret_from_intr
   11.44 +#else
   11.45  	sti
   11.46  	sysexit
   11.47 -#endif /* CONFIG_X86_SYSENTER */
   11.48 +#endif /* !CONFIG_XEN */
   11.49  
   11.50  
   11.51  	# system call handler stub
   11.52 @@ -532,6 +545,11 @@ error_code:
   11.53  # So, on entry to the handler we detect whether we interrupted an
   11.54  # existing activation in its critical region -- if so, we pop the current
   11.55  # activation and restart the handler using the previous one.
   11.56 +#
   11.57 +# The sysexit critical region is slightly different. sysexit
   11.58 +# atomically removes the entire stack frame. If we interrupt in the
   11.59 +# critical region we know that the entire frame is present and correct
   11.60 +# so we can simply throw away the new one.
   11.61  ENTRY(hypervisor_callback)
   11.62  	pushl %eax
   11.63  	SAVE_ALL
   11.64 @@ -540,6 +558,11 @@ ENTRY(hypervisor_callback)
   11.65  	jb   11f
   11.66  	cmpl $ecrit,%eax
   11.67  	jb   critical_region_fixup
   11.68 +	cmpl $sysexit_scrit,%eax
   11.69 +	jb   11f
   11.70 +	cmpl $sysexit_ecrit,%eax
   11.71 +	ja   11f
   11.72 +	addl $0x34,%esp			# Remove cs...ebx from stack frame.
   11.73  11:	push %esp
   11.74  	call evtchn_do_upcall
   11.75  	add  $4,%esp
   11.76 @@ -683,13 +706,13 @@ device_available_emulate:
   11.77  	call math_state_restore
   11.78  	jmp ret_from_exception
   11.79  
   11.80 -#ifdef CONFIG_X86_SYSENTER
   11.81 +#ifndef CONFIG_XEN
   11.82  /*
   11.83   * Debug traps and NMI can happen at the one SYSENTER instruction
   11.84   * that sets up the real kernel stack. Check here, since we can't
   11.85   * allow the wrong stack to be used.
   11.86   *
   11.87 - * "TSS_sysenter_esp0+12" is because the NMI/debug handler will have
   11.88 + * "SYSENTER_stack_esp0+12" is because the NMI/debug handler will have
   11.89   * already pushed 3 words if it hits on the sysenter instruction:
   11.90   * eflags, cs and eip.
   11.91   *
   11.92 @@ -701,19 +724,19 @@ device_available_emulate:
   11.93  	cmpw $__KERNEL_CS,4(%esp);		\
   11.94  	jne ok;					\
   11.95  label:						\
   11.96 -	movl TSS_sysenter_esp0+offset(%esp),%esp;	\
   11.97 +	movl SYSENTER_stack_esp0+offset(%esp),%esp;	\
   11.98  	pushfl;					\
   11.99  	pushl $__KERNEL_CS;			\
  11.100  	pushl $sysenter_past_esp
  11.101 -#endif /* CONFIG_X86_SYSENTER */
  11.102 +#endif /* CONFIG_XEN */
  11.103  
  11.104  KPROBE_ENTRY(debug)
  11.105 -#ifdef CONFIG_X86_SYSENTER
  11.106 +#ifndef CONFIG_XEN
  11.107  	cmpl $sysenter_entry,(%esp)
  11.108  	jne debug_stack_correct
  11.109  	FIX_STACK(12, debug_stack_correct, debug_esp_fix_insn)
  11.110  debug_stack_correct:
  11.111 -#endif /* !CONFIG_X86_SYSENTER */
  11.112 +#endif /* !CONFIG_XEN */
  11.113  	pushl $-1			# mark this as an int
  11.114  	SAVE_ALL
  11.115  	xorl %edx,%edx			# error code 0
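Review bot: `addl $0x34,%esp` in hypervisor_callback (the `@@ -540,6 +558,11 @@` hunk) encodes the size of the frame laid down by the `pushl %eax` plus SAVE_ALL as a magic number, and its comment `Remove cs...ebx` names fewer words than 13 words discard — if I read the frame right, eflags is dropped too. This file already spells that offset symbolically as OLDESP (`movl OLDESP(%esp), %ecx` in the sysexit hunk), so `addl $OLDESP,%esp   # drop the nested ebx..eflags frame; the interrupted one is complete` would tie the discard to the pt_regs layout instead of a literal that silently breaks if SAVE_ALL changes (worth confirming OLDESP has its usual 0x34 value in this tree). Separately, the two `#ifndef CONFIG_XEN` blocks close with differing comments, `#endif /* CONFIG_XEN */` after the FIX_STACK macro and `#endif /* !CONFIG_XEN */` in KPROBE_ENTRY(debug); naming the guard the same way in both avoids misreading which branch is being closed. hypervisor_callback's body continues outside the hunk.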
    12.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/io_apic-xen.c	Tue Apr 25 22:55:22 2006 -0600
    12.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/io_apic-xen.c	Tue Apr 25 23:35:55 2006 -0600
    12.3 @@ -1205,7 +1205,6 @@ u8 irq_vector[NR_IRQ_VECTORS] __read_mos
    12.4  
    12.5  int assign_irq_vector(int irq)
    12.6  {
    12.7 -	static int current_vector = FIRST_DEVICE_VECTOR;
    12.8  	physdev_op_t op;
    12.9  
   12.10  	BUG_ON(irq >= NR_IRQ_VECTORS);
   12.11 @@ -1216,13 +1215,12 @@ int assign_irq_vector(int irq)
   12.12  	op.u.irq_op.irq = irq;
   12.13  	if (HYPERVISOR_physdev_op(&op))
   12.14  		return -ENOSPC;
   12.15 -	current_vector = op.u.irq_op.vector;
   12.16 -
   12.17 -	vector_irq[current_vector] = irq;
   12.18 +
   12.19 +	vector_irq[op.u.irq_op.vector] = irq;
   12.20  	if (irq != AUTO_ASSIGN)
   12.21 -		IO_APIC_VECTOR(irq) = current_vector;
   12.22 -
   12.23 -	return current_vector;
   12.24 +		IO_APIC_VECTOR(irq) = op.u.irq_op.vector;
   12.25 +
   12.26 +	return op.u.irq_op.vector;
   12.27  }
   12.28  
   12.29  #ifndef CONFIG_XEN
   12.30 @@ -2485,6 +2483,12 @@ static int __init io_apic_bug_finalize(v
   12.31  {
   12.32  	if(sis_apic_bug == -1)
   12.33  		sis_apic_bug = 0;
   12.34 +	if (xen_start_info->flags & SIF_INITDOMAIN) {
   12.35 +		dom0_op_t op = { .cmd = DOM0_PLATFORM_QUIRK };
   12.36 +		op.u.platform_quirk.quirk_id = sis_apic_bug ?
   12.37 +			QUIRK_IOAPIC_BAD_REGSEL : QUIRK_IOAPIC_GOOD_REGSEL;
   12.38 +		HYPERVISOR_dom0_op(&op);
   12.39 +	}
   12.40  	return 0;
   12.41  }
   12.42  
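Review bot: In io_apic_bug_finalize the return value of `HYPERVISOR_dom0_op(&op)` is discarded, so a hypervisor that rejects DOM0_PLATFORM_QUIRK (or does not recognise the quirk id) leaves Xen and dom0 with different ideas of the IOAPIC register-select behaviour and nothing in the log to show it; at minimum report it, e.g. `if (HYPERVISOR_dom0_op(&op)) printk(KERN_WARNING "io_apic: failed to report IOAPIC REGSEL quirk to Xen\n");`. In assign_irq_vector (first hunk) the vector returned by the hypervisor is now used directly to index vector_irq; the trust placed in that value is unchanged from before, but a bounds check next to the existing `BUG_ON(irq >= NR_IRQ_VECTORS)` would document that the array index comes from outside the kernel. assign_irq_vector's body continues past the first hunk.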
    13.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/sysenter.c	Tue Apr 25 22:55:22 2006 -0600
    13.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/sysenter.c	Tue Apr 25 23:35:55 2006 -0600
    13.3 @@ -20,11 +20,15 @@
    13.4  #include <asm/pgtable.h>
    13.5  #include <asm/unistd.h>
    13.6  
    13.7 +#ifdef CONFIG_XEN
    13.8 +#include <xen/interface/callback.h>
    13.9 +#endif
   13.10 +
   13.11  extern asmlinkage void sysenter_entry(void);
   13.12  
   13.13  void enable_sep_cpu(void)
   13.14  {
   13.15 -#ifdef CONFIG_X86_SYSENTER
   13.16 +#ifndef CONFIG_X86_NO_TSS
   13.17  	int cpu = get_cpu();
   13.18  	struct tss_struct *tss = &per_cpu(init_tss, cpu);
   13.19  
   13.20 @@ -54,14 +58,24 @@ int __init sysenter_setup(void)
   13.21  {
   13.22  	syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
   13.23  
   13.24 -#ifdef CONFIG_X86_SYSENTER
   13.25 +#ifdef CONFIG_XEN
   13.26 +	if (boot_cpu_has(X86_FEATURE_SEP)) {
   13.27 +		struct callback_register sysenter = {
   13.28 +			.type = CALLBACKTYPE_sysenter,
   13.29 +			.address = { __KERNEL_CS, (unsigned long)sysenter_entry },
   13.30 +		};
   13.31 +
   13.32 +		if (HYPERVISOR_callback_op(CALLBACKOP_register, &sysenter) < 0)
   13.33 +			clear_bit(X86_FEATURE_SEP, boot_cpu_data.x86_capability);
   13.34 +	}
   13.35 +#endif
   13.36 +
   13.37  	if (boot_cpu_has(X86_FEATURE_SEP)) {
   13.38  		memcpy(syscall_page,
   13.39  		       &vsyscall_sysenter_start,
   13.40  		       &vsyscall_sysenter_end - &vsyscall_sysenter_start);
   13.41  		return 0;
   13.42  	}
   13.43 -#endif
   13.44  
   13.45  	memcpy(syscall_page,
   13.46  	       &vsyscall_int80_start,
    14.1 --- a/linux-2.6-xen-sparse/arch/i386/kernel/vsyscall.S	Tue Apr 25 22:55:22 2006 -0600
    14.2 +++ b/linux-2.6-xen-sparse/arch/i386/kernel/vsyscall.S	Tue Apr 25 23:35:55 2006 -0600
    14.3 @@ -7,11 +7,9 @@ vsyscall_int80_start:
    14.4  	.incbin "arch/i386/kernel/vsyscall-int80.so"
    14.5  vsyscall_int80_end:
    14.6  
    14.7 -#ifdef CONFIG_X86_SYSENTER
    14.8  	.globl vsyscall_sysenter_start, vsyscall_sysenter_end
    14.9  vsyscall_sysenter_start:
   14.10  	.incbin "arch/i386/kernel/vsyscall-sysenter.so"
   14.11  vsyscall_sysenter_end:
   14.12 -#endif
   14.13  
   14.14  __FINIT
    15.1 --- a/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c	Tue Apr 25 22:55:22 2006 -0600
    15.2 +++ b/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c	Tue Apr 25 23:35:55 2006 -0600
    15.3 @@ -306,14 +306,14 @@ void pgd_ctor(void *pgd, kmem_cache_t *c
    15.4  			BUG_ON(rc);
    15.5  		}
    15.6  		if (HAVE_SHARED_KERNEL_PMD)
    15.7 -			memcpy((pgd_t *)pgd + USER_PTRS_PER_PGD,
    15.8 -			       swapper_pg_dir + USER_PTRS_PER_PGD,
    15.9 -			       (PTRS_PER_PGD - USER_PTRS_PER_PGD) * sizeof(pgd_t));
   15.10 +			clone_pgd_range((pgd_t *)pgd + USER_PTRS_PER_PGD,
   15.11 +					swapper_pg_dir + USER_PTRS_PER_PGD,
   15.12 +					KERNEL_PGD_PTRS);
   15.13  	} else {
   15.14  		spin_lock_irqsave(&pgd_lock, flags);
   15.15 -		memcpy((pgd_t *)pgd + USER_PTRS_PER_PGD,
   15.16 -		       swapper_pg_dir + USER_PTRS_PER_PGD,
   15.17 -		       (PTRS_PER_PGD - USER_PTRS_PER_PGD) * sizeof(pgd_t));
   15.18 +		clone_pgd_range((pgd_t *)pgd + USER_PTRS_PER_PGD,
   15.19 +				swapper_pg_dir + USER_PTRS_PER_PGD,
   15.20 +				KERNEL_PGD_PTRS);
   15.21  		memset(pgd, 0, USER_PTRS_PER_PGD*sizeof(pgd_t));
   15.22  		pgd_list_add(pgd);
   15.23  		spin_unlock_irqrestore(&pgd_lock, flags);
   15.24 @@ -360,7 +360,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
   15.25  			pmd_t *pmd = kmem_cache_alloc(pmd_cache, GFP_KERNEL);
   15.26  			if (!pmd)
   15.27  				goto out_oom;
   15.28 -			set_pgd(&pgd[USER_PTRS_PER_PGD], __pgd(1 + __pa(pmd)));
   15.29 +			set_pgd(&pgd[i], __pgd(1 + __pa(pmd)));
   15.30  		}
   15.31  
   15.32  		spin_lock_irqsave(&pgd_lock, flags);
    16.1 --- a/linux-2.6-xen-sparse/arch/i386/oprofile/xenoprof.c	Tue Apr 25 22:55:22 2006 -0600
    16.2 +++ b/linux-2.6-xen-sparse/arch/i386/oprofile/xenoprof.c	Tue Apr 25 23:35:55 2006 -0600
    16.3 @@ -35,8 +35,9 @@ static void xenoprof_stop(void);
    16.4  void * vm_map_xen_pages(unsigned long maddr, int vm_size, pgprot_t prot);
    16.5  
    16.6  static int xenoprof_enabled = 0;
    16.7 -static int num_events = 0;
    16.8 +static unsigned int num_events = 0;
    16.9  static int is_primary = 0;
   16.10 +static int active_defined;
   16.11  
   16.12  /* sample buffers shared with Xen */
   16.13  xenoprof_buf_t * xenoprof_buf[MAX_VIRT_CPUS];
   16.14 @@ -106,7 +107,7 @@ static irqreturn_t
   16.15  xenoprof_ovf_interrupt(int irq, void * dev_id, struct pt_regs * regs)
   16.16  {
   16.17  	int head, tail, size;
   16.18 -	xenoprof_buf_t * buf;
   16.19 +	struct xenoprof_buf * buf;
   16.20  	int cpu;
   16.21  
   16.22  	cpu = smp_processor_id();
   16.23 @@ -196,28 +197,49 @@ static int bind_virq(void)
   16.24  static int xenoprof_setup(void)
   16.25  {
   16.26  	int ret;
   16.27 +	int i;
   16.28  
   16.29  	ret = bind_virq();
   16.30  	if (ret)
   16.31  		return ret;
   16.32  
   16.33  	if (is_primary) {
   16.34 -		ret = HYPERVISOR_xenoprof_op(XENOPROF_reserve_counters,
   16.35 -					     (unsigned long)NULL,
   16.36 -					     (unsigned long)NULL);
   16.37 +		struct xenoprof_counter counter;
   16.38 +
   16.39 +		/* Define dom0 as an active domain if not done yet */
   16.40 +		if (!active_defined) {
   16.41 +			domid_t domid;
   16.42 +			ret = HYPERVISOR_xenoprof_op(XENOPROF_reset_active_list, NULL);
   16.43 +			if (ret)
   16.44 +				goto err;
   16.45 +			domid = 0;
   16.46 +			ret = HYPERVISOR_xenoprof_op(XENOPROF_set_active, &domid);
   16.47 +			if (ret)
   16.48 +				goto err;
   16.49 +			active_defined = 1;
   16.50 +		}
   16.51 +
   16.52 +		ret = HYPERVISOR_xenoprof_op(XENOPROF_reserve_counters, NULL);
   16.53  		if (ret)
   16.54  			goto err;
   16.55 +		for (i=0; i<num_events; i++) {
   16.56 +			counter.ind       = i;
   16.57 +			counter.count     = (uint64_t)counter_config[i].count;
   16.58 +			counter.enabled   = (uint32_t)counter_config[i].enabled;
   16.59 +			counter.event     = (uint32_t)counter_config[i].event;
   16.60 +			counter.kernel    = (uint32_t)counter_config[i].kernel;
   16.61 +			counter.user      = (uint32_t)counter_config[i].user;
   16.62 +			counter.unit_mask = (uint64_t)counter_config[i].unit_mask;
   16.63 +			HYPERVISOR_xenoprof_op(XENOPROF_counter, 
   16.64 +					       &counter);
   16.65 +		}
   16.66 +		ret = HYPERVISOR_xenoprof_op(XENOPROF_setup_events, NULL);
   16.67  
   16.68 -		ret = HYPERVISOR_xenoprof_op(XENOPROF_setup_events,
   16.69 -					     (unsigned long)&counter_config,
   16.70 -					     (unsigned long)num_events);
   16.71  		if (ret)
   16.72  			goto err;
   16.73  	}
   16.74  
   16.75 -	ret = HYPERVISOR_xenoprof_op(XENOPROF_enable_virq,
   16.76 -				     (unsigned long)NULL,
   16.77 -				     (unsigned long)NULL);
   16.78 +	ret = HYPERVISOR_xenoprof_op(XENOPROF_enable_virq, NULL);
   16.79  	if (ret)
   16.80  		goto err;
   16.81  
   16.82 @@ -233,17 +255,15 @@ static void xenoprof_shutdown(void)
   16.83  {
   16.84  	xenoprof_enabled = 0;
   16.85  
   16.86 -	HYPERVISOR_xenoprof_op(XENOPROF_disable_virq,
   16.87 -			       (unsigned long)NULL,
   16.88 -			       (unsigned long)NULL);
   16.89 +	HYPERVISOR_xenoprof_op(XENOPROF_disable_virq, NULL);
   16.90  
   16.91  	if (is_primary) {
   16.92 -		HYPERVISOR_xenoprof_op(XENOPROF_release_counters,
   16.93 -				       (unsigned long)NULL,
   16.94 -				       (unsigned long)NULL);
   16.95 +		HYPERVISOR_xenoprof_op(XENOPROF_release_counters, NULL);
   16.96 +		active_defined = 0;
   16.97  	}
   16.98  
   16.99  	unbind_virq();
  16.100 +
  16.101  }
  16.102  
  16.103  
  16.104 @@ -252,9 +272,8 @@ static int xenoprof_start(void)
  16.105  	int ret = 0;
  16.106  
  16.107  	if (is_primary)
  16.108 -		ret = HYPERVISOR_xenoprof_op(XENOPROF_start,
  16.109 -					     (unsigned long)NULL,
  16.110 -					     (unsigned long)NULL);
  16.111 +		ret = HYPERVISOR_xenoprof_op(XENOPROF_start, NULL);
  16.112 +
  16.113  	return ret;
  16.114  }
  16.115  
  16.116 @@ -262,20 +281,43 @@ static int xenoprof_start(void)
  16.117  static void xenoprof_stop(void)
  16.118  {
  16.119  	if (is_primary)
  16.120 -		HYPERVISOR_xenoprof_op(XENOPROF_stop,
  16.121 -				       (unsigned long)NULL,
  16.122 -				       (unsigned long)NULL);
  16.123 +		HYPERVISOR_xenoprof_op(XENOPROF_stop, NULL);
  16.124  }
  16.125  
  16.126  
  16.127  static int xenoprof_set_active(int * active_domains,
  16.128 -			  unsigned int adomains)
  16.129 +			       unsigned int adomains)
  16.130  {
  16.131  	int ret = 0;
  16.132 -	if (is_primary)
  16.133 -		ret = HYPERVISOR_xenoprof_op(XENOPROF_set_active,
  16.134 -					     (unsigned long)active_domains,
  16.135 -					     (unsigned long)adomains);
  16.136 +	int i;
  16.137 +	int set_dom0 = 0;
  16.138 +	domid_t domid;
  16.139 +
  16.140 +	if (!is_primary)
  16.141 +		return 0;
  16.142 +
  16.143 +	if (adomains > MAX_OPROF_DOMAINS)
  16.144 +		return -E2BIG;
  16.145 +
  16.146 +	ret = HYPERVISOR_xenoprof_op(XENOPROF_reset_active_list, NULL);
  16.147 +	if (ret)
  16.148 +		return ret;
  16.149 +
  16.150 +	for (i=0; i<adomains; i++) {
  16.151 +		domid = active_domains[i];
  16.152 +		ret = HYPERVISOR_xenoprof_op(XENOPROF_set_active, &domid);
  16.153 +		if (ret)
  16.154 +			return (ret);
  16.155 +		if (active_domains[i] == 0)
  16.156 +			set_dom0 = 1;
  16.157 +	}
  16.158 +	/* dom0 must always be active but may not be in the list */ 
  16.159 +	if (!set_dom0) {
  16.160 +		domid = 0;
  16.161 +		ret = HYPERVISOR_xenoprof_op(XENOPROF_set_active, &domid);
  16.162 +	}
  16.163 +	
  16.164 +	active_defined = 1;
  16.165  	return ret;
  16.166  }
  16.167  
  16.168 @@ -325,44 +367,48 @@ static int using_xenoprof;
  16.169  
  16.170  int __init oprofile_arch_init(struct oprofile_operations * ops)
  16.171  {
  16.172 -	xenoprof_init_result_t result;
  16.173 -	xenoprof_buf_t * buf;
  16.174 -	int max_samples = 16;
  16.175 +	struct xenoprof_init init;
  16.176 +	struct xenoprof_buf * buf;
  16.177  	int vm_size;
  16.178  	int npages;
  16.179 +	int ret;
  16.180  	int i;
  16.181  
  16.182 -	int ret = HYPERVISOR_xenoprof_op(XENOPROF_init,
  16.183 -					 (unsigned long)max_samples,
  16.184 -					 (unsigned long)&result);
  16.185 +	init.max_samples = 16;
  16.186 +	ret = HYPERVISOR_xenoprof_op(XENOPROF_init, &init);
  16.187  
  16.188  	if (!ret) {
  16.189  		pgprot_t prot = __pgprot(_KERNPG_TABLE);
  16.190  
  16.191 -		num_events = result.num_events;
  16.192 -		is_primary = result.is_primary;
  16.193 -		nbuf = result.nbuf;
  16.194 +		num_events = init.num_events;
  16.195 +		is_primary = init.is_primary;
  16.196 +		nbuf = init.nbuf;
  16.197  
  16.198 -		npages = (result.bufsize * nbuf - 1) / PAGE_SIZE + 1;
  16.199 +		/* just in case - make sure we do not overflow event list 
  16.200 +                   (i.e. counter_config list) */
  16.201 +		if (num_events > OP_MAX_COUNTER)
  16.202 +			num_events = OP_MAX_COUNTER;
  16.203 +
  16.204 +		npages = (init.bufsize * nbuf - 1) / PAGE_SIZE + 1;
  16.205  		vm_size = npages * PAGE_SIZE;
  16.206  
  16.207 -		shared_buffer = (char *) vm_map_xen_pages(result.buf_maddr,
  16.208 -							  vm_size, prot);
  16.209 +		shared_buffer = (char *)vm_map_xen_pages(init.buf_maddr,
  16.210 +							 vm_size, prot);
  16.211  		if (!shared_buffer) {
  16.212  			ret = -ENOMEM;
  16.213  			goto out;
  16.214  		}
  16.215  
  16.216  		for (i=0; i< nbuf; i++) {
  16.217 -			buf = (xenoprof_buf_t*) 
  16.218 -				&shared_buffer[i * result.bufsize];
  16.219 +			buf = (struct xenoprof_buf*) 
  16.220 +				&shared_buffer[i * init.bufsize];
  16.221  			BUG_ON(buf->vcpu_id >= MAX_VIRT_CPUS);
  16.222  			xenoprof_buf[buf->vcpu_id] = buf;
  16.223  		}
  16.224  
  16.225  		/*  cpu_type is detected by Xen */
  16.226  		cpu_type[XENOPROF_CPU_TYPE_SIZE-1] = 0;
  16.227 -		strncpy(cpu_type, result.cpu_type, XENOPROF_CPU_TYPE_SIZE - 1);
  16.228 +		strncpy(cpu_type, init.cpu_type, XENOPROF_CPU_TYPE_SIZE - 1);
  16.229  		xenoprof_ops.cpu_type = cpu_type;
  16.230  
  16.231  		init_driverfs();
  16.232 @@ -371,6 +417,8 @@ int __init oprofile_arch_init(struct opr
  16.233  
  16.234  		for (i=0; i<NR_CPUS; i++)
  16.235  			ovf_irq[i] = -1;
  16.236 +
  16.237 +		active_defined = 0;
  16.238  	}
  16.239   out:
  16.240  	printk(KERN_INFO "oprofile_arch_init: ret %d, events %d, "
  16.241 @@ -389,7 +437,5 @@ void __exit oprofile_arch_exit(void)
  16.242  		shared_buffer = NULL;
  16.243  	}
  16.244  	if (is_primary)
  16.245 -		HYPERVISOR_xenoprof_op(XENOPROF_shutdown,
  16.246 -				       (unsigned long)NULL,
  16.247 -				       (unsigned long)NULL);
  16.248 +		HYPERVISOR_xenoprof_op(XENOPROF_shutdown, NULL);
  16.249  }
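Review bot: The loop at 16.55–16.65 discards the return value of `HYPERVISOR_xenoprof_op(XENOPROF_counter, &counter)`, so a rejected counter configuration is noticed, if at all, only when XENOPROF_setup_events runs afterwards; capture it as `ret = HYPERVISOR_xenoprof_op(XENOPROF_counter, &counter); if (ret) goto err;`. In xenoprof_set_active, `domid = active_domains[i]` at 16.151 narrows an int taken from the active-domain list to domid_t, so negative or over-large values are silently wrapped rather than rejected, which makes the -E2BIG guard above it only half of the validation. At 16.159–16.164 `active_defined = 1` is also set when the final dom0 XENOPROF_set_active call fails, so a later xenoprof_setup will not retry adding dom0.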
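--- a/linux-2.6-xen-sparse/arch/x86_64/kernel/io_apic-xen.c
+++ b/linux-2.6-xen-sparse/arch/x86_64/kernel/io_apic-xen.c
@@ -869,7 +869,6 @@ u8 irq_vector[NR_IRQ_VECTORS] __read_mos
 
 int assign_irq_vector(int irq)
 {
-	static int current_vector = FIRST_DEVICE_VECTOR;
 	physdev_op_t op;
   
   	BUG_ON(irq != AUTO_ASSIGN && (unsigned)irq >= NR_IRQ_VECTORS);
@@ -880,13 +879,12 @@ int assign_irq_vector(int irq)
 	op.u.irq_op.irq = irq;
 	if (HYPERVISOR_physdev_op(&op))
 		return -ENOSPC;
-	current_vector = op.u.irq_op.vector;
 
-	vector_irq[current_vector] = irq;
+	vector_irq[op.u.irq_op.vector] = irq;
 	if (irq != AUTO_ASSIGN)
-		IO_APIC_VECTOR(irq) = current_vector;
+		IO_APIC_VECTOR(irq) = op.u.irq_op.vector;
 
-	return current_vector;
+	return op.u.irq_op.vector;
 }
 
 extern void (*interrupt[NR_IRQS])(void);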
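Review bot: `vector_irq[op.u.irq_op.vector] = irq;` at 17.18 indexes with a value filled in by the hypervisor and never range-checked, whereas the caller-supplied irq is BUG_ON-checked a few lines earlier. If vector_irq is sized like irq_vector at 17.3 (its declaration is not in the hunk), a symmetric `BUG_ON((unsigned)op.u.irq_op.vector >= NR_IRQ_VECTORS);` right after the hypercall keeps a malformed reply from writing past the table. Dropping the static current_vector also removes cross-call state from this function, which is worth a one-line comment so it is not reintroduced.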
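--- a/linux-2.6-xen-sparse/drivers/xen/pciback/pciback.h
+++ b/linux-2.6-xen-sparse/drivers/xen/pciback/pciback.h
@@ -11,6 +11,8 @@
 #include <xen/xenbus.h>
 #include <linux/list.h>
 #include <linux/spinlock.h>
+#include <linux/workqueue.h>
+#include <asm/atomic.h>
 #include <xen/interface/io/pciif.h>
 
 struct pci_dev_entry {
@@ -18,6 +20,9 @@ struct pci_dev_entry {
 	struct pci_dev *dev;
 };
 
+#define _PDEVF_op_active 	(0)
+#define PDEVF_op_active 	(1<<(_PDEVF_op_active))
+
 struct pciback_device {
 	void *pci_dev_data;
 	spinlock_t dev_lock;
@@ -29,7 +34,12 @@ struct pciback_device {
 
 	int evtchn_irq;
 
+	struct vm_struct *sh_area;
 	struct xen_pci_sharedinfo *sh_info;
+
+	unsigned long flags;
+
+	struct work_struct op_work;
 };
 
 struct pciback_dev_data {
@@ -70,6 +80,7 @@ void pciback_release_devices(struct pcib
 
 /* Handles events from front-end */
 irqreturn_t pciback_handle_event(int irq, void *dev_id, struct pt_regs *regs);
+void pciback_do_op(void *data);
 
 int pciback_xenbus_register(void);
 void pciback_xenbus_unregister(void);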
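Review bot: The new `unsigned long flags;` at 18.29 carries no comment saying which bits live in it, and the PDEVF_op_active definitions at 18.16–18.17 are equally bare, so a reader of the header cannot tell that the bit serialises entry into the work queue. Suggest `unsigned long flags;	/* PDEVF_* bits; _PDEVF_op_active is set while op_work is queued or running */` and a one-line comment above the defines. `struct vm_struct *sh_area;` at 18.26 would also benefit from `/* mapping of the frontend's shared page; sh_info points at sh_area->addr */`.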
    19.1 --- a/linux-2.6-xen-sparse/drivers/xen/pciback/pciback_ops.c	Tue Apr 25 22:55:22 2006 -0600
    19.2 +++ b/linux-2.6-xen-sparse/drivers/xen/pciback/pciback_ops.c	Tue Apr 25 23:35:55 2006 -0600
    19.3 @@ -40,18 +40,25 @@ void pciback_reset_device(struct pci_dev
    19.4  	pciback_config_reset(dev);
    19.5  }
    19.6  
    19.7 -irqreturn_t pciback_handle_event(int irq, void *dev_id, struct pt_regs *regs)
    19.8 +static inline void test_and_schedule_op(struct pciback_device *pdev)
    19.9  {
   19.10 -	struct pciback_device *pdev = dev_id;
   19.11 +	/* Check that frontend is requesting an operation and that we are not
   19.12 +	 * already processing a request */
   19.13 +	if (test_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags)
   19.14 +	    && !test_and_set_bit(_PDEVF_op_active, &pdev->flags))
   19.15 +		schedule_work(&pdev->op_work);
   19.16 +}
   19.17 +
   19.18 +/* Performing the configuration space reads/writes must not be done in atomic
   19.19 + * context because some of the pci_* functions can sleep (mostly due to ACPI
   19.20 + * use of semaphores). This function is intended to be called from a work
   19.21 + * queue in process context taking a struct pciback_device as a parameter */
   19.22 +void pciback_do_op(void *data)
   19.23 +{
   19.24 +	struct pciback_device *pdev = data;
   19.25  	struct pci_dev *dev;
   19.26  	struct xen_pci_op *op = &pdev->sh_info->op;
   19.27  
   19.28 -	if (unlikely(!test_bit(_XEN_PCIF_active,
   19.29 -			       (unsigned long *)&pdev->sh_info->flags))) {
   19.30 -		pr_debug("pciback: interrupt, but no active operation\n");
   19.31 -		goto out;
   19.32 -	}
   19.33 -
   19.34  	dev = pciback_get_pci_dev(pdev, op->domain, op->bus, op->devfn);
   19.35  
   19.36  	if (dev == NULL)
   19.37 @@ -65,10 +72,26 @@ irqreturn_t pciback_handle_event(int irq
   19.38  	else
   19.39  		op->err = XEN_PCI_ERR_not_implemented;
   19.40  
   19.41 +	/* Tell the driver domain that we're done. */ 
   19.42  	wmb();
   19.43  	clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
   19.44  	notify_remote_via_irq(pdev->evtchn_irq);
   19.45  
   19.46 -      out:
   19.47 +	/* Mark that we're done. */
   19.48 +	smp_mb__before_clear_bit(); /* /after/ clearing PCIF_active */
   19.49 +	clear_bit(_PDEVF_op_active, &pdev->flags);
   19.50 +	smp_mb__after_clear_bit(); /* /before/ final check for work */
   19.51 +
   19.52 +	/* Check to see if the driver domain tried to start another request in
   19.53 +	 * between clearing _XEN_PCIF_active and clearing _PDEVF_op_active. */
   19.54 +	test_and_schedule_op(pdev);
   19.55 +}
   19.56 +
   19.57 +irqreturn_t pciback_handle_event(int irq, void *dev_id, struct pt_regs *regs)
   19.58 +{
   19.59 +	struct pciback_device *pdev = dev_id;
   19.60 +
   19.61 +	test_and_schedule_op(pdev);
   19.62 +
   19.63  	return IRQ_HANDLED;
   19.64  }
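Review bot: pciback_do_op works directly on `op = &pdev->sh_info->op` (19.26), a struct in the page the frontend shares and can rewrite at any time, so the `op->domain/bus/devfn` used for the lookup at 19.34 and any field read later in the body (the command dispatch between 19.36 and 19.37 is outside the hunk) can differ from the values that were validated. Snapshot the request into a local at entry and publish only the result fields back, so the frontend cannot race the backend between check and use. The re-check at 19.54 is the right pattern for the scheduling race; with a snapshot, the `wmb()`/clear_bit sequence at 19.42–19.43 becomes the only point at which the backend writes to the shared page.
```c
void pciback_do_op(void *data)
{
	struct pciback_device *pdev = data;
	struct pci_dev *dev;
	/* Work on a private copy: the shared page is writable by the
	 * frontend, so every request field must be read exactly once. */
	struct xen_pci_op op = pdev->sh_info->op;

	dev = pciback_get_pci_dev(pdev, op.domain, op.bus, op.devfn);
	/* … unchanged: NULL check and command dispatch, with op-> becoming op. … */

	/* Publish only the result back to the shared page. */
	pdev->sh_info->op.value = op.value;
	pdev->sh_info->op.err = op.err;
	/* … unchanged: wmb(), clear _XEN_PCIF_active, notify, clear _PDEVF_op_active, re-check … */
```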
    20.1 --- a/linux-2.6-xen-sparse/drivers/xen/pciback/xenbus.c	Tue Apr 25 22:55:22 2006 -0600
    20.2 +++ b/linux-2.6-xen-sparse/drivers/xen/pciback/xenbus.c	Tue Apr 25 23:35:55 2006 -0600
    20.3 @@ -26,10 +26,13 @@ static struct pciback_device *alloc_pdev
    20.4  
    20.5  	spin_lock_init(&pdev->dev_lock);
    20.6  
    20.7 +	pdev->sh_area = NULL;
    20.8  	pdev->sh_info = NULL;
    20.9  	pdev->evtchn_irq = INVALID_EVTCHN_IRQ;
   20.10  	pdev->be_watching = 0;
   20.11  
   20.12 +	INIT_WORK(&pdev->op_work, pciback_do_op, pdev);
   20.13 +
   20.14  	if (pciback_init_devices(pdev)) {
   20.15  		kfree(pdev);
   20.16  		pdev = NULL;
   20.17 @@ -47,8 +50,13 @@ static void free_pdev(struct pciback_dev
   20.18  	if (pdev->evtchn_irq != INVALID_EVTCHN_IRQ)
   20.19  		unbind_from_irqhandler(pdev->evtchn_irq, pdev);
   20.20  
   20.21 +	/* If the driver domain started an op, make sure we complete it or
   20.22 +	 * delete it before releasing the shared memory */
   20.23 +	cancel_delayed_work(&pdev->op_work);
   20.24 +	flush_scheduled_work();
   20.25 +
   20.26  	if (pdev->sh_info)
   20.27 -		xenbus_unmap_ring_vfree(pdev->xdev, pdev->sh_info);
   20.28 +		xenbus_unmap_ring_vfree(pdev->xdev, pdev->sh_area);
   20.29  
   20.30  	pciback_release_devices(pdev);
   20.31  
   20.32 @@ -63,15 +71,19 @@ static int pciback_do_attach(struct pcib
   20.33  {
   20.34  	int err = 0;
   20.35  	int evtchn;
   20.36 +	struct vm_struct *area;
   20.37 +
   20.38  	dev_dbg(&pdev->xdev->dev,
   20.39  		"Attaching to frontend resources - gnt_ref=%d evtchn=%d\n",
   20.40  		gnt_ref, remote_evtchn);
   20.41  
   20.42 -	err =
   20.43 -	    xenbus_map_ring_valloc(pdev->xdev, gnt_ref,
   20.44 -				   (void **)&pdev->sh_info);
   20.45 -	if (err)
   20.46 +	area = xenbus_map_ring_valloc(pdev->xdev, gnt_ref);
   20.47 +	if (IS_ERR(area)) {
   20.48 +		err = PTR_ERR(area);
   20.49  		goto out;
   20.50 +	}
   20.51 +	pdev->sh_area = area;
   20.52 +	pdev->sh_info = area->addr;
   20.53  
   20.54  	err = xenbus_bind_evtchn(pdev->xdev, remote_evtchn, &evtchn);
   20.55  	if (err)
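Review bot: free_pdev's `cancel_delayed_work` + `flush_scheduled_work()` at 20.23–20.24 does not close the window in which a pciback_do_op that is running during the flush re-queues itself via test_and_schedule_op, because the frontend can set _XEN_PCIF_active again at any moment; work queued after the flush marker passes may then run against sh_info after it is unmapped at 20.28. A teardown bit set here before the cancel and tested in test_and_schedule_op before schedule_work closes that, e.g. a new `_PDEVF_closing` bit (name constructed) with `if (test_bit(_PDEVF_closing, &pdev->flags)) return;` in the scheduler helper. This is inferred from work-queue semantics rather than visible in the hunk, so confirm how flush_scheduled_work treats work re-queued mid-flush on this kernel.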
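--- a/linux-2.6-xen-sparse/drivers/xen/tpmback/common.h
+++ b/linux-2.6-xen-sparse/drivers/xen/tpmback/common.h
@@ -49,6 +49,7 @@ typedef struct tpmif_st {
 
 	grant_handle_t shmem_handle;
 	grant_ref_t shmem_ref;
+	struct page *pagerange;
 } tpmif_t;
 
 void tpmif_disconnect_complete(tpmif_t * tpmif);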
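--- a/linux-2.6-xen-sparse/drivers/xen/tpmback/interface.c
+++ b/linux-2.6-xen-sparse/drivers/xen/tpmback/interface.c
@@ -22,7 +22,6 @@ LIST_HEAD(tpmif_list);
 
 static tpmif_t *alloc_tpmif(domid_t domid, long int instance)
 {
-	struct page *page;
 	tpmif_t *tpmif;
 
 	tpmif = kmem_cache_alloc(tpmif_cachep, GFP_KERNEL);
@@ -35,9 +34,10 @@ static tpmif_t *alloc_tpmif(domid_t domi
 	tpmif->tpm_instance = instance;
 	atomic_set(&tpmif->refcnt, 1);
 
-	page = balloon_alloc_empty_page_range(TPMIF_TX_RING_SIZE);
-	BUG_ON(page == NULL);
-	tpmif->mmap_vstart = (unsigned long)pfn_to_kaddr(page_to_pfn(page));
+	tpmif->pagerange = balloon_alloc_empty_page_range(TPMIF_TX_RING_SIZE);
+	BUG_ON(tpmif->pagerange == NULL);
+	tpmif->mmap_vstart = (unsigned long)pfn_to_kaddr(
+	                                    page_to_pfn(tpmif->pagerange));
 
 	list_add(&tpmif->tpmif_list, &tpmif_list);
 	num_frontends++;
@@ -49,6 +49,7 @@ static void free_tpmif(tpmif_t * tpmif)
 {
 	num_frontends--;
 	list_del(&tpmif->tpmif_list);
+	balloon_dealloc_empty_page_range(tpmif->pagerange, TPMIF_TX_RING_SIZE);
 	kmem_cache_free(tpmif_cachep, tpmif);
 }
 
@@ -115,11 +116,11 @@ int tpmif_map(tpmif_t *tpmif, unsigned l
 		.cmd = EVTCHNOP_bind_interdomain,
 		.u.bind_interdomain.remote_dom = tpmif->domid,
 		.u.bind_interdomain.remote_port = evtchn,
-        };
+	};
 
-        if (tpmif->irq) {
-                return 0;
-        }
+	if (tpmif->irq) {
+		return 0;
+	}
 
 	if ((tpmif->tx_area = alloc_vm_area(PAGE_SIZE)) == NULL)
 		return -ENOMEM;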
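Review bot: `BUG_ON(tpmif->pagerange == NULL)` at 22.19 turns a failed balloon allocation into a dom0 panic, while the kmem_cache_alloc failure a few lines above is presumably handled by returning (alloc_tpmif's early-return path is outside the hunk); an allocation that can fail under memory pressure deserves the same treatment, e.g. `if (!tpmif->pagerange) { kmem_cache_free(tpmif_cachep, tpmif); return ERR_PTR(-ENOMEM); }`, assuming callers already handle an ERR_PTR as tpmif_find's callers do. The balloon_dealloc_empty_page_range added in free_tpmif at 22.29 is the matching release for this allocation and fixes the page-range leak.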
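--- a/linux-2.6-xen-sparse/drivers/xen/tpmback/tpmback.c
+++ b/linux-2.6-xen-sparse/drivers/xen/tpmback/tpmback.c
@@ -271,6 +271,7 @@ int _packet_write(struct packet *pak,
 		struct gnttab_map_grant_ref map_op;
 		struct gnttab_unmap_grant_ref unmap_op;
 		tpmif_tx_request_t *tx;
+		unsigned long pfn, mfn, mfn_orig;
 
 		tx = &tpmif->tx->ring[i].req;
 
@@ -293,9 +294,12 @@ int _packet_write(struct packet *pak,
 			DPRINTK(" Grant table operation failure !\n");
 			return 0;
 		}
-		set_phys_to_machine(__pa(MMAP_VADDR(tpmif, i)) >> PAGE_SHIFT,
-				    FOREIGN_FRAME(map_op.
-						  dev_bus_addr >> PAGE_SHIFT));
+
+		pfn = __pa(MMAP_VADDR(tpmif, i)) >> PAGE_SHIFT;
+		mfn = FOREIGN_FRAME(map_op.dev_bus_addr >> PAGE_SHIFT);
+		mfn_orig = phys_to_machine_mapping[pfn];
+
+		set_phys_to_machine(pfn, mfn);
 
 		tocopy = MIN(size - offset, PAGE_SIZE);
 
@@ -307,6 +311,8 @@ int _packet_write(struct packet *pak,
 		}
 		tx->size = tocopy;
 
+		set_phys_to_machine(pfn, mfn_orig);
+
 		gnttab_set_unmap_op(&unmap_op, MMAP_VADDR(tpmif, i),
 				    GNTMAP_host_map, handle);
 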
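Review bot: The restore `set_phys_to_machine(pfn, mfn_orig)` at 23.31 runs only on the straight-line path; anything between the map at 23.23 and this point (the copy around 23.25–23.28 is mostly outside the hunk) must not return early, or the p2m entry for the ring page is left pointing at the foreign frame after the grant is released. Worth a comment on 23.31 such as `/* must run on every path that follows set_phys_to_machine(pfn, mfn) above */`, or moving the restore next to the unmap so it cannot be skipped. The loop body of _packet_write starts and ends outside the hunks.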
    24.1 --- a/linux-2.6-xen-sparse/drivers/xen/tpmback/xenbus.c	Tue Apr 25 22:55:22 2006 -0600
    24.2 +++ b/linux-2.6-xen-sparse/drivers/xen/tpmback/xenbus.c	Tue Apr 25 23:35:55 2006 -0600
    24.3 @@ -49,6 +49,8 @@ static int tpmback_remove(struct xenbus_
    24.4  {
    24.5  	struct backend_info *be = dev->data;
    24.6  
    24.7 +	if (!be) return 0;
    24.8 +
    24.9  	if (be->backend_watch.node) {
   24.10  		unregister_xenbus_watch(&be->backend_watch);
   24.11  		kfree(be->backend_watch.node);
   24.12 @@ -119,37 +121,9 @@ static void backend_changed(struct xenbu
   24.13  		return;
   24.14  	}
   24.15  
   24.16 -	if (be->is_instance_set != 0 && be->instance != instance) {
   24.17 -		printk(KERN_WARNING
   24.18 -		       "tpmback: changing instance (from %ld to %ld) "
   24.19 -		       "not allowed.\n",
   24.20 -		       be->instance, instance);
   24.21 -		return;
   24.22 -	}
   24.23 -
   24.24  	if (be->is_instance_set == 0) {
   24.25 -		be->tpmif = tpmif_find(dev->otherend_id,
   24.26 -		                       instance);
   24.27 -		if (IS_ERR(be->tpmif)) {
   24.28 -			err = PTR_ERR(be->tpmif);
   24.29 -			be->tpmif = NULL;
   24.30 -			xenbus_dev_fatal(dev,err,"creating block interface");
   24.31 -			return;
   24.32 -		}
   24.33  		be->instance = instance;
   24.34  		be->is_instance_set = 1;
   24.35 -
   24.36 -		/*
   24.37 -		 * There's an unfortunate problem:
   24.38 -		 * Sometimes after a suspend/resume the
   24.39 -		 * state switch to XenbusStateInitialised happens
   24.40 -		 * *before* I get to this point here. Since then
   24.41 -		 * the connect_ring() must have failed (be->tpmif is
   24.42 -		 * still NULL), I just call it here again indirectly.
   24.43 -		 */
   24.44 -		if (be->frontend_state == XenbusStateInitialised) {
   24.45 -			frontend_changed(dev, be->frontend_state);
   24.46 -		}
   24.47  	}
   24.48  }
   24.49  
   24.50 @@ -186,6 +160,7 @@ static void frontend_changed(struct xenb
   24.51  		 */
   24.52  		tpmif_vtpm_close(be->instance);
   24.53  		device_unregister(&be->dev->dev);
   24.54 +		tpmback_remove(dev);
   24.55  		break;
   24.56  
   24.57  	case XenbusStateUnknown:
   24.58 @@ -279,6 +254,18 @@ static int connect_ring(struct backend_i
   24.59  				 dev->otherend);
   24.60  		return err;
   24.61  	}
   24.62 +
   24.63 +	if (!be->tpmif) {
   24.64 +		be->tpmif = tpmif_find(dev->otherend_id,
   24.65 +		                       be->instance);
   24.66 +		if (IS_ERR(be->tpmif)) {
   24.67 +			err = PTR_ERR(be->tpmif);
   24.68 +			be->tpmif = NULL;
   24.69 +			xenbus_dev_fatal(dev,err,"creating vtpm interface");
   24.70 +			return err;
   24.71 +		}
   24.72 +	}
   24.73 +
   24.74  	if (be->tpmif != NULL) {
   24.75  		err = tpmif_map(be->tpmif, ring_ref, evtchn);
   24.76  		if (err) {
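Review bot: `tpmback_remove(dev)` is now called from frontend_changed at 24.54 in addition to the bus-driven remove, and the only guard against the second call is `if (!be) return 0;` at 24.7; that guard works only if tpmback_remove ends by writing `dev->data = NULL`, which is outside the hunk. If it does not, `be` is freed twice. The `be->is_instance_set != 0 && be->instance != instance` rejection removed at 24.16–24.22 also means a later instance change in xenstore is now silently ignored instead of logged; if that is intended, a one-line comment at 24.24 saying so would prevent it being read as an oversight.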
    25.1 --- a/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_backend_client.c	Tue Apr 25 22:55:22 2006 -0600
    25.2 +++ b/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_backend_client.c	Tue Apr 25 23:35:55 2006 -0600
    25.3 @@ -30,21 +30,20 @@
    25.4   * IN THE SOFTWARE.
    25.5   */
    25.6  
    25.7 +#include <linux/err.h>
    25.8  #include <xen/gnttab.h>
    25.9  #include <xen/xenbus.h>
   25.10  #include <xen/driver_util.h>
   25.11  
   25.12  /* Based on Rusty Russell's skeleton driver's map_page */
   25.13 -int xenbus_map_ring_valloc(struct xenbus_device *dev, int gnt_ref, void **vaddr)
   25.14 +struct vm_struct *xenbus_map_ring_valloc(struct xenbus_device *dev, int gnt_ref)
   25.15  {
   25.16  	struct gnttab_map_grant_ref op;
   25.17  	struct vm_struct *area;
   25.18  
   25.19 -	*vaddr = NULL;
   25.20 -
   25.21  	area = alloc_vm_area(PAGE_SIZE);
   25.22  	if (!area)
   25.23 -		return -ENOMEM;
   25.24 +		return ERR_PTR(-ENOMEM);
   25.25  
   25.26  	gnttab_set_map_op(&op, (unsigned long)area->addr, GNTMAP_host_map,
   25.27  			  gnt_ref, dev->otherend_id);
   25.28 @@ -58,14 +57,14 @@ int xenbus_map_ring_valloc(struct xenbus
   25.29  		xenbus_dev_fatal(dev, op.status,
   25.30  				 "mapping in shared page %d from domain %d",
   25.31  				 gnt_ref, dev->otherend_id);
   25.32 -		return op.status;
   25.33 +		BUG_ON(!IS_ERR(ERR_PTR(op.status)));
   25.34 +		return ERR_PTR(op.status);
   25.35  	}
   25.36  
   25.37  	/* Stuff the handle in an unused field */
   25.38  	area->phys_addr = (unsigned long)op.handle;
   25.39  
   25.40 -	*vaddr = area->addr;
   25.41 -	return 0;
   25.42 +	return area;
   25.43  }
   25.44  EXPORT_SYMBOL_GPL(xenbus_map_ring_valloc);
   25.45  
   25.46 @@ -92,31 +91,11 @@ EXPORT_SYMBOL_GPL(xenbus_map_ring);
   25.47  
   25.48  
   25.49  /* Based on Rusty Russell's skeleton driver's unmap_page */
   25.50 -int xenbus_unmap_ring_vfree(struct xenbus_device *dev, void *vaddr)
   25.51 +int xenbus_unmap_ring_vfree(struct xenbus_device *dev, struct vm_struct *area)
   25.52  {
   25.53 -	struct vm_struct *area;
   25.54  	struct gnttab_unmap_grant_ref op;
   25.55  
   25.56 -	/* It'd be nice if linux/vmalloc.h provided a find_vm_area(void *addr)
   25.57 -	 * method so that we don't have to muck with vmalloc internals here.
   25.58 -	 * We could force the user to hang on to their struct vm_struct from
   25.59 -	 * xenbus_map_ring_valloc, but these 6 lines considerably simplify
   25.60 -	 * this API.
   25.61 -	 */
   25.62 -	read_lock(&vmlist_lock);
   25.63 -	for (area = vmlist; area != NULL; area = area->next) {
   25.64 -		if (area->addr == vaddr)
   25.65 -			break;
   25.66 -	}
   25.67 -	read_unlock(&vmlist_lock);
   25.68 -
   25.69 -	if (!area) {
   25.70 -		xenbus_dev_error(dev, -ENOENT,
   25.71 -				 "can't find mapped virtual address %p", vaddr);
   25.72 -		return GNTST_bad_virt_addr;
   25.73 -	}
   25.74 -
   25.75 -	gnttab_set_unmap_op(&op, (unsigned long)vaddr, GNTMAP_host_map,
   25.76 +	gnttab_set_unmap_op(&op, (unsigned long)area->addr, GNTMAP_host_map,
   25.77  			    (grant_handle_t)area->phys_addr);
   25.78  
   25.79  	lock_vm_area(area);
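Review bot: When the grant map fails (25.29–25.34), xenbus_map_ring_valloc returns an ERR_PTR without releasing the area reserved by alloc_vm_area at 25.21, so every failed mapping leaks a vm area; add `free_vm_area(area);` before the return. The `BUG_ON(!IS_ERR(ERR_PTR(op.status)))` on 25.33 encodes the expectation that op.status is a negative GNTST_* value, but it is a crash-if-wrong on a value returned by the grant operation; a comment stating that expectation, `/* op.status is a negative GNTST_* code, so ERR_PTR() is valid here */`, is clearer than asking readers to decode the expression. The middle of the function, between 25.27 and 25.28, is outside the hunk.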
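--- a/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/hypercall.h
+++ b/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/hypercall.h
@@ -338,9 +338,9 @@ HYPERVISOR_callback_op(
 
 static inline int
 HYPERVISOR_xenoprof_op(
-	int op, unsigned long arg1, unsigned long arg2)
+	int op, void *arg)
 {
-	return _hypercall3(int, xenoprof_op, op, arg1, arg2);
+	return _hypercall2(int, xenoprof_op, op, arg);
 }
 
 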
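--- a/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/processor.h
+++ b/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/processor.h
@@ -497,13 +497,11 @@ struct thread_struct {
 static inline void __load_esp0(struct tss_struct *tss, struct thread_struct *thread)
 {
 	tss->esp0 = thread->esp0;
-#ifdef CONFIG_X86_SYSENTER
 	/* This can only happen when SEP is enabled, no need to test "SEP"arately */
 	if (unlikely(tss->ss1 != thread->sysenter_cs)) {
 		tss->ss1 = thread->sysenter_cs;
 		wrmsr(MSR_IA32_SYSENTER_CS, thread->sysenter_cs, 0);
 	}
-#endif
 }
 #define load_esp0(tss, thread) \
 	__load_esp0(tss, thread)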
    28.1 --- a/linux-2.6-xen-sparse/include/asm-i386/mach-xen/setup_arch_post.h	Tue Apr 25 22:55:22 2006 -0600
    28.2 +++ b/linux-2.6-xen-sparse/include/asm-i386/mach-xen/setup_arch_post.h	Tue Apr 25 23:35:55 2006 -0600
    28.3 @@ -24,6 +24,7 @@ extern void nmi(void);
    28.4  
    28.5  static void __init machine_specific_arch_setup(void)
    28.6  {
    28.7 +	int ret;
    28.8  	struct xen_platform_parameters pp;
    28.9  	struct callback_register event = {
   28.10  		.type = CALLBACKTYPE_event,
   28.11 @@ -33,7 +34,10 @@ static void __init machine_specific_arch
   28.12  		.type = CALLBACKTYPE_failsafe,
   28.13  		.address = { __KERNEL_CS, (unsigned long)failsafe_callback },
   28.14  	};
   28.15 -	struct xennmi_callback cb;
   28.16 +	struct callback_register nmi_cb = {
   28.17 +		.type = CALLBACKTYPE_nmi,
   28.18 +		.address = { __KERNEL_CS, (unsigned long)nmi },
   28.19 +	};
   28.20  
   28.21  	if (xen_feature(XENFEAT_auto_translated_physmap) &&
   28.22  	    xen_start_info->shared_info < xen_start_info->nr_pages) {
   28.23 @@ -42,11 +46,22 @@ static void __init machine_specific_arch
   28.24  		memset(empty_zero_page, 0, sizeof(empty_zero_page));
   28.25  	}
   28.26  
   28.27 -	HYPERVISOR_callback_op(CALLBACKOP_register, &event);
   28.28 -	HYPERVISOR_callback_op(CALLBACKOP_register, &failsafe);
   28.29 +	ret = HYPERVISOR_callback_op(CALLBACKOP_register, &event);
   28.30 +	if (ret == 0)
   28.31 +		ret = HYPERVISOR_callback_op(CALLBACKOP_register, &failsafe);
   28.32 +	if (ret == -ENOSYS)
   28.33 +		ret = HYPERVISOR_set_callbacks(
   28.34 +			event.address.cs, event.address.eip,
   28.35 +			failsafe.address.cs, failsafe.address.eip);
   28.36 +	BUG_ON(ret);
   28.37  
   28.38 -	cb.handler_address = (unsigned long)&nmi;
   28.39 -	HYPERVISOR_nmi_op(XENNMI_register_callback, &cb);
   28.40 +	ret = HYPERVISOR_callback_op(CALLBACKOP_register, &nmi_cb);
   28.41 +	if (ret == -ENOSYS) {
   28.42 +		struct xennmi_callback cb;
   28.43 +
   28.44 +		cb.handler_address = nmi_cb.address.eip;
   28.45 +		HYPERVISOR_nmi_op(XENNMI_register_callback, &cb);
   28.46 +	}
   28.47  
   28.48  	if (HYPERVISOR_xen_version(XENVER_platform_parameters,
   28.49  				   &pp) == 0)
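Review bot: The NMI registration at 28.40–28.46 only handles -ENOSYS: any other non-zero result from HYPERVISOR_callback_op, and the result of the fallback HYPERVISOR_nmi_op, are dropped, while the event/failsafe registrations just above end in `BUG_ON(ret)`. If losing the NMI handler is as fatal as losing the event callback, assign the fallback's result too, `ret = HYPERVISOR_nmi_op(XENNMI_register_callback, &cb);`, and follow the block with `BUG_ON(ret);`; if it is tolerable, at least `else if (ret) printk(KERN_WARNING "nmi callback registration failed: %d\n", ret);` so the silent failure is visible. The x86_64 counterpart at 29.40–29.46 has the same gap.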
    29.1 --- a/linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/setup_arch_post.h	Tue Apr 25 22:55:22 2006 -0600
    29.2 +++ b/linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/setup_arch_post.h	Tue Apr 25 23:35:55 2006 -0600
    29.3 @@ -14,6 +14,7 @@ extern void nmi(void);
    29.4  
    29.5  static void __init machine_specific_arch_setup(void)
    29.6  {
    29.7 +	int ret;
    29.8  	struct callback_register event = {
    29.9  		.type = CALLBACKTYPE_event,
   29.10  		.address = (unsigned long) hypervisor_callback,
   29.11 @@ -27,15 +28,31 @@ static void __init machine_specific_arch
   29.12  		.address = (unsigned long)system_call,
   29.13  	};
   29.14  #ifdef CONFIG_X86_LOCAL_APIC
   29.15 -	struct xennmi_callback cb;
   29.16 +	struct callback_register nmi_cb = {
   29.17 +		.type = CALLBACKTYPE_nmi,
   29.18 +		.address = (unsigned long)nmi,
   29.19 +	};
   29.20  #endif
   29.21  
   29.22 -	HYPERVISOR_callback_op(CALLBACKOP_register, &event);
   29.23 -	HYPERVISOR_callback_op(CALLBACKOP_register, &failsafe);
   29.24 -	HYPERVISOR_callback_op(CALLBACKOP_register, &syscall);
   29.25 +	ret = HYPERVISOR_callback_op(CALLBACKOP_register, &event);
   29.26 +	if (ret == 0)
   29.27 +		ret = HYPERVISOR_callback_op(CALLBACKOP_register, &failsafe);
   29.28 +	if (ret == 0)
   29.29 +		ret = HYPERVISOR_callback_op(CALLBACKOP_register, &syscall);
   29.30 +	if (ret == -ENOSYS)
   29.31 +		ret = HYPERVISOR_set_callbacks(
   29.32 +			event.address,
   29.33 +			failsafe.address,
   29.34 +			syscall.address);
   29.35 +	BUG_ON(ret);
   29.36  
   29.37  #ifdef CONFIG_X86_LOCAL_APIC
   29.38 -	cb.handler_address = (unsigned long)&nmi;
   29.39 -	HYPERVISOR_nmi_op(XENNMI_register_callback, &cb);
   29.40 +	ret = HYPERVISOR_callback_op(CALLBACKOP_register, &nmi_cb);
   29.41 +	if (ret == -ENOSYS) {
   29.42 +		struct xennmi_callback cb;
   29.43 +
   29.44 +		cb.handler_address = nmi_cb.address;
   29.45 +		HYPERVISOR_nmi_op(XENNMI_register_callback, &cb);
   29.46 +	}
   29.47  #endif
   29.48  }
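--- a/linux-2.6-xen-sparse/include/xen/xenbus.h
+++ b/linux-2.6-xen-sparse/include/xen/xenbus.h
@@ -228,8 +228,8 @@ int xenbus_grant_ring(struct xenbus_devi
  * or -ENOMEM on error. If an error is returned, device will switch to
  * XenbusStateClosing and the error message will be saved in XenStore.
  */
-int xenbus_map_ring_valloc(struct xenbus_device *dev,
-			   int gnt_ref, void **vaddr);
+struct vm_struct *xenbus_map_ring_valloc(struct xenbus_device *dev,
+					 int gnt_ref);
 int xenbus_map_ring(struct xenbus_device *dev, int gnt_ref,
 			   grant_handle_t *handle, void *vaddr);
 
@@ -241,7 +241,7 @@ int xenbus_map_ring(struct xenbus_device
  * Returns 0 on success and returns GNTST_* on error
  * (see xen/include/interface/grant_table.h).
  */
-int xenbus_unmap_ring_vfree(struct xenbus_device *dev, void *vaddr);
+int xenbus_unmap_ring_vfree(struct xenbus_device *dev, struct vm_struct *);
 int xenbus_unmap_ring(struct xenbus_device *dev,
 		      grant_handle_t handle, void *vaddr);
 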
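Review bot: The comment above xenbus_map_ring_valloc at 30.4–30.6 still describes a 0/-ENOMEM integer result, but the new signature at 30.9–30.10 returns a `struct vm_struct *`; update it to say the call returns the vm_struct of the mapping on success, or an ERR_PTR (-ENOMEM when no area could be reserved, the GNTST_* status when the grant map fails). It should also state that the caller must keep the returned pointer and hand it to xenbus_unmap_ring_vfree, since the unmap side at 30.19 no longer accepts a bare vaddr.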
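--- a/linux-2.6-xen-sparse/mm/memory.c
+++ b/linux-2.6-xen-sparse/mm/memory.c
@@ -405,7 +405,7 @@ struct page *vm_normal_page(struct vm_ar
 	 * Remove this test eventually!
 	 */
 	if (unlikely(!pfn_valid(pfn))) {
-		if (!vma->vm_flags & VM_RESERVED)
+		if (!(vma->vm_flags & VM_RESERVED))
 			print_bad_pte(vma, pte, addr);
 		return NULL;
 	}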
    32.1 --- a/linux-2.6-xen-sparse/net/core/dev.c	Tue Apr 25 22:55:22 2006 -0600
    32.2 +++ b/linux-2.6-xen-sparse/net/core/dev.c	Tue Apr 25 23:35:55 2006 -0600
    32.3 @@ -1220,6 +1220,43 @@ int __skb_linearize(struct sk_buff *skb,
    32.4  	}						\
    32.5  }
    32.6  
    32.7 +#ifdef CONFIG_XEN
    32.8 +inline int skb_checksum_setup(struct sk_buff *skb)
    32.9 +{
   32.10 +	if (skb->proto_csum_blank) {
   32.11 +		if (skb->protocol != htons(ETH_P_IP))
   32.12 +			goto out;
   32.13 +		skb->h.raw = (unsigned char *)skb->nh.iph + 4*skb->nh.iph->ihl;
   32.14 +		if (skb->h.raw >= skb->tail)
   32.15 +			goto out;
   32.16 +		switch (skb->nh.iph->protocol) {
   32.17 +		case IPPROTO_TCP:
   32.18 +			skb->csum = offsetof(struct tcphdr, check);
   32.19 +			break;
   32.20 +		case IPPROTO_UDP:
   32.21 +			skb->csum = offsetof(struct udphdr, check);
   32.22 +			break;
   32.23 +		default:
   32.24 +			if (net_ratelimit())
   32.25 +				printk(KERN_ERR "Attempting to checksum a non-"
   32.26 +				       "TCP/UDP packet, dropping a protocol"
   32.27 +				       " %d packet", skb->nh.iph->protocol);
   32.28 +			goto out;
   32.29 +		}
   32.30 +		if ((skb->h.raw + skb->csum + 2) > skb->tail)
   32.31 +			goto out;
   32.32 +		skb->ip_summed = CHECKSUM_HW;
   32.33 +		skb->proto_csum_blank = 0;
   32.34 +	}
   32.35 +	return 0;
   32.36 +out:
   32.37 +	return -EPROTO;
   32.38 +}
   32.39 +#else
   32.40 +inline int skb_checksum_setup(struct sk_buff *skb) { return 0; }
   32.41 +#endif
   32.42 +
   32.43 +
   32.44  /**
   32.45   *	dev_queue_xmit - transmit a buffer
   32.46   *	@skb: buffer to transmit
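Review bot: `skb_checksum_setup` derives the transport header from `skb->nh.iph->ihl` but never checks that `ihl` is at least 5, so a packet whose IP header-length field is below the legal minimum (this path handles frames with `proto_csum_blank` set, which as far as I can tell are guest-originated) gets `h.raw` pointing inside the IP header; the later bounds checks against `skb->tail` keep it within the buffer, but the checksum is then computed over and written into the wrong bytes. A one-line guard after the protocol test closes it: `if (skb->nh.iph->ihl < 5) goto out;`. Two smaller points in the same hunk: the `KERN_ERR` message has no trailing `\n`, so the next printk is glued onto it, and a non-static `inline` definition that is also `EXPORT_SYMBOL`ed later in this file is unusual — dropping `inline` makes the exported symbol's linkage unambiguous.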
   32.47 @@ -1266,38 +1303,12 @@ int dev_queue_xmit(struct sk_buff *skb)
   32.48  	    __skb_linearize(skb, GFP_ATOMIC))
   32.49  		goto out_kfree_skb;
   32.50  
   32.51 -#ifdef CONFIG_XEN
   32.52 -	/* If a checksum-deferred packet is forwarded to a device that needs a
   32.53 -	 * checksum, correct the pointers and force checksumming.
   32.54 -	 */
   32.55 -	if (skb->proto_csum_blank) {
   32.56 -		if (skb->protocol != htons(ETH_P_IP))
   32.57 -			goto out_kfree_skb;
   32.58 -		skb->h.raw = (unsigned char *)skb->nh.iph + 4*skb->nh.iph->ihl;
   32.59 -		if (skb->h.raw >= skb->tail)
   32.60 -			goto out_kfree_skb;
   32.61 -		switch (skb->nh.iph->protocol) {
   32.62 -		case IPPROTO_TCP:
   32.63 -			skb->csum = offsetof(struct tcphdr, check);
   32.64 -			break;
   32.65 -		case IPPROTO_UDP:
   32.66 -			skb->csum = offsetof(struct udphdr, check);
   32.67 -			break;
   32.68 -		default:
   32.69 -			if (net_ratelimit())
   32.70 -				printk(KERN_ERR "Attempting to checksum a non-"
   32.71 -				       "TCP/UDP packet, dropping a protocol"
   32.72 -				       " %d packet", skb->nh.iph->protocol);
   32.73 -			rc = -EPROTO;
   32.74 -			goto out_kfree_skb;
   32.75 -		}
   32.76 -		if ((skb->h.raw + skb->csum + 2) > skb->tail)
   32.77 -			goto out_kfree_skb;
   32.78 -		skb->ip_summed = CHECKSUM_HW;
   32.79 -		skb->proto_csum_blank = 0;
   32.80 -	}
   32.81 -#endif
   32.82 -
   32.83 + 	/* If a checksum-deferred packet is forwarded to a device that needs a
   32.84 + 	 * checksum, correct the pointers and force checksumming.
   32.85 + 	 */
   32.86 + 	if(skb_checksum_setup(skb))
   32.87 + 		goto out_kfree_skb;
   32.88 +  
   32.89  	/* If packet is not checksummed and device does not support
   32.90  	 * checksumming for this protocol, complete checksumming here.
   32.91  	 */
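Review bot: The new call site throws away `skb_checksum_setup`'s return value, so the `-EPROTO` that the old inline code stored in `rc` for the non-TCP/UDP case is no longer reported; every checksum-setup failure now exits through `out_kfree_skb` with whatever `rc` held before (its initialiser is above this hunk). Propagating the helper's value — `rc = skb_checksum_setup(skb);` / `if (rc)` / `goto out_kfree_skb;` — reports `-EPROTO` for all of the helper's failures, which seems more accurate than a stale `rc` that the old code only set on one path. The four added lines also begin with a space before the tab and `if(` lacks the kernel's space after `if`, both of which checkpatch flags. `dev_queue_xmit` begins and ends outside this hunk.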
   32.92 @@ -3351,6 +3362,7 @@ EXPORT_SYMBOL(unregister_netdevice_notif
   32.93  EXPORT_SYMBOL(net_enable_timestamp);
   32.94  EXPORT_SYMBOL(net_disable_timestamp);
   32.95  EXPORT_SYMBOL(dev_get_flags);
   32.96 +EXPORT_SYMBOL(skb_checksum_setup);
   32.97  
   32.98  #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
   32.99  EXPORT_SYMBOL(br_handle_frame_hook);
    33.1 --- a/patches/linux-2.6.16/net-csum.patch	Tue Apr 25 22:55:22 2006 -0600
    33.2 +++ b/patches/linux-2.6.16/net-csum.patch	Tue Apr 25 23:35:55 2006 -0600
    33.3 @@ -39,3 +39,26 @@ diff -pruN ../pristine-linux-2.6.16/net/
    33.4   	*portptr = newport;
    33.5   	return 1;
    33.6   }
    33.7 +diff -r 601fa226a761 net/ipv4/xfrm4_output.c
    33.8 +--- a/net/ipv4/xfrm4_output.c	Wed Apr 19 18:52:30 2006
    33.9 ++++ b/net/ipv4/xfrm4_output.c	Thu Apr 20 15:49:40 2006
   33.10 +@@ -16,6 +16,8 @@
   33.11 + #include <net/ip.h>
   33.12 + #include <net/xfrm.h>
   33.13 + #include <net/icmp.h>
   33.14 ++
   33.15 ++extern int skb_checksum_setup(struct sk_buff *skb);
   33.16 + 
   33.17 + /* Add encapsulation header.
   33.18 +  *
   33.19 +@@ -103,6 +105,10 @@
   33.20 + 	struct xfrm_state *x = dst->xfrm;
   33.21 + 	int err;
   33.22 + 	
   33.23 ++	err = skb_checksum_setup(skb);
   33.24 ++	if (err)
   33.25 ++		goto error_nolock;
   33.26 ++
   33.27 + 	if (skb->ip_summed == CHECKSUM_HW) {
   33.28 + 		err = skb_checksum_help(skb, 0);
   33.29 + 		if (err)
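Review bot: The patched `xfrm4_output.c` declares `skb_checksum_setup` with a file-local `extern` prototype instead of picking it up from a header, so the compiler cannot catch drift between this declaration and the definition (and the non-CONFIG_XEN stub) added to net/core/dev.c in this same changeset. Put the prototype in a header that both `dev.c` and `xfrm4_output.c` include — `linux/skbuff.h` or `linux/netdevice.h` look like the natural homes, though which one the tree prefers is not visible here — and drop the local `extern` line from this patch. The `xfrm4_output` function itself starts and ends outside the quoted hunk.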
    34.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    34.2 +++ b/patches/linux-2.6.16/rename-TSS_sysenter_esp0-SYSENTER_stack_esp0.patch	Tue Apr 25 23:35:55 2006 -0600
    34.3 @@ -0,0 +1,31 @@
    34.4 +Index: sysenter/linux-2.6-xen-sparse/arch/i386/kernel/entry.S
    34.5 +===================================================================
    34.6 +--- linux-2.6.16.orig/arch/i386/kernel/entry.S	2006-04-05 11:12:51.000000000 +0100
    34.7 ++++ linux-2.6.16/arch/i386/kernel/entry.S	2006-04-05 11:12:52.000000000 +0100
    34.8 +@@ -177,7 +177,7 @@
    34.9 + 
   34.10 + 	# sysenter call handler stub
   34.11 + ENTRY(sysenter_entry)
   34.12 +-	movl TSS_sysenter_esp0(%esp),%esp
   34.13 ++	movl SYSENTER_stack_esp0(%esp),%esp
   34.14 + sysenter_past_esp:
   34.15 + 	sti
   34.16 + 	pushl $(__USER_DS)
   34.17 +@@ -492,7 +492,7 @@
   34.18 +  * that sets up the real kernel stack. Check here, since we can't
   34.19 +  * allow the wrong stack to be used.
   34.20 +  *
   34.21 +- * "TSS_sysenter_esp0+12" is because the NMI/debug handler will have
   34.22 ++ * "SYSENTER_stack_esp0+12" is because the NMI/debug handler will have
   34.23 +  * already pushed 3 words if it hits on the sysenter instruction:
   34.24 +  * eflags, cs and eip.
   34.25 +  *
   34.26 +@@ -504,7 +504,7 @@
   34.27 + 	cmpw $__KERNEL_CS,4(%esp);		\
   34.28 + 	jne ok;					\
   34.29 + label:						\
   34.30 +-	movl TSS_sysenter_esp0+offset(%esp),%esp;	\
   34.31 ++	movl SYSENTER_stack_esp0+offset(%esp),%esp;	\
   34.32 + 	pushfl;					\
   34.33 + 	pushl $__KERNEL_CS;			\
   34.34 + 	pushl $sysenter_past_esp
    35.1 --- a/tools/debugger/gdb/gdb-6.2.1-xen-sparse/gdb/gdbserver/server.c	Tue Apr 25 22:55:22 2006 -0600
    35.2 +++ b/tools/debugger/gdb/gdb-6.2.1-xen-sparse/gdb/gdbserver/server.c	Tue Apr 25 23:35:55 2006 -0600
    35.3 @@ -664,17 +664,13 @@ main (int argc, char *argv[])
    35.4  
    35.5           For the traditional remote protocol close the connection,
    35.6           and re-open it at the top of the loop.  */
    35.7 -      if (extended_protocol)
    35.8 -	{
    35.9 -	  remote_close ();
   35.10 +    detach_inferior ();
   35.11 +    remote_close ();
   35.12 +    if (extended_protocol)
   35.13  	  exit (0);
   35.14 -	}
   35.15 -      else
   35.16 -	{
   35.17 +    else
   35.18  	  fprintf (stderr, "Remote side has terminated connection.  "
   35.19  			   "GDBserver will reopen the connection.\n");
   35.20 -	  remote_close ();
   35.21 -	}
   35.22      sigaction(SIGINT, &old_sigaction, NULL);
   35.23      }
   35.24  }
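Review bot: The replacement lines are indented with four spaces while the surrounding gdbserver code (and the lines kept from the old branches) use the GNU two-space/tab layout, so `detach_inferior ();`, `remote_close ();` and the new `if`/`else` sit at a different column from the `fprintf` and `sigaction` they belong with. Re-indenting the five new lines to match the `sigaction` line below them is all that is needed. Separately, `detach_inferior ()` now also runs in the non-extended path before the server reopens the connection; whether the reopened session still has an inferior to serve is decided above this hunk, so worth confirming that was intended. `main` begins outside the hunk.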
    36.1 --- a/tools/examples/Makefile	Tue Apr 25 22:55:22 2006 -0600
    36.2 +++ b/tools/examples/Makefile	Tue Apr 25 23:35:55 2006 -0600
    36.3 @@ -28,9 +28,11 @@ XEN_SCRIPTS += block
    36.4  XEN_SCRIPTS += block-enbd block-nbd
    36.5  XEN_SCRIPTS += vtpm vtpm-delete
    36.6  XEN_SCRIPTS += xen-hotplug-cleanup
    36.7 +XEN_SCRIPTS += external-device-migrate
    36.8  XEN_SCRIPT_DATA = xen-script-common.sh locking.sh logging.sh
    36.9  XEN_SCRIPT_DATA += xen-hotplug-common.sh xen-network-common.sh vif-common.sh
   36.10  XEN_SCRIPT_DATA += block-common.sh vtpm-common.sh vtpm-hotplug-common.sh
   36.11 +XEN_SCRIPT_DATA += vtpm-migration.sh
   36.12  
   36.13  XEN_HOTPLUG_DIR = /etc/hotplug
   36.14  XEN_HOTPLUG_SCRIPTS = xen-backend.agent
    37.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    37.2 +++ b/tools/examples/external-device-migrate	Tue Apr 25 23:35:55 2006 -0600
    37.3 @@ -0,0 +1,85 @@
    37.4 +#!/bin/sh
    37.5 +
    37.6 +# Copyright (c) 2005 IBM Corporation
    37.7 +#
    37.8 +# This library is free software; you can redistribute it and/or
    37.9 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
   37.10 +# License as published by the Free Software Foundation.
   37.11 +#
   37.12 +# This library is distributed in the hope that it will be useful,
   37.13 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
   37.14 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   37.15 +# Lesser General Public License for more details.
   37.16 +#
   37.17 +# You should have received a copy of the GNU Lesser General Public
   37.18 +# License along with this library; if not, write to the Free Software
   37.19 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   37.20 +#
   37.21 +
   37.22 +
   37.23 +# This script is called by XenD for migration of external devices
   37.24 +# It does not handle the migration of those devices itself, but
   37.25 +# passes the requests on to further applications
   37.26 +# It handles the low-level command line parsing and some of the
   37.27 +# synchronization
   37.28 +
   37.29 +dir=$(dirname "$0")
   37.30 +. "$dir/logging.sh"
   37.31 +
   37.32 +
   37.33 +function usage() {
   37.34 +	echo " Pass the following command line paremeters to the script:"
   37.35 +	echo ""
   37.36 +	echo "-step <n>     : n-th migration step"
   37.37 +	echo "-host <host>  : the destination host"
   37.38 +	echo "-domname <domain name> : name of the domain that is migrating"
   37.39 +	echo "-type <device type>    : the type of device that is migrating"
   37.40 +	echo "-recover               : indicates recovery request; an error"
   37.41 +	echo "                         occurred during migration"
   37.42 +	echo "-help                  : display this help screen"
   37.43 +}
   37.44 +
   37.45 +while [ 1 ]; do
   37.46 +	if [ "$1" == "-step" ]; then
   37.47 +		shift
   37.48 +		step=$1
   37.49 +	elif [ "$1" == "-host" ]; then
   37.50 +		shift
   37.51 +		host=$1
   37.52 +	elif [ "$1" == "-domname" ]; then
   37.53 +		shift
   37.54 +		domname=$1
   37.55 +	elif [ "$1" == "-type" ]; then
   37.56 +		shift
   37.57 +		typ=$1
   37.58 +	elif [ "$1" == "-recover" ]; then
   37.59 +		recover=1
   37.60 +	elif [ "$1" == "-help" ]; then
   37.61 +		usage
   37.62 +		exit
   37.63 +	else
   37.64 +		break
   37.65 +	fi
   37.66 +	shift
   37.67 +done
   37.68 +
   37.69 +if [ "$step"    == "" -o \
   37.70 +     "$host"    == "" -o \
   37.71 +     "$typ"     == "" -o \
   37.72 +     "$domname" == "" ]; then
   37.73 +	echo "Error: Parameter(s) missing (-step/-host/-type/-domname)"
   37.74 +set
   37.75 +	echo ""
   37.76 +	echo "$0 --help for usage."
   37.77 +	exit
   37.78 +fi
   37.79 +
   37.80 +. "$dir/$typ-migration.sh"
   37.81 +
   37.82 +if [ "$recover" == "1" ]; then
   37.83 +	func="$typ"_recover
   37.84 +	eval $func $host $domname $step
   37.85 +else
   37.86 +	func="$typ"_migration_step
   37.87 +	eval $func $host $domname $step
   37.88 +fi
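Review bot: The two `eval $func $host $domname $step` lines at the end of the script feed the `-host` and `-domname` arguments through the shell a second time, so a domain name or host containing whitespace or metacharacters such as `;` or `$(...)` is executed as shell code in dom0; the `eval` is unnecessary because a function name held in a variable can be called directly with quoted arguments. The sourced path `"$dir/$typ-migration.sh"` is likewise built from the unvalidated `-type` argument, so a value containing `/` or `..` sources an arbitrary file — restrict it to a plain identifier before the `.` line. Two smaller issues: the bare `set` in the missing-parameter branch dumps every shell variable to stdout (leftover debugging), and both that branch and `-help` exit with status 0, so XenD cannot tell a failed invocation from a successful one (`exit 1` for the error, and the message should say `-help`, which is the option the parser accepts). Note too that the file is `#!/bin/sh` but uses `function` and `==`, which fail under a POSIX sh such as dash; `#!/bin/bash` matches what the code actually needs. How far XenD sanitises these values before calling the script is not visible here, so the script should not rely on it.
```shell
# … unchanged: option parsing loop …

if [ -z "$step" -o -z "$host" -o -z "$typ" -o -z "$domname" ]; then
	echo "Error: Parameter(s) missing (-step/-host/-type/-domname)"
	echo ""
	echo "$0 -help for usage."
	exit 1
fi

# Only accept a plain identifier as device type: it selects which file is sourced.
case "$typ" in
	*[!A-Za-z0-9_]*|"")
		echo "Error: invalid device type '$typ'"
		exit 1
		;;
esac

. "$dir/$typ-migration.sh"

if [ "$recover" == "1" ]; then
	func="$typ"_recover
else
	func="$typ"_migration_step
fi
# Call the function directly; no eval, so the arguments are never re-parsed.
"$func" "$host" "$domname" "$step"
```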
    38.1 --- a/tools/examples/vtpm-common.sh	Tue Apr 25 22:55:22 2006 -0600
    38.2 +++ b/tools/examples/vtpm-common.sh	Tue Apr 25 23:35:55 2006 -0600
    38.3 @@ -48,6 +48,12 @@ if [ -z "$VTPM_IMPL_DEFINED" ]; then
    38.4  	function vtpm_delete() {
    38.5  		true
    38.6  	}
    38.7 +	function vtpm_migrate() {
    38.8 +		echo "Error: vTPM migration accross machines not implemented."
    38.9 +	}
   38.10 +	function vtpm_migrate_recover() {
   38.11 +		true
   38.12 +	}
   38.13  fi
   38.14  
   38.15  
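Review bot: The default `vtpm_migrate` stub only echoes an error and therefore returns the exit status of `echo`, i.e. 0, so a caller such as the new `vtpm_migration_step` further down this file sees a successful migration step even though nothing was migrated; end the stub with `return 1` and, since `log err` is used elsewhere in this file, log it as well. The message also misspells "across" (`accross`). `vtpm_migrate_recover` returning `true` is fine for a no-op.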
   38.16 @@ -60,7 +66,7 @@ fi
   38.17  function vtpmdb_find_instance () {
   38.18  	local vmname=$1
   38.19  	local ret=0
   38.20 -	instance=`cat $VTPMDB |                    \
   38.21 +	instance=$(cat $VTPMDB |                   \
   38.22  	          awk -vvmname=$vmname             \
   38.23  	          '{                               \
   38.24  	             if ( 1 != index($1,"#")) {    \
   38.25 @@ -69,7 +75,7 @@ function vtpmdb_find_instance () {
   38.26  	                 exit;                     \
   38.27  	               }                           \
   38.28  	             }                             \
   38.29 -	           }'`
   38.30 +	           }')
   38.31  	if [ "$instance" != "" ]; then
   38.32  		ret=$instance
   38.33  	fi
   38.34 @@ -86,13 +92,13 @@ function vtpmdb_is_free_instancenum () {
   38.35  	if [ $instance -eq 0 -o $instance -gt 255 ]; then
   38.36  		avail=0
   38.37  	else
   38.38 -		instances=`cat $VTPMDB |                 \
   38.39 +		instances=$(cat $VTPMDB |                \
   38.40  		           gawk                          \
   38.41  		           '{                            \
   38.42  		               if (1 != index($1,"#")) { \
   38.43  		                 printf("%s ",$2);       \
   38.44  		               }                         \
   38.45 -		            }'`
   38.46 +		            }')
   38.47  		for i in $instances; do
   38.48  			if [ $i -eq $instance ]; then
   38.49  				avail=0
   38.50 @@ -110,13 +116,13 @@ function vtpmdb_get_free_instancenum () 
   38.51  	local ctr
   38.52  	local instances
   38.53  	local don
   38.54 -	instances=`cat $VTPMDB |                 \
   38.55 +	instances=$(cat $VTPMDB |                \
   38.56  	           gawk                          \
   38.57  	           '{                            \
   38.58  	               if (1 != index($1,"#")) { \
   38.59  	                 printf("%s ",$2);       \
   38.60  	               }                         \
   38.61 -	            }'`
   38.62 +	            }')
   38.63  	ctr=1
   38.64  	don=0
   38.65  	while [ $don -eq 0 ]; do
   38.66 @@ -163,7 +169,7 @@ function vtpmdb_validate_entry () {
   38.67  	local vmname=$1
   38.68  	local inst=$2
   38.69  
   38.70 -	res=`cat $VTPMDB |             \
   38.71 +	res=$(cat $VTPMDB |            \
   38.72  	     gawk -vvmname=$vmname     \
   38.73  	          -vinst=$inst         \
   38.74  	     '{                        \
   38.75 @@ -179,7 +185,7 @@ function vtpmdb_validate_entry () {
   38.76  	            printf("2");       \
   38.77  	            exit;              \
   38.78  	         }                     \
   38.79 -	     }'`
   38.80 +	     }')
   38.81  
   38.82  	if [ "$res" == "1" ]; then
   38.83  		let rc=1
   38.84 @@ -196,13 +202,13 @@ function vtpmdb_remove_entry () {
   38.85  	local vmname=$1
   38.86  	local instance=$2
   38.87  	local VTPMDB_TMP="$VTPMDB".tmp
   38.88 -	`cat $VTPMDB |             \
   38.89 +	$(cat $VTPMDB |            \
   38.90  	 gawk -vvmname=$vmname     \
   38.91  	 '{                        \
   38.92  	    if ( $1 != vmname ) {  \
   38.93  	      print $0;            \
   38.94  	    }                      \
   38.95 -	 '} > $VTPMDB_TMP`
   38.96 +	 '} > $VTPMDB_TMP)
   38.97  	if [ -e $VTPMDB_TMP ]; then
   38.98  		mv -f $VTPMDB_TMP $VTPMDB
   38.99  		vtpm_delete $instance
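Review bot: Wrapping the rewrite pipeline in `$( ... )` turns it into a command substitution whose output — empty, because the pipeline's stdout goes to `$VTPMDB_TMP` — is then executed as a command; it is a leftover of the old backtick form and should simply be removed so the line reads `cat $VTPMDB | gawk ... '}' > $VTPMDB_TMP` (or `gawk ... "$VTPMDB" > "$VTPMDB_TMP"` without the `cat`). Anything the pipeline ever did write to stdout would be evaluated as a command, which is the wrong failure mode for the file that maps a VM name to its vTPM instance. The `mv -f` that follows still replaces the database whenever the temp file exists, even if `gawk` failed, so checking the pipeline's exit status before the `mv` would make this safer; that check is outside the changed lines.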
  38.100 @@ -300,3 +306,62 @@ function vtpm_delete_instance () {
  38.101  
  38.102  	release_lock vtpmdb
  38.103  }
  38.104 +
  38.105 +# Determine whether the given address is local to this machine
  38.106 +# Return values:
  38.107 +#  "-1" : the given machine name is invalid
  38.108 +#  "0"  : this is not an address of this machine
  38.109 +#  "1"  : this is an address local to this machine
  38.110 +function isLocalAddress() {
  38.111 +	local addr=$(ping $1 -c 1 |  \
  38.112 +	             gawk '{ print substr($3,2,length($3)-2); exit }')
  38.113 +	if [ "$addr" == "" ]; then
  38.114 +		echo "-1"
  38.115 +		return
  38.116 +	fi
  38.117 +	local res=$(ifconfig | grep "inet addr" |  \
  38.118 +	           gawk -vaddr=$addr               \
  38.119 +	           '{                              \
  38.120 +	              if ( addr == substr($2, 6)) {\
  38.121 +	                print "1";                 \
  38.122 +	              }                            \
  38.123 +	           }'                              \
  38.124 +	          )
  38.125 +	if [ "$res" == "" ]; then
  38.126 +		echo "0"
  38.127 +		return
  38.128 +	fi
  38.129 +	echo "1"
  38.130 +}
  38.131 +
  38.132 +# Perform a migration step. This function differentiates between migration
  38.133 +# to the local host or to a remote machine.
  38.134 +# Parameters:
  38.135 +# 1st: destination host to migrate to
  38.136 +# 2nd: name of the domain to migrate
  38.137 +# 3rd: the migration step to perform
  38.138 +function vtpm_migration_step() {
  38.139 +	local instance=$(vtpmdb_find_instance $2)
  38.140 +	if [ "$instance" == "" ]; then
  38.141 +		echo "Error: Translation of domain name ($2) to instance failed. Check /etc/xen/vtpm.db"
  38.142 +		log err "Error during translation of domain name"
  38.143 +	else
  38.144 +		res=$(isLocalAddress $1)
  38.145 +		if [ "$res" == "0" ]; then
  38.146 +			vtpm_migrate $1 $2 $3
  38.147 +		fi
  38.148 +	fi
  38.149 +}
  38.150 +
  38.151 +# Recover from migration due to an error. This function differentiates
  38.152 +# between migration to the local host or to a remote machine.
  38.153 +# Parameters:
  38.154 +# 1st: destination host the migration was going to
  38.155 +# 2nd: name of the domain that was to be migrated
  38.156 +# 3rd: the last successful migration step that was done
  38.157 +function vtpm_recover() {
  38.158 +	res=$(isLocalAddress $1)
  38.159 +	if [ "$res" == "0" ]; then
  38.160 +		vtpm_migrate_recover $1 $2 $3
  38.161 +	fi
  38.162 +}
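Review bot: `isLocalAddress` passes its argument to `ping $1 -c 1` unquoted, so a destination host supplied by the migration caller that begins with `-` is parsed by `ping` as an option and one containing whitespace is split into several arguments; use `ping -c 1 -- "$1"` and quote `$addr`, `$1`, `$2` and `$3` throughout these three functions. It also parses the third field of `ping`'s first output line and the `inet addr` layout of `ifconfig`, both of which vary between ping/net-tools versions and locales, so a non-matching format silently yields `-1` or `0`. `vtpm_migration_step` and `vtpm_recover` then act only on `0`, which means an unresolvable host (`-1`) is indistinguishable from a local migration and nothing is logged. Treat `-1` explicitly, and declare `res` `local` in both functions so it does not leak into the caller's scope.
```shell
function vtpm_migration_step() {
	local instance=$(vtpmdb_find_instance "$2")
	local res
	if [ "$instance" == "" ]; then
		# … unchanged: error message and log err …
	else
		res=$(isLocalAddress "$1")
		if [ "$res" == "-1" ]; then
			echo "Error: Could not resolve migration destination host ($1)."
			log err "Could not resolve migration destination host"
		elif [ "$res" == "0" ]; then
			vtpm_migrate "$1" "$2" "$3"
		fi
	fi
}
```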
    39.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    39.2 +++ b/tools/examples/vtpm-migration.sh	Tue Apr 25 23:35:55 2006 -0600
    39.3 @@ -0,0 +1,19 @@
    39.4 +#
    39.5 +# Copyright (c) 2005 IBM Corporation
    39.6 +#
    39.7 +# This library is free software; you can redistribute it and/or
    39.8 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
    39.9 +# License as published by the Free Software Foundation.
   39.10 +#
   39.11 +# This library is distributed in the hope that it will be useful,
   39.12 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
   39.13 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   39.14 +# Lesser General Public License for more details.
   39.15 +#
   39.16 +# You should have received a copy of the GNU Lesser General Public
   39.17 +# License along with this library; if not, write to the Free Software
   39.18 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   39.19 +#
   39.20 +
   39.21 +dir=$(dirname "$0")
   39.22 +. "$dir/vtpm-common.sh"
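Review bot: `vtpm-migration.sh` is a library meant to be sourced (the new `external-device-migrate` does `. "$dir/$typ-migration.sh"`), yet it recomputes `dir=$(dirname "$0")`; in a sourced file `$0` is the caller's path, so this only finds `vtpm-common.sh` because both scripts happen to live in the same directory, and it silently overwrites the caller's `dir`. A one-line comment stating that assumption, `# $0 is the sourcing script; vtpm-common.sh must sit next to it`, or reusing the caller's value when set (`dir=${dir:-$(dirname "$0")}`), makes the dependency explicit. The file also has no guard against being sourced twice, unlike the `VTPM_IMPL_DEFINED` check in `vtpm-common.sh`; whether that matters depends on what `vtpm-common.sh` does on load, which is not visible here.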
    40.1 --- a/tools/examples/xmexample.hvm	Tue Apr 25 22:55:22 2006 -0600
    40.2 +++ b/tools/examples/xmexample.hvm	Tue Apr 25 23:35:55 2006 -0600
    40.3 @@ -21,6 +21,10 @@ kernel = "/usr/lib/xen/boot/hvmloader"
    40.4  builder='hvm'
    40.5  
    40.6  # Initial memory allocation (in megabytes) for the new domain.
    40.7 +#
    40.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    40.9 +#          memory errors. The domain needs enough memory to boot kernel
   40.10 +#          and modules. Allocating less than 32MBs is not recommended.
   40.11  memory = 128
   40.12  
   40.13  # A name for your domain. All domains must have different names.
    41.1 --- a/tools/examples/xmexample.nbd	Tue Apr 25 22:55:22 2006 -0600
    41.2 +++ b/tools/examples/xmexample.nbd	Tue Apr 25 23:35:55 2006 -0600
    41.3 @@ -10,7 +10,12 @@
    41.4  
    41.5  kernel = "/boot/vmlinuz-2.6.13-15b-xen"
    41.6  ramdisk = "/boot/initrd-2.6.13-15b-xen"
    41.7 +
    41.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    41.9 +#          memory errors. The domain needs enough memory to boot kernel
   41.10 +#          and modules. Allocating less than 32MBs is not recommended.
   41.11  memory = 128
   41.12 +
   41.13  name = "nbd4"
   41.14  vif = [ '' ]
   41.15  # Please change PORT
    42.1 --- a/tools/examples/xmexample.vti	Tue Apr 25 22:55:22 2006 -0600
    42.2 +++ b/tools/examples/xmexample.vti	Tue Apr 25 23:35:55 2006 -0600
    42.3 @@ -18,6 +18,10 @@ kernel = "/boot/Flash.fd"
    42.4  builder='hvm'
    42.5  
    42.6  # Initial memory allocation (in megabytes) for the new domain.
    42.7 +#
    42.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    42.9 +#          memory errors. The domain needs enough memory to boot kernel
   42.10 +#          and modules. Allocating less than 32MBs is not recommended.
   42.11  memory = 256
   42.12  
   42.13  # A name for your domain. All domains must have different names.
    43.1 --- a/tools/examples/xmexample1	Tue Apr 25 22:55:22 2006 -0600
    43.2 +++ b/tools/examples/xmexample1	Tue Apr 25 23:35:55 2006 -0600
    43.3 @@ -17,6 +17,10 @@ kernel = "/boot/vmlinuz-2.6.10-xenU"
    43.4  #builder='linux'
    43.5  
    43.6  # Initial memory allocation (in megabytes) for the new domain.
    43.7 +#
    43.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    43.9 +#          memory errors. The domain needs enough memory to boot kernel
   43.10 +#          and modules. Allocating less than 32MBs is not recommended.
   43.11  memory = 64
   43.12  
   43.13  # A name for your domain. All domains must have different names.
    44.1 --- a/tools/examples/xmexample2	Tue Apr 25 22:55:22 2006 -0600
    44.2 +++ b/tools/examples/xmexample2	Tue Apr 25 23:35:55 2006 -0600
    44.3 @@ -45,6 +45,10 @@ kernel = "/boot/vmlinuz-2.6.10-xenU"
    44.4  #builder='linux'
    44.5  
    44.6  # Initial memory allocation (in megabytes) for the new domain.
    44.7 +#
    44.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    44.9 +#          memory errors. The domain needs enough memory to boot kernel
   44.10 +#          and modules. Allocating less than 32MBs is not recommended.
   44.11  memory = 64
   44.12  
   44.13  # A name for the new domain. All domains have to have different names,
    45.1 --- a/tools/examples/xmexample3	Tue Apr 25 22:55:22 2006 -0600
    45.2 +++ b/tools/examples/xmexample3	Tue Apr 25 23:35:55 2006 -0600
    45.3 @@ -45,6 +45,10 @@ kernel = "/path/to/domU/kernel"
    45.4  #builder='linux'
    45.5  
    45.6  # Initial memory allocation (in megabytes) for the new domain.
    45.7 +#
    45.8 +# WARNING: Creating a domain with insufficient memory may cause out of
    45.9 +#          memory errors. The domain needs enough memory to boot kernel
   45.10 +#          and modules. Allocating less than 32MBs is not recommended.
   45.11  memory = 64
   45.12  
   45.13  # A name for the new domain. All domains have to have different names,
    46.1 --- a/tools/ioemu/hw/pc.c	Tue Apr 25 22:55:22 2006 -0600
    46.2 +++ b/tools/ioemu/hw/pc.c	Tue Apr 25 23:35:55 2006 -0600
    46.3 @@ -40,7 +40,6 @@ int speaker_data_on;
    46.4  int dummy_refresh_clock;
    46.5  static fdctrl_t *floppy_controller;
    46.6  static RTCState *rtc_state;
    46.7 -static PITState *pit;
    46.8  
    46.9  static void ioport80_write(void *opaque, uint32_t addr, uint32_t data)
   46.10  {
   46.11 @@ -243,17 +242,13 @@ static void cmos_init(uint64_t ram_size,
   46.12  
   46.13  static void speaker_ioport_write(void *opaque, uint32_t addr, uint32_t val)
   46.14  {
   46.15 -    speaker_data_on = (val >> 1) & 1;
   46.16 -    pit_set_gate(pit, 2, val & 1);
   46.17 +    fprintf(stderr, "speaker port should not be handled in DM!\n");
   46.18  }
   46.19  
   46.20  static uint32_t speaker_ioport_read(void *opaque, uint32_t addr)
   46.21  {
   46.22 -    int out;
   46.23 -    out = pit_get_out(pit, 2, qemu_get_clock(vm_clock));
   46.24 -    dummy_refresh_clock ^= 1;
   46.25 -    return (speaker_data_on << 1) | pit_get_gate(pit, 2) | (out << 5) |
   46.26 -      (dummy_refresh_clock << 4);
   46.27 +    fprintf(stderr, "speaker port should not be handled in DM!\n");
   46.28 +    return 0;
   46.29  }
   46.30  
   46.31  static void ioport92_write(void *opaque, uint32_t addr, uint32_t val)
   46.32 @@ -529,7 +524,6 @@ void pc_init(uint64_t ram_size, int vga_
   46.33      register_ioport_write(0x92, 1, 1, ioport92_write, NULL);
   46.34  
   46.35      pic_init();
   46.36 -    pit = pit_init(0x40, 0);
   46.37  
   46.38      for(i = 0; i < MAX_SERIAL_PORTS; i++) {
   46.39          if (serial_hds[i]) {
    47.1 --- a/tools/ioemu/keyboard_rdesktop.c	Tue Apr 25 22:55:22 2006 -0600
    47.2 +++ b/tools/ioemu/keyboard_rdesktop.c	Tue Apr 25 23:35:55 2006 -0600
    47.3 @@ -75,7 +75,7 @@ static kbd_layout_t* parse_keyboard_layo
    47.4      char* file_name=malloc(strlen(prefix)+strlen(language)+strlen(bios_dir)+1);
    47.5  
    47.6  	if(!k)
    47.7 -		k=calloc(sizeof(kbd_layout_t),1);
    47.8 +		k=calloc(1, sizeof(kbd_layout_t));
    47.9  	strcpy(file_name,bios_dir);
   47.10  	strcat(file_name,prefix);
   47.11  	strcat(file_name,language);
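Review bot: The swapped `calloc` arguments are correct, but the hunk leaves the neighbouring allocation unchecked: `file_name` (and `k`, when freshly allocated) is used by `strcpy`/`strcat` on the following lines with no NULL test, so an allocation failure becomes a NULL-pointer write. Add `if (!file_name || !k) return NULL;` — or whatever failure value the caller expects, since the function's return convention is above this hunk — before the first `strcpy`. `parse_keyboard_layout` begins and ends outside the hunk.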
    48.1 --- a/tools/ioemu/target-i386-dm/Makefile	Tue Apr 25 22:55:22 2006 -0600
    48.2 +++ b/tools/ioemu/target-i386-dm/Makefile	Tue Apr 25 23:35:55 2006 -0600
    48.3 @@ -277,7 +277,7 @@ endif
    48.4  
    48.5  # Hardware support
    48.6  VL_OBJS+= ide.o ne2000.o pckbd.o vga.o dma.o
    48.7 -VL_OBJS+= fdc.o mc146818rtc.o serial.o i8259_stub.o i8254.o pc.o port-e9.o
    48.8 +VL_OBJS+= fdc.o mc146818rtc.o serial.o i8259_stub.o pc.o port-e9.o
    48.9  VL_OBJS+= cirrus_vga.o pcnet.o
   48.10  VL_OBJS+= $(SOUND_HW) $(AUDIODRV) mixeng.o
   48.11  
    49.1 --- a/tools/libxc/xc_linux_restore.c	Tue Apr 25 22:55:22 2006 -0600
    49.2 +++ b/tools/libxc/xc_linux_restore.c	Tue Apr 25 23:35:55 2006 -0600
    49.3 @@ -183,9 +183,9 @@ int xc_linux_restore(int xc_handle, int 
    49.4  
    49.5  
    49.6      /* We want zeroed memory so use calloc rather than malloc. */
    49.7 -    p2m        = calloc(sizeof(unsigned long), max_pfn);
    49.8 -    pfn_type   = calloc(sizeof(unsigned long), max_pfn);
    49.9 -    region_mfn = calloc(sizeof(unsigned long), MAX_BATCH_SIZE);
   49.10 +    p2m        = calloc(max_pfn, sizeof(unsigned long));
   49.11 +    pfn_type   = calloc(max_pfn, sizeof(unsigned long));
   49.12 +    region_mfn = calloc(MAX_BATCH_SIZE, sizeof(unsigned long));
   49.13  
   49.14      if ((p2m == NULL) || (pfn_type == NULL) || (region_mfn == NULL)) {
   49.15          ERR("memory alloc failed");
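Review bot: Swapping the `calloc` arguments matters for more than style here: with `max_pfn` as the element count and `sizeof(unsigned long)` as the element size, a conforming allocator can detect the multiplication overflowing, which the old order could not. That only helps if `max_pfn` is also bounded before use — it appears to be taken from the saved image rather than from the hypervisor (its origin is above this hunk), and an absurdly large value still drives three huge allocations and, presumably, the loops that follow. Worth confirming there is a sanity check comparing `max_pfn` against the domain's maximum memory before this point, and adding a comment here, `/* max_pfn was validated against the domain's memory limit above */`, so the next reader does not have to hunt for it.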
    50.1 --- a/tools/pygrub/Makefile	Tue Apr 25 22:55:22 2006 -0600
    50.2 +++ b/tools/pygrub/Makefile	Tue Apr 25 23:35:55 2006 -0600
    50.3 @@ -11,7 +11,7 @@ build:
    50.4  .PHONY: install
    50.5  ifndef XEN_PYTHON_NATIVE_INSTALL
    50.6  install: all
    50.7 -	CFLAGS="$(CFLAGS)" python setup.py install --home="$(DESTDIR)/usr"
    50.8 +	CFLAGS="$(CFLAGS)" python setup.py install --home="$(DESTDIR)/usr" --prefix=""
    50.9  else
   50.10  install: all
   50.11  	CFLAGS="$(CFLAGS)" python setup.py install --root="$(DESTDIR)"
    51.1 --- a/tools/python/Makefile	Tue Apr 25 22:55:22 2006 -0600
    51.2 +++ b/tools/python/Makefile	Tue Apr 25 23:35:55 2006 -0600
    51.3 @@ -11,7 +11,7 @@ build:
    51.4  .PHONY: install
    51.5  ifndef XEN_PYTHON_NATIVE_INSTALL
    51.6  install: all
    51.7 -	CFLAGS="$(CFLAGS)" python setup.py install --home="$(DESTDIR)/usr" --force
    51.8 +	CFLAGS="$(CFLAGS)" python setup.py install --home="$(DESTDIR)/usr" --prefix="" --force
    51.9  else
   51.10  install: all
   51.11  	CFLAGS="$(CFLAGS)" python setup.py install --root="$(DESTDIR)" --force
    52.1 --- a/tools/python/setup.py	Tue Apr 25 22:55:22 2006 -0600
    52.2 +++ b/tools/python/setup.py	Tue Apr 25 23:35:55 2006 -0600
    52.3 @@ -31,6 +31,13 @@ xs = Extension("xs",
    52.4                 libraries          = libraries,
    52.5                 sources            = [ "xen/lowlevel/xs/xs.c" ])
    52.6  
    52.7 +acm = Extension("acm",
    52.8 +               extra_compile_args = extra_compile_args,
    52.9 +               include_dirs       = include_dirs + [ "xen/lowlevel/acm" ],
   52.10 +               library_dirs       = library_dirs,
   52.11 +               libraries          = libraries,
   52.12 +               sources            = [ "xen/lowlevel/acm/acm.c" ])
   52.13 +
   52.14  setup(name            = 'xen',
   52.15        version         = '3.0',
   52.16        description     = 'Xen',
   52.17 @@ -50,7 +57,7 @@ setup(name            = 'xen',
   52.18                           'xen.xm.tests'
   52.19                           ],
   52.20        ext_package = "xen.lowlevel",
   52.21 -      ext_modules = [ xc, xs ]
   52.22 +      ext_modules = [ xc, xs, acm ]
   52.23        )
   52.24  
   52.25  os.chdir('logging')
    53.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    53.2 +++ b/tools/python/xen/lowlevel/acm/acm.c	Tue Apr 25 23:35:55 2006 -0600
    53.3 @@ -0,0 +1,237 @@
    53.4 +/****************************************************************
    53.5 + * acm.c
    53.6 + *
    53.7 + * Copyright (C) 2006 IBM Corporation
    53.8 + *
    53.9 + * Authors:
   53.10 + * Reiner Sailer <sailer@watson.ibm.com>
   53.11 + *
   53.12 + * This program is free software; you can redistribute it and/or
   53.13 + * modify it under the terms of the GNU General Public License as
   53.14 + * published by the Free Software Foundation, version 2 of the
   53.15 + * License.
   53.16 + *
   53.17 + * ACM low-level code that allows Python control code to leverage
   53.18 + * the ACM hypercall interface to retrieve real-time information
   53.19 + * from the Xen hypervisor security module.
   53.20 + *
   53.21 + * indent -i4 -kr -nut
   53.22 + */
   53.23 +#include <Python.h>
   53.24 +
   53.25 +#include <stdio.h>
   53.26 +#include <fcntl.h>
   53.27 +#include <sys/mman.h>
   53.28 +#include <sys/types.h>
   53.29 +#include <stdlib.h>
   53.30 +#include <sys/ioctl.h>
   53.31 +#include <netinet/in.h>
   53.32 +#include <xen/acm.h>
   53.33 +#include <xen/acm_ops.h>
   53.34 +#include <xen/linux/privcmd.h>
   53.35 +
   53.36 +#define PERROR(_m, _a...) \
   53.37 +fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,    \
   53.38 +    errno, strerror(errno))
   53.39 +
   53.40 +
   53.41 +
   53.42 +static inline int do_acm_op(int xc_handle, struct acm_op *op)
   53.43 +{
   53.44 +    int ret = -1;
   53.45 +    privcmd_hypercall_t hypercall;
   53.46 +
   53.47 +    op->interface_version = ACM_INTERFACE_VERSION;
   53.48 +
   53.49 +    hypercall.op = __HYPERVISOR_acm_op;
   53.50 +    hypercall.arg[0] = (unsigned long) op;
   53.51 +
   53.52 +    if (mlock(op, sizeof(*op)) != 0) {
   53.53 +        PERROR("Could not lock memory for Xen policy hypercall");
   53.54 +        goto out1;
   53.55 +    }
   53.56 +    ret = ioctl(xc_handle, IOCTL_PRIVCMD_HYPERCALL, &hypercall);
   53.57 +    if (ret < 0) {
   53.58 +        if (errno == EACCES)
   53.59 +            PERROR("ACM operation failed.");
   53.60 +        goto out2;
   53.61 +    }
   53.62 + out2:
   53.63 +    munlock(op, sizeof(*op));
   53.64 + out1:
   53.65 +    return ret;
   53.66 +}
   53.67 +
   53.68 +
   53.69 +
   53.70 +/* generic shared function */
   53.71 +void * __getssid(int domid, uint32_t *buflen)
   53.72 +{
   53.73 +    struct acm_op op;
   53.74 +    int acm_cmd_fd;
   53.75 +    #define SSID_BUFFER_SIZE    4096
   53.76 +    void *buf = NULL;
   53.77 +
   53.78 +    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) < 0) {
   53.79 +        goto out1;
   53.80 +    }
   53.81 +    if ((buf = malloc(SSID_BUFFER_SIZE)) == NULL) {
   53.82 +        PERROR("acm.policytype: Could not allocate ssid buffer!\n");
   53.83 +        goto out2;
   53.84 +    }
   53.85 +    memset(buf, 0, SSID_BUFFER_SIZE);
   53.86 +    op.cmd = ACM_GETSSID;
   53.87 +    op.interface_version = ACM_INTERFACE_VERSION;
   53.88 +    op.u.getssid.ssidbuf = buf;
   53.89 +    op.u.getssid.ssidbuf_size = SSID_BUFFER_SIZE;
   53.90 +    op.u.getssid.get_ssid_by = DOMAINID;
   53.91 +    op.u.getssid.id.domainid = domid;
   53.92 +
   53.93 +    if (do_acm_op(acm_cmd_fd, &op) < 0) {
   53.94 +        free(buf);
   53.95 +        buf = NULL;
   53.96 +        goto out2;
   53.97 +    } else {
   53.98 +        *buflen = SSID_BUFFER_SIZE;
   53.99 +        goto out2;
  53.100 +    }
  53.101 + out2:
  53.102 +    close(acm_cmd_fd);
  53.103 + out1:
  53.104 +    return buf;
  53.105 +}
  53.106 +
  53.107 +
  53.108 +/* retrieve the policytype indirectly by retrieving the
  53.109 + * ssidref for domain 0 (always exists) */
  53.110 +static PyObject *policy(PyObject * self, PyObject * args)
  53.111 +{
  53.112 +    /* out */
  53.113 +    char *policyreference;
  53.114 +    PyObject *ret = NULL;
  53.115 +    void *ssid_buffer;
  53.116 +    uint32_t buf_len;
  53.117 +
  53.118 +    if (!PyArg_ParseTuple(args, "", NULL)) {
  53.119 +    goto out1;
  53.120 +    }
  53.121 +    ssid_buffer =  __getssid(0, &buf_len);
  53.122 +    if (ssid_buffer == NULL) {
  53.123 +        goto out1;
  53.124 +    } else if (buf_len < sizeof(struct acm_ssid_buffer)) {
  53.125 +        goto out2;
  53.126 +    } else {
  53.127 +        struct acm_ssid_buffer *ssid = (struct acm_ssid_buffer *)ssid_buffer;
  53.128 +        policyreference = (char *)(ssid_buffer + ssid->policy_reference_offset
  53.129 +                       + sizeof (struct acm_policy_reference_buffer));
  53.130 +    }
  53.131 +    ret = Py_BuildValue("s", policyreference);
  53.132 + out2:
  53.133 +    free(ssid_buffer);
  53.134 + out1:
  53.135 +    return ret;
  53.136 +}
  53.137 +
  53.138 +
  53.139 +/* retrieve ssid info for a domain domid*/
  53.140 +static PyObject *getssid(PyObject * self, PyObject * args)
  53.141 +{
  53.142 +    /* in */
  53.143 +    uint32_t    domid;
  53.144 +    /* out */
  53.145 +    char *policytype, *policyreference;
  53.146 +    uint32_t    ssidref;
  53.147 +
  53.148 +    void *ssid_buffer;
  53.149 +    uint32_t buf_len;
  53.150 +
  53.151 +    if (!PyArg_ParseTuple(args, "i", &domid)) {
  53.152 +        return NULL;
  53.153 +    }
  53.154 +    ssid_buffer =  __getssid(domid, &buf_len);
  53.155 +    if (ssid_buffer == NULL) {
  53.156 +        return NULL;
  53.157 +    } else if (buf_len < sizeof(struct acm_ssid_buffer)) {
  53.158 +        free(ssid_buffer);
  53.159 +        return NULL;
  53.160 +    } else {
  53.161 +        struct acm_ssid_buffer *ssid = (struct acm_ssid_buffer *) ssid_buffer;
  53.162 +        policytype = ACM_POLICY_NAME(ssid->secondary_policy_code << 4 |
  53.163 +                     ssid->primary_policy_code);
  53.164 +        ssidref = ssid->ssidref;
  53.165 +        policyreference = (char *)(ssid_buffer + ssid->policy_reference_offset
  53.166 +                       + sizeof (struct acm_policy_reference_buffer));
  53.167 +    }
  53.168 +    free(ssid_buffer);
  53.169 +    return Py_BuildValue("{s:s,s:s,s:i}",
  53.170 +             "policyreference",   policyreference,
  53.171 +             "policytype",        policytype,
  53.172 +             "ssidref",           ssidref);
  53.173 +}
  53.174 +
  53.175 +
  53.176 +/* retrieve access decision based on domain ids or ssidrefs */
  53.177 +static PyObject *getdecision(PyObject * self, PyObject * args)
  53.178 +{
  53.179 +    char *arg1_name, *arg1, *arg2_name, *arg2, *decision = NULL;
  53.180 +    struct acm_op op;
  53.181 +    int acm_cmd_fd, ret;
  53.182 +
  53.183 +    if (!PyArg_ParseTuple(args, "ssss", &arg1_name, &arg1, &arg2_name, &arg2)) {
  53.184 +        return NULL;
  53.185 +    }
  53.186 +
  53.187 +    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
  53.188 +        PERROR("Could not open xen privcmd device!\n");
  53.189 +        return NULL;
  53.190 +    }
  53.191 +
  53.192 +    if ((strcmp(arg1_name, "domid") && strcmp(arg1_name, "ssidref")) ||
  53.193 +    (strcmp(arg2_name, "domid") && strcmp(arg2_name, "ssidref")))
  53.194 +        return NULL;
  53.195 +
  53.196 +    op.cmd = ACM_GETDECISION;
  53.197 +    op.interface_version = ACM_INTERFACE_VERSION;
  53.198 +    op.u.getdecision.hook = SHARING;
  53.199 +    if (!strcmp(arg1_name, "domid")) {
  53.200 +        op.u.getdecision.get_decision_by1 = DOMAINID;
  53.201 +        op.u.getdecision.id1.domainid = atoi(arg1);
  53.202 +    } else {
  53.203 +        op.u.getdecision.get_decision_by1 = SSIDREF;
  53.204 +        op.u.getdecision.id1.ssidref = atol(arg1);
  53.205 +    }
  53.206 +    if (!strcmp(arg2_name, "domid")) {
  53.207 +        op.u.getdecision.get_decision_by2 = DOMAINID;
  53.208 +        op.u.getdecision.id2.domainid = atoi(arg2);
  53.209 +    } else {
  53.210 +        op.u.getdecision.get_decision_by2 = SSIDREF;
  53.211 +        op.u.getdecision.id2.ssidref = atol(arg2);
  53.212 +    }
  53.213 +
  53.214 +    ret = do_acm_op(acm_cmd_fd, &op);
  53.215 +    close(acm_cmd_fd);
  53.216 +
  53.217 +    if (op.u.getdecision.acm_decision == ACM_ACCESS_PERMITTED)
  53.218 +        decision = "PERMITTED";
  53.219 +    else if (op.u.getdecision.acm_decision == ACM_ACCESS_DENIED)
  53.220 +        decision = "DENIED";
  53.221 +
  53.222 +    return Py_BuildValue("s", decision);
  53.223 +}
  53.224 +
  53.225 +/*=================General Python Extension Declarations=================*/
  53.226 +
  53.227 +/* methods */
  53.228 +static PyMethodDef acmMethods[] = {
  53.229 +    {"policy", policy, METH_VARARGS, "Retrieve Active ACM Policy Reference Name"},
  53.230 +    {"getssid", getssid, METH_VARARGS, "Retrieve label information and ssidref for a domain"},
  53.231 +    {"getdecision", getdecision, METH_VARARGS, "Retrieve ACM access control decision"},
  53.232 +    /* end of list (extend list above this line) */
  53.233 +    {NULL, NULL, 0, NULL}
  53.234 +};
  53.235 +
  53.236 +/* inits */
  53.237 +PyMODINIT_FUNC initacm(void)
  53.238 +{
  53.239 +    Py_InitModule("acm", acmMethods);
  53.240 +}
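--- a/tools/python/xen/util/diagnose.py
+++ b/tools/python/xen/util/diagnose.py
@@ -11,10 +11,11 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
-# Copyright (c) 2005 XenSource Ltd
+# Copyright (c) 2005-2006 XenSource Inc
 
 
 import re
+import socket
 import sys
 
 from xen.xend import sxp
@@ -45,7 +46,6 @@ def diagnose(dom):
         state = sxp.child_value(domain, 'state')
         domid = int(sxp.child_value(domain, 'domid'))
         name = sxp.child_value(domain, 'name')
-        dompath = '/local/domain/%d' % domid
 
         print "Domain ID is %d." % domid
         print "Domain name is %s." % name
@@ -55,12 +55,23 @@ def diagnose(dom):
 
         if state.find('c') != -1:
             print "Domain has crashed."
+    except socket.error, exn:
+        print "Cannot contact Xend."
 
-        diagnose_console()
-
-        diagnose_devices()
+        try:
+            domid = int(dom)
+            name = dom
+        except ValueError:
+            print \
+"Without Xend, you will have to specify the domain ID, not the domain name."
+            sys.exit(1)
     except xen.xend.XendProtocol.XendError, exn:
         print exn
+        sys.exit(1)
+
+    dompath = '/local/domain/%d' % domid
+    diagnose_console()
+    diagnose_devices()
 
 
 def diagnose_console():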
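Review bot: `dompath` is assigned at 54.45 but nothing in the hunk reads it, and `diagnose_console()` / `diagnose_devices()` are called with no arguments; if those helpers look up `dompath` as a module global, this assignment only binds a local of `diagnose` unless the function declares `global dompath`, so either pass it explicitly, `diagnose_console(dompath)`, or drop the line. The `exn` bound by `except socket.error, exn:` at 54.28 is never used, so `except socket.error:` says the same. In the no-Xend branch `state` is never bound; the visible code after the `try` does not read it, but a short comment there, `# state is unavailable without Xend`, would stop a later reader from assuming it is. `diagnose` starts outside the hunk.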
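--- /dev/null
+++ b/tools/python/xen/util/security.py
@@ -0,0 +1,504 @@
+#===========================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer
+#============================================================================
+
+import commands
+import logging
+import sys, os, string, re
+import traceback
+import shutil
+from xen.lowlevel import acm
+from xen.xend import sxp
+
+#global directories and tools for security management
+policy_dir_prefix = "/etc/xen/acm-security/policies"
+boot_filename = "/boot/grub/menu.lst"
+xensec_xml2bin = "/usr/sbin/xensec_xml2bin"
+xensec_tool = "/usr/sbin/xensec_tool"
+
+#global patterns for map file
+#police_reference_tagname = "POLICYREFERENCENAME"
+primary_entry_re = re.compile("\s*PRIMARY\s+.*", re.IGNORECASE)
+secondary_entry_re = re.compile("\s*SECONDARY\s+.*", re.IGNORECASE)
+label_template_re =  re.compile(".*security_label_template.xml", re.IGNORECASE)
+mapping_filename_re = re.compile(".*\.map", re.IGNORECASE)
+policy_reference_entry_re = re.compile("\s*POLICYREFERENCENAME\s+.*", re.IGNORECASE)
+vm_label_re = re.compile("\s*LABEL->SSID\s+VM\s+.*", re.IGNORECASE)
+res_label_re = re.compile("\s*LABEL->SSID\s+RES\s+.*", re.IGNORECASE)
+all_label_re = re.compile("\s*LABEL->SSID\s+.*", re.IGNORECASE)
+access_control_re = re.compile("\s*access_control\s*=", re.IGNORECASE)
+
+#global patterns for boot configuration file
+xen_title_re = re.compile("\s*title\s+XEN", re.IGNORECASE)
+any_title_re = re.compile("\s*title\s", re.IGNORECASE)
+xen_kernel_re = re.compile("\s*kernel.*xen.*\.gz", re.IGNORECASE)
+kernel_ver_re = re.compile("\s*module.*vmlinuz", re.IGNORECASE)
+any_module_re = re.compile("\s*module\s", re.IGNORECASE)
+empty_line_re = re.compile("^\s*$")
+binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
+policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
+
+
+
+log = logging.getLogger("xend.util.security")
+
+# Our own exception definition. It is masked (pass) if raised and
+# whoever raises this exception must provide error information.
+class ACMError(Exception):
+    def __init__(self,value):
+        self.value = value
+    def __str__(self):
+        return repr(self.value)
+
+
+
+def err(msg):
+    """Raise ACM exception.
+    """
+    sys.stderr.write("ACMError: " + msg + "\n")
+    raise ACMError(msg)
+
+
+
+active_policy = None
+
+
+def refresh_security_policy():
+    """
+    retrieves security policy
+    """
+    global active_policy
+
+    try:
+        active_policy = acm.policy()
+    except:
+        active_policy = "INACTIVE"
+
+# now set active_policy
+refresh_security_policy()
+
+def on():
+    """
+    returns none if security policy is off (not compiled),
+    any string otherwise, use it: if not security.on() ...
+    """
+    refresh_security_policy()
+    return (active_policy not in ['INACTIVE', 'NULL'])
+
+
+
+# Assumes a 'security' info  [security access_control ...] [ssidref ...]
+def get_security_info(info, field):
+    """retrieves security field from self.info['security'])
+    allowed search fields: ssidref, label, policy
+    """
+    if isinstance(info, dict):
+        security = info['security']
+    elif isinstance(info, list):
+        security = sxp.child_value(info, 'security', )
+    if not security:
+        if field == 'ssidref':
+            #return default ssid
+            return 0
+        else:
+            err("Security information not found in info struct.")
+
+    if field == 'ssidref':
+        search = 'ssidref'
+    elif field in ['policy', 'label']:
+            search = 'access_control'
+    else:
+        err("Illegal field in get_security_info.")
+
+    for idx in range(0, len(security)):
+        if search != security[idx][0]:
+            continue
+        if search == 'ssidref':
+            return int(security[idx][1])
+        else:
+            for aidx in range(0, len(security[idx])):
+                if security[idx][aidx][0] == field:
+                    return str(security[idx][aidx][1])
+
+    if search == 'ssidref':
+        return 0
+    else:
+        return None
+
+
+
+def get_security_printlabel(info):
+    """retrieves printable security label from self.info['security']),
+    preferably the label name and otherwise (if label is not specified
+    in config and cannot be found in mapping file) a hex string of the
+    ssidref or none if both not available
+    """
+    try:
+        if not on():
+            return "INACTIVE"
+        if active_policy in ["DEFAULT"]:
+            return "DEFAULT"
+
+        printlabel = get_security_info(info, 'label')
+        if printlabel:
+            return printlabel
+        ssidref = get_security_info(info, 'ssidref')
+        if not ssidref:
+            return None
+        #try to translate ssidref to a label
+        result = ssidref2label(ssidref)
+        if not result:
+            printlabel = "0x%08x" % ssidref
+        else:
+            printlabel = result
+        return printlabel
+    except ACMError:
+        #don't throw an exception in xm list
+        return "ERROR"
+
+
+
+def getmapfile(policyname):
+    """
+    in: if policyname is None then the currently
+    active hypervisor policy is used
+    out: 1. primary policy, 2. secondary policy,
+    3. open file descriptor for mapping file, and
+    4. True if policy file is available, False otherwise
+    """
+    if not policyname:
+        policyname = active_policy
+    map_file_ok = False
+    primary = None
+    secondary = None
+    #strip last part of policy as file name part
+    policy_dir_list = string.split(policyname, ".")
+    policy_file = policy_dir_list.pop()
+    if len(policy_dir_list) > 0:
+        policy_dir = string.join(policy_dir_list, "/") + "/"
+    else:
+        policy_dir = ""
+
+    map_filename = policy_dir_prefix + "/" + policy_dir + policy_file + ".map"
+    # check if it is there, if not check if policy file is there
+    if not os.path.isfile(map_filename):
+        policy_filename =  policy_dir_prefix + "/" + policy_dir + policy_file + "-security_policy.xml"
+        if not os.path.isfile(policy_filename):
+            err("Policy file \'" + policy_filename + "\' not found.")
+        else:
+            err("Mapping file \'" + map_filename + "\' not found." +
+                " Use xm makepolicy to create it.")
+
+    f = open(map_filename)
+    for line in f:
+        if policy_reference_entry_re.match(line):
+            l = line.split()
+            if (len(l) == 2) and (l[1] == policyname):
+                map_file_ok = True
+        elif primary_entry_re.match(line):
+            l = line.split()
+            if len(l) == 2:
+                primary = l[1]
+        elif secondary_entry_re.match(line):
+            l = line.split()
+            if len(l) == 2:
+                secondary = l[1]
+    f.close()
+    f = open(map_filename)
+    if map_file_ok and primary and secondary:
+        return (primary, secondary, f, True)
+    else:
+        err("Mapping file inconsistencies found. Try makepolicy to create a new one.")
+
+
+
+def ssidref2label(ssidref_var):
+    """
+    returns labelname corresponding to ssidref;
+    maps current policy to default directory
+    to find mapping file
+    """
+    #1. translated permitted input formats
+    if isinstance(ssidref_var, str):
+        ssidref_var.strip()
+        if ssidref_var[0:2] == "0x":
+            ssidref = int(ssidref_var[2:], 16)
+        else:
+            ssidref = int(ssidref_var)
+    elif isinstance(ssidref_var, int):
+        ssidref = ssidref_var
+    else:
+        err("Instance type of ssidref not supported (must be of type 'str' or 'int')")
+
+    (primary, secondary, f, pol_exists) = getmapfile(None)
+    if not f:
+        if (pol_exists):
+            err("Mapping file for policy \'" + policyname + "\' not found.\n" +
+                "Please use makepolicy command to create mapping file!")
+        else:
+            err("Policy file for \'" + active_policy + "\' not found.")
+
+    #2. get labelnames for both ssidref parts
+    pri_ssid = ssidref & 0xffff
+    sec_ssid = ssidref >> 16
+    pri_labels = []
+    sec_labels = []
+    labels = []
+
+    for line in f:
+        l = line.split()
+        if (len(l) < 5) or (l[0] != "LABEL->SSID"):
+            continue
+        if primary and (l[2] == primary) and (int(l[4], 16) == pri_ssid):
+            pri_labels.append(l[3])
+        if secondary and (l[2] == secondary) and (int(l[4], 16) == sec_ssid):
+            sec_labels.append(l[3])
+    f.close()
+
+    #3. get the label that is in both lists (combination must be a single label)
+    if secondary == "NULL":
+        labels = pri_labels
+    else:
+        for i in pri_labels:
+            for j in sec_labels:
+                if (i==j):
+                    labels.append(i)
+    if len(labels) != 1:
+        err("Label for ssidref \'" +  str(ssidref) +
+            "\' unknown or not unique in policy \'" + active_policy + "\'")
+
+    return labels[0]
+
+
+
+def label2ssidref(labelname, policyname):
+    """
+    returns ssidref corresponding to labelname;
+    maps current policy to default directory
+    to find mapping file    """
+
+    if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
+        err("Cannot translate labels for \'" + policyname + "\' policy.")
+
+    (primary, secondary, f, pol_exists) = getmapfile(policyname)
+
+    #2. get labelnames for ssidref parts and find a common label
+    pri_ssid = []
+    sec_ssid = []
+    for line in f:
+        l = line.split()
+        if (len(l) < 5) or (l[0] != "LABEL->SSID"):
+            continue
+        if primary and (l[2] == primary) and (l[3] == labelname):
+            pri_ssid.append(int(l[4], 16))
+        if secondary and (l[2] == secondary) and (l[3] == labelname):
+            sec_ssid.append(int(l[4], 16))
+    f.close()
+
+    #3. sanity check and composition of ssidref
+    if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != "NULL")):
+        err("Label \'" + labelname + "\' not found.")
+    elif (len(pri_ssid) > 1) or (len(sec_ssid) > 1):
+        err("Label \'" + labelname + "\' not unique in policy (policy error)")
+    if secondary == "NULL":
+        return pri_ssid[0]
+    else:
+        return (sec_ssid[0] << 16) | pri_ssid[0]
+
+
+
+def refresh_ssidref(config):
+    """
+    looks up ssidref from security field
+    and refreshes the value if label exists
+    """
+    #called by dom0, policy could have changed after xen.utils.security was initialized
+    refresh_security_policy()
+
+    security = None
+    if isinstance(config, dict):
+        security = config['security']
+    elif isinstance(config, list):
+        security = sxp.child_value(config, 'security',)
+    else:
+        err("Instance type of config parameter not supported.")
+    if not security:
+        #nothing to do (no security label attached)
+        return config
+
+    policyname = None
+    labelname = None
+    # compose new security field
+    for idx in range(0, len(security)):
+        if security[idx][0] == 'ssidref':
+            security.pop(idx)
+            break
+        elif security[idx][0] == 'access_control':
+            for jdx in [1, 2]:
+                if security[idx][jdx][0] == 'label':
+                    labelname = security[idx][jdx][1]
+                elif security[idx][jdx][0] == 'policy':
+                    policyname = security[idx][jdx][1]
+                else:
+                    err("Illegal field in access_control")
+    #verify policy is correct
+    if active_policy != policyname:
+        err("Policy \'" + policyname + "\' in label does not match active policy \'"
+            + active_policy +"\'!")
+
+    new_ssidref = label2ssidref(labelname, policyname)
+    if not new_ssidref:
+        err("SSIDREF refresh failed!")
+
+    security.append([ 'ssidref',str(new_ssidref)])
+    security = ['security', security ]
+
+    for idx in range(0,len(config)):
+        if config[idx][0] == 'security':
+            config.pop(idx)
+            break
+        config.append(security)
+
+
+
+def get_ssid(domain):
+    """
+    enables domains to retrieve the label / ssidref of a running domain
+    """
+    if not on():
+        err("No policy active.")
+
+    if isinstance(domain, str):
+        domain_int = int(domain)
+    elif isinstance(domain, int):
+        domain_int = domain
+    else:
+        err("Illegal parameter type.")
+    try:
+        ssid_info = acm.getssid(int(domain_int))
+    except:
+        err("Cannot determine security information.")
+
+    if active_policy in ["DEFAULT"]:
+        label = "DEFAULT"
+    else:
+        label = ssidref2label(ssid_info["ssidref"])
+    return(ssid_info["policyreference"],
+           label,
+           ssid_info["policytype"],
+           ssid_info["ssidref"])
+
+
+
+def get_decision(arg1, arg2):
+    """
+    enables domains to retrieve access control decisions from
+    the hypervisor Access Control Module.
+    IN: args format = ['domid', id] or ['ssidref', ssidref]
+    or ['access_control', ['policy', policy], ['label', label]]
+    """
+
+    if not on():
+        err("No policy active.")
+
+    #translate labels before calling low-level function
+    if arg1[0] == 'access_control':
+        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') :
+            err("Argument type not supported.")
+        ssidref = label2ssidref(arg1[2][1], arg1[1][1])
+        arg1 = ['ssidref', str(ssidref)]
+    if arg2[0] == 'access_control':
+        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') :
+            err("Argument type not supported.")
+        ssidref = label2ssidref(arg2[2][1], arg2[1][1])
+        arg2 = ['ssidref', str(ssidref)]
+    try:
+        decision = acm.getdecision(arg1[0], arg1[1], arg2[0], arg2[1])
+    except:
+        err("Cannot determine decision.")
+
+    if decision:
+        return decision
+    else:
+        err("Cannot determine decision (Invalid parameter).")
+
+
+
+def make_policy(policy_name):
+    policy_file = string.join(string.split(policy_name, "."), "/")
+    if not os.path.isfile(policy_dir_prefix + "/" + policy_file + "-security_policy.xml"):
+        err("Unknown policy \'" + policy_name + "\'")
+
+    (ret, output) = commands.getstatusoutput(xensec_xml2bin + " -d " + policy_dir_prefix + " " + policy_file)
+    if ret:
+        err("Creating policy failed:\n" + output)
+
+
+
+def load_policy(policy_name):
+    global active_policy
+    policy_file = policy_dir_prefix + "/" + string.join(string.split(policy_name, "."), "/")
+    if not os.path.isfile(policy_file + ".bin"):
+        if os.path.isfile(policy_file + "-security_policy.xml"):
+            err("Binary file does not exist." +
+                "Please use makepolicy to build the policy binary.")
+        else:
+            err("Unknown Policy " + policy_name)
+
+    #require this policy to be the first or the same as installed
+    if active_policy not in ['DEFAULT', policy_name]:
+        err("Active policy \'" + active_policy +
+            "\' incompatible with new policy \'" + policy_name + "\'")
+    (ret, output) = commands.getstatusoutput(xensec_tool + " loadpolicy " + policy_file + ".bin")
+    if ret:
+        err("Loading policy failed:\n" + output)
+    else:
+        # refresh active policy
+        refresh_security_policy()
+
+
+
+def dump_policy():
+    if active_policy in ['NULL', 'INACTIVE']:
+        err("\'" + active_policy + "\' policy. Nothing to dump.")
+
+    (ret, output) = commands.getstatusoutput(xensec_tool + " getpolicy")
+    if ret:
+       err("Dumping hypervisor policy failed:\n" + output)
+    print output
+
+
+
+def list_labels(policy_name, condition):
+    if (not policy_name) and (active_policy) in ["NULL", "INACTIVE", "DEFAULT"]:
+        err("Current policy \'" + active_policy + "\' has no labels defined.\n")
+
+    (primary, secondary, f, pol_exists) = getmapfile(policy_name)
+    if not f:
+        if pol_exists:
+            err("Cannot find mapfile for policy \'" + policy_name +
+                "\'.\nPlease use makepolicy to create mapping file.")
+        else:
+            err("Unknown policy \'" + policy_name + "\'")
+
+    labels = []
+    for line in f:
+        if condition.match(line):
+            label = line.split()[3]
+            if label not in labels:
+                labels.append(label)
+    return labels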
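Review bot: `make_policy` (55.449) and `load_policy` (55.469) hand `policy_name`-derived text to `commands.getstatusoutput`, which runs the string through a shell, so a name containing whitespace or shell metacharacters is re-split by the shell; the preceding `os.path.isfile` checks narrow but do not remove this, because they only require that the composed path exists. Run the tools with an argument list (`subprocess`, stdlib since Python 2.4, which needs an `import subprocess` next to the existing `import commands`) as sketched below for `make_policy`, use the same shape with `[xensec_tool, "loadpolicy", policy_file + ".bin"]` in `load_policy`, and reject a `policy_name` that does not match a conservative pattern such as `^[A-Za-z0-9_.-]+$` before composing any path or command. Separately, `config.append(security)` at 55.377 is indented inside the `for` loop, so it appends on every non-matching iteration and mutates the list being iterated; dedent it to run once after the loop. `ssidref2label` at 55.253 references `policyname`, which is not bound in that function (a NameError would pre-empt the intended ACMError), and `ssidref_var.strip()` at 55.240 discards its result.
```python
# … unchanged: policy_file composition and isfile check in make_policy …
    proc = subprocess.Popen([xensec_xml2bin, "-d", policy_dir_prefix, policy_file],
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    output = proc.communicate()[0]
    if proc.returncode:
        err("Creating policy failed:\n" + output)
```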
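--- a/tools/python/xen/xend/XendCheckpoint.py
+++ b/tools/python/xen/xend/XendCheckpoint.py
@@ -21,7 +21,8 @@ import xen.lowlevel.xc
 import balloon
 from XendError import XendError
 from XendLogging import log
-
+from XendDomainInfo import DEV_MIGRATE_STEP1, DEV_MIGRATE_STEP2
+from XendDomainInfo import DEV_MIGRATE_STEP3
 
 SIGNATURE = "LinuxGuestRecord"
 XC_SAVE = "xc_save"
@@ -65,7 +66,7 @@ def save(fd, dominfo, live, dst):
     dominfo.setName('migrating-' + domain_name)
 
     try:
-        dominfo.migrateDevices(live, dst, 1, domain_name)
+        dominfo.migrateDevices(live, dst, DEV_MIGRATE_STEP1, domain_name)
 
         write_exact(fd, pack("!i", len(config)),
                     "could not write guest state file: config len")
@@ -87,9 +88,11 @@ def save(fd, dominfo, live, dst):
                 log.debug("Suspending %d ...", dominfo.getDomid())
                 dominfo.shutdown('suspend')
                 dominfo.waitForShutdown()
-                dominfo.migrateDevices(live, dst, 2, domain_name)
+                dominfo.migrateDevices(live, dst, DEV_MIGRATE_STEP2,
+                                       domain_name)
                 log.info("Domain %d suspended.", dominfo.getDomid())
-                dominfo.migrateDevices(live, dst, 3, domain_name)
+                dominfo.migrateDevices(live, dst, DEV_MIGRATE_STEP3,
+                                       domain_name)
                 tochild.write("done\n")
                 tochild.flush()
                 log.debug('Written done')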
    57.1 --- a/tools/python/xen/xend/XendDomain.py	Tue Apr 25 22:55:22 2006 -0600
    57.2 +++ b/tools/python/xen/xend/XendDomain.py	Tue Apr 25 23:35:55 2006 -0600
    57.3 @@ -38,6 +38,7 @@ from xen.xend.XendError import XendError
    57.4  from xen.xend.XendLogging import log
    57.5  from xen.xend.xenstore.xstransact import xstransact
    57.6  from xen.xend.xenstore.xswatch import xswatch
    57.7 +from xen.util import security
    57.8  
    57.9  
   57.10  xc = xen.lowlevel.xc.xc()
   57.11 @@ -265,7 +266,7 @@ class XendDomain:
   57.12              # handling in the relocation-socket handling code (relocate.py) is
   57.13              # poor, so we need to log this for debugging.
   57.14              log.exception("Restore failed")
   57.15 -            raise
   57.16 +            raise XendError("Restore failed")
   57.17  
   57.18  
   57.19      def restore_(self, config):
   57.20 @@ -283,6 +284,7 @@ class XendDomain:
   57.21          """
   57.22          self.domains_lock.acquire()
   57.23          try:
   57.24 +            security.refresh_ssidref(config)
   57.25              dominfo = XendDomainInfo.restore(config)
   57.26              self._add_domain(dominfo)
   57.27              return dominfo
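Review bot: `raise XendError("Restore failed")` replaces the bare re-raise with a message that drops the underlying exception's text, so a client on the relocation socket only learns that restore failed, not why (the log still has the detail through log.exception). If the handler binds the exception — its `except` line is above the hunk — `raise XendError("Restore failed: %s" % str(exn))` keeps the detail for the caller. In restore_, `security.refresh_ssidref(config)` now runs inside domains_lock; the `finally` that releases the lock is outside the hunk, so it is worth confirming that an error raised there still releases it.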
    58.1 --- a/tools/python/xen/xend/XendDomainInfo.py	Tue Apr 25 22:55:22 2006 -0600
    58.2 +++ b/tools/python/xen/xend/XendDomainInfo.py	Tue Apr 25 23:35:55 2006 -0600
    58.3 @@ -33,7 +33,7 @@ import threading
    58.4  import xen.lowlevel.xc
    58.5  from xen.util import asserts
    58.6  from xen.util.blkif import blkdev_uname_to_file
    58.7 -
    58.8 +from xen.util import security
    58.9  import balloon
   58.10  import image
   58.11  import sxp
   58.12 @@ -87,6 +87,12 @@ SHUTDOWN_TIMEOUT = 30.0
   58.13  
   58.14  ZOMBIE_PREFIX = 'Zombie-'
   58.15  
   58.16 +"""Constants for the different stages of ext. device migration """
   58.17 +DEV_MIGRATE_TEST  = 0
   58.18 +DEV_MIGRATE_STEP1 = 1
   58.19 +DEV_MIGRATE_STEP2 = 2
   58.20 +DEV_MIGRATE_STEP3 = 3
   58.21 +
   58.22  """Minimum time between domain restarts in seconds."""
   58.23  MINIMUM_RESTART_TIME = 20
   58.24  
   58.25 @@ -120,7 +126,6 @@ VM_CONFIG_PARAMS = [
   58.26  # file, so those are handled separately.
   58.27  ROUNDTRIPPING_CONFIG_ENTRIES = [
   58.28      ('uuid',       str),
   58.29 -    ('ssidref',    int),
   58.30      ('vcpus',      int),
   58.31      ('vcpu_avail', int),
   58.32      ('cpu_weight', float),
   58.33 @@ -138,7 +143,6 @@ ROUNDTRIPPING_CONFIG_ENTRIES += VM_CONFI
   58.34  #
   58.35  VM_STORE_ENTRIES = [
   58.36      ('uuid',       str),
   58.37 -    ('ssidref',    int),
   58.38      ('vcpus',      int),
   58.39      ('vcpu_avail', int),
   58.40      ('memory',     int),
   58.41 @@ -291,6 +295,9 @@ def parseConfig(config):
   58.42      result['cpu']   = get_cfg('cpu',  int)
   58.43      result['cpus']  = get_cfg('cpus', str)
   58.44      result['image'] = get_cfg('image')
   58.45 +    tmp_security = get_cfg('security')
   58.46 +    if tmp_security:
   58.47 +        result['security'] = tmp_security
   58.48  
   58.49      try:
   58.50          if result['image']:
   58.51 @@ -437,7 +444,7 @@ class XendDomainInfo:
   58.52          self.validateInfo()
   58.53  
   58.54          self.image = None
   58.55 -
   58.56 +        self.security = None
   58.57          self.store_port = None
   58.58          self.store_mfn = None
   58.59          self.console_port = None
   58.60 @@ -515,6 +522,7 @@ class XendDomainInfo:
   58.61          else:
   58.62              entries = VM_STORE_ENTRIES
   58.63          entries.append(('image', str))
   58.64 +        entries.append(('security', str))
   58.65  
   58.66          map(lambda x, y: useIfNeeded(x[0], y), entries,
   58.67              self.readVMDetails(entries))
   58.68 @@ -538,7 +546,6 @@ class XendDomainInfo:
   58.69  
   58.70          try:
   58.71              defaultInfo('name',         lambda: "Domain-%d" % self.domid)
   58.72 -            defaultInfo('ssidref',      lambda: 0)
   58.73              defaultInfo('on_poweroff',  lambda: "destroy")
   58.74              defaultInfo('on_reboot',    lambda: "restart")
   58.75              defaultInfo('on_crash',     lambda: "restart")
   58.76 @@ -565,12 +572,16 @@ class XendDomainInfo:
   58.77              defaultInfo('backend',      lambda: [])
   58.78              defaultInfo('device',       lambda: [])
   58.79              defaultInfo('image',        lambda: None)
   58.80 +            defaultInfo('security',     lambda: None)
   58.81  
   58.82              self.check_name(self.info['name'])
   58.83  
   58.84              if isinstance(self.info['image'], str):
   58.85                  self.info['image'] = sxp.from_string(self.info['image'])
   58.86  
   58.87 +            if isinstance(self.info['security'], str):
   58.88 +                self.info['security'] = sxp.from_string(self.info['security'])
   58.89 +
   58.90              if self.info['memory'] == 0:
   58.91                  if self.infoIsSet('mem_kb'):
   58.92                      self.info['memory'] = (self.info['mem_kb'] + 1023) / 1024
   58.93 @@ -668,6 +679,20 @@ class XendDomainInfo:
   58.94          if self.infoIsSet('image'):
   58.95              to_store['image'] = sxp.to_string(self.info['image'])
   58.96  
   58.97 +        if self.infoIsSet('security'):
   58.98 +            security = self.info['security']
   58.99 +            to_store['security'] = sxp.to_string(security)
  58.100 +            for idx in range(0, len(security)):
  58.101 +                if security[idx][0] == 'access_control':
  58.102 +                    to_store['security/access_control'] = sxp.to_string([ security[idx][1] , security[idx][2] ])
  58.103 +                    for aidx in range(1, len(security[idx])):
  58.104 +                        if security[idx][aidx][0] == 'label':
  58.105 +                            to_store['security/access_control/label'] = security[idx][aidx][1]
  58.106 +                        if security[idx][aidx][0] == 'policy':
  58.107 +                            to_store['security/access_control/policy'] = security[idx][aidx][1]
  58.108 +                if security[idx][0] == 'ssidref':
  58.109 +                    to_store['security/ssidref'] = str(security[idx][1])
  58.110 +
  58.111          log.debug("Storing VM details: %s", to_store)
  58.112  
  58.113          self.writeVm(to_store)
  58.114 @@ -760,9 +785,8 @@ class XendDomainInfo:
  58.115          self.storeVm('vcpu_avail', self.info['vcpu_avail'])
  58.116          self.writeDom(self.vcpuDomDetails())
  58.117  
  58.118 -
  58.119 -    def getSsidref(self):
  58.120 -        return self.info['ssidref']
  58.121 +    def getLabel(self):
  58.122 +        return security.get_security_info(self.info, 'label')
  58.123  
  58.124      def getMemoryTarget(self):
  58.125          """Get this domain's target memory size, in KB."""
  58.126 @@ -954,12 +978,21 @@ class XendDomainInfo:
  58.127          """
  58.128  
  58.129          log.trace("XendDomainInfo.update(%s) on domain %d", info, self.domid)
  58.130 -
  58.131          if not info:
  58.132              info = dom_get(self.domid)
  58.133              if not info:
  58.134                  return
  58.135              
  58.136 +        #manually update ssidref / security fields
  58.137 +        if security.on() and info.has_key('ssidref'):
  58.138 +            if (info['ssidref'] != 0) and self.info.has_key('security'):
  58.139 +                security_field = self.info['security']
  58.140 +                if not security_field:
  58.141 +                    #create new security element
  58.142 +                    self.info.update({'security': [['ssidref', str(info['ssidref'])]]})
  58.143 +            #ssidref field not used any longer
  58.144 +        info.pop('ssidref')
  58.145 +
  58.146          self.info.update(info)
  58.147          self.validateInfo()
  58.148          self.refreshShutdown(info)
  58.149 @@ -996,7 +1029,6 @@ class XendDomainInfo:
  58.150          s += " id=" + str(self.domid)
  58.151          s += " name=" + self.info['name']
  58.152          s += " memory=" + str(self.info['memory'])
  58.153 -        s += " ssidref=" + str(self.info['ssidref'])
  58.154          s += ">"
  58.155          return s
  58.156  
  58.157 @@ -1058,6 +1090,9 @@ class XendDomainInfo:
  58.158          if self.infoIsSet('image'):
  58.159              sxpr.append(['image', self.info['image']])
  58.160  
  58.161 +        if self.infoIsSet('security'):
  58.162 +            sxpr.append(['security', self.info['security']])
  58.163 +
  58.164          for cls in controllerClasses:
  58.165              for config in self.getDeviceConfigurations(cls):
  58.166                  sxpr.append(['device', config])
  58.167 @@ -1159,12 +1194,11 @@ class XendDomainInfo:
  58.168          @raise: VmError on error
  58.169          """
  58.170  
  58.171 -        log.debug('XendDomainInfo.construct: %s %s',
  58.172 -                  self.domid,
  58.173 -                  self.info['ssidref'])
  58.174 +        log.debug('XendDomainInfo.construct: %s',
  58.175 +                  self.domid)
  58.176  
  58.177          self.domid = xc.domain_create(
  58.178 -            dom = 0, ssidref = self.info['ssidref'],
  58.179 +            dom = 0, ssidref = security.get_security_info(self.info, 'ssidref'),
  58.180              handle = uuid.fromString(self.info['uuid']))
  58.181  
  58.182          if self.domid < 0:
  58.183 @@ -1402,7 +1436,7 @@ class XendDomainInfo:
  58.184          @raise: XendError for a device that cannot be migrated
  58.185          """
  58.186          for (n, c) in self.info['device']:
  58.187 -            rc = self.migrateDevice(n, c, live, dst, 0)
  58.188 +            rc = self.migrateDevice(n, c, live, dst, DEV_MIGRATE_TEST)
  58.189              if rc != 0:
  58.190                  raise XendError("Device of type '%s' refuses migration." % n)
  58.191  
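Review bot: `info.pop('ssidref')` in update() sits outside the `if security.on() and info.has_key('ssidref')` guard, so any `info` dict without an 'ssidref' key raises KeyError before `self.info.update(info)` runs; `info.pop('ssidref', None)` keeps the intent without the crash. In storeVmDetails the new local `security = self.info['security']` shadows the `xen.util.security` module imported at the top of this file for the rest of that method, and `sxp.to_string([ security[idx][1] , security[idx][2] ])` raises IndexError for an access_control element that carries only one of label/policy — iterating the element's children, as the inner `for aidx` loop already does, avoids both. The bodies of update() and storeVmDetails continue outside their hunks.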
    59.1 --- a/tools/python/xen/xend/server/tpmif.py	Tue Apr 25 22:55:22 2006 -0600
    59.2 +++ b/tools/python/xen/xend/server/tpmif.py	Tue Apr 25 23:35:55 2006 -0600
    59.3 @@ -25,6 +25,7 @@ from xen.xend import sxp
    59.4  from xen.xend.XendLogging import log
    59.5  from xen.xend.XendError import XendError
    59.6  from xen.xend import XendRoot
    59.7 +from xen.xend.XendDomainInfo import DEV_MIGRATE_TEST
    59.8  
    59.9  from xen.xend.server.DevController import DevController
   59.10  
   59.11 @@ -78,7 +79,7 @@ class TPMifController(DevController):
   59.12                  log.info("Request to live-migrate device to %s. step=%d.",
   59.13                           dst, step)
   59.14  
   59.15 -                if step == 0:
   59.16 +                if step == DEV_MIGRATE_TEST:
   59.17                      """Assuming for now that everything is ok and migration
   59.18                         with the given tool can proceed.
   59.19                      """
   59.20 @@ -90,8 +91,8 @@ class TPMifController(DevController):
   59.21                      for line in fd.readlines():
   59.22                          mo = re.search('Error', line)
   59.23                          if mo:
   59.24 -                            raise XendError("vtpm: Fatal error in migration step %d." %
   59.25 -                                            step)
   59.26 +                            raise XendError("vtpm: Fatal error in migration step %d: %s" %
   59.27 +                                            (step, line))
   59.28                      return 0
   59.29              else:
   59.30                  log.debug("External migration tool not in configuration.")
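Review bot: `line` in the new XendError message comes from `fd.readlines()` and still carries its trailing newline, so the message is split across two lines wherever it is logged or shown; `(step, line.rstrip())` fixes it. The module-level `from xen.xend.XendDomainInfo import DEV_MIGRATE_TEST` makes tpmif.py depend on XendDomainInfo at import time; if XendDomainInfo in turn imports the server controllers (it iterates a `controllerClasses` list), this is a circular import and should be confirmed. The enclosing migrate method starts and ends outside the hunk.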
    60.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    60.2 +++ b/tools/python/xen/xm/addlabel.py	Tue Apr 25 23:35:55 2006 -0600
    60.3 @@ -0,0 +1,76 @@
    60.4 +#============================================================================
    60.5 +# This library is free software; you can redistribute it and/or
    60.6 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
    60.7 +# License as published by the Free Software Foundation.
    60.8 +#
    60.9 +# This library is distributed in the hope that it will be useful,
   60.10 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
   60.11 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   60.12 +# Lesser General Public License for more details.
   60.13 +#
   60.14 +# You should have received a copy of the GNU Lesser General Public
   60.15 +# License along with this library; if not, write to the Free Software
   60.16 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   60.17 +#============================================================================
   60.18 +# Copyright (C) 2006 International Business Machines Corp.
   60.19 +# Author: Reiner Sailer <sailer@us.ibm.com>
   60.20 +#============================================================================
   60.21 +
   60.22 +"""Labeling a domain configuration file.
   60.23 +"""
   60.24 +import sys, os
   60.25 +import traceback
   60.26 +
   60.27 +
   60.28 +from xen.util.security import ACMError, err, active_policy, label2ssidref, on, access_control_re
   60.29 +
   60.30 +
   60.31 +def usage():
   60.32 +    print "\nUsage: xm addlabel <configfile> <label> [<policy>]\n"
   60.33 +    print "  This program adds an acm_label entry into the 'configfile'."
   60.34 +    print "  It derives the policy from the running hypervisor if it"
   60.35 +    print "  is not given (optional parameter). If the configfile is"
   60.36 +    print "  already labeled, then addlabel fails.\n"
   60.37 +    err("Usage")
   60.38 +
   60.39 +
   60.40 +def main(argv):
   60.41 +    try:
   60.42 +        policyref = None
   60.43 +        if len(argv) not in [3,4]:
   60.44 +            usage()
   60.45 +        configfile = argv[1]
   60.46 +        label = argv[2]
   60.47 +
   60.48 +        if len(argv) == 4:
   60.49 +            policyref = argv[3]
   60.50 +        elif on():
   60.51 +            policyref = active_policy
   60.52 +        else:
   60.53 +            err("No active policy. Policy must be specified in command line.")
   60.54 +
   60.55 +        #sanity checks: make sure this label can be instantiated later on
   60.56 +        ssidref = label2ssidref(label, policyref)
   60.57 +
   60.58 +        new_label = "access_control = ['policy=%s,label=%s']\n" % (policyref, label)
   60.59 +        if not os.path.isfile(configfile):
   60.60 +            err("Configuration file \'" + configfile + "\' not found.")
   60.61 +        config_fd = open(configfile, "ra+")
   60.62 +        for line in config_fd:
   60.63 +            if not access_control_re.match(line):
   60.64 +                continue
   60.65 +            config_fd.close()
   60.66 +            err("Config file \'" + configfile + "\' is already labeled.")
   60.67 +        config_fd.write(new_label)
   60.68 +        config_fd.close()
   60.69 +
   60.70 +    except ACMError:
   60.71 +        pass
   60.72 +    except:
   60.73 +        traceback.print_exc(limit=1)
   60.74 +
   60.75 +
   60.76 +if __name__ == '__main__':
   60.77 +    main(sys.argv)
   60.78 +
   60.79 +
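Review bot: `open(configfile, "ra+")` is not a valid mode string ('r' with an ignored 'a'), and writing `new_label` after iterating the file with `for line in config_fd` leaves the write position wherever the iterator's read-ahead buffer put it, so the label may not land at the end of the file, and a file whose last line has no newline gets the label glued onto it. Scanning in read mode, closing, and then reopening in append mode is the reliable form; the rewrite below keeps err() as the exit path, which appears to raise ACMError given the `except ACMError: pass` in main(). The label and policyref are also written unescaped into a line that xm create later evaluates, so checking them against a name pattern (the security module exports `policy_name_re`) before building `new_label` keeps a stray quote or comma from corrupting the config file.
```python
        if not os.path.isfile(configfile):
            err("Configuration file \'" + configfile + "\' not found.")
        # scan first, in read-only mode, then append in a separate open
        config_fd = open(configfile, "r")
        try:
            contents = config_fd.read()
        finally:
            config_fd.close()
        for line in contents.splitlines():
            if access_control_re.match(line):
                err("Config file \'" + configfile + "\' is already labeled.")
        config_fd = open(configfile, "a")
        try:
            # keep the new entry on its own line
            if contents and not contents.endswith("\n"):
                config_fd.write("\n")
            config_fd.write(new_label)
        finally:
            config_fd.close()
```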
    61.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    61.2 +++ b/tools/python/xen/xm/cfgbootpolicy.py	Tue Apr 25 23:35:55 2006 -0600
    61.3 @@ -0,0 +1,188 @@
    61.4 +#============================================================================
    61.5 +# This library is free software; you can redistribute it and/or
    61.6 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
    61.7 +# License as published by the Free Software Foundation.
    61.8 +#
    61.9 +# This library is distributed in the hope that it will be useful,
   61.10 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
   61.11 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   61.12 +# Lesser General Public License for more details.
   61.13 +#
   61.14 +# You should have received a copy of the GNU Lesser General Public
   61.15 +# License along with this library; if not, write to the Free Software
   61.16 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   61.17 +#============================================================================
   61.18 +# Copyright (C) 2006 International Business Machines Corp.
   61.19 +# Author: Reiner Sailer <sailer@us.ibm.com>
   61.20 +#============================================================================
   61.21 +"""Configuring a security policy into the boot configuration
   61.22 +"""
   61.23 +
   61.24 +import sys
   61.25 +import traceback
   61.26 +import tempfile
   61.27 +import os, stat
   61.28 +import re
   61.29 +import commands
   61.30 +import shutil
   61.31 +import string
   61.32 +from xen.util.security import ACMError, err
   61.33 +from xen.util.security import policy_dir_prefix, boot_filename, xen_title_re
   61.34 +from xen.util.security import any_title_re, xen_kernel_re, kernel_ver_re, any_module_re
   61.35 +from xen.util.security import empty_line_re, binary_name_re, policy_name_re
   61.36 +
   61.37 +
   61.38 +def usage():
   61.39 +    print "\nUsage: xm cfgbootpolicy <policy> [<kernelversion>]\n"
   61.40 +    print "  Adds a 'module' line to the Xen grub.conf entry"
   61.41 +    print "  so that xen boots into a specific access control"
   61.42 +    print "  policy. If kernelversion is not given, then this"
   61.43 +    print "  script tries to determine it by looking for a grub"
   61.44 +    print "  entry with a line kernel xen.* If there are multiple"
   61.45 +    print "  Xen entries, then it must be called with an explicit"
   61.46 +    print "  version (it will fail otherwise).\n"
   61.47 +    err("Usage")
   61.48 +
   61.49 +
   61.50 +
   61.51 +def determine_kernelversion(user_specified):
   61.52 +    within_xen_title = 0
   61.53 +    within_xen_entry = 0
   61.54 +    version_list = []
   61.55 +    guess_version = None
   61.56 +
   61.57 +    grub_fd = open(boot_filename)
   61.58 +    for line in grub_fd:
   61.59 +        if xen_title_re.match(line):
   61.60 +            within_xen_title = 1
   61.61 +        elif within_xen_title and xen_kernel_re.match(line):
   61.62 +            within_xen_entry = 1
   61.63 +        elif within_xen_title and within_xen_entry and kernel_ver_re.match(line):
   61.64 +            for i in line.split():
   61.65 +                if (i.find("vmlinuz-") >= 0):
   61.66 +                    # skip start until "vmlinuz-"
   61.67 +                    guess_version = i[i.find("vmlinuz-") + len("vmlinuz-"):]
   61.68 +                    if user_specified:
   61.69 +                        if (guess_version == user_specified):
   61.70 +                            version_list.append(guess_version)
   61.71 +                    else:
   61.72 +                        version_list.append(guess_version)
   61.73 +        elif len(line.split()) > 0:
   61.74 +            if line.split()[0] == "title":
   61.75 +                within_xen_title = 0
   61.76 +                within_xen_entry = 0
   61.77 +    if len(version_list) > 1:
   61.78 +        err("Cannot decide between entries for kernels: " + version_list)
   61.79 +    elif len(version_list) == 0:
   61.80 +        err("Cannot find a boot entry candidate (please create a Xen boot entry first).")
   61.81 +    else:
   61.82 +        return version_list[0]
   61.83 +
   61.84 +
   61.85 +
   61.86 +def insert_policy(boot_file, kernel_version, policy_name):
   61.87 +    """
   61.88 +    inserts policy binary file as last line of the grub entry
   61.89 +    matching the kernel_version version
   61.90 +    """
   61.91 +    within_xen_title = 0
   61.92 +    within_xen_entry = 0
   61.93 +    insert_at_end_of_entry = 0
   61.94 +    path_prefix = ''
   61.95 +    done = False
   61.96 +    (tmp_fd, tmp_grub) = tempfile.mkstemp()
   61.97 +    #follow symlink since menue.lst might be linked to grub.conf
   61.98 +    if stat.S_ISLNK(os.lstat(boot_file)[stat.ST_MODE]):
   61.99 +        new_name = os.readlink(boot_file)
  61.100 +        if new_name[0] == "/":
  61.101 +            boot_file = new_name
  61.102 +        else:
  61.103 +            path = boot_file.split('/')
  61.104 +            path[len(path)-1] = new_name
  61.105 +            boot_file = '/'.join(path)
  61.106 +        if not os.path.exists(boot_file):
  61.107 +            err("Boot file \'" + boot_file + "\' not found.")
  61.108 +    grub_fd = open(boot_file)
  61.109 +    for line in grub_fd:
  61.110 +        if xen_title_re.match(line):
  61.111 +            within_xen_title = 1
  61.112 +        elif within_xen_title and xen_kernel_re.match(line):
  61.113 +            within_xen_entry = 1
  61.114 +        elif within_xen_title and within_xen_entry and kernel_ver_re.match(line):
  61.115 +            for i in line.split():
  61.116 +                if (i.find("vmlinuz-") >= 0):
  61.117 +                    if  kernel_version == i[i.find("vmlinuz-") + len("vmlinuz-"):]:
  61.118 +                        insert_at_end_of_entry = 1
  61.119 +                        path_prefix = i[0:i.find("vmlinuz-")]
  61.120 +        elif any_module_re.match(line) and insert_at_end_of_entry:
  61.121 +            if binary_name_re.match(line):
  61.122 +                #delete existing policy module line
  61.123 +                line=''
  61.124 +        elif any_title_re.match(line):
  61.125 +            within_xen_title = 0
  61.126 +            within_xen_entry = 0
  61.127 +
  61.128 +        if (empty_line_re.match(line) or any_title_re.match(line)) and insert_at_end_of_entry:
  61.129 +            #newline or new title: we insert the policy module line here
  61.130 +            os.write(tmp_fd, "\tmodule " + path_prefix + policy_name + ".bin\n")
  61.131 +            insert_at_end_of_entry = 0
  61.132 +        #write the line that was read (except potential existing policy entry)
  61.133 +        os.write(tmp_fd, line)
  61.134 +
  61.135 +    if insert_at_end_of_entry:
  61.136 +        #last entry, no empty line at end of file
  61.137 +        os.write(tmp_fd, "\tmodule " + path_prefix + policy_name + ".bin\n")
  61.138 +
  61.139 +    #temp file might be destroyed when closing it, first copy ...
  61.140 +    shutil.move(boot_file, boot_file+"_save")
  61.141 +    shutil.copyfile(tmp_grub, boot_file)
  61.142 +    os.close(tmp_fd)
  61.143 +    #temp file did not disappear on my system ...
  61.144 +    try:
  61.145 +        os.remove(tmp_grub)
  61.146 +    except:
  61.147 +        pass
  61.148 +
  61.149 +
  61.150 +
  61.151 +def main(argv):
  61.152 +    try:
  61.153 +        user_kver = None
  61.154 +        policy = None
  61.155 +        if len(argv) == 2:
  61.156 +            policy = argv[1]
  61.157 +        elif len(argv) == 3:
  61.158 +            policy = argv[1]
  61.159 +            user_kver = argv[2]
  61.160 +        else:
  61.161 +            usage()
  61.162 +
  61.163 +        if not policy_name_re.match(policy):
  61.164 +            err("Illegal policy name \'" + policy + "\'")
  61.165 +
  61.166 +        policy_file = policy_dir_prefix + "/" + string.join(string.split(policy, "."), "/")
  61.167 +        src_binary_policy_file = policy_file + ".bin"
  61.168 +        #check if .bin exists or if policy file exists
  61.169 +        if not os.path.isfile(src_binary_policy_file):
  61.170 +            if not os.path.isfile(policy_file + "-security_policy.xml"):
  61.171 +                err("Unknown policy \'" + policy +"\'")
  61.172 +            else:
  61.173 +                err("Cannot find binary file for policy \'" + policy +
  61.174 +                    "\'. Please use makepolicy to create binary file.")
  61.175 +        dst_binary_policy_file = "/boot/" + policy + ".bin"
  61.176 +        shutil.copyfile(src_binary_policy_file, dst_binary_policy_file)
  61.177 +
  61.178 +        kernel_version = determine_kernelversion(user_kver)
  61.179 +        insert_policy(boot_filename, kernel_version, policy)
  61.180 +        print "Boot entry created and \'%s\' copied to /boot" % (policy + ".bin")
  61.181 +
  61.182 +    except ACMError:
  61.183 +        pass
  61.184 +    except:
  61.185 +        traceback.print_exc(limit=1)
  61.186 +
  61.187 +
  61.188 +
  61.189 +if __name__ == '__main__':
  61.190 +    main(sys.argv)
  61.191 +
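Review bot: insert_policy replaces the boot configuration non-atomically: `shutil.move(boot_file, boot_file+"_save")` runs before `shutil.copyfile(tmp_grub, boot_file)`, so a failure in the copy leaves the system without a grub.conf, and copyfile creates the new file with umask-default permissions rather than the original's (a grub.conf kept at 0600 becomes world-readable). Creating the temp file next to the target, copying the mode, and swapping it in with os.rename() fixes both; `grub_fd` is also never closed in insert_policy or determine_kernelversion. In determine_kernelversion, `"Cannot decide between entries for kernels: " + version_list` concatenates a str with a list and raises TypeError instead of reporting the candidates; use `", ".join(version_list)`. The fence shows the rewritten replacement sequence in insert_policy.
```python
    # … unchanged: symlink resolution of boot_file …
    # same directory as the target so the final os.rename() is atomic
    # (assumes boot_filename is an absolute path — confirm in xen.util.security)
    (tmp_fd, tmp_grub) = tempfile.mkstemp(dir=os.path.dirname(boot_file))
    grub_fd = open(boot_file)
    # … unchanged: per-line scan and os.write() calls …
    grub_fd.close()
    os.close(tmp_fd)
    # keep the original's permission bits, take a backup, then swap in
    shutil.copymode(boot_file, tmp_grub)
    shutil.copyfile(boot_file, boot_file + "_save")
    os.rename(tmp_grub, boot_file)
```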
    62.1 --- a/tools/python/xen/xm/create.py	Tue Apr 25 22:55:22 2006 -0600
    62.2 +++ b/tools/python/xen/xm/create.py	Tue Apr 25 23:35:55 2006 -0600
    62.3 @@ -35,6 +35,7 @@ import xen.xend.XendClient
    62.4  from xen.xend.XendClient import server
    62.5  from xen.xend.XendBootloader import bootloader
    62.6  from xen.util import blkif
    62.7 +from xen.util import security
    62.8  
    62.9  from xen.xm.opts import *
   62.10  
   62.11 @@ -145,10 +146,6 @@ gopts.var('memory', val='MEMORY',
   62.12            fn=set_int, default=128,
   62.13            use="Domain memory in MB.")
   62.14  
   62.15 -gopts.var('ssidref', val='SSIDREF',
   62.16 -          fn=set_u32, default=0, 
   62.17 -          use="Security Identifier.")
   62.18 -
   62.19  gopts.var('maxmem', val='MEMORY',
   62.20            fn=set_int, default=None,
   62.21            use="Maximum domain memory in MB.")
   62.22 @@ -293,6 +290,14 @@ gopts.var('vtpm', val="instance=INSTANCE
   62.23            number can be found in /etc/xen/vtpm.db. Use the backend in the
   62.24            given domain.""")
   62.25  
   62.26 +gopts.var('access_control', val="policy=POLICY,label=LABEL",
   62.27 +          fn=append_value, default=[],
   62.28 +          use="""Add a security label and the security policy reference that defines it.
   62.29 +          The local ssid reference is calculated when starting/resuming the domain. At
   62.30 +          this time, the policy is checked against the active policy as well. This way,
   62.31 +          migrating through save/restore is covered and local labels are automatically
   62.32 +          created correctly on the system where a domain is started / resumed.""")
   62.33 +
   62.34  gopts.var('nics', val="NUM",
   62.35            fn=set_int, default=-1,
   62.36            use="""DEPRECATED.  Use empty vif entries instead.
   62.37 @@ -502,6 +507,43 @@ def configure_usb(config_devs, vals):
   62.38          config_usb = ['usb', ['path', path]]
   62.39          config_devs.append(['device', config_usb])
   62.40  
   62.41 +
   62.42 +def configure_security(config, vals):
   62.43 +    """Create the config for ACM security labels.
   62.44 +    """
   62.45 +    access_control = vals.access_control
   62.46 +    num = len(access_control)
   62.47 +    if num == 1:
   62.48 +        d = access_control[0]
   62.49 +        policy = d.get('policy')
   62.50 +        label = d.get('label')
   62.51 +        if policy != security.active_policy:
   62.52 +            err("Security policy (" + policy + ") incompatible with enforced policy ("
   62.53 +                + security.active_policy + ")." )
   62.54 +        config_access_control = ['access_control',
   62.55 +                                 ['policy', policy],
   62.56 +                                 ['label', label] ]
   62.57 +
   62.58 +        #ssidref cannot be specified together with access_control
   62.59 +        if sxp.child_value(config, 'ssidref'):
   62.60 +            err("ERROR: SSIDREF and access_control are mutually exclusive but both specified!")
   62.61 +        #else calculate ssidre from label
   62.62 +        ssidref = security.label2ssidref(label, policy)
   62.63 +        if not ssidref :
   62.64 +            err("ERROR calculating ssidref from access_control.")
   62.65 +        security_label = ['security', [ config_access_control, ['ssidref' , ssidref ] ] ]
   62.66 +        config.append(security_label)
   62.67 +    elif num == 0:
   62.68 +        if hasattr(vals, 'ssidref'):
   62.69 +            if not security.on():
   62.70 +                err("ERROR: Security ssidref specified but no policy active.")
   62.71 +            ssidref = getattr(vals, 'ssidref')
   62.72 +            security_label = ['security', [ [ 'ssidref' , int(ssidref) ] ] ]
   62.73 +            config.append(security_label)
   62.74 +    elif num > 1:
   62.75 +        err("VM config error: Multiple access_control definitions!")
   62.76 +
   62.77 +
   62.78  def configure_vtpm(config_devs, vals):
   62.79      """Create the config for virtual TPM interfaces.
   62.80      """
   62.81 @@ -595,9 +637,9 @@ def make_config(vals):
   62.82              if v:
   62.83                  config.append([n, v])
   62.84  
   62.85 -    map(add_conf, ['name', 'memory', 'ssidref', 'maxmem', 'restart',
   62.86 -                   'on_poweroff', 'on_reboot', 'on_crash', 'vcpus'])
   62.87 -    
   62.88 +    map(add_conf, ['name', 'memory', 'maxmem', 'restart', 'on_poweroff',
   62.89 +                   'on_reboot', 'on_crash', 'vcpus'])
   62.90 +
   62.91      if vals.uuid is not None:
   62.92          config.append(['uuid', vals.uuid])
   62.93      if vals.cpu is not None:
   62.94 @@ -628,6 +670,7 @@ def make_config(vals):
   62.95      configure_vifs(config_devs, vals)
   62.96      configure_usb(config_devs, vals)
   62.97      configure_vtpm(config_devs, vals)
   62.98 +    configure_security(config, vals)
   62.99      config += config_devs
  62.100  
  62.101      return config
  62.102 @@ -696,6 +739,29 @@ def preprocess_vtpm(vals):
  62.103          vtpms.append(d)
  62.104      vals.vtpm = vtpms
  62.105  
  62.106 +def preprocess_access_control(vals):
  62.107 +    if not vals.access_control:
  62.108 +        return
  62.109 +    access_controls = []
  62.110 +    num = len(vals.access_control)
  62.111 +    if num == 1:
  62.112 +        access_control = (vals.access_control)[0]
  62.113 +        d = {}
  62.114 +        a = access_control.split(',')
  62.115 +        if len(a) > 2:
  62.116 +            err('Too many elements in access_control specifier: ' + access_control)
  62.117 +        for b in a:
  62.118 +            (k, v) = b.strip().split('=', 1)
  62.119 +            k = k.strip()
  62.120 +            v = v.strip()
  62.121 +            if k not in ['policy','label']:
  62.122 +                err('Invalid access_control specifier: ' + access_control)
  62.123 +            d[k] = v
  62.124 +        access_controls.append(d)
  62.125 +        vals.access_control = access_controls
  62.126 +    elif num > 1:
  62.127 +        err('Multiple access_control definitions.')
  62.128 +
  62.129  def preprocess_ip(vals):
  62.130      if vals.ip or vals.dhcp != 'off':
  62.131          dummy_nfs_server = '1.2.3.4'
  62.132 @@ -785,6 +851,7 @@ def preprocess(vals):
  62.133      preprocess_nfs(vals)
  62.134      preprocess_vnc(vals)
  62.135      preprocess_vtpm(vals)
  62.136 +    preprocess_access_control(vals)
  62.137  
  62.138  
  62.139  def comma_sep_kv_to_dict(c):
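Review bot: In preprocess_access_control, `(k, v) = b.strip().split('=', 1)` raises ValueError for a specifier without an '=' instead of going through the err() path used for the other validation failures; `if '=' not in b: err('Invalid access_control specifier: ' + access_control)` before the split keeps the error handling uniform. In configure_security, `policy` and `label` come from `d.get()` and are None when only one key was given, and `security.active_policy` may be None when no policy is active, so the `"..." + policy + "..."` message construction itself raises TypeError; add `if policy is None or label is None: err("access_control needs both policy= and label=")` and check `security.on()` before the comparison. The `hasattr(vals, 'ssidref')` branch looks unreachable now that the 'ssidref' option is removed from gopts above, unless a config file can still set it — worth confirming or deleting.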
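--- /dev/null
+++ b/tools/python/xen/xm/dumppolicy.py
@@ -0,0 +1,49 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer <sailer@us.ibm.com>
+#============================================================================
+"""Display currently enforced policy (low-level hypervisor representation).
+"""
+import sys
+import traceback
+import os
+import commands
+import shutil
+import string
+from xen.util.security import ACMError, err, dump_policy
+
+
+def usage():
+    print "\nUsage: xm dumppolicy\n"
+    print " Retrieve and print currently enforced"
+    print " hypervisor policy information (low-level).\n"
+    err("Usage")
+
+
+def main(argv):
+    try:
+        dump_policy()
+
+    except ACMError:
+        pass
+    except:
+        traceback.print_exc(limit=1)
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
+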
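Review bot: main() never looks at argv, so `usage()` is dead code and `xm dumppolicy <anything>` is silently accepted; add `if len(argv) != 1: usage()` before `dump_policy()`. The bare `except:` below it also catches SystemExit and KeyboardInterrupt, so if err() or dump_policy() terminate via sys.exit the exit is turned into a one-frame traceback and a zero status; `except Exception:` keeps the diagnostic while letting exits propagate. The same bare except, and the unused imports of os, commands, shutil and string, recur in labels.py, loadpolicy.py and makepolicy.py in this changeset.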
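--- /dev/null
+++ b/tools/python/xen/xm/labels.py
@@ -0,0 +1,85 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer <sailer@us.ibm.com>
+#============================================================================
+
+"""Listing available labels for a policy.
+"""
+import sys
+import traceback
+import os
+import commands
+import shutil
+import string
+from xen.util.security import ACMError, err, list_labels, active_policy
+from xen.util.security import vm_label_re, res_label_re, all_label_re
+
+def usage():
+    print "\nUsage: xm labels [<policy>] [<type=dom|res|any>]\n"
+    print " Prints labels of the specified type (default is dom)"
+    print " that are defined in policy (default is current"
+    print " hypervisor policy).\n"
+    err("Usage")
+
+
+def main(argv):
+    try:
+        policy = None
+        type = None
+        for i in argv[1:]:
+            i_s = string.split(i, '=')
+            if len(i_s) > 1:
+                if (i_s[0] == 'type') and (len(i_s) == 2):
+                    if not type:
+                        type = i_s[1]
+                    else:
+                        usage()
+                else:
+                    usage()
+            else:
+                if not policy:
+                    policy = i
+                else:
+                    usage()
+
+        if not policy:
+            policy = active_policy
+            if active_policy in ['NULL', 'INACTIVE', 'DEFAULT']:
+                err("No policy active. Please specify the <policy> parameter.")
+
+        if not type or (type in ['DOM', 'dom']):
+            condition = vm_label_re
+        elif type in ['RES', 'res']:
+            condition = res_label_re
+        elif type in ['ANY', 'any']:
+            condition = all_label_re
+        else:
+            err("Unknown label type \'" + type + "\'")
+
+        labels = list_labels(policy, condition)
+        labels.sort()
+        for label in labels:
+            print label
+    except ACMError:
+        pass
+    except:
+        traceback.print_exc(limit=1)
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
+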
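Review bot: In main(), the final `else` of the type check calls `err(...)` and then falls through to `list_labels(policy, condition)` with `condition` never assigned; that is only safe if err() raises (presumably ACMError), and a plain return would surface as a NameError swallowed by the bare except, so an explicit `return` after the err() call makes the flow independent of that contract. The local `type` shadows the builtin; `label_type` would avoid the confusion. Note also that `type=` with an empty value leaves `type` falsy and is silently treated as `dom` rather than rejected by usage().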
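--- /dev/null
+++ b/tools/python/xen/xm/loadpolicy.py
@@ -0,0 +1,51 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer <sailer@us.ibm.com>
+#============================================================================
+
+"""Loading a compiled binary policy into the hypervisor.
+"""
+import sys
+import traceback
+import os
+import commands
+import shutil
+import string
+from xen.util.security import ACMError, err, load_policy
+
+
+def usage():
+    print "\nUsage: xm loadpolicy <policy>\n"
+    print " Load the compiled binary (.bin) policy"
+    print " into the running hypervisor.\n"
+    err("Usage")
+
+def main(argv):
+    try:
+        if len(argv) != 2:
+            usage()
+        load_policy(argv[1])
+    except ACMError:
+        pass
+    except:
+        traceback.print_exc(limit=1)
+
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
+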
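Review bot: `load_policy(argv[1])` is reached right after `usage()` whenever the argument count is wrong, so correctness depends on err() raising rather than returning; an explicit `return` after `usage()` makes the control flow independent of that contract, and with `len(argv) < 2` a returning err() would otherwise end in an IndexError hidden by the bare except. The policy name is taken straight from the command line and, per example.txt in this changeset, resolved to a file under /etc/xen/acm-security/policies; if load_policy builds that path by joining the name, it should reject names containing path separators or `..` before touching the filesystem — worth confirming in xen.util.security. makepolicy.py has the identical shape.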
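--- a/tools/python/xen/xm/main.py
+++ b/tools/python/xen/xm/main.py
@@ -40,6 +40,7 @@ from xen.xm.opts import *
 import console
 import xen.xend.XendClient
 from xen.xend.XendClient import server
+from xen.util import security
 
 # getopt.gnu_getopt is better, but only exists in Python 2.3+.  Use
 # getopt.getopt if gnu_getopt is not available.  This will mean that options
@@ -55,6 +56,8 @@ create_help =  """create [-c] <ConfigFil
 destroy_help = "destroy <DomId>                  Terminate a domain immediately"
 help_help =    "help                             Display this message"
 list_help =    "list [--long] [DomId, ...]       List information about domains"
+list_label_help = "list [--label] [DomId, ...]      List information about domains including their labels"
+
 mem_max_help = "mem-max <DomId> <Mem>            Set maximum memory reservation for a domain"
 mem_set_help = "mem-set <DomId> <Mem>            Adjust the current memory usage for a domain"
 migrate_help = "migrate <DomId> <Host>           Migrate a domain to another machine"
@@ -114,6 +117,12 @@ vnet_list_help = "vnet-list [-l|--long] 
 vnet_create_help = "vnet-create <config>             create a vnet from a config file"
 vnet_delete_help = "vnet-delete <vnetid>             delete a vnet"
 vtpm_list_help = "vtpm-list <DomId> [--long]       list virtual TPM devices"
+addlabel_help =  "addlabel <ConfigFile> <label>    Add security label to ConfigFile"
+cfgbootpolicy_help = "cfgbootpolicy <policy>           Add policy to boot configuration "
+dumppolicy_help = "dumppolicy                       Print hypervisor ACM state information"
+loadpolicy_help = "loadpolicy <policy>              Load binary policy into hypervisor"
+makepolicy_help = "makepolicy <policy>              Build policy and create .bin/.map files"
+labels_help     = "labels [policy] [type=DOM|..]    List <type> labels for (active) policy."
 
 short_command_list = [
     "console",
@@ -140,6 +149,7 @@ domain_commands = [
     "domid",
     "domname",
     "list",
+    "list_label",
     "mem-max",
     "mem-set",
     "migrate",
@@ -185,8 +195,17 @@ vnet_commands = [
     "vnet-delete",
     ]
 
+acm_commands = [
+    "labels",
+    "addlabel",
+    "makepolicy",
+    "loadpolicy",
+    "cfgbootpolicy",
+    "dumppolicy"
+    ]
+
 all_commands = (domain_commands + host_commands + scheduler_commands +
-                device_commands + vnet_commands)
+                device_commands + vnet_commands + acm_commands)
 
 
 def commandToHelp(cmd):
@@ -225,6 +244,9 @@ xm full list of subcommands:
   Vnet commands:
    """ + help_spacer.join(map(commandToHelp,  vnet_commands)) + """
 
+  Access Control commands:
+   """ + help_spacer.join(map(commandToHelp,  acm_commands)) + """
+
 <DomName> can be substituted for <DomId> in xm subcommands.
 
 For a short list of subcommands run 'xm help'
@@ -332,8 +354,9 @@ def getDomains(domain_names):
 def xm_list(args):
     use_long = 0
     show_vcpus = 0
+    show_labels = 0
     try:
-        (options, params) = getopt.gnu_getopt(args, 'lv', ['long','vcpus'])
+        (options, params) = getopt.gnu_getopt(args, 'lv', ['long','vcpus','label'])
     except getopt.GetoptError, opterr:
         err(opterr)
         sys.exit(1)
@@ -343,6 +366,8 @@ def xm_list(args):
             use_long = 1
         if k in ['-v', '--vcpus']:
             show_vcpus = 1
+        if k in ['--label']:
+            show_labels = 1
 
     if show_vcpus:
         print >>sys.stderr, (
@@ -354,6 +379,8 @@ def xm_list(args):
 
     if use_long:
         map(PrettyPrint.prettyprint, doms)
+    elif show_labels:
+        xm_label_list(doms)
     else:
         xm_brief_list(doms)
 
@@ -369,7 +396,7 @@ def parse_doms_info(info):
         'vcpus'    : get_info('online_vcpus', int,   0),
         'state'    : get_info('state',        str,   '??'),
         'cpu_time' : get_info('cpu_time',     float, 0),
-        'ssidref'  : get_info('ssidref',      int,   0),
+        'seclabel' : security.get_security_printlabel(info),
         }
 
 
@@ -391,13 +418,29 @@ def xm_brief_list(doms):
     print 'Name                              ID Mem(MiB) VCPUs State  Time(s)'
     for dom in doms:
         d = parse_doms_info(dom)
-        if (d['ssidref'] != 0):
-            d['ssidstr'] = (" s:%04x/p:%04x" % 
-                            ((d['ssidref'] >> 16) & 0xffff,
-                              d['ssidref']        & 0xffff))
+        print ("%(name)-32s %(dom)3d %(mem)8d %(vcpus)5d %(state)5s %(cpu_time)7.1f" % d)
+
+
+def xm_label_list(doms):
+    output = []
+    print 'Name                              ID Mem(MiB) VCPUs State  Time(s)  Label'
+    for dom in doms:
+        d = parse_doms_info(dom)
+        l = "%(name)-32s %(dom)3d %(mem)8d %(vcpus)5d %(state)5s %(cpu_time)7.1f  " % d
+        if security.active_policy not in ['INACTIVE', 'NULL', 'DEFAULT']:
+            if d['seclabel']:
+                line = (l, d['seclabel'])
+            else:
+                line = (l, "ERROR")
+        elif security.active_policy in ['DEFAULT']:
+            line = (l, "DEFAULT")
         else:
-            d['ssidstr'] = ""
-        print ("%(name)-32s %(dom)3d %(mem)8d %(vcpus)5d %(state)5s %(cpu_time)7.1f%(ssidstr)s" % d)
+            line = (l, "INACTIVE")
+        output.append(line)
+    #sort by labels
+    output.sort(lambda x,y: cmp( x[1].lower(), y[1].lower()))
+    for l in output:
+        print l[0] + l[1]
 
 
 def xm_vcpu_list(args):
@@ -1010,7 +1053,13 @@ subcommands = [
     'create',
     'migrate',
     'sysrq',
-    'shutdown'
+    'shutdown',
+    'labels',
+    'addlabel',
+    'cfgbootpolicy',
+    'makepolicy',
+    'loadpolicy',
+    'dumppolicy'
     ]
 
 for c in subcommands: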
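Review bot: In xm_label_list, a domain for which `security.get_security_printlabel(info)` returns a falsy value is printed with the bare string "ERROR" and no reason, and the final `else` prints "INACTIVE" for both the 'INACTIVE' and 'NULL' policies, so an operator cannot distinguish a failed label lookup from an unlabelled domain, nor a null policy from a disabled one; printing the actual policy name in the fallback, `line = (l, security.active_policy)`, and writing the lookup failure to stderr in the ERROR branch would keep the listing honest. `security.active_policy` is also read as a module attribute; if it is computed once at import rather than queried per call, the column can go stale within a long-lived process after `xm loadpolicy` — worth confirming in xen.util.security. Separately, "list_label" is added to domain_commands (help index) but not to the subcommands dispatch list at the bottom, which looks intentional since the help text documents it as `list [--label]`; a short comment next to the entry would save the next reader the same check.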
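--- /dev/null
+++ b/tools/python/xen/xm/makepolicy.py
@@ -0,0 +1,53 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer <sailer@us.ibm.com>
+#============================================================================
+"""Compiling a XML source policy file into mapping and binary versions.
+"""
+import sys
+import traceback
+import os
+import commands
+import shutil
+import string
+from xen.util.security import ACMError, err, make_policy
+
+
+def usage():
+    print "\nUsage: xm makepolicy <policy>\n"
+    print " Translate an XML source policy and create"
+    print " mapping file and binary policy.\n"
+    err("Usage")
+
+
+
+def main(argv):
+    try:
+        if len(argv) != 2:
+            usage()
+        make_policy(argv[1])
+
+    except ACMError:
+        pass
+    except:
+        traceback.print_exc(limit=1)
+
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
+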
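--- a/tools/security/Makefile
+++ b/tools/security/Makefile
@@ -30,28 +30,23 @@ SRCS_TOOL     = secpol_tool.c
 OBJS_TOOL    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
 SRCS_XML2BIN  = secpol_xml2bin.c secpol_xml2bin.h
 OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
-SRCS_GETD     = get_decision.c
-OBJS_GETD    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
 
 ACM_INST_TOOLS    = xensec_tool xensec_xml2bin xensec_gen
-ACM_NOINST_TOOLS  = get_decision
 ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS       = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+ACM_SCRIPTS       = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision
 
 ACM_CONFIG_DIR    = /etc/xen/acm-security
 ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
 ACM_SCRIPT_DIR    = $(ACM_CONFIG_DIR)/scripts
 
 ACM_INST_HTML     = python/xensec_gen/index.html
-ACM_INST_CGI      = python/xensec_gen/cgi-bin/policy.cgi \
-                    python/xensec_gen/cgi-bin/policylabel.cgi
+ACM_INST_CGI      = python/xensec_gen/cgi-bin/policy.cgi
 ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen
 ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
 
 ACM_SCHEMA        = security_policy.xsd
-ACM_EXAMPLES      = null chwall ste chwall_ste
+ACM_EXAMPLES      = chwall ste chwall_ste
 ACM_POLICY_SUFFIX = security_policy.xml
-ACM_LABEL_SUFFIX  = security_label_template.xml
 
 ifeq ($(ACM_SECURITY),y)
 .PHONY: all
@@ -64,10 +59,10 @@ install: all $(ACM_CONFIG_FILE)
 	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
 	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
 	$(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example
 	for i in $(ACM_EXAMPLES); do \
-		$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
-		$(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
-		$(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+		$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
+		$(INSTALL_DATA) -p policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
 	done
 	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
 	$(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
@@ -99,9 +94,6 @@ xensec_tool: $(OBJS_TOOL)
 xensec_xml2bin: $(OBJS_XML2BIN)
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
 
-get_decision: $(OBJS_GETD)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-
 xensec_gen: xensec_gen.py
 	cp -f $^ $@
 
@@ -116,8 +108,4 @@ clean:
 .PHONY: mrproper
 mrproper: clean
 
-.PHONY: boot_install
-boot_install: install
-	$(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
-
 -include $(PROG_DEPS)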
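Review bot: `ACM_OBJS` still expands `$(OBJS_GETD)` although `SRCS_GETD` and `OBJS_GETD` are deleted in the same hunk; the stale reference expands to nothing, so the build is unaffected, but it should be dropped together with its definition: `ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN)`. The install rule now lays the example policies out under `$(ACM_POLICY_DIR)/example/$$i/client_v1-$(ACM_POLICY_SUFFIX)`; the Python tools that resolve a policy name to that directory must agree on the new `example/` prefix, which cannot be checked from this file alone.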
    69.1 --- a/tools/security/example.txt	Tue Apr 25 22:55:22 2006 -0600
    69.2 +++ b/tools/security/example.txt	Tue Apr 25 23:35:55 2006 -0600
    69.3 @@ -3,119 +3,79 @@
    69.4  #
    69.5  # Author:
    69.6  # Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
    69.7 +#               04/07/2006 update to using labels instead of ssidref
    69.8  #
    69.9  #
   69.10  # This file introduces into the tools to manage policies
   69.11  # and to label domains and resources.
   69.12  ##
   69.13  
   69.14 -We will show how to install and use the example chwall_ste policy.
   69.15 -Other policies work similarly. Feedback welcome!
   69.16 +We will show how to install and use the example one of the client_v1
   69.17 +policies. Other policies work similarly. Feedback welcome!
   69.18  
   69.19  
   69.20  
   69.21 -1. Using xensec_xml2bin to translate the chwall_ste policy:
   69.22 -===========================================================
   69.23 -
   69.24 -#xensec_xml2bin chwall_ste
   69.25 -
   69.26 -Successful execution should print:
   69.27 +1. Using xm tools to translate example.chwall_ste.client_v1 policy:
   69.28 +===================================================================
   69.29  
   69.30 -    [root@laptopxn security]# xensec_xml2bin chwall_ste
   69.31 -    Validating label file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_label_template.xml...
   69.32 -    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
   69.33 -    Validating policy file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_policy.xml...
   69.34 -    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
   69.35 -    Creating ssid mappings ...
   69.36 -    Creating label mappings ...
   69.37 -    Max chwall labels:  7
   69.38 -    Max chwall-types:   4
   69.39 -    Max chwall-ssids:   5
   69.40 -    Max ste labels:     14
   69.41 -    Max ste-types:      6
   69.42 -    Max ste-ssids:      10
   69.43 +#xm makepolicy example.chwall_ste.client_v1
   69.44  
   69.45  By default, the tool looks in directory /etc/xen/acm-security/policies
   69.46 -for a directory that matches the policy name (i.e. chwall_ste) to find
   69.47 -the label and policy files.
   69.48 -The '-d' option can be used to override the /etc/xen/acm-security/policies
   69.49 -directory, for example if running the tool in the Xen security tool build
   69.50 -directory.
   69.51 +for a directory that matches the policy name
   69.52 +(here:example/chwall_ste/client_v1-security_policy.xml) to find the
   69.53 +policy files.  The '-d' option can be used to override the default
   69.54 +/etc/xen/acm-security/policies policy-root directory.
   69.55  
   69.56  The default policy directory structure under /etc/xen/acm-security (and
   69.57  the Xen security tool build directory - tools/security) looks like:
   69.58  
   69.59  policies
   69.60  |-- security_policy.xsd
   69.61 -|-- chwall
   69.62 -|   |-- chwall-security_label_template.xml
   69.63 -|   `-- chwall-security_policy.xml
   69.64 -|-- chwall_ste
   69.65 -|   |-- chwall_ste-security_label_template.xml
   69.66 -|   `-- chwall_ste-security_policy.xml
   69.67 -|-- null
   69.68 -|   |-- null-security_label_template.xml
   69.69 -|   `-- null-security_policy.xml
   69.70 -`-- ste
   69.71 -    |-- ste-security_label_template.xml
   69.72 -    `-- ste-security_policy.xml
   69.73 +|-- example
   69.74 +    |-- chwall
   69.75 +    |   |-- client_v1-security_policy.xml
   69.76 +    |
   69.77 +    |-- chwall_ste
   69.78 +    |   |-- client_v1-security_policy.xml
   69.79 +    |
   69.80 +    |-- ste
   69.81 +        |-- client_v1-security_policy.xml
   69.82  
   69.83 -The security_policy.xsd file contains the schema against which both the
   69.84 -label-template and the policy files must validate during translation.
   69.85 -
   69.86 -The files ending in -security_policy.xml define the policies and the
   69.87 -types known to the policies.
   69.88 +The security_policy.xsd file contains the schema against which the
   69.89 +policy files must validate during translation.
   69.90  
   69.91 -The files ending in -security_label_template.xml contain the label
   69.92 -definitions that group types together and make them easier to use for
   69.93 -users.
   69.94 +The policy files, ending in -security_policy.xml, define the policies,
   69.95 +the types known to the policies, and the label definitions that group
   69.96 +types together and make them easier to use for users.
   69.97  
   69.98 -After executing the above xensec_xml2bin command, you will find 2 new
   69.99 -files in the /etc/xen/acm-security/policies/chwall_ste sub-directory:
  69.100 +After executing the above 'xm makepolicy' command, you will find 2 new
  69.101 +files in the /etc/xen/acm-security/policies/example/chwall_ste
  69.102 +sub-directory:
  69.103  
  69.104 -  chwall_ste.map ... this file includes the mapping
  69.105 +  client_v1.map ... this file includes the mapping
  69.106      of names from the xml files into their binary code representation.
  69.107  
  69.108 -  chwall_ste.bin ... this is the binary policy file,
  69.109 -    the result of parsing the xml files and using the mapping to extract a
  69.110 -    binary version that can be loaded into the hypervisor.
  69.111 +  client_v1.bin ... this is the binary policy file, the result of
  69.112 +    parsing the xml files and using the mapping to create a binary
  69.113 +    version that can be loaded into the hypervisor.
  69.114  
  69.115  
  69.116  
  69.117  2. Loading and activating the policy:
  69.118  =====================================
  69.119  
  69.120 -We assume that xen is already configured to use the chwall_ste policy;
  69.121 +We assume that xen is already configured for security;
  69.122  please refer to install.txt for instructions.
  69.123  
  69.124 -To activate the policy from the command line (assuming that the
  69.125 -currently established policy is the minimal boot-policy that is
  69.126 -hard-coded into the hypervisor):
  69.127 -
  69.128 -# xensec_tool loadpolicy /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin
  69.129 +To activate the policy from the command line:
  69.130  
  69.131 -To activate the policy at next reboot:
  69.132 -
  69.133 -# cp /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin /boot
  69.134 -
  69.135 -Add a module line to your /boot/grub/grub.conf Xen entry.
  69.136 -My boot entry with chwall_ste enabled looks like this:
  69.137 +# xm loadpolicy example.chwall_ste.client_v1
  69.138  
  69.139 -    title Xen (2.6.12)
  69.140 -        root (hd0,5)
  69.141 -        kernel /boot/xen.gz dom0_mem=1200000 console=vga
  69.142 -        module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb
  69.143 -        module /boot/initrd-2.6.12-xen0.img
  69.144 -        module /boot/chwall_ste.bin
  69.145 -
  69.146 -This tells the grub boot-loader to load the binary policy, which
  69.147 -the hypervisor will recognize. The hypervisor will then establish
  69.148 -this binary policy during boot instead of the minimal policy that
  69.149 -is hardcoded as default.
  69.150 -
  69.151 -If you have any trouble here, maks sure you have the access control
  69.152 -framework enabled (see: install.txt).
  69.153 -
  69.154 +See install.txt for how to install a policy at boot time. This the
  69.155 +recommended default. You can only load a policy if the currently
  69.156 +enforced policy is "DEFAULT", a minimal startup policy, or if the
  69.157 +currently enforced policy has the same name as the new one. Support
  69.158 +for dynamic policy changes at run-time are a current working item.
  69.159  
  69.160  
  69.161  3. Labeling domains:
  69.162 @@ -127,156 +87,143 @@ The chwall_ste-security_label_template.x
  69.163  "bootstrap", which is set to the label name that will be assigned to
  69.164  Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0).
  69.165  
  69.166 -b) Labeling User Domains:
  69.167 -
  69.168 -Use the script tools/security/setlabel.sh to choose a label and to
  69.169 -assign labels to user domains.
  69.170 -
  69.171 -To show available labels for the chwall_ste policy:
  69.172 -
  69.173 -# /etc/xen/acm-security/scripts/setlabel.sh -l
  69.174 -
  69.175 -lists all available labels. For the default chwall_ste it should print
  69.176 -the following:
  69.177 -
  69.178 -    [root@laptopxn security]# /etc/xen/acm-security/scripts/setlabel.sh -l chwall_ste
  69.179 -    The following labels are available:
  69.180 -    dom_SystemManagement
  69.181 -    dom_HomeBanking
  69.182 -    dom_Fun
  69.183 -    dom_BoincClient
  69.184 -    dom_StorageDomain
  69.185 -    dom_NetworkDomain
  69.186 -
  69.187 -You need to have compiled the policy beforehand so that a .map file
  69.188 -exists. Setlabel.sh uses the mapping file created throughout the
  69.189 -policy translation to translate a user-friendly label string into a
  69.190 -ssidref-number that is eventually used by the Xen hypervisor.
  69.191 +b) Labeling User Domains (domains started from dom0 using xm commands):
  69.192  
  69.193  We distinguish two kinds of labels: a) VM labels (for domains) and RES
  69.194 -Labels (for resources). We are currently working on support for
  69.195 -resource labeling but will focus here on VM labels.
  69.196 +Labels (for resources). We focus here on VM labels. Resource labels
  69.197 +will be supported later.
  69.198  
  69.199 -Setlabel.sh only prints VM labels (which we have prefixed with "dom_")
  69.200 -since only those are used at this time.
  69.201 +To list all available domain labels of a policy, use:
  69.202 +   #xm labels example.chwall_ste.client_v1
  69.203  
  69.204 -If you would like to assign the dom_HomeBanking label to one of your
  69.205 -user domains (which you hopefully keep clean), look at the hypothetical
  69.206 -domain configuration contained in /etc/xen/homebanking.xm:
  69.207 +To list all available labels including resource labels (their support
  69.208 +is current work), use:
  69.209 +
  69.210 +   #xm labels example.chwall_ste.client_v1 type=any
  69.211  
  69.212 -    #------HOMEBANKING---------
  69.213 -    kernel = "/boot/vmlinuz-2.6.12-xenU"
  69.214 +The policy parameter is optional. The currently enforced hypervisor
  69.215 +policy is used by default.
  69.216 +
  69.217 +If you would like to assign the dom_HomeBanking label to one of your user domains,
  69.218 +look at the hypothetical domain configuration contained in /etc/xen/homebanking.xm:
  69.219 +
  69.220 +    #------FOR HOME/ONLINE BANKING---------
  69.221 +    kernel = "/boot/vmlinuz-2.6.16-xen"
  69.222      ramdisk="/boot/U1_ramdisk.img"
  69.223 -    memory = 65
  69.224 -    name = "test34"
  69.225 -    cpu = -1   # leave to Xen to pick
  69.226 -    # Number of network interfaces. Default is 1.
  69.227 -    nics=1
  69.228 -    dhcp="dhcp"
  69.229 +    memory = 164
  69.230 +    name = "homebanking"
  69.231 +    vif=['']
  69.232 +    dhcp = "dhcp"
  69.233      #-------------------------
  69.234  
  69.235 -Now we label this domain
  69.236 +Now we label this domain (policy name is optional, see above):
  69.237  
  69.238 -[root@laptopxn security]# /etc/xen/acm-securit/scripts/setlabel.sh /etc/xen/homebanking.xm dom_HomeBanking chwall_ste
  69.239 -Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
  69.240 +    # xm addlabel homebanking.xm dom_HomeBanking example.chwall_ste.client_v1
  69.241  
  69.242 -The domain configuration my look now like:
  69.243 +The domain configuration should look now like:
  69.244  
  69.245 -    [root@laptopxn security]# cat homebanking.xm
  69.246 -    #------HOMEBANKING---------
  69.247 -    kernel = "/boot/vmlinuz-2.6.12-xenU"
  69.248 +    # cat homebanking.xm
  69.249 +    #------FOR HOME/ONLINE BANKING---------
  69.250 +    kernel = "/boot/vmlinuz-2.6.16-xen"
  69.251      ramdisk="/boot/U1_ramdisk.img"
  69.252 -    memory = 65
  69.253 -    name = "test34"
  69.254 -    cpu = -1   # leave to Xen to pick
  69.255 -    # Number of network interfaces. Default is 1.
  69.256 -    nics=1
  69.257 -    dhcp="dhcp"
  69.258 -    #-------------------------
  69.259 -    #ACM_POLICY=chwall_ste-security_policy.xml
  69.260 -    #ACM_LABEL=dom_HomeBanking
  69.261 -    ssidref = 0x00020002
  69.262 +    memory = 164
  69.263 +    name = "homebanking"
  69.264 +    vif=['']
  69.265 +    dhcp = "dhcp"
  69.266 +    access_control = ['policy=example.chwall_ste.client_v1, label=dom_HomeBanking']
  69.267  
  69.268 -You can see 3 new entries, two of which are comments.  The only value
  69.269 -that the hypervisor cares about is the ssidref that will reference
  69.270 -those types assigned to this label. You can look them up in the
  69.271 -xml label-template file for the chwall_ste policy.
  69.272 +You can see the access_control line that was added to the
  69.273 +configuration. This label will be translated into a local ssidref when
  69.274 +a domain is created or resumed (also after migration and
  69.275 +live-migration). The ssidref is a local security reference that is
  69.276 +used inside the hypervisor instead of the security label for
  69.277 +efficiency reasons. Since the same label can be mapped onto different
  69.278 +ssidrefs in different policy translations (e.g., if the position of
  69.279 +the label definition is changed in the policy file) or on different
  69.280 +systems, the ssidref is re-calculated from the label each time a
  69.281 +domain is instantiated or re-instantiated.
  69.282  
  69.283 -This script will eventually move into the domain management and will
  69.284 -be called when the domain is instantiated. For now, the setlabel
  69.285 -script must be run on domains whenever the policy files change since
  69.286 -the mapping between label names and ssidrefs can change in this case.
  69.287 +Currently, the labels are not held in the hypervisor but only in
  69.288 +.map files in the /etc/xen/acm-security/policies subdirectories. Only
  69.289 +ssidrefs are known inside the hypervisr. This of course can change in
  69.290 +the future.
  69.291  
  69.292  
  69.293  4. Starting a labeled domain
  69.294  ============================
  69.295  
  69.296  Now, start the domain:
  69.297 -    #xm create -c homebanking.xm
  69.298 +
  69.299 +    #xm create homebanking.xm
  69.300 +    Using config file "homebanking.xm".
  69.301 +    Started domain fun
  69.302  
  69.303  
  69.304 -If you label another domain configuration as dom_Fun and try to start
  69.305 -it afterwards, its start will fail. Why?
  69.306 +[root@941e-4 VMconfigs]# xm list --label
  69.307 +
  69.308 +Name         ID Mem(MiB) VCPUs State  Time(s)  Label
  69.309 +fun           1       64     1 -b----     5.9  dom_HomeBanking
  69.310 +Domain-0      0     1954     1 r-----  1321.4  dom_SystemManagement
  69.311 +
  69.312 +
  69.313  
  69.314 -Because the running homebanking domain has the chinese wall type
  69.315 -"cw_Sensitive". The new domain dom_Fun has the chinese wall label
  69.316 -"cw_Distrusted". This domain is not allowed to run simultaneously
  69.317 -because of the defined conflict set
  69.318 +If you label another domain configuration as dom_Fun and if
  69.319 +you try to start it afterwards, this create will fail.
  69.320 +
  69.321 +Why? -- Because the running 'homebanking' domain has the chinese
  69.322 +wall type "cw_Sensitive". The new domain 'fun' has the chinese wall
  69.323 +label "cw_Distrusted". These domains are not allowed to run simultaneously
  69.324 +on the same system because of the defined conflict set
  69.325  
  69.326  			<conflictset name="Protection1">
  69.327  				<type>cw_Sensitive</type>
  69.328  				<type>cw_Distrusted</type>
  69.329  			</conflictset>
  69.330  
  69.331 -(in chwall_ste-security_policy.xml), which says that only one of the
  69.332 +(in client_v1-security_policy.xml), which says that only one of the
  69.333  types cw_Sensitive and cw_Distrusted can run at a time.
  69.334  
  69.335 -If you save or shutdown the HomeBanking domain, you will be able to
  69.336 -start the "Fun" domain. You can look into the Xen log to see if a
  69.337 +If you save or shutdown the 'homebanking' domain, you will be able to
  69.338 +start the 'fun' domain. You can look into the Xen log to see if a
  69.339  domain was denied to start because of the access control framework
  69.340  with the command 'xm dmesg'.
  69.341  
  69.342  It is important (and usually non-trivial) to define the labels in a
  69.343  way that the semantics of the labels are enforced and supported by the
  69.344 -types and the conflict sets.
  69.345 +types and the conflict sets. Usually, a workload abstraction seems
  69.346 +helpful on the hypervisor level.
  69.347  
  69.348  Note: While the chinese wall policy enforcement is complete, the type
  69.349 -enforcement is currently enforced in the Xen hypervisor
  69.350 +enforcement is currently enforced inside the Xen hypervisor
  69.351  only. Therefore, only point-to-point sharing with regard to the type
  69.352 -enforcement is currently controlled. We are working on enhancements to
  69.353 -Dom0 that enforce types also for network traffic that is routed
  69.354 -through Dom0 and on the enforcement of resource labeling when binding
  69.355 -resources to domains (e.g., enforcing types between domains and
  69.356 -hardware resources, such as disk partitions).
  69.357 +enforcement is currently controlled. Enforcing the STE policy while
  69.358 +sharing virtual resources is ongoing work and assumed to be complete
  69.359 +by year end as well as enforcing the STE policy for network traffic
  69.360 +routed through dom0.
  69.361  
  69.362  
  69.363 -4. Adding your own policies
  69.364 +5. Adding your own policies
  69.365  ===========================
  69.366  
  69.367 -Writing your own policy (e.g. "mypolicy") requires the following:
  69.368 -
  69.369 -a) the policy definition (types etc.) file
  69.370 -b) the label template definition (labels etc.) file
  69.371 +Writing your own policy (e.g. "mypolicy.chwall.test") requires the policy
  69.372 +definition (types etc.) and the label definitions. Any policy name
  69.373 +must have chwall, ste, or chwall_ste in its name. This is used by the
  69.374 +configuration tool to identify existing binary policy entries in the
  69.375 +boot configuration file (menu.lst, grub.con). This part should, of
  69.376 +course, be consistent with policy type that is defined.
  69.377  
  69.378 -If your policy name is "mypolicy", you need to create a
  69.379 -subdirectory mypolicy in /etc/xen/acm-security/policies.
  69.380 -
  69.381 -Then you create
  69.382 -/etc/xen/acm-security/policies/mypolicy/mypolicy-security_policy.xml and
  69.383 -/etc/xen/acm-security/policies/mypolicy/mypolicy-security_label_template.xml.
  69.384 +First, you create
  69.385 +/etc/xen/acm-security/policies/mypolicy/chwall/test-security_policy.xml.
  69.386  
  69.387  You need to keep to the schema as defined in
  69.388 -/etc/xen/acm-security/security_policy.xsd since the translation tool
  69.389 -xensec_xml2bin is written against this schema.
  69.390 -
  69.391 -If you keep to the security policy schema, then you can use all the
  69.392 -tools described above. Refer to install.txt to install it.
  69.393 +/etc/xen/acm-security/security_policy.xsd since the translation tools
  69.394 +are written against this schema.
  69.395  
  69.396  You can hand-edit the xml files to create your policy or you can use the
  69.397  xensec_gen utility.
  69.398  
  69.399  
  69.400 -5. Generating policy files using xensec_gen:
  69.401 +6. Generating policy files using xensec_gen:
  69.402  ============================================
  69.403  
  69.404  The xensec_gen utility starts a web-server that can be used to generate the
  69.405 @@ -290,25 +237,28 @@ to see the full list of options availabl
  69.406  Once the xensec_gen utility is running, point a browser at the host and port
  69.407  on which the utility is running (e.g. http://localhost:7777/).  You will be
  69.408  presented with a web page that allows you to create or modify the XML policy
  69.409 -files:
  69.410 +file:
  69.411  
  69.412 -  - The Security Policy section allows you to create or modify a policy
  69.413 -    definition file
  69.414 +  - The Security Policy types section allows you to create or modify
  69.415 +    the policy types and conflict set definitions
  69.416  
  69.417    - The Security Policy Labeling section allows you to create or modify a
  69.418 -    label template definition file
  69.419 +    label definitions
  69.420  
  69.421 -  Security Policy:
  69.422 -  ----------------
  69.423 -  The Security Policy section allows you to modify an existing policy definition
  69.424 -  file or create a new policy definition file.  To modify an existing policy
  69.425 -  definition, enter the full path to the existing file (the "Browse" button can
  69.426 -  be used to aid in this) in the Policy File entry field.  To create a new
  69.427 -  policy definition file leave the Policy File entry field blank.  At this point
  69.428 -  click the "Create" button to begin modifying or creating your policy definition.
  69.429 +The policy generation tool allows you to modify an existing policy
  69.430 +definition or create a new policy definition file. To modify an
  69.431 +existing policy definition, enter the full path to the existing file
  69.432 +(the "Browse" button can be used to aid in this) in the Policy File
  69.433 +entry field.  To create a new policy definition file leave the Policy
  69.434 +File entry field blank.  At this point click the "Create" button to
  69.435 +begin modifying or creating your policy definition.
  69.436  
  69.437 -  You will then be presented with a web page that will allow you to create either
  69.438 -  Simple Type Enforcement types or Chinese Wall types or both.
  69.439 +  Security Policy Types Section
  69.440 +  -----------------------------
  69.441 +
  69.442 +You will then be presented with a web page. The upper part of it will
  69.443 +allow you to create either Simple Type Enforcement types or Chinese
  69.444 +Wall types or both, as well as Chinese Wall conflict type sets.
  69.445  
  69.446    As an example:
  69.447      - To add a Simple Type Enforcement type:
  69.448 @@ -326,32 +276,13 @@ files:
  69.449    Wall Conflict Set will allow you to add Chinese Wall types from the list of
  69.450    defined Chinese Wall types.
  69.451  
  69.452 -  To create your policy definition file, click on the "Generate XML" button on
  69.453 -  the top of the page.  This will present you with a dialog box to save the
  69.454 -  generated XML file on your system.  The default name will be security_policy.xml
  69.455 -  which you should change to follow the policy file naming conventions based on
  69.456 -  the policy name that you choose to use.
  69.457 -
  69.458 -  To get a feel for the tool, you could use one of the example policy definition
  69.459 -  files from /etc/xen/acm-security/policies as input.
  69.460 -
  69.461 -
  69.462    Security Policy Labeling:
  69.463    -------------------------
  69.464 -  The Security Policy Labeling section allows you to modify an existing label
  69.465 -  template definition file or create a new label template definition file.  To
  69.466 -  modify an existing label template definition, enter the full path to the
  69.467 -  existing file (the "Browse" button can be used to aid in this) in the Policy
  69.468 -  Labeling File entry field.  Whether creating a new label template definition
  69.469 -  file or modifying an existing one, you will need to specify the policy
  69.470 -  definition file that is or will be associated with this label template
  69.471 -  definition file.  At this point click the "Create" button to begin modifying
  69.472 -  or creating your label template definition file.
  69.473  
  69.474 -  You will then be presented with a web page that will allow you to create labels
  69.475 -  for classes of virtual machines.  The input policy definition file will provide
  69.476 -  the available types (Simple Type Enforcement and/or Chinese Wall) that can be
  69.477 -  assigned to a virtual machine class.
  69.478 +  The security policy label section of the web page allows you to create labels
  69.479 +  for classes of virtual machines.  The input policy type definitions on the upper
  69.480 +  part of the web page will provide the available types (Simple Type Enforcement
  69.481 +  and/or Chinese Wall) that can be assigned to a virtual machine class.
  69.482  
  69.483    As an example:
  69.484      - To add a Virtual Machine class (the name entered will become the label
  69.485 @@ -372,11 +303,74 @@ files:
  69.486    bootstrap domain (or Dom0 domain).  By default, the first Virtual Machine class
  69.487    created will be associated as the bootstrap domain.
  69.488  
  69.489 -  To create your label template definition file, click on the "Generate XML" button
  69.490 +  To save your policy definition file, click on the "Generate XML" button
  69.491    on the top of the page.  This will present you with a dialog box to save the
  69.492    generated XML file on your system.  The default name will be
  69.493 -  security_label_template.xml which you should change to follow the policy file
  69.494 +  security_policy.xml which you should change to follow the policy file
  69.495    naming conventions based on the policy name that you choose to use.
  69.496  
  69.497 -  To get a feel for the tool, you could use one of the example policy definition
  69.498 -  and label template definition files from /etc/xen/acm-security/policies as input.
  69.499 +  To get a feel for the tool, you could use one of the example policy definitions
  69.500 +  files from /etc/xen/acm-security/policies/example as input.
  69.501 +
  69.502 +
  69.503 +7. Hypervisor - OS Security Interface
  69.504 +=====================================
  69.505 +
  69.506 +We currently provide 2 hypercalls through which user operating systems
  69.507 +can interact with the hypervisor Access Control Module. Examples of
  69.508 +using them are under "xen_root"/tools/security/python/xensec_tools:
  69.509 +
  69.510 +
  69.511 +I) acm_getdecision -i domainid -l labelname
  69.512 +   Call this example script without arguments to show its usage
  69.513 +   information.
  69.514 +
  69.515 +   This script enables a domain to retrieve an access control decision
  69.516 +   regarding the STE policy from the hypervisor. It will be used to
  69.517 +   control access to virtual/real resources in hosting domains.
  69.518 +
  69.519 +   The script can be provided with any combination of domain ids or
  69.520 +   labelnames. Before calling into the hypervisor, labels are translated
  69.521 +   into ssidrefs. The hypervisor then retrieves for any domain id
  69.522 +   paramter the ssidref before deciding access.
  69.523 +
  69.524 +   Example:
  69.525 +   #/etc/xen/acm-security/scripts/acm_getdecision -l dom_Fun
  69.526 +						 -l dom_SystemManagement
  69.527 +   PERMITTED
  69.528 +
  69.529 +   #/etc/xen/acm-security/scripts/acm_getdecision -i 0 -i 1
  69.530 +   PERMITTED
  69.531 +
  69.532 +   #/etc/xen/acm-security/scripts/acm_getdecision -i 0 -l dom_Fun
  69.533 +   PERMITTED
  69.534 +
  69.535 +   #/etc/xen/acm-security/scripts/acm_getdecision -i 0 -l no_label
  69.536 +   ACMError: Label 'nolabel' not found.
  69.537 +
  69.538 +   Now, assume domain 123454 does not exist:
  69.539 +   #/etc/xen/acm-security/scripts/acm_getdecision -i 123454 -l dom_Fun
  69.540 +   ACMError: Cannot determine decision (Invalid parameter).
  69.541 +
  69.542 +   Return values:
  69.543 +            * DENIED: access is denied based on the current hypervisor
  69.544 +                      policy
  69.545 +
  69.546 +            * PERMITTED: access is permitted based on the current
  69.547 +
  69.548 +            * Exception ACMError: one of the parameters was illegal,
  69.549 +                                  i.e. an unknown label or a
  69.550 +                                  non-existing domain id
  69.551 +
  69.552 +I) acm_getlabel -i domainid
  69.553 +   Retrieves the label of a runing domain. This function can be used
  69.554 +   by domains to determine their own label or (if authorized) the label
  69.555 +   other domains.
  69.556 +
  69.557 +   Example (result is broken up into different lines to simplify description):
  69.558 +   # /etc/xen/acm-security/scripts/acm_getlabel -i 0
  69.559 +  ('example.chwall.client_v1',         <--- policy describing labels etc.
  69.560 +   'dom_SystemManagement',             <--- label name of the domain
  69.561 +   'CHINESE WALL',                     <--- policy type
  69.562 +   65537)                              <--- hypervisor internal ssidref
  69.563 +
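--- a/tools/security/get_decision.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/****************************************************************
- * get_decision.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@watson.ibm.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * An example program that shows how to retrieve an access control
- * decision from the hypervisor ACM based on the currently active policy.
- *
- */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <getopt.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdlib.h>
-#include <sys/ioctl.h>
-#include <string.h>
-#include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
-#include <xen/linux/privcmd.h>
-
-#define PERROR(_m, _a...) \
-fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,	\
-                errno, strerror(errno))
-
-void usage(char *progname)
-{
-    printf("Use: %s \n", progname);
-    printf(" Test program illustrating the retrieval of\n");
-    printf(" access control decisions from xen. At this time,\n");
-    printf(" only sharing (STE) policy decisions are supported.\n");
-    printf(" parameter options:\n");
-    printf("\t -i domid -i domid\n");
-    printf("\t -i domid -s ssidref\n");
-    printf("\t -s ssidref -s ssidref\n\n");
-    exit(-1);
-}
-
-static inline int do_policycmd(int xc_handle, unsigned int cmd,
-                               unsigned long data)
-{
-    return ioctl(xc_handle, cmd, data);
-}
-
-static inline int do_xen_hypercall(int xc_handle,
-                                   privcmd_hypercall_t * hypercall)
-{
-    return do_policycmd(xc_handle,
-                        IOCTL_PRIVCMD_HYPERCALL,
-                        (unsigned long) hypercall);
-}
-
-static inline int do_acm_op(int xc_handle, struct acm_op *op)
-{
-    int ret = -1;
-    privcmd_hypercall_t hypercall;
-
-    op->interface_version = ACM_INTERFACE_VERSION;
-
-    hypercall.op = __HYPERVISOR_acm_op;
-    hypercall.arg[0] = (unsigned long) op;
-
-    if (mlock(op, sizeof(*op)) != 0) {
-        PERROR("Could not lock memory for Xen policy hypercall");
-        goto out1;
-    }
-
-    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
-        if (errno == EACCES)
-            fprintf(stderr, "ACM operation failed -- need to"
-                    " rebuild the user-space tool set?\n");
-        goto out2;
-    }
-
-  out2:(void) munlock(op, sizeof(*op));
-  out1:return ret;
-}
-
-
-/************************ get decision ******************************/
-
-/* this example uses two domain ids and retrieves the decision if these domains
- * can share information (useful, i.e., to enforce policy onto network traffic in dom0
- */
-int acm_get_decision(int xc_handle, int argc, char *const argv[])
-{
-    struct acm_op op;
-    int ret;
-
-    op.cmd = ACM_GETDECISION;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.getdecision.get_decision_by1 = UNSET;
-    op.u.getdecision.get_decision_by2 = UNSET;
-    op.u.getdecision.hook = SHARING;
-
-    while (1) {
-        int c = getopt(argc, argv, "i:s:");
-        if (c == -1)
-            break;
-
-        if (c == 'i') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = DOMAINID;
-                op.u.getdecision.id1.domainid = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = DOMAINID;
-                op.u.getdecision.id2.domainid = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else if (c == 's') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = SSIDREF;
-                op.u.getdecision.id1.ssidref = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = SSIDREF;
-                op.u.getdecision.id2.ssidref = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else
-            usage(argv[0]);
-    }
-    if ((op.u.getdecision.get_decision_by1 == UNSET) ||
-        (op.u.getdecision.get_decision_by2 == UNSET))
-        usage(argv[0]);
-
-    if ((ret = do_acm_op(xc_handle, &op))) {
-        printf("%s: Error getting decision (%d).\n", __func__, ret);
-        printf("%s: decision = %s.\n", __func__,
-               (op.u.getdecision.acm_decision ==
-                ACM_ACCESS_PERMITTED) ? "PERMITTED" : ((op.u.getdecision.
-                                                        acm_decision ==
-                                                        ACM_ACCESS_DENIED)
-                                                       ? "DENIED" :
-                                                       "ERROR"));
-        return ret;
-    }
-    return op.u.getdecision.acm_decision;
-}
-
-/***************************** main **************************************/
-
-int main(int argc, char **argv)
-{
-
-    int acm_cmd_fd, ret = 0;
-
-    if (argc < 5)
-        usage(argv[0]);
-
-    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
-        printf("ERROR: Could not open xen privcmd device!\n");
-        exit(-1);
-    }
-
-    ret = acm_get_decision(acm_cmd_fd, argc, argv);
-
-    printf("Decision: %s (%d)\n",
-           (ret == ACM_ACCESS_PERMITTED) ? "PERMITTED" :
-           ((ret == ACM_ACCESS_DENIED) ? "DENIED" : "ERROR"), ret);
-
-    close(acm_cmd_fd);
-    return ret;
-}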
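--- a/tools/security/getlabel.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/sh
-# *
-# * getlabel
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@us.ibm.com>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# * 'getlabel' tries to find the labels corresponding to the ssidref
-# *
-# * 'getlabel -?' shows the usage of the program
-# *
-# * 'getlabel -sid <ssidref> [<policy name>]' lists the label corresponding
-# *                              to the given ssidref.
-# *
-# * 'getlabel -dom <domain id> [<policy name>]' lists the label of the
-# *                              domain with given id
-# *
-#
-
-if [ -z "$runbash" ]; then
-	runbash="1"
-	export runbash
-	exec sh -c "bash $0 $*"
-fi
-
-
-export PATH=$PATH:.
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-usage ()
-{
-	prg=`basename $0`
-echo "Use this tool to display the label of a domain or the label that is
-corresponding to an ssidref given the name of the running policy.
-
-Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or
-       $prg -dom <domid>   [<policy name> [<policy dir>]]
-
-policy name : the name of the policy, i.e. 'chwall'
-              If the policy name is omitted, the grub.conf
-              entry of the running system is tried to be read
-              and the policy name determined from there.
-policy dir  : the directory where the <policy name> policy is located
-              The default location is '/etc/xen/acm-security/policies'
-ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'
-              or '65538'
-domid       : id of the domain, i.e., '1'; Use numbers from the 2nd
-              column shown when invoking 'xm list'
-"
-}
-
-
-
-if [ "$1" == "-h" ]; then
-	usage
-	exit 0
-elif [ "$1" == "-dom" ]; then
-	mode="domid"
-	shift
-elif [ "$1" == "-sid" ]; then
-	mode="sid"
-	shift
-else
-	usage
-	exit -1
-fi
-
-setPolicyVars $2 $3
-findMapFile $policy $policydir
-ret=$?
-if [ $ret -eq 0 ]; then
-	echo "Could not find map file for policy '$policy'."
-	exit -1
-fi
-
-if [ "$mode" == "domid" ]; then
-	getSSIDUsingSecpolTool $1
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Could not determine the SSID of the domain."
-		exit -1
-	fi
-	translateSSIDREF $ssid $mapfile
-else # mode == sid
-	translateSSIDREF $1 $mapfile
-fi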
    72.1 --- a/tools/security/install.txt	Tue Apr 25 22:55:22 2006 -0600
    72.2 +++ b/tools/security/install.txt	Tue Apr 25 23:35:55 2006 -0600
    72.3 @@ -3,10 +3,11 @@
    72.4  #
    72.5  # Author:
    72.6  # Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
    72.7 +#               03/18/2006 update: new labeling
    72.8  #
    72.9  #
   72.10  # This file shows how to activate and install the access control
   72.11 -# framework.
   72.12 +# framework for Xen.
   72.13  ##
   72.14  
   72.15  
   72.16 @@ -20,43 +21,54 @@ Simple Type Enforcement policy. Some fil
   72.17  below to activate the Chinese Wall OR the Type Enforcement policy
   72.18  exclusively (chwall_ste --> {chwall, ste}).
   72.19  
   72.20 +0. build and install the xm man page. It includes the description of
   72.21 +   available management commands for the security policy for Xen and
   72.22 +   the labeling of domains. If not installed by default, you can make
   72.23 +   and install the xm man page as follows:
   72.24 +       # cd "xen_root"/doc
   72.25 +       # make install
   72.26 +   Then, use man xm to read it:
   72.27 +       # man xm
   72.28 +
   72.29  1. enable access control in Xen
   72.30         # cd "xen_root"
   72.31         # edit/xemacs/vi Config.mk
   72.32  
   72.33         change the lines:
   72.34         ACM_SECURITY ?= n
   72.35 -       ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY
   72.36 -
   72.37         to:
   72.38         ACM_SECURITY ?= y
   72.39 +
   72.40 +       Now the hypervisor will boot into the policy that is specified
   72.41 +       in the grub configuration. If you would like to boot into a
   72.42 +       specific policy (even if you can't specify a boot policy but
   72.43 +       need to set the policy later using the 'xensec_tool
   72.44 +       loadpolicy'), then use the other config parameter to change
   72.45 +       from NULL to any other default policy, e.g.:
   72.46         ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   72.47  
   72.48 -       # make all
   72.49 +       # make dist
   72.50         # ./install.sh
   72.51  
   72.52 -2. compile the policy from xml to a binary format that can be loaded
   72.53 -   into the hypervisor for enforcement
   72.54 +2. Build acm and policy tools and create boot-able policy:
   72.55         # cd tools/security
   72.56 -       # make
   72.57 +       # make install
   72.58 +
   72.59 +       For description of the following commands, please see the xm
   72.60 +       man page (docs/man1/xm.1). If it is not built, then you can
   72.61 +       create it manually: cd "xen_root"/docs; make; man man1/xm.1
   72.62  
   72.63 -       manual steps (alternative to make boot_install):
   72.64 -       # ./xensec_xml2bin -d policies/ chwall_ste
   72.65 -       # cp policies/chwall_ste/chwall_ste.bin /boot
   72.66 -       # edit /boot/grub/grub.conf
   72.67 -        add the follwoing line to your xen boot entry:
   72.68 -       "module /boot/chwall_ste.bin"
   72.69 +       Step1: Building binary version of an example policy:
   72.70 +       # xm makepolicy example.chwall_ste.client_v1
   72.71 +       # xm cfgbootpolicy example.chwall_ste.client_v1
   72.72  
   72.73 -       alternatively, you can try our automatic translation and
   72.74 -       installation of the policy:
   72.75 -       # make boot_install
   72.76 -
   72.77 -       [we try hard to do the right thing to the right boot entry but
   72.78 -        please verify boot entry in /boot/grub/grub.conf afterwards;
   72.79 -        your xen boot entry should have an additional module line
   72.80 -        specifying a chwall_ste.bin file with the correct directory
   72.81 -        (e.g. "/" or "/boot").]
   72.82 -
   72.83 +       Please verify boot entry in /boot/grub/grub.conf (or menu.lst):
   72.84 +        title Xen (2.6.16)
   72.85 +        root (hd0,0)
   72.86 +        kernel /xen.gz dom0_mem=2000000 console=vga
   72.87 +        module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00 rhgb
   72.88 +        module /initrd-2.6.165-xen-U.img
   72.89 +        module /example.chwall_ste.client_v1.bin
   72.90  
   72.91  3. reboot into the newly compiled hypervisor
   72.92  
   72.93 @@ -64,6 +76,12 @@ 3. reboot into the newly compiled hyperv
   72.94  	# xm dmesg should show an entry about the policy being loaded
   72.95              during the boot process
   72.96  
   72.97 -        # xensec_tool getpolicy
   72.98 -            should print the new chwall_ste binary policy representation
   72.99 +        # xm dumppolicy
  72.100 +            should print the new binary policy representation
  72.101 +            including the policy name example.chwall_ste.client_v1
  72.102  
  72.103 +	# xm list --label
  72.104 +	    should show security label names behind the running domains
  72.105 +
  72.106 +For more information about how to use the security-enabled Xen, see
  72.107 +the examples.txt file in this directory.
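--- a/tools/security/labelfuncs.sh
+++ /dev/null
@@ -1,799 +0,0 @@
-# *
-# * labelfuncs.sh
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@us.ibm.com>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# *
-# * A collection of functions to handle polcies, mapfiles,
-# * and ssidrefs.
-#
-
-
-#Some global variables for tools using this module
-ACM_DEFAULT_ROOT="/etc/xen/acm-security"
-
-# Set the policy and policydir variables
-# Parameters:
-# 1st : possible policy name
-# 2nd : possible policy directory
-# Results:
-# The variables policy and policydir will hold the values for locating
-# policy information
-# If there are no errors, the functions returns a '1',
-# a '0' otherwise.
-setPolicyVars ()
-{
-	local ret
-	# Set default values
-	policydir="$ACM_DEFAULT_ROOT/policies"
-	policy=""
-
-	if [ "$1" == "" ]; then
-		findGrubConf
-		ret=$?
-		if [ $ret -eq 0 ]; then
-			echo "Could not find grub.conf."
-			return 0;
-		fi
-		findPolicyInGrub $grubconf
-		if [ "$policy" == "" ]; then
-			echo "Could not find policy in grub.conf. Looked for entry using kernel $linux."
-			return 0;
-		fi
-		echo "Assuming policy to be '$policy'.";
-	else
-		policy=$1
-		if [ "$2" != "" ]; then
-			policydir=$2
-		fi
-	fi
-
-	return 1
-}
-
-# Find the mapfile given a policy nmame
-# Parameters:
-# 1st : the name of the policy whose map file is to be found, i.e.,
-#       chwall
-# 2nd : the policy directory for locating the map file
-# Results:
-# The variable mapfile will hold the realtive path to the mapfile
-# for the given policy.
-# In case the mapfile could be found, the functions returns a '1',
-# a '0' otherwise.
-findMapFile ()
-{
-	mapfile="$2/$1/$1.map"
-	if [ -r "$mapfile" ]; then
-		return 1
-	fi
-	return 0
-}
-
-
-# Determine the name of the primary policy
-# Parameters
-# 1st : the path to the mapfile; the path may be relative
-#       to the current directory
-# Results
-# The variable primary will hold the name of the primary policy
-getPrimaryPolicy ()
-{
-	local mapfile=$1
-	primary=`cat $mapfile  |   \
-	         awk '             \
-	          {                \
-	            if ( $1 == "PRIMARY" ) { \
-	              res=$2;                \
-	            }                        \
-	          } END {                    \
-	            print res;               \
-	          } '`
-}
-
-
-# Determine the name of the secondary policy
-# Parameters
-# 1st : the path to the mapfile; the path may be relative
-#       to the current directory
-# Results
-# The variable secondary will hold the name of the secondary policy
-getSecondaryPolicy ()
-{
-	local mapfile=$1
-	secondary=`cat $mapfile  |   \
-	         awk '             \
-	          {                \
-	            if ( $1 == "SECONDARY" ) { \
-	              res=$2;                \
-	            }                        \
-	          } END {                    \
-	            print res;               \
-	          } '`
-}
-
-
-#Return where the grub.conf file is.
-#I only know of one place it can be.
-#Returns:
-# 1 : if the file is writeable and readable
-# 2 : if the file is only readable
-# 0 : if the file does not exist
-findGrubConf()
-{
-	grubconf="/boot/grub/grub.conf"
-	if [ -w $grubconf ]; then
-		return 1
-	fi
-	if [ -r $grubconf ]; then
-		return 2
-	fi
-	return 0
-}
-
-
-# This function sets the global variable 'linux'
-# to the name and version of the Linux kernel that was compiled
-# for domain 0.
-# If this variable could not be found, the variable 'linux'
-# will hold a pattern
-# Parameters:
-# 1st: the path to reach the root directory of the XEN build tree
-#      where linux-*-xen0 is located at
-# Results:
-# The variable linux holds then name and version of the compiled
-# kernel, i.e., 'vmlinuz-2.6.12-xen0'
-getLinuxVersion ()
-{
-	local path
-	local versionfile
-	local lnx
-	if [ "$1" == "" ]; then
-		path="/lib/modules/*-xen0"
-	else
-		path="/lib/modules/$1"
-	fi
-
-	linux=""
-	for f in $path/linux-*-xen0 ; do
-		versionfile=$f/build/include/linux/version.h
-		if [ -r $versionfile ]; then
-			lnx=`cat $versionfile | \
-			     grep UTS_RELEASE | \
-			     awk '{             \
-			       len=length($3);  \
-			       version=substr($3,2,len-2);     \
-			       split(version,numbers,".");     \
-			       if (numbers[4]=="") {           \
-			         printf("%s.%s.%s",            \
-			                 numbers[1],           \
-			                 numbers[2],           \
-			                 numbers[3]);          \
-			       } else {                        \
-			         printf("%s.%s.%s[.0-9]*-xen0",\
-			                numbers[1],            \
-			                numbers[2],            \
-			                numbers[3]);           \
-			       }                               \
-			     }'`
-		fi
-		if [ "$lnx" != "" ]; then
-			linux="[./0-9a-zA-z]*$lnx"
-			return;
-		fi
-	done
-
-	#Last resort.
-	linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
-}
-
-
-# Find out with which policy the hypervisor was booted with.
-# Parameters
-# 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
-# Result:
-# Sets the variable 'policy' to the name of the policy
-findPolicyInGrub ()
-{
-	local grubconf=$1
-	local linux=`uname -r`
-	policy=`cat $grubconf |                        \
-	         awk -vlinux=$linux '{                 \
-	           if ( $1 == "title" ) {              \
-	             kernelfound = 0;                  \
-	             policymaycome = 0;                \
-	           }                                   \
-	           else if ( $1 == "kernel" ) {        \
-	             if ( match($2,"xen.gz$") ) {      \
-	               pathlen=RSTART;                 \
-	               kernelfound = 1;                \
-	             }                                 \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     match($2,linux) ) {       \
-	              policymaycome = 1;               \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     policymaycome == 1 &&     \
-	                     match($2,"[0-9a-zA-Z_]*.bin$") ) { \
-	              policymaycome = 0;               \
-	              kernelfound = 0;                 \
-	              polname = substr($2,pathlen);    \
-	              len=length(polname);             \
-	              polname = substr(polname,0,len-4); \
-	           }                                   \
-	         } END {                               \
-	           print polname                       \
-	         }'`
-}
-
-
-# Get the SSID of a domain
-# Parameters:
-# 1st : domain ID, i.e. '1'
-# Results
-# If the ssid could be found, the variable 'ssid' will hold
-# the currently used ssid in the hex format, i.e., '0x00010001'.
-# The funtion returns '1' on success, '0' on failure
-getSSIDUsingSecpolTool ()
-{
-	local domid=$1
-	export PATH=$PATH:.
-	ssid=`xensec_tool getssid -d $domid -f | \
-	        grep -E "SSID:" |          \
-	        awk '{ print $4 }'`
-
-	if [ "$ssid" != "" ]; then
-		return 1
-	fi
-	return 0
-}
-
-
-# Break the ssid identifier into its high and low values,
-# which are equal to the secondary and primary policy references.
-# Parameters:
-# 1st: ssid to break into high and low value, i.e., '0x00010002'
-# Results:
-# The variable ssidlo_int and ssidhi_int will hold the low and
-# high ssid values as integers.
-getSSIDLOHI ()
-{
-	local ssid=$1
-	ssidlo_int=`echo $ssid | awk          \
-	            '{                        \
-	               len=length($0);        \
-	               beg=substr($0,1,2);    \
-	               if ( beg == "0x" ) {   \
-	                   dig = len - 2;     \
-	                   if (dig <= 0) {    \
-	                     exit;            \
-	                   }                  \
-	                   if (dig > 4) {     \
-	                     dig=4;           \
-	                   }                  \
-	                   lo=sprintf("0x%s",substr($0,len-dig+1,dig)); \
-	                   print strtonum(lo);\
-	               } else {               \
-	                   lo=strtonum($0);   \
-	                   if (lo < 65536) {  \
-	                     print lo;        \
-	                   } else {           \
-	                     hi=lo;           \
-	                     hi2= (hi / 65536);\
-	                     hi2_str=sprintf("%d",hi2); \
-	                     hi2=strtonum(hi2_str);\
-	                     lo=hi-(hi2*65536); \
-	                     printf("%d",lo); \
-	                   }                  \
-			}                     \
-	            }'`
-	ssidhi_int=`echo $ssid | awk          \
-	            '{                        \
-	               len=length($0);        \
-	               beg=substr($0,1,2);    \
-	               if ( beg == "0x" ) {   \
-	                   dig = len - 2;     \
-	                   if (dig <= 0 ||    \
-	                     dig >  8) {      \
-	                     exit;            \
-	                   }                  \
-	                   if (dig < 4) {     \
-	                     print 0;         \
-	                     exit;            \
-	                   }                  \
-	                   dig -= 4;          \
-	                   hi=sprintf("0x%s",substr($0,len-4-dig+1,dig)); \
-	                   print strtonum(hi);\
-	               } else {               \
-	                   hi=strtonum($0);   \
-	                   if (hi >= 65536) { \
-	                     hi = hi / 65536; \
-	                     printf ("%d",hi);\
-	                   } else {           \
-	                     printf ("0");    \
-	                   }                  \
-	               }                      \
-	            }'`
-	if [ "$ssidhi_int" == "" -o \
-	     "$ssidlo_int" == "" ]; then
-		return 0;
-	fi
-	return 1
-}
-
-
-#Update the grub configuration file.
-#Search for existing entries and replace the current
-#policy entry with the policy passed to this script
-#
-#Arguments passed to this function
-# 1st : the grub configuration file with full path
-# 2nd : the binary policy file name, i.e. chwall.bin
-# 3rd : the name or pattern of the linux kernel name to match
-#       (this determines where the module entry will be made)
-#
-# The algorithm here is based on pattern matching
-# and is working correctly if
-# - under a title a line beginning with 'kernel' is found
-#   whose following item ends with "xen.gz"
-#   Example:  kernel /xen.gz dom0_mem=....
-# - a module line matching the 3rd parameter is found
-#
-updateGrub ()
-{
-	local grubconf=$1
-	local policyfile=$2
-	local linux=$3
-
-	local tmpfile="/tmp/new_grub.conf"
-
-	cat $grubconf |                                \
-	         awk -vpolicy=$policyfile              \
-	             -vlinux=$linux '{                 \
-	           if ( $1 == "title" ) {              \
-	             kernelfound = 0;                  \
-	             if ( policymaycome == 1 ){        \
-	               printf ("\tmodule %s%s\n", path, policy);      \
-	             }                                 \
-	             policymaycome = 0;                \
-	           }                                   \
-	           else if ( $1 == "kernel" ) {        \
-	             if ( match($2,"xen.gz$") ) {      \
-	               path=substr($2,1,RSTART-1);     \
-	               kernelfound = 1;                \
-	             }                                 \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     match($2,linux) ) {       \
-	              policymaycome = 1;               \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     policymaycome == 1 &&     \
-	                     match($2,"[0-9a-zA-Z]*.bin$") ) { \
-	              printf ("\tmodule %s%s\n", path, policy); \
-	              policymaycome = 0;               \
-	              kernelfound = 0;                 \
-	              dontprint = 1;                   \
-	           }                                   \
-	           else if ( $1 == "" &&               \
-	                     kernelfound == 1 &&       \
-	                     policymaycome == 1) {     \
-	              dontprint = 1;                   \
-	           }                                   \
-	           if (dontprint == 0) {               \
-	             printf ("%s\n", $0);              \
-	           }                                   \
-	           dontprint = 0;                      \
-	         } END {                               \
-	           if ( policymaycome == 1 ) {         \
-	             printf ("\tmodule %s%s\n", path, policy);  \
-	           }                                   \
-	         }' > $tmpfile
-	if [ ! -r $tmpfile ]; then
-		echo "Could not create temporary file! Aborting."
-		exit -1
-	fi
-	diff $tmpfile $grubconf > /dev/null
-	RES=$?
-	if [ "$RES" == "0" ]; then
-		echo "No changes were made to $grubconf."
-	else
-		echo "Successfully updated $grubconf."
-		mv -f $tmpfile $grubconf
-	fi
-}
-
-
-#Compile a policy into its binary representation
-# Parameters:
-# 1st: The directory where the ./policies directory is located at
-# 2nd: The name of the policy
-genBinPolicy ()
-{
-	local root=$1
-	local policy=$2
-	pushd $root > /dev/null
-	xensec_xml2bin -d policies $policy > /dev/null
-	popd > /dev/null
-}
-
-
-# Copy the bootpolicy into the destination directory
-# Generate the policy's .bin and .map files if necessary
-# Parameters:
-# 1st: Destination directory
-# 2nd: The root directory of the security tools; this is where the
-#      policies directory is located at
-# 3rd: The policy name
-# Returns  '1' on success, '0' on failure.
-cpBootPolicy ()
-{
-	local dest=$1
-	local root=$2
-	local policy=$3
-	local binfile=$root/policies/$policy/$policy.bin
-	local dstfile=$dest/$policy.bin
-	if [ ! -e $binfile ]; then
-		genBinPolicy $root $policy
-		if [ ! -e $binfile ]; then
-			echo "Could not compile policy '$policy'."
-			return 0
-		fi
-	fi
-
-	if [ ! -e $dstfile -o \
-	     $binfile -nt $dstfile ]; then
-		cp -f $binfile $dstfile
-	fi
-	return 1
-}
-
-
-# Display all the labels in a given mapfile
-# Parameters
-# 1st: Full or relative path to the policy's mapfile
-showLabels ()
-{
-	local mapfile=$1
-	local line
-	local ITEM
-	local found=0
-
-	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
-		echo "Cannot read from vm configuration file $vmfile."
-		return -1
-	fi
-
-	getPrimaryPolicy $mapfile
-	getSecondaryPolicy $mapfile
-
-	echo "The following labels are available:"
-	let line=1
-	while [ 1 ]; do
-		ITEM=`cat $mapfile |         \
-		      awk -vline=$line       \
-		          -vprimary=$primary \
-		      '{                     \
-		         if ($1 == "LABEL->SSID" &&  \
-		             $2 == "VM" &&           \
-		             $3 == primary ) {       \
-		           ctr++;                    \
-		           if (ctr == line) {        \
-		             print $4;               \
-		           }                         \
-		         }                           \
-		       } END {                       \
-		       }'`
-
-		if [ "$ITEM" == "" ]; then
-			break
-		fi
-		if [ "$secondary" != "NULL" ]; then
-			LABEL=`cat $mapfile |     \
-			       awk -vitem=$ITEM   \
-			       '{
-			          if ($1 == "LABEL->SSID" && \
-			              $2 == "VM" &&          \
-			              $3 == "CHWALL" &&      \
-			              $4 == item ) {         \
-			            result = item;           \
-			          }                          \
-			        } END {                      \
-			            print result             \
-			        }'`
-		else
-			LABEL=$ITEM
-		fi
-
-		if [ "$LABEL" != "" ]; then
-			echo "$LABEL"
-			found=1
-		fi
-		let line=line+1
-	done
-	if [ "$found" != "1" ]; then
-		echo "No labels found."
-	fi
-}
-
-
-# Get the default SSID given a mapfile and the policy name
-# Parameters
-# 1st: Full or relative path to the policy's mapfile
-# 2nd: the name of the policy
-getDefaultSsid ()
-{
-	local mapfile=$1
-	local pol=$2
-	RES=`cat $mapfile    \
-	     awk -vpol=$pol  \
-	      {              \
-	        if ($1 == "LABEL->SSID" && \
-	            $2 == "ANY"         && \
-	            $3 == pol           && \
-	            $4 == "DEFAULT"       ) {\
-	              res=$5;                \
-	        }                            \
-	      } END {                        \
-	        printf "%04x", strtonum(res) \
-	     }'`
-	echo "default NULL mapping is $RES"
-	defaultssid=$RES
-}
-
-
-#Relabel a VM configuration file
-# Parameters
-# 1st: Full or relative path to the VM configuration file
-# 2nd: The label to translate into an ssidref
-# 3rd: Full or relative path to the policy's map file
-# 4th: The mode this function is supposed to operate in:
-#      'relabel' : Relabels the file without querying the user
-#      other     : Prompts the user whether to proceed
-relabel ()
-{
-	local vmfile=$1
-	local label=$2
-	local mapfile=$3
-	local mode=$4
-	local SSIDLO
-	local SSIDHI
-	local RES
-
-	if [ ! -r "$vmfile" ]; then
-		echo "Cannot read from vm configuration file $vmfile."
-		return -1
-	fi
-
-	if [ ! -w "$vmfile" ]; then
-		echo "Cannot write to vm configuration file $vmfile."
-		return -1
-	fi
-
-	if [ ! -r "$mapfile" ] ; then
-		echo "Cannot read mapping file $mapfile."
-		return -1
-	fi
-
-	# Determine which policy is primary, which sec.
-	getPrimaryPolicy $mapfile
-	getSecondaryPolicy $mapfile
-
-	# Calculate the primary policy's SSIDREF
-	if [ "$primary" == "NULL" ]; then
-		SSIDLO="0001"
-	else
-		SSIDLO=`cat $mapfile |                    \
-		        awk -vlabel=$label                \
-		            -vprimary=$primary            \
-		           '{                             \
-		              if ( $1 == "LABEL->SSID" && \
-		                   $2 == "VM" &&          \
-		                   $3 == primary  &&      \
-		                   $4 == label ) {        \
-		                result=$5                 \
-		              }                           \
-		           } END {                        \
-		             if (result != "" )           \
-		               {printf "%04x", strtonum(result)}\
-		           }'`
-	fi
-
-	# Calculate the secondary policy's SSIDREF
-	if [ "$secondary" == "NULL" ]; then
-		if [ "$primary" == "NULL" ]; then
-			SSIDHI="0001"
-		else
-			SSIDHI="0000"
-		fi
-	else
-		SSIDHI=`cat $mapfile |                    \
-		        awk -vlabel=$label                \
-		            -vsecondary=$secondary        \
-		           '{                             \
-		              if ( $1 == "LABEL->SSID" && \
-		                   $2 == "VM"          && \
-		                   $3 == secondary     && \
-		                   $4 == label ) {        \
-		                result=$5                 \
-		              }                           \
-		            }  END {                      \
-		              if (result != "" )          \
-		                {printf "%04x", strtonum(result)}\
-		            }'`
-	fi
-
-	if [ "$SSIDLO" == "" -o \
-	     "$SSIDHI" == "" ]; then
-		echo "Could not map the given label '$label'."
-		return -1
-	fi
-
-	ACM_POLICY=`cat $mapfile |             \
-	    awk ' { if ( $1 == "POLICY" ) {    \
-	              result=$2                \
-	            }                          \
-	          }                            \
-	          END {                        \
-	            if (result != "") {        \
-	              printf result            \
-	            }                          \
-	          }'`
-
-	if [ "$ACM_POLICY" == "" ]; then
-		echo "Could not find 'POLICY' entry in map file."
-		return -1
-	fi
-
-	SSIDREF="0x$SSIDHI$SSIDLO"
-
-	if [ "$mode" != "relabel" ]; then
-		RES=`cat $vmfile |  \
-		     awk '{         \
-		       if ( substr($1,0,7) == "ssidref" ) {\
-		         print $0;             \
-		       }                       \
-		     }'`
-		if [ "$RES" != "" ]; then
-			echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
-			read user
-			if [ "$user" != "y" -a "$user" != "Y" ]; then
-				echo "Aborted."
-				return 0
-			fi
-		fi
-	fi
-
-	#Write the output
-	local vmtmp1="/tmp/__setlabel.tmp1"
-	local vmtmp2="/tmp/__setlabel.tmp2"
-	touch $vmtmp1
-	touch $vmtmp2
-	if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
-		echo "Cannot create temporary files. Aborting."
-		return -1
-	fi
-	RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
-	RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
-	RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
-	echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
-	echo "#ACM_LABEL=$label" >> $vmtmp1
-	echo "ssidref = $SSIDREF" >> $vmtmp1
-	mv -f $vmtmp1 $vmfile
-	rm -rf $vmtmp1 $vmtmp2
-	echo "Mapped label '$label' to ssidref '$SSIDREF'."
-}
-
-
-# Translate an ssidref into its label. This does the reverse lookup
-# to the relabel function above.
-# This function displays the results.
-# Parameters:
-# 1st: The ssidref to translate; must be in the form '0x00010002'
-# 2nd: Full or relative path to the policy's mapfile
-translateSSIDREF ()
-{
-	local ssidref=$1
-	local mapfile=$2
-	local line1
-	local line2
-
-	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
-		echo "Cannot read from vm configuration file $vmfile."
-		return -1
-	fi
-
-	getPrimaryPolicy $mapfile
-	getSecondaryPolicy $mapfile
-
-	if [ "$primary" == "NULL" -a "$secondary" == "NULL" ]; then
-		echo "There are no labels for the NULL policy."
-		return
-	fi
-
-	getSSIDLOHI $ssidref
-	ret=$?
-	if [ $ret -ne 1 ]; then
-		echo "Error while parsing the ssid ref number '$ssidref'."
-	fi;
-
-	let line1=0
-	let line2=0
-	while [ 1 ]; do
-		ITEM1=`cat $mapfile |                       \
-		      awk -vprimary=$primary                \
-		          -vssidlo=$ssidlo_int              \
-		          -vline=$line1                     \
-		      '{                                    \
-		         if ( $1 == "LABEL->SSID" &&        \
-		              $3 == primary &&              \
-		              int($5) == ssidlo     ) {     \
-		             if (l == line) {               \
-		                 print $4;                  \
-		                 exit;                      \
-		             }                              \
-		             l++;                           \
-		         }                                  \
-		       }'`
-
-		ITEM2=`cat $mapfile |                       \
-		      awk -vsecondary=$secondary            \
-		          -vssidhi=$ssidhi_int              \
-		          -vline=$line2                     \
-		      '{                                    \
-		         if ( $1 == "LABEL->SSID" &&        \
-		              $3 == secondary &&            \
-		              int($5) == ssidhi     ) {     \
-		             if (l == line) {               \
-		                 print $4;                  \
-		                 exit;                      \
-		             }                              \
-		             l++;                           \
-		         }                                  \
-		       }'`
-
-		if [ "$secondary" != "NULL" ]; then
-			if [ "$ITEM1" == "" ]; then
-				let line1=0
-				let line2=line2+1
-			else
-				let line1=line1+1
-			fi
-
-			if [ "$ITEM1" == "" -a \
-			     "$ITEM2" == "" ]; then
-				echo "Could not determine the referenced label."
-				break
-			fi
-
-			if [ "$ITEM1" == "$ITEM2" ]; then
-				echo "Label: $ITEM1"
-				break
-			fi
-		else
-			if [ "$ITEM1" != "" ]; then
-				echo "Label: $ITEM1"
-			else
-				if [ "$found" == "0" ]; then
-					found=1
-				else
-					break
-				fi
-			fi
-			let line1=line1+1
-		fi
-	done
-}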
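--- a/tools/security/policies/chwall/chwall-security_label_template.xml	Tue Apr 25 22:55:22 2006 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--              This file defines the security labels, which can  -->
-<!--              be attached to Domains and resources. Based on    -->
-<!--              these labels, the access control module decides   -->
-<!--              about sharing between Domains and about access    -->
-<!--              of Domains to real resources.                     -->
-
-<SecurityLabelTemplate
- xmlns="http://www.ibm.com"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
-   <LabelHeader>
-      <Name>chwall-security_label_template</Name>
-      <Date>2005-08-10</Date>
-      <PolicyName>
-         <Url>chwall-security_policy.xml</Url>
-         <Reference>abcdef123456abcdef</Reference>
-      </PolicyName>
-   </LabelHeader>
-
-   <SubjectLabels bootstrap="dom_SystemManagement">
-      <!-- single ste typed domains            -->
-      <!-- ACM enforces that only domains with -->
-      <!-- the same type can share information -->
-      <!--                                     -->
-      <!-- Bootstrap label is assigned to Dom0 -->
-      <VirtualMachineLabel>
-      	<Name>dom_HomeBanking</Name>
-         <ChineseWallTypes>
-            <Type>cw_Sensitive</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-      	<Name>dom_Fun</Name>
-         <ChineseWallTypes>
-            <Type>cw_Distrusted</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- donating some cycles to seti@home -->
-      	<Name>dom_BoincClient</Name>
-         <ChineseWallTypes>
-            <Type>cw_Isolated</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <!-- Domains with multiple ste types services; such domains   -->
-      <!-- must keep the types inside their domain safely confined. -->
-      <VirtualMachineLabel>
-      	<Name>dom_SystemManagement</Name>
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- serves persistent storage to other domains -->
-      	<Name>dom_StorageDomain</Name>
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- serves network access to other domains -->
-      	<Name>dom_NetworkDomain</Name>
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-   </SubjectLabels>
-</SecurityLabelTemplate>
-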
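--- a/tools/security/policies/chwall/chwall-security_policy.xml	Tue Apr 25 22:55:22 2006 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--             This file defines the security policies, which     -->
-<!--             can be enforced by the Xen Access Control Module.  -->
-<!--             Currently: Chinese Wall and Simple Type Enforcement-->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
-<PolicyHeader>
-		<Name>chwall-security_policy</Name>
-		<Date>2005-08-10</Date>
-</PolicyHeader>
-<!--                                             -->
-<!-- example of a chinese wall type definition   -->
-<!-- along with its conflict sets                -->
-<!-- (typse in a confict set are exclusive, i.e. -->
-<!--  once a Domain with one type of a set is    -->
-<!--  running, no other Domain with another type -->
-<!--  of the same conflict set can start.)       -->
-	<ChineseWall priority="PrimaryPolicyComponent">
-        <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-            <Type>cw_Sensitive</Type>
-            <Type>cw_Isolated</Type>
-            <Type>cw_Distrusted</Type>
-        </ChineseWallTypes>
-
-        <ConflictSets>
-        <Conflict name="Protection1">
-            <Type>cw_Sensitive</Type>
-            <Type>cw_Distrusted</Type>
-        </Conflict>
-        </ConflictSets>
-	</ChineseWall>
-</SecurityPolicyDefinition>
-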
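--- a/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml	Tue Apr 25 22:55:22 2006 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,167 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--              This file defines the security labels, which can  -->
-<!--              be attached to Domains and resources. Based on    -->
-<!--              these labels, the access control module decides   -->
-<!--              about sharing between Domains and about access    -->
-<!--              of Domains to real resources.                     -->
-
-<SecurityLabelTemplate
- xmlns="http://www.ibm.com"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
-   <LabelHeader>
-      <Name>chwall_ste-security_label_template</Name>
-      <Date>2005-08-10</Date>
-      <PolicyName>
-         <Url>chwall_ste-security_policy.xml</Url>
-         <Reference>abcdef123456abcdef</Reference>
-      </PolicyName>
-   </LabelHeader>
-
-   <SubjectLabels bootstrap="dom_SystemManagement">
-      <!-- single ste typed domains            -->
-      <!-- ACM enforces that only domains with -->
-      <!-- the same type can share information -->
-      <!--                                     -->
-      <!-- Bootstrap label is assigned to Dom0 -->
-      <VirtualMachineLabel>
-      	<Name>dom_HomeBanking</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_PersonalFinances</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_Sensitive</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-      	<Name>dom_Fun</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_InternetInsecure</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_Distrusted</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- donating some cycles to seti@home -->
-      	<Name>dom_BoincClient</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_DonatedCycles</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_Isolated</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <!-- Domains with multiple ste types services; such domains   -->
-      <!-- must keep the types inside their domain safely confined. -->
-      <VirtualMachineLabel>
-      	<Name>dom_SystemManagement</Name>
-         <SimpleTypeEnforcementTypes>
-            <!-- since dom0 needs access to every domain and -->
-            <!-- resource right now ... -->
-            <Type>ste_SystemManagement</Type>
-            <Type>ste_PersonalFinances</Type>
-            <Type>ste_InternetInsecure</Type>
-            <Type>ste_DonatedCycles</Type>
-            <Type>ste_PersistentStorageA</Type>
-            <Type>ste_NetworkAdapter0</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- serves persistent storage to other domains -->
-      	<Name>dom_StorageDomain</Name>
-         <SimpleTypeEnforcementTypes>
-            <!-- access right to the resource (hard drive a) -->
-            <Type>ste_PersistentStorageA</Type>
-            <!-- can serve following types -->
-            <Type>ste_PersonalFinances</Type>
-            <Type>ste_InternetInsecure</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-
-      <VirtualMachineLabel>
-        <!-- serves network access to other domains -->
-      	<Name>dom_NetworkDomain</Name>
-         <SimpleTypeEnforcementTypes>
-            <!-- access right to the resource (ethernet card) -->
-            <Type>ste_NetworkAdapter0</Type>
-            <!-- can serve following types -->
-            <Type>ste_PersonalFinances</Type>
-            <Type>ste_InternetInsecure</Type>
-            <Type>ste_DonatedCycles</Type>
-         </SimpleTypeEnforcementTypes>
-
-         <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-         </ChineseWallTypes>
-      </VirtualMachineLabel>
-   </SubjectLabels>
-
-   <ObjectLabels>
-      <ResourceLabel>
-      	<Name>res_ManagementResource</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_SystemManagement</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_HardDrive (hda)</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_PersistentStorageA</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_LogicalDiskPartition1 (hda1)</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_PersonalFinances</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_LogicalDiskPartition2 (hda2)</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_InternetInsecure</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_EthernetCard</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_NetworkAdapter0</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_SecurityToken</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_PersonalFinances</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-
-      <ResourceLabel>
-      	<Name>res_GraphicsAdapter</Name>
-         <SimpleTypeEnforcementTypes>
-            <Type>ste_SystemManagement</Type>
-         </SimpleTypeEnforcementTypes>
-      </ResourceLabel>
-   </ObjectLabels>
-</SecurityLabelTemplate>
-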
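--- a/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml	Tue Apr 25 22:55:22 2006 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--             This file defines the security policies, which     -->
-<!--             can be enforced by the Xen Access Control Module.  -->
-<!--             Currently: Chinese Wall and Simple Type Enforcement-->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
-<PolicyHeader>
-		<Name>chwall_ste-security_policy</Name>
-		<Date>2005-08-10</Date>
-</PolicyHeader>
-<!--                                                        -->
-<!-- example of a simple type enforcement policy definition -->
-<!--                                                        -->
-	<SimpleTypeEnforcement>
-        <SimpleTypeEnforcementTypes>
-            <Type>ste_SystemManagement</Type>   <!-- machine/security management -->
-            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
-            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
-            <Type>ste_DonatedCycles</Type>      <!-- donation to BOINC/seti@home -->
-            <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A-->
-            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain managing ethernet adapter 0-->
-        </SimpleTypeEnforcementTypes>
-	</SimpleTypeEnforcement>
-<!--                                             -->
-<!-- example of a chinese wall type definition   -->
-<!-- along with its conflict sets                -->
-<!-- (typse in a confict set are exclusive, i.e. -->
-<!--  once a Domain with one type of a set is    -->
-<!--  running, no other Domain with another type -->
-<!--  of the same conflict set can start.)       -->
-	<ChineseWall priority="PrimaryPolicyComponent">
-        <ChineseWallTypes>
-            <Type>cw_SystemManagement</Type>
-            <Type>cw_Sensitive</Type>
-            <Type>cw_Isolated</Type>
-            <Type>cw_Distrusted</Type>
-        </ChineseWallTypes>
-
-        <ConflictSets>
-        <Conflict name="Protection1">
-            <Type>cw_Sensitive</Type>
-            <Type>cw_Distrusted</Type>
-        </Conflict>
-        </ConflictSets>
-	</ChineseWall>
-</SecurityPolicyDefinition>
-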
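--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/example/chwall/client_v1-security_policy.xml	Tue Apr 25 23:35:55 2006 -0600
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.chwall.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/chwall/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+	</PolicyHeader>
+	<!--                                             -->
+	<!-- example of a chinese wall type definition   -->
+	<!-- along with its conflict sets                -->
+	<!-- (typse in a confict set are exclusive, i.e. -->
+	<!--  once a Domain with one type of a set is    -->
+	<!--  running, no other Domain with another type -->
+	<!--  of the same conflict set can start.)       -->
+	<ChineseWall priority="PrimaryPolicyComponent">
+		<ChineseWallTypes>
+			<Type>cw_SystemManagement</Type>
+			<Type>cw_Sensitive</Type>
+			<Type>cw_Isolated</Type>
+			<Type>cw_Distrusted</Type>
+		</ChineseWallTypes>
+		<ConflictSets>
+			<Conflict name="Protection1">
+				<Type>cw_Sensitive</Type>
+				<Type>cw_Distrusted</Type>
+			</Conflict>
+		</ConflictSets>
+	</ChineseWall>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<ChineseWallTypes>
+					<Type>cw_Sensitive</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<ChineseWallTypes>
+					<Type>cw_Distrusted</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<ChineseWallTypes>
+					<Type>cw_Isolated</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+	</SecurityLabelTemplate>
+
+</SecurityPolicyDefinition>
+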
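Review bot: The comments under SubjectLabels in this Chinese-Wall-only policy still describe Simple Type Enforcement ("single ste typed domains", "only domains with the same type can share information", "Domains with multiple ste types services"), but the file defines no SimpleTypeEnforcement component and every label carries only ChineseWallTypes, so a reader copying this example is told about a sharing restriction the policy does not enforce. Suggest replacing the first block with `<!-- single chinese wall typed domains; the conflict set above decides which of them may run concurrently -->` and the second with `<!-- service domains for the other labels -->`, or dropping them. Separately, the xsi:schemaLocation value on the root element ends with a blank inside the quotes; schemaLocation is a whitespace-separated list of namespace/location pairs, so lenient parsers accept it but a strict validator may not, and it should read `xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd"` here and in the chwall_ste and ste client_v1 files added by this changeset, which carry the same trailing blank.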
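--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml	Tue Apr 25 23:35:55 2006 -0600
@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.chwall_ste.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/chwall_ste/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+	</PolicyHeader>
+	<!--                                                        -->
+	<!-- example of a simple type enforcement policy definition -->
+	<!--                                                        -->
+	<SimpleTypeEnforcement>
+		<SimpleTypeEnforcementTypes>
+			<Type>ste_SystemManagement</Type><!-- machine/security management -->
+			<Type>ste_PersonalFinances</Type><!-- personal finances -->
+			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
+			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
+			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
+			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
+		</SimpleTypeEnforcementTypes>
+	</SimpleTypeEnforcement>
+	<!--                                             -->
+	<!-- example of a chinese wall type definition   -->
+	<!-- along with its conflict sets                -->
+	<!-- (typse in a confict set are exclusive, i.e. -->
+	<!--  once a Domain with one type of a set is    -->
+	<!--  running, no other Domain with another type -->
+	<!--  of the same conflict set can start.)       -->
+	<ChineseWall priority="PrimaryPolicyComponent">
+		<ChineseWallTypes>
+			<Type>cw_SystemManagement</Type>
+			<Type>cw_Sensitive</Type>
+			<Type>cw_Isolated</Type>
+			<Type>cw_Distrusted</Type>
+		</ChineseWallTypes>
+
+		<ConflictSets>
+			<Conflict name="Protection1">
+				<Type>cw_Sensitive</Type>
+				<Type>cw_Distrusted</Type>
+			</Conflict>
+		</ConflictSets>
+	</ChineseWall>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Sensitive</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Distrusted</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Isolated</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- since dom0 needs access to every domain and -->
+					<!-- resource right now ... -->
+					<Type>ste_SystemManagement</Type>
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+					<Type>ste_PersistentStorageA</Type>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (hard drive a) -->
+					<Type>ste_PersistentStorageA</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (ethernet card) -->
+					<Type>ste_NetworkAdapter0</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+
+		<ObjectLabels>
+			<ResourceLabel>
+				<Name>res_ManagementResource</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_HardDrive(hda)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersistentStorageA</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition1(hda1)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition2(hda2)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_EthernetCard</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_SecurityToken</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_GraphicsAdapter</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+		</ObjectLabels>
+	</SecurityLabelTemplate>
+</SecurityPolicyDefinition>
+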
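Review bot: The comment on the dom_SystemManagement label ("since dom0 needs access to every domain and resource right now ...") should spell out the consequence for anyone adapting this example: SubjectLabels names dom_SystemManagement as the bootstrap label, the label lists all six STE types, and cw_SystemManagement appears in no conflict set, so in this policy neither component restricts dom0 at all. Suggest adding `<!-- NOTE: this is the bootstrap (dom0) label; holding every STE type means STE does not confine dom0 in this example -->` after the existing two comment lines. The "can serve following types" comments on dom_StorageDomain and dom_NetworkDomain could likewise note that, apart from dom_SystemManagement, these service labels are the only ones carrying both ste_PersonalFinances and ste_InternetInsecure, whose Chinese Wall counterparts (cw_Sensitive, cw_Distrusted) Protection1 keeps from running together, so separation between those two types rests on the service domains themselves, as the "must keep the types ... safely confined" comment implies.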
    80.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    80.2 +++ b/tools/security/policies/example/ste/client_v1-security_policy.xml	Tue Apr 25 23:35:55 2006 -0600
    80.3 @@ -0,0 +1,149 @@
    80.4 +<?xml version="1.0" encoding="UTF-8"?>
    80.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    80.6 +<!--             This file defines the security policies, which     -->
    80.7 +<!--             can be enforced by the Xen Access Control Module.  -->
    80.8 +<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    80.9 +<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
   80.10 +	<PolicyHeader>
   80.11 +		<PolicyName>example.ste.client_v1</PolicyName>
   80.12 +		<PolicyUrl>www.ibm.com/example/ste/client_v1</PolicyUrl>
   80.13 +		<Date>2006-03-31</Date>
   80.14 +	</PolicyHeader>
   80.15 +	<!--                                                        -->
   80.16 +	<!-- example of a simple type enforcement policy definition -->
   80.17 +	<!--                                                        -->
   80.18 +	<SimpleTypeEnforcement>
   80.19 +		<SimpleTypeEnforcementTypes>
   80.20 +			<Type>ste_SystemManagement</Type><!-- machine/security management -->
   80.21 +			<Type>ste_PersonalFinances</Type><!-- personal finances -->
   80.22 +			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
   80.23 +			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
   80.24 +			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
   80.25 +			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
   80.26 +		</SimpleTypeEnforcementTypes>
   80.27 +	</SimpleTypeEnforcement>
   80.28 +	<SecurityLabelTemplate>
   80.29 +		<SubjectLabels bootstrap="dom_SystemManagement">
   80.30 +			<!-- single ste typed domains            -->
   80.31 +			<!-- ACM enforces that only domains with -->
   80.32 +			<!-- the same type can share information -->
   80.33 +			<!--                                     -->
   80.34 +			<!-- Bootstrap label is assigned to Dom0 -->
   80.35 +			<VirtualMachineLabel>
   80.36 +				<Name>dom_HomeBanking</Name>
   80.37 +				<SimpleTypeEnforcementTypes>
   80.38 +					<Type>ste_PersonalFinances</Type>
   80.39 +				</SimpleTypeEnforcementTypes>
   80.40 +			</VirtualMachineLabel>
   80.41 +
   80.42 +			<VirtualMachineLabel>
   80.43 +				<Name>dom_Fun</Name>
   80.44 +				<SimpleTypeEnforcementTypes>
   80.45 +					<Type>ste_InternetInsecure</Type>
   80.46 +				</SimpleTypeEnforcementTypes>
   80.47 +			</VirtualMachineLabel>
   80.48 +
   80.49 +			<VirtualMachineLabel>
   80.50 +				<!-- donating some cycles to seti@home -->
   80.51 +				<Name>dom_BoincClient</Name>
   80.52 +				<SimpleTypeEnforcementTypes>
   80.53 +					<Type>ste_DonatedCycles</Type>
   80.54 +				</SimpleTypeEnforcementTypes>
   80.55 +			</VirtualMachineLabel>
   80.56 +
   80.57 +			<!-- Domains with multiple ste types services; such domains   -->
   80.58 +			<!-- must keep the types inside their domain safely confined. -->
   80.59 +			<VirtualMachineLabel>
   80.60 +				<Name>dom_SystemManagement</Name>
   80.61 +				<SimpleTypeEnforcementTypes>
   80.62 +					<!-- since dom0 needs access to every domain and -->
   80.63 +					<!-- resource right now ... -->
   80.64 +					<Type>ste_SystemManagement</Type>
   80.65 +					<Type>ste_PersonalFinances</Type>
   80.66 +					<Type>ste_InternetInsecure</Type>
   80.67 +					<Type>ste_DonatedCycles</Type>
   80.68 +					<Type>ste_PersistentStorageA</Type>
   80.69 +					<Type>ste_NetworkAdapter0</Type>
   80.70 +				</SimpleTypeEnforcementTypes>
   80.71 +			</VirtualMachineLabel>
   80.72 +
   80.73 +			<VirtualMachineLabel>
   80.74 +				<!-- serves persistent storage to other domains -->
   80.75 +				<Name>dom_StorageDomain</Name>
   80.76 +				<SimpleTypeEnforcementTypes>
   80.77 +					<!-- access right to the resource (hard drive a) -->
   80.78 +					<Type>ste_PersistentStorageA</Type>
   80.79 +					<!-- can serve following types -->
   80.80 +					<Type>ste_PersonalFinances</Type>
   80.81 +					<Type>ste_InternetInsecure</Type>
   80.82 +				</SimpleTypeEnforcementTypes>
   80.83 +			</VirtualMachineLabel>
   80.84 +
   80.85 +			<VirtualMachineLabel>
   80.86 +				<!-- serves network access to other domains -->
   80.87 +				<Name>dom_NetworkDomain</Name>
   80.88 +				<SimpleTypeEnforcementTypes>
   80.89 +					<!-- access right to the resource (ethernet card) -->
   80.90 +					<Type>ste_NetworkAdapter0</Type>
   80.91 +					<!-- can serve following types -->
   80.92 +					<Type>ste_PersonalFinances</Type>
   80.93 +					<Type>ste_InternetInsecure</Type>
   80.94 +					<Type>ste_DonatedCycles</Type>
   80.95 +				</SimpleTypeEnforcementTypes>
   80.96 +			</VirtualMachineLabel>
   80.97 +		</SubjectLabels>
   80.98 +
   80.99 +		<ObjectLabels>
  80.100 +			<ResourceLabel>
  80.101 +				<Name>res_ManagementResource</Name>
  80.102 +				<SimpleTypeEnforcementTypes>
  80.103 +					<Type>ste_SystemManagement</Type>
  80.104 +				</SimpleTypeEnforcementTypes>
  80.105 +			</ResourceLabel>
  80.106 +
  80.107 +			<ResourceLabel>
  80.108 +				<Name>res_HardDrive(hda)</Name>
  80.109 +				<SimpleTypeEnforcementTypes>
  80.110 +					<Type>ste_PersistentStorageA</Type>
  80.111 +				</SimpleTypeEnforcementTypes>
  80.112 +			</ResourceLabel>
  80.113 +
  80.114 +			<ResourceLabel>
  80.115 +				<Name>res_LogicalDiskPartition1(hda1)</Name>
  80.116 +				<SimpleTypeEnforcementTypes>
  80.117 +					<Type>ste_PersonalFinances</Type>
  80.118 +				</SimpleTypeEnforcementTypes>
  80.119 +			</ResourceLabel>
  80.120 +
  80.121 +			<ResourceLabel>
  80.122 +				<Name>res_LogicalDiskPartition2(hda2)</Name>
  80.123 +				<SimpleTypeEnforcementTypes>
  80.124 +					<Type>ste_InternetInsecure</Type>
  80.125 +				</SimpleTypeEnforcementTypes>
  80.126 +			</ResourceLabel>
  80.127 +
  80.128 +			<ResourceLabel>
  80.129 +				<Name>res_EthernetCard</Name>
  80.130 +				<SimpleTypeEnforcementTypes>
  80.131 +					<Type>ste_NetworkAdapter0</Type>
  80.132 +				</SimpleTypeEnforcementTypes>
  80.133 +			</ResourceLabel>
  80.134 +
  80.135 +			<ResourceLabel>
  80.136 +				<Name>res_SecurityToken</Name>
  80.137 +				<SimpleTypeEnforcementTypes>
  80.138 +					<Type>ste_PersonalFinances</Type>
  80.139 +				</SimpleTypeEnforcementTypes>
  80.140 +			</ResourceLabel>
  80.141 +
  80.142 +			<ResourceLabel>
  80.143 +				<Name>res_GraphicsAdapter</Name>
  80.144 +				<SimpleTypeEnforcementTypes>
  80.145 +					<Type>ste_SystemManagement</Type>
  80.146 +				</SimpleTypeEnforcementTypes>
  80.147 +			</ResourceLabel>
  80.148 +		</ObjectLabels>
  80.149 +	</SecurityLabelTemplate>
  80.150 +
  80.151 +</SecurityPolicyDefinition>
  80.152 +
    81.1 --- a/tools/security/policies/null/null-security_label_template.xml	Tue Apr 25 22:55:22 2006 -0600
    81.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    81.3 @@ -1,24 +0,0 @@
    81.4 -<?xml version="1.0"?>
    81.5 -<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    81.6 -<!--              This file defines the security labels, which can  -->
    81.7 -<!--              be attached to Domains and resources. Based on    -->
    81.8 -<!--              these labels, the access control module decides   -->
    81.9 -<!--              about sharing between Domains and about access    -->
   81.10 -<!--              of Domains to real resources.                     -->
   81.11 -
   81.12 -<SecurityLabelTemplate
   81.13 - xmlns="http://www.ibm.com"
   81.14 - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   81.15 - xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   81.16 -   <LabelHeader>
   81.17 -      <Name>null-security_label_template</Name>
   81.18 -
   81.19 -      <Date>2005-08-10</Date>
   81.20 -      <PolicyName>
   81.21 -         <Url>null-security_policy.xml</Url>
   81.22 -
   81.23 -         <Reference>abcdef123456abcdef</Reference>
   81.24 -      </PolicyName>
   81.25 -   </LabelHeader>
   81.26 -</SecurityLabelTemplate>
   81.27 -
    82.1 --- a/tools/security/policies/null/null-security_policy.xml	Tue Apr 25 22:55:22 2006 -0600
    82.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    82.3 @@ -1,14 +0,0 @@
    82.4 -<?xml version="1.0" encoding="UTF-8"?>
    82.5 -<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    82.6 -<!--             This file defines the security policies, which     -->
    82.7 -<!--             can be enforced by the Xen Access Control Module.  -->
    82.8 -<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    82.9 -<SecurityPolicyDefinition xmlns="http://www.ibm.com"
   82.10 - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   82.11 - xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   82.12 -<PolicyHeader>
   82.13 -		<Name>null-security_policy</Name>
   82.14 -		<Date>2005-08-10</Date>
   82.15 -</PolicyHeader>
   82.16 -</SecurityPolicyDefinition>
   82.17 -
    83.1 --- a/tools/security/policies/security_policy.xsd	Tue Apr 25 22:55:22 2006 -0600
    83.2 +++ b/tools/security/policies/security_policy.xsd	Tue Apr 25 23:35:55 2006 -0600
    83.3 @@ -1,22 +1,50 @@
    83.4  <?xml version="1.0" encoding="UTF-8"?>
    83.5  <!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
    83.6  <!--         This file defines the schema, which is used to define -->
    83.7 -<!--         the security policy and the security labels in Xe.    -->
    83.8 +<!--         the security policy and the security labels in Xen.    -->
    83.9  
   83.10  <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com" elementFormDefault="qualified">
   83.11  	<xsd:element name="SecurityPolicyDefinition">
   83.12  		<xsd:complexType>
   83.13  			<xsd:sequence>
   83.14 -				<xsd:element ref="PolicyHeader" minOccurs="0" maxOccurs="1"></xsd:element>
   83.15 +				<xsd:element ref="PolicyHeader" minOccurs="1" maxOccurs="1"></xsd:element>
   83.16  				<xsd:element ref="SimpleTypeEnforcement" minOccurs="0" maxOccurs="1"></xsd:element>
   83.17  				<xsd:element ref="ChineseWall" minOccurs="0" maxOccurs="1"></xsd:element>
   83.18 +				<xsd:element ref="SecurityLabelTemplate" minOccurs="1" maxOccurs="1"></xsd:element>
   83.19  			</xsd:sequence>
   83.20  		</xsd:complexType>
   83.21  	</xsd:element>
   83.22 +	<xsd:element name="PolicyHeader">
   83.23 +		<xsd:complexType>
   83.24 +			<xsd:sequence>
   83.25 +				<xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"></xsd:element>
   83.26 +				<xsd:element name="PolicyUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
   83.27 +				<xsd:element name="Reference" type="xsd:string" minOccurs="0" maxOccurs="1" />
   83.28 +				<xsd:element name="Date" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
   83.29 +				<xsd:element name="NameSpaceUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
   83.30 +			</xsd:sequence>
   83.31 +		</xsd:complexType>
   83.32 +	</xsd:element>
   83.33 +	<xsd:element name="ChineseWall">
   83.34 +		<xsd:complexType>
   83.35 +			<xsd:sequence>
   83.36 +				<xsd:element ref="ChineseWallTypes" minOccurs="1" maxOccurs="1" />
   83.37 +				<xsd:element ref="ConflictSets" minOccurs="0" maxOccurs="1" />
   83.38 +			</xsd:sequence>
   83.39 +			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   83.40 +		</xsd:complexType>
   83.41 +	</xsd:element>
   83.42 +	<xsd:element name="SimpleTypeEnforcement">
   83.43 +		<xsd:complexType>
   83.44 +			<xsd:sequence>
   83.45 +				<xsd:element ref="SimpleTypeEnforcementTypes" />
   83.46 +			</xsd:sequence>
   83.47 +			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   83.48 +		</xsd:complexType>
   83.49 +	</xsd:element>
   83.50  	<xsd:element name="SecurityLabelTemplate">
   83.51  		<xsd:complexType>
   83.52  			<xsd:sequence>
   83.53 -				<xsd:element ref="LabelHeader" minOccurs="1" maxOccurs="1"></xsd:element>
   83.54  				<xsd:element name="SubjectLabels" minOccurs="0" maxOccurs="1">
   83.55  					<xsd:complexType>
   83.56  						<xsd:sequence>
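Review bot: Nothing in the schema stops both `<ChineseWall>` and `<SimpleTypeEnforcement>` from carrying `priority="PrimaryPolicyComponent"` (the only value PolicyOrder allows), so a policy that declares two primary components still validates and the loader or policy tools must reject it themselves; that is worth stating next to the attribute, e.g. `<!-- at most one of ChineseWall/SimpleTypeEnforcement may be the PrimaryPolicyComponent; checked by the policy tools, not by this schema -->`. The rewritten ChineseWall element also makes ConflictSets optional, whereas the definition removed in the next hunk required it, so a Chinese Wall section with types but no conflict sets now validates and enforces nothing — if that relaxation is intended, say so in a comment. Date stays typed as xsd:string; a stricter xsd:date would reject the `%Y-%m-%d %H:%M:%S` stamps that policy.cgi's getCurrentTime writes, so either keep the string type or change both sides together.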
   83.57 @@ -35,40 +63,6 @@
   83.58  			</xsd:sequence>
   83.59  		</xsd:complexType>
   83.60  	</xsd:element>
   83.61 -	<xsd:element name="PolicyHeader">
   83.62 -		<xsd:complexType>
   83.63 -			<xsd:sequence>
   83.64 -				<xsd:element ref="Name" minOccurs="1" maxOccurs="1" />
   83.65 -				<xsd:element ref="Date" minOccurs="1" maxOccurs="1" />
   83.66 -			</xsd:sequence>
   83.67 -		</xsd:complexType>
   83.68 -	</xsd:element>
   83.69 -	<xsd:element name="LabelHeader">
   83.70 -		<xsd:complexType>
   83.71 -			<xsd:sequence>
   83.72 -				<xsd:element ref="Name"></xsd:element>
   83.73 -				<xsd:element ref="Date" minOccurs="1" maxOccurs="1"></xsd:element>
   83.74 -				<xsd:element ref="PolicyName" minOccurs="1" maxOccurs="1"></xsd:element>
   83.75 -			</xsd:sequence>
   83.76 -		</xsd:complexType>
   83.77 -	</xsd:element>
   83.78 -	<xsd:element name="SimpleTypeEnforcement">
   83.79 -		<xsd:complexType>
   83.80 -			<xsd:sequence>
   83.81 -				<xsd:element ref="SimpleTypeEnforcementTypes" />
   83.82 -			</xsd:sequence>
   83.83 -			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   83.84 -		</xsd:complexType>
   83.85 -	</xsd:element>
   83.86 -	<xsd:element name="ChineseWall">
   83.87 -		<xsd:complexType>
   83.88 -			<xsd:sequence>
   83.89 -				<xsd:element ref="ChineseWallTypes" />
   83.90 -				<xsd:element ref="ConflictSets" />
   83.91 -			</xsd:sequence>
   83.92 -			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   83.93 -		</xsd:complexType>
   83.94 -	</xsd:element>
   83.95  	<xsd:element name="ChineseWallTypes">
   83.96  		<xsd:complexType>
   83.97  			<xsd:sequence>
   83.98 @@ -115,24 +109,11 @@
   83.99  			</xsd:sequence>
  83.100  		</xsd:complexType>
  83.101  	</xsd:element>
  83.102 -	<xsd:element name="PolicyName">
  83.103 -		<xsd:complexType>
  83.104 -			<xsd:sequence>
  83.105 -				<xsd:element ref="Url" />
  83.106 -				<xsd:element ref="Reference" />
  83.107 -			</xsd:sequence>
  83.108 -		</xsd:complexType>
  83.109 -	</xsd:element>
  83.110 -	<xsd:element name="Date" type="xsd:string" />
  83.111  	<xsd:element name="Name" type="xsd:string" />
  83.112  	<xsd:element name="Type" type="xsd:string" />
  83.113 -	<xsd:element name="Reference" type="xsd:string" />
  83.114 -	<xsd:element name="Url"></xsd:element>
  83.115 -
  83.116  	<xsd:simpleType name="PolicyOrder">
  83.117  		<xsd:restriction base="xsd:string">
  83.118  			<xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration>
  83.119  		</xsd:restriction>
  83.120  	</xsd:simpleType>
  83.121 -
  83.122  </xsd:schema>
    84.1 --- a/tools/security/policies/ste/ste-security_label_template.xml	Tue Apr 25 22:55:22 2006 -0600
    84.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    84.3 @@ -1,143 +0,0 @@
    84.4 -<?xml version="1.0"?>
    84.5 -<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    84.6 -<!--              This file defines the security labels, which can  -->
    84.7 -<!--              be attached to Domains and resources. Based on    -->
    84.8 -<!--              these labels, the access control module decides   -->
    84.9 -<!--              about sharing between Domains and about access    -->
   84.10 -<!--              of Domains to real resources.                     -->
   84.11 -
   84.12 -<SecurityLabelTemplate
   84.13 - xmlns="http://www.ibm.com"
   84.14 - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   84.15 - xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   84.16 -   <LabelHeader>
   84.17 -      <Name>ste-security_label_template</Name>
   84.18 -      <Date>2005-08-10</Date>
   84.19 -      <PolicyName>
   84.20 -         <Url>ste-security_policy.xml</Url>
   84.21 -         <Reference>abcdef123456abcdef</Reference>
   84.22 -      </PolicyName>
   84.23 -   </LabelHeader>
   84.24 -
   84.25 -   <SubjectLabels bootstrap="dom_SystemManagement">
   84.26 -      <!-- single ste typed domains            -->
   84.27 -      <!-- ACM enforces that only domains with -->
   84.28 -      <!-- the same type can share information -->
   84.29 -      <!--                                     -->
   84.30 -      <!-- Bootstrap label is assigned to Dom0 -->
   84.31 -      <VirtualMachineLabel>
   84.32 -      	<Name>dom_HomeBanking</Name>
   84.33 -         <SimpleTypeEnforcementTypes>
   84.34 -            <Type>ste_PersonalFinances</Type>
   84.35 -         </SimpleTypeEnforcementTypes>
   84.36 -      </VirtualMachineLabel>
   84.37 -
   84.38 -      <VirtualMachineLabel>
   84.39 -      	<Name>dom_Fun</Name>
   84.40 -         <SimpleTypeEnforcementTypes>
   84.41 -            <Type>ste_InternetInsecure</Type>
   84.42 -         </SimpleTypeEnforcementTypes>
   84.43 -      </VirtualMachineLabel>
   84.44 -
   84.45 -      <VirtualMachineLabel>
   84.46 -        <!-- donating some cycles to seti@home -->
   84.47 -      	<Name>dom_BoincClient</Name>
   84.48 -         <SimpleTypeEnforcementTypes>
   84.49 -            <Type>ste_DonatedCycles</Type>
   84.50 -         </SimpleTypeEnforcementTypes>
   84.51 -      </VirtualMachineLabel>
   84.52 -
   84.53 -      <!-- Domains with multiple ste types services; such domains   -->
   84.54 -      <!-- must keep the types inside their domain safely confined. -->
   84.55 -      <VirtualMachineLabel>
   84.56 -      	<Name>dom_SystemManagement</Name>
   84.57 -         <SimpleTypeEnforcementTypes>
   84.58 -            <!-- since dom0 needs access to every domain and -->
   84.59 -            <!-- resource right now ... -->
   84.60 -            <Type>ste_SystemManagement</Type>
   84.61 -            <Type>ste_PersonalFinances</Type>
   84.62 -            <Type>ste_InternetInsecure</Type>
   84.63 -            <Type>ste_DonatedCycles</Type>
   84.64 -            <Type>ste_PersistentStorageA</Type>
   84.65 -            <Type>ste_NetworkAdapter0</Type>
   84.66 -         </SimpleTypeEnforcementTypes>
   84.67 -      </VirtualMachineLabel>
   84.68 -
   84.69 -      <VirtualMachineLabel>
   84.70 -        <!-- serves persistent storage to other domains -->
   84.71 -      	<Name>dom_StorageDomain</Name>
   84.72 -         <SimpleTypeEnforcementTypes>
   84.73 -            <!-- access right to the resource (hard drive a) -->
   84.74 -            <Type>ste_PersistentStorageA</Type>
   84.75 -            <!-- can serve following types -->
   84.76 -            <Type>ste_PersonalFinances</Type>
   84.77 -            <Type>ste_InternetInsecure</Type>
   84.78 -         </SimpleTypeEnforcementTypes>
   84.79 -      </VirtualMachineLabel>
   84.80 -
   84.81 -      <VirtualMachineLabel>
   84.82 -        <!-- serves network access to other domains -->
   84.83 -      	<Name>dom_NetworkDomain</Name>
   84.84 -         <SimpleTypeEnforcementTypes>
   84.85 -            <!-- access right to the resource (ethernet card) -->
   84.86 -            <Type>ste_NetworkAdapter0</Type>
   84.87 -            <!-- can serve following types -->
   84.88 -            <Type>ste_PersonalFinances</Type>
   84.89 -            <Type>ste_InternetInsecure</Type>
   84.90 -            <Type>ste_DonatedCycles</Type>
   84.91 -         </SimpleTypeEnforcementTypes>
   84.92 -      </VirtualMachineLabel>
   84.93 -   </SubjectLabels>
   84.94 -
   84.95 -   <ObjectLabels>
   84.96 -      <ResourceLabel>
   84.97 -      	<Name>res_ManagementResource</Name>
   84.98 -         <SimpleTypeEnforcementTypes>
   84.99 -            <Type>ste_SystemManagement</Type>
  84.100 -         </SimpleTypeEnforcementTypes>
  84.101 -      </ResourceLabel>
  84.102 -
  84.103 -      <ResourceLabel>
  84.104 -      	<Name>res_HardDrive (hda)</Name>
  84.105 -         <SimpleTypeEnforcementTypes>
  84.106 -            <Type>ste_PersistentStorageA</Type>
  84.107 -         </SimpleTypeEnforcementTypes>
  84.108 -      </ResourceLabel>
  84.109 -
  84.110 -      <ResourceLabel>
  84.111 -      	<Name>res_LogicalDiskPartition1 (hda1)</Name>
  84.112 -         <SimpleTypeEnforcementTypes>
  84.113 -            <Type>ste_PersonalFinances</Type>
  84.114 -         </SimpleTypeEnforcementTypes>
  84.115 -      </ResourceLabel>
  84.116 -
  84.117 -      <ResourceLabel>
  84.118 -      	<Name>res_LogicalDiskPartition2 (hda2)</Name>
  84.119 -         <SimpleTypeEnforcementTypes>
  84.120 -            <Type>ste_InternetInsecure</Type>
  84.121 -         </SimpleTypeEnforcementTypes>
  84.122 -      </ResourceLabel>
  84.123 -
  84.124 -      <ResourceLabel>
  84.125 -      	<Name>res_EthernetCard</Name>
  84.126 -         <SimpleTypeEnforcementTypes>
  84.127 -            <Type>ste_NetworkAdapter0</Type>
  84.128 -         </SimpleTypeEnforcementTypes>
  84.129 -      </ResourceLabel>
  84.130 -
  84.131 -      <ResourceLabel>
  84.132 -      	<Name>res_SecurityToken</Name>
  84.133 -         <SimpleTypeEnforcementTypes>
  84.134 -            <Type>ste_PersonalFinances</Type>
  84.135 -         </SimpleTypeEnforcementTypes>
  84.136 -      </ResourceLabel>
  84.137 -
  84.138 -      <ResourceLabel>
  84.139 -      	<Name>res_GraphicsAdapter</Name>
  84.140 -         <SimpleTypeEnforcementTypes>
  84.141 -            <Type>ste_SystemManagement</Type>
  84.142 -         </SimpleTypeEnforcementTypes>
  84.143 -      </ResourceLabel>
  84.144 -   </ObjectLabels>
  84.145 -</SecurityLabelTemplate>
  84.146 -
    85.1 --- a/tools/security/policies/ste/ste-security_policy.xml	Tue Apr 25 22:55:22 2006 -0600
    85.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    85.3 @@ -1,27 +0,0 @@
    85.4 -<?xml version="1.0" encoding="UTF-8"?>
    85.5 -<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    85.6 -<!--             This file defines the security policies, which     -->
    85.7 -<!--             can be enforced by the Xen Access Control Module.  -->
    85.8 -<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    85.9 -<SecurityPolicyDefinition xmlns="http://www.ibm.com"
   85.10 - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   85.11 - xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   85.12 -<PolicyHeader>
   85.13 -		<Name>ste-security_policy</Name>
   85.14 -		<Date>2005-08-10</Date>
   85.15 -</PolicyHeader>
   85.16 -<!--                                                        -->
   85.17 -<!-- example of a simple type enforcement policy definition -->
   85.18 -<!--                                                        -->
   85.19 -	<SimpleTypeEnforcement>
   85.20 -        <SimpleTypeEnforcementTypes>
   85.21 -            <Type>ste_SystemManagement</Type>   <!-- machine/security management -->
   85.22 -            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
   85.23 -            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
   85.24 -            <Type>ste_DonatedCycles</Type>      <!-- donation to BOINC/seti@home -->
   85.25 -            <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A-->
   85.26 -            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain managing ethernet adapter 0-->
   85.27 -        </SimpleTypeEnforcementTypes>
   85.28 -	</SimpleTypeEnforcement>
   85.29 -</SecurityPolicyDefinition>
   85.30 -
    86.1 --- a/tools/security/policy.txt	Tue Apr 25 22:55:22 2006 -0600
    86.2 +++ b/tools/security/policy.txt	Tue Apr 25 23:35:55 2006 -0600
    86.3 @@ -59,22 +59,34 @@ migrate). These controls decide based on
    86.4  configuration (see i. and ii.) if the operation proceeds of if the
    86.5  operation is aborted (denied).
    86.6  
    86.7 -
    86.8  In general, security policy instantiations in the Xen access control
    86.9 -framework are defined by two files:
   86.10 -
   86.11 -a) a single "policy-name"-security_policy.xml file that defines the
   86.12 -types known to the ACM and policy rules based on these types
   86.13 +framework are defined by XML policy files. Each security policy has
   86.14 +exactly one file including all the information the hypervisor needs to
   86.15 +enforce the policy.
   86.16  
   86.17 -b) a single "policy-name"-security_label_template.xml file that
   86.18 -defines labels based on known types
   86.19 +The name of a policy is unique and consists of a colon-separated list
   86.20 +of names, which can be translated into the location (subtree) where
   86.21 +this policy must be located. The last part of the name is the file
   86.22 +name pre-fix for the policy xml file. The preceding name parts are
   86.23 +translated into the local path relative to the global policy root
   86.24 +(/etc/xen/acm-security/policies) pointing to the policy xml file. For
   86.25 +example: example.chwall_ste.client_v1 denotes the policy file
   86.26 +example/chwall_ste/client_v1-security_policy.xml relative to the
   86.27 +global policy root directory.
   86.28  
   86.29 -Every security policy has its own sub-directory under
   86.30 -"Xen-root"/tools/security/policies in order to simplify their
   86.31 -management and the security policy tools. We will describe those files
   86.32 -for our example policy (Chinese Wall and Simple Type Enforcement) in
   86.33 -more detail as we go along. Eventually, we will move towards a system
   86.34 -installation where the policies will reside under /etc.
   86.35 +Every security policy has its own sub-directory under the global
   86.36 +policy root directory /etc/xen/acm-security/policies, which is
   86.37 +installed during the Xen installation or can be manually installed
   86.38 +(when switching from a "security disabled" Xen to a "security enabled"
   86.39 +Xen AFTER configuring security, see install.txt) by the command
   86.40 +sequence:
   86.41 +
   86.42 +   cd "Xen-root"/tools/security/policies; make install
   86.43 +
   86.44 +We will describe those files for our example policy (Chinese Wall and
   86.45 +Simple Type Enforcement) in more detail as we go along. Eventually, we
   86.46 +will move towards a system installation where the policies will reside
   86.47 +under /etc.
   86.48  
   86.49  
   86.50  CHINESE WALL
   86.51 @@ -117,9 +129,9 @@ constraints where necessary.
   86.52  Example of a Chinese Wall Policy Instantiation
   86.53  ----------------------------------------------
   86.54  
   86.55 -The file chwall-security_policy.xml defines the Chinese Wall types as
   86.56 -well as the conflict sets for our example policy (you find it in the
   86.57 -directory "xen_root"/tools/security/policies/chwall).
   86.58 +The file client_v1-security_policy.xml defines the Chinese Wall types
   86.59 +as well as the conflict sets for our example policy (you find it in
   86.60 +the directory "policy_root"/example/chwall).
   86.61  
   86.62  It defines four Chinese Wall types (prefixed with cw_) with the
   86.63  following meaning:
   86.64 @@ -168,11 +180,11 @@ policy.
   86.65  SIMPLE TYPE ENFORCEMENT
   86.66  =======================
   86.67  
   86.68 -The file ste-security_policy.xml defines the simple type enforcement
   86.69 -types for our example policy (you find it in the directory
   86.70 -"xen_root"/tools/security/policies/ste). The Simple Type Enforcement
   86.71 -policy defines which domains can share information with which other
   86.72 -domains. To this end, it controls
   86.73 +The file client_v1-security_policy.xml defines the simple type
   86.74 +enforcement types for our example policy (you find it in the directory
   86.75 +"policy_root"/example/ste). The Simple Type Enforcement policy defines
   86.76 +which domains can share information with which other domains. To this
   86.77 +end, it controls
   86.78  
   86.79  i) inter-domain communication channels (e.g., network traffic, events,
   86.80  and shared memory).
    87.1 --- a/tools/security/python/xensec_gen/cgi-bin/policy.cgi	Tue Apr 25 22:55:22 2006 -0600
    87.2 +++ b/tools/security/python/xensec_gen/cgi-bin/policy.cgi	Tue Apr 25 23:35:55 2006 -0600
    87.3 @@ -2,7 +2,7 @@
    87.4  #
    87.5  # The Initial Developer of the Original Code is International
    87.6  # Business Machines Corporation. Portions created by IBM
    87.7 -# Corporation are Copyright (C) 2005 International Business
    87.8 +# Corporation are Copyright (C) 2005, 2006 International Business
    87.9  # Machines Corporation. All Rights Reserved.
   87.10  #
   87.11  # This program is free software; you can redistribute it and/or modify
   87.12 @@ -31,9 +31,9 @@ from StringIO import StringIO
   87.13  from sets import Set
   87.14  
   87.15  def getSavedData( ):
   87.16 -	global formData, policyXml, formVariables, formCSNames
   87.17 -	global templateCSMTypes, templateCSMDel, templateCSMType, templateCSMAdd
   87.18 -	global allCSMTypes
   87.19 +	global formData, policyXml
   87.20 +	global formVariables, formCSNames, formVmNames, formResNames
   87.21 +	global allCSMTypes, allVmChWs, allVmStes, allResStes
   87.22  
   87.23  	# Process the XML upload policy file
   87.24  	if formData.has_key( 'i_policy' ):
   87.25 @@ -64,6 +64,46 @@ def getSavedData( ):
   87.26  			if len( dataList ) > 0:
   87.27  				exec 'allCSMTypes[csName][1] = ' + dataList[0]
   87.28  
   87.29 +	# The form can contain any number of "Virtual Machines"
   87.30 +	#   so update the list of form variables to include
   87.31 +	#   each virtual machine (hidden input variable)
   87.32 +	for vmName in formVmNames[1]:
   87.33 +		newVm( vmName )
   87.34 +
   87.35 +		vmFormVar = allVmChWs[vmName]
   87.36 +		if (vmFormVar[2] != '') and formData.has_key( vmFormVar[2] ):
   87.37 +			dataList = formData.getlist( vmFormVar[2] )
   87.38 +			if len( dataList ) > 0:
   87.39 +				if isinstance( vmFormVar[1], list ):
   87.40 +					exec 'vmFormVar[1] = ' + dataList[0]
   87.41 +				else:
   87.42 +					vmFormVar[1] = dataList[0]
   87.43 +
   87.44 +		vmFormVar = allVmStes[vmName]
   87.45 +		if (vmFormVar[2] != '') and formData.has_key( vmFormVar[2] ):
   87.46 +			dataList = formData.getlist( vmFormVar[2] )
   87.47 +			if len( dataList ) > 0:
   87.48 +				if isinstance( vmFormVar[1], list ):
   87.49 +					exec 'vmFormVar[1] = ' + dataList[0]
   87.50 +				else:
   87.51 +					vmFormVar[1] = dataList[0]
   87.52 +
   87.53 +	# The form can contain any number of "Resources"
   87.54 +	#   so update the list of form variables to include
   87.55 +	#   each resource (hidden input variable)
   87.56 +	for resName in formResNames[1]:
   87.57 +		newRes( resName )
   87.58 +
   87.59 +		resFormVar = allResStes[resName]
   87.60 +		if (resFormVar[2] != '') and formData.has_key( resFormVar[2] ):
   87.61 +			dataList = formData.getlist( resFormVar[2] )
   87.62 +			if len( dataList ) > 0:
   87.63 +				if isinstance( resFormVar[1], list ):
   87.64 +					exec 'resFormVar[1] = ' + dataList[0]
   87.65 +				else:
   87.66 +					resFormVar[1] = dataList[0]
   87.67 +
   87.68 +
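Review bot: The three new `exec 'vmFormVar[1] = ' + dataList[0]` / `exec 'resFormVar[1] = ' + dataList[0]` statements execute text taken directly from the submitted form (formData.getlist), so any client that can post to this CGI can run arbitrary Python in the server process; the pre-existing exec for allCSMTypes in the context above has the same shape. The hidden inputs only need to carry a list literal, so parse them with a literal-only parser (`ast.literal_eval`, Python 2.6+, with `import ast` at the top of the file) and check the result is a list before storing it, as in the helper below, which also folds the three copies of the block into one. getSavedData begins in the previous hunk; the loops shown here are its tail.
```python
def getFormVarValue( formVar ):
	# Store the submitted value for one hidden form variable.  List-valued
	# variables arrive as a Python list literal; parse it with literal_eval,
	# which accepts only literals, instead of exec'ing request data.
	dataList = formData.getlist( formVar[2] )
	if len( dataList ) > 0:
		if isinstance( formVar[1], list ):
			value = ast.literal_eval( dataList[0] )
			if isinstance( value, list ):
				formVar[1] = value
		else:
			formVar[1] = dataList[0]

	# … unchanged: newVm( vmName ) …
		for vmFormVar in ( allVmChWs[vmName], allVmStes[vmName] ):
			if (vmFormVar[2] != '') and formData.has_key( vmFormVar[2] ):
				getFormVarValue( vmFormVar )

	# … unchanged: newRes( resName ) …
		resFormVar = allResStes[resName]
		if (resFormVar[2] != '') and formData.has_key( resFormVar[2] ):
			getFormVarValue( resFormVar )
```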
   87.69  def getCurrentTime( ):
   87.70  	return time.strftime( '%Y-%m-%d %H:%M:%S', time.localtime( ) )
   87.71  
   87.72 @@ -77,14 +117,49 @@ def getName( domNode ):
   87.73  	for childNode in nameNodes[0].childNodes:
   87.74  		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
   87.75  			name = name + childNode.data
   87.76 +	return name
   87.77 +
   87.78 +def getPolicyName( domNode ):
   87.79 +	nameNodes = domNode.getElementsByTagName( 'PolicyName' )
   87.80 +	if len( nameNodes ) == 0:
   87.81 +		formatXmlError( '"<PolicyName>" tag is missing' )
   87.82 +		return None
   87.83 +
   87.84 +	name = ''
   87.85 +	for childNode in nameNodes[0].childNodes:
   87.86 +		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
   87.87 +			name = name + childNode.data
   87.88  
   87.89  	return name
   87.90  
   87.91 +def getUrl( domNode ):
   87.92 +	urlNodes = domNode.getElementsByTagName( 'PolicyUrl' )
   87.93 +	if len( urlNodes ) == 0:
   87.94 +		return ''
   87.95 +
   87.96 +	url = ''
   87.97 +	for childNode in urlNodes[0].childNodes:
   87.98 +		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
   87.99 +			url = url + childNode.data
  87.100 +
  87.101 +	return url
  87.102 +
  87.103 +def getRef( domNode ):
  87.104 +	refNodes = domNode.getElementsByTagName( 'Reference' )
  87.105 +	if len( refNodes ) == 0:
  87.106 +		return ''
  87.107 +
  87.108 +	ref = ''
  87.109 +	for childNode in refNodes[0].childNodes:
  87.110 +		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
  87.111 +			ref = ref + childNode.data
  87.112 +
  87.113 +	return ref
  87.114 +
  87.115  def getDate( domNode ):
  87.116  	dateNodes = domNode.getElementsByTagName( 'Date' )
  87.117  	if len( dateNodes ) == 0:
  87.118 -		formatXmlError( '"<Date>" tag is missing' )
  87.119 -		return None
  87.120 +		return ''
  87.121  
  87.122  	date = ''
  87.123  	for childNode in dateNodes[0].childNodes:
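Review bot: getPolicyName, getUrl and getRef in this hunk, getNSUrl in the next one, and the existing getName and getDate are six copies of the same "concatenate the text nodes of the first named element" loop; one helper such as the one below keeps the per-tag behaviour (error for PolicyName, '' default for the others) while leaving a single place to fix. Note that getElementsByTagName searches all descendants of domNode, not only direct children, so these accessors should keep being called on the PolicyHeader node rather than the document root. policy.txt in this changeset says the policy name is translated into a path under the policy root; if this CGI later builds a file path from pName (not visible here), the returned name should be checked against a restricted character set first. getDate's body continues in the next hunk.
```python
def getElementText( domNode, tagName, default = '' ):
	# Return the text content of the first <tagName> below domNode, or
	# default when no such element exists.
	nodes = domNode.getElementsByTagName( tagName )
	if len( nodes ) == 0:
		return default

	text = ''
	for childNode in nodes[0].childNodes:
		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
			text = text + childNode.data

	return text

def getPolicyName( domNode ):
	if len( domNode.getElementsByTagName( 'PolicyName' ) ) == 0:
		formatXmlError( '"<PolicyName>" tag is missing' )
		return None
	return getElementText( domNode, 'PolicyName' )

def getUrl( domNode ):
	return getElementText( domNode, 'PolicyUrl' )

def getRef( domNode ):
	return getElementText( domNode, 'Reference' )
```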
  87.124 @@ -93,6 +168,18 @@ def getDate( domNode ):
  87.125  
  87.126  	return date
  87.127  
  87.128 +def getNSUrl( domNode ):
  87.129 +	urlNodes = domNode.getElementsByTagName( 'NameSpaceUrl' )
  87.130 +	if len( urlNodes ) == 0:
  87.131 +		return ''
  87.132 +
  87.133 +	url = ''
  87.134 +	for childNode in urlNodes[0].childNodes:
  87.135 +		if childNode.nodeType == xml.dom.Node.TEXT_NODE:
  87.136 +			url = url + childNode.data
  87.137 +
  87.138 +	return url
  87.139 +
  87.140  def getSteTypes( domNode, missingIsError = 0 ):
  87.141  	steNodes = domNode.getElementsByTagName( 'SimpleTypeEnforcementTypes' )
  87.142  	if len( steNodes ) == 0:
  87.143 @@ -170,9 +257,7 @@ def formatXmlGenError( msg ):
  87.144  	xmlMessages.append( cgi.escape( msg ) )
  87.145  
  87.146  def parseXml( xmlInput ):
  87.147 -	global xmlMessages, xmlError, xmlLine, xmlColumn
  87.148 -
  87.149 -	xmlParser  = xml.sax.make_parser( )
  87.150 +	xmlParser = xml.sax.make_parser( )
  87.151  	try:
  87.152  		domDoc = xml.dom.minidom.parseString( xmlInput, xmlParser )
  87.153  
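Review bot: Removing `global xmlMessages, xmlError, xmlLine, xmlColumn` from parseXml is only safe if the remainder of the function, which continues past this hunk, never rebinds those names; the names suggest the except branch records the parser's error state, and without the declaration such assignments would silently create locals that the caller never sees. If they are only read or mutated in place (as formatXmlGenError does with `xmlMessages.append`) the removal is fine, but the rest of the body should be checked before this lands.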
  87.154 @@ -198,14 +283,16 @@ def parseXml( xmlInput ):
  87.155  
  87.156  def parsePolicyXml( ):
  87.157  	global policyXml
  87.158 -	global formPolicyName, formPolicyDate, formPolicyOrder
  87.159 -	global formSteTypes, formChWallTypes
  87.160 -	global allCSMTypes
  87.161 +	global formPolicyName, formPolicyUrl, formPolicyRef, formPolicyDate, formPolicyNSUrl
  87.162 +	global formPolicyOrder
  87.163 +	global formSteTypes, formChWallTypes, formVmNames, formVmNameDom0
  87.164 +	global allCSMTypes, allVmStes, allVmChWs
  87.165  
  87.166  	domDoc = parseXml( policyXml )
  87.167  	if domDoc == None:
  87.168  		return
  87.169  
  87.170 +	# Process the PolicyHeader
  87.171  	domRoot    = domDoc.documentElement
  87.172  	domHeaders = domRoot.getElementsByTagName( 'PolicyHeader' )
  87.173  	if len( domHeaders ) == 0:
  87.174 @@ -215,7 +302,7 @@ def parsePolicyXml( ):
  87.175  		formatXmlError( msg )
  87.176  		return
  87.177  
  87.178 -	pName = getName( domHeaders[0] )
  87.179 +	pName = getPolicyName( domHeaders[0] )
  87.180  	if pName == None:
  87.181  		msg = ''
  87.182  		msg = msg + 'Error processing the Policy header information.\n'
  87.183 @@ -223,18 +310,13 @@ def parsePolicyXml( ):
  87.184  		formatXmlError( msg )
  87.185  		return
  87.186  
  87.187 -	formPolicyName[1] = pName
  87.188 +	formPolicyName[1]  = pName
  87.189 +	formPolicyUrl[1]   = getUrl( domHeaders[0] )
  87.190 +	formPolicyRef[1]   = getRef( domHeaders[0] )
  87.191 +	formPolicyDate[1]  = getDate( domHeaders[0] )
  87.192 +	formPolicyNSUrl[1] = getNSUrl( domHeaders[0] )
  87.193  
  87.194 -	pDate = getDate( domHeaders[0] )
  87.195 -	if pDate == None:
  87.196 -		msg = ''
  87.197 -		msg = msg + 'Error processing the Policy header information.\n'
  87.198 -		msg = msg + 'Please validate the Policy file used.'
  87.199 -		formatXmlError( msg )
  87.200 -		return
  87.201 -
  87.202 -	formPolicyDate[1] = pDate
  87.203 -
  87.204 +	# Process the STEs
  87.205  	pOrder = ''
  87.206  	domStes = domRoot.getElementsByTagName( 'SimpleTypeEnforcement' )
  87.207  	if len( domStes ) > 0:
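Review bot: The four header fields assigned at `formPolicyUrl[1] = getUrl( domHeaders[0] )` through `formPolicyNSUrl[1] = getNSUrl( domHeaders[0] )` are copied verbatim from the uploaded policy file with no validation, whereas the name directly above is still checked for None. They appear to be form state that is written back into the generated page, so wherever they are emitted they need the same `cgi.escape` treatment formatXmlGenError applies to its messages; the policy file is input to this CGI, not trusted data. Since getDate now returns '' for a missing tag, `formPolicyDate[1]` can be empty where the removed check previously guaranteed a value, and any later consumer of the date should tolerate that.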
  87.208 @@ -259,6 +341,7 @@ def parsePolicyXml( ):
  87.209  
  87.210  		formSteTypes[1] = steTypes
  87.211  
  87.212 +	# Process the ChineseWalls and Conflict Sets
  87.213  	domChWalls = domRoot.getElementsByTagName( 'ChineseWall' )
  87.214  	if len( domChWalls ) > 0:
  87.215  		if domChWalls[0].hasAttribute( 'priority' ):
  87.216 @@ -291,45 +374,39 @@ def parsePolicyXml( ):
  87.217  		formChWallTypes[1] = chwTypes
  87.218  
  87.219  		csNodes = domChWalls[0].getElementsByTagName( 'ConflictSets' )
  87.220 -		if len( csNodes ) == 0:
  87.221 -			msg = ''
  87.222 -			msg = msg + 'Required "<ConflictSets>" tag missing.\n'
  87.223 -			msg = msg + 'Please validate the Policy file used.'
  87.224 -			formatXmlError( msg )
  87.225 -			return
  87.226 -
  87.227 -		cNodes = csNodes[0].getElementsByTagName( 'Conflict' )
  87.228 -		if len( cNodes ) == 0:
  87.229 -			msg = ''
  87.230 -			msg = msg + 'Required "<Conflict>" tag missing.\n'
  87.231 -			msg = msg + 'Please validate the Policy file used.'
  87.232 -			formatXmlError( msg )
  87.233 -			return
  87.234 -
  87.235 -		for cNode in cNodes:
  87.236 -			csName = cNode.getAttribute( 'name' )
  87.237 -			newCS( csName, 1 )
  87.238 -
  87.239 -			csMemberList = getTypes( cNode )
  87.240 -			if csMemberList == None:
  87.241 +		if csNodes and (len( csNodes ) > 0):
  87.242 +			cNodes = csNodes[0].getElementsByTagName( 'Conflict' )
  87.243 +			if not cNodes or len( cNodes ) == 0:
  87.244  				msg = ''
  87.245 -				msg = msg + 'Error processing the Conflict Set members.\n'
  87.246 +				msg = msg + 'Required "<Conflict>" tag missing.\n'
  87.247  				msg = msg + 'Please validate the Policy file used.'
  87.248  				formatXmlError( msg )
  87.249  				return
  87.250  
  87.251 -			# Verify the conflict set members are valid types
  87.252 -			ctSet = Set( formChWallTypes[1] )
  87.253 -			csSet = Set( csMemberList )
  87.254 -			if not csSet.issubset( ctSet ):
  87.255 -				msg = ''
  87.256 -				msg = msg + 'Error processing Conflict Set "' + csName + '".\n'
  87.257 -				msg = msg + 'Members of the conflict set are not valid '
  87.258 -				msg = msg + 'Chinese Wall types.\n'
  87.259 -				msg = msg + 'Please validate the Policy file used.'
  87.260 -				formatXmlError( msg )
  87.261 +			for cNode in cNodes:
  87.262 +				csName = cNode.getAttribute( 'name' )
  87.263 +				newCS( csName, 1 )
  87.264 +
  87.265 +				csMemberList = getTypes( cNode )
  87.266 +				if csMemberList == None:
  87.267 +					msg = ''
  87.268 +					msg = msg + 'Error processing the Conflict Set members.\n'
  87.269 +					msg = msg + 'Please validate the Policy file used.'
  87.270 +					formatXmlError( msg )
  87.271 +					return
  87.272  
  87.273 -			allCSMTypes[csName][1] = csMemberList
  87.274 +				# Verify the conflict set members are valid types
  87.275 +				ctSet = Set( formChWallTypes[1] )
  87.276 +				csSet = Set( csMemberList )
  87.277 +				if not csSet.issubset( ctSet ):
  87.278 +					msg = ''
  87.279 +					msg = msg + 'Error processing Conflict Set "' + csName + '".\n'
  87.280 +					msg = msg + 'Members of the conflict set are not valid '
  87.281 +					msg = msg + 'Chinese Wall types.\n'
  87.282 +					msg = msg + 'Please validate the Policy file used.'
  87.283 +					formatXmlError( msg )
  87.284 +
  87.285 +					allCSMTypes[csName][1] = csMemberList
  87.286  
  87.287  	if pOrder != '':
  87.288  		formPolicyOrder[1] = pOrder
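Review bot: `allCSMTypes[csName][1] = csMemberList` is indented one level too far on the new side and now sits inside `if not csSet.issubset( ctSet ):`, so a conflict set's members are recorded only when they fail validation and every valid conflict set keeps its template default; in the removed code the assignment was at loop-body level. It should be dedented to the `for cNode in cNodes:` body, aligned with `ctSet = Set( formChWallTypes[1] )`. Separately, `if csNodes and (len( csNodes ) > 0):` and `if not cNodes or len( cNodes ) == 0:` are redundant because getElementsByTagName always returns a list; `if len( csNodes ) > 0:` and `if len( cNodes ) == 0:` match the style used everywhere else in this function.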
  87.289 @@ -342,6 +419,74 @@ def parsePolicyXml( ):
  87.290  			formatXmlError( msg )
  87.291  			return
  87.292  
  87.293 +	# Process the Labels
  87.294 +	domLabels = domRoot.getElementsByTagName( 'SecurityLabelTemplate' )
  87.295 +	if not domLabels or (len( domLabels ) == 0):
  87.296 +		msg = ''
  87.297 +		msg = msg + '<SecurityLabelTemplate> tag is missing.\n'
  87.298 +		msg = msg + 'Please validate the Policy file used.'
  87.299 +		formatXmlError( msg )
  87.300 +		return
  87.301 +
  87.302 +
  87.303 +	# Process the VMs
  87.304 +	domSubjects = domLabels[0].getElementsByTagName( 'SubjectLabels' )
  87.305 +	if len( domSubjects ) > 0:
  87.306 +		formVmNameDom0[1] = domSubjects[0].getAttribute( 'bootstrap' )
  87.307 +		domNodes = domSubjects[0].getElementsByTagName( 'VirtualMachineLabel' )
  87.308 +		for domNode in domNodes:
  87.309 +			vmName = getName( domNode )
  87.310 +			if vmName == None:
  87.311 +				msg = ''
  87.312 +				msg = msg + 'Error processing the VirtualMachineLabel name.\n'
  87.313 +				msg = msg + 'Please validate the Policy file used.'
  87.314 +				formatXmlError( msg )
  87.315 +				continue
  87.316 +
  87.317 +			steTypes = getSteTypes( domNode )
  87.318 +			if steTypes == None:
  87.319 +				msg = ''
  87.320 +				msg = msg + 'Error processing the SimpleTypeEnforcement types.\n'
  87.321 +				msg = msg + 'Please validate the Policy file used.'
  87.322 +				formatXmlError( msg )
  87.323 +				return
  87.324 +
  87.325 +			chwTypes = getChWTypes( domNode )
  87.326 +			if chwTypes == None:
  87.327 +				msg = ''
  87.328 +				msg = msg + 'Error processing the ChineseWall types.\n'
  87.329 +				msg = msg + 'Please validate the Policy file used.'
  87.330 +				formatXmlError( msg )
  87.331 +				return
  87.332 +
  87.333 +			newVm( vmName, 1 )
  87.334 +			allVmStes[vmName][1] = steTypes
  87.335 +			allVmChWs[vmName][1] = chwTypes
  87.336 +
  87.337 +	# Process the Resources
  87.338 +	domObjects = domLabels[0].getElementsByTagName( 'ObjectLabels' )
  87.339 +	if len( domObjects ) > 0:
  87.340 +		domNodes = domObjects[0].getElementsByTagName( 'ResourceLabel' )
  87.341 +		for domNode in domNodes:
  87.342 +			resName = getName( domNode )
  87.343 +			if resName == None:
  87.344 +				msg = ''
  87.345 +				msg = msg + 'Error processing the ResourceLabel name.\n'
  87.346 +				msg = msg + 'Please validate the Policy file used.'
  87.347 +				formatXmlError( msg )
  87.348 +				continue
  87.349 +
  87.350 +			steTypes = getSteTypes( domNode )
  87.351 +			if steTypes == None:
  87.352 +				msg = ''
  87.353 +				msg = msg + 'Error processing the SimpleTypeEnforcement types.\n'
  87.354 +				msg = msg + 'Please validate the Policy file used.'
  87.355 +				formatXmlError( msg )
  87.356 +				return
  87.357 +
  87.358 +			newRes( resName, 1 )
  87.359 +			allResStes[resName][1] = steTypes
  87.360 +
  87.361  def modFormTemplate( formTemplate, suffix ):
  87.362  	formVar = [x for x in formTemplate]
  87.363  
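Review bot: `formVmNameDom0[1] = domSubjects[0].getAttribute( 'bootstrap' )` stores the bootstrap VM name without checking that a VirtualMachineLabel of that name is defined in the policy, so a policy whose bootstrap attribute names an unknown VM (or omits it, yielding '') is accepted and the form is left with a dangling dom0 reference. After the VirtualMachineLabel loop a check such as `if formVmNameDom0[1] not in formVmNames[1]:` followed by a formatXmlError that names the offending value would catch this, consistent with how conflict-set members are validated against the ChineseWall types earlier in the function. The VM and resource loops also disagree on error handling: a bad name is skipped with `continue` while bad types abort the whole parse with `return`; one policy for both would be clearer.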
  87.364 @@ -383,19 +528,80 @@ def newCS( csName, addToList = 0 ):
  87.365  			formCSNames[1].append( csName )
  87.366  			formCSNames[1] = removeDups( formCSNames[1] )
  87.367  
  87.368 +def newVm( vmName, addToList = 0 ):
  87.369 +	global formVmNames
  87.370 +	global templateVmDel, allVmDel, templateVmDom0, allVmDom0
  87.371 +	global templateVmChWs, templateVmChWDel, templateVmChW, templateVmChWAdd
  87.372 +	global allVmChWs, allVmChWDel, allVmChWType, allVmChWAdd
  87.373 +	global templateVmStes, templateVmSteDel, templateVmSte, templateVmSteAdd
  87.374 +	global allVmStes, allVmSteDel, allVmSteType, allVmSteAdd
  87.375 +
  87.376 +	# Make sure we have an actual name and check one of the 'all'
  87.377 +	# variables to be sure it hasn't been previously defined
  87.378 +	if (len( vmName ) > 0) and (not allVmDom0.has_key( vmName )):
  87.379 +		vmSuffix = '_' + vmName
  87.380 +		allVmDom0[vmName]   = modFormTemplate( templateVmDom0,   vmSuffix )
  87.381 +		allVmDel[vmName]    = modFormTemplate( templateVmDel,    vmSuffix )
  87.382 +		allVmChWs[vmName]   = modFormTemplate( templateVmChWs,   vmSuffix )
  87.383 +		allVmChWDel[vmName] = modFormTemplate( templateVmChWDel, vmSuffix )
  87.384 +		allVmChW[vmName]    = modFormTemplate( templateVmChW,    vmSuffix )
  87.385 +		allVmChWAdd[vmName] = modFormTemplate( templateVmChWAdd, vmSuffix )
  87.386 +		allVmStes[vmName]   = modFormTemplate( templateVmStes,   vmSuffix )
  87.387 +		allVmSteDel[vmName] = modFormTemplate( templateVmSteDel, vmSuffix )
  87.388 +		allVmSte[vmName]    = modFormTemplate( templateVmSte,    vmSuffix )
  87.389 +		allVmSteAdd[vmName] = modFormTemplate( templateVmSteAdd, vmSuffix )
  87.390 +		if addToList == 1:
  87.391 +			formVmNames[1].append( vmName )
  87.392 +			formVmNames[1] = removeDups( formVmNames[1] )
  87.393 +
  87.394 +def newRes( resName, addToList = 0 ):
  87.395 +	global formResNames
  87.396 +	global templateResDel, allResDel
  87.397 +	global templateResStes, templateResSteDel, templateResSte, templateResSteAdd
  87.398 +	global allResStes, allResSteDel, allResSteType, allResSteAdd
  87.399 +
  87.400 +	# Make sure we have an actual name and check one of the 'all'
  87.401 +	# variables to be sure it hasn't been previously defined
  87.402 +	if (len( resName ) > 0) and (not allResDel.has_key( resName )):
  87.403 +		resSuffix = '_' + resName
  87.404 +		allResDel[resName]    = modFormTemplate( templateResDel,    resSuffix )
  87.405 +		allResStes[resName]   = modFormTemplate( templateResStes,   resSuffix )
  87.406 +		allResSteDel[resName] = modFormTemplate( templateResSteDel, resSuffix )
  87.407 +		allResSte[resName]    = modFormTemplate( templateResSte,    resSuffix )
  87.408 +		allResSteAdd[resName] = modFormTemplate( templateResSteAdd, resSuffix )
  87.409 +		if addToList == 1:
  87.410 +			formResNames[1].append( resName )
  87.411 +			formResNames[1] = removeDups( formResNames[1] )
  87.412 +
  87.413  def updateInfo( ):
  87.414 -	global formData, formPolicyName, formPolicyDate, formPolicyOrder
  87.415 +	global formData, formPolicyName, formPolicyUrl, formPolicyRef, formPolicyDate, formPolicyNSUrl
  87.416 +	global formPolicyOrder
  87.417  
  87.418  	if formData.has_key( formPolicyName[3] ):
  87.419  		formPolicyName[1] = formData[formPolicyName[3]].value
  87.420  	elif formData.has_key( formPolicyUpdate[3] ):
  87.421  		formPolicyName[1] = ''
  87.422  
  87.423 +	if formData.has_key( formPolicyUrl[3] ):
  87.424 +		formPolicyUrl[1] = formData[formPolicyUrl[3]].value
  87.425 +	elif formData.has_key( formPolicyUpdate[3] ):
  87.426 +		formPolicyUrl[1] = ''
  87.427 +
  87.428 +	if formData.has_key( formPolicyRef[3] ):
  87.429 +		formPolicyRef[1] = formData[formPolicyRef[3]].value
  87.430 +	elif formData.has_key( formPolicyUpdate[3] ):
  87.431 +		formPolicyRef[1] = ''
  87.432 +
  87.433  	if formData.has_key( formPolicyDate[3] ):
  87.434  		formPolicyDate[1] = formData[formPolicyDate[3]].value
  87.435  	elif formData.has_key( formPolicyUpdate[3] ):
  87.436  		formPolicyDate[1] = ''
  87.437  
  87.438 +	if formData.has_key( formPolicyNSUrl[3] ):
  87.439 +		formPolicyNSUrl[1] = formData[formPolicyNSUrl[3]].value
  87.440 +	elif formData.has_key( formPolicyUpdate[3] ):
  87.441 +		formPolicyNSUrl[1] = ''
  87.442 +
  87.443  	if formData.has_key( formPolicyOrder[3] ):
  87.444  		formPolicyOrder[1] = formData[formPolicyOrder[3]].value
  87.445  
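Review bot: newVm and newRes accept any non-empty name (`if (len( vmName ) > 0) and (not allVmDom0.has_key( vmName )):`) and splice it into form field names through `vmSuffix = '_' + vmName`; the name arrives from the policy XML via parsePolicyXml or, through the addVm/addRes handlers in the next hunk, from the request itself. If those field names are rendered into HTML attributes, which the modFormTemplate/formData pattern suggests, a name containing quotes, angle brackets or whitespace produces a malformed form and a field that can never be read back, so the name should be validated against an explicit character set before use, e.g. `if not re.match( r'^[A-Za-z0-9_.-]+$', vmName ): return` (re would need importing if the module does not already), in one helper shared by both functions. newCS, newVm and newRes are otherwise the same shape and would be simpler as one table-driven routine over their template/all-dict pairs.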
  87.446 @@ -483,6 +689,136 @@ def delCSMember( csName ):
  87.447  			csm = csm.strip( )
  87.448  			formVar[1].remove( csm )
  87.449  
  87.450 +def addVm( ):
  87.451 +	global formData, fromVmName, formVmNames, formVmNameDom0
  87.452 +
  87.453 +	if (formData.has_key( formDefaultButton[3] )) or (formData.has_key( formVmAdd[3] )):
  87.454 +		if formData.has_key( formVmName[3] ):
  87.455 +			vmName = formData[formVmName[3]].value
  87.456 +			vmName = vmName.strip( )
  87.457 +			newVm( vmName, 1 )
  87.458 +			if formVmNameDom0[1] == '':
  87.459 +				formVmNameDom0[1] = vmName
  87.460 +
  87.461 +def delVm( vmName ):
  87.462 +	global formVmNames, formVmNameDom0
  87.463 +	global allVmDel, allVmDom0
  87.464 +	global allVmChWs, allVmChWDel, allVmChWType, allVmChWAdd
  87.465 +	global allVmStes, allVmSteDel, allVmSteType, allVmSteAdd
  87.466 +
  87.467 +	vmName = vmName.strip( )
  87.468 +	formVmNames[1].remove( vmName )
  87.469 +	del allVmDom0[vmName]
  87.470 +	del allVmDel[vmName]
  87.471 +	del allVmChWs[vmName]
  87.472 +	del allVmChWDel[vmName]
  87.473 +	del allVmChW[vmName]
  87.474 +	del allVmChWAdd[vmName]
  87.475 +	del allVmStes[vmName]
  87.476 +	del allVmSteDel[vmName]
  87.477 +	del allVmSte[vmName]
  87.478 +	del allVmSteAdd[vmName]
  87.479 +
  87.480 +	if formVmNameDom0[1] == vmName:
  87.481 +		if len( formVmNames[1] ) > 0:
  87.482 +			formVmNameDom0[1] = formVmNames[1][0]
  87.483 +		else:
  87.484 +			formVmNameDom0[1] = ''
  87.485 +
  87.486 +def makeVmDom0( vmName ):
  87.487 +	global formVmNameDom0
  87.488 +
  87.489 +	vmName = vmName.strip( )
  87.490 +	formVmNameDom0[1] = vmName
  87.491 +
  87.492 +def addVmChW( vmName ):
  87.493 +	global formData, allVmChW, allVmChWs
  87.494 +
  87.495 +	formVar = allVmChW[vmName]
  87.496 +	if formData.has_key( formVar[3] ):
  87.497 +		chwList = formData.getlist( formVar[3] )
  87.498 +		formVar = allVmChWs[vmName]
  87.499 +		for chw in chwList:
  87.500 +			chw = chw.strip( )
  87.501 +			formVar[1].append( chw )
  87.502 +			formVar[1] = removeDups( formVar[1] )
  87.503 +
  87.504 +def delVmChW( vmName ):
  87.505 +	global formData, allVmChWs
  87.506 +
  87.507 +	formVar = allVmChWs[vmName]
  87.508 +	if formData.has_key( formVar[3] ):
  87.509 +		chwList = formData.getlist( formVar[3] )
  87.510 +		for chw in chwList:
  87.511 +			chw = chw.strip( )
  87.512 +			formVar[1].remove( chw )
  87.513 +
  87.514 +def addVmSte( vmName ):
  87.515 +	global formData, allVmSte, allVmStes
  87.516 +
  87.517 +	formVar = allVmSte[vmName]
  87.518 +	if formData.has_key( formVar[3] ):
  87.519 +		steList = formData.getlist( formVar[3] )
  87.520 +		formVar = allVmStes[vmName]
  87.521 +		for ste in steList:
  87.522 +			ste = ste.strip( )
  87.523 +			formVar[1].append( ste )
  87.524 +			formVar[1] = removeDups( formVar[1] )
  87.525 +
  87.526 +def delVmSte( vmName ):
  87.527 +	global formData, allVmStes
  87.528 +
  87.529 +	formVar = allVmStes[vmName]
  87.530 +	if formData.has_key( formVar[3] ):
  87.531 +		steList = formData.getlist( formVar[3] )
  87.532 +		for ste in steList:
  87.533 +			ste = ste.strip( )
  87.534 +			formVar[1].remove( ste )
  87.535 +
  87.536 +def addRes( ):
  87.537 +	global formData, fromResName, formResNames
  87.538 +
  87.539 +	if (formData.has_key( formDefaultButton[3] )) or (formData.has_key( formResAdd[3] )):
  87.540 +		if formData.has_key( formResName[3] ):
  87.541 +			resName = formData[formResName[3]].value
  87.542 +			resName = resName.strip( )
  87.543 +			newRes( resName, 1 )
  87.544 +
  87.545 +def delRes( resName ):
  87.546 +	global formResNames
  87.547 +	global allResDel
  87.548 +	global allResStes, allResSteDel, allResSteType, allResSteAdd
  87.549 +
  87.550 +	resName = resName.strip( )
  87.551 +	formResNames[1].remove( resName )
  87.552 +	del allResDel[resName]
  87.553 +	del allResStes[resName]
  87.554 +	del allResSteDel[resName]
  87.555 +	del allResSte[resName]
  87.556 +	del allResSteAdd[resName]
  87.557 +
  87.558 +def addResSte( vmName ):
  87.559 +	global formData, allResSte, allResStes
  87.560 +
  87.561 +	formVar = allResSte[vmName]
  87.562 +	if formData.has_key( formVar[3] ):
  87.563 +		steList = formData.getlist( formVar[3] )
  87.564 +		formVar = allResStes[vmName]
  87.565 +		for ste