ia64/xen-unstable

changeset 5859:ecb17ef5a587

- allows optionally booting the system with a policy already being
active at startup; this works by adding a module line into the grub
configuration file and placing the binary policy generated by the
policy tool into the boot directory; This assumes that a maximum of
one module line is used for the initrd in the grub configuration
file - Question: do users pass more than one module to the kernel?
- enables the policy hypervisor call on x86/64
- some function prototypes moved to include files
- moves the version number in the java tool up to the current
version (a better way of doing this will be submitted soon)

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author kaf24@firebug.cl.cam.ac.uk
date Mon Jul 25 21:19:14 2005 +0000 (2005-07-25)
parents d6af2ea42f94
children d63b100b327a df19d43b95d0
files docs/misc/shype4xen_readme.txt tools/misc/policyprocessor/XmlToBinInterface.java xen/acm/acm_core.c xen/acm/acm_policy.c xen/arch/x86/setup.c xen/arch/x86/x86_64/entry.S xen/common/policy_ops.c xen/include/acm/acm_core.h xen/include/acm/acm_hooks.h
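--- a/docs/misc/shype4xen_readme.txt
+++ b/docs/misc/shype4xen_readme.txt
@@ -567,4 +567,22 @@ is that policy files/management should b
 Our policy interface enables managers to create a single binary policy file in a trusted
 environment and distributed it to multiple systems for enforcement.
 
+5. Booting with a binary policy:
+********************************
+The grub configuration file can be adapted to boot the hypervisor with an
+already active policy. To do this, a binary policy file - this can be
+the same file as used by the policy_tool - should be placed into the boot
+partition. The following entry from the grub configuration file shows how
+a binary policy can be added to the system during boot time. Note that the 
+binary policy must be of the same type that the hypervisor was compiled 
+for. The policy module line should also only be added as the last module
+line if XEN was compiled with the access control module (ACM).
+
+title XEN0 3.0 Devel
+	kernel /xen.gz dom0_mem=400000
+	module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
+	module /initrd-2.6.12-xen0.img
+	module /xen_sample_policy.bin
+
+
 ====================end-of file=======================================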
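--- a/tools/misc/policyprocessor/XmlToBinInterface.java
+++ b/tools/misc/policyprocessor/XmlToBinInterface.java
@@ -123,7 +123,7 @@ public interface XmlToBinInterface
   final short binaryBufferHeaderSz = (3 * u32Size + 4* u16Size);
 
   /* copied directlty from policy_ops.h */
-  final int POLICY_INTERFACE_VERSION = 0xAAAA0002;
+  final int POLICY_INTERFACE_VERSION = 0xAAAA0003;
 
   /* copied directly from acm.h */
   final int ACM_MAGIC  =  0x0001debc;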
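--- a/xen/acm/acm_core.c
+++ b/xen/acm/acm_core.c
@@ -6,6 +6,9 @@
  * Author:
  * Reiner Sailer <sailer@watson.ibm.com>
  *
+ * Contributors:
+ * Stefan Berger <stefanb@watson.ibm.com>
+ *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation, version 2 of the
@@ -25,6 +28,7 @@
 #include <xen/lib.h>
 #include <xen/delay.h>
 #include <xen/sched.h>
+#include <xen/multiboot.h>
 #include <acm/acm_hooks.h>
 #include <acm/acm_endian.h>
 
@@ -81,9 +85,68 @@ acm_init_binary_policy(void *primary, vo
 	acm_bin_pol.secondary_binary_policy = secondary;
 }
 
+static int
+acm_setup(unsigned int *initrdidx,
+          const multiboot_info_t *mbi,
+          unsigned long initial_images_start)
+{
+    int i;
+    module_t *mod = (module_t *)__va(mbi->mods_addr);
+    int rc = ACM_OK;
+
+    if (mbi->mods_count > 1)
+	    *initrdidx = 1;
+
+    /*
+     * Try all modules and see whichever could be the binary policy.
+     * Adjust the initrdidx if module[1] is the binary policy.
+     */
+    for (i = mbi->mods_count-1; i >= 1; i--) {
+        struct acm_policy_buffer *pol;
+        char *_policy_start; 
+        unsigned long _policy_len;
+#if defined(__i386__)
+        _policy_start = (char *)(initial_images_start + (mod[i].mod_start-mod[0].mod_start));
+#elif defined(__x86_64__)
+        _policy_start = __va(initial_images_start + (mod[i].mod_start-mod[0].mod_start));
+#else
+#error Architecture unsupported by sHype
+#endif
+        _policy_len   = mod[i].mod_end - mod[i].mod_start;
+	if (_policy_len < sizeof(struct acm_policy_buffer))
+		continue; /* not a policy */
+
+        pol = (struct acm_policy_buffer *)_policy_start;
+        if (ntohl(pol->magic) == ACM_MAGIC) {
+            rc = acm_set_policy((void *)_policy_start,
+                                (u16)_policy_len,
+                                ACM_USE_SECURITY_POLICY,
+                                0);
+            if (rc == ACM_OK) {
+                printf("Policy len  0x%lx, start at %p.\n",_policy_len,_policy_start);
+                if (i == 1) {
+                    if (mbi->mods_count > 2) {
+                        *initrdidx = 2;
+                    } else {
+                        *initrdidx = 0;
+                    }
+                } else {
+                    *initrdidx = 1;
+                }
+                break;
+            } else {
+            	printk("Invalid policy. %d.th module line.\n", i+1);
+            }
+        } /* end if a binary policy definition, i.e., (ntohl(pol->magic) == ACM_MAGIC ) */
+    }
+    return rc;
+}
+
 
 int
-acm_init(void)
+acm_init(unsigned int *initrdidx,
+         const multiboot_info_t *mbi,
+         unsigned long initial_images_start)
 {
 	int ret = -EINVAL;
 
@@ -127,11 +190,13 @@ acm_init(void)
 
 	if (ret != ACM_OK)
 		return -EINVAL;		
+	acm_setup(initrdidx, mbi, initial_images_start);
 	printk("%s: Enforcing Primary %s, Secondary %s.\n", __func__, 
 	       ACM_POLICY_NAME(acm_bin_pol.primary_policy_code), ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code));
-	return ACM_OK;
+	return ret;
 }
 
+
 #endif
 
 int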
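Review bot: The return value of `acm_setup(initrdidx, mbi, initial_images_start);` is discarded, so a module that carries ACM_MAGIC but is rejected by acm_set_policy() only logs "Invalid policy" while acm_init() still returns ret (ACM_OK) and prints the "Enforcing" line; because `*initrdidx` is adjusted only on success, a rejected policy module at index 1 is then handed to dom0 as its initrd by setup.c. Consider `ret = acm_setup(initrdidx, mbi, initial_images_start);` so the caller can decide whether booting without the intended policy is acceptable. Inside acm_setup() the length is narrowed with `(u16)_policy_len` before the call, so a module larger than 64 KiB would be passed with a truncated size; extend the guard to `if (_policy_len < sizeof(struct acm_policy_buffer) || _policy_len > 0xffff) continue;`. The success path reports with printf() while the failure path uses printk(); pick one. acm_init()'s body continues outside the hunk.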
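--- a/xen/acm/acm_policy.c
+++ b/xen/acm/acm_policy.c
@@ -33,7 +33,7 @@
 #include <acm/acm_endian.h>
 
 int
-acm_set_policy(void *buf, u16 buf_size, u16 policy)
+acm_set_policy(void *buf, u16 buf_size, u16 policy, int isuserbuffer)
 {
 	u8 *policy_buffer = NULL;
 	struct acm_policy_buffer *pol;
@@ -53,16 +53,21 @@ acm_set_policy(void *buf, u16 buf_size,
 	/* 1. copy buffer from domain */
 	if ((policy_buffer = xmalloc_array(u8, buf_size)) == NULL)
 	    goto error_free;
-        if (copy_from_user(policy_buffer, buf, buf_size)) {
-		printk("%s: Error copying!\n",__func__);
-		goto error_free;
+	if (isuserbuffer) {
+		if (copy_from_user(policy_buffer, buf, buf_size)) {
+			printk("%s: Error copying!\n",__func__);
+			goto error_free;
+		}
+	} else {
+		memcpy(policy_buffer, buf, buf_size);
 	}
 	/* 2. some sanity checking */
 	pol = (struct acm_policy_buffer *)policy_buffer;
 
 	if ((ntohl(pol->magic) != ACM_MAGIC) || 
 	    (ntohs(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) ||
-	    (ntohs(pol->secondary_policy_code) != acm_bin_pol.secondary_policy_code)) {
+	    (ntohs(pol->secondary_policy_code) != acm_bin_pol.secondary_policy_code) ||
+	    (ntohl(pol->policyversion) != POLICY_INTERFACE_VERSION)) {
 		printkd("%s: Wrong policy magics!\n", __func__);
 		goto error_free;
 	}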
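Review bot: Step 2 reads `pol->magic`, `pol->primary_policy_code`, `pol->secondary_policy_code` and the newly checked `pol->policyversion` out of policy_buffer, yet nothing in this hunk bounds buf_size against sizeof(struct acm_policy_buffer) first; the boot-time caller in acm_core.c filters short modules itself, but if the guest path through do_policy_op() is not rejected by the lines above the hunk (the hunk starts mid-function), a short pushcache_size makes these reads run past the xmalloc_array() allocation. A one-line `if (buf_size < sizeof(struct acm_policy_buffer)) goto error_free;` before the copy would close that regardless of caller. The new memcpy() branch is only sound because the in-hypervisor caller guarantees `buf` is mapped and readable for `buf_size` bytes; a short comment on the `else`, e.g. `/* hypervisor-side buffer (boot module): no user copy needed */`, would make that precondition visible. acm_set_policy()'s body continues outside the hunk.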
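--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -245,6 +245,8 @@ void __init __start_xen(multiboot_info_t
     module_t *mod = (module_t *)__va(mbi->mods_addr);
     unsigned long firsthole_start, nr_pages;
     unsigned long initial_images_start, initial_images_end;
+    unsigned long _initrd_start = 0, _initrd_len = 0;
+    unsigned int initrdidx = 1;
     struct e820entry e820_raw[E820MAX];
     int i, e820_raw_nr = 0, bytes = 0;
     struct ns16550_defaults ns16550 = {
@@ -411,7 +413,7 @@ void __init __start_xen(multiboot_info_t
     shadow_mode_init();
 
     /* initialize access control security module */
-    acm_init();
+    acm_init(&initrdidx, mbi, initial_images_start);
 
     /* Create initial domain 0. */
     dom0 = do_createdomain(0, 0);
@@ -450,6 +452,13 @@ void __init __start_xen(multiboot_info_t
         }
     }
 
+    if ( (initrdidx > 0) && (initrdidx < mbi->mods_count) )
+    {
+        _initrd_start = initial_images_start +
+            (mod[initrdidx].mod_start - mod[0].mod_start);
+        _initrd_len   = mod[initrdidx].mod_end - mod[initrdidx].mod_start;
+    }
+
     /*
      * We're going to setup domain0 using the module(s) that we stashed safely
      * above our heap. The second module, if present, is an initrd ramdisk.
@@ -457,11 +466,8 @@ void __init __start_xen(multiboot_info_t
     if ( construct_dom0(dom0,
                         initial_images_start, 
                         mod[0].mod_end-mod[0].mod_start,
-                        (mbi->mods_count == 1) ? 0 :
-                        initial_images_start + 
-                        (mod[1].mod_start-mod[0].mod_start),
-                        (mbi->mods_count == 1) ? 0 :
-                        mod[mbi->mods_count-1].mod_end - mod[1].mod_start,
+                        _initrd_start,
+                        _initrd_len,
                         cmdline) != 0)
         panic("Could not set up DOM0 guest OS\n");
 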
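Review bot: The context comment `* above our heap. The second module, if present, is an initrd ramdisk.` is no longer accurate now that acm_init() can move the initrd to index 2 or drop it (index 0); suggest `* above our heap. Module initrdidx, if present, is the initrd ramdisk (acm_init() skips a binary policy module).` The new guard `(initrdidx > 0) && (initrdidx < mbi->mods_count)` handles the no-initrd case correctly, but note that the removed code passed the whole span from module 1 to `mod[mbi->mods_count-1].mod_end` as the initrd, whereas the new code passes exactly one module; that is the behavior change the commit message asks about and it deserves a sentence in the same comment. __start_xen() continues outside the hunk.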
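--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -587,6 +587,7 @@ ENTRY(hypercall_table)
         .quad do_boot_vcpu
         .quad do_set_segment_base   /* 25 */
         .quad do_mmuext_op
+        .quad do_policy_op
         .rept NR_hypercalls-((.-hypercall_table)/4)
         .quad do_ni_hypercall
         .endr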
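Review bot: The new `.quad do_policy_op` lands in slot 27 (do_mmuext_op is 26, going by the `/* 25 */` annotation on do_set_segment_base), and that number must match the policy-op hypercall number in the public header and any per-hypercall argument-count table; neither is part of this diff, so please confirm, and a trailing `/* 27 */` comment like the one two lines up would make the slot visible to the next person who appends an entry. Separately, the padding directive on the next line, `.rept NR_hypercalls-((.-hypercall_table)/4)`, divides by 4 although every entry in this table is a `.quad` (8 bytes); if that is not deliberate, the table ends short of NR_hypercalls entries. That line predates this commit, but adding an entry is the right moment to check it.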
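--- a/xen/common/policy_ops.c
+++ b/xen/common/policy_ops.c
@@ -37,11 +37,6 @@ long do_policy_op(policy_op_t *u_policy_
 
 #else
 
-/* function prototypes defined in acm/acm_policy.c */
-int acm_set_policy(void *buf, u16 buf_size, u16 policy);
-int acm_get_policy(void *buf, u16 buf_size);
-int acm_dump_statistics(void *buf, u16 buf_size);
-
 typedef enum policyoperation {
     POLICY,     /* access to policy interface (early drop) */
     GETPOLICY,  /* dump policy cache */
@@ -89,7 +84,8 @@ long do_policy_op(policy_op_t *u_policy_
         ret = acm_set_policy(
             op->u.setpolicy.pushcache, 
             op->u.setpolicy.pushcache_size, 
-            op->u.setpolicy.policy_type);
+            op->u.setpolicy.policy_type,
+            1);
         if (ret == ACM_OK)
             ret = 0;
         else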
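Review bot: The new argument `1);` is a bare literal for what is really a "buf is a guest pointer" flag, and nothing at the call site says so; annotate it, e.g. `1 /* pushcache is a guest-supplied pointer: copy_from_user() */);`, since this is the one place where guest-controlled data enters acm_set_policy(). Moving the three prototypes to acm_core.h is the right fix, but the removed `/* function prototypes defined in acm/acm_policy.c */` line was the only pointer to where they live; carry it over to the header. do_policy_op() continues outside the hunk.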
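--- a/xen/include/acm/acm_core.h
+++ b/xen/include/acm/acm_core.h
@@ -113,6 +113,9 @@ struct ste_ssid {
 /* protos */
 int acm_init_domain_ssid(domid_t id, ssidref_t ssidref);
 int acm_free_domain_ssid(struct acm_ssid_domain *ssid);
+int acm_set_policy(void *buf, u16 buf_size, u16 policy, int isuserbuffer);
+int acm_get_policy(void *buf, u16 buf_size);
+int acm_dump_statistics(void *buf, u16 buf_size);
 
 #endif
 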
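Review bot: The new `isuserbuffer` parameter is the only thing that decides whether acm_set_policy() fetches `buf` with copy_from_user() or memcpy(), yet the prototype carries no description of that contract or of which caller passes which value; a comment above it such as `/* isuserbuffer != 0: buf is a guest-virtual address (copy_from_user); 0: buf is hypervisor memory readable for buf_size bytes (boot-time policy module) */` would let both call sites be audited against the header alone. The prototypes moved here from policy_ops.c also lost the note that they are defined in acm/acm_policy.c; restore it above the three lines.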
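--- a/xen/include/acm/acm_hooks.h
+++ b/xen/include/acm/acm_hooks.h
@@ -24,6 +24,7 @@
 #include <xen/lib.h>
 #include <xen/delay.h>
 #include <xen/sched.h>
+#include <xen/multiboot.h>
 #include <public/acm.h>
 #include <acm/acm_core.h>
 #include <public/dom0_ops.h>
@@ -136,7 +137,9 @@ static inline int acm_pre_grant_map_ref(
 { return 0; }
 static inline int acm_pre_grant_setup(domid_t id) 
 { return 0; }
-static inline int acm_init(void)
+static inline int acm_init(unsigned int *initrdidx,
+                           const multiboot_info_t *mbi,
+                           unsigned long start)
 { return 0; }
 static inline void acm_post_domain0_create(domid_t domid) 
 { return; }
@@ -337,7 +340,9 @@ static inline void acm_post_domain0_crea
     acm_post_domain_create(domid, ACM_DOM0_SSIDREF);
 }
 
-extern int acm_init(void);
+extern int acm_init(unsigned int *initrdidx,
+                    const multiboot_info_t *mbi,
+                    unsigned long start);
 
 #endif
 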
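Review bot: The !ACM stub `static inline int acm_init(...) { return 0; }` leaves `*initrdidx` untouched, and setup.c depends on exactly that (it initialises initrdidx to 1 and then uses module initrdidx as the initrd); a comment on the stub such as `/* initrdidx is left as the caller set it: module 1 remains the initrd */` would pin the contract so a later edit does not break the non-ACM boot. The third parameter is named `start` in both declarations here but `initial_images_start` in the definition in acm_core.c; use one name so the prototype reads the same as the implementation. If the tree builds with -Wextra, the three unused parameters of the stub will warn; `(void)initrdidx; (void)mbi; (void)start;` in the body avoids that.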