| Message ID | 20220531150857.19727-3-dpsmith@apertussolutions.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | xsm: refactor and optimize policy loading | expand |
On 31.05.2022 17:08, Daniel P. Smith wrote: > Previously, initializing the policy buffer was split between two functions, > xsm_{multiboot,dt}_policy_init() and xsm_core_init(). The latter for loading > the policy from boot modules and the former for falling back to built-in policy. > > This patch moves all policy buffer initialization logic under the > xsm_{multiboot,dt}_policy_init() functions. It then ensures that an error > message is printed for every error condition that may occur in the functions. > With all policy buffer init contained and only called when the policy buffer > must be populated, the respective xsm_{mb,dt}_init() functions will panic if an > error occurs attempting to populate the policy buffer. "flask=late" is also a mode where, afaict, no policy is required. I can't, however, see how you're taking care of that (but maybe I'm overlooking something); inspecting flask_bootparam in generic XSM code would actually be a layering violation. > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -775,7 +775,7 @@ int xsm_multiboot_init( > unsigned long *module_map, const multiboot_info_t *mbi); > int xsm_multiboot_policy_init( > unsigned long *module_map, const multiboot_info_t *mbi, > - void **policy_buffer, size_t *policy_size); > + const unsigned char *policy_buffer[], size_t *policy_size); I don't think we're dealing with an array here, so const unsigned char ** would seem the more correct representation to me. Also - what about the DT counterpart function? Jan
On 5/31/22 12:05, Jan Beulich wrote: > On 31.05.2022 17:08, Daniel P. Smith wrote: >> Previously, initializing the policy buffer was split between two functions, >> xsm_{multiboot,dt}_policy_init() and xsm_core_init(). The latter for loading >> the policy from boot modules and the former for falling back to built-in policy. >> >> This patch moves all policy buffer initialization logic under the >> xsm_{multiboot,dt}_policy_init() functions. It then ensures that an error >> message is printed for every error condition that may occur in the functions. >> With all policy buffer init contained and only called when the policy buffer >> must be populated, the respective xsm_{mb,dt}_init() functions will panic if an >> error occurs attempting to populate the policy buffer. > > "flask=late" is also a mode where, afaict, no policy is required. I can't, > however, see how you're taking care of that (but maybe I'm overlooking > something); inspecting flask_bootparam in generic XSM code would actually > be a layering violation. Good point, flask=late is meant to be enforcing with a late loading of a policy file. I will address it. >> --- a/xen/include/xsm/xsm.h >> +++ b/xen/include/xsm/xsm.h >> @@ -775,7 +775,7 @@ int xsm_multiboot_init( >> unsigned long *module_map, const multiboot_info_t *mbi); >> int xsm_multiboot_policy_init( >> unsigned long *module_map, const multiboot_info_t *mbi, >> - void **policy_buffer, size_t *policy_size); >> + const unsigned char *policy_buffer[], size_t *policy_size); > > I don't think we're dealing with an array here, so const unsigned char ** > would seem the more correct representation to me. > > Also - what about the DT counterpart function? Ack. v/r dps
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3e2b7fe3db..1676c261c9 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -775,7 +775,7 @@ int xsm_multiboot_init( unsigned long *module_map, const multiboot_info_t *mbi); int xsm_multiboot_policy_init( unsigned long *module_map, const multiboot_info_t *mbi, - void **policy_buffer, size_t *policy_size); + const unsigned char *policy_buffer[], size_t *policy_size); #endif #ifdef CONFIG_HAS_DEVICE_TREE diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 4a29ee9558..8f6c3de8a6 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -92,14 +92,6 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size) { const struct xsm_ops *ops = NULL; -#ifdef CONFIG_XSM_FLASK_POLICY - if ( policy_size == 0 ) - { - policy_buffer = xsm_flask_init_policy; - policy_size = xsm_flask_init_policy_size; - } -#endif - if ( xsm_ops_registered != XSM_OPS_UNREGISTERED ) { printk(XENLOG_ERR @@ -155,7 +147,7 @@ int __init xsm_multiboot_init( unsigned long *module_map, const multiboot_info_t *mbi) { int ret = 0; - void *policy_buffer = NULL; + const unsigned char *policy_buffer; size_t policy_size = 0; printk("XSM Framework v" XSM_FRAMEWORK_VERSION " initialized\n"); @@ -167,8 +159,7 @@ int __init xsm_multiboot_init( if ( ret ) { bootstrap_map(NULL); - printk(XENLOG_ERR "Error %d initializing XSM policy\n", ret); - return -EINVAL; + panic(XENLOG_ERR "Error %d initializing XSM policy\n", ret); } } @@ -192,10 +183,7 @@ int __init xsm_dt_init(void) { ret = xsm_dt_policy_init(&policy_buffer, &policy_size); if ( ret ) - { - printk(XENLOG_ERR "Error %d initializing XSM policy\n", ret); - return -EINVAL; - } + panic(XENLOG_ERR "Error %d initializing XSM policy\n", ret); } ret = xsm_core_init(policy_buffer, policy_size); diff --git a/xen/xsm/xsm_policy.c b/xen/xsm/xsm_policy.c index 8dafbc9381..6a4f769aec 100644 --- a/xen/xsm/xsm_policy.c +++ b/xen/xsm/xsm_policy.c @@ -8,7 +8,7 @@ * Contributors: * Michael LeMay, <mdlemay@epoch.ncsc.mil> * George Coker, <gscoker@alpha.ncsc.mil> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, * as published by the Free Software Foundation. @@ -32,14 +32,21 @@ #ifdef CONFIG_MULTIBOOT int __init xsm_multiboot_policy_init( unsigned long *module_map, const multiboot_info_t *mbi, - void **policy_buffer, size_t *policy_size) + const unsigned char *policy_buffer[], size_t *policy_size) { int i; module_t *mod = (module_t *)__va(mbi->mods_addr); - int rc = 0; + int rc = -ENOENT; u32 *_policy_start; unsigned long _policy_len; +#ifdef CONFIG_XSM_FLASK_POLICY + /* Initially set to builtin policy, overriden if boot module is found. */ + *policy_buffer = xsm_flask_init_policy; + *policy_size = xsm_flask_init_policy_size; + rc = 0; +#endif + /* * Try all modules and see whichever could be the binary policy. * Adjust module_map for the module that is the binary policy. @@ -54,13 +61,14 @@ int __init xsm_multiboot_policy_init( if ( (xsm_magic_t)(*_policy_start) == XSM_MAGIC ) { - *policy_buffer = _policy_start; + *policy_buffer = (unsigned char *)_policy_start; *policy_size = _policy_len; printk("Policy len %#lx, start at %p.\n", _policy_len,_policy_start); __clear_bit(i, module_map); + rc = 0; break; } @@ -68,6 +76,9 @@ int __init xsm_multiboot_policy_init( bootstrap_map(NULL); } + if ( rc == -ENOENT ) + printk(XENLOG_ERR "xsm: Unable to locate policy file\n"); + return rc; } #endif @@ -79,7 +90,16 @@ int __init xsm_dt_policy_init(void **policy_buffer, size_t *policy_size) paddr_t paddr, len; if ( !mod || !mod->size ) + { +#ifdef CONFIG_XSM_FLASK_POLICY + *policy_buffer = (void *)xsm_flask_init_policy; + *policy_size = xsm_flask_init_policy_size; return 0; +#else + printk(XENLOG_ERR "xsm: Unable to locate policy file\n"); + return -ENOENT; +#endif + } paddr = mod->start; len = mod->size; @@ -95,7 +115,10 @@ int __init xsm_dt_policy_init(void **policy_buffer, size_t *policy_size) *policy_buffer = xmalloc_bytes(len); if ( !*policy_buffer ) + { + printk(XENLOG_ERR "xsm: Unable to allocate memory for XSM policy\n"); return -ENOMEM; + } copy_from_paddr(*policy_buffer, paddr, len); *policy_size = len;
Previously, initializing the policy buffer was split between two functions, xsm_{multiboot,dt}_policy_init() and xsm_core_init(). The latter for loading the policy from boot modules and the former for falling back to built-in policy. This patch moves all policy buffer initialization logic under the xsm_{multiboot,dt}_policy_init() functions. It then ensures that an error message is printed for every error condition that may occur in the functions. With all policy buffer init contained and only called when the policy buffer must be populated, the respective xsm_{mb,dt}_init() functions will panic if an error occurs attempting to populate the policy buffer. Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com> --- xen/include/xsm/xsm.h | 2 +- xen/xsm/xsm_core.c | 18 +++--------------- xen/xsm/xsm_policy.c | 31 +++++++++++++++++++++++++++---- 3 files changed, 31 insertions(+), 20 deletions(-)