@@ -48,6 +48,7 @@ CONFIG_QEMU_XEN := @qemu_xen@
CONFIG_QEMUU_EXTRA_ARGS:= @EXTRA_QEMUU_CONFIGURE_ARGS@
CONFIG_LIBNL := @libnl@
CONFIG_GOLANG := @golang@
+CONFIG_PYGRUB := @pygrub@
CONFIG_SYSTEMD := @systemd@
SYSTEMD_CFLAGS := @SYSTEMD_CFLAGS@
@@ -36,7 +36,7 @@ SUBDIRS-$(CONFIG_X86) += debugger
SUBDIRS-$(CONFIG_TESTS) += tests
SUBDIRS-y += python
-SUBDIRS-y += pygrub
+SUBDIRS-$(CONFIG_PYGRUB) += pygrub
SUBDIRS-$(OCAML_TOOLS) += ocaml
ifeq ($(CONFIG_RUMP),y)
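Review bot: Making the subdirectory conditional at `SUBDIRS-$(CONFIG_PYGRUB) += pygrub` stops new builds and installs, but it does not remove a pygrub binary that an earlier build already placed in dom0. If the recursive `clean` and `uninstall` targets walk only `SUBDIRS-y` (not visible in this hunk), they will now skip the directory as well on a tree reconfigured with `--disable-pygrub`. Since the commit message's concern is a root-privileged parser of guest-controlled boot images, I would add a comment above the line such as `# pygrub parses guest-controlled boot images as root in dom0; --disable-pygrub only skips build/install, an already-installed copy must be removed separately`. The SUBDIRS list this line belongs to starts and continues outside the hunk.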
@@ -45,6 +45,9 @@
/* ROMBIOS enabled */
#undef HAVE_ROMBIOS
+/* pygrub enabled */
+#undef HAVE_PYGRUB
+
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@@ -707,6 +707,7 @@ AS86
ipxe
qemu_traditional
LINUX_BACKEND_MODULES
+pygrub
golang
seabios
ovmf
@@ -811,6 +812,7 @@ enable_xsmpolicy
enable_ovmf
enable_seabios
enable_golang
+enable_pygrub
with_linux_backend_modules
enable_qemu_traditional
enable_ipxe
@@ -1498,6 +1500,7 @@ Optional Features:
--enable-ovmf Enable OVMF (default is DISABLED)
--disable-seabios Disable SeaBIOS (default is ENABLED)
--disable-golang Disable Go tools (default is ENABLED)
+ --disable-pygrub Disable pygrub (default is ENABLED)
--enable-qemu-traditional
Enable qemu traditional device model, (DEFAULT is
off)
@@ -4287,6 +4290,29 @@ golang=$ax_cv_golang
+# Check whether --enable-pygrub was given.
+if test "${enable_pygrub+set}" = set; then :
+ enableval=$enable_pygrub;
+fi
+
+
+if test "x$enable_pygrub" = "xno"; then :
+
+ ax_cv_pygrub="n"
+
+elif test "x$enable_pygrub" = "xyes"; then :
+
+ ax_cv_pygrub="y"
+
+elif test -z $ax_cv_pygrub; then :
+
+ ax_cv_pygrub="y"
+
+fi
+pygrub=$ax_cv_pygrub
+
+
+
# Check whether --with-linux-backend-modules was given.
if test "${with_linux_backend_modules+set}" = set; then :
@@ -4595,6 +4621,14 @@ else
fi
+if test "x$pygrub" = "xy"; then :
+
+
+$as_echo "#define HAVE_PYGRUB 1" >>confdefs.h
+
+
+fi
+
# Check whether --with-system-qemu was given.
if test "${with_system_qemu+set}" = set; then :
@@ -89,6 +89,7 @@ AX_ARG_DEFAULT_ENABLE([xsmpolicy], [Disable XSM policy compilation])
AX_ARG_DEFAULT_DISABLE([ovmf], [Enable OVMF])
AX_ARG_DEFAULT_ENABLE([seabios], [Disable SeaBIOS])
AX_ARG_DEFAULT_ENABLE([golang], [Disable Go tools])
+AX_ARG_DEFAULT_ENABLE([pygrub], [Disable pygrub])
AC_ARG_WITH([linux-backend-modules],
AS_HELP_STRING([--with-linux-backend-modules="mod1 mod2"],
@@ -184,6 +185,10 @@ AS_IF([test "x$enable_rombios" = "xyes"], [
])
AC_SUBST(rombios)
+AS_IF([test "x$pygrub" = "xy"], [
+ AC_DEFINE([HAVE_PYGRUB], [1], [pygrub enabled])
+])
+
AC_ARG_WITH([system-qemu],
AS_HELP_STRING([--with-system-qemu@<:@=PATH@:>@],
[Use system supplied qemu PATH or qemu (taken from $PATH) as qemu-xen
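Review bot: `HAVE_PYGRUB` is defined in the added `AS_IF` block, but nothing in the visible hunks consumes it. With `--disable-pygrub`, the toolstack presumably still accepts a guest configuration that names pygrub as its bootloader and may try to execute a stale or foreign binary of that name. If the consumer-side check is planned as a follow-up, the template text should say what the macro promises, e.g. `AC_DEFINE([HAVE_PYGRUB], [1], [Define to 1 if pygrub is built and installed; callers should refuse a pygrub bootloader when undefined])`. Otherwise the rejection path belongs with this change, so that disabling the build actually removes the parsing of guest-controlled data from the dom0 boot path.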
Add a "--disable-pygrub" option to allow disabling the build and installation of pygrub. There are two main reasons to do so: - A main reason to use pygrub is to allow a PV guest to choose its bitness (32- or 64-bit). Pygrub allows that by looking into the boot image and starting the guest in the correct mode depending on the kernel selected. With 32-bit PV guests being deprecated and the possibility to even build a hypervisor without 32-bit PV support, this use case is gone for at least some configurations. - Pygrub is running in dom0 with root privileges. As it is operating on guest-controlled data (the boot image) and taking decisions based on this data, there is a higher security risk. Making pygrub unavailable is thus a step towards reducing the attack surface. Default is still to build and install pygrub. Signed-off-by: Juergen Gross <jgross@suse.com> --- V2: - better wording regarding security aspects (Andrew Cooper) - add HAVE_PYGRUB to tools/config.h --- config/Tools.mk.in | 1 + tools/Makefile | 2 +- tools/config.h.in | 3 +++ tools/configure | 34 ++++++++++++++++++++++++++++++++++ tools/configure.ac | 5 +++++ 5 files changed, 44 insertions(+), 1 deletion(-)