diff options
| author | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2005-11-19 10:35:38 +0100 |
|---|---|---|
| committer | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2005-11-19 10:35:38 +0100 |
| commit | ac5d4d868f25ddd8ce58ca49c63e5aebd9d77597 (patch) | |
| tree | 166ad67e2f274dd471542028d249f9546dfda39d /Config.mk | |
| parent | afb312d146f268bbf3e1f4f7bd7ff5a9f8c335ac (diff) | |
| download | xen-ac5d4d868f25ddd8ce58ca49c63e5aebd9d77597.tar.gz xen-ac5d4d868f25ddd8ce58ca49c63e5aebd9d77597.tar.bz2 xen-ac5d4d868f25ddd8ce58ca49c63e5aebd9d77597.zip | |
Enable the Xen hypervisor ACM security policy to be determined at boot
time (instead of at compile time). Allows a single xen.gz binary to
run under different security policy types, which simplifies
distributions considerably. To this end, we replace the current single
compile switch in Config.mk with the following two:
1. ACM_SECURITY (y/n) if "n", then the ACM is not compiled and no security
policies can be configured at boot time. If "y", then the ACM is compiled
and can be configured into any of the available policy types (null,
chwall, ste, chwall_ste) by specifying a valid boot policy .bin file in
the grub boot configuration.
2. ACM_DEFAULT_SECURITY_POLICY (null / chwall / ste / chwall_ste)
specifies the policy into which Xen defaults in the case that security is
enabled but no boot policy file is specified, or the specified policy file
is invalid (wrong version, magic, corrupted, ...)
While the type of the enabled policy (null, ste, ...) is decided once
during boot for the whole boot cycle, the policy instantiation can be
changed during operation as usual with the security tools.
Signed-off by: Tomas Lendacky <toml@us.ibm.com>
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
Diffstat (limited to 'Config.mk')
| -rw-r--r-- | Config.mk | 14 |
1 files changed, 11 insertions, 3 deletions
@@ -44,13 +44,21 @@ CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i)) # Choose the best mirror to download linux kernel KERNEL_REPO = http://www.kernel.org -# ACM_USE_SECURITY_POLICY is set to security policy of Xen +# If ACM_SECURITY = y, then the access control module is compiled +# into Xen and the policy type can be set by the boot policy file +# y - Build the Xen ACM framework +# n - Do not build the Xen ACM framework +ACM_SECURITY ?= n + +# If ACM_SECURITY = y and no boot policy file is installed, +# then the ACM defaults to the security policy set by +# ACM_DEFAULT_SECURITY_POLICY # Supported models are: -# ACM_NULL_POLICY (ACM will not be built with this policy) +# ACM_NULL_POLICY # ACM_CHINESE_WALL_POLICY # ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY # ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY -ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY +ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY # Optional components XENSTAT_XENTOP ?= y |