=head1 NAME

xm - Xen management user interface

=head1 SYNOPSIS

B<xm> I<subcommand> [I<args>]

=head1 DESCRIPTION

The B<xm> program is the main interface for managing Xen guest
domains. The program can be used to create, pause, and shutdown
domains. It can also be used to list current domains, enable or pin
VCPUs, and attach or detach virtual block devices.

The basic structure of every B<xm> command is almost always:

=over 2

B<xm> I<subcommand> I<domain-id> [I<OPTIONS>]

=back

Where I<subcommand> is one of the subcommands listed below, I<domain-id>
is the numeric domain id, or the domain name (which will be internally
translated to domain id), and I<OPTIONS> are subcommand specific
options.  There are a few exceptions to this rule in the cases where
the subcommand in question acts on all domains, the entire machine,
or directly on the Xen hypervisor.  Those exceptions will be clear for
each of those subcommands.

=head1 NOTES

All B<xm> operations rely upon the Xen control daemon, aka B<xend>.
For any B<xm> commands to run, xend must also be running.  For this
reason you should start xend as a service when your system first boots
using Xen.

Most B<xm> commands require root privileges to run due to the
communications channels used to talk to the hypervisor.  Running as
non root will return an error.

Most B<xm> commands act asynchronously, so just because the B<xm>
command returned doesn't mean the action is complete.  This is
important, as many operations on domains, like create and shutdown,
can take considerable time (30 seconds or more) to bring the machine
into a fully compliant state.  If you want to know when one of these
actions has finished you must poll through B<xm list> periodically.

=head1 DOMAIN SUBCOMMANDS

The following subcommands manipulate domains directly.  As stated
previously, most commands take I<domain-id> as the first parameter.

=over 4

=item B<console> I<domain-id>

Attach to domain I<domain-id>'s console.  If you've set up your domains to
have a traditional log in console this will look much like a normal
text log in screen.

This uses the back end xenconsole service which currently only
works for para-virtual domains.  

The attached console will perform much like a standard serial console,
so running curses based interfaces over the console B<is not
advised>.  Vi tends to get very odd when using it over this interface.

=item B<create> [B<-c>] I<configfile> [I<name>=I<value>]..

The create sub command requires a config file and can optionally take a
series of name value pairs that add to or override variables defined
in the config file.  See L<xmdomain.cfg> for full details of that file
format, and possible options used in either the configfile or
I<name>=I<value> combinations.

I<configfile> can either be an absolute path to a file, or a relative
path to a file located in /etc/xen.

Create will return B<as soon> as the domain is started.  This B<does
not> mean the guest OS in the domain has actually booted, or is
available for input.

B<OPTIONS>

=over 4 

=item B<-c>

Attache console to the domain as soon as it has started.  This is
useful for determining issues with crashing domains.

=back

B<EXAMPLES>

=over 4

=item I<with config file>

  xm create Fedora4

This creates a domain with the file /etc/xen/Fedora4, and returns as
soon as it is run.

=item I<without config file>
 
  xm create /dev/null ramdisk=initrd.img \
     kernel=/boot/vmlinuz-2.6.12.6-xenU \
     name=ramdisk nics=0 vcpus=1 \
     memory=64 root=/dev/ram0

This creates the domain without using a config file (more specifically
using /dev/null as an empty config file), kernel and ramdisk as
specified, setting the name of the domain to "ramdisk", also disabling
virtual networking.  (This example comes from the xm-test test suite.)

=back

=item B<destroy> I<domain-id>

Immediately terminate the domain I<domain-id>.  This doesn't give the
domain OS any chance to react, and is the equivalent of ripping the
power cord out on a physical machine.  In most cases you will want to
use the B<shutdown> command instead.

=item B<domid> I<domain-name>

Converts a domain name to a domain id using xend's internal mapping.

=item B<domname> I<domain-id>

Converts a domain id to a domain name using xend's internal mapping.

=item B<help> [B<--long>]

Displays the short help message (i.e. common commands).

The B<--long> option prints out the complete set of B<xm> subcommands,
grouped by function.

=item B<list> [B<--long> | B<--label>] [I<domain-id> ...]

Prints information about one or more domains.  If no domains are
specified it prints out information about all domains.

An example format for the list is as follows:

    Name                         ID Mem(MiB) VCPUs State  Time(s)
    Domain-0                      0       98     1 r-----  5068.6
    Fedora3                     164      128     1 r-----     7.6
    Fedora4                     165      128     1 ------     0.6
    Mandrake2006                166      128     1 -b----     3.6
    Mandrake10.2                167      128     1 ------     2.5
    Suse9.2                     168      100     1 ------     1.8

Name is the name of the domain.  ID the numeric domain id.  Mem is the
desired amount of memory to allocate to the domain (although it may
not be the currently allocated amount).  VCPUs is the number of
virtual CPUs allocated to the domain.  State is the run state (see
below).  Time is the total run time of the domain as accounted for by
Xen.

B<STATES>

=over 4

The State field lists 6 states for a Xen domain, and which ones the
current domain is in.

=item B<r - running>

The domain is currently running on a CPU.

=item B<b - blocked>

The domain is blocked, and not running or runnable.  This can be caused
because the domain is waiting on IO (a traditional wait state) or has
gone to sleep because there was nothing else for it to do.

=item B<p - paused>

The domain has been paused, usually occurring through the administrator
running B<xm pause>.  When in a paused state the domain will still
consume allocated resources like memory, but will not be eligible for
scheduling by the Xen hypervisor.

=item B<s - shutdown>

FIXME: Why would you ever see this state?

=item B<c - crashed>

The domain has crashed, which is always a violent ending.  Usually
this state can only occur if the domain has been configured not to
restart on crash.  See L<xmdomain.cfg> for more info.

=item B<d - dying>

The domain is in process of dying, but hasn't completely shutdown or
crashed.

FIXME: Is this right?

=back

B<LONG OUTPUT>

=over 4

If B<--long> is specified, the output for B<xm list> is not the table
view shown above, but instead is an S-Expression representing all
information known about all domains asked for.  This is mostly only
useful for external programs to parse the data.

B<Note:> There is no stable guarantees on the format of this data.
Use at your own risk.

=back

B<LABEL OUTPUT>

=over 4

If B<--label> is specified, the security labels are added to the
output of B<xm list> and the lines are sorted by the labels (ignoring
case). The B<--long> option prints the labels by default and cannot be
combined with B<--label>. See the ACCESS CONTROL SUBCOMMAND section of
this man page for more information about labels.

==back

B<NOTES>

=over 4

The Time column is deceptive.  Virtual IO (network and block devices)
used by domains requires coordination by Domain0, which means that
Domain0 is actually charged for much of the time that a DomainU is
doing IO.  Use of this time value to determine relative utilizations
by domains is thus very suspect, as a high IO workload may show as
less utilized than a high CPU workload.  Consider yourself warned.

=back

=item B<mem-max> I<domain-id> I<mem>

Specify the maximum amount of memory the domain is able to use.  I<mem>
is specified in megabytes. 

The mem-max value may not correspond to the actual memory used in the
domain, as it may balloon down its memory to give more back to the OS.

=item B<mem-set> I<domain-id> I<mem>

Set the domain's used memory using the balloon driver.  Because this
operation requires cooperation from the domain operating system, there
is no guarantee that it will succeed.

B<Warning:> There is no good way to know in advance how small of a
mem-set will make a domain unstable and cause it to crash.  Be very
careful when using this command on running domains.

=item B<migrate> I<domain-id> I<host> [I<OPTIONS>]

Migrate a domain to another host machine. Xend must be running on
other host machine, it must be running the same version of Xen, it
must have the migration TCP port open and accepting connections from
the source host, and there must be sufficient resources for the domain
to run (memory, disk, etc).

Migration is pretty complicated, and has many security implications.
Please read the Xen User's Guide to ensure you understand the
ramifications and limitations on migration before attempting it in
production.

B<OPTIONS>

=over 4

=item B<-l>, B<--live>

Use live migration.  This will migrate the domain between hosts
without shutting down the domain.  See the Xen User's Guide for more
information.

=item B<-r>, B<--resource> I<Mbs>

Set maximum Mbs allowed for migrating the domain.  This ensures that
the network link is not saturated with migration traffic while
attempting to do other useful work.

=back

=item B<pause> I<domain-id>

Pause a domain.  When in a paused state the domain will still consume
allocated resources such as memory, but will not be eligible for
scheduling by the Xen hypervisor.

=item B<reboot> [I<OPTIONS>] I<domain-id>

Reboot a domain.  This acts just as if the domain had the B<reboot>
command run from the console.  The command returns as soon as it has
executed the reboot action, which may be significantly before the
domain actually reboots.

The behavior of what happens to a domain when it reboots is set by the
B<on_reboot> parameter of the xmdomain.cfg file when the domain was
created.

B<OPTIONS>

=over 4

=item B<-a>, B<--all>

Reboot all domains.

=item B<-w>, B<--wait>

Wait for reboot to complete before returning.  This may take a while,
as all services in the domain will have to be shut down cleanly.

=back

=item B<restore> I<state-file>

Build a domain from an B<xm save> state file.  See B<save> for more info.

=item B<save> I<domain-id> I<state-file>

Saves a running domain to a state file so that it can be restored
later.  Once saved, the domain will no longer be running on the
system, thus the memory allocated for the domain will be free for
other domains to use.  B<xm restore> restores from this state file.

This is roughly equivalent to doing a hibernate on a running computer,
with all the same limitations.  Open network connections may be
severed upon restore, as TCP timeouts may have expired.

=item B<shutdown> [I<OPTIONS>] I<domain-id>

Gracefully shuts down a domain.  This coordinates with the domain OS
to perform graceful shutdown, so there is no guarantee that it will
succeed, and may take a variable length of time depending on what
services must be shutdown in the domain.  The command returns
immediately after signally the domain unless that B<-w> flag is used.

The behavior of what happens to a domain when it reboots is set by the
B<on_shutdown> parameter of the xmdomain.cfg file when the domain was
created.

B<OPTIONS>

=over 4

=item B<-a> 

Shutdown B<all> domains.  Often used when doing a complete shutdown of
a Xen system.

=item B<-w>

Wait for the domain to complete shutdown before returning.

=back

=item B<sysrq> I<domain-id> I<letter>

Send a I<Magic System Request> signal to the domain.  For more
information on available magic sys req operations, see sysrq.txt in
your Linux Kernel sources.

=item B<unpause> I<domain-id>

Moves a domain out of the paused state.  This will allow a previously
paused domain to now be eligible for scheduling by the Xen hypervisor.

=item B<vcpu-set> I<domain-id> I<vcpu-count>

Enables the I<vcpu-count> virtual CPUs for the domain in question.
Like mem-set, this command can only allocate up to the maximum virtual
CPU count configured at boot for the domain.

If the I<vcpu-count> is smaller than the current number of active
VCPUs, the highest number VCPUs will be hotplug removed.  This may be
important for pinning purposes.

Attempting to set the VCPUs to a number larger than the initially
configured VCPU count is an error.  Trying to set VCPUs to < 1 will be
quietly ignored.

=item B<vcpu-list> [I<domain-id>]

Lists VCPU information for a specific domain.  If no domain is
specified, VCPU information for all domains will be provided.

=item B<vcpu-pin> I<domain-id> I<vcpu> I<cpus>

Pins the the VCPU to only run on the specific CPUs.  The keyword
B<all> can be used to apply the I<cpus> list to all VCPUs in the
domain.

Normally VCPUs can float between available CPUs whenever Xen deems a
different run state is appropriate.  Pinning can be used to restrict
this, by ensuring certain VCPUs can only run on certain physical
CPUs.

=back

=head1 XEN HOST SUBCOMMANDS

=over 4

=item B<dmesg> [B<-c>]

Reads the Xen message buffer, similar to dmesg on a Linux system.  The
buffer contains informational, warning, and error messages created
during Xen's boot process.  If you are having problems with Xen, this
is one of the first places to look as part of problem determination.

B<OPTIONS>

=over 4

=item B<-c>, B<--clear>

Clears Xen's message buffer.

=back

=item B<info>

Print information about the Xen host in I<name : value> format.  When
reporting a Xen bug, please provide this information as part of the
bug report.

Sample output looks as follows (lines wrapped manually to make the man
page more readable):

 host                   : talon
 release                : 2.6.12.6-xen0
 version                : #1 Mon Nov 14 14:26:26 EST 2005
 machine                : i686
 nr_cpus                : 2
 nr_nodes               : 1
 cores_per_socket       : 1
 threads_per_core       : 1
 cpu_mhz                : 696
 hw_caps                : 0383fbff:00000000:00000000:00000040
 total_memory           : 767
 free_memory            : 37
 xen_major              : 3
 xen_minor              : 0
 xen_extra              : -devel
 xen_caps               : xen-3.0-x86_32
 xen_scheduler          : credit
 xen_pagesize           : 4096
 platform_params        : virt_start=0xfc000000
 xen_changeset          : Mon Nov 14 18:13:38 2005 +0100 
                          7793:090e44133d40
 cc_compiler            : gcc version 3.4.3 (Mandrakelinux 
                          10.2 3.4.3-7mdk)
 cc_compile_by          : sdague
 cc_compile_domain      : (none)
 cc_compile_date        : Mon Nov 14 14:16:48 EST 2005
 xend_config_format     : 3

B<FIELDS>

=over 4

Not all fields will be explained here, but some of the less obvious
ones deserve explanation:

=item B<hw_caps>

A vector showing what hardware capabilities are supported by your
processor.  This is equivalent to, though more cryptic, the flags
field in /proc/cpuinfo on a normal Linux machine.

=item B<free_memory>

Available memory (in MB) not allocated to Xen, or any other domains.

=item B<xen_caps>

The Xen version and architecture.  Architecture values can be one of:
x86_32, x86_32p (i.e. PAE enabled), x86_64, ia64.

=item B<xen_changeset>

The Xen mercurial changeset id.  Very useful for determining exactly
what version of code your Xen system was built from.

=back

=item B<log>

Print out the xend log.  This log file can be found in
/var/log/xend.log.

=item B<top>

Executes the B<xentop> command, which provides real time monitoring of
domains.  Xentop is a curses interface, and reasonably self
explanatory.

=back

=head1 SCHEDULER SUBCOMMANDS

Xen ships with a number of domain schedulers, which can be set at boot
time with the B<sched=> parameter on the Xen command line.  By
default B<credit> is used for scheduling.

FIXME: we really need a scheduler expert to write up this section.

=over 4

=item B<sched-credit> [ B<-d> I<domain-id> [ B<-w>[B<=>I<WEIGHT>] | B<-c>[B<=>I<CAP>] ] ]

Set credit scheduler parameters.  The credit scheduler is a
proportional fair share CPU scheduler built from the ground up to be
work conserving on SMP hosts.

Each domain (including Domain0) is assigned a weight and a cap.

B<PARAMETERS>

=over 4

=item I<WEIGHT>

A domain with a weight of 512 will get twice as much CPU as a domain
with a weight of 256 on a contended host. Legal weights range from 1
to 65535 and the default is 256.

=item I<CAP>

The cap optionally fixes the maximum amount of CPU a domain will be
able to consume, even if the host system has idle CPU cycles. The cap
is expressed in percentage of one physical CPU: 100 is 1 physical CPU,
50 is half a CPU, 400 is 4 CPUs, etc. The default, 0, means there is
no upper cap.

=back

=item B<sched-sedf> I<period> I<slice> I<latency-hint> I<extratime> I<weight>

Set Simple EDF (Earliest Deadline First) scheduler parameters.  This
scheduler provides weighted CPU sharing in an intuitive way and uses
realtime-algorithms to ensure time guarantees.  For more information
see docs/misc/sedf_scheduler_mini-HOWTO.txt in the Xen distribution.

B<PARAMETERS>

=over 4

=item I<period>

The normal EDF scheduling usage in nanoseconds

=item I<slice>

The normal EDF scheduling usage in nanoseconds

FIXME: these are lame, should explain more.

=item I<latency-hint>

Scaled period if domain is doing heavy I/O.

=item I<extratime>

Flag for allowing domain to run in extra time.

=item I<weight>

Another way of setting CPU slice.

=back

B<EXAMPLES>

I<normal EDF (20ms/5ms):>

    xm sched-sedf <dom-id> 20000000 5000000 0 0 0

I<best-effort domains (i.e. non-realtime):>

    xm sched-sedf <dom-id> 20000000 0 0 1 0

I<normal EDF (20ms/5ms) + share of extra-time:>

    xm sched-sedf <dom-id> 20000000 5000000 0 1 0

I<4 domains with weights 2:3:4:2>

    xm sched-sedf <d1> 0 0 0 0 2
    xm sched-sedf <d2> 0 0 0 0 3
    xm sched-sedf <d3> 0 0 0 0 4
    xm sched-sedf <d4> 0 0 0 0 2
  
I<1 fully-specified (10ms/3ms) domain, 3 other domains share available
rest in 2:7:3 ratio:>

    xm sched-sedf <d1> 10000000 3000000 0 0 0
    xm sched-sedf <d2> 0 0 0 0 2
    xm sched-sedf <d3> 0 0 0 0 7
    xm sched-sedf <d4> 0 0 0 0 3

=back

=head1 VIRTUAL DEVICE COMMANDS

Most virtual devices can be added and removed while guests are
running.  The effect to the guest OS is much the same as any hotplug
event.

=head2 BLOCK DEVICES

=over 4

=item B<block-attach> I<domain-id> I<be-dev> I<fe-dev> I<mode> [I<bedomain-id>]

Create a new virtual block device.  This will trigger a hotplug event
for the guest.

B<OPTIONS>

=over 4

=item I<domain-id>

The domain id of the guest domain that the device will be attached to.

=item I<be-dev>

The device in the backend domain (usually domain 0) to be exported.
This can be specified as a physical partition (phy:sda7) or as a file
mounted as loopback (file://path/to/loop.iso).

=item I<fe-dev>

How the device should be presented to the guest domain.  It can be
specified as either a symbolic name, such as /dev/hdc, for common
devices, or by device id, such as 0x1400 (/dev/hdc device id in hex).

=item I<mode>

The access mode for the device from the guest domain.  Supported modes
are B<w> (read/write) or B<r> (read-only).

=item I<bedomain-id>

The back end domain hosting the device.  This defaults to domain 0.

=back

B<EXAMPLES>

=over 4

=item I<Mount an ISO as a Disk>

xm block-attach guestdomain file://path/to/dsl-2.0RC2.iso /dev/hdc ro

This will mount the dsl ISO as /dev/hdc in the guestdomain as a read
only device.  This will probably not be detected as a CD-ROM by the
guest, but mounting /dev/hdc manually will work.

=back

=item B<block-detach> I<domain-id> I<devid> [B<--force>]

Detach a domain's virtual block device. I<devid> may be the symbolic
name or the numeric device id given to the device by domain 0.  You
will need to run B<xm block-list> to determine that number.

Detaching the device requires the cooperation of the domain.  If the
domain fails to release the device (perhaps because the domain is hung
or is still using the device), the detach will fail.  The B<--force>
parameter will forcefully detach the device, but may cause IO errors
in the domain.

=item B<block-list> [B<-l>|B<--long>] I<domain-id>

List virtual block devices for a domain.  The returned output is
formatted as a list or as an S-Expression if the B<--long> option was given.

=head2 NETWORK DEVICES

=item B<network-attach> I<domain-id> [B<script=>I<scriptname>] [B<ip=>I<ipaddr>]
[B<mac=>I<macaddr>] [B<bridge=>I<bridge-name>] [B<backend=>I<bedomain-id>]

Creates a new network device in the domain specified by I<domain-id>.  It
takes the following optional options:

B<OPTIONS>

=over 4

=item B<script=>I<scriptname>

Use the specified script name to bring up the network.  Defaults to
the default setting in xend-config.sxp for B<vif-script>.

=item B<ip=>I<ipaddr>

Passes the specified IP Address to the adapter on creation.  

FIXME: this currently appears to be B<broken>.  I'm not sure under what
circumstances this should actually work.

=item B<mac=>I<macaddr>

The MAC address that the domain will see on its Ethernet device.  If
the device is not specified it will be randomly generated with the
00:16:3e vendor id prefix.

=item B<bridge=>I<bridge-name>

The name of the bridge to attach the vif to, in case you have more
than one.  This defaults to xenbr0.

=item B<backend=>I<bedomain-id>

The backend domain id.  By default this is domain 0.

=back

=item B<network-detach> I<domain-id> I<devid>

Removes the network device from the domain specified by I<domain-id>.
I<devid> is the virtual interface device number within the domain
(i.e. the 3 in vif22.3).

FIXME: this is currently B<broken>.  Network devices aren't completely
removed from domain 0.

=item B<network-list> [B<-l>|B<--long>]> I<domain-id>

List virtual network interfaces for a domain.  The returned output is
formatted as a list or as an S-Expression if the B<--long> option was given.

=head2 VIRTUAL TPM DEVICES

=item B<vtpm-list> [B<-l>|B<--long>] I<domain-id>

Show the virtual TPM device for a domain.  The returned output is
formatted as a list or as an S-Expression if the B<--long> option was given.

=back

=head1 VNET COMMANDS

The Virtual Network interfaces for Xen.

FIXME: This needs a lot more explanation, or it needs to be ripped
out entirely.

=over 4

=item B<vnet-list> [B<-l>|B<--long>]

List vnets.

=item B<vnet-create> I<config>

Create a vnet from a config file.

=item B<vnet-delete> I<vnetid>

Delete a vnet.

=back

=head1 ACCESS CONTROL SUBCOMMANDS

Access Control in Xen consists of two components: (i) The Access
Control Policy (ACP) defines security labels and access rules based on
these labels. (ii) The Access Control Module (ACM) makes access control
decisions by interpreting the policy when domains require to
communicate or to access resources. The Xen access control has
sufficient mechanisms in place to enforce the access decisions even
against maliciously acting user domains (mandatory access control).

Access rights for domains in Xen are determined by the domain security
label only and not based on the domain Name or ID. The ACP specifies
security labels that can then be assigned to domains and
resources. Every domain must be assigned exactly one security label,
otherwise access control decisions could become indeterministic. ACPs
are distinguished by their name, which is a parameter to most of the
subcommands described below. Currently, the ACP specifies two ways to
interpret labels:

(1) Simple Type Enforcement: Labels are interpreted to decide access
of domains to communication means and virtual or physical
resources. Communication between domains as well as access to
resources are forbidden by default and can only take place if they are
explicitly allowed by the security policy. The proper assignment of
labels to domains controls the sharing of information (directly
through communication or indirectly through shared resources) between
domains. This interpretation allows to control the overt (intended)
communication channels in Xen.

(2) Chinese Wall: Labels are interpreted to decide which domains can
co-exist (be run simultaneously) on the same system. This
interpretation allows to prevent direct covert (unintended) channels
and mitigates risks caused by imperfect core domain isolation
(trade-off between security and other system requirements). For a
short introduction to covert channels, please refer to
http://www.multicians.org/timing-chn.html.

The following subcommands help you to manage security policies in Xen
and to assign security labels to domains. To enable access control
security in Xen, you must compile Xen with ACM support enabled as
described under "Configuring Security" below. There, you will find
also examples of each subcommand described here.

=item B<setpolicy> ACM I<policy> I<[--load|--boot]>

Makes the given ACM policy available to xend as a I<xend-managed policy>.
The policy is compiled and a mapping (.map) as well as a binary (.bin)
version of the policy is created. If the option I<--load> is provided
the policy is loaded into Xen. If the option I<--boot> is provided the
system is configure to be loaded with the policy at boot time. If these
options are not provided with the B<setpolicy> subcommand, the
B<activatepolicy> subcommand provides this functionality.

=over 4

I<policy> is a dot-separated list of names. The last part is the file
name pre-fix for the policy XML file. The preceding name parts are
translated into the local path pointing to the policy XML file
relative to the global policy root directory
(/etc/xen/acm-security/policies). For example,
example.chwall_ste.client_v1 denotes the policy file
example/chwall_ste/client_v1-security_policy.xml relative to the
global policy root directory.

=back

=item B<activatepolicy> I<[--load|--boot]>

Activates the xend-managed policy by loading it into Xen using the
I<--load> option or configures the system to boot with the
xend-managed policy during the next reboot as a result of the
I<--boot> option. The latter is only supported if the system is booted
with the grub boot loader and the default boot title is modified.
It copies the binary policy representation into the /boot directory and
adds a module line specifying the binary policy to the /boot/grub/menu.lst
or /boot/grub/grub.conf file.

=item B<getpolicy> [--dumpxml]

Displays information about the current xend-managed policy, such as
name and type of the policy, the uuid xend has assigned to it on the
local system, the version of the XML representation and the status
of the policy, such as whether it is currently loaded into Xen or
whether the policy is automatically loaded during system boot. With
the I<--dumpxml> option, the XML representation of the policy is
displayed.

=item B<dumppolicy>

Prints the current security policy state information of Xen.

=item B<labels> [I<policy>] [B<type=dom>|B<res>|B<any>]

Lists all labels of a I<type> (domain, resource, or both) that are
defined in the I<policy>. Unless specified, the default I<policy> is
the currently enforced access control policy. The default for I<type>
is 'dom'. The labels are arranged in alphabetical order.

=item B<addlabel> I<label> B<dom> I<configfile> [I<policy>]

=item B<addlabel> I<label> B<mgt> I<domain name> [I<policy type>:I<policy>]

=item B<addlabel> I<label> B<res> I<resource> [I<policy>]

=item B<addlabel> I<label> B<vif-idx> I<domain name> [I<policy type>:I<policy>]


Adds the security label with name I<label> to a domain
I<configfile> (dom), a Xend-managed domain (mgt), to the global resource label
file for the given I<resource> (res), or to a managed domain's virtual network
interface (vif) that is specified by its index. Unless specified,
the default I<policy> is the currently enforced access control policy.
This subcommand also verifies that the I<policy> definition supports the
specified I<label> name.

The only I<policy type> that is currently supported is I<ACM>.

=item B<rmlabel> B<dom> I<configfile>

=item B<rmlabel> B<mgt> I<domain name>

=item B<rmlabel> B<res> I<resource>

=item B<rmlabel> B<vif-idx> I<domain name>

Works the same as the B<addlabel> command (above), except that this
command will remove the label from the domain I<configfile> (dom),
a Xend-managed domain (mgt), the global resource label file (res),
or a managed domain's network interface (vif).

=item B<getlabel> B<dom> I<configfile>

=item B<getlabel> B<mgt> I<domain name>

=item B<getlabel> B<res> I<resource>

=item B<getlabel> B<vif-idx> I<domain name>

Shows the label for a domain's configuration in the given I<configfile>,
a xend-managed domain (mgt), a resource, or a managed domain's network
interface (vif).

=item B<resources>

Lists all resources in the global resource label file.  Each resource
is listed with its associated label and policy name.

=item B<dry-run> I<configfile>

Determines if the specified I<configfile> describes a domain with a valid
security configuration for type enforcement. The test shows the policy
decision made for each resource label against the domain label as well as
the overall decision.

B<CONFIGURING SECURITY>

=over 4

In xen_source_dir/Config.mk set the following parameter:

    ACM_SECURITY ?= y
Then recompile and install xen and the security tools and then reboot:

    cd xen_source_dir/xen; make clean; make; cp xen.gz /boot;
    cd xen_source_dir/tools/security; make install;
    reboot into Xen

=back

B<SETTING A SECURITY POLICY>

=over 4

This step makes the policy available to xend and creates the client_v1.map and
client_v1.bin files in /etc/xen/acm-security/policies/example/chwall_ste.

    xm setpolicy ACM example.client_v1

=back

B<ACTIVATING THE XEND-MANAGED SECURITY POLICY>

=over 4

This step activates the xend-manged policy as new security policy in Xen.
You can use the dumppolicy subcommand before and afterwards to see the
change in the Xen policy state.

    xm activatpolicy --load

=back

B<CONFIGURING A BOOT SECURITY POLICY>

=over 4

This configures the boot loader to load the current xend-managed policy at
boot time. During system start, the ACM configures Xen with this policy and
Xen enforces this policy from then on.

    xm activatepolicy --boot

=back

B<LISTING SECURITY LABELS>

=over 4

This subcommand shows all labels that are defined and which can be
attached to domains.

    xm labels example.client_v1 type=dom

will print for our example policy:

        dom_BoincClient
        dom_Fun
        dom_HomeBanking
        dom_NetworkDomain
        dom_StorageDomain
        dom_SystemManagement

=back

B<ATTACHING A SECURITY LABEL TO A DOMAIN>

=over 4

The B<addlabel> subcommand can attach a security label to a domain
configuration file, here a HomeBanking label. The example policy
ensures that this domain does not share information with other
non-homebanking user domains (i.e., domains labeled as dom_Fun or
dom_Boinc) and that it will not run simultaneously with domains
labeled as dom_Fun.

We assume that the specified myconfig.xm configuration file actually
instantiates a domain that runs workloads related to home-banking,
probably just a browser environment for online-banking.

    xm addlabel dom_HomeBanking dom myconfig.xm

The very simple configuration file might now look as printed
below. The B<addlabel> subcommand added the B<access_control> entry at
the end of the file, consisting of a label name and the policy that
specifies this label name:

    kernel = "/boot/vmlinuz-2.6.16-xen"
    ramdisk="/boot/U1_home_banking_ramdisk.img"
    memory = 164
    name = "homebanking"
    vif = [ '' ]
    dhcp = "dhcp"
    access_control = ['policy=example.chwall_ste.client_v1,
                       label=dom_HomeBanking']

Security labels must be assigned to domain configurations because
these labels are essential for making access control decisions as
early as during the configuration phase of a newly instantiated
domain. Consequently, a security-enabled Xen hypervisor will only
start domains that have a security label configured and whose security
label is consistent with the currently enforced policy. Otherwise,
starting the domain will fail with the error condition "operation not
permitted".

=back

B<ATTACHING A SECURITY LABEL TO A XEND-MANAGED DOMAIN>

=over 4

The addlabel subcommand supports labeling of domains that are managed
by xend. This includes domains that are currently running, such as for
example Domain-0, or those that are in a dormant state.
Depending on the state of the system, it is possible that the new label
is rejected. An example for a reason for the rejection of the relabeling
of a domain would be if a domain is currently allowed to
access its labeled resources but due to the new label would be prevented
from accessing one or more of them.

    xm addlabel dom_Fun mgt Domain-0

This changes the label of Domain-0 to dom_Fun under the condition that
this new label of Domain-0 would not prevent any other domain from
accessing its resources that are provided through Domain-0, such as for
example network or block device access.

=back

B<ATTACHING A SECURITY LABEL TO A RESOURCE>

=over 4

The B<addlabel> subcommand can also be used to attach a security
label to a resource. Following the home banking example from above,
we can label a disk resource (e.g., a physical partition or a file)
to make it accessible to the home banking domain. The example policy
provides a resource label, res_LogicalDiskPartition1(hda1), that is
compatible with the HomeBanking domain label.

    xm addlabel "res_LogicalDiskPartition1(hda1)" res phy:hda6

After labeling this disk resource, it can be attached to the domain
by adding a line to the domain configuration file. The line below
attaches this disk to the domain at boot time.

    disk = [ 'phy:hda6,sda2,w' ]

Alternatively, the resource can be attached after booting the domain
by using the B<block-attach> subcommand.

    xm block-attach homebanking phy:hda6 sda2 w

Note that labeled resources cannot be used when security is turned
off.  Any attempt to use labeled resources with security turned off
will result in a failure with a corresponding error message.  The
solution is to enable security or, if security is no longer desired,
to remove the resource label using the B<rmlabel> subcommand.

=back

B<STARTING AND LISTING LABELED DOMAINS>

=over 4

    xm create myconfig.xm

    xm list --label

      Name         ID ...  Time(s)  Label
      homebanking  23 ...      4.4  dom_HomeBanking
      Domain-0      0 ...   2658.8  dom_SystemManagement

=back

B<LISTING LABELED RESOURCES>

=over 4

    xm resources

      phy:hda6
            type: ACM
          policy: example.chwall_ste.client_v1
          label:  res_LogicalDiskPartition1(hda1)
      file:/xen/disk_image/disk.img
            type: ACM
          policy: example.chwall_ste.client_v1
          label:  res_LogicalDiskPartition2(hda2)

=back

B<POLICY REPRESENTATIONS>

=over 4

We distinguish three representations of the Xen access control policy:
the source XML version, its binary counterpart, and a mapping
representation that enables the tools to deterministically translate
back and forth between label names of the XML policy and label
identifiers of the binary policy. All three versions must be kept
consistent to achieve predictable security guarantees.

The XML version is the version that users are supposed to create or
change, either by manually editing the XML file or by using the Xen
policy generation tool (B<xensec_gen>). After changing the XML file,
run the B<setpolicy> subcommand to ensure that the new policy is
available to xend. Use, for example, the subcommand
B<activatepolicy> to activate the changes during the next system
reboot.

The binary version of the policy is derived from the XML policy by
tokenizing the specified labels and is used inside Xen only. It is
created with the B<setpolicy> subcommand. Essentially, the binary
version is much more compact than the XML version and is easier to
evaluate during access control decisions.

The mapping version of the policy is created during the XML-to-binary
policy translation (B<setpolicy>) and is used by xend and the management
tools to translate between label names used as input to the tools and
their binary identifiers (ssidrefs) used inside Xen.

=back

=head1 SEE ALSO

B<xmdomain.cfg>(5), B<xentop>(1)

=head1 AUTHOR

  Sean Dague <sean at dague dot net>
  Daniel Stekloff <dsteklof at us dot ibm dot com>
  Reiner Sailer <sailer at us dot ibm dot com>
  Stefan Berger <stefanb at us dot ibm dot com>

=head1 BUGS