From a81401ff493958e626e84f802f44434978fa4d4d Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 20 May 2020 13:14:20 +0100 Subject: [PATCH] templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK) XSM is enabled by adding "flask=enforcing" as a Xen command line argument, and providing the policy file as a grub module. We make entries for both with and without XSM. If XSM is not compiled into Xen, then there are no policy files, so no change to the boot options. Signed-off-by: Ian Jackson Reviewed-by: Daniel Kiper --- util/grub.d/20_linux_xen.in | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in index d633a74e6..3b1f47049 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -88,6 +88,11 @@ esac title_correction_code= linux_entry () +{ + linux_entry_xsm "$@" false + linux_entry_xsm "$@" true +} +linux_entry_xsm () { os="$1" version="$2" @@ -95,6 +100,18 @@ linux_entry () type="$4" args="$5" xen_args="$6" + xsm="$7" + # If user wants to enable XSM support, make sure there's + # corresponding policy file. + if ${xsm} ; then + xenpolicy="xenpolicy-$xen_version" + if test ! -e "${xen_dirname}/${xenpolicy}" ; then + return + fi + xen_args="$xen_args flask=enforcing" + xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")" + # xen_version is used for messages only; actual file is xen_basename + fi if [ -z "$boot_device_id" ]; then boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" fi @@ -146,6 +163,13 @@ EOF sed "s/^/$submenu_indentation/" << EOF echo '$(echo "$message" | grub_quote)' ${module_loader} --nounzip $(echo $initrd_path) +EOF + fi + if test -n "${xenpolicy}" ; then + message="$(gettext_printf "Loading XSM policy ...")" + sed "s/^/$submenu_indentation/" << EOF + echo '$(echo "$message" | grub_quote)' + ${module_loader} ${rel_dirname}/${xenpolicy} EOF fi sed "s/^/$submenu_indentation/" << EOF