[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] acm



On Tue, 2011-08-09 at 15:29 +0100, Konrad Rzeszutek Wilk wrote:
> Tim, George,
> 
> Any ideas who at might know more about the ACM flask?

Didn't Keir remove ACM support back in 23097:2aeebd5cbbad? Probably post
Xen 4.1 but on that basis I wouldn't recommend enabling it on any recent
release which happened to include it -- it was removed because it was
unmaintained.

Ian.

> 
> On Sat, Aug 06, 2011 at 04:28:37PM +0800, Windows Live wrote:
> > 
> > ------- Comment
> >           
> >             #15 From 
> >           Konrad Rzeszutek Wilk
> >           2011-08-05 19:11 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > Just copy-n-paste the bug and post it on xen-devel mailing list.
> > 
> > 
> >  http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1775
> > 
> > a reduced summary;
> > 
> > 
> > This fault renders xen unworkable, only in the packaged install of distro
> > gentoo/
> > 
> > gentoo64 grub # eix xen
> > [I] app-emulation/xen
> >      Available versions:  3.4.2-r1!t (~)4.1.0!t **9999!t {acm custom-cflags
> > debug flask pae xsm}
> >      Installed versions:  4.1.0!t(00:13:36 07/30/11)(acm debug flask pae xsm
> > -custom-cflags)
> >      Homepage:            http://xen.org/
> >      Description:         The Xen virtual machine monitor
> > 
> > This make /boot/xen-4.1.0.gz.  On booting into this installed hypervisor, I 
> > can
> > bring up virt-manager which happily lists the vms.
> > 
> > On attempting to boot a v the moment the xen equipped kernel attempts to 
> > boot
> > the vm, the system is crashed.
> > 
> > That is, it seems to trigger reboot because that is what happens, 
> > Just reboot.
> > I haven't bothered with any logs because this instantaneous crash should 
> > fail
> > to write any events to logs, correct me if I'm wrong
> > 
> > ------- Comment
> >           
> >             #1 From 
> >           IAN DELANEY
> >           2011-07-30 02:36 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > should have mentioned.
> > 
> > idella@gentoo64 ~/bin $ ls /boot/
> > ...........
> > xen-4.1.0-rc7-pre.gz
> > xen-4.1.0.gz
> > ........
> > 
> > The xen-4.1.0-rc7-pre.gz is fine
> > The xen-4.1.0.gz hypervisor is broken.
> > 
> > idella@gentoo64 ~/bin $ emerge xen -pv
> > 
> > These are the packages that would be merged, in order:
> > 
> > Calculating dependencies... done!
> > [ebuild   R    ] app-emulation/xen-4.1.0  USE="acm custom-cflags* debug 
> > flask
> > pae xsm" 0 kB
> > 
> > shows the compiled in features.  What can trigger this type of system crash?
> > 
> >     
> > 
> >         
> >           ------- Comment
> >           
> >             #3 From 
> >           IAN DELANEY
> >           2011-07-30 07:31 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > It seems the cause of this is in gentoo terms the use of the use flags acm 
> > and
> > xsm.  See https://bugs.gentoo.org/show_bug.cgi?id=361345.
> > It seems disabling these flags allows the hypervisor to boot vms.
> > What I need to know is where this flaw comes from.  There is a gentoo 
> > package
> > xsm, but not asm.
> > asm is a security portion of the source.
> > Is the flaw in the gentoo package xsm, is it the xensource code, and can you
> > list the step or steps to sensure xsm and acm directly in the xensource 
> > code so
> > I can replicate it;  suspect they are options manually put after make on the
> > command line.
> > 
> > ------- Comment #5 From IAN DELANEY 2011-07-30 08:01  [reply]  -------
> >         
> >         
> > 
> > 
> > Aha
> > 
> > from Config.mk
> > 
> > # Enable XSM security module.  Enabling XSM requires selection of an
> > # XSM security module (FLASK_ENABLE or ACM_SECURITY).
> > XSM_ENABLE ?= n
> > FLASK_ENABLE ?= n
> > ACM_SECURITY ?= n
> > 
> > These are the default settings, so it seems the hypervisor I am using does 
> > in
> > fact not have these set.
> > So why are they turned off, and do they have an unresolved issue?
> > 
> >     
> >   
> >         
> > 
> >         
> >           ------- Comment
> >           
> >             #6 From 
> >           Konrad Rzeszutek Wilk
> >           2011-07-30 08:26 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > (In reply to comment #5)
> > > Aha
> > > 
> > > from Config.mk
> > > 
> > > # Enable XSM security module.  Enabling XSM requires selection of an
> > > # XSM security module (FLASK_ENABLE or ACM_SECURITY).
> > > XSM_ENABLE ?= n
> > > FLASK_ENABLE ?= n
> > > ACM_SECURITY ?= n
> > > 
> > > These are the default settings, so it seems the hypervisor I am using 
> > > does in
> > > fact not have these set.
> > > So why are they turned off, and do they have an unresolved issue?
> > 
> > B/c the maintainer for them is .. gone? I suspect the code is bit-rotten. 
> > You
> > might want to open a Gentoo bug to turn those off until somebody fixes 
> > whatever
> > the issue you have with ACM.
> > 
> > > 
> > 
> >     
> >   
> >         
> > 
> >         
> >           ------- Comment
> >           
> >             #7 From 
> >           IAN DELANEY
> >           2011-07-30 08:40 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > Konrad;
> > 
> > 
> > I can get the use flags withdrawn, but the task at hand is to get them to 
> > work.
> > I can say that change to setting 
> > FLASK_ENABLE ?= y
> > cause the emerge or build to fail in my gentoo
> > 
> > 
> > 
> >         
> >           ------- Comment
> >           
> >             #8 From 
> >           IAN DELANEY
> >           2011-07-30 10:04 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > ok I'm picking up the threads.
> > 
> > # make clean
> > # nano Config.mk
> > # emerge install-xen
> > 
> > for each alteration.
> > 
> > the build fails only for setting ACM_SECURITY ?= y.
> > 
> >     
> >   
> >         
> > 
> >         
> >           ------- Comment
> >           
> >             #9 From 
> >           Konrad Rzeszutek Wilk
> >           2011-07-31 08:14 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > (In reply to comment #7)
> > > Konrad;
> > > 
> > > thanks.  When you say maintainer, do you mean a gentoo maintainer?
> > 
> > Cool. So in regards to disable ACM/FLask - that was to you. In regards to
> > actually figuring why ACM/Flask does not seem to work - that was meant for 
> > the
> > maintainer of that code in Xen - who seemed to have moved on to other 
> > things.
> > 
> > 
> > > I can get the use flags withdrawn, but the task at hand is to get them to 
> > > work.
> > 
> > Ah, then you will need to figure out why FLASK does not work - I have no
> > knowledge of that code so won't be much help. You might have better luck
> > digging up the authors of said code and emailing them.
> > 
> > > I can say that change to setting 
> > > FLASK_ENABLE ?= y
> > > cause the emerge or build to fail in my gentoo
> > > 
> > > Thanks for your important help.
> > > 
> > 
> >     
> >   
> >         
> > 
> >         
> >           ------- Comment
> >           
> >             #10 From 
> >           IAN DELANEY
> >           2011-07-31 08:49 
> >           
> >           [reply]
> >           -------
> >         
> >         
> > 
> > 
> > ok; to correct last entries.
> > 
> > It seems that flask is fine.  On repeating it a number of times, for 
> > whatever
> > reason, on compiling the xensource package xen-4.1-testing.hg, it appears 
> > that
> > entries flask and acm will in fact compile fine. It seems that setting 
> > flask on
> > its own will fail, it depends upon xsm being set. Setting xsm om its own or
> > with flask works.
> > 
> > In fact, setting all 3, the package builds. But like the gentoo emerge, the
> > hypervisor breaks the system if ACM_SECURITY is set.  Setting use=ACM
> > presumably leads to setting ACM_SECURITY ?= n in the Config.mk. simple.  So 
> > the
> > flaw isn't in gentoo, it' in the source.                                    
> >   
> 
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.