[PATCH v2 0/3] Add lockdown mode
The intention of lockdown mode is to prevent attacks from a rogue dom0 userspace from compromising the system. Lockdown mode can be controlled by a Kconfig option and a command-line parameter. It is also enabled automatically when Secure Boot is enabled and it cannot be disabled in that case.

Ross Lagerwall (2):
  efi: Add a function to check if Secure Boot mode is enabled
  Add lockdown mode

Kevin Lampis (1):
  Disallow most command-line options when lockdown mode is enabled

 docs/misc/xen-command-line.pandoc      | 16 ++++++++
 xen/arch/arm/domain_build.c            |  4 +-
 xen/arch/x86/acpi/cpu_idle.c           |  2 +-
 xen/arch/x86/cpu/amd.c                 |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c          |  2 +-
 xen/arch/x86/cpu/microcode/core.c      |  2 +-
 xen/arch/x86/dom0_build.c              |  4 +-
 xen/arch/x86/hvm/hvm.c                 |  2 +-
 xen/arch/x86/irq.c                     |  2 +-
 xen/arch/x86/nmi.c                     |  2 +-
 xen/arch/x86/setup.c                   |  3 +-
 xen/arch/x86/traps.c                   |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c  |  2 +-
 xen/common/Kconfig                     |  8 ++++
 xen/common/Makefile                    |  1 +
 xen/common/domain.c                    |  2 +-
 xen/common/efi/boot.c                  | 23 ++++++++++++
 xen/common/efi/runtime.c               |  3 ++
 xen/common/kernel.c                    | 17 ++++++++-
 xen/common/kexec.c                     |  2 +-
 xen/common/lockdown.c                  | 54 +++++++++++++++++++++++++++
 xen/common/numa.c                      |  2 +-
 xen/common/page_alloc.c                |  2 +-
 xen/common/shutdown.c                  |  2 +-
 xen/drivers/char/console.c             |  2 +-
 xen/drivers/char/ns16550.c             |  4 +-
 xen/drivers/video/vga.c                |  2 +-
 xen/include/xen/efi.h                  |  6 +++
 xen/include/xen/lockdown.h             | 11 ++++++
 xen/include/xen/param.h                | 49 ++++++++++++++++++------
 30 files changed, 200 insertions(+), 35 deletions(-)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h
-- 
2.42.0
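The cover letter describes three sources for the lockdown decision (a Kconfig default, a command-line parameter, and Secure Boot, which wins unconditionally) and a third patch that refuses most command-line options once lockdown is resolved. The following is an added, self-contained C model of that precedence and gating logic; it is not code from the series and does not reproduce Xen's actual functions, option names or parameter table. `lockdown_enabled`, `parse_cmdline`, `resolve`, the `CONFIG_LOCKDOWN_DEFAULT` macro and the option names `opt_safe`/`opt_unsafe` are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a Kconfig default (constructed; not Xen's symbol). */
#ifndef CONFIG_LOCKDOWN_DEFAULT
#define CONFIG_LOCKDOWN_DEFAULT 0
#endif

struct lockdown_state {
    bool secure_boot;    /* firmware reports Secure Boot (simulated here) */
    bool cmdline_set;    /* a lockdown= option appeared on the command line */
    bool cmdline_value;  /* the value it requested */
};

/* Precedence: Secure Boot forces lockdown on and cannot be overridden;
 * otherwise the command line decides; otherwise the Kconfig default applies. */
bool lockdown_enabled(const struct lockdown_state *s)
{
    if (s->secure_boot)
        return true;
    if (s->cmdline_set)
        return s->cmdline_value;
    return CONFIG_LOCKDOWN_DEFAULT;
}

/* Constructed parameter table: each option records whether it stays usable
 * in lockdown. Names are placeholders, not Xen's real options. */
struct param { const char *name; bool allowed_in_lockdown; };
static const struct param params[] = {
    { "lockdown",   true  },
    { "opt_safe",   true  },
    { "opt_unsafe", false },
};

static const struct param *find_param(const char *key)
{
    for (size_t i = 0; i < sizeof params / sizeof params[0]; i++)
        if (strcmp(params[i].name, key) == 0)
            return &params[i];
    return NULL;
}

/* "lockdown" alone or "lockdown=1" enables; anything else disables. */
static bool parse_bool(const char *v) { return v == NULL || strcmp(v, "1") == 0; }

/* Copy the next space-separated token at *pos into tok and advance *pos.
 * Returns false once the command line is exhausted. */
static bool next_token(const char *cmdline, size_t *pos, char *tok, size_t toklen)
{
    const char *p = cmdline + *pos;
    p += strspn(p, " ");
    if (*p == '\0') { *pos = (size_t)(p - cmdline); return false; }
    size_t n = strcspn(p, " ");
    size_t copy = n < toklen - 1 ? n : toklen - 1;
    memcpy(tok, p, copy);
    tok[copy] = '\0';
    *pos = (size_t)(p - cmdline) + n;
    return true;
}

/* Returns the number of options accepted; *rejected counts options that are
 * known but not permitted in lockdown. Unknown options are skipped. The two
 * passes make the result independent of where lockdown= appears. */
int parse_cmdline(const char *cmdline, struct lockdown_state *s, int *rejected)
{
    char tok[64];
    size_t pos = 0;
    int accepted = 0;
    *rejected = 0;

    /* Pass 1: resolve the mode itself before judging any other option. */
    while (next_token(cmdline, &pos, tok, sizeof tok)) {
        char *val = strchr(tok, '=');
        if (val) *val++ = '\0';
        if (strcmp(tok, "lockdown") == 0) {
            s->cmdline_set = true;
            s->cmdline_value = parse_bool(val);
        }
    }
    bool locked = lockdown_enabled(s);

    /* Pass 2: gate every option against the resolved mode. */
    pos = 0;
    while (next_token(cmdline, &pos, tok, sizeof tok)) {
        char *val = strchr(tok, '=');
        if (val) *val = '\0';
        const struct param *p = find_param(tok);
        if (!p) continue;
        if (locked && !p->allowed_in_lockdown) { (*rejected)++; continue; }
        accepted++;
    }
    return accepted;
}

struct outcome { bool locked; int accepted; int rejected; };

/* Resolve one boot scenario: a Secure Boot flag plus a constructed command line. */
struct outcome resolve(bool secure_boot, const char *cmdline)
{
    struct lockdown_state s = { .secure_boot = secure_boot };
    struct outcome o = { 0 };
    o.accepted = parse_cmdline(cmdline, &s, &o.rejected);
    o.locked = lockdown_enabled(&s);
    return o;
}

int main(void)
{
    /* Secure Boot on: lockdown=0 is parsed but has no effect, opt_unsafe is refused. */
    struct outcome o = resolve(true, "lockdown=0 opt_safe=1 opt_unsafe=1");
    printf("locked=%d accepted=%d rejected=%d\n", o.locked, o.accepted, o.rejected);
    return 0;
}
```

The point of the two-pass parse is the one a reviewer would look for in patch 3: an option that is disallowed in lockdown must be rejected even when it precedes `lockdown=1` on the command line, and a `lockdown=0` request must be inert when Secure Boot is active.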