[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 0/3] Add lockdown mode

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Kevin Lampis <kevin.lampis@xxxxxxxxx>
Date: Mon, 2 Jun 2025 14:46:53 +0100
Cc: Kevin Lampis <kevin.lampis@xxxxxxxxx>
Delivery-date: Mon, 02 Jun 2025 13:46:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.

Ross Lagerwall (2):
  efi: Add a function to check if Secure Boot mode is enabled
  Add lockdown mode

Kevin Lampis (1):
  Disallow most command-line options when lockdown mode is enabled

 docs/misc/xen-command-line.pandoc     | 16 ++++++++
 xen/arch/arm/domain_build.c           |  4 +-
 xen/arch/x86/acpi/cpu_idle.c          |  2 +-
 xen/arch/x86/cpu/amd.c                |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
 xen/arch/x86/cpu/microcode/core.c     |  2 +-
 xen/arch/x86/dom0_build.c             |  4 +-
 xen/arch/x86/hvm/hvm.c                |  2 +-
 xen/arch/x86/irq.c                    |  2 +-
 xen/arch/x86/nmi.c                    |  2 +-
 xen/arch/x86/setup.c                  |  3 +-
 xen/arch/x86/traps.c                  |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
 xen/common/Kconfig                    |  8 ++++
 xen/common/Makefile                   |  1 +
 xen/common/domain.c                   |  2 +-
 xen/common/efi/boot.c                 | 23 ++++++++++++
 xen/common/efi/runtime.c              |  3 ++
 xen/common/kernel.c                   | 17 ++++++++-
 xen/common/kexec.c                    |  2 +-
 xen/common/lockdown.c                 | 54 +++++++++++++++++++++++++++
 xen/common/numa.c                     |  2 +-
 xen/common/page_alloc.c               |  2 +-
 xen/common/shutdown.c                 |  2 +-
 xen/drivers/char/console.c            |  2 +-
 xen/drivers/char/ns16550.c            |  4 +-
 xen/drivers/video/vga.c               |  2 +-
 xen/include/xen/efi.h                 |  6 +++
 xen/include/xen/lockdown.h            | 11 ++++++
 xen/include/xen/param.h               | 49 ++++++++++++++++++------
 30 files changed, 200 insertions(+), 35 deletions(-)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

-- 
2.42.0

Follow-Ups:
- [PATCH v2 3/3] Disallow most command-line options when lockdown mode is enabled
  - From: Kevin Lampis
- [PATCH v2 2/3] Add lockdown mode
  - From: Kevin Lampis
- [PATCH v2 1/3] efi: Add a function to check if Secure Boot mode is enabled
  - From: Kevin Lampis

Prev by Date: Re: [PATCH 02/19] x86: Add missing pci_dev forward declaration in asm/pci.h
Next by Date: [PATCH v2 1/3] efi: Add a function to check if Secure Boot mode is enabled
Previous by thread: Re: [PATCH v2 4/5] livepatch: Load built-in key during boot
Next by thread: [PATCH v2 1/3] efi: Add a function to check if Secure Boot mode is enabled
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.