Re: [PATCH v2 2/3] Add lockdown mode
On Tue, Jun 3, 2025 at 5:29 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>
> On 02/06/2025 2:46 pm, Kevin Lampis wrote:
> > diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> > index 1f5cb67bd0..efeed5eafc 100644
> > --- a/xen/arch/x86/setup.c
> > +++ b/xen/arch/x86/setup.c
> > @@ -15,6 +15,7 @@
> > #include <xen/kexec.h>
> > #include <xen/keyhandler.h>
> > #include <xen/lib.h>
> > +#include <xen/lockdown.h>
> > #include <xen/multiboot.h>
> > #include <xen/nodemask.h>
> > #include <xen/numa.h>
>
> As the only modification to setup.c, this hunk surely isn't in the right
> patch.
>
> > diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> > index 0951d4c2f2..33cd669110 100644
> > --- a/xen/common/Kconfig
> > +++ b/xen/common/Kconfig
> > @@ -587,4 +587,12 @@ config BUDDY_ALLOCATOR_SIZE
> > Amount of memory reserved for the buddy allocator to serve Xen heap,
> > working alongside the colored one.
> >
> > +config LOCKDOWN_DEFAULT
> > + bool "Enable lockdown mode by default"
> > + default n
>
> default n is redundant. Please drop it.
>
> > + help
> > + Lockdown mode prevents attacks from a rogue dom0 userspace from
> > + compromising the system. This is automatically enabled when Secure
> > + Boot is enabled.
>
> It's more than just rogue dom0 userspace. But, are we using lockdown
> mode for anything more than just cmdline filtering?

Not as part of this series, but it is expected that lockdown mode will
eventually be tied into certain other functionality. E.g. requiring live
patches to be signed when it is enabled.

Ross
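Review bot: in the setup.c hunk, `+#include <xen/lockdown.h>` is the file's only change and nothing else in the hunk uses a symbol from that header, so either the include belongs in the patch of this series that adds the first use in setup.c, or that use is missing from this patch. Moving the include next to its first user also makes it verifiable that setup.c needs `xen/lockdown.h` at all.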
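Review bot: in the Kconfig hunk, the help text of `config LOCKDOWN_DEFAULT` describes lockdown mode itself rather than what this option controls (the default state), and its first sentence has a doubled "from": `+ Lockdown mode prevents attacks from a rogue dom0 userspace from` / `+ compromising the system.` Suggest opening with what the option does, e.g. "If enabled, lockdown mode is active by default", and making explicit whether Secure Boot forces lockdown on regardless of this setting, because "This is automatically enabled when Secure Boot is enabled" currently leaves it ambiguous whether "this" is the default or lockdown mode. The `+ default n` line is redundant and can be dropped, as already noted in the reply above.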