xen-devel
[Xen-devel] Re: [PATCH] [ACM/Xen] Fix policy buffer layout changed with
"George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
wrote on 09/04/2007 02:29:10 PM:
> On Tue, 2007-09-04 at 10:57 -0400, Stefan Berger wrote:
> > This fixes a regression due to changes in the policy buffer layout
> > submitted by the XSM module.
> >
>
> Hi Stefan,
>
> This was done to make the ACM magic number the first word in the policy
> file. This seemed to be the logical choice to afford ACM the greatest
> flexibility for loading policies under XSM. In principle, under XSM, a
> security module could be capable of loading and parsing policies over a
> range of policy versions.
Did you adapt the tools to generate a binary policy in that form?
>
> Your patch reverts the ACM module to the original form where the first
> word of the policy file is the policy version - which could change over
> time. This is the general problem of magic numbers.
Yes, I changed it back because it was broken, at least it did not accept
the policy I tried to load.
Stefan
>
> A benefit of your patch is old ACM policies will not need to be
> recompiled to work under XSM with this patch, but I see there being
> future confusion and a potential loss of flexibility for ACM by making
> this change. I would argue that the ACM policy version should instead
> be bumped for the move to XSM since the XSM patches actually caused a
> format change to the ACM policy binary.
>
> Admittedly, this discussion is moot because ACM has only one policy
> version at this time. The XSM_MAGIC number must also be updated to
> 03000000 to ensure proper boot time policy detection under XSM with your
> patch.
>
> I also see that there are dups of /xsm in the includes dir. Since this
> was a restructuring from inclusion in xen-staging, perhaps some cleanups
> are in order. Keir?
>
> George
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel