WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

[Xense-devel] Howto enable sHype/ACM security for Xen with FC6 Xen sourc

To: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xense-devel] Howto enable sHype/ACM security for Xen with FC6 Xen sources and FC6 kernels
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Sun, 26 Nov 2006 22:13:58 -0500
Cc: fedora-xen@xxxxxxxxxx
Delivery-date: Sun, 26 Nov 2006 19:14:07 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

I have been approached for help in enabling sHype/ACM for Xen on an FC6 system using Fedora sources only.  Since sHype/ACM is still disabled by default in Xen, you need to recompile and re-install Xen to enable it. I have attached a short howto, since this procedure might not be straight-forward for the general user.

sHype/ACM is part of the core Xen distribution and includes mandatory access control in the Xen hypervisor. sHype controls sharing between user domains (controls which domains can communicate with each other and which domains can access which resources) and enforces anti-collocation rules (controls which domains can run simultaneously on the same platform) with simple formal security policies. Please refer to the Xen user guide section about sHype/ACM for more details and for usage/test examples and current limitations.

You do not  need to follow this howto if you choose to install the original Xensource.com Xen version and the 2.6.16.29 Xen kernel. In this case, the Xen user guide for sHype/ACM includes all information needed for configuration,  installation, and usage examples.

Feedback / corrections / improvements are welcome (I am not an FC6 specialist!).

Regards
Reiner

=======================================HOWTO

BUILD AND INSTALL SHYPE/ACM XEN FROM FEDORA CORE 6 SOURCES
***********************************************************

Foreword: You can use the official Xen source install from Xensource.com and configure ACM (see Xen user guide). However, Xen comes with a  2.6.16.29 kernel by default. If you depend on a FC6 2.6.18 kernel running on Xen and you want the sHype ACM security extension, then the following document describes how to get there from a clean non-virtualized FC6 install.

The following step-wise description shows how to get sources, configure them, and install them so that sHype/ACM security is enabled in Xen on FC6 for the latest FC6 kernel.

Once you run sHype/ACM Xen, you can refer to the Xen user guide manual chapter (found in: ) 10 to walk through usage examples.


A) Get source Xen/Kernel for FC6 (from any FC6 mirror)
======================================================
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/updates/6/SRPMS
download:
kernel-2.6.18-1.2849.fc6.src.rpm
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/6/source/SRPMS
download:
xen-3.0.3-0.1.rc3.src.rpm


B) Unpack source rpm
====================
rpm -ihv kernel-2.6.18-1.2849.fc6.src.rpm
rpm -ihv xen-3.0.3-0.1.rc3.src.rpm


C) Create sources and configure sHype Access Control Module for Xen
===================================================================
(this step creates the sources into /usr/src/redhat/BUILD)
cd /usr/src/redhat/SPECS
rpmbuild -bp xen.spec
rpmbuild -bp kernel-2.6.spec


D) Build/Install Xen
====================
Note: it appears that most problems in this stage stem from inconsistent PAE settings in Xen and Kernel (must be the same).

i) Configure + install security enabled Xen and tools:
cd /usr/src/redhat/BUILD/xen-3.0.3-rc3
edit Config.mk and set following variables for PAE/no PAE:

i.a) if you DON'T want PAE support (<4GB on x386):
XEN_TARGET_X86_PAE  ?= n
ACM_SECURITY ?= y

i.b) if you DO want PAE support:
XEN_TARGET_X86_PAE  ?= y
ACM_SECURITY ?= y

ii) Now save Config.mk and exit editor.

iii) in the current xen-3.0.3-rc3 directory:
root# (cd LibVNCServer-0.8.2; make install)
root# make xen tools

Note: do not just 'make' because it will take a long time to build the kernel and you are not going to use it (see below)

iv)
root# make install-xen; make install-tools

v) Install wxPython for ez-Security Policy tool
root# yum install wxPython

Test: /usr/sbin/xensec_ezpolicy should bring up a GUI (close it)


E) BUILD/INSTALL FC6 Kernel for Xen
===================================
We only use the 2.6.18.i386 kernel from this install. Not xen.

i) Configure + install FC6 Kernel for Xen:
root# cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i386
root# cp configs/kernel-2.6.18.i686-xen.config .config

use 'make menuconfig' or 'make gconfig' to configure the following variables for PAE/no PAE:

i.a) if you DON'T want PAE support (<4GB on x386):
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 4GB

i.b) if you DO want PAE support:
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 64GB

ii) Compile + Install kernel (currently, the kernel is not ACM specific)
Note: If you already have a proprietary kernel installed, you might want to name the kernel by setting the LOCALVERSION config parameter.

root# make all
root# make modules_install
root# make install


F) CREATE BOOT ENTRY
====================
Mine looks as follows (using xen/kernel that were built/installed above):

title XEN sHype/ACM (2.6.18-1.2849-xen)
        root (hd0,0)
        kernel /xen-3.0.3-rc3.gz
        module /vmlinuz-2.6.18-prep ro root=/dev/hda3 rhgb
        module /initrd-2.6.18-prep.img

Make sure you have the initrd and that you have the proper file prefix for the files. This example assumes that you mount /boot. You might need to build the initrd manually if it does not show up in the /boot directory after the kernel make install:

root #cd /boot
root #mkinitrd initrd-2.6.18-prep.img 2.6.18-prep


G) WHERE DO I GO FROM HERE
==========================
If you boot into sHype/ACM XEN, then you need to label resources and domains. For this, you need a policy. Without it, you can start domain 0 but no other domains. Please refer to the Xen User Guide (currently chapter 10) for further information.

=======================================END
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer@xxxxxxxxxx  
http://www.research.ibm.com/people/s/sailer/
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
<Prev in Thread] Current Thread [Next in Thread>
  • [Xense-devel] Howto enable sHype/ACM security for Xen with FC6 Xen sources and FC6 kernels, Reiner Sailer <=