I have been approached for help in enabling sHype/ACM for Xen on an FC6 system using Fedora sources only. Since sHype/ACM is still disabled by default in Xen, you need to recompile and re-install Xen to enable it. I have attached a short howto, since this procedure might not be straight-forward for the general user. sHype/ACM is part of the core Xen distribution and includes mandatory access control in the Xen hypervisor. sHype controls sharing between user domains (controls which domains can communicate with each other and which domains can access which resources) and enforces anti-collocation rules (controls which domains can run simultaneously on the same platform) with simple formal security policies. Please refer to the Xen user guide section about sHype/ACM for more details and for usage/test examples and current limitations. You do not need to follow this howto if you choose to install the original Xensource.com Xen version and the 2.6.16.29 Xen kernel. In this case, the Xen user guide for sHype/ACM includes all information needed for configuration, installation, and usage examples. Feedback / corrections / improvements are welcome (I am not an FC6 specialist!). Regards Reiner =======================================HOWTO BUILD AND INSTALL SHYPE/ACM XEN FROM FEDORA CORE 6 SOURCES *********************************************************** Foreword: You can use the official Xen source install from Xensource.com and configure ACM (see Xen user guide). However, Xen comes with a 2.6.16.29 kernel by default. If you depend on a FC6 2.6.18 kernel running on Xen and you want the sHype ACM security extension, then the following document describes how to get there from a clean non-virtualized FC6 install. The following step-wise description shows how to get sources, configure them, and install them so that sHype/ACM security is enabled in Xen on FC6 for the latest FC6 kernel. Once you run sHype/ACM Xen, you can refer to the Xen user guide manual chapter (found in: ) 10 to walk through usage examples. A) Get source Xen/Kernel for FC6 (from any FC6 mirror) ====================================================== ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/updates/6/SRPMS download: kernel-2.6.18-1.2849.fc6.src.rpm ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/6/source/SRPMS download: xen-3.0.3-0.1.rc3.src.rpm B) Unpack source rpm ==================== rpm -ihv kernel-2.6.18-1.2849.fc6.src.rpm rpm -ihv xen-3.0.3-0.1.rc3.src.rpm C) Create sources and configure sHype Access Control Module for Xen =================================================================== (this step creates the sources into /usr/src/redhat/BUILD) cd /usr/src/redhat/SPECS rpmbuild -bp xen.spec rpmbuild -bp kernel-2.6.spec D) Build/Install Xen ==================== Note: it appears that most problems in this stage stem from inconsistent PAE settings in Xen and Kernel (must be the same). i) Configure + install security enabled Xen and tools: cd /usr/src/redhat/BUILD/xen-3.0.3-rc3 edit Config.mk and set following variables for PAE/no PAE: i.a) if you DON'T want PAE support (<4GB on x386): XEN_TARGET_X86_PAE ?= n ACM_SECURITY ?= y i.b) if you DO want PAE support: XEN_TARGET_X86_PAE ?= y ACM_SECURITY ?= y ii) Now save Config.mk and exit editor. iii) in the current xen-3.0.3-rc3 directory: root# (cd LibVNCServer-0.8.2; make install) root# make xen tools Note: do not just 'make' because it will take a long time to build the kernel and you are not going to use it (see below) iv) root# make install-xen; make install-tools v) Install wxPython for ez-Security Policy tool root# yum install wxPython Test: /usr/sbin/xensec_ezpolicy should bring up a GUI (close it) E) BUILD/INSTALL FC6 Kernel for Xen =================================== We only use the 2.6.18.i386 kernel from this install. Not xen. i) Configure + install FC6 Kernel for Xen: root# cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i386 root# cp configs/kernel-2.6.18.i686-xen.config .config use 'make menuconfig' or 'make gconfig' to configure the following variables for PAE/no PAE: i.a) if you DON'T want PAE support (<4GB on x386): In submenu: Processor_type_and_features->High_Memory_Support set HIMEM to 4GB i.b) if you DO want PAE support: In submenu: Processor_type_and_features->High_Memory_Support set HIMEM to 64GB ii) Compile + Install kernel (currently, the kernel is not ACM specific) Note: If you already have a proprietary kernel installed, you might want to name the kernel by setting the LOCALVERSION config parameter. root# make all root# make modules_install root# make install F) CREATE BOOT ENTRY ==================== Mine looks as follows (using xen/kernel that were built/installed above): title XEN sHype/ACM (2.6.18-1.2849-xen) root (hd0,0) kernel /xen-3.0.3-rc3.gz module /vmlinuz-2.6.18-prep ro root=/dev/hda3 rhgb module /initrd-2.6.18-prep.img Make sure you have the initrd and that you have the proper file prefix for the files. This example assumes that you mount /boot. You might need to build the initrd manually if it does not show up in the /boot directory after the kernel make install: root #cd /boot root #mkinitrd initrd-2.6.18-prep.img 2.6.18-prep G) WHERE DO I GO FROM HERE ========================== If you boot into sHype/ACM XEN, then you need to label resources and domains. For this, you need a policy. Without it, you can start domain 0 but no other domains. Please refer to the Xen User Guide (currently chapter 10) for further information. =======================================END __________________________________________________________ Reiner Sailer, Research Staff Member, Secure Systems Department IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532 Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sailer@us.ibm.com http://www.research.ibm.com/people/s/sailer/