[Fedora-xen] Howto enable sHype/ACM security for Xen with FC6 Xen sources and FC6 kernels
Reiner Sailer
sailer at us.ibm.com
Mon Nov 27 03:13:58 UTC 2006
I have been approached for help in enabling sHype/ACM for Xen on an FC6
system using Fedora sources only. Since sHype/ACM is still disabled by
default in Xen, you need to recompile and re-install Xen to enable it. I
have attached a short howto, since this procedure might not be
straight-forward for the general user.
sHype/ACM is part of the core Xen distribution and includes mandatory
access control in the Xen hypervisor. sHype controls sharing between user
domains (controls which domains can communicate with each other and which
domains can access which resources) and enforces anti-collocation rules
(controls which domains can run simultaneously on the same platform) with
simple formal security policies. Please refer to the Xen user guide
section about sHype/ACM for more details and for usage/test examples and
current limitations.
You do not need to follow this howto if you choose to install the
original Xensource.com Xen version and the 2.6.16.29 Xen kernel. In this
case, the Xen user guide for sHype/ACM includes all information needed for
configuration, installation, and usage examples.
Feedback / corrections / improvements are welcome (I am not an FC6
specialist!).
Regards
Reiner
=======================================HOWTO
BUILD AND INSTALL SHYPE/ACM XEN FROM FEDORA CORE 6 SOURCES
***********************************************************
Foreword: You can use the official Xen source install from Xensource.com
and configure ACM (see Xen user guide). However, Xen comes with a
2.6.16.29 kernel by default. If you depend on a FC6 2.6.18 kernel running
on Xen and you want the sHype ACM security extension, then the following
document describes how to get there from a clean non-virtualized FC6
install.
The following step-wise description shows how to get sources, configure
them, and install them so that sHype/ACM security is enabled in Xen on FC6
for the latest FC6 kernel.
Once you run sHype/ACM Xen, you can refer to the Xen user guide manual
chapter (found in: ) 10 to walk through usage examples.
A) Get source Xen/Kernel for FC6 (from any FC6 mirror)
======================================================
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/updates/6/SRPMS
download:
kernel-2.6.18-1.2849.fc6.src.rpm
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/6/source/SRPMS
download:
xen-3.0.3-0.1.rc3.src.rpm
B) Unpack source rpm
====================
rpm -ihv kernel-2.6.18-1.2849.fc6.src.rpm
rpm -ihv xen-3.0.3-0.1.rc3.src.rpm
C) Create sources and configure sHype Access Control Module for Xen
===================================================================
(this step creates the sources into /usr/src/redhat/BUILD)
cd /usr/src/redhat/SPECS
rpmbuild -bp xen.spec
rpmbuild -bp kernel-2.6.spec
D) Build/Install Xen
====================
Note: it appears that most problems in this stage stem from inconsistent
PAE settings in Xen and Kernel (must be the same).
i) Configure + install security enabled Xen and tools:
cd /usr/src/redhat/BUILD/xen-3.0.3-rc3
edit Config.mk and set following variables for PAE/no PAE:
i.a) if you DON'T want PAE support (<4GB on x386):
XEN_TARGET_X86_PAE ?= n
ACM_SECURITY ?= y
i.b) if you DO want PAE support:
XEN_TARGET_X86_PAE ?= y
ACM_SECURITY ?= y
ii) Now save Config.mk and exit editor.
iii) in the current xen-3.0.3-rc3 directory:
root# (cd LibVNCServer-0.8.2; make install)
root# make xen tools
Note: do not just 'make' because it will take a long time to build the
kernel and you are not going to use it (see below)
iv)
root# make install-xen; make install-tools
v) Install wxPython for ez-Security Policy tool
root# yum install wxPython
Test: /usr/sbin/xensec_ezpolicy should bring up a GUI (close it)
E) BUILD/INSTALL FC6 Kernel for Xen
===================================
We only use the 2.6.18.i386 kernel from this install. Not xen.
i) Configure + install FC6 Kernel for Xen:
root# cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i386
root# cp configs/kernel-2.6.18.i686-xen.config .config
use 'make menuconfig' or 'make gconfig' to configure the following
variables for PAE/no PAE:
i.a) if you DON'T want PAE support (<4GB on x386):
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 4GB
i.b) if you DO want PAE support:
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 64GB
ii) Compile + Install kernel (currently, the kernel is not ACM specific)
Note: If you already have a proprietary kernel installed, you might want
to name the kernel by setting the LOCALVERSION config parameter.
root# make all
root# make modules_install
root# make install
F) CREATE BOOT ENTRY
====================
Mine looks as follows (using xen/kernel that were built/installed above):
title XEN sHype/ACM (2.6.18-1.2849-xen)
root (hd0,0)
kernel /xen-3.0.3-rc3.gz
module /vmlinuz-2.6.18-prep ro root=/dev/hda3 rhgb
module /initrd-2.6.18-prep.img
Make sure you have the initrd and that you have the proper file prefix for
the files. This example assumes that you mount /boot. You might need to
build the initrd manually if it does not show up in the /boot directory
after the kernel make install:
root #cd /boot
root #mkinitrd initrd-2.6.18-prep.img 2.6.18-prep
G) WHERE DO I GO FROM HERE
==========================
If you boot into sHype/ACM XEN, then you need to label resources and
domains. For this, you need a policy. Without it, you can start domain 0
but no other domains. Please refer to the Xen User Guide (currently
chapter 10) for further information.
=======================================END
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sailer at us.ibm.com
http://www.research.ibm.com/people/s/sailer/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-xen/attachments/20061126/f9d43e85/attachment.htm>
More information about the Fedora-xen
mailing list