[Fedora-xen] Howto enable sHype/ACM security for Xen with FC6 Xen sources and FC6 kernels

Reiner Sailer sailer at us.ibm.com
Mon Nov 27 03:13:58 UTC 2006 

I have been approached for help in enabling sHype/ACM for Xen on an FC6 
system using Fedora sources only.  Since sHype/ACM is still disabled by 
default in Xen, you need to recompile and re-install Xen to enable it. I 
have attached a short howto, since this procedure might not be 
straight-forward for the general user.

sHype/ACM is part of the core Xen distribution and includes mandatory 
access control in the Xen hypervisor. sHype controls sharing between user 
domains (controls which domains can communicate with each other and which 
domains can access which resources) and enforces anti-collocation rules 
(controls which domains can run simultaneously on the same platform) with 
simple formal security policies. Please refer to the Xen user guide 
section about sHype/ACM for more details and for usage/test examples and 
current limitations.

You do not  need to follow this howto if you choose to install the 
original Xensource.com Xen version and the 2.6.16.29 Xen kernel. In this 
case, the Xen user guide for sHype/ACM includes all information needed for 
configuration,  installation, and usage examples.

Feedback / corrections / improvements are welcome (I am not an FC6 
specialist!).

Regards
Reiner

=======================================HOWTO

BUILD AND INSTALL SHYPE/ACM XEN FROM FEDORA CORE 6 SOURCES
***********************************************************

Foreword: You can use the official Xen source install from Xensource.com 
and configure ACM (see Xen user guide). However, Xen comes with a 
2.6.16.29 kernel by default. If you depend on a FC6 2.6.18 kernel running 
on Xen and you want the sHype ACM security extension, then the following 
document describes how to get there from a clean non-virtualized FC6 
install.

The following step-wise description shows how to get sources, configure 
them, and install them so that sHype/ACM security is enabled in Xen on FC6 
for the latest FC6 kernel.

Once you run sHype/ACM Xen, you can refer to the Xen user guide manual 
chapter (found in: ) 10 to walk through usage examples.


A) Get source Xen/Kernel for FC6 (from any FC6 mirror)
======================================================
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/updates/6/SRPMS
download:
kernel-2.6.18-1.2849.fc6.src.rpm
ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/6/source/SRPMS
download:
xen-3.0.3-0.1.rc3.src.rpm


B) Unpack source rpm
====================
rpm -ihv kernel-2.6.18-1.2849.fc6.src.rpm
rpm -ihv xen-3.0.3-0.1.rc3.src.rpm


C) Create sources and configure sHype Access Control Module for Xen
===================================================================
(this step creates the sources into /usr/src/redhat/BUILD)
cd /usr/src/redhat/SPECS
rpmbuild -bp xen.spec
rpmbuild -bp kernel-2.6.spec


D) Build/Install Xen
====================
Note: it appears that most problems in this stage stem from inconsistent 
PAE settings in Xen and Kernel (must be the same).

i) Configure + install security enabled Xen and tools: 
cd /usr/src/redhat/BUILD/xen-3.0.3-rc3
edit Config.mk and set following variables for PAE/no PAE:

i.a) if you DON'T want PAE support (<4GB on x386):
XEN_TARGET_X86_PAE  ?= n
ACM_SECURITY ?= y

i.b) if you DO want PAE support:
XEN_TARGET_X86_PAE  ?= y
ACM_SECURITY ?= y

ii) Now save Config.mk and exit editor.

iii) in the current xen-3.0.3-rc3 directory:
root# (cd LibVNCServer-0.8.2; make install)
root# make xen tools

Note: do not just 'make' because it will take a long time to build the 
kernel and you are not going to use it (see below)

iv) 
root# make install-xen; make install-tools

v) Install wxPython for ez-Security Policy tool
root# yum install wxPython

Test: /usr/sbin/xensec_ezpolicy should bring up a GUI (close it)


E) BUILD/INSTALL FC6 Kernel for Xen
===================================
We only use the 2.6.18.i386 kernel from this install. Not xen.

i) Configure + install FC6 Kernel for Xen: 
root# cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i386
root# cp configs/kernel-2.6.18.i686-xen.config .config

use 'make menuconfig' or 'make gconfig' to configure the following 
variables for PAE/no PAE:

i.a) if you DON'T want PAE support (<4GB on x386):
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 4GB

i.b) if you DO want PAE support:
In submenu: Processor_type_and_features->High_Memory_Support
set HIMEM to 64GB

ii) Compile + Install kernel (currently, the kernel is not ACM specific)
Note: If you already have a proprietary kernel installed, you might want 
to name the kernel by setting the LOCALVERSION config parameter.

root# make all
root# make modules_install
root# make install


F) CREATE BOOT ENTRY
====================
Mine looks as follows (using xen/kernel that were built/installed above):

title XEN sHype/ACM (2.6.18-1.2849-xen)
        root (hd0,0)
        kernel /xen-3.0.3-rc3.gz
        module /vmlinuz-2.6.18-prep ro root=/dev/hda3 rhgb
        module /initrd-2.6.18-prep.img

Make sure you have the initrd and that you have the proper file prefix for 
the files. This example assumes that you mount /boot. You might need to 
build the initrd manually if it does not show up in the /boot directory 
after the kernel make install:

root #cd /boot
root #mkinitrd initrd-2.6.18-prep.img 2.6.18-prep


G) WHERE DO I GO FROM HERE
==========================
If you boot into sHype/ACM XEN, then you need to label resources and 
domains. For this, you need a policy. Without it, you can start domain 0 
but no other domains. Please refer to the Xen User Guide (currently 
chapter 10) for further information.

=======================================END
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer at us.ibm.com 
http://www.research.ibm.com/people/s/sailer/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-xen/attachments/20061126/f9d43e85/attachment.htm>

More information about the Fedora-xen mailing list