On 29.05.2020 12:07, Andrew Cooper wrote:
> On 29/05/2020 10:34, Jan Beulich wrote:
>> While the behavior to ignore this option without FLASK support was
>> properly documented, it is still somewhat surprising to someone using
>> this option and then still _not_ getting the assumed security. Add a
Hi Jan,
On 29/05/2020 08:35, Jan Beulich wrote:
On 28.05.2020 20:54, Julien Grall wrote:
On 28/05/2020 16:25, Bertrand Marquis wrote:
At the moment on Arm, a Linux guest running with KTPI enabled will
cause the following error when a context switch happens in user mode:
(XEN) p2m.c:1890:
XSM is enabled by adding "flask=enforcing" as a Xen command line
argument, and providing the policy file as a grub module.
We make entries for both with and without XSM. If XSM is not compiled
into Xen, then there are no policy files, so no change to the boot
options.
Signed-off-by: Ian Jackson
In buster, it appears that specifying locale on the command line is
not sufficient. Rather than adding more things to the command line,
instead, just say `priority=critical', by defaulting $debconf_priority
to 'critical'.
I think this change should be fine for earlier suites too.
Signed-off-by:
multiboot[2] isn't supported.
Also link to the bug report.
CC: Julien Grall
CC: Stefano Stabellini
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 3fc9e555..9f1ce1df 100644
---
Refactor this out of ts-xen-install. We are going to run it in
ts-host-install.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 7 ++-
ts-xen-install| 3 +--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index d51ac493..60393ca9
This makes it effect builds on Debian, too.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 1 +
ts-host-install | 2 ++
ts-xen-install| 2 --
3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 60393ca9..2d30b3e9 100644
---
This bug affects us. Cherry pick the changes to the relevant file
from the commit in the upstream debian-installer repo:
https://salsa.debian.org/installer-team/rootskel/commit/0ee43d05b83f8ef5a856f3282e002a111809cef9
Signed-off-by: Ian Jackson
---
overlay-initrd-buster/sbin/reopen-console
This prevents us from passing an XSM policy file, and
`flask=enforcing', in supposedly-non-XSM tests.
These bootloader entries can appear because the Xen upstream build
ships XSM policy files by default even if XSM is disabled in the
hypervisor, causing update-grub to generate useless `XSM
This works like LinuxSerialConsole.
I originally wrote this to try to work around #940028, where multiple
d-i autoinstalls run in parallel leading to hard-to-debug lossage!
Explicitly specing the console causes it to run only on that one.
However, it turns out that explicitly specifying the
This lets us patch the installer more easily.
No uses yet.
Signed-off-by: Ian Jackson
---
mg-debian-installer-update | 20
1 file changed, 20 insertions(+)
diff --git a/mg-debian-installer-update b/mg-debian-installer-update
index f1e682f9..fb4fe2ab 100755
---
buster cannot boot in so little because its initramfs and kernel are
too large. Bump it to 2G.
However, our armhf test nodes have very little RAM. And the Debian
armhf does fit in them as a guest still, so use a smaller value there.
Keying this off the architecture rather than the available
When the Debian guest is not made with d-i, we must still provide this
random seed file. This can be done in ts-debian-fixup.
Signed-off-by: Ian Jackson
---
ts-debian-fixup | 6 ++
1 file changed, 6 insertions(+)
diff --git a/ts-debian-fixup b/ts-debian-fixup
index fef9836e..dfeb4d39
Signed-off-by: Ian Jackson
---
overlay-buster/etc/grub.d/20_linux_xen | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/overlay-buster/etc/grub.d/20_linux_xen
b/overlay-buster/etc/grub.d/20_linux_xen
index 4d3294a2..6f2a98ba 100755
--- a/overlay-buster/etc/grub.d/20_linux_xen
As reported here:
https://patchew.org/QEMU/20200513120147.21443-1-f4...@amsat.org/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960271
the kernel has broken the build of upstream qemu. This made it
into a Debian stable kernel update. This breaks our CI runs almost
completely, when they
These parsing regexps were all wrong!
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 2d30b3e9..a20569e5 100644
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -529,17
This marginally reduces command line clobber. This alias has been
supported approximately forever. (And this code is currently only
used when DebconfPriority is set, which it generally isn't.)
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 2 +-
1 file changed, 1 insertion(+), 1
src:grub2 is RFH in Debian, which is a contributory factor to these
patches in #789798 and #792547 languishing.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 7b311a14..9b4ef967
Signed-off-by: Ian Jackson
---
Osstest.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Osstest.pm b/Osstest.pm
index 1e381d8f..6395 100644
--- a/Osstest.pm
+++ b/Osstest.pm
@@ -87,7 +87,7 @@ our %c = qw(
Images images
-DebianSuite stretch
+DebianSuite
Otherwise we get this question:
| You may use the whole volume group for guided partitioning, or part
| of it. [...]
| Amount of volume group to use for guided partitioning:
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 1 +
1 file changed, 1 insertion(+)
diff --git
CC: Julien Grall
CC: Stefano Stabellini
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 71167351..3fc9e555 100644
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -1064,7 +1064,7
Really we should fix this by making a .deb in Debian that we could
install. But this is a longer-term project.
Signed-off-by: Ian Jackson
---
ts-host-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ts-host-install b/ts-host-install
index 7a72a867..fe26f70f 100755
So,
I felt like providing some additional thoughts about this series, from
a release point of view (adding Paul).
Timing is *beyond tight* so if this series, entirely or partly, has any
chance to go in, it would be through some form of exception, which of
course comes with some risks, etc.
I
On 25/05/2020 15:26, Jan Beulich wrote:
> First of all explain in comments what the functions' purposes are. Then
> make them actually match their comments.
>
> Note that fc6fa977be54 ("x86emul: extend x86_insn_is_mem_write()
> coverage") didn't actually fix the function's behavior for
flight 150472 xen-unstable-smoke real [real]
http://logs.test-lab.xenproject.org/osstest/logs/150472/
Regressions :-(
Tests which did not succeed and are blocking,
including tests which could not be run:
build-arm64-xsm 6 xen-buildfail REGR. vs. 150438
build-amd64
On 25/05/2020 15:26, Jan Beulich wrote:
> Unlike similarly encoded insns these don't write their memory operands,
"write to their".
> and hence x86_is_mem_write() should return false for them. However,
> rather than adding special logic there, rework how their emulation gets
> done, by making
On Fri, 2020-05-29 at 08:13 +, Bertrand Marquis wrote:
> Hi Julien,
>
> > On 28 May 2020, at 19:54, Julien Grall wrote:
> >
> > Hi Bertrand,
> >
> > Thank you for the patch.
> >
> > On 28/05/2020 16:25, Bertrand Marquis wrote:
> > > At the moment on Arm, a Linux guest running with KTPI
On 28.05.2020 16:55, Dario Faggioli wrote:
> On Wed, 2020-05-27 at 08:17 +0200, Jan Beulich wrote:
>> On 27.05.2020 00:00, Dario Faggioli wrote:
>>> Just in case, is there a
>>> way to identify them easily, like with a mask or something, in the
>>> code
>>> already?
>>
>> cpu_sibling_mask still
On Fri, 2020-05-29 at 11:58 +0200, Jan Beulich wrote:
> On 28.05.2020 16:55, Dario Faggioli wrote:
> >
> > Which means I will be treating HTs and CUs the same which, thinking
> > more about it (and thinking actually to CUs, rather than to any
> > cache
> > sharing relationship), does make sense
Andrew Cooper writes ("Re: [PATCH] xsm: also panic upon "flask=enforcing" when
XSM_FLASK=n"):
> On 29/05/2020 10:34, Jan Beulich wrote:
> > While the behavior to ignore this option without FLASK support was
> > properly documented, it is still somewhat surprising to someone using
> > this option
George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
> > On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
> > 3. Failing that, Xen should provide some other mechanism which would
> > enable something like update-grub to determine whether a particular
> > hypervisor can sensibly
Modern versions of update-grub like to add this. We need to spot this
so that under EFI we generate the right things in xen.cfg.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index
This reuses all of the stuff that update-grub, etc., have put there.
In particular without this we never have flask=enforcing!
We have to do something about the ${xen_rm_opts} that appear in these
entries. In principle there might be many variable expansions, but in
practice there is only this
This installs a pam rule which causes logins to hang. It also seems
to cause some kind of udev wedge.
We are using sysvinit so this package is not desirable. Empirically,
removing it makes the system work.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 1 +
1 file changed, 1 insertion(+)
> -Original Message-
> From: Xen-devel On Behalf Of Juergen
> Gross
> Sent: 29 May 2020 12:37
> To: xen-devel@lists.xenproject.org
> Cc: Juergen Gross ; Stefano Stabellini
> ; Julien Grall
> ; Wei Liu ; Andrew Cooper
> ; Ian Jackson
> ; George Dunlap ; Jan
> Beulich
> Subject: [PATCH
flight 150444 xen-unstable real [real]
http://logs.test-lab.xenproject.org/osstest/logs/150444/
Failures :-/ but no regressions.
Tests which did not succeed, but are not blocking:
test-amd64-amd64-xl-rtds 18 guest-localmigrate/x10 fail blocked in 150414
test-armhf-armhf-libvirt 14
On 29.05.2020 11:18, Bertrand Marquis wrote:
> Hi Jan,
>
>> On 29 May 2020, at 09:45, Jan Beulich wrote:
>>
>> On 29.05.2020 10:13, Bertrand Marquis wrote:
On 28 May 2020, at 19:54, Julien Grall wrote:
AFAICT, there is no restriction on when the runstate hypercall can be
called.
Roman Kagan writes:
> Several block device properties related to blocksize configuration must
> be in certain relationship WRT each other: physical block must be no
> smaller than logical block; min_io_size, opt_io_size, and
> discard_granularity must be a multiple of a logical block.
>
> To
On 29.05.2020 11:19, Jürgen Groß wrote:
> On 29.05.20 10:34, Jan Beulich wrote:
>> On 19.05.2020 09:21, Juergen Gross wrote:
>>> @@ -373,6 +374,52 @@ void __init do_initcalls(void)
>>> (*call)();
>>> }
>>>
>>> +#ifdef CONFIG_HYPFS
>>> +static unsigned int __read_mostly
On Thu, 2020-05-21 at 09:43 +0200, Dario Faggioli wrote:
> On Thu, 2020-04-30 at 20:27 +0200, Dario Faggioli wrote:
> > Hello,
> >
> > This short series contains some improvements for building Xen in
> > openSUSE containers. In fact, the build dependencies inside the
> > Tumbleweed container are
Both SHDEPS_libxendevicemodel and SHDEPS_libxenhypfs have a bug by
adding $(SHLIB_xencall) instead of $(SHLIB_libxencall).
The former seems not to have any negative impact, probably because
it is not used anywhere in Xen without the correct $(SHLIB_libxencall)
being used, too.
Fixes:
Ian Jackson writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
> > > On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
> > > 3. Failing that, Xen should provide some other mechanism which would
> > > enable something
Hi,
On 29/05/2020 10:18, Bertrand Marquis wrote:
On 29 May 2020, at 09:45, Jan Beulich wrote:
On 29.05.2020 10:13, Bertrand Marquis wrote:
On 28 May 2020, at 19:54, Julien Grall wrote:
AFAICT, there is no restriction on when the runstate hypercall can be called.
So this can even be called
> On May 29, 2020, at 11:39 AM, Ian Jackson wrote:
>
> Andrew Cooper writes ("Re: [PATCH] xsm: also panic upon "flask=enforcing"
> when XSM_FLASK=n"):
>> On 29/05/2020 10:34, Jan Beulich wrote:
>>> While the behavior to ignore this option without FLASK support was
>>> properly documented, it
From: Wei Liu
We will soon need to handle dynamically mapping / unmapping page
tables in the said function. Since dynamic mappings may map and unmap
pl3e in different iterations, lift pl3e out of the loop.
No functional change.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed
From: Wei Liu
After inspection ARM doesn't have alloc_xen_pagetable so this function
is x86 only, which means it is safe for us to change.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- hoist l3 variables out of the loop to avoid repetitive mappings.
---
From: Hongyan Xia
This series rewrites all the remaining functions and finally makes the
switch from xenheap to domheap for Xen page tables, so that they no
longer need to rely on the direct map, which is a big step towards
removing the direct map.
This series depends on the following
From: Wei Liu
Map and unmap pages instead of relying on the direct map.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- use the new alloc_map_clear_xen_pt() helper.
- move the unmap of pl3t up a bit.
- remove the unmaps in the nomem path.
---
xen/arch/x86/x86_64/mm.c
From: Wei Liu
We will soon rewrite the function to handle dynamically mapping and
unmapping of page tables. Since dynamic mappings may map and unmap pages
in different iterations of the while loop, we need to lift pl3e out of
the loop.
No functional change.
Signed-off-by: Wei Liu
From: Wei Liu
Avoid repetitive mapping of l2_ro_mpt by keeping it across loops, and
only unmap and map it when crossing 1G boundaries.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- avoid repetitive mapping of l2_ro_mpt.
- edit commit message.
- switch to
From: Wei Liu
We will soon map and unmap pages in paging_init(). Introduce pl2e so
that we can use l2_ro_mpt to point to the page table itself.
No functional change.
Signed-off-by: Wei Liu
---
Changed in v7:
- reword commit message.
---
xen/arch/x86/x86_64/mm.c | 16 +---
1 file
From: Wei Liu
Rewrite those functions to use the new APIs. Modify its callers to unmap
the pointer returned. Since alloc_xen_pagetable_new() is almost never
useful unless accompanied by page clearing and a mapping, introduce a
helper alloc_map_clear_xen_pt() for this sequence.
Note that the
From: Wei Liu
Page tables allocated in that function should be mapped and unmapped
now.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
xen/arch/x86/mm.c | 60 ---
1 file changed, 36 insertions(+), 24 deletions(-)
diff --git
For reasons I don't propose to investigate, on buster udevd shows up
like this:
2019-11-26 18:13:48 Z LEAKED [process 2633 /lib/systemd/systemd-udevd]
process: root 2633 1555 0 18:10 ?00:00:00
/lib/systemd/systemd-udevd
This does not match our suppression. Add an additional
In buster, d-i wants when setting up the network, ie before the
preseed is loaded.
We leave it in the preseed too because why not.
I think this change should be fine for older versions of Debian.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 3 ++-
1 file changed, 2 insertions(+), 1
systemd does not regard the contents of the random seed file as useful
for the purposes of placating the kernel's entropy tracker. As a
result, the system hangs at boot waiting for entropy.
Fix this by providing a small program which can be used to load a seed
file into /dev/random and also call
Because systemd did something obnoxious, the kernel retaliated in the
game of Core Wars by hiding all arguments before `--' from userspace.
So use `---' instead so that all the arguments remain visible.
This in some sense now applies to host installs a change we had
already made to Debian HVM
The documentation seems to think this is the default but empirically
it isn't. In our environment --yes is fine.
I have reported this to Debian as #953183. Also vaguely related (and
discovered by me at the same time) is #953185.
This came up while trying to get things work on buster. I don't
osstest uses this for transferring configuration, build artefacts, and
so on.
In Debian stretch and earlier, rsync happened to be pulled in by
something else.
Signed-off-by: Ian Jackson
---
ts-xen-build-prep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ts-xen-build-prep
Empirically some of these operations can take longer than 30s,
especially with a cold cache.
Note that because of host sharing and our on-host apt lock, the
timeout needs to be the same for every apt operation: a fast operation
could be blocked behind a slow one.
Signed-off-by: Ian Jackson
---
Hey,
Below you can find my rough idea of the bootloader log format which is
generic thing but initially will be used for TrenchBoot work. I discussed
this proposal with Ross and Daniel S. So, the idea went through initial
sanitization. Now I would like to take feedback from other folks too.
So,
From: Wei Liu
We will soon need to clean up page table mappings in the exit path.
No functional change.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- edit commit message.
- begin with rc = 0 and set it to -ENOMEM ahead of if().
---
xen/arch/x86/smpboot.c | 16
Hi Bertrand,
On 29/05/2020 09:13, Bertrand Marquis wrote:
Hi Julien,
On 28 May 2020, at 19:54, Julien Grall wrote:
Hi Bertrand,
Thank you for the patch.
On 28/05/2020 16:25, Bertrand Marquis wrote:
At the moment on Arm, a Linux guest running with KTPI enabled will
cause the following
> On May 29, 2020, at 9:52 AM, Jan Beulich wrote:
>
> On 27.05.2020 18:08, George Dunlap wrote:
>>> On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
>>> 2. Xen should disable the XSM policy build when FLASK is disabled.
>>> This is unfortunately not so simple because the XSM policy build is a
On 29.05.20 11:53, Jan Beulich wrote:
On 29.05.2020 11:19, Jürgen Groß wrote:
On 29.05.20 10:34, Jan Beulich wrote:
On 19.05.2020 09:21, Juergen Gross wrote:
@@ -373,6 +374,52 @@ void __init do_initcalls(void)
(*call)();
}
+#ifdef CONFIG_HYPFS
+static unsigned int
On Fri, May 29, 2020 at 11:53:26AM +0200, Markus Armbruster wrote:
> Roman Kagan writes:
>
> > Several block device properties related to blocksize configuration must
> > be in certain relationship WRT each other: physical block must be no
> > smaller than logical block; min_io_size,
On 29.05.2020 12:50, Ian Jackson wrote:
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>> On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
>>> 3. Failing that, Xen should provide some other mechanism which would
>>> enable something like update-grub to determine whether
From: Wei Liu
Page tables allocated in that function should be mapped and unmapped
now.
Note that pl2e now may be mapped and unmapped in different iterations, so
we need to add clean-ups for that.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- use normal unmap in the
> On May 29, 2020, at 12:02 PM, Jan Beulich wrote:
>
> On 29.05.2020 12:50, Ian Jackson wrote:
>> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
3. Failing that, Xen should provide some other mechanism which
From: Wei Liu
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- change patch title
- remove initialiser of pl3e.
- combine the initialisation of pl3e into a single assignment.
- use the new alloc_map_clear() helper.
- use the normal map_domain_page() in the error path.
From: Hongyan Xia
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
xen/arch/x86/mm.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 38cfa3ce25..16f1aa3344 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@
From: Hongyan Xia
Two sets of old APIs, alloc/free_xen_pagetable() and lXe_to_lYe(), are
now dropped to avoid the dependency on direct map.
There are two special cases which still have not been re-written into
the new APIs, thus need special treatment:
rpt in smpboot.c cannot use ephemeral
From: Wei Liu
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
---
Changed in v7:
- add blank line after declaration.
- rename efi_l4_pgtable into efi_l4t.
- pass the mapped efi_l4t to copy_mapping() instead of map it again.
- use the alloc_map_clear_xen_pt() API.
- unmap pl3e, pl2e, l1t
> -Original Message-
> From: Ian Jackson
> Sent: 29 May 2020 12:19
> To: xen-devel@lists.xenproject.org; Paul Durrant
> Cc: Ian Jackson ; committ...@xenproject.org
> Subject: [OSSTEST PATCH v2 00/49] Switch to Debian buster (= Debian stable)
>
> This series looks about as ready as it is
From: Wei Liu
No functional change.
Signed-off-by: Wei Liu
Signed-off-by: Hongyan Xia
Acked-by: Jan Beulich
---
xen/arch/x86/mm.c| 44
xen/arch/x86/smpboot.c | 6 +++---
xen/arch/x86/x86_64/mm.c | 2 +-
xen/include/asm-x86/mm.h | 4 ++--
Update connection record details:
- make flags common for sockets and domains (makes it easier to have a
C union for conn-spec)
- add pending incoming data (needed for handling partially read
requests when doing live update)
- add partial response length (needed for proper split to individual
On 28.05.2020 20:10, Andrew Cooper wrote:
> On 28/05/2020 11:25, Jan Beulich wrote:
>> On 27.05.2020 21:18, Andrew Cooper wrote:
>>> --- a/xen/arch/x86/Kconfig
>>> +++ b/xen/arch/x86/Kconfig
>>> @@ -34,6 +34,10 @@ config ARCH_DEFCONFIG
>>> config INDIRECT_THUNK
>>> def_bool
flight 150465 xen-unstable-smoke real [real]
http://logs.test-lab.xenproject.org/osstest/logs/150465/
Regressions :-(
Tests which did not succeed and are blocking,
including tests which could not be run:
build-arm64-xsm 6 xen-buildfail REGR. vs. 150438
build-amd64
While the behavior to ignore this option without FLASK support was
properly documented, it is still somewhat surprising to someone using
this option and then still _not_ getting the assumed security. Add a
2nd handler for the command line option for the XSM_FLASK=n case, and
invoke panic() when
On 29.05.2020 11:55, George Dunlap wrote:
>
>
>> On May 29, 2020, at 9:52 AM, Jan Beulich wrote:
>>
>> On 27.05.2020 18:08, George Dunlap wrote:
On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
2. Xen should disable the XSM policy build when FLASK is disabled.
This is
On 29/05/2020 10:34, Jan Beulich wrote:
> While the behavior to ignore this option without FLASK support was
> properly documented, it is still somewhat surprising to someone using
> this option and then still _not_ getting the assumed security. Add a
> 2nd handler for the command line option for
> On May 29, 2020, at 11:50 AM, Ian Jackson wrote:
>
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>> On May 27, 2020, at 4:41 PM, Ian Jackson wrote:
>>> 3. Failing that, Xen should provide some other mechanism which would
>>> enable something like update-grub to
flight 150469 xen-unstable-smoke real [real]
http://logs.test-lab.xenproject.org/osstest/logs/150469/
Regressions :-(
Tests which did not succeed and are blocking,
including tests which could not be run:
build-arm64-xsm 6 xen-buildfail REGR. vs. 150438
build-amd64
This seems mostly to affect buster but it could in principle affect
earlier releases too I think.
In principle it would be nice to fix this bug, and to have a proper
test for it, but a reliable test is hard and an unreliable one is not
useful. So I guess we are going to have this workaround
We really only used this to check how many levels deep in { we are.
That can be done by checking $#offsets, which is >0 if we are in a
submenu and not otherwise. We lose the ability to report the start
line of the submenu, but that's OK.
But as a bonus, we no longer bomb out on nested submenus:
This series looks about as ready as it is going to be. Unfortunately
there are still two issues, each of which cropped up once in my final
formal retest. See below.
What are people's opinions? Should I push this to osstest pretest
soon after the Xen codefreeze (eg, after we get the first push
This file is a template that various build-time variables get
substituted into. Make those substitutions by hand (actually, by
copying the values our file for stretch). And rename the file.
So now we are using our file instead of the grub package's. But it is
the same...
Signed-off-by: Ian
This is a complex interaction between update-grub and the Xen build
system on ARM64. Not sure exactly who to blame but since we have our
own 20_linux_xen bodge, let's wait until we don't.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 12 +++-
1 file changed, 11 insertions(+), 1
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index a20569e5..615047cb 100644
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -562,7 +562,7 @@ sub setupboot_grub2 () {
This is from 41e42571ebc50fa351cd63ce40044946652c5c72 in Debian's grub
package.
We are going to want to modify this to support XSM/FLASK and cope with
upstream build outputs.
In this commit we dump the exact file contents across. It's not
effective right now because of the ".in" extension. In
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 38 ++
ts-xen-install| 36
2 files changed, 38 insertions(+), 36 deletions(-)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 49d94b9b..d51ac493 100644
---
Debian #778564 remains open.
Signed-off-by: Ian Jackson
---
ts-host-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ts-host-install b/ts-host-install
index fe26f70f..253dbb5d 100755
--- a/ts-host-install
+++ b/ts-host-install
@@ -152,7 +152,7 @@ END
my
We need various fixes that are not in buster, sadly.
Signed-off-by: Ian Jackson
---
production-config | 1 +
1 file changed, 1 insertion(+)
diff --git a/production-config b/production-config
index f0ddc132..e3870d47 100644
--- a/production-config
+++ b/production-config
@@ -107,6 +107,7 @@
We are going to patch this file to work around a bug, using the new
overlay mechanism.
The first step is to include the file in our overlay so we overwrite
it. Currently, this is a no-op, so no functional change.
Signed-off-by: Ian Jackson
---
overlay-initrd-buster/sbin/reopen-console | 94
Signed-off-by: Ian Jackson
---
production-config | 3 +++
1 file changed, 3 insertions(+)
diff --git a/production-config b/production-config
index 103b8915..f0ddc132 100644
--- a/production-config
+++ b/production-config
@@ -98,6 +98,9 @@ DebianSnapshotBackports_jessie
This lets us specify the whole filename, not just a version.
This is needed because for buster we are going to use
debian-10.2.0-ARCH-xfce-CD-1.iso
Signed-off-by: Ian Jackson
---
mfi-common | 9 +
1 file changed, 9 insertions(+)
diff --git a/mfi-common b/mfi-common
index
This is going to move to Debian.pm.
Signed-off-by: Ian Jackson
---
ts-xen-install | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ts-xen-install b/ts-xen-install
index 08b4ea23..6196a890 100755
--- a/ts-xen-install
+++ b/ts-xen-install
@@ -71,8 +71,8 @@ sub packages
Signed-off-by: Ian Jackson
---
production-config | 1 +
1 file changed, 1 insertion(+)
diff --git a/production-config b/production-config
index e3870d47..6372ac9a 100644
--- a/production-config
+++ b/production-config
@@ -91,6 +91,7 @@ TftpNetbootGroup osstest
TftpDiVersion_wheezy 2016-06-08
Nothing uses this yet.
Signed-off-by: Ian Jackson
---
Osstest/Debian.pm | 5 +
1 file changed, 5 insertions(+)
diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index 9f1ce1df..0386ff7a 100644
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -448,6 +448,11 @@ sub setupboot_grub2 ()
Signed-off-by: Ian Jackson
---
make-hosts-flight | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make-hosts-flight b/make-hosts-flight
index 92da1c7c..e2c3776a 100755
--- a/make-hosts-flight
+++ b/make-hosts-flight
@@ -26,7 +26,7 @@ blessing=$4
buildflight=$5
: