[PULL 0/1] xmon: cross build support
by Michael S. Tsirkin
The following changes since commit e8fda64dfbce67626d77b10af8c23503486807de:
removed readme.txt (2015-08-07 10:23:36 -0700)
are available in the git repository at:
git://github.com/mstsirkin/ikgt-core HEAD
for you to fetch changes up to 30143890854793e1178329fdc5bb7e4b0522de57:
xmon: support cross-build (2015-09-15 21:55:09 +0300)
Reposting as pull request, at the request of Vipat Harshawardhan.
----------------------------------------------------------------
Michael S. Tsirkin (1):
xmon: support cross-build
Makefile | 7 +++----
core/Makefile | 4 ++++
2 files changed, 7 insertions(+), 4 deletions(-)
5 years, 6 months
[PULL 0/3] integrity: misc fixes
by Michael S. Tsirkin
Resending as pull request at the request of Vipat Harshawardhan.
The following changes since commit 500ba9cce9a47abea207ad57fc4f0c0ea735a987:
Release 1.1 (2015-08-07 10:13:37 -0700)
are available in the git repository at:
git://github.com/mstsirkin/ikgt-usage HEAD
for you to fetch changes up to 57f4ce25accaae128c34a7baba17389f675f0954:
integrity: use standard configfs path (2015-09-24 16:55:44 +0300)
----------------------------------------------------------------
Michael S. Tsirkin (3):
integrity: fix reproducible builds
integrity: support cross-build
integrity: use standard configfs path
policy/policy.json | 2 +-
driver/main.c | 2 +-
handler/Makefile | 8 ++++----
policy/parse_policy.py | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
5 years, 6 months
[PULL 0/1] manifest: fix configfs path
by Michael S. Tsirkin
Reposting as a pull request, at the request of Vipat Harshawardhan.
The following changes since commit 3faf877bfc56b2916a1992248d620c354c9eb80a:
Updated version for release 1.1 (2015-08-07 10:40:59 -0700)
are available in the git repository at:
git://github.com/mstsirkin/ikgt-manifest.git HEAD
for you to fetch changes up to 0934957d9f4085d64589ac9b658f1406fe0ac21e:
manifest: use standard configfs path (2015-09-17 23:50:08 +0300)
----------------------------------------------------------------
Michael S. Tsirkin (1):
manifest: use standard configfs path
readme.txt | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
5 years, 6 months
Re: [iKGT] ?ikgt?debug mode
by 宋元
Dear iKGT Designer:
I’m writing to debug ikgt when ikgt executes in vmx-root ring 0 (ring -1) below the kernel.
I've tried to debug ikgt following the steps in the topic "ikgt debug mode". But there are only Linux kernel messages (ring 0), not the messages in ring -1 (below the kernel).
Is it my mistake in debugging? Or is there another way to debug?
I am looking forward to your kind reply. Thanks!
Steven Song
Renmin University of China
5 years, 6 months
Question regarding memory handling
by sainath grandhi
Hello,
I recently came across this project on GitHub and 01.org. I have a
question regarding how memory protection is enabled for, for example, kernel code
pages. I have the following questions.
1. What are the initial access permissions for the guest pages?
2. I could not see how a policy like config/ikgt/memory/kernel-code/enable
is processed by the handler and enabled for EPT violation upon writing to it.
Thanks
Sai
5 years, 7 months
[PATCH] integrity: fix reproducible builds
by Michael S. Tsirkin
On Fedora 22, build fails:
integrity/driver/main.c:121:68: error: macro "__DATE__" might prevent
reproducible builds [-Werror=date-time]
PRINTK_INFO("%s: Built on %s @ %s\n", __func__, __DATE__, __TIME__);
That's with:
gcc (GCC) 5.1.1 20150618 (Red Hat 5.1.1-4)
Reproducible builds are nice to have, and there's not a lot of
value in having the build date and time in the log.
Let's just drop them.
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
---
driver/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/driver/main.c b/driver/main.c
index 0dce07f..1035794 100755
--- a/driver/main.c
+++ b/driver/main.c
@@ -118,7 +118,7 @@ static void uninit_shared_regions(void)
static int __init init_agent(void)
{
- PRINTK_INFO("%s: Built on %s @ %s\n", __func__, __DATE__, __TIME__);
+ PRINTK_INFO("%s\n", __func__);
if (!init_shared_regions()) {
PRINTK_ERROR("init_shared_regions failed\n");
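Review bot: In init_agent() the replacement PRINTK_INFO("%s\n", __func__) prints only the function name, so the load message no longer tells anyone reading the log which build of the agent is running. If that identification is still wanted, print a fixed version string defined in the source, which stays reproducible; if it is not, the line carries little information and could be dropped altogether.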
--
MST
5 years, 7 months
[PATCH] integrity: use standard configfs path
by Michael S. Tsirkin
Modern distros all install configfs under /sys/kernel/config.
It is thus a better default.
Note: manifest readme.txt suggests /config which is neither standard nor
consistent with example usage.
Will be fixed in a separate patch.
Change-Id: Ia3fec38364cad2eb4a818bfe776ea4da737ef581
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
---
policy/policy.json | 2 +-
policy/parse_policy.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/policy.json b/policy/policy.json
index 28532ad..23be1ce 100755
--- a/policy/policy.json
+++ b/policy/policy.json
@@ -26,6 +26,6 @@
}
},
"log": {
- "log.txt": "/configfs/ikgt_agent/log/log.txt"
+ "log.txt": "/sys/kernel/config/ikgt_agent/log/log.txt"
}
}
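Review bot: The "log.txt" value in policy.json still hardcodes the configfs mount point as an absolute path, while parse_policy.py already receives the location through the required -b/--base_dir argument. The two can disagree on a system that mounts configfs elsewhere, so the policy file has to be edited by hand there. Consider making this entry relative to base_dir, or documenting next to it that it must match the -b value.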
diff --git a/policy/parse_policy.py b/policy/parse_policy.py
index 2a6886d..1bfd98e 100755
--- a/policy/parse_policy.py
+++ b/policy/parse_policy.py
@@ -75,7 +75,7 @@ def parse_and_remove_dir_structure(policy_data):
def parse_policy():
parser = argparse.ArgumentParser()
parser.add_argument("-f", "--policy_file", help="JSON file defining evmm hardening policy", required=True)
- parser.add_argument("-b", "--base_dir", help="Base directory to start from (eg. /configfs)", required=True)
+ parser.add_argument("-b", "--base_dir", help="Base directory to start from (eg. /sys/kernel/config)", required=True)
parser.add_argument("-r", "--remove_dir", action="store_true", help="Remove directory structure in policy file")
args = parser.parse_args()
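Review bot: The new help text for -b gives "/sys/kernel/config" as the example, but the readme invocation on this list passes "-b /sys/kernel/config/ikgt_agent", so the example points one level too high. Since --base_dir is required=True there is no default being changed here, only the hint; it should show the directory users actually pass, and "eg." would read better as "e.g.".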
--
MST
5 years, 7 months
[PATCH] manifest: use standard configfs path
by Michael S. Tsirkin
Modern distros all install configfs under /sys/kernel/config.
It is thus a better default.
Update readme.txt accordingly.
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
---
readme.txt | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/readme.txt b/readme.txt
index f0559ac..9ae6b49 100644
--- a/readme.txt
+++ b/readme.txt
@@ -340,20 +340,20 @@ Use below commands to verify tboot and iKGT boot-up were successful:
Setting up configfs and installing ikgt_agent.ko
=============================================================================
-Follow these steps to set up the configfs file system under /config
+Follow these steps to set up the configfs file system under /sys/kernel/config
-(1) $ sudo mkdir /config
+(1) $ sudo mkdir //sys/kernel/config
If configfs driver is not installed:
(2) sudo insmod \
/lib/modules/<installed-kernel-version>/kernel/fs/configfs/configfs.ko
-(3) $ sudo mount -t configfs none /config
+(3) $ sudo mount -t configfs none /sys/kernel/config
(4) $ sudo insmod ikgt_agent.ko
-After successful installation, the driver will create /config/ikgt_agent as its
-configuration space. The resource to be monitored and policy actions can now
+After successful installation, the driver will create /sys/kernel/config/ikgt_agent
+as its configuration space. The resource to be monitored and policy actions can now
be specified by creating directories and files in this space.
==============================================================================
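Review bot: Step (1) in this hunk now reads "sudo mkdir //sys/kernel/config", with a doubled leading slash that looks like a substitution typo. Beyond the typo, /sys/kernel/config lives inside sysfs and is provided by the kernel once configfs is available, so the mkdir that made sense for /config is not needed here. I would drop step (1) and renumber, leaving the insmod of configfs.ko followed by the mount.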
@@ -368,10 +368,10 @@ where
<base_dir> is the base directory under which the resource directories
are to be created
- $ sudo python parse_policy.py -f policy.json -b /config/ikgt_agent
+ $ sudo python parse_policy.py -f policy.json -b /sys/kernel/config/ikgt_agent
You can check the new entries in configfs by executing following command
- $ tree /config
+ $ tree /sys/kernel/config
Above command should create directories and files based on the contents
of .json file. The example policy enables monitoring of following resources
@@ -392,9 +392,9 @@ For example, if the OS tries to modify CR0:WP, the event will be logged
but will be allowed. Similarly, if the OS tries to modify EFER, the event will
be logged and the violating instruction will be skipped.
-The contents of the log can be seen in /config/ikgt-agent/log/log.txt
+The contents of the log can be seen in /sys/kernel/config/ikgt-agent/log/log.txt
-$cat /config/ikgt_agent/log/log.txt
+$cat /sys/kernel/config/ikgt_agent/log/log.txt
cpu=0, sequence-number=19, resource-name=CR0, access=write,
value=0x80050033, RIP=0x81055074, action=LOG_SKIP
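Review bot: The prose line in this hunk says the log is in /sys/kernel/config/ikgt-agent/log/log.txt (hyphen), while the cat command two lines below and the driver's directory use ikgt_agent (underscore). The patch carries the old inconsistency over unchanged; since the line is being touched anyway, change it to ikgt_agent so the path in the text can be copied and used.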
@@ -402,7 +402,7 @@ $cat /config/ikgt_agent/log/log.txt
You can use the python script, parse_log.py, to get a more descriptive
output of each event log entry.
-$ sudo python parse_log.py /config/ikgt-agent/log/log.txt <output_log_file>
+$ sudo python parse_log.py /sys/kernel/config/ikgt-agent/log/log.txt <output_log_file>
Example output:
cpu=0, sequence-number=3, resource-name=msr[0xc0000080], access=write,
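Review bot: The parse_log.py command line in this hunk also uses ikgt-agent with a hyphen, which does not match the ikgt_agent directory the driver creates according to the earlier section of the same readme. As written, the example would point at a path that does not exist; use /sys/kernel/config/ikgt_agent/log/log.txt here.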
--
MST
5 years, 7 months
[PATCH] xmon: support cross-build
by Michael S. Tsirkin
Allow cross-build by specifying CROSS_COMPILE
Change-Id: I771b9111ae7533324cd083968f6ba4b1dc4885e1
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
---
Makefile | 7 +++----
core/Makefile | 4 ++++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index ce400da..9c413b6 100755
--- a/Makefile
+++ b/Makefile
@@ -39,10 +39,9 @@ else
LDFLAGS = -T core/linker.lds -pie -s -z max-page-size=4096 -z common-page-size=4096
endif
-export CC = gcc
-export AS = gcc
-export LD = ld
-export AR = ar
+export CC = ${CROSS_COMPILE}gcc
+export AS = ${CROSS_COMPILE}gcc
+export AR = ${CROSS_COMPILE}ar
XMON_ELF := xmon.elf
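Review bot: This hunk deletes "export LD = ld" and adds no ${CROSS_COMPILE}ld counterpart, and the commit message does not mention removing it. If any rule still links through $(LD), it now falls back to make's built-in default "ld", which is the host linker, and the cross-build breaks at the link step. Either add "export LD = ${CROSS_COMPILE}ld" alongside the other three or state in the commit message that linking goes through $(CC) and LD is unused.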
diff --git a/core/Makefile b/core/Makefile
index b2da53c..c5424be 100755
--- a/core/Makefile
+++ b/core/Makefile
@@ -13,6 +13,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
+export CC = ${CROSS_COMPILE}gcc
+export AS = ${CROSS_COMPILE}gcc
+export AR = ${CROSS_COMPILE}ar
+
CSOURCES = main.c
ASOURCES = mon_entry.S
include rule.linux
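Review bot: The three assignments added to core/Makefile repeat exactly what the top-level Makefile already exports, so the toolchain prefix logic now lives in two places that have to be kept in step. If the aim is to let core/ build on its own, put the definitions in one shared file (rule.linux is already included here) or use conditional assignment so a value exported by the parent is not redefined. As in the top-level hunk, LD is not set here either.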
--
MST
5 years, 7 months