Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-14 Thread Sergey Dyasli
On 13/01/2020 14:40, Andrew Cooper wrote: > On 13/01/2020 12:51, George Dunlap wrote: >> So Sergey's second patch: >> - Still denies XENVER_extraversion at the hypervisor level >> - Leaves the value returned by the hypervisor as "" >> - Filters the "" string at the hvmloader level, to prevent

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Julien Grall
Hi, On 13/01/2020 12:51, George Dunlap wrote: On 1/12/20 6:26 PM, Doug Goldstein wrote: On 1/11/20 3:02 AM, George Dunlap wrote: 1. Block XENVER_extraversion at the hypervisor level. Change the xen_deny() string to "". (This is v1 of Sergey's patch.) 2. Block XENVER_extraversion at the hype

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Andrew Cooper
On 13/01/2020 12:51, George Dunlap wrote: > On 1/12/20 6:26 PM, Doug Goldstein wrote: >> On 1/11/20 3:02 AM, George Dunlap wrote: >>> On Jan 11, 2020, at 4:02 AM, Doug Goldstein wrote: On 1/10/20 4:37 AM, Sergey Dyasli wrote: > Hide the following information that can h

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Julien Grall
On 13/01/2020 14:07, George Dunlap wrote: On 1/13/20 2:01 PM, Andrew Cooper wrote: On 13/01/2020 13:39, Julien Grall wrote: Hi George, Thank you for summarising the possibility. One question below. On 13/01/2020 12:51, George Dunlap wrote: 2. Block XENVER_extraversion at the hypervisor lev

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread George Dunlap
On 1/13/20 2:01 PM, Andrew Cooper wrote: > On 13/01/2020 13:39, Julien Grall wrote: >> Hi George, >> >> Thank you for summarising the possibility. One question below. >> >> On 13/01/2020 12:51, George Dunlap wrote: >>> 2. Block XENVER_extraversion at the hypervisor level.  Leave xen_deny() >>> as r

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Andrew Cooper
On 13/01/2020 13:39, Julien Grall wrote: > Hi George, > > Thank you for summarising the possibility. One question below. > > On 13/01/2020 12:51, George Dunlap wrote: >> 2. Block XENVER_extraversion at the hypervisor level.  Leave xen_deny() >> as returning "", but replace "" with "" in hvmloader s

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Ian Jackson
Doug Goldstein writes ("Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests"): > I'd be happy if we had a Kconfig option behind what the string is. Give > me a blank as an option but default it to whatever string like > "" t

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Julien Grall
Hi George, Thank you for summarising the possibility. One question below. On 13/01/2020 12:51, George Dunlap wrote: 2. Block XENVER_extraversion at the hypervisor level. Leave xen_deny() as returning "", but replace "" with "" in hvmloader so it doesn't show up in the System Info and scare use

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread George Dunlap
On 1/12/20 6:26 PM, Doug Goldstein wrote: > On 1/11/20 3:02 AM, George Dunlap wrote: >> >> >>> On Jan 11, 2020, at 4:02 AM, Doug Goldstein wrote: >>> >>> >>> >>> On 1/10/20 4:37 AM, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version:

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-13 Thread Sergey Dyasli
On 10/01/2020 11:02, Andrew Cooper wrote: > On 10/01/2020 10:37, Sergey Dyasli wrote: >> Hide the following information that can help identify the running Xen >> binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. >> Add explicit cases for XENVER_commandline and XENVER_build

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-12 Thread Doug Goldstein
On 1/11/20 3:02 AM, George Dunlap wrote: On Jan 11, 2020, at 4:02 AM, Doug Goldstein wrote: On 1/10/20 4:37 AM, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. Add explic

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-11 Thread George Dunlap
> On Jan 11, 2020, at 3:55 AM, Doug Goldstein wrote: > > > > On 1/10/20 9:28 AM, George Dunlap wrote: >> On 1/10/20 11:02 AM, Andrew Cooper wrote: >>> On 10/01/2020 10:37, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version: XENV

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-11 Thread George Dunlap
> On Jan 11, 2020, at 4:02 AM, Doug Goldstein wrote: > > > > On 1/10/20 4:37 AM, Sergey Dyasli wrote: >> Hide the following information that can help identify the running Xen >> binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. >> Add explicit cases for XENVER_comman

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Doug Goldstein
On 1/10/20 4:37 AM, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. Add explicit cases for XENVER_commandline and XENVER_build_id as well. Introduce xsm_filter_denied() to hvm

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Doug Goldstein
On 1/10/20 9:28 AM, George Dunlap wrote: On 1/10/20 11:02 AM, Andrew Cooper wrote: On 10/01/2020 10:37, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. Add explicit cases for

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread George Dunlap
On 1/10/20 4:45 PM, Jürgen Groß wrote: > On 10.01.20 16:56, Jan Beulich wrote: >> On 10.01.2020 16:28, George Dunlap wrote: >>> On 1/10/20 11:02 AM, Andrew Cooper wrote: On 10/01/2020 10:37, Sergey Dyasli wrote: > Hide the following information that can help identify the running Xen >

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Jürgen Groß
On 10.01.20 16:56, Jan Beulich wrote: On 10.01.2020 16:28, George Dunlap wrote: On 1/10/20 11:02 AM, Andrew Cooper wrote: On 10/01/2020 10:37, Sergey Dyasli wrote: Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XE

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Jan Beulich
On 10.01.2020 16:28, George Dunlap wrote: > On 1/10/20 11:02 AM, Andrew Cooper wrote: >> On 10/01/2020 10:37, Sergey Dyasli wrote: >>> Hide the following information that can help identify the running Xen >>> binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. >>> Add explic

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread George Dunlap
On 1/10/20 11:02 AM, Andrew Cooper wrote: > On 10/01/2020 10:37, Sergey Dyasli wrote: >> Hide the following information that can help identify the running Xen >> binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. >> Add explicit cases for XENVER_commandline and XENVER_build

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Jan Beulich
On 10.01.2020 11:37, Sergey Dyasli wrote: > --- a/tools/firmware/hvmloader/util.c > +++ b/tools/firmware/hvmloader/util.c > @@ -995,6 +995,12 @@ void hvmloader_acpi_build_tables(struct acpi_config > *config, > hvm_param_set(HVM_PARAM_VM_GENERATION_ID_ADDR, config->vm_gid_addr); > } > > +vo

Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Andrew Cooper
On 10/01/2020 10:37, Sergey Dyasli wrote: > Hide the following information that can help identify the running Xen > binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. > Add explicit cases for XENVER_commandline and XENVER_build_id as well. > > Introduce xsm_filter_denied()

[Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests

2020-01-10 Thread Sergey Dyasli
Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. Add explicit cases for XENVER_commandline and XENVER_build_id as well. Introduce xsm_filter_denied() to hvmloader to remove "" string from guest's DMI t