On 11.03.2024 13:00, Simone Ballarin wrote:
> On 11/03/24 11:08, Jan Beulich wrote:
>> On 11.03.2024 09:59, Simone Ballarin wrote:
>>> --- a/xen/arch/arm/include/asm/hypercall.h
>>> +++ b/xen/arch/arm/include/asm/hypercall.h
>>> @@ -1,3 +1,4 @@
>>> +/* SAF-5-safe direct inclusion guard before */
>>>   #ifndef __XEN_HYPERCALL_H__
>>>   #error "asm/hypercall.h should not be included directly - include 
>>> xen/hypercall.h instead"
>>>   #endif
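Review bot: the SAF-5-safe comment sits directly above `#ifndef __XEN_HYPERCALL_H__`, which tests the includer's macro rather than guarding this header, and nothing in the hunk says how far the deviation reaches. Please state, in the comment or in the commit message, whether it covers only this direct-inclusion check or the whole file, so it is clear that a missing guard of the header's own further down would still be reported.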
>>> --- a/xen/arch/x86/include/asm/hypercall.h
>>> +++ b/xen/arch/x86/include/asm/hypercall.h
>>> @@ -2,6 +2,7 @@
>>>    * asm-x86/hypercall.h
>>>    */
>>>   
>>> +/* SAF-5-safe direct inclusion guard before */
>>>   #ifndef __XEN_HYPERCALL_H__
>>>   #error "asm/hypercall.h should not be included directly - include 
>>> xen/hypercall.h instead"
>>>   #endif
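Review bot: the free text "direct inclusion guard before" in the comment added above `#ifndef __XEN_HYPERCALL_H__` does not read as a justification, since it leaves open what comes before what. Suggest spelling it out after the SAF-5-safe tag, for example "direct-inclusion check comes before the header's own guard" if that is what is meant, and keeping the wording identical in the arm header.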
>>
>> Iirc it was said that this way checking for correct guards is suppressed
>> altogether in Eclair, which is not what we want. Can you clarify this,
>> please?
>>
> 
> My first change was moving this check inside the guard.
> You commented on my patch saying that this would be an error because someone can
> include it directly if it has already been included indirectly.
> I replied saying that this was also the case before the change.
> You agreed with me, and we decided that the correct thing would be fixing the
> check and not applying my temporary change to address the finding.
> 
> Considering that the code should be amended, a SAF deviation seems to me
> the most appropriate way for suppressing these findings.

Since I don't feel your reply addresses my question, asking differently: With
your change in place, will failure to have proper guards (later) in these
headers still be reported by Eclair?

Jan
