1. Patchew
  2. Xen
  3. View series

[PATCH v2 0/3] Add lockdown mode

Kevin Lampis posted 3 patches 8 months, 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250602134656.3836280-1-kevin.lampis@cloud.com
docs/misc/xen-command-line.pandoc     | 16 ++++++++
xen/arch/arm/domain_build.c           |  4 +-
xen/arch/x86/acpi/cpu_idle.c          |  2 +-
xen/arch/x86/cpu/amd.c                |  2 +-
xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
xen/arch/x86/cpu/microcode/core.c     |  2 +-
xen/arch/x86/dom0_build.c             |  4 +-
xen/arch/x86/hvm/hvm.c                |  2 +-
xen/arch/x86/irq.c                    |  2 +-
xen/arch/x86/nmi.c                    |  2 +-
xen/arch/x86/setup.c                  |  3 +-
xen/arch/x86/traps.c                  |  2 +-
xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
xen/common/Kconfig                    |  8 ++++
xen/common/Makefile                   |  1 +
xen/common/domain.c                   |  2 +-
xen/common/efi/boot.c                 | 23 ++++++++++++
xen/common/efi/runtime.c              |  3 ++
xen/common/kernel.c                   | 17 ++++++++-
xen/common/kexec.c                    |  2 +-
xen/common/lockdown.c                 | 54 +++++++++++++++++++++++++++
xen/common/numa.c                     |  2 +-
xen/common/page_alloc.c               |  2 +-
xen/common/shutdown.c                 |  2 +-
xen/drivers/char/console.c            |  2 +-
xen/drivers/char/ns16550.c            |  4 +-
xen/drivers/video/vga.c               |  2 +-
xen/include/xen/efi.h                 |  6 +++
xen/include/xen/lockdown.h            | 11 ++++++
xen/include/xen/param.h               | 49 ++++++++++++++++++------
30 files changed, 200 insertions(+), 35 deletions(-)
create mode 100644 xen/common/lockdown.c
create mode 100644 xen/include/xen/lockdown.h
[PATCH v2 0/3] Add lockdown mode
Posted by Kevin Lampis 8 months, 1 week ago 
The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.

Ross Lagerwall (2):
  efi: Add a function to check if Secure Boot mode is enabled
  Add lockdown mode

Kevin Lampis (1):
  Disallow most command-line options when lockdown mode is enabled

 docs/misc/xen-command-line.pandoc     | 16 ++++++++
 xen/arch/arm/domain_build.c           |  4 +-
 xen/arch/x86/acpi/cpu_idle.c          |  2 +-
 xen/arch/x86/cpu/amd.c                |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
 xen/arch/x86/cpu/microcode/core.c     |  2 +-
 xen/arch/x86/dom0_build.c             |  4 +-
 xen/arch/x86/hvm/hvm.c                |  2 +-
 xen/arch/x86/irq.c                    |  2 +-
 xen/arch/x86/nmi.c                    |  2 +-
 xen/arch/x86/setup.c                  |  3 +-
 xen/arch/x86/traps.c                  |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
 xen/common/Kconfig                    |  8 ++++
 xen/common/Makefile                   |  1 +
 xen/common/domain.c                   |  2 +-
 xen/common/efi/boot.c                 | 23 ++++++++++++
 xen/common/efi/runtime.c              |  3 ++
 xen/common/kernel.c                   | 17 ++++++++-
 xen/common/kexec.c                    |  2 +-
 xen/common/lockdown.c                 | 54 +++++++++++++++++++++++++++
 xen/common/numa.c                     |  2 +-
 xen/common/page_alloc.c               |  2 +-
 xen/common/shutdown.c                 |  2 +-
 xen/drivers/char/console.c            |  2 +-
 xen/drivers/char/ns16550.c            |  4 +-
 xen/drivers/video/vga.c               |  2 +-
 xen/include/xen/efi.h                 |  6 +++
 xen/include/xen/lockdown.h            | 11 ++++++
 xen/include/xen/param.h               | 49 ++++++++++++++++++------
 30 files changed, 200 insertions(+), 35 deletions(-)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

-- 
2.42.0

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.