From: Cornelia Huck <cohuck@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Tony Krowiak <akrowiak@linux.vnet.ibm.com>,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, freude@de.ibm.com, schwidefsky@de.ibm.com,
heiko.carstens@de.ibm.com, kwankhede@nvidia.com,
bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com,
alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com,
alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com,
qemu-s390x@nongnu.org, jjherne@linux.vnet.ibm.com,
thuth@redhat.com, pasic@linux.vnet.ibm.com, david@redhat.com
Subject: Re: [RFC 02/19] KVM: s390: refactor crypto initialization
Date: Tue, 14 Nov 2017 12:50:28 +0100
Message-ID: <20171114125028.1653a2cc.cohuck@redhat.com>
In-Reply-To: <6e65f497-5cae-f731-2885-a9ce19d92d8b@de.ibm.com>

On Thu, 2 Nov 2017 13:41:18 +0100
Christian Borntraeger <borntraeger@de.ibm.com> wrote:
> On 10/13/2017 07:38 PM, Tony Krowiak wrote:
> > This patch introduces the following changes to crypto initialization.
> >
> > * For key management operations support, the crypto control block
> > (CRYCB) referenced by the KVM guest's SIE state description is
> > formatted only if the Message-Security-Assist (MSA) extension 3
> > facility is installed (STFLE.76 is set). Virtualization of AP
> > facilities, however, requires that a CRYCB of the appropriate
> > format be made available to SIE regardless of the value of STFLE.76.
> >
> > * The Execution Controls A (ECA) field bit 28 in the SIE block needs
> > to be set to enable interpretive execution mode of adjunct processor (AP)
> > instructions.
>
> We should fence setting ECA to cases where we have virtualization capability
> for crypto. In addition we need to bind this somehow to the CPU model, so
> I guess we need to add some CRYPTO feature e.g. add KVM_S390_VM_CPU_FEAT_AP to the
> list of known features
> (see arch/s390/include/uapi/asm/kvm.h)
> ---snip---
> #define KVM_S390_VM_CPU_FEAT_ESOP 0
> #define KVM_S390_VM_CPU_FEAT_SIEF2 1
> #define KVM_S390_VM_CPU_FEAT_64BSCAO 2
> #define KVM_S390_VM_CPU_FEAT_SIIF 3
> #define KVM_S390_VM_CPU_FEAT_GPERE 4
> #define KVM_S390_VM_CPU_FEAT_GSLS 5
> #define KVM_S390_VM_CPU_FEAT_IB 6
> #define KVM_S390_VM_CPU_FEAT_CEI 7
> #define KVM_S390_VM_CPU_FEAT_IBS 8
> #define KVM_S390_VM_CPU_FEAT_SKEY 9
> #define KVM_S390_VM_CPU_FEAT_CMMA 10
> #define KVM_S390_VM_CPU_FEAT_PFMFI 11
> #define KVM_S390_VM_CPU_FEAT_SIGPIF 12
> #define KVM_S390_VM_CPU_FEAT_KSS 13
> ---snip---

So, we need this so userspace can add the appropriate flags, right?

> I will try to find out a way to properly detect that.

Did you manage to find out?

> >
> > Signed-off-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
> > ---
> > arch/s390/include/asm/kvm_host.h | 1 +
> > arch/s390/kvm/kvm-s390.c | 17 +++++++++++++----
> > 2 files changed, 14 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
> > index 50a6b25..5683f18 100644
> > --- a/arch/s390/include/asm/kvm_host.h
> > +++ b/arch/s390/include/asm/kvm_host.h
> > @@ -188,6 +188,7 @@ struct kvm_s390_sie_block {
> > #define ECA_MVPGI 0x01000000
> > #define ECA_VX 0x00020000
> > #define ECA_PROTEXCI 0x00002000
> > +#define ECA_AP 0x00000008
> > #define ECA_SII 0x00000001
> > __u32 eca; /* 0x004c */
> > #define ICPT_INST 0x04
> > diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> > index 40d0a1a..e57fc9b 100644
> > --- a/arch/s390/kvm/kvm-s390.c
> > +++ b/arch/s390/kvm/kvm-s390.c
> > @@ -1819,7 +1819,9 @@ static void kvm_s390_set_crycb_format(struct kvm *kvm)
> > {
> > kvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb;
> >
> > - if (kvm_s390_apxa_installed())
> > + if (!test_kvm_facility(kvm, 76))
> > + kvm->arch.crypto.crycbd &= ~(CRYCB_FORMAT2); /* format 0 */
> > + else if (kvm_s390_apxa_installed())
> > kvm->arch.crypto.crycbd |= CRYCB_FORMAT2;
> > else
> > kvm->arch.crypto.crycbd |= CRYCB_FORMAT1;
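
Review bot: The new first branch in kvm_s390_set_crycb_format() expresses "format 0" as crycbd &= ~(CRYCB_FORMAT2), which yields format 0 only if CRYCB_FORMAT2 covers every format bit, and that is not evident from this hunk. Because crycbd was assigned from the crycb address one statement earlier, the format bits are either already clear, making the mask a no-op, or the address is not aligned as expected and the mask hides that. A named format-0 value or an explicit format mask (either would be a new definition, not one shown here) would make the intent checkable, and the extra parentheses can go.
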
> > @@ -1836,12 +1838,12 @@ static u64 kvm_s390_get_initial_cpuid(void)
> >
> > static void kvm_s390_crypto_init(struct kvm *kvm)
> > {
> > - if (!test_kvm_facility(kvm, 76))
> > - return;
> > -
> > kvm->arch.crypto.crycb = &kvm->arch.sie_page2->crycb;
> > kvm_s390_set_crycb_format(kvm);
> >
> > + if (!test_kvm_facility(kvm, 76))
> > + return;
> > +
> > /* Enable AES/DEA protected key functions by default */
> > kvm->arch.crypto.aes_kw = 1;
> > kvm->arch.crypto.dea_kw = 1;
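
Review bot: In kvm_s390_crypto_init(), moving the test_kvm_facility(kvm, 76) check below kvm_s390_set_crycb_format() means every guest now gets a CRYCB pointer and format, but nothing in the function says why. A short comment above the crycb assignment, stating that the CRYCB is needed for AP even without MSA extension 3 and that only the key-wrapping setup below depends on facility 76, would keep a later cleanup from moving the check back to the top.
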
> > @@ -2366,8 +2368,15 @@ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
> > vcpu->arch.enabled_gmap = vcpu->arch.gmap;
> > }
> >
> > +static void kvm_s390_vcpu_set_crypto_exec_mode(struct kvm_vcpu *vcpu)
> > +{
> > + vcpu->arch.sie_block->eca |= ECA_AP;
> > +}
> > +
> > static void kvm_s390_vcpu_crypto_setup(struct kvm_vcpu *vcpu)
> > {
> > + kvm_s390_vcpu_set_crypto_exec_mode(vcpu);
> > +
> > if (!test_kvm_facility(vcpu->kvm, 76))
> > return;
> >
>
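
Review bot: kvm_s390_vcpu_crypto_setup() now calls kvm_s390_vcpu_set_crypto_exec_mode() ahead of any check, so ECA_AP is set on every vcpu whether or not AP interpretation is available on the host or was requested for this guest. The bit should be set only behind a capability test, for example the KVM_S390_VM_CPU_FEAT_AP feature proposed in the reply above, so that it follows the CPU model chosen by userspace. With that condition in place the one-line helper could be folded into the caller.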