From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
To: Christian Borntraeger <borntraeger@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
Janosch Frank <frankja@linux.ibm.com>
Cc: Janis Schoetterl-Glausch <scgl@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
David Hildenbrand <david@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
kvm@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
Paolo Bonzini <pbonzini@redhat.com>,
Sven Schnelle <svens@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>
Subject: [PATCH v4 00/10] KVM: s390: Do storage key checking
Date: Fri, 11 Feb 2022 19:22:05 +0100 [thread overview]
Message-ID: <20220211182215.2730017-1-scgl@linux.ibm.com> (raw)
Check keys when emulating instructions and let user space do key checked
accesses.
User space can do so via an extension of the MEMOP IOCTL:
* allow optional key checking
* allow MEMOP on vm fd, so key checked accesses on absolute memory
become possible
I haven't finished the memop selftest rewrite, but decided to send out a
new version anyway, since the functional patches are (hopefully) final
and the memop selftest patch works. I'll reply to it with the
rewritten version.
v3: https://lore.kernel.org/kvm/20220209170422.1910690-1-scgl@linux.ibm.com/
v2: https://lore.kernel.org/kvm/20220207165930.1608621-1-scgl@linux.ibm.com/
v3 -> v4
* rebase
* ignore key in memop if skey flag not specified
* fix nits in documentation
* pick up tags
v2 -> v3
* get rid of reserved bytes check in vm,vcpu memop
* minor documentation changes
* moved memop selftest patches to end of series and squashed them,
currently working on making the test pretty
v1 -> v2
* rebase
* storage key variants of _?copy_from/to_user instead of
__copy_from/to_user_key, with long key arg instead of char
* refactor protection override checks
* u8 instead of char for key argument in s390 KVM code
* add comments
* pass ar (access register) to trans_exec in access_guest_with_key
* check reserved/unused fields (backwards compatible)
* move key arg of MEMOP out of flags
* rename new MEMOP capability to KVM_CAP_S390_MEM_OP_EXTENSION
* minor changes
Janis Schoetterl-Glausch (10):
s390/uaccess: Add copy_from/to_user_key functions
KVM: s390: Honor storage keys when accessing guest memory
KVM: s390: handle_tprot: Honor storage keys
KVM: s390: selftests: Test TEST PROTECTION emulation
KVM: s390: Add optional storage key checking to MEMOP IOCTL
KVM: s390: Add vm IOCTL for key checked guest absolute memory access
KVM: s390: Rename existing vcpu memop functions
KVM: s390: Add capability for storage key extension of MEM_OP IOCTL
KVM: s390: Update api documentation for memop ioctl
KVM: s390: selftests: Test memops with storage keys
Documentation/virt/kvm/api.rst | 112 ++++-
arch/s390/include/asm/ctl_reg.h | 2 +
arch/s390/include/asm/page.h | 2 +
arch/s390/include/asm/uaccess.h | 22 +
arch/s390/kvm/gaccess.c | 250 +++++++++-
arch/s390/kvm/gaccess.h | 84 +++-
arch/s390/kvm/intercept.c | 12 +-
arch/s390/kvm/kvm-s390.c | 132 ++++-
arch/s390/kvm/priv.c | 66 +--
arch/s390/lib/uaccess.c | 81 +++-
include/uapi/linux/kvm.h | 11 +-
tools/testing/selftests/kvm/.gitignore | 1 +
tools/testing/selftests/kvm/Makefile | 1 +
tools/testing/selftests/kvm/s390x/memop.c | 558 +++++++++++++++++++---
tools/testing/selftests/kvm/s390x/tprot.c | 227 +++++++++
15 files changed, 1375 insertions(+), 186 deletions(-)
create mode 100644 tools/testing/selftests/kvm/s390x/tprot.c
Range-diff against v3:
1: 0049c4412978 = 1: 313eb689b715 s390/uaccess: Add copy_from/to_user_key functions
2: 296096b9a7b9 = 2: 192fe30b1863 KVM: s390: Honor storage keys when accessing guest memory
3: a5976cb3a147 = 3: 19bd017ae5a4 KVM: s390: handle_tprot: Honor storage keys
4: 5f5e056e66df = 4: d20fad8d501b KVM: s390: selftests: Test TEST PROTECTION emulation
5: 64fa17a83b26 ! 5: bdee09b4a15e KVM: s390: Add optional storage key checking to MEMOP IOCTL
@@ Commit message
CPU would, or pass another key if necessary.
Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
- Acked-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+ Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+ Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
## arch/s390/kvm/kvm-s390.c ##
-@@
- #include <linux/sched/signal.h>
- #include <linux/string.h>
- #include <linux/pgtable.h>
-+#include <linux/bitfield.h>
-
- #include <asm/asm-offsets.h>
- #include <asm/lowcore.h>
@@ arch/s390/kvm/kvm-s390.c: static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd)
return r;
}
@@ arch/s390/kvm/kvm-s390.c: static long kvm_s390_guest_mem_op(struct kvm_vcpu *vcp
+ if (mop->flags & KVM_S390_MEMOP_F_SKEY_PROTECTION) {
+ if (access_key_invalid(mop->key))
+ return -EINVAL;
++ } else {
++ mop->key = 0;
+ }
if (!(mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY)) {
tmpbuf = vmalloc(mop->size);
6: 57e3ad332677 ! 6: e207a2f9af8a KVM: s390: Add vm IOCTL for key checked guest absolute memory access
@@ Commit message
accesses and so are not applied as they are when using the vcpu memop.
Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
- Acked-by: Janosch Frank <frankja@linux.ibm.com>
+ Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
## arch/s390/kvm/gaccess.c ##
@@ arch/s390/kvm/gaccess.c: static int low_address_protection_enabled(struct kvm_vcpu *vcpu,
@@ arch/s390/kvm/kvm-s390.c: static bool access_key_invalid(u8 access_key)
+ if (mop->flags & KVM_S390_MEMOP_F_SKEY_PROTECTION) {
+ if (access_key_invalid(mop->key))
+ return -EINVAL;
++ } else {
++ mop->key = 0;
+ }
+ if (!(mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY)) {
+ tmpbuf = vmalloc(mop->size);
7: 1615f5ab6e30 = 7: 52adbceebe41 KVM: s390: Rename existing vcpu memop functions
8: a8420e0f1b7f = 8: 43280a2db282 KVM: s390: Add capability for storage key extension of MEM_OP IOCTL
9: c59952ee362b ! 9: 9389cd2f4d23 KVM: s390: Update api documentation for memop ioctl
@@ Commit message
as well as the existing SIDA operations.
Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+ Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
## Documentation/virt/kvm/api.rst ##
@@ Documentation/virt/kvm/api.rst: The fields in each entry are defined as follows:
@@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
+the access. "ar" designates the access register number to be used; the valid
+range is 0..15.
+Logical accesses are permitted for the VCPU ioctl only.
-+Logical accesses are permitted for non secure guests only.
++Logical accesses are permitted for non-protected guests only.
+
+Supported flags:
+ * ``KVM_S390_MEMOP_F_CHECK_ONLY``
@@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
+ * ``KVM_S390_MEMOP_F_SKEY_PROTECTION``
+
+The KVM_S390_MEMOP_F_CHECK_ONLY flag can be set to check whether the
-+corresponding memory access would cause an access exception, without touching
-+the data in memory at the destination.
++corresponding memory access would cause an access exception; however,
++no actual access to the data in memory at the destination is performed.
+In this case, "buf" is unused and can be NULL.
+
+In case an access exception occurred during the access (or would occur
@@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
+Absolute accesses are permitted for the VM ioctl if KVM_CAP_S390_MEM_OP_EXTENSION
+is > 0.
+Currently absolute accesses are not permitted for VCPU ioctls.
-+Absolute accesses are permitted for non secure guests only.
++Absolute accesses are permitted for non-protected guests only.
+
+Supported flags:
+ * ``KVM_S390_MEMOP_F_CHECK_ONLY``
@@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
+^^^^^^^^^^^^^^^^
+
+Access the secure instruction data area which contains memory operands necessary
-+for instruction emulation for secure guests.
++for instruction emulation for protected guests.
+SIDA accesses are available if the KVM_CAP_S390_PROTECTED capability is available.
+SIDA accesses are permitted for the VCPU ioctl only.
-+SIDA accesses are permitted for secure guests only.
++SIDA accesses are permitted for protected guests only.
-The "reserved" field is meant for future extensions. It is not used by
-KVM with the currently defined set of flags.
10: 68752e1eca95 = 10: af33593d63a4 KVM: s390: selftests: Test memops with storage keys
base-commit: f1baf68e1383f6ed93eb9cff2866d46562607a43
--
2.32.0
next reply other threads:[~2022-02-11 18:22 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-11 18:22 Janis Schoetterl-Glausch [this message]
2022-02-11 18:22 ` [PATCH v4 01/10] s390/uaccess: Add copy_from/to_user_key functions Janis Schoetterl-Glausch
2022-02-14 15:30 ` Claudio Imbrenda
2022-02-11 18:22 ` [PATCH v4 02/10] KVM: s390: Honor storage keys when accessing guest memory Janis Schoetterl-Glausch
2022-02-14 15:52 ` Claudio Imbrenda
2022-02-11 18:22 ` [PATCH v4 03/10] KVM: s390: handle_tprot: Honor storage keys Janis Schoetterl-Glausch
2022-02-11 18:22 ` [PATCH v4 04/10] KVM: s390: selftests: Test TEST PROTECTION emulation Janis Schoetterl-Glausch
2022-02-11 18:22 ` [PATCH v4 05/10] KVM: s390: Add optional storage key checking to MEMOP IOCTL Janis Schoetterl-Glausch
2022-02-11 18:22 ` [PATCH v4 06/10] KVM: s390: Add vm IOCTL for key checked guest absolute memory access Janis Schoetterl-Glausch
2022-02-14 17:58 ` Claudio Imbrenda
2022-02-21 16:32 ` [PATCH] KVM: s390: Add missing vm MEM_OP size check Janis Schoetterl-Glausch
2022-02-22 8:04 ` Christian Borntraeger
2022-02-11 18:22 ` [PATCH v4 07/10] KVM: s390: Rename existing vcpu memop functions Janis Schoetterl-Glausch
2022-02-11 18:22 ` [PATCH v4 08/10] KVM: s390: Add capability for storage key extension of MEM_OP IOCTL Janis Schoetterl-Glausch
2022-02-14 14:29 ` Christian Borntraeger
2022-02-14 17:47 ` Claudio Imbrenda
2022-02-11 18:22 ` [PATCH v4 09/10] KVM: s390: Update api documentation for memop ioctl Janis Schoetterl-Glausch
2022-02-14 17:52 ` Claudio Imbrenda
2022-02-21 14:36 ` [PATCH] KVM: s390: Clarify key argument for MEM_OP in api docs Janis Schoetterl-Glausch
2022-02-21 16:06 ` Christian Borntraeger
2022-02-11 18:22 ` [PATCH v4 10/10] KVM: s390: selftests: Test memops with storage keys Janis Schoetterl-Glausch
2022-02-17 14:53 ` Janis Schoetterl-Glausch
2022-02-17 14:53 ` [PATCH 1/2] KVM: s390: selftests: Refactor memop test Janis Schoetterl-Glausch
2022-02-17 17:36 ` Shuah Khan
2022-02-18 12:09 ` Janis Schoetterl-Glausch
2022-02-18 22:14 ` Shuah Khan
2022-02-17 14:53 ` [PATCH 2/2] KVM: s390: selftests: Test vm and vcpu memop with keys Janis Schoetterl-Glausch
2022-02-17 17:54 ` Shuah Khan
2022-02-18 12:14 ` Janis Schoetterl-Glausch
2022-02-18 21:14 ` Shuah Khan
2022-02-25 15:53 ` [PATCH v2 0/5] memop selftest for storage key checking Janis Schoetterl-Glausch
2022-02-25 15:53 ` [PATCH v2 1/5] KVM: s390: selftests: Split memop tests Janis Schoetterl-Glausch
2022-02-25 15:53 ` [PATCH v2 2/5] KVM: s390: selftests: Add macro as abstraction for MEM_OP Janis Schoetterl-Glausch
2022-02-25 15:53 ` [PATCH v2 3/5] KVM: s390: selftests: Add named stages for memop test Janis Schoetterl-Glausch
2022-02-25 15:53 ` [PATCH v2 4/5] KVM: s390: selftests: Add more copy memop tests Janis Schoetterl-Glausch
2022-02-25 15:53 ` [PATCH v2 5/5] KVM: s390: selftests: Add error " Janis Schoetterl-Glausch
2022-03-08 10:16 ` [PATCH v2 0/5] memop selftest for storage key checking Christian Borntraeger
2022-03-08 21:11 ` Shuah Khan
2022-02-14 14:52 ` [PATCH v4 00/10] KVM: s390: Do " Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220211182215.2730017-1-scgl@linux.ibm.com \
--to=scgl@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=corbet@lwn.net \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=svens@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox