Re: [PATCH v2 04/20] s390/ap/zcrypt: New xflag parameter and extension of the ap msg flags

[Holger Dengler <dengler@linux.ibm.com>]

On 04/03/2025 18:21, Harald Freudenberger wrote:
> Introduce a new flag parameter for the both cprb send functions
> zcrypt_send_cprb() and zcrypt_send_ep11_cprb(). This new
> xflags parameter ("execution flags") shall be used to provide
> execution hints and flags for this crypto request.
> 
> There are two flags implemented to be used with these functions:
> * ZCRYPT_XFLAG_USERSPACE - indicates to the lower layers that
>   all the ptrs address userspace. So when construction the ap msg
>   copy_from_user() is to be used. If this flag is NOT set, the ptrs
>   address kernel memory and thus memcpy() is to be used.
> * ZCRYPT_XFLAG_NOMEMALLOC - indicates that this task must not
>   allocate memory which may be allocated with io operations.
>   For the zcrypt layer this limits the number of EP11 targets
>   to 16 APQNs. But as this flag is passed down the stack, it
>   may induce further restrictions.
> 
> For the AP bus and zcrypt message layer this means:
> * The ZCRYPT_XFLAG_USERSPACE is mapped to the AP flag
>   AP_MSG_FLAG_USERSPACE stored into the flags field of each
>   ap message in the ap_message struct. This replaces the extra
>   function parameter "userspace" and makes some function
>   invocations simpler.
> * The ZCRYPT_XFLAG_NOMEMALLOC causes the AP message buffer to
>   use buffer space from the AP message mempool instead of
>   allocating memory via kmalloc. Note that the buffer space
>   from the AP message mem pool is limited to 12KB per item.
> 
> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>

The boolean parameter `userspace` should only be merged with the xflags in functions, which has the need to handle ZCRYPT_XFLAG_USERSPACE and ZCRYPT_XFLAG_NOMEMALLOC, e.g _zcrypt_send_cprb(). Functions, which either only take one or the other flag may stay with the boolean parameter. There is also no need for a definition of AP_MSG_FLAG_USERSPACE, as the AP layer does not care about userspace pointers at all, only the zcrypt layer is affected by this flag. See my comments below.

> ---
>  drivers/s390/crypto/ap_bus.c          |  6 +-
>  drivers/s390/crypto/ap_bus.h          | 11 ++--
>  drivers/s390/crypto/zcrypt_api.c      | 90 +++++++++++++++------------
>  drivers/s390/crypto/zcrypt_api.h      | 36 +++++++----
>  drivers/s390/crypto/zcrypt_ccamisc.c  | 16 ++---
>  drivers/s390/crypto/zcrypt_ep11misc.c | 10 +--
>  drivers/s390/crypto/zcrypt_msgtype6.c | 12 ++--
>  drivers/s390/crypto/zcrypt_msgtype6.h |  4 +-
>  8 files changed, 107 insertions(+), 78 deletions(-)
> 
[...]
> diff --git a/drivers/s390/crypto/ap_bus.h b/drivers/s390/crypto/ap_bus.h
> index a7bd44e5cc76..5581fb13af73 100644
> --- a/drivers/s390/crypto/ap_bus.h
> +++ b/drivers/s390/crypto/ap_bus.h
> @@ -233,12 +233,13 @@ struct ap_message {
>  			struct ap_message *);
>  };
>  
> -#define AP_MSG_FLAG_SPECIAL  0x0001   /* flag msg as 'special' with NQAP */
> -#define AP_MSG_FLAG_USAGE    0x0002   /* CCA, EP11: usage (no admin) msg */
> -#define AP_MSG_FLAG_ADMIN    0x0004   /* CCA, EP11: admin (=control) msg */
> -#define AP_MSG_FLAG_MEMPOOL  0x0008   /* ap msg buffer allocated from mempool */
> +#define AP_MSG_FLAG_SPECIAL    0x0001  /* flag msg as 'special' with NQAP */
> +#define AP_MSG_FLAG_USAGE      0x0002  /* CCA, EP11: usage (no admin) msg */
> +#define AP_MSG_FLAG_ADMIN      0x0004  /* CCA, EP11: admin (=control) msg */
> +#define AP_MSG_FLAG_MEMPOOL    0x0008  /* ap msg buffer allocated from mempool */
> +#define AP_MSG_FLAG_USERSPACE  0x0010  /* pointers address userspace memory */

Do we really need this flag in the AP layer? IIRC it has only meaning in the zcrypt layer. If this is correct, please remove it.

>  
> -int ap_init_apmsg(struct ap_message *ap_msg, bool use_mempool);
> +int ap_init_apmsg(struct ap_message *ap_msg, u32 flags);
>  void ap_release_apmsg(struct ap_message *ap_msg);
>  
>  enum ap_sm_wait ap_sm_event(struct ap_queue *aq, enum ap_sm_event event);
> diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
> index ad09c5306e28..659fe7afb67e 100644
> --- a/drivers/s390/crypto/zcrypt_api.c
> +++ b/drivers/s390/crypto/zcrypt_api.c
> @@ -648,7 +648,7 @@ static long zcrypt_rsa_modexpo(struct ap_perms *perms,
>  
>  	trace_s390_zcrypt_req(mex, TP_ICARSAMODEXPO);
>  
> -	rc = ap_init_apmsg(&ap_msg, false);
> +	rc = ap_init_apmsg(&ap_msg, AP_MSG_FLAG_USERSPACE);

use_mempool == false should be changed to 0, not AP_MSG_FLAG_USERSPACE.
rc = ap_init_apmsg(&ap_msg, 0);

>  	if (rc)
>  		goto out;
>  
> @@ -753,7 +753,7 @@ static long zcrypt_rsa_crt(struct ap_perms *perms,
>  
>  	trace_s390_zcrypt_req(crt, TP_ICARSACRT);
>  
> -	rc = ap_init_apmsg(&ap_msg, false);
> +	rc = ap_init_apmsg(&ap_msg, AP_MSG_FLAG_USERSPACE);

Same here.
rc = ap_init_apmsg(&ap_msg, 0);

>  	if (rc)
>  		goto out;
>  
[...]
> @@ -856,16 +856,19 @@ static long _zcrypt_send_cprb(bool userspace, struct ap_perms *perms,
>  	unsigned short *domain, tdom;
>  	int cpen, qpen, qid = 0, rc;
>  	struct module *mod;
> +	u32 flags;
>  
>  	trace_s390_zcrypt_req(xcrb, TB_ZSECSENDCPRB);
>  
>  	xcrb->status = 0;
>  
> -	rc = ap_init_apmsg(&ap_msg, false);
> +	flags = (xflags & ZCRYPT_XFLAG_USERSPACE ? AP_MSG_FLAG_USERSPACE : 0) |
> +		(xflags & ZCRYPT_XFLAG_NOMEMALLOC ? AP_MSG_FLAG_MEMPOOL : 0);
> +	rc = ap_init_apmsg(&ap_msg, flags);

There is no need to translate ZCRYPT_XFLAG_USERSPACE to ap-msg flags, the AP layer should not care about userspace/kernelspace pointer.
rc = ap_init_apmsg(&ap_msg, xflags & ZCRYPT_XFLAG_NOMEMALLOC ? AP_MSG_FLAG_MEMPOOL : 0);

>  	if (rc)
>  		goto out;
>  
> -	rc = prep_cca_ap_msg(userspace, xcrb, &ap_msg, &func_code, &domain);
> +	rc = prep_cca_ap_msg(xcrb, &ap_msg, &func_code, &domain);

The prep_cca_ap_msg() - and all functions below - can stay with the bool parameter.
rc = prep_cca_ap_msg((xflags & ZCRYPT_XFLAG_USERSPACE), xcrb, &ap_msg, &func_code, &domain);

>  	if (rc)
>  		goto out;
>  	print_hex_dump_debug("ccareq: ", DUMP_PREFIX_ADDRESS, 16, 1,
> @@ -956,7 +959,7 @@ static long _zcrypt_send_cprb(bool userspace, struct ap_perms *perms,
>  	if (*domain == AUTOSEL_DOM)
>  		*domain = AP_QID_QUEUE(qid);
>  
> -	rc = pref_zq->ops->send_cprb(userspace, pref_zq, xcrb, &ap_msg);
> +	rc = pref_zq->ops->send_cprb(pref_zq, xcrb, &ap_msg);

Here as well, stay with the bool parameter userspace in the callback.
rc = pref_zq->ops->send_cprb((xflags & ZCRYPT_XFLAG_USERSPACE), pref_zq, xcrb, &ap_msg);

>  	if (!rc) {
>  		print_hex_dump_debug("ccarpl: ", DUMP_PREFIX_ADDRESS, 16, 1,
>  				     ap_msg.msg, ap_msg.len, false);
[...]
> @@ -1029,52 +1032,58 @@ static bool is_desired_ep11_queue(unsigned int dev_qid,
>  	return false;
>  }
>  
> -static long _zcrypt_send_ep11_cprb(bool userspace, struct ap_perms *perms,
> +static long _zcrypt_send_ep11_cprb(u32 xflags, struct ap_perms *perms,
>  				   struct zcrypt_track *tr,
>  				   struct ep11_urb *xcrb)
>  {
>  	struct zcrypt_card *zc, *pref_zc;
>  	struct zcrypt_queue *zq, *pref_zq;
> -	struct ep11_target_dev *targets;
> +	struct ep11_target_dev targetbuf[16], *targets = NULL;
>  	unsigned short target_num;
>  	unsigned int wgt = 0, pref_wgt = 0;
>  	unsigned int func_code = 0, domain;
>  	struct ap_message ap_msg;
>  	int cpen, qpen, qid = 0, rc;
>  	struct module *mod;
> +	u32 flags;
>  
>  	trace_s390_zcrypt_req(xcrb, TP_ZSENDEP11CPRB);
>  
> -	rc = ap_init_apmsg(&ap_msg, false);
> +	flags = (xflags & ZCRYPT_XFLAG_USERSPACE ? AP_MSG_FLAG_USERSPACE : 0) |
> +		(xflags & ZCRYPT_XFLAG_NOMEMALLOC ? AP_MSG_FLAG_MEMPOOL : 0);
> +	rc = ap_init_apmsg(&ap_msg, flags);

The AP layer does not care about the userspace flag. Please remove it.
rc = ap_init_apmsg(&ap_msg, xflags & ZCRYPT_XFLAG_NOMEMALLOC ? AP_MSG_FLAG_MEMPOOL : 0);

>  	if (rc)
>  		goto out;
>  
>  	target_num = (unsigned short)xcrb->targets_num;
>  
>  	/* empty list indicates autoselect (all available targets) */
> -	targets = NULL;
> +	rc = -ENOMEM;
>  	if (target_num != 0) {
>  		struct ep11_target_dev __user *uptr;
>  
> -		targets = kcalloc(target_num, sizeof(*targets), GFP_KERNEL);
> -		if (!targets) {
> -			func_code = 0;
> -			rc = -ENOMEM;
> +		if (target_num <= ARRAY_SIZE(targetbuf)) {
> +			targets = targetbuf;
> +		} else if (xflags & ZCRYPT_XFLAG_NOMEMALLOC) {
>  			goto out;
> +		} else {
> +			targets = kcalloc(target_num,
> +					  sizeof(*targets), GFP_KERNEL);
> +			if (!targets)
> +				goto out;
>  		}
>  
>  		uptr = (struct ep11_target_dev __force __user *)xcrb->targets;
> -		if (z_copy_from_user(userspace, targets, uptr,
> -				     target_num * sizeof(*targets))) {
> -			func_code = 0;
> +		if (z_copy_from_user(xflags & ZCRYPT_XFLAG_USERSPACE, targets,
> +				     uptr, target_num * sizeof(*targets))) {
>  			rc = -EFAULT;
> -			goto out_free;
> +			goto out;
>  		}
>  	}
>  
> -	rc = prep_ep11_ap_msg(userspace, xcrb, &ap_msg, &func_code, &domain);
> +	rc = prep_ep11_ap_msg(xcrb, &ap_msg, &func_code, &domain);

Stay here with the boolean parameter for userspace.

>  	if (rc)
> -		goto out_free;
> +		goto out;
>  	print_hex_dump_debug("ep11req: ", DUMP_PREFIX_ADDRESS, 16, 1,
>  			     ap_msg.msg, ap_msg.len, false);
>  
[...]
> @@ -1154,11 +1163,11 @@ static long _zcrypt_send_ep11_cprb(bool userspace, struct ap_perms *perms,
>  			pr_debug("no match for address ff.ffff => ENODEV\n");
>  		}
>  		rc = -ENODEV;
> -		goto out_free;
> +		goto out;
>  	}
>  
>  	qid = pref_zq->queue->qid;
> -	rc = pref_zq->ops->send_ep11_cprb(userspace, pref_zq, xcrb, &ap_msg);
> +	rc = pref_zq->ops->send_ep11_cprb(pref_zq, xcrb, &ap_msg);

Keep the boolean parameter for userspace here as well.

>  	if (!rc) {
>  		print_hex_dump_debug("ep11rpl: ", DUMP_PREFIX_ADDRESS, 16, 1,
>  				     ap_msg.msg, ap_msg.len, false);
[...]

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler
--
IBM Systems, Linux on IBM Z Development
dengler@linux.ibm.com