From: Janosch Frank <frankja@linux.ibm.com>
To: "Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-s390x@nongnu.org,
Christian Borntraeger <borntraeger@linux.ibm.com>,
David Hildenbrand <david@redhat.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
qemu-devel@nongnu.org, Halil Pasic <pasic@linux.ibm.com>,
Marc Hartmayer <mhartmay@linux.ibm.com>
Subject: Re: [PATCH] target/s390x/kvm/pv: Provide some more useful information if decryption fails
Date: Tue, 9 Jan 2024 16:36:06 +0100
Message-ID: <d2d2a47a-50cf-47b1-a1b6-1125be5688b6@linux.ibm.com>
In-Reply-To: <d89b6903-0d15-415b-88ec-6f23cf436172@redhat.com>
On 1/9/24 15:52, Thomas Huth wrote:
> On 09/01/2024 15.42, Daniel P. Berrangé wrote:
>> On Tue, Jan 09, 2024 at 03:30:38PM +0100, Thomas Huth wrote:
>>> It's a common scenario to copy guest images from one host to another
>>> to run the guest on the other machine. This (of course) does not work
>>> with "secure execution" guests since they are encrypted with one certain
>>> host key. However, if you still (accidentally) do it, you only get a
>>> very user-unfriendly error message that looks like this:
>>
>> Not a comment on the patch, but my own interest how/where does the
>> disk image encryption/decryption happen ? Is that in guest kernel
>> context, and any info on what format the encryption uses ?
>
> There is an "ultravisor" (part of the host firmware) that takes care of the
> decryption. See e.g. Claudio's talk here:
>
> https://www.youtube.com/watch?v=J2YibrLfB4s
And here's the tool that creates the encrypted image:
https://github.com/ibm-s390-linux/s390-tools/tree/master/genprotimg
If I remember correctly the image should be aes-256-xts.
The SE header (that contains the image key) should be aes-256-gcm.
The header has keyslots so each machine the VM is allowed to run on can
unwrap the header independently.
Adding Marc to keep me honest here since he wrote genprotimg.
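An added model of the keyslot scheme just described, written for this page and not taken from genprotimg or the ultravisor: the image key is sealed with AES-256-GCM once per permitted host key, so a host that has no slot, presents the wrong key, or meets a tampered slot gets an authentication error rather than a wrong key. The slot label used as index and associated data, the map layout and the 32-byte host keys are assumptions; the real SE header format and the AES-XTS image encryption are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// keySlot: the image key wrapped with AES-256-GCM under one host key (a model, not the real SE header).
type keySlot struct{ nonce, wrapped []byte } // wrapped = ciphertext || 16-byte GCM tag

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// buildHeader wraps imageKey once per permitted host; the hypothetical host label indexes the slot and is bound as AAD.
func buildHeader(imageKey []byte, hostKeys map[string][]byte) (map[string]keySlot, error) {
	slots := map[string]keySlot{}
	for id, hk := range hostKeys {
		aead, err := newGCM(hk)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize()) // fresh random nonce per slot
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		slots[id] = keySlot{nonce, aead.Seal(nil, nonce, imageKey, []byte(id))}
	}
	return slots, nil
}

// unwrapImageKey is the boot-time step: no slot (the copied-image case from the patch), a wrong key or a tampered slot yields an error.
func unwrapImageKey(slots map[string]keySlot, hostID string, hostKey []byte) ([]byte, error) {
	s, ok := slots[hostID]
	if !ok {
		return nil, errors.New("no key slot for this host")
	}
	aead, err := newGCM(hostKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.nonce, s.wrapped, []byte(hostID)) // fails on tag mismatch
}
```

The block has no main; exercise it from a test or a small caller that builds a header for a set of host keys and then tries an unwrap from a host that is not in the set.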
Thread overview:
2024-01-09 14:30 [PATCH] target/s390x/kvm/pv: Provide some more useful information if decryption fails Thomas Huth
2024-01-09 14:42 ` Daniel P. Berrangé
2024-01-09 14:52 ` Thomas Huth
2024-01-09 15:36 ` Janosch Frank [this message]
2024-01-09 15:34 ` Claudio Imbrenda
2024-01-09 16:51 ` Cédric Le Goater
2024-01-10 12:09 ` Thomas Huth