Re: [for-5.2 v4 10/10] s390: Recognize host-trust-limitation option

From: David Gibson <david@gibson.dropbear.id.au>
To: Janosch Frank <frankja@linux.ibm.com>
Cc: dgilbert@redhat.com, pair@us.ibm.com, qemu-devel@nongnu.org,
	pbonzini@redhat.com, brijesh.singh@amd.com,
	"Thomas Huth" <thuth@redhat.com>,
	"Cornelia Huck" <cohuck@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	ehabkost@redhat.com, kvm@vger.kernel.org,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"David Hildenbrand" <david@redhat.com>,
	mdroth@linux.vnet.ibm.com, pasic@linux.ibm.com,
	"Christian Borntraeger" <borntraeger@de.ibm.com>,
	qemu-s390x@nongnu.org, qemu-ppc@nongnu.org,
	"Richard Henderson" <rth@twiddle.net>
Subject: Re: [for-5.2 v4 10/10] s390: Recognize host-trust-limitation option
Date: Mon, 3 Aug 2020 17:54:59 +1000	[thread overview]
Message-ID: <20200803075459.GC7553@yekko.fritz.box> (raw)
In-Reply-To: <8be75973-65bc-6d15-99b0-fbea9fe61c80@linux.ibm.com>

[-- Attachment #1: Type: text/plain, Size: 2640 bytes --]

On Mon, Aug 03, 2020 at 09:49:42AM +0200, Janosch Frank wrote:
> On 7/24/20 4:57 AM, David Gibson wrote:
> > At least some s390 cpu models support "Protected Virtualization" (PV),
> > a mechanism to protect guests from eavesdropping by a compromised
> > hypervisor.
> > 
> > This is similar in function to other mechanisms like AMD's SEV and
> > POWER's PEF, which are controlled bythe "host-trust-limitation"
> > machine option.  s390 is a slightly special case, because we already
> > supported PV, simply by using a CPU model with the required feature
> > (S390_FEAT_UNPACK).
> > 
> > To integrate this with the option used by other platforms, we
> > implement the following compromise:
> > 
> >  - When the host-trust-limitation option is set, s390 will recognize
> >    it, verify that the CPU can support PV (failing if not) and set
> >    virtio default options necessary for encrypted or protected guests,
> >    as on other platforms.  i.e. if host-trust-limitation is set, we
> >    will either create a guest capable of entering PV mode, or fail
> >    outright
> > 
> >  - If host-trust-limitation is not set, guest's might still be able to
> >    enter PV mode, if the CPU has the right model.  This may be a
> >    little surprising, but shouldn't actually be harmful.
> 
> As I already explained, they have to continue to work without any change
> to the VM's configuration.

Yes.. that's what I'm saying will happen.

> Our users already expect PV to work without HTL. This feature is already
> being used and the documentation has been online for a few months. I've
> already heard enough complains because users found small errors in our
> documentation. I'm not looking forward to complains because suddenly we
> need to specify new command line arguments depending on the QEMU version.
> 
> @Cornelia: QEMU is not my expertise, am I missing something here?

What I'm saying here is that you don't need a new option.  I'm only
suggesting we make the new option the preferred way for future
upstream releases.  (the new option has the advantage that you *just*
need to specify it, and any necessary virtio or other options to be
compatible should be handled for you).

But existing configurations should work as is (I'm not sure they do
with the current patch, because I'm not familiar with the s390 code
and have no means to test PV, but that can be sorted out before
merge).

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]