From: Pierre Morel <pmorel@linux.ibm.com> To: linux-kernel@vger.kernel.org Cc: pasic@linux.ibm.com, borntraeger@de.ibm.com, frankja@linux.ibm.com, mst@redhat.com, jasowang@redhat.com, cohuck@redhat.com, kvm@vger.kernel.org, linux-s390@vger.kernel.org, virtualization@lists.linux-foundation.org, thomas.lendacky@amd.com, david@gibson.dropbear.id.au, linuxram@us.ibm.com, hca@linux.ibm.com, gor@linux.ibm.com Subject: [PATCH v8 2/2] s390: virtio: PV needs VIRTIO I/O device protection Date: Tue, 18 Aug 2020 16:58:31 +0200 [thread overview] Message-ID: <1597762711-3550-3-git-send-email-pmorel@linux.ibm.com> (raw) In-Reply-To: <1597762711-3550-1-git-send-email-pmorel@linux.ibm.com> If protected virtualization is active on s390, the virtio queues are not accessible to the host, unless VIRTIO_F_IOMMU_PLATFORM has been negotiated. Define CONFIG_ARCH_HAS_RESTRICTED_MEMORY_ACCESS and export arch_has_restricted_memory_access to fail probe if that's not the case, preventing a host error on access attempt. Signed-off-by: Pierre Morel <pmorel@linux.ibm.com> --- arch/s390/Kconfig | 1 + arch/s390/mm/init.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 9cfd8de907cb..d4a3ef4fa27b 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -820,6 +820,7 @@ menu "Virtualization" config PROTECTED_VIRTUALIZATION_GUEST def_bool n prompt "Protected virtualization guest support" + select ARCH_HAS_RESTRICTED_MEMORY_ACCESS help Select this option, if you want to be able to run this kernel as a protected virtualization KVM guest. diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c index 6dc7c3b60ef6..aec04d7dd089 100644 --- a/arch/s390/mm/init.c +++ b/arch/s390/mm/init.c @@ -45,6 +45,7 @@ #include <asm/kasan.h> #include <asm/dma-mapping.h> #include <asm/uv.h> +#include <linux/virtio_config.h> pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); 
@@ -161,6 +162,35 @@ bool force_dma_unencrypted(struct device *dev) return is_prot_virt_guest(); } +#ifdef CONFIG_ARCH_HAS_RESTRICTED_MEMORY_ACCESS +/* + * arch_has_restricted_memory_access + * @dev: the VIRTIO device being added + * + * Return an error if required features are missing on a guest running + * with protected virtualization. + */ +int arch_has_restricted_memory_access(struct virtio_device *dev) +{ + if (!is_prot_virt_guest()) + return 0; + + if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) { + dev_warn(&dev->dev, "device must provide VIRTIO_F_VERSION_1\n"); + return -ENODEV; + } + + if (!virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) { + dev_warn(&dev->dev, + "device must provide VIRTIO_F_IOMMU_PLATFORM\n"); + return -ENODEV; + } + + return 0; +} +EXPORT_SYMBOL(arch_has_restricted_memory_access); +#endif + /* protected virtualization */ static void pv_init(void) { -- 2.25.1
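Review bot: In the arch/s390/Kconfig hunk, the commit message says the patch will "Define CONFIG_ARCH_HAS_RESTRICTED_MEMORY_ACCESS", but the only change is `select ARCH_HAS_RESTRICTED_MEMORY_ACCESS` under PROTECTED_VIRTUALIZATION_GUEST; no `config ARCH_HAS_RESTRICTED_MEMORY_ACCESS` entry appears in this patch. Please reword the message to say the symbol is selected here and name the patch in the series that defines it, so the dependency is clear when this commit is read on its own.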
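Review bot: In the first arch/s390/mm/init.c hunk, `#include <linux/virtio_config.h>` is appended after the `<asm/...>` headers and is unconditional, although its only user in this patch sits under `#ifdef CONFIG_ARCH_HAS_RESTRICTED_MEMORY_ACCESS`. Consider placing it ahead of the `<asm/...>` block, following the usual include order, and add a word in the commit message on why arch mm code now needs a virtio header.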
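Review bot: In the second arch/s390/mm/init.c hunk, `arch_has_restricted_memory_access()` is named like a yes/no predicate but returns 0 on success and -ENODEV on failure, so a caller writing `if (arch_has_restricted_memory_access(dev))` reads as the opposite of what it does. Either return bool, or keep the int and rename the function after what it does, which is validating the device's features for a protected guest. The header comment would also be better as a kernel-doc block (`/**` with a `Return:` line spelling out 0 and -ENODEV). Finally, the commit message speaks of VIRTIO_F_IOMMU_PLATFORM having "been negotiated" while the warnings say "device must provide"; pick one wording so it is clear which feature set `virtio_has_feature()` is expected to reflect when this is called.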