From: Christian Borntraeger <borntraeger@de.ibm.com>
To: David Gibson <david@gibson.dropbear.id.au>,
dgilbert@redhat.com, pair@us.ibm.com, qemu-devel@nongnu.org,
brijesh.singh@amd.com, pasic@linux.ibm.com
Cc: pragyansri.pathi@intel.com, Greg Kurz <groug@kaod.org>,
richard.henderson@linaro.org, berrange@redhat.com,
David Hildenbrand <david@redhat.com>,
mdroth@linux.vnet.ibm.com, kvm@vger.kernel.org,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
pbonzini@redhat.com, mtosatti@redhat.com,
Cornelia Huck <cohuck@redhat.com>,
qemu-ppc@nongnu.org, qemu-s390x@nongnu.org, thuth@redhat.com,
mst@redhat.com, frankja@linux.ibm.com, jun.nakajima@intel.com,
andi.kleen@intel.com, Eduardo Habkost <ehabkost@redhat.com>
Subject: Re: [PATCH v8 13/13] s390: Recognize confidential-guest-support option
Date: Wed, 3 Feb 2021 10:05:22 +0100 [thread overview]
Message-ID: <1c9b65d6-b73f-3fde-7b76-f2d7b6e6d175@de.ibm.com> (raw)
In-Reply-To: <20210202041315.196530-14-david@gibson.dropbear.id.au>
On 02.02.21 05:13, David Gibson wrote:
> At least some s390 cpu models support "Protected Virtualization" (PV),
> a mechanism to protect guests from eavesdropping by a compromised
> hypervisor.
>
> This is similar in function to other mechanisms like AMD's SEV and
> POWER's PEF, which are controlled by the "confidential-guest-support"
> machine option. s390 is a slightly special case, because we already
> supported PV, simply by using a CPU model with the required feature
> (S390_FEAT_UNPACK).
>
> To integrate this with the option used by other platforms, we
> implement the following compromise:
>
> - When the confidential-guest-support option is set, s390 will
> recognize it, verify that the CPU can support PV (failing if not)
> and set virtio default options necessary for encrypted or protected
> guests, as on other platforms. i.e. if confidential-guest-support
> is set, we will either create a guest capable of entering PV mode,
> or fail outright.
>
> - If confidential-guest-support is not set, guests might still be
> able to enter PV mode, if the CPU has the right model. This may be
> a little surprising, but shouldn't actually be harmful.
>
> To start a guest supporting Protected Virtualization using the new
> option use the command line arguments:
> -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0
>
This version seems to work fine.
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> docs/confidential-guest-support.txt | 3 ++
> docs/system/s390x/protvirt.rst | 19 ++++++---
> hw/s390x/pv.c | 62 +++++++++++++++++++++++++++++
> hw/s390x/s390-virtio-ccw.c | 3 ++
> include/hw/s390x/pv.h | 17 ++++++++
> 5 files changed, 98 insertions(+), 6 deletions(-)
>
> diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt
> index 4da4c91bd3..71d07ba57a 100644
> --- a/docs/confidential-guest-support.txt
> +++ b/docs/confidential-guest-support.txt
> @@ -43,4 +43,7 @@ AMD Secure Encrypted Virtualization (SEV)
> POWER Protected Execution Facility (PEF)
> docs/papr-pef.txt
>
> +s390x Protected Virtualization (PV)
> + docs/system/s390x/protvirt.rst
> +
> Other mechanisms may be supported in future.
> diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst
> index 712974ad87..0f481043d9 100644
> --- a/docs/system/s390x/protvirt.rst
> +++ b/docs/system/s390x/protvirt.rst
> @@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED`
> will indicate that KVM can support PVMs on that LPAR.
>
>
> -QEMU Settings
> --------------
> +Running a Protected Virtual Machine
> +-----------------------------------
>
> -To indicate to the VM that it can transition into protected mode, the
> +To run a PVM you will need to select a CPU model which includes the
> `Unpack facility` (stfle bit 161 represented by the feature
> -`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of
> -the VM.
> +`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line::
> +
> + -object s390-pv-guest,id=pv0 \
> + -machine confidential-guest-support=pv0
> +
> +Adding these options will:
> +
> +* Ensure the `unpack` facility is available
> +* Enable the IOMMU by default for all I/O devices
> +* Initialize the PV mechanism
>
> -All I/O devices need to use the IOMMU.
> Passthrough (vfio) devices are currently not supported.
>
> Host huge page backings are not supported. However guests can use huge
> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
> index ab3a2482aa..93eccfc05d 100644
> --- a/hw/s390x/pv.c
> +++ b/hw/s390x/pv.c
> @@ -14,8 +14,11 @@
> #include <linux/kvm.h>
>
> #include "cpu.h"
> +#include "qapi/error.h"
> #include "qemu/error-report.h"
> #include "sysemu/kvm.h"
> +#include "qom/object_interfaces.h"
> +#include "exec/confidential-guest-support.h"
> #include "hw/s390x/ipl.h"
> #include "hw/s390x/pv.h"
>
> @@ -111,3 +114,62 @@ void s390_pv_inject_reset_error(CPUState *cs)
> /* Report that we are unable to enter protected mode */
> env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
> }
> +
> +#define TYPE_S390_PV_GUEST "s390-pv-guest"
> +OBJECT_DECLARE_SIMPLE_TYPE(S390PVGuest, S390_PV_GUEST)
> +
> +/**
> + * S390PVGuest:
> + *
> + * The S390PVGuest object is basically a dummy used to tell the
> + * confidential guest support system to use s390's PV mechanism.
> + *
> + * # $QEMU \
> + * -object s390-pv-guest,id=pv0 \
> + * -machine ...,confidential-guest-support=pv0
> + */
> +struct S390PVGuest {
> + ConfidentialGuestSupport parent_obj;
> +};
> +
> +typedef struct S390PVGuestClass S390PVGuestClass;
> +
> +struct S390PVGuestClass {
> + ConfidentialGuestSupportClass parent_class;
> +};
> +
> +int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
> +{
> + if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
> + return 0;
> + }
> +
> + if (!s390_has_feat(S390_FEAT_UNPACK)) {
> + error_setg(errp,
> + "CPU model does not support Protected Virtualization");
> + return -1;
> + }
> +
> + cgs->ready = true;
> +
> + return 0;
> +}
> +
> +OBJECT_DEFINE_TYPE_WITH_INTERFACES(S390PVGuest,
> + s390_pv_guest,
> + S390_PV_GUEST,
> + CONFIDENTIAL_GUEST_SUPPORT,
> + { TYPE_USER_CREATABLE },
> + { NULL })
> +
> +static void s390_pv_guest_class_init(ObjectClass *oc, void *data)
> +{
> +}
> +
> +static void s390_pv_guest_init(Object *obj)
> +{
> +}
> +
> +static void s390_pv_guest_finalize(Object *obj)
> +{
> +}
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index a2d9a79c84..2972b607f3 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -250,6 +250,9 @@ static void ccw_init(MachineState *machine)
> /* init CPUs (incl. CPU model) early so s390_has_feature() works */
> s390_init_cpus(machine);
>
> + /* Need CPU model to be determined before we can set up PV */
> + s390_pv_init(machine->cgs, &error_fatal);
> +
> s390_flic_init();
>
> /* init the SIGP facility */
> diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
> index aee758bc2d..1f1f545bfc 100644
> --- a/include/hw/s390x/pv.h
> +++ b/include/hw/s390x/pv.h
> @@ -12,6 +12,9 @@
> #ifndef HW_S390_PV_H
> #define HW_S390_PV_H
>
> +#include "qapi/error.h"
> +#include "sysemu/kvm.h"
> +
> #ifdef CONFIG_KVM
> #include "cpu.h"
> #include "hw/s390x/s390-virtio-ccw.h"
> @@ -55,4 +58,18 @@ static inline void s390_pv_unshare(void) {}
> static inline void s390_pv_inject_reset_error(CPUState *cs) {};
> #endif /* CONFIG_KVM */
>
> +int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp);
> +static inline int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp)
> +{
> + if (!cgs) {
> + return 0;
> + }
> + if (kvm_enabled()) {
> + return s390_pv_kvm_init(cgs, errp);
> + }
> +
> + error_setg(errp, "Protected Virtualization requires KVM");
> + return -1;
> +}
> +
> #endif /* HW_S390_PV_H */
>
prev parent reply other threads:[~2021-02-03 9:06 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 4:13 [PATCH v8 00/13] Generalize memory encryption models David Gibson
2021-02-02 4:13 ` [PATCH v8 01/13] qom: Allow optional sugar props David Gibson
2021-02-02 4:13 ` [PATCH v8 02/13] confidential guest support: Introduce new confidential guest support class David Gibson
2021-02-02 4:13 ` [PATCH v8 03/13] sev: Remove false abstraction of flash encryption David Gibson
2021-02-02 4:13 ` [PATCH v8 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson
2021-02-02 4:13 ` [PATCH v8 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson
2021-02-02 4:13 ` [PATCH v8 06/13] sev: Add Error ** to sev_kvm_init() David Gibson
2021-02-02 4:13 ` [PATCH v8 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson
2021-02-03 10:42 ` Dr. David Alan Gilbert
2021-02-03 16:15 ` Greg Kurz
2021-02-04 2:45 ` David Gibson
2021-02-10 16:25 ` Venu Busireddy
2021-02-11 23:48 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson
2021-02-03 16:19 ` Greg Kurz
2021-02-02 4:13 ` [PATCH v8 09/13] confidential guest support: Update documentation David Gibson
2021-02-02 4:13 ` [PATCH v8 10/13] spapr: Add PEF based confidential guest support David Gibson
2021-02-03 17:50 ` Greg Kurz
2021-02-04 2:47 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 11/13] spapr: PEF: prevent migration David Gibson
2021-02-02 4:13 ` [PATCH v8 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson
2021-02-02 23:06 ` Michael S. Tsirkin
2021-02-03 4:53 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 13/13] s390: Recognize confidential-guest-support option David Gibson
2021-02-03 9:05 ` Christian Borntraeger [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1c9b65d6-b73f-3fde-7b76-f2d7b6e6d175@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=andi.kleen@intel.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=groug@kaod.org \
--cc=jun.nakajima@intel.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=pragyansri.pathi@intel.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).