From: Pierre Morel <pmorel@linux.ibm.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>,
Tony Krowiak <akrowiak@linux.ibm.com>
Cc: alex.williamson@redhat.com, cohuck@redhat.com,
linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
kvm@vger.kernel.org, frankja@linux.ibm.com, pasic@linux.ibm.com,
david@redhat.com, schwidefsky@de.ibm.com,
heiko.carstens@de.ibm.com, freude@linux.ibm.com,
mimu@linux.ibm.com
Subject: Re: [PATCH v4 1/7] s390: ap: kvm: add PQAP interception for AQIC
Date: Thu, 28 Feb 2019 14:23:33 +0100
Message-ID: <2d52b709-05dd-fa60-658a-36b827cf3041@linux.ibm.com>
In-Reply-To: <6058a017-6404-af3c-62ef-2452214ac97c@de.ibm.com>
On 28/02/2019 10:42, Christian Borntraeger wrote:
>
>
> On 27.02.2019 19:00, Tony Krowiak wrote:
>> On 2/27/19 3:09 AM, Pierre Morel wrote:
>>> On 26/02/2019 16:47, Tony Krowiak wrote:
>>>> On 2/26/19 6:47 AM, Pierre Morel wrote:
>>>>> On 25/02/2019 19:36, Tony Krowiak wrote:
>>>>>> On 2/22/19 10:29 AM, Pierre Morel wrote:
>>>>>>> We prepare the interception of the PQAP/AQIC instruction for
>>>>>>> the case the AQIC facility is enabled in the guest.
>>>>>>>
>>>>>>> We add a callback inside the KVM arch structure for s390 for
>>>>>>> a VFIO driver to handle a specific response to the PQAP
>>>>>>> instruction with the AQIC command.
>>>>>>>
>>>>>>> We inject the correct exceptions from inside KVM for the case the
>>>>>>> callback is not initialized, which happens when the vfio_ap driver
>>>>>>> is not loaded.
>>>>>>>
>>>>>>> If the callback has been setup we call it.
>>>>>>> If not we setup an answer considering that no queue is available
>>>>>>> for the guest when no callback has been setup.
>>>>>>>
>>>>>>> We do consider the responsibility of the driver to always initialize
>>>>>>> the PQAP callback if it defines queues by initializing the CRYCB for
>>>>>>> a guest.
>>>>>>>
>>>>>>> Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
>>>>>
>>>>> ...snip...
>>>>>
>>>>>>> @@ -592,6 +593,55 @@ static int handle_io_inst(struct kvm_vcpu *vcpu)
>>>>>>> }
>>>>>>> }
>>>>>>> +/*
>>>>>>> + * handle_pqap: Handling pqap interception
>>>>>>> + * @vcpu: the vcpu having issue the pqap instruction
>>>>>>> + *
>>>>>>> + * We now support PQAP/AQIC instructions and we need to correctly
>>>>>>> + * answer the guest even if no dedicated driver's hook is available.
>>>>>>> + *
>>>>>>> + * The intercepting code calls a dedicated callback for this instruction
>>>>>>> + * if a driver did register one in the CRYPTO satellite of the
>>>>>>> + * SIE block.
>>>>>>> + *
>>>>>>> + * For PQAP/AQIC instructions only, verify privilege and specifications.
>>>>>>> + *
>>>>>>> + * If no callback available, the queues are not available, return this to
>>>>>>> + * the caller.
>>>>>>> + * Else return the value returned by the callback.
>>>>>>> + */
>>>>>>> +static int handle_pqap(struct kvm_vcpu *vcpu)
>>>>>>> +{
>>>>>>> + uint8_t fc;
>>>>>>> + struct ap_queue_status status = {};
>>>>>>> +
>>>>>>> + /* Verify that the AP instruction are available */
>>>>>>> + if (!ap_instructions_available())
>>>>>>> + return -EOPNOTSUPP;
>>>>>>
>>>>>> How can the guest even execute an AP instruction if the AP instructions
>>>>>> are not available? If the AP instructions are not available on the host,
>>>>>> they will not be available on the guest (i.e., CPU model feature
>>>>>> S390_FEAT_AP will not be set). I suppose it doesn't hurt to check this
>>>>>> here given QEMU may not be the only client.
>>>>>>
>>>>>>> + /* Verify that the guest is allowed to use AP instructions */
>>>>>>> + if (!(vcpu->arch.sie_block->eca & ECA_APIE))
>>>>>>> + return -EOPNOTSUPP;
>>>>>>> + /* Verify that the function code is AQIC */
>>>>>>> + fc = vcpu->run->s.regs.gprs[0] >> 24;
>>>>>>> + if (fc != 0x03)
>>>>>>> + return -EOPNOTSUPP;
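Review bot: the function-code extraction `fc = vcpu->run->s.regs.gprs[0] >> 24;` relies on the implicit truncation to `uint8_t` to isolate bits 32-39 of the 64-bit GR0; an explicit `(gprs[0] >> 24) & 0xff` would make that intent visible and survive a later change of `fc`'s type. The three early exits also all return -EOPNOTSUPP, which hands the instruction back to userspace whether ECA_APIE is off (userspace is expected to emulate) or the guest issued PQAP with an unexpected function code while interpretation is enabled; the header comment promises privilege and specification checks for PQAP/AQIC, so it would be clearer to distinguish "pass to userspace" from "malformed instruction" here, or to point at where those checks live.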
>>>>>>
>>>>>> You must have missed my suggestion to move this to the
>>>>>> vcpu->kvm->arch.crypto.pqap_hook(vcpu) in the following responses:
>>>>>
>>>>> Please consider what happens if the vfio_ap module is not loaded.
>>>>
>>>> I have considered it and even verified my expectations empirically. If
>>>> the vfio_ap module is not loaded, you will not be able to create an mdev device.
>>>
>>> OK, now please consider that another userland tool, not QEMU uses KVM.
>>
>> What does that have to do with loading the vfio_ap module? Without the
>> vfio_ap module, there will be no AP devices for the guest. What are you
>> suggesting here?
>>
>>>
>>>> If you don't have an mdev device, you will not be able to
>>>> start a guest with a vfio-ap device. If you start a guest without a
>>>> vfio-ap device, but enable AP instructions for the guest, there will be
>>>> no AP devices attached to the guest. Without any AP devices attached,
>>>> the PQAP(AQIC) instructions will not ever get executed.
>>>
>>> This is not right. The instruction will be executed, eventually, after decoding.
>>
>> Please explain why the PQAP(AQIC) instruction will be executed on a
>> guest without any devices? Point me to the code in the AP bus where
>> PQAP(AQIC) is executed without a queue?
>
> The host must be prepared to handle malicious and broken guests. So if
> a guest does PQAP, we must handle that gracefully (e.g. by injecting an
> exception)
>
>>
>>>
>>>> Even if for some
>>>> unknown reason the PQAP(AQIC) instruction is executed - for some unknown
>>>> reason, it will fail with response code 0x01, AP-queue number not valid.
>>>
>>> No, before accessing the AP-queue the instruction will be decoded and depending on the installed micro-code it will fail with
>>> - OPERATION EXCEPTION if the micro-code is not installed
>>> - PRIVILEGED OPERATION if the instruction is issued from userland (program state)
>>> - SPECIFICATION exception if the instruction does not respect the usage specification
>>>
>>> then it will be interpreted by the microcode and access the queue and only then it will fail with RC 0x01, AP queue not valid.
>>>
>>> In the case of KVM, we intercept the instruction because it is issued by the guest and we set the AQIC facility on to force interception.
>>>
>>> KVM does for us all the decode steps I mention here above, whether or not there is a pqap hook to be called to simulate the AP queue access.
>>>
>>> That done, the AP queue virtualisation can be called, this is done by calling the hook.
>>
>> Okay, let's go back to the genesis of this discussion; namely, my
>> suggestion about moving the fc == 0x03 check into the hook code. If
>> the vfio_ap module is not loaded, there will be no hook code. In that
>> case, the check for the hook will fail and ultimately response code
>> 0x01 will be set in the status word (which may not be the right thing
>> to do?). You have not stated a single good reason for keeping this
>> check, but I'm done with this silly argument. It certainly doesn't
>> hurt anything.
>
> The instruction handler must handle the basic checks for the
> instruction itself as outlined above.
>
> Do we want to allow QEMU to fully emulate everything (the ECA_APIE case being off)?
> Then we should pass along everything to QEMU, but this is already done with the
> ECA_APIE check, correct?
>
> Do we agree that when we are beyond the ECA_APIE check, that we do not emulate
> in QEMU and we have enabled the AP instructions interpretation?
> If yes then this has some implication:
>
> 1. ECA is on and we should only get PQAP interception for specific FC (namely 3).
> 2. What we certainly should check is the facility bit of the guest (65) and reject fc==3
> right away with a specification exception. I do not want the hook to mess with
> the kvm cpu model. @Pierre would be good to actually check test_kvm_facility(vcpu->kvm, 65))
Currently the check test_kvm_facility(vcpu->kvm, 65) is done in the
instruction handler, what do you mean here?
Regards,
Pierre
--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany