From: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
To: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org
Cc: freude@de.ibm.com, schwidefsky@de.ibm.com,
heiko.carstens@de.ibm.com, borntraeger@de.ibm.com,
cohuck@redhat.com, kwankhede@nvidia.com,
bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com,
alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com,
alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com,
jjherne@linux.vnet.ibm.com, thuth@redhat.com,
pasic@linux.vnet.ibm.com, berrange@redhat.com,
fiuczy@linux.vnet.ibm.com, buendgen@de.ibm.com,
akrowiak@linux.vnet.ibm.com, frankja@linux.ibm.com,
Tony Krowiak <akrowiak@linux.ibm.com>
Subject: [PATCH v11 24/26] KVM: s390: device attrs to enable/disable AP interpretation
Date: Tue, 25 Sep 2018 19:16:39 -0400 [thread overview]
Message-ID: <20180925231641.4954-25-akrowiak@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180925231641.4954-1-akrowiak@linux.vnet.ibm.com>
From: Tony Krowiak <akrowiak@linux.ibm.com>
Introduces two new VM crypto device attributes (KVM_S390_VM_CRYPTO)
to enable or disable AP instruction interpretation from userspace
via the KVM_SET_DEVICE_ATTR ioctl:
* The KVM_S390_VM_CRYPTO_ENABLE_APIE attribute enables hardware
interpretation of AP instructions executed on the guest.
* The KVM_S390_VM_CRYPTO_DISABLE_APIE attribute disables hardware
interpretation of AP instructions executed on the guest. In this
case the instructions will be intercepted and pass through to
the guest.
Signed-off-by: Tony Krowiak <akrowiak@linux.ibm.com>
---
arch/s390/include/uapi/asm/kvm.h | 2 ++
arch/s390/kvm/kvm-s390.c | 31 ++++++++++++++++++++++++++++---
2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/arch/s390/include/uapi/asm/kvm.h b/arch/s390/include/uapi/asm/kvm.h
index 9a50f02b9894..16511d97e8dc 100644
--- a/arch/s390/include/uapi/asm/kvm.h
+++ b/arch/s390/include/uapi/asm/kvm.h
@@ -160,6 +160,8 @@ struct kvm_s390_vm_cpu_subfunc {
#define KVM_S390_VM_CRYPTO_ENABLE_DEA_KW 1
#define KVM_S390_VM_CRYPTO_DISABLE_AES_KW 2
#define KVM_S390_VM_CRYPTO_DISABLE_DEA_KW 3
+#define KVM_S390_VM_CRYPTO_ENABLE_APIE 4
+#define KVM_S390_VM_CRYPTO_DISABLE_APIE 5
/* kvm attributes for migration mode */
#define KVM_S390_VM_MIGRATION_STOP 0
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index c94ef2d0dbe4..81fd82f7626d 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -856,12 +856,11 @@ void kvm_s390_vcpu_crypto_reset_all(struct kvm *kvm)
static int kvm_s390_vm_set_crypto(struct kvm *kvm, struct kvm_device_attr *attr)
{
- if (!test_kvm_facility(kvm, 76))
- return -EINVAL;
-
mutex_lock(&kvm->lock);
switch (attr->attr) {
case KVM_S390_VM_CRYPTO_ENABLE_AES_KW:
+ if (!test_kvm_facility(kvm, 76))
+ return -EINVAL;
get_random_bytes(
kvm->arch.crypto.crycb->aes_wrapping_key_mask,
sizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask));
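Review bot: The facility-76 check added under `case KVM_S390_VM_CRYPTO_ENABLE_AES_KW:` returns -EINVAL after `mutex_lock(&kvm->lock)` has been taken, so kvm->lock is never released on that path. The same early return is added in the ENABLE_DEA_KW, DISABLE_AES_KW and DISABLE_DEA_KW cases in the following hunks. On a host without facility 76, a single KVM_SET_DEVICE_ATTR call from userspace would leave the VM's lock held and block every later path that takes it. Each check should drop the lock first, as the new APIE cases and the `default:` branch do: `if (!test_kvm_facility(kvm, 76)) { mutex_unlock(&kvm->lock); return -EINVAL; }`. The body of kvm_s390_vm_set_crypto continues outside this hunk.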
@@ -869,6 +868,8 @@ static int kvm_s390_vm_set_crypto(struct kvm *kvm, struct kvm_device_attr *attr)
VM_EVENT(kvm, 3, "%s", "ENABLE: AES keywrapping support");
break;
case KVM_S390_VM_CRYPTO_ENABLE_DEA_KW:
+ if (!test_kvm_facility(kvm, 76))
+ return -EINVAL;
get_random_bytes(
kvm->arch.crypto.crycb->dea_wrapping_key_mask,
sizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask));
@@ -876,17 +877,35 @@ static int kvm_s390_vm_set_crypto(struct kvm *kvm, struct kvm_device_attr *attr)
VM_EVENT(kvm, 3, "%s", "ENABLE: DEA keywrapping support");
break;
case KVM_S390_VM_CRYPTO_DISABLE_AES_KW:
+ if (!test_kvm_facility(kvm, 76))
+ return -EINVAL;
kvm->arch.crypto.aes_kw = 0;
memset(kvm->arch.crypto.crycb->aes_wrapping_key_mask, 0,
sizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask));
VM_EVENT(kvm, 3, "%s", "DISABLE: AES keywrapping support");
break;
case KVM_S390_VM_CRYPTO_DISABLE_DEA_KW:
+ if (!test_kvm_facility(kvm, 76))
+ return -EINVAL;
kvm->arch.crypto.dea_kw = 0;
memset(kvm->arch.crypto.crycb->dea_wrapping_key_mask, 0,
sizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask));
VM_EVENT(kvm, 3, "%s", "DISABLE: DEA keywrapping support");
break;
+ case KVM_S390_VM_CRYPTO_ENABLE_APIE:
+ if (!ap_instructions_available()) {
+ mutex_unlock(&kvm->lock);
+ return -EOPNOTSUPP;
+ }
+ kvm->arch.crypto.apie = 1;
+ break;
+ case KVM_S390_VM_CRYPTO_DISABLE_APIE:
+ if (!ap_instructions_available()) {
+ mutex_unlock(&kvm->lock);
+ return -EOPNOTSUPP;
+ }
+ kvm->arch.crypto.apie = 0;
+ break;
default:
mutex_unlock(&kvm->lock);
return -ENXIO;
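Review bot: The two new APIE cases change `kvm->arch.crypto.apie` without a `VM_EVENT`, unlike the four key-wrapping cases above them, so toggling AP interpretation leaves no record where the other crypto attribute changes are logged. Adding `VM_EVENT(kvm, 3, "%s", "ENABLE: AP instruction interpretation");` and the matching `DISABLE:` line would keep that record complete. The code after the switch is outside this hunk, so it cannot be confirmed from here that the new value is propagated to vCPUs that already exist; presumably the tail of kvm_s390_vm_set_crypto handles that.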
@@ -1495,6 +1514,10 @@ static int kvm_s390_vm_has_attr(struct kvm *kvm, struct kvm_device_attr *attr)
case KVM_S390_VM_CRYPTO_DISABLE_DEA_KW:
ret = 0;
break;
+ case KVM_S390_VM_CRYPTO_ENABLE_APIE:
+ case KVM_S390_VM_CRYPTO_DISABLE_APIE:
+ ret = ap_instructions_available() ? 0 : -ENXIO;
+ break;
default:
ret = -ENXIO;
break;
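Review bot: The has_attr path reports `-ENXIO` for the two APIE attributes when `ap_instructions_available()` is false, while kvm_s390_vm_set_crypto in this same patch returns `-EOPNOTSUPP` for the identical condition. Userspace that probes with KVM_HAS_DEVICE_ATTR and then handles the errno from KVM_SET_DEVICE_ATTR sees two different codes for one cause. Returning `-ENXIO` from the set path as well, or stating the difference in a comment next to the new defines in the uapi header, would avoid that. Only the tail of the switch in kvm_s390_vm_has_attr is visible in this hunk.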
@@ -2062,6 +2085,7 @@ static u64 kvm_s390_get_initial_cpuid(void)
static void kvm_s390_crypto_init(struct kvm *kvm)
{
kvm->arch.crypto.crycb = &kvm->arch.sie_page2->crycb;
+ kvm->arch.crypto.apie = 0;
kvm_s390_set_crycb_format(kvm);
if (!test_kvm_facility(kvm, 76))
@@ -2601,6 +2625,7 @@ static void kvm_s390_vcpu_crypto_setup(struct kvm_vcpu *vcpu)
vcpu->arch.sie_block->crycbd = vcpu->kvm->arch.crypto.crycbd;
vcpu->arch.sie_block->ecb3 &= ~(ECB3_AES | ECB3_DEA);
+ vcpu->arch.sie_block->eca &= ~ECA_APIE;
if (vcpu->kvm->arch.crypto.apie)
vcpu->arch.sie_block->eca |= ECA_APIE;
--
2.19.0.221.g150f307