On 11/28/19 3:07 PM, Thomas Huth wrote: > On 20/11/2019 12.43, Janosch Frank wrote: >> When a guest has saved a ipib of type 5 and call diagnose308 with >> subcode 10, we have to setup the protected processing environment via >> Ultravisor calls. The calls are done by KVM and are exposed via an API. >> >> The following steps are necessary: >> 1. Create a VM (register it with the Ultravisor) >> 2. Create secure CPUs for all of our current cpus >> 3. Forward the secure header to the Ultravisor (has all information on >> how to decrypt the image and VM information) >> 4. Protect image pages from the host and decrypt them >> 5. Verify the image integrity >> >> Only after step 5 a protected VM is allowed to run. >> >> Signed-off-by: Janosch Frank >> --- > [...] >> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >> index a077926f36..50501fcd27 100644 >> --- a/hw/s390x/ipl.c >> +++ b/hw/s390x/ipl.c >> @@ -33,6 +33,7 @@ >> #include "qemu/cutils.h" >> #include "qemu/option.h" >> #include "exec/exec-all.h" >> +#include "pv.h" >> >> #define KERN_IMAGE_START 0x010000UL >> #define LINUX_MAGIC_ADDR 0x010008UL >> @@ -668,6 +669,38 @@ static void s390_ipl_prepare_qipl(S390CPU *cpu) >> cpu_physical_memory_unmap(addr, len, 1, len); >> } >> >> +int s390_ipl_prepare_pv_header(void) >> +{ >> + int rc; >> + IplParameterBlock *iplb = s390_ipl_get_iplb_secure(); >> + IPLBlockPV *ipib_pv = &iplb->pv; >> + void *hdr = g_malloc(ipib_pv->pv_header_len); >> + >> + cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr, >> + ipib_pv->pv_header_len); >> + rc = s390_pv_set_sec_parms((uint64_t)hdr, >> + ipib_pv->pv_header_len); >> + g_free(hdr); >> + return rc; >> +} >> + >> +int s390_ipl_pv_unpack(void) >> +{ >> + int i, rc; >> + IplParameterBlock *iplb = s390_ipl_get_iplb_secure(); >> + IPLBlockPV *ipib_pv = &iplb->pv; >> + >> + for (i = 0; i < ipib_pv->num_comp; i++) { >> + rc = s390_pv_unpack(ipib_pv->components[i].addr, >> + TARGET_PAGE_ALIGN(ipib_pv->components[i].size), >> + ipib_pv->components[i].tweak_pref); >> + if (rc) { >> + return rc; >> + } >> + } >> + return rc; >> +} > > For both functions, s390_ipl_prepare_pv_header() and > s390_ipl_pv_unpack(), you're ignoring the return code at the calling > site, so errors go completely unnoticed. I suggest to either do an > error_report() here or at the calling site... > >> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c >> new file mode 100644 >> index 0000000000..0218070322 >> --- /dev/null >> +++ b/hw/s390x/pv.c >> @@ -0,0 +1,118 @@ >> +/* >> + * Secure execution functions >> + * >> + * Copyright IBM Corp. 2019 >> + * Author(s): >> + * Janosch Frank >> + * >> + * This work is licensed under the terms of the GNU GPL, version 2 or (at >> + * your option) any later version. See the COPYING file in the top-level >> + * directory. >> + */ >> +#include "qemu/osdep.h" >> +#include >> + >> +#include >> + >> +#include "qemu/error-report.h" >> +#include "sysemu/kvm.h" >> +#include "pv.h" >> + >> +static int s390_pv_cmd(uint32_t cmd, void *data) >> +{ >> + int rc; >> + struct kvm_pv_cmd pv_cmd = { >> + .cmd = cmd, >> + .data = (uint64_t)data, >> + }; >> + >> + rc = kvm_vm_ioctl(kvm_state, KVM_S390_PV_COMMAND, &pv_cmd); >> + if (rc) { >> + error_report("KVM PV command failed cmd: %d rc: %d", cmd, rc); >> + exit(1); >> + } >> + return rc; >> +} >> + >> +static int s390_pv_cmd_vcpu(CPUState *cs, uint32_t cmd, void *data) >> +{ >> + int rc; >> + struct kvm_pv_cmd pv_cmd = { >> + .cmd = cmd, >> + .data = (uint64_t)data, >> + }; >> + >> + rc = kvm_vcpu_ioctl(cs, KVM_S390_PV_COMMAND_VCPU, &pv_cmd); >> + if (rc) { >> + error_report("KVM PV VCPU command failed cmd: %d rc: %d", cmd, rc); >> + exit(1); >> + } >> + return rc; >> +} > > ... or even better, since these functions exit on error anyway, make > these functions and all the others "void" instead? > > Thomas > You're not the first stating this idea :-) We might get a return code for diag308 that signals that we failed to start the secure guest and then I might need them again. If we don't get a rc, I'll definitely make all functions void, if we do I'll make nearly all void:)