From: Janosch Frank <frankja@linux.ibm.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: thuth@redhat.com, Boris Fiuczynski <fiuczy@linux.ibm.com>,
pmorel@linux.ibm.com, david@redhat.com, cohuck@redhat.com,
qemu-devel@nongnu.org, borntraeger@de.ibm.com,
qemu-s390x@nongnu.org, mihajlov@linux.ibm.com
Subject: Re: [PATCH 00/15] s390x: Protected Virtualization support
Date: Fri, 29 Nov 2019 15:02:41 +0100 [thread overview]
Message-ID: <c2c4b71b-d42e-3487-01d8-ae4f5751748b@linux.ibm.com> (raw)
In-Reply-To: <20191129123524.GI2260471@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 4168 bytes --]
On 11/29/19 1:35 PM, Daniel P. Berrangé wrote:
> On Fri, Nov 29, 2019 at 01:14:27PM +0100, Janosch Frank wrote:
>> On 11/29/19 12:08 PM, Daniel P. Berrangé wrote:
>>> On Wed, Nov 20, 2019 at 06:43:19AM -0500, Janosch Frank wrote:
>>>> Most of the QEMU changes for PV are related to the new IPL type with
>>>> subcodes 8 - 10 and the execution of the necessary Ultravisor calls to
>>>> IPL secure guests. Note that we can only boot into secure mode from
>>>> normal mode, i.e. stfle 161 is not active in secure mode.
>>>>
>>>> The other changes related to data gathering for emulation and
>>>> disabling addressing checks in secure mode, as well as CPU resets.
>>>>
>>>> While working on this I sprinkled in some cleanups, as we sometimes
>>>> significantly increase line count of some functions and they got
>>>> unreadable.
>>>
>>> Can you give some guidance on how management applications including
>>> libvirt & layers above (oVirt, OpenStack, etc) would/should use this
>>> feature ? What new command line / monitor calls are needed, and
>>> what feature restrictions are there on its use ?
>>
>> management applications generally do not need to know about this
>> feature. Most of the magic is in the guest image, which boots up in a
>> certain way to become a protected machine.
>>
>> The requirements for that to happen are:
>> * Machine/firmware support
>> * KVM & QEMU support
>> * IO only with iommu
>> * Guest needs to use IO bounce buffers
>> * A kernel image or a kernel on a disk that was prepared with special
>> tooling
>
> If the user has a guest image that's expecting to run in protected
> machine mode, presumably this will fail to boot if run on a host
> which doesn't support this feature ?
Yes, the guest will lack stfle facility 161 and KVM will report a
specification exception on the diagnose subcode 8 - 10.
>
> As a mgmt app I think there will be a need to be able to determine
> whether a host + QEMU combo is actually able to support protected
> machines. If the mgmt app is given an image and the users says it
> required protected mode, then the mgmt app needs to know which
> host(s) are able to run it.
>
> Doing version number checks is not particularly desirable, so is
> there a way libvirt can determine if QEMU + host in general supports
> protected machines, so that we can report this feature to mgmt apps ?
I thought that would be visible via the cpu model by checking for the
unpack facility (161)?
Time for somebody else to explain that.
@Viktor @Boris: This one's for you.
>
>
> If a guest has booted & activated protected mode is there any way
> for libvirt to query that status ? This would allow the mgmt app
> to know that the guest is not going to be migratable thereafter.
Currently not
>
> Is there any way to prevent a guest from using protected mode even
> if QEMU supports it ? eg the mgmt app may want to be able to
> guarantee that all VMs are migratable, so don't want a guest OS
> secretly activating protected mode which blocks migration.
Not enabling facility 161 is enough.
>
>> Such VMs are started like any other VM and run a short "normal" stub
>> that will prepare some things and then requests to be protected.
>>
>> Most of the restrictions are memory related and might be lifted in the
>> future:
>> * No paging
>> * No migration
>
> Presumably QEMU is going to set a migration blocker when a guest
> activates protected mode ?
Well, that's stuff I still need to figure out :)
>
>> * No huge page backings
>> * No collaborative memory management
>
>> There are no monitor changes or cmd additions currently.
>> We're trying to insert protected VMs into the normal VM flow as much as
>> possible. You can even do a memory dump without any segfault or
>> protection exception for QEMU, however the guest's memory content will
>> be unreadable because it's encrypted.
>
> Is there any way to securely acquire a key needed to interpret this,
> or is the memory dump completely useless ?
It's part of the design, but not yet implemented.
>
> Regards,
> Daniel
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2019-11-29 14:37 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-20 11:43 [PATCH 00/15] s390x: Protected Virtualization support Janosch Frank
2019-11-20 11:43 ` [PATCH 01/15] s390x: Cleanup cpu resets Janosch Frank
2019-11-21 11:10 ` Cornelia Huck
2019-11-21 11:32 ` Janosch Frank
2019-11-21 12:18 ` Cornelia Huck
2019-11-21 12:53 ` Thomas Huth
2019-11-21 13:11 ` Janosch Frank
2019-11-21 13:17 ` Thomas Huth
2019-11-20 11:43 ` [PATCH 02/15] s390x: Beautify diag308 handling Janosch Frank
2019-11-21 11:17 ` Cornelia Huck
2019-11-21 11:27 ` Janosch Frank
2019-11-21 11:21 ` David Hildenbrand
2019-11-21 11:28 ` Janosch Frank
2019-11-21 13:12 ` Thomas Huth
2019-11-21 13:20 ` Thomas Huth
2019-11-21 13:53 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 03/15] s390x: protvirt: Add diag308 subcodes 8 - 10 Janosch Frank
2019-11-21 12:47 ` Cornelia Huck
2019-11-21 14:36 ` Thomas Huth
2020-02-07 7:56 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 04/15] Header sync protvirt Janosch Frank
2019-11-21 12:59 ` Cornelia Huck
2019-11-21 13:12 ` Janosch Frank
2019-11-21 13:17 ` Cornelia Huck
2019-11-20 11:43 ` [PATCH 05/15] s390x: protvirt: Sync PV state Janosch Frank
2019-11-21 13:25 ` Cornelia Huck
2019-11-21 13:43 ` Janosch Frank
2019-11-21 14:43 ` Thomas Huth
2019-11-20 11:43 ` [PATCH 06/15] s390x: protvirt: Support unpack facility Janosch Frank
2019-11-20 13:43 ` Cornelia Huck
2019-11-21 11:33 ` Janosch Frank
2019-11-21 11:27 ` David Hildenbrand
2019-11-21 14:25 ` Janosch Frank
2019-11-21 14:28 ` David Hildenbrand
2019-11-21 14:31 ` Christian Borntraeger
2019-11-21 14:32 ` Janosch Frank
2019-11-22 13:39 ` Cornelia Huck
2019-11-22 13:49 ` Janosch Frank
2019-11-28 14:07 ` Thomas Huth
2019-11-28 14:20 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 07/15] s390x: protvirt: Handle diag 308 subcodes 0,1,3,4 Janosch Frank
2019-11-21 13:50 ` Cornelia Huck
2019-11-21 14:00 ` Janosch Frank
2019-11-21 14:04 ` Janosch Frank
2019-11-21 14:17 ` Cornelia Huck
2019-11-21 14:23 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 08/15] s390x: protvirt: KVM intercept changes Janosch Frank
2019-11-21 14:07 ` Cornelia Huck
2019-11-21 14:29 ` Janosch Frank
2019-11-21 15:11 ` Thomas Huth
2019-11-28 16:38 ` Janosch Frank
2019-11-28 16:45 ` Cornelia Huck
2019-11-28 16:54 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 09/15] s390x: protvirt: SCLP interpretation Janosch Frank
2019-11-21 14:11 ` Cornelia Huck
2019-11-21 14:24 ` Janosch Frank
2019-11-22 13:48 ` Pierre Morel
2019-11-20 11:43 ` [PATCH 10/15] s390x: protvirt: Add new VCPU reset functions Janosch Frank
2019-11-20 11:43 ` [PATCH 11/15] RFC: s390x: Exit on vcpu reset error Janosch Frank
2019-11-21 12:14 ` David Hildenbrand
2019-11-21 12:19 ` Janosch Frank
2019-11-21 12:22 ` David Hildenbrand
2019-11-20 11:43 ` [PATCH 12/15] s390x: protvirt: Set guest IPL PSW Janosch Frank
2019-11-28 14:30 ` Thomas Huth
2019-11-28 15:39 ` Janosch Frank
2019-11-20 11:43 ` [PATCH 13/15] s390x: protvirt: Move diag 308 data over SIDAD Janosch Frank
2019-11-28 14:40 ` Thomas Huth
2019-11-28 16:08 ` Janosch Frank
2019-11-28 16:14 ` David Hildenbrand
2019-11-20 11:43 ` [PATCH 14/15] s390x: protvirt: Disable address checks for PV guest IO emulation Janosch Frank
2019-11-28 15:28 ` Thomas Huth
2019-11-28 15:36 ` Janosch Frank
2019-11-28 16:10 ` Janosch Frank
2019-11-28 16:18 ` Cornelia Huck
2019-11-28 16:24 ` Janosch Frank
2019-11-28 20:08 ` Thomas Huth
2019-11-20 11:43 ` [PATCH 15/15] s390x: protvirt: Handle SIGP store status correctly Janosch Frank
2019-11-21 11:24 ` David Hildenbrand
2019-11-21 11:29 ` Janosch Frank
2019-11-28 15:30 ` Thomas Huth
2019-11-20 13:26 ` [PATCH 00/15] s390x: Protected Virtualization support Cornelia Huck
2019-11-20 13:33 ` Janosch Frank
2019-11-21 9:13 ` Janosch Frank
2019-11-21 9:39 ` Cornelia Huck
2019-11-29 11:08 ` Daniel P. Berrangé
2019-11-29 12:14 ` Janosch Frank
2019-11-29 12:35 ` Daniel P. Berrangé
2019-11-29 14:02 ` Janosch Frank [this message]
2019-11-29 14:30 ` Viktor Mihajlovski
2019-12-03 10:49 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c2c4b71b-d42e-3487-01d8-ae4f5751748b@linux.ibm.com \
--to=frankja@linux.ibm.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=fiuczy@linux.ibm.com \
--cc=mihajlov@linux.ibm.com \
--cc=pmorel@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).