From: David Gibson <david@gibson.dropbear.id.au>
To: pasic@linux.ibm.com, brijesh.singh@amd.com, pair@us.ibm.com,
dgilbert@redhat.com, qemu-devel@nongnu.org
Cc: andi.kleen@intel.com, qemu-ppc@nongnu.org,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Marcelo Tosatti" <mtosatti@redhat.com>,
"David Gibson" <david@gibson.dropbear.id.au>,
"Greg Kurz" <groug@kaod.org>,
frankja@linux.ibm.com, thuth@redhat.com,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
mdroth@linux.vnet.ibm.com, richard.henderson@linaro.org,
kvm@vger.kernel.org, "Daniel P. Berrangé" <berrange@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
david@redhat.com, "Cornelia Huck" <cohuck@redhat.com>,
mst@redhat.com, qemu-s390x@nongnu.org,
pragyansri.pathi@intel.com, jun.nakajima@intel.com
Subject: [PATCH v6 13/13] s390: Recognize confidential-guest-support option
Date: Tue, 12 Jan 2021 15:45:08 +1100 [thread overview]
Message-ID: <20210112044508.427338-14-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20210112044508.427338-1-david@gibson.dropbear.id.au>
At least some s390 cpu models support "Protected Virtualization" (PV),
a mechanism to protect guests from eavesdropping by a compromised
hypervisor.
This is similar in function to other mechanisms like AMD's SEV and
POWER's PEF, which are controlled by the "confidential-guest-support"
machine option. s390 is a slightly special case, because we already
supported PV, simply by using a CPU model with the required feature
(S390_FEAT_UNPACK).
To integrate this with the option used by other platforms, we
implement the following compromise:
- When the confidential-guest-support option is set, s390 will
recognize it, verify that the CPU can support PV (failing if not)
and set virtio default options necessary for encrypted or protected
guests, as on other platforms. i.e. if confidential-guest-support
is set, we will either create a guest capable of entering PV mode,
or fail outright.
- If confidential-guest-support is not set, guests might still be
able to enter PV mode, if the CPU has the right model. This may be
a little surprising, but shouldn't actually be harmful.
To start a guest supporting Protected Virtualization using the new
option use the command line arguments:
-object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
docs/confidential-guest-support.txt | 3 ++
docs/system/s390x/protvirt.rst | 19 +++++++---
hw/s390x/pv.c | 58 +++++++++++++++++++++++++++++
include/hw/s390x/pv.h | 1 +
target/s390x/kvm.c | 3 ++
5 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt
index d466aa79d5..b4912f66c2 100644
--- a/docs/confidential-guest-support.txt
+++ b/docs/confidential-guest-support.txt
@@ -42,4 +42,7 @@ AMD Secure Encrypted Virtualization (SEV)
POWER Protected Execution Facility (PEF)
+s390x Protected Virtualization (PV)
+ docs/system/s390x/protvirt.rst
+
Other mechanisms may be supported in future.
diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst
index 712974ad87..0f481043d9 100644
--- a/docs/system/s390x/protvirt.rst
+++ b/docs/system/s390x/protvirt.rst
@@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED`
will indicate that KVM can support PVMs on that LPAR.
-QEMU Settings
--------------
+Running a Protected Virtual Machine
+-----------------------------------
-To indicate to the VM that it can transition into protected mode, the
+To run a PVM you will need to select a CPU model which includes the
`Unpack facility` (stfle bit 161 represented by the feature
-`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of
-the VM.
+`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line::
+
+ -object s390-pv-guest,id=pv0 \
+ -machine confidential-guest-support=pv0
+
+Adding these options will:
+
+* Ensure the `unpack` facility is available
+* Enable the IOMMU by default for all I/O devices
+* Initialize the PV mechanism
-All I/O devices need to use the IOMMU.
Passthrough (vfio) devices are currently not supported.
Host huge page backings are not supported. However guests can use huge
diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
index ab3a2482aa..85592e100a 100644
--- a/hw/s390x/pv.c
+++ b/hw/s390x/pv.c
@@ -14,8 +14,11 @@
#include <linux/kvm.h>
#include "cpu.h"
+#include "qapi/error.h"
#include "qemu/error-report.h"
#include "sysemu/kvm.h"
+#include "qom/object_interfaces.h"
+#include "exec/confidential-guest-support.h"
#include "hw/s390x/ipl.h"
#include "hw/s390x/pv.h"
@@ -111,3 +114,58 @@ void s390_pv_inject_reset_error(CPUState *cs)
/* Report that we are unable to enter protected mode */
env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
}
+
+#define TYPE_S390_PV_GUEST "s390-pv-guest"
+#define S390_PV_GUEST(obj) \
+ OBJECT_CHECK(S390PVGuestState, (obj), TYPE_S390_PV_GUEST)
+
+typedef struct S390PVGuestState S390PVGuestState;
+
+/**
+ * S390PVGuestState:
+ *
+ * The S390PVGuestState object is basically a dummy used to tell the
+ * confidential guest support system to use s390's PV mechanism.
+ *
+ * # $QEMU \
+ * -object s390-pv-guest,id=pv0 \
+ * -machine ...,confidential-guest-support=pv0
+ */
+struct S390PVGuestState {
+ Object parent_obj;
+};
+
+int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp)
+{
+ if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
+ return 0;
+ }
+
+ if (!s390_has_feat(S390_FEAT_UNPACK)) {
+ error_setg(errp,
+ "CPU model does not support Protected Virtualization");
+ return -1;
+ }
+
+ cgs->ready = true;
+
+ return 0;
+}
+
+static const TypeInfo s390_pv_guest_info = {
+ .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
+ .name = TYPE_S390_PV_GUEST,
+ .instance_size = sizeof(S390PVGuestState),
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void
+s390_pv_register_types(void)
+{
+ type_register_static(&s390_pv_guest_info);
+}
+
+type_init(s390_pv_register_types);
diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
index aee758bc2d..9bbf66f356 100644
--- a/include/hw/s390x/pv.h
+++ b/include/hw/s390x/pv.h
@@ -43,6 +43,7 @@ void s390_pv_prep_reset(void);
int s390_pv_verify(void);
void s390_pv_unshare(void);
void s390_pv_inject_reset_error(CPUState *cs);
+int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp);
#else /* CONFIG_KVM */
static inline bool s390_is_pv(void) { return false; }
static inline int s390_pv_vm_enable(void) { return 0; }
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index b8385e6b95..d2435664dc 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -387,6 +387,9 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
}
kvm_set_max_memslot_size(KVM_SLOT_MAX_BYTES);
+
+ s390_pv_init(ms->cgs, &error_fatal);
+
return 0;
}
--
2.29.2
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au>
To: pasic@linux.ibm.com, brijesh.singh@amd.com, pair@us.ibm.com,
dgilbert@redhat.com, qemu-devel@nongnu.org
Cc: thuth@redhat.com, "Cornelia Huck" <cohuck@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
frankja@linux.ibm.com, kvm@vger.kernel.org, david@redhat.com,
jun.nakajima@intel.com, mst@redhat.com,
"Marcelo Tosatti" <mtosatti@redhat.com>,
richard.henderson@linaro.org, "Greg Kurz" <groug@kaod.org>,
"Eduardo Habkost" <ehabkost@redhat.com>,
mdroth@linux.vnet.ibm.com,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
qemu-s390x@nongnu.org, qemu-ppc@nongnu.org,
pragyansri.pathi@intel.com, andi.kleen@intel.com,
"Paolo Bonzini" <pbonzini@redhat.com>,
"David Gibson" <david@gibson.dropbear.id.au>
Subject: [PATCH v6 13/13] s390: Recognize confidential-guest-support option
Date: Tue, 12 Jan 2021 15:45:08 +1100 [thread overview]
Message-ID: <20210112044508.427338-14-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20210112044508.427338-1-david@gibson.dropbear.id.au>
At least some s390 cpu models support "Protected Virtualization" (PV),
a mechanism to protect guests from eavesdropping by a compromised
hypervisor.
This is similar in function to other mechanisms like AMD's SEV and
POWER's PEF, which are controlled by the "confidential-guest-support"
machine option. s390 is a slightly special case, because we already
supported PV, simply by using a CPU model with the required feature
(S390_FEAT_UNPACK).
To integrate this with the option used by other platforms, we
implement the following compromise:
- When the confidential-guest-support option is set, s390 will
recognize it, verify that the CPU can support PV (failing if not)
and set virtio default options necessary for encrypted or protected
guests, as on other platforms. i.e. if confidential-guest-support
is set, we will either create a guest capable of entering PV mode,
or fail outright.
- If confidential-guest-support is not set, guests might still be
able to enter PV mode, if the CPU has the right model. This may be
a little surprising, but shouldn't actually be harmful.
To start a guest supporting Protected Virtualization using the new
option use the command line arguments:
-object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
docs/confidential-guest-support.txt | 3 ++
docs/system/s390x/protvirt.rst | 19 +++++++---
hw/s390x/pv.c | 58 +++++++++++++++++++++++++++++
include/hw/s390x/pv.h | 1 +
target/s390x/kvm.c | 3 ++
5 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt
index d466aa79d5..b4912f66c2 100644
--- a/docs/confidential-guest-support.txt
+++ b/docs/confidential-guest-support.txt
@@ -42,4 +42,7 @@ AMD Secure Encrypted Virtualization (SEV)
POWER Protected Execution Facility (PEF)
+s390x Protected Virtualization (PV)
+ docs/system/s390x/protvirt.rst
+
Other mechanisms may be supported in future.
diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst
index 712974ad87..0f481043d9 100644
--- a/docs/system/s390x/protvirt.rst
+++ b/docs/system/s390x/protvirt.rst
@@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED`
will indicate that KVM can support PVMs on that LPAR.
-QEMU Settings
--------------
+Running a Protected Virtual Machine
+-----------------------------------
-To indicate to the VM that it can transition into protected mode, the
+To run a PVM you will need to select a CPU model which includes the
`Unpack facility` (stfle bit 161 represented by the feature
-`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of
-the VM.
+`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line::
+
+ -object s390-pv-guest,id=pv0 \
+ -machine confidential-guest-support=pv0
+
+Adding these options will:
+
+* Ensure the `unpack` facility is available
+* Enable the IOMMU by default for all I/O devices
+* Initialize the PV mechanism
-All I/O devices need to use the IOMMU.
Passthrough (vfio) devices are currently not supported.
Host huge page backings are not supported. However guests can use huge
diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
index ab3a2482aa..85592e100a 100644
--- a/hw/s390x/pv.c
+++ b/hw/s390x/pv.c
@@ -14,8 +14,11 @@
#include <linux/kvm.h>
#include "cpu.h"
+#include "qapi/error.h"
#include "qemu/error-report.h"
#include "sysemu/kvm.h"
+#include "qom/object_interfaces.h"
+#include "exec/confidential-guest-support.h"
#include "hw/s390x/ipl.h"
#include "hw/s390x/pv.h"
@@ -111,3 +114,58 @@ void s390_pv_inject_reset_error(CPUState *cs)
/* Report that we are unable to enter protected mode */
env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
}
+
+#define TYPE_S390_PV_GUEST "s390-pv-guest"
+#define S390_PV_GUEST(obj) \
+ OBJECT_CHECK(S390PVGuestState, (obj), TYPE_S390_PV_GUEST)
+
+typedef struct S390PVGuestState S390PVGuestState;
+
+/**
+ * S390PVGuestState:
+ *
+ * The S390PVGuestState object is basically a dummy used to tell the
+ * confidential guest support system to use s390's PV mechanism.
+ *
+ * # $QEMU \
+ * -object s390-pv-guest,id=pv0 \
+ * -machine ...,confidential-guest-support=pv0
+ */
+struct S390PVGuestState {
+ Object parent_obj;
+};
+
+int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp)
+{
+ if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
+ return 0;
+ }
+
+ if (!s390_has_feat(S390_FEAT_UNPACK)) {
+ error_setg(errp,
+ "CPU model does not support Protected Virtualization");
+ return -1;
+ }
+
+ cgs->ready = true;
+
+ return 0;
+}
+
+static const TypeInfo s390_pv_guest_info = {
+ .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
+ .name = TYPE_S390_PV_GUEST,
+ .instance_size = sizeof(S390PVGuestState),
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void
+s390_pv_register_types(void)
+{
+ type_register_static(&s390_pv_guest_info);
+}
+
+type_init(s390_pv_register_types);
diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
index aee758bc2d..9bbf66f356 100644
--- a/include/hw/s390x/pv.h
+++ b/include/hw/s390x/pv.h
@@ -43,6 +43,7 @@ void s390_pv_prep_reset(void);
int s390_pv_verify(void);
void s390_pv_unshare(void);
void s390_pv_inject_reset_error(CPUState *cs);
+int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp);
#else /* CONFIG_KVM */
static inline bool s390_is_pv(void) { return false; }
static inline int s390_pv_vm_enable(void) { return 0; }
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index b8385e6b95..d2435664dc 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -387,6 +387,9 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
}
kvm_set_max_memslot_size(KVM_SLOT_MAX_BYTES);
+
+ s390_pv_init(ms->cgs, &error_fatal);
+
return 0;
}
--
2.29.2
next prev parent reply other threads:[~2021-01-12 4:46 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-12 4:44 [PATCH v6 00/13] Generalize memory encryption models David Gibson
2021-01-12 4:44 ` David Gibson
2021-01-12 4:44 ` [PATCH v6 01/13] qom: Allow optional sugar props David Gibson
2021-01-12 4:44 ` David Gibson
2021-01-12 4:44 ` [PATCH v6 02/13] confidential guest support: Introduce new confidential guest support class David Gibson
2021-01-12 4:44 ` David Gibson
2021-01-12 9:46 ` Daniel P. Berrangé
2021-01-12 9:46 ` Daniel P. Berrangé
2021-01-13 2:09 ` David Gibson
2021-01-13 2:09 ` David Gibson
2021-01-12 4:44 ` [PATCH v6 03/13] sev: Remove false abstraction of flash encryption David Gibson
2021-01-12 4:44 ` David Gibson
2021-01-12 4:44 ` [PATCH v6 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson
2021-01-12 4:44 ` David Gibson
2021-01-12 10:39 ` Greg Kurz
2021-01-12 4:45 ` [PATCH v6 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 10:59 ` Greg Kurz
2021-01-13 0:50 ` David Gibson
2021-01-13 0:50 ` David Gibson
2021-01-13 12:03 ` Dr. David Alan Gilbert
2021-01-13 12:03 ` Dr. David Alan Gilbert
2021-01-12 4:45 ` [PATCH v6 06/13] sev: Add Error ** to sev_kvm_init() David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 4:45 ` [PATCH v6 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 4:45 ` [PATCH v6 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 4:45 ` [PATCH v6 09/13] confidential guest support: Update documentation David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 4:45 ` [PATCH v6 10/13] spapr: Add PEF based confidential guest support David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 7:56 ` Christian Borntraeger
2021-01-12 7:56 ` Christian Borntraeger
2021-01-12 8:36 ` David Gibson
2021-01-12 8:36 ` David Gibson
2021-01-12 9:52 ` Daniel P. Berrangé
2021-01-12 9:52 ` Daniel P. Berrangé
2021-01-12 9:56 ` Daniel P. Berrangé
2021-01-12 9:56 ` Daniel P. Berrangé
2021-01-13 0:52 ` David Gibson
2021-01-13 0:52 ` David Gibson
2021-01-12 11:27 ` Greg Kurz
2021-01-13 0:56 ` David Gibson
2021-01-13 0:56 ` David Gibson
2021-01-12 4:45 ` [PATCH v6 11/13] spapr: PEF: prevent migration David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 11:37 ` Greg Kurz
2021-01-12 4:45 ` [PATCH v6 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson
2021-01-12 4:45 ` David Gibson
2021-01-12 11:38 ` Greg Kurz
2021-01-12 4:45 ` David Gibson [this message]
2021-01-12 4:45 ` [PATCH v6 13/13] s390: Recognize confidential-guest-support option David Gibson
2021-01-12 8:15 ` Christian Borntraeger
2021-01-12 8:15 ` Christian Borntraeger
2021-01-12 11:36 ` Cornelia Huck
2021-01-12 11:36 ` Cornelia Huck
2021-01-12 11:48 ` Christian Borntraeger
2021-01-12 11:48 ` Christian Borntraeger
2021-01-12 11:49 ` Daniel P. Berrangé
2021-01-12 11:49 ` Daniel P. Berrangé
2021-01-13 0:57 ` David Gibson
2021-01-13 0:57 ` David Gibson
2021-01-13 6:57 ` Christian Borntraeger
2021-01-13 6:57 ` Christian Borntraeger
2021-01-13 23:56 ` David Gibson
2021-01-13 23:56 ` David Gibson
2021-01-12 9:54 ` Daniel P. Berrangé
2021-01-12 9:54 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210112044508.427338-14-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=andi.kleen@intel.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=groug@kaod.org \
--cc=jun.nakajima@intel.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=pragyansri.pathi@intel.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.