From: David Gibson <david@gibson.dropbear.id.au> To: pasic@linux.ibm.com, brijesh.singh@amd.com, pair@us.ibm.com, dgilbert@redhat.com, qemu-devel@nongnu.org Cc: andi.kleen@intel.com, qemu-ppc@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>, "Marcelo Tosatti" <mtosatti@redhat.com>, "David Gibson" <david@gibson.dropbear.id.au>, "Greg Kurz" <groug@kaod.org>, frankja@linux.ibm.com, thuth@redhat.com, "Christian Borntraeger" <borntraeger@de.ibm.com>, mdroth@linux.vnet.ibm.com, richard.henderson@linaro.org, kvm@vger.kernel.org, "Daniel P. Berrangé" <berrange@redhat.com>, "Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>, "Eduardo Habkost" <ehabkost@redhat.com>, david@redhat.com, "Cornelia Huck" <cohuck@redhat.com>, mst@redhat.com, qemu-s390x@nongnu.org, pragyansri.pathi@intel.com, jun.nakajima@intel.com Subject: [PATCH v6 13/13] s390: Recognize confidential-guest-support option Date: Tue, 12 Jan 2021 15:45:08 +1100 [thread overview] Message-ID: <20210112044508.427338-14-david@gibson.dropbear.id.au> (raw) In-Reply-To: <20210112044508.427338-1-david@gibson.dropbear.id.au> At least some s390 cpu models support "Protected Virtualization" (PV), a mechanism to protect guests from eavesdropping by a compromised hypervisor. This is similar in function to other mechanisms like AMD's SEV and POWER's PEF, which are controlled by the "confidential-guest-support" machine option. s390 is a slightly special case, because we already supported PV, simply by using a CPU model with the required feature (S390_FEAT_UNPACK). To integrate this with the option used by other platforms, we implement the following compromise: - When the confidential-guest-support option is set, s390 will recognize it, verify that the CPU can support PV (failing if not) and set virtio default options necessary for encrypted or protected guests, as on other platforms. i.e. if confidential-guest-support is set, we will either create a guest capable of entering PV mode, or fail outright. - If confidential-guest-support is not set, guests might still be able to enter PV mode, if the CPU has the right model. This may be a little surprising, but shouldn't actually be harmful. To start a guest supporting Protected Virtualization using the new option use the command line arguments: -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0 Signed-off-by: David Gibson <david@gibson.dropbear.id.au> --- docs/confidential-guest-support.txt | 3 ++ docs/system/s390x/protvirt.rst | 19 +++++++--- hw/s390x/pv.c | 58 +++++++++++++++++++++++++++++ include/hw/s390x/pv.h | 1 + target/s390x/kvm.c | 3 ++ 5 files changed, 78 insertions(+), 6 deletions(-) diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt index d466aa79d5..b4912f66c2 100644 --- a/docs/confidential-guest-support.txt +++ b/docs/confidential-guest-support.txt @@ -42,4 +42,7 @@ AMD Secure Encrypted Virtualization (SEV) POWER Protected Execution Facility (PEF) +s390x Protected Virtualization (PV) + docs/system/s390x/protvirt.rst + Other mechanisms may be supported in future. diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst index 712974ad87..0f481043d9 100644 --- a/docs/system/s390x/protvirt.rst +++ b/docs/system/s390x/protvirt.rst @@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED` will indicate that KVM can support PVMs on that LPAR. -QEMU Settings -------------- +Running a Protected Virtual Machine +----------------------------------- -To indicate to the VM that it can transition into protected mode, the +To run a PVM you will need to select a CPU model which includes the `Unpack facility` (stfle bit 161 represented by the feature -`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of -the VM. +`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line:: + + -object s390-pv-guest,id=pv0 \ + -machine confidential-guest-support=pv0 + +Adding these options will: + +* Ensure the `unpack` facility is available +* Enable the IOMMU by default for all I/O devices +* Initialize the PV mechanism -All I/O devices need to use the IOMMU. Passthrough (vfio) devices are currently not supported. Host huge page backings are not supported. However guests can use huge diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c index ab3a2482aa..85592e100a 100644 --- a/hw/s390x/pv.c +++ b/hw/s390x/pv.c @@ -14,8 +14,11 @@ #include <linux/kvm.h> #include "cpu.h" +#include "qapi/error.h" #include "qemu/error-report.h" #include "sysemu/kvm.h" +#include "qom/object_interfaces.h" +#include "exec/confidential-guest-support.h" #include "hw/s390x/ipl.h" #include "hw/s390x/pv.h" @@ -111,3 +114,58 @@ void s390_pv_inject_reset_error(CPUState *cs) /* Report that we are unable to enter protected mode */ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; } + +#define TYPE_S390_PV_GUEST "s390-pv-guest" +#define S390_PV_GUEST(obj) \ + OBJECT_CHECK(S390PVGuestState, (obj), TYPE_S390_PV_GUEST) + +typedef struct S390PVGuestState S390PVGuestState; + +/** + * S390PVGuestState: + * + * The S390PVGuestState object is basically a dummy used to tell the + * confidential guest support system to use s390's PV mechanism. + * + * # $QEMU \ + * -object s390-pv-guest,id=pv0 \ + * -machine ...,confidential-guest-support=pv0 + */ +struct S390PVGuestState { + Object parent_obj; +}; + +int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp) +{ + if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) { + return 0; + } + + if (!s390_has_feat(S390_FEAT_UNPACK)) { + error_setg(errp, + "CPU model does not support Protected Virtualization"); + return -1; + } + + cgs->ready = true; + + return 0; +} + +static const TypeInfo s390_pv_guest_info = { + .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT, + .name = TYPE_S390_PV_GUEST, + .instance_size = sizeof(S390PVGuestState), + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +s390_pv_register_types(void) +{ + type_register_static(&s390_pv_guest_info); +} + +type_init(s390_pv_register_types); diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h index aee758bc2d..9bbf66f356 100644 --- a/include/hw/s390x/pv.h +++ b/include/hw/s390x/pv.h @@ -43,6 +43,7 @@ void s390_pv_prep_reset(void); int s390_pv_verify(void); void s390_pv_unshare(void); void s390_pv_inject_reset_error(CPUState *cs); +int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp); #else /* CONFIG_KVM */ static inline bool s390_is_pv(void) { return false; } static inline int s390_pv_vm_enable(void) { return 0; } diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c index b8385e6b95..d2435664dc 100644 --- a/target/s390x/kvm.c +++ b/target/s390x/kvm.c @@ -387,6 +387,9 @@ int kvm_arch_init(MachineState *ms, KVMState *s) } kvm_set_max_memslot_size(KVM_SLOT_MAX_BYTES); + + s390_pv_init(ms->cgs, &error_fatal); + return 0; } -- 2.29.2
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au> To: pasic@linux.ibm.com, brijesh.singh@amd.com, pair@us.ibm.com, dgilbert@redhat.com, qemu-devel@nongnu.org Cc: thuth@redhat.com, "Cornelia Huck" <cohuck@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, frankja@linux.ibm.com, kvm@vger.kernel.org, david@redhat.com, jun.nakajima@intel.com, mst@redhat.com, "Marcelo Tosatti" <mtosatti@redhat.com>, richard.henderson@linaro.org, "Greg Kurz" <groug@kaod.org>, "Eduardo Habkost" <ehabkost@redhat.com>, mdroth@linux.vnet.ibm.com, "Christian Borntraeger" <borntraeger@de.ibm.com>, qemu-s390x@nongnu.org, qemu-ppc@nongnu.org, pragyansri.pathi@intel.com, andi.kleen@intel.com, "Paolo Bonzini" <pbonzini@redhat.com>, "David Gibson" <david@gibson.dropbear.id.au> Subject: [PATCH v6 13/13] s390: Recognize confidential-guest-support option Date: Tue, 12 Jan 2021 15:45:08 +1100 [thread overview] Message-ID: <20210112044508.427338-14-david@gibson.dropbear.id.au> (raw) In-Reply-To: <20210112044508.427338-1-david@gibson.dropbear.id.au> At least some s390 cpu models support "Protected Virtualization" (PV), a mechanism to protect guests from eavesdropping by a compromised hypervisor. This is similar in function to other mechanisms like AMD's SEV and POWER's PEF, which are controlled by the "confidential-guest-support" machine option. s390 is a slightly special case, because we already supported PV, simply by using a CPU model with the required feature (S390_FEAT_UNPACK). To integrate this with the option used by other platforms, we implement the following compromise: - When the confidential-guest-support option is set, s390 will recognize it, verify that the CPU can support PV (failing if not) and set virtio default options necessary for encrypted or protected guests, as on other platforms. i.e. if confidential-guest-support is set, we will either create a guest capable of entering PV mode, or fail outright. - If confidential-guest-support is not set, guests might still be able to enter PV mode, if the CPU has the right model. This may be a little surprising, but shouldn't actually be harmful. To start a guest supporting Protected Virtualization using the new option use the command line arguments: -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0 Signed-off-by: David Gibson <david@gibson.dropbear.id.au> --- docs/confidential-guest-support.txt | 3 ++ docs/system/s390x/protvirt.rst | 19 +++++++--- hw/s390x/pv.c | 58 +++++++++++++++++++++++++++++ include/hw/s390x/pv.h | 1 + target/s390x/kvm.c | 3 ++ 5 files changed, 78 insertions(+), 6 deletions(-) diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt index d466aa79d5..b4912f66c2 100644 --- a/docs/confidential-guest-support.txt +++ b/docs/confidential-guest-support.txt @@ -42,4 +42,7 @@ AMD Secure Encrypted Virtualization (SEV) POWER Protected Execution Facility (PEF) +s390x Protected Virtualization (PV) + docs/system/s390x/protvirt.rst + Other mechanisms may be supported in future. diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst index 712974ad87..0f481043d9 100644 --- a/docs/system/s390x/protvirt.rst +++ b/docs/system/s390x/protvirt.rst @@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED` will indicate that KVM can support PVMs on that LPAR. -QEMU Settings -------------- +Running a Protected Virtual Machine +----------------------------------- -To indicate to the VM that it can transition into protected mode, the +To run a PVM you will need to select a CPU model which includes the `Unpack facility` (stfle bit 161 represented by the feature -`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of -the VM. +`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line:: + + -object s390-pv-guest,id=pv0 \ + -machine confidential-guest-support=pv0 + +Adding these options will: + +* Ensure the `unpack` facility is available +* Enable the IOMMU by default for all I/O devices +* Initialize the PV mechanism -All I/O devices need to use the IOMMU. Passthrough (vfio) devices are currently not supported. Host huge page backings are not supported. However guests can use huge diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c index ab3a2482aa..85592e100a 100644 --- a/hw/s390x/pv.c +++ b/hw/s390x/pv.c @@ -14,8 +14,11 @@ #include <linux/kvm.h> #include "cpu.h" +#include "qapi/error.h" #include "qemu/error-report.h" #include "sysemu/kvm.h" +#include "qom/object_interfaces.h" +#include "exec/confidential-guest-support.h" #include "hw/s390x/ipl.h" #include "hw/s390x/pv.h" @@ -111,3 +114,58 @@ void s390_pv_inject_reset_error(CPUState *cs) /* Report that we are unable to enter protected mode */ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; } + +#define TYPE_S390_PV_GUEST "s390-pv-guest" +#define S390_PV_GUEST(obj) \ + OBJECT_CHECK(S390PVGuestState, (obj), TYPE_S390_PV_GUEST) + +typedef struct S390PVGuestState S390PVGuestState; + +/** + * S390PVGuestState: + * + * The S390PVGuestState object is basically a dummy used to tell the + * confidential guest support system to use s390's PV mechanism. + * + * # $QEMU \ + * -object s390-pv-guest,id=pv0 \ + * -machine ...,confidential-guest-support=pv0 + */ +struct S390PVGuestState { + Object parent_obj; +}; + +int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp) +{ + if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) { + return 0; + } + + if (!s390_has_feat(S390_FEAT_UNPACK)) { + error_setg(errp, + "CPU model does not support Protected Virtualization"); + return -1; + } + + cgs->ready = true; + + return 0; +} + +static const TypeInfo s390_pv_guest_info = { + .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT, + .name = TYPE_S390_PV_GUEST, + .instance_size = sizeof(S390PVGuestState), + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +s390_pv_register_types(void) +{ + type_register_static(&s390_pv_guest_info); +} + +type_init(s390_pv_register_types); diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h index aee758bc2d..9bbf66f356 100644 --- a/include/hw/s390x/pv.h +++ b/include/hw/s390x/pv.h @@ -43,6 +43,7 @@ void s390_pv_prep_reset(void); int s390_pv_verify(void); void s390_pv_unshare(void); void s390_pv_inject_reset_error(CPUState *cs); +int s390_pv_init(ConfidentialGuestSupport *cgs, Error **errp); #else /* CONFIG_KVM */ static inline bool s390_is_pv(void) { return false; } static inline int s390_pv_vm_enable(void) { return 0; } diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c index b8385e6b95..d2435664dc 100644 --- a/target/s390x/kvm.c +++ b/target/s390x/kvm.c @@ -387,6 +387,9 @@ int kvm_arch_init(MachineState *ms, KVMState *s) } kvm_set_max_memslot_size(KVM_SLOT_MAX_BYTES); + + s390_pv_init(ms->cgs, &error_fatal); + return 0; } -- 2.29.2
next prev parent reply other threads:[~2021-01-12 4:46 UTC|newest] Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-01-12 4:44 [PATCH v6 00/13] Generalize memory encryption models David Gibson 2021-01-12 4:44 ` David Gibson 2021-01-12 4:44 ` [PATCH v6 01/13] qom: Allow optional sugar props David Gibson 2021-01-12 4:44 ` David Gibson 2021-01-12 4:44 ` [PATCH v6 02/13] confidential guest support: Introduce new confidential guest support class David Gibson 2021-01-12 4:44 ` David Gibson 2021-01-12 9:46 ` Daniel P. Berrangé 2021-01-12 9:46 ` Daniel P. Berrangé 2021-01-13 2:09 ` David Gibson 2021-01-13 2:09 ` David Gibson 2021-01-12 4:44 ` [PATCH v6 03/13] sev: Remove false abstraction of flash encryption David Gibson 2021-01-12 4:44 ` David Gibson 2021-01-12 4:44 ` [PATCH v6 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson 2021-01-12 4:44 ` David Gibson 2021-01-12 10:39 ` Greg Kurz 2021-01-12 4:45 ` [PATCH v6 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 10:59 ` Greg Kurz 2021-01-13 0:50 ` David Gibson 2021-01-13 0:50 ` David Gibson 2021-01-13 12:03 ` Dr. David Alan Gilbert 2021-01-13 12:03 ` Dr. David Alan Gilbert 2021-01-12 4:45 ` [PATCH v6 06/13] sev: Add Error ** to sev_kvm_init() David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 4:45 ` [PATCH v6 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 4:45 ` [PATCH v6 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 4:45 ` [PATCH v6 09/13] confidential guest support: Update documentation David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 4:45 ` [PATCH v6 10/13] spapr: Add PEF based confidential guest support David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 7:56 ` Christian Borntraeger 2021-01-12 7:56 ` Christian Borntraeger 2021-01-12 8:36 ` David Gibson 2021-01-12 8:36 ` David Gibson 2021-01-12 9:52 ` Daniel P. Berrangé 2021-01-12 9:52 ` Daniel P. Berrangé 2021-01-12 9:56 ` Daniel P. Berrangé 2021-01-12 9:56 ` Daniel P. Berrangé 2021-01-13 0:52 ` David Gibson 2021-01-13 0:52 ` David Gibson 2021-01-12 11:27 ` Greg Kurz 2021-01-13 0:56 ` David Gibson 2021-01-13 0:56 ` David Gibson 2021-01-12 4:45 ` [PATCH v6 11/13] spapr: PEF: prevent migration David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 11:37 ` Greg Kurz 2021-01-12 4:45 ` [PATCH v6 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson 2021-01-12 4:45 ` David Gibson 2021-01-12 11:38 ` Greg Kurz 2021-01-12 4:45 ` David Gibson [this message] 2021-01-12 4:45 ` [PATCH v6 13/13] s390: Recognize confidential-guest-support option David Gibson 2021-01-12 8:15 ` Christian Borntraeger 2021-01-12 8:15 ` Christian Borntraeger 2021-01-12 11:36 ` Cornelia Huck 2021-01-12 11:36 ` Cornelia Huck 2021-01-12 11:48 ` Christian Borntraeger 2021-01-12 11:48 ` Christian Borntraeger 2021-01-12 11:49 ` Daniel P. Berrangé 2021-01-12 11:49 ` Daniel P. Berrangé 2021-01-13 0:57 ` David Gibson 2021-01-13 0:57 ` David Gibson 2021-01-13 6:57 ` Christian Borntraeger 2021-01-13 6:57 ` Christian Borntraeger 2021-01-13 23:56 ` David Gibson 2021-01-13 23:56 ` David Gibson 2021-01-12 9:54 ` Daniel P. Berrangé 2021-01-12 9:54 ` Daniel P. Berrangé
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210112044508.427338-14-david@gibson.dropbear.id.au \ --to=david@gibson.dropbear.id.au \ --cc=andi.kleen@intel.com \ --cc=berrange@redhat.com \ --cc=borntraeger@de.ibm.com \ --cc=brijesh.singh@amd.com \ --cc=cohuck@redhat.com \ --cc=david@redhat.com \ --cc=dgilbert@redhat.com \ --cc=ehabkost@redhat.com \ --cc=frankja@linux.ibm.com \ --cc=groug@kaod.org \ --cc=jun.nakajima@intel.com \ --cc=kvm@vger.kernel.org \ --cc=marcel.apfelbaum@gmail.com \ --cc=mdroth@linux.vnet.ibm.com \ --cc=mst@redhat.com \ --cc=mtosatti@redhat.com \ --cc=pair@us.ibm.com \ --cc=pasic@linux.ibm.com \ --cc=pbonzini@redhat.com \ --cc=pragyansri.pathi@intel.com \ --cc=qemu-devel@nongnu.org \ --cc=qemu-ppc@nongnu.org \ --cc=qemu-s390x@nongnu.org \ --cc=richard.henderson@linaro.org \ --cc=thuth@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.