Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

From: Pierre Morel
Date: Thu Mar 15 2018 - 10:55:55 EST


On 15/03/2018 15:48, Tony Krowiak wrote:
On 03/15/2018 08:26 AM, Pierre Morel wrote:
On 14/03/2018 19:25, Tony Krowiak wrote:
This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
  and data structures related to configuring a guest's CRYCB for
  both the refactoring of crypto initialization as well as all
  subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
  duplicated in the AP bus as well as in KVM. Since the KVM
  code was introduced, the AP bus has externalized the interface
  for querying the AP configuration. The KVM interface will be
  replaced with a call to the AP bus interface. Of course, this
  will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
  the new compilation unit and called from the KVM vm
  initialization.

Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
---
 MAINTAINERS | 10 ++++++
 arch/s390/include/asm/kvm-ap.h | 16 ++++++++++
 arch/s390/include/asm/kvm_host.h | 1 +
 arch/s390/kvm/Kconfig | 1 +
 arch/s390/kvm/Makefile | 2 +-
 arch/s390/kvm/kvm-ap.c | 48 +++++++++++++++++++++++++++++
 arch/s390/kvm/kvm-s390.c | 61 ++++---------------------------------
 7 files changed, 84 insertions(+), 55 deletions(-)
 create mode 100644 arch/s390/include/asm/kvm-ap.h
 create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: http://www.ibm.com/developerworks/linux/linux390/
 S: Supported
 F: drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M:ÂÂÂ Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
+M:ÂÂÂ Christian Borntraeger <borntraeger@xxxxxxxxxx>
+M:ÂÂÂ Martin Schwidefsky <schwidefsky@xxxxxxxxxx>
+L:ÂÂÂ linux-s390@xxxxxxxxxxxxxxx
+W:ÂÂÂ http://www.ibm.com/developerworks/linux/linux390/
+S:ÂÂÂ Supported
+F:ÂÂÂ arch/s390/include/asm/kvm/kvm-ap.h
+F:ÂÂÂ arch/s390/kvm/kvm-ap.c
+
 S390 ZFCP DRIVER
 M: Steffen Maier <maier@xxxxxxxxxxxxxxxxxx>
 M: Benjamin Block <bblock@xxxxxxxxxxxxxxxxxx>
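Review bot: The first F: entry of the new S390 VFIO AP DRIVER section names arch/s390/include/asm/kvm/kvm-ap.h, but the diffstat and the file header in this patch create arch/s390/include/asm/kvm-ap.h, with no kvm/ subdirectory. As written the pattern matches no file, so changes to the header would not be routed to the listed maintainers; the entry should name the path the patch actually adds.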
diff --git a/arch/s390/include/asm/kvm-ap.h b/arch/s390/include/asm/kvm-ap.h
new file mode 100644
index 0000000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak <akrowia@xxxxxxxxxxxxxxxxxx>
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include <linux/types.h>
+#include <linux/kvm_host.h>
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
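Review bot: The Author(s) line in the header comment gives the address as akrowia@..., while the Signed-off-by above uses akrowiak@...; the trailing "k" appears to have been dropped. The new file also opens directly with the comment block and carries no SPDX-License-Identifier line, and kvm_ap_build_crycbd() is declared without any comment saying which field of struct kvm it fills in, which would help readers of a header meant to collect the AP interfaces.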
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
ÂÂÂÂÂ __u8ÂÂÂ reservedf0[12];ÂÂÂÂÂÂÂ /* 0x00f0 */
 #define CRYCB_FORMAT1 0x00000001
 #define CRYCB_FORMAT2 0x00000003
+#define CRYCB_FORMAT_MASK 0x00000003
ÂÂÂÂÂ __u32ÂÂÂ crycbd;ÂÂÂÂÂÂÂÂÂÂÂ /* 0x00fc */
ÂÂÂÂÂ __u64ÂÂÂ gcr[16];ÂÂÂÂÂÂÂ /* 0x0100 */
ÂÂÂÂÂ __u64ÂÂÂ gbea;ÂÂÂÂÂÂÂÂÂÂÂ /* 0x0180 */
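Review bot: CRYCB_FORMAT_MASK is added with the same value as CRYCB_FORMAT2 (0x00000003), and CRYCB_FORMAT1 (0x00000001) is a subset of those bits, so any later format check has to compare (crycbd & CRYCB_FORMAT_MASK) against CRYCB_FORMAT1 or CRYCB_FORMAT2 by equality rather than test a single bit. A short comment on the new define stating that the low two bits of crycbd carry the format would make that explicit; no user of the mask is visible in this hunk.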
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
ÂÂÂÂÂ select HAVE_KVM_INVALID_WAKEUPS
ÂÂÂÂÂ select SRCU
ÂÂÂÂÂ select KVM_VFIO
+ÂÂÂ select ZCRYPT
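Review bot: The added select ZCRYPT pulls zcrypt into every KVM build unconditionally, and select turns the symbol on without evaluating whatever dependencies ZCRYPT itself declares. If the only reason is that the KVM code calls a zcrypt interface, consider guarding those calls on CONFIG_ZCRYPT with stubs for the disabled case, or expressing the relationship with depends on, so that KVM without AP support stays a valid configuration.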

I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.
If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() function will not compile
because it calls a zcrypt interface. How would you suggest we make sure zcrypt interfaces
used in KVM are built if CONFIG_ZCRYPT is not selected?

If zcrypt is not configured, I suppose that the KVM code initializing CRYCB
has no use, but the function will be called from KVM.
So I would do something like:

#ifdef ZCRYPT
external definitions.
#else
stubs returning error -ENOZCRYPT (or whatever)
#endif




Pierre




--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany
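
The stub pattern sketched in the reply above, as an added userspace example that is not code from the patch or from the kernel. The names ap_query_apxa() and build_crycbd() are hypothetical, -ENODEV stands in for the "-ENOZCRYPT (or whatever)" placeholder, and falling back to format 1 when the query fails is an assumption; only the CRYCB_FORMAT* values come from the quoted hunk.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the kvm_host.h hunk quoted above. */
#define CRYCB_FORMAT1     0x00000001
#define CRYCB_FORMAT2     0x00000003
#define CRYCB_FORMAT_MASK 0x00000003

#ifdef CONFIG_ZCRYPT
/* A real build would declare the AP bus interface extern here;
 * it is simulated so this file links on its own. */
static inline int ap_query_apxa(int *installed)
{
	*installed = 1;
	return 0;
}
#else
/* Stub: callers still compile and are told the facility is absent. */
static inline int ap_query_apxa(int *installed)
{
	(void)installed;
	return -ENODEV; /* assumed error code, see lead-in */
}
#endif

/* Pack the CRYCB address and its format into one designation word.
 * Assumption: format 1 is the fallback when the query fails.
 * Returns the query result so the caller can see AP is unavailable. */
static int build_crycbd(uint32_t crycb_addr, uint32_t *crycbd)
{
	int installed = 0;
	int rc;

	if (crycb_addr & CRYCB_FORMAT_MASK)
		return -EINVAL; /* address would overlap the format bits */
	rc = ap_query_apxa(&installed);
	*crycbd = crycb_addr |
		  ((rc == 0 && installed) ? CRYCB_FORMAT2 : CRYCB_FORMAT1);
	return rc;
}

int main(void)
{
	uint32_t crycbd = 0;
	int rc = build_crycbd(0x1000, &crycbd); /* constructed address */

	printf("rc=%d crycbd=0x%08x\n", rc, (unsigned)crycbd);
	return 0;
}
```

Compiling with -DCONFIG_ZCRYPT selects the simulated "installed" path and yields format 2 instead.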