Re: [PATCH v9 12/22] s390: vfio-ap: sysfs interfaces to configure control domains

[Pierre Morel]

On 22/08/2018 11:42, Cornelia Huck wrote:
> On Wed, 22 Aug 2018 01:18:20 +0200
> Halil Pasic <pasic@xxxxxxxxxxxxx> wrote:
>
> > On 08/21/2018 07:07 PM, Tony Krowiak wrote:
> > > This convention has been enforced by the kernel since v1. This is also
> > > enforced by both the LPAR as well as in z/VM. The following is from the
> > > PR/SM Planning Guide:
> > >
> > > Control Domain
> > > A logical partition's control domains are those cryptographic domains for which remote secure
> > > administration functions can be established and administered from this logical partition. This
> > > logical partitionâs control domains must include its usage domains. For each index selected in the
> > > usage domain index list, you must select the same index in the control domain index list
> > >    
> That's interesting.
>
> > IMHO this quote is quite a half-full half-empty cup one:
> > * it mandates the set of usage domains is a subset of the set
> > of the control domains, but
> > * it speaks of independent controls, namely about the 'usage domain index'
> > and the 'control domain index list' and makes the enforcement of the rule
> > a job of the administrator (instead of codifying it in the controls).
> I'm wondering if a configuration with a usage domain that is not also a
> control domain is rejected outright? Anybody tried that? :)

Yes, and no it is not.
We can use a queue (usage domain) to a AP card for SHA-512 or RSA without
having to define the queue as a control domain.

Regards,
Pierre


--
Pierre Morel
Linux/KVM/QEMU in BÃblingen - Germany