| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Apr 2018 09:49:49 +0200
From: Cornelia Huck <cohuck@...hat.com>
To: Tony Krowiak <akrowiak@...ux.vnet.ibm.com>
Cc: Harald Freudenberger <FREUDE@...ibm.com>,
Pierre Morel <pmorel@...ux.vnet.ibm.com>,
alex.williamson@...hat.com, alifm@...ux.vnet.ibm.com,
berrange@...hat.com, bjsdjshi@...ux.vnet.ibm.com,
borntrae@...ux.ibm.com, fiuczy@...ux.vnet.ibm.com,
heicars2@...ux.vnet.ibm.com, jjherne@...ux.vnet.ibm.com,
kvm@...r.kernel.org, kwankhede@...dia.com,
linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org,
mjrosato@...ux.vnet.ibm.com, mschwid2@...ux.vnet.ibm.com,
pasic@...ux.vnet.ibm.com, pbonzini@...hat.com,
Reinhard Buendgen <BUENDGEN@...ibm.com>, thuth@...hat.com
Subject: Re: [PATCH v4 03/15] KVM: s390: refactor crypto initialization
On Tue, 17 Apr 2018 14:08:59 -0400
Tony Krowiak <akrowiak@...ux.vnet.ibm.com> wrote:
> On 04/17/2018 11:21 AM, Cornelia Huck wrote:
> > On Tue, 17 Apr 2018 10:26:57 -0400
> > Tony Krowiak <akrowiak@...ux.vnet.ibm.com> wrote:
> >
> >> On 04/17/2018 06:10 AM, Cornelia Huck wrote:
> >>> On Tue, 17 Apr 2018 09:49:58 +0200
> >>> "Harald Freudenberger" <FREUDE@...ibm.com> wrote:
> >>>
> >>>> Didn't we say that when APXA is not available there is no Crypto support
> >>>> for KVM ?
> >>> [Going by the code, as I don't have access to the architecture]
> >>>
> >>> Current status seems to be:
> >>> - setup crycb if facility 76 is available (that's MSAX3, I guess?)
> >> The crycb is set up regardless of whether STFLE.76 (MSAX3) is
> >> installed or not.
> > Hm, the current code does a quick exit if bit 76 is not set, doesn't
> > it?
>
> I guess that depends upon what you mean by current code. If you are talking
> about the code as it is distributed today - i.e., before my patch series -
> then you are correct. This patch changes that; it initializes the
> kvm->arch.crypto.crycbd to point to the CRYCB, then clears the format bits
> (kvm->arch.crypto.crycbd &= ~(CRYCB_FORMAT_MASK)) which is the same as
> setting the CRYCB format to format 0. It is only after this that the
> check is done to determine whether STFLE.76 is set.
Ah yes, with "current" I referred to current upstream.
>
> >
> >>> - use format 2 if APXA is available, else use format 1
> >> Use format 0 if MSAX3 is not available
> >> Use format 1 if MSAX3 is available but APXA is not
> >> Use format 2 if MSAX3 and APXA is available
> >>
> >>> From Tony's patch description, the goal seems to be:
> >>> - setup crycb even if MSAX3 is not available
> >> Yes, that is true
> >>
> >>> So my understanding is that we use APXA only to decide on the format of
> >>> the crycb, but provide it in any case?
> >> Yes, that is true
> > With the format selection you outlined above, I guess. Makes sense from
> > my point of view (just looking at the source code).
> It also implements what is stated in the architecture doc.
OK, great.
> >
> >>> (Not providing a crycb if APXA is not available would be loss of
> >>> functionality, I guess? Deciding not to provide vfio-ap if APXA is not
> >>> available is a different game, of course.)
> >> This would require a change to enabling the CPU model feature for
> >> AP.
> > But would it actually make sense to tie vfio-ap to APXA? This needs to
> > be answered by folks with access to the architecture :)
>
> I don't see any reason to do that from an architectural perspective.
> One can access AP devices whether APXA is installed or not, it just limits
> the range of devices that can be addressed
So I guess we should not introduce a tie-in then (unless it radically
simplifies the code...)
Powered by blists - more mailing lists