lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <9c26da66-2d78-0e0f-a4cd-a943ec6283b0@linux.vnet.ibm.com>
Date:   Tue, 5 Dec 2017 10:09:25 -0500
From:   Tony Krowiak <akrowiak@...ux.vnet.ibm.com>
To:     Cornelia Huck <cohuck@...hat.com>
Cc:     Pierre Morel <pmorel@...ux.vnet.ibm.com>,
        linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org, freude@...ibm.com, schwidefsky@...ibm.com,
        heiko.carstens@...ibm.com, borntraeger@...ibm.com,
        kwankhede@...dia.com, bjsdjshi@...ux.vnet.ibm.com,
        pbonzini@...hat.com, alex.williamson@...hat.com,
        alifm@...ux.vnet.ibm.com, mjrosato@...ux.vnet.ibm.com,
        qemu-s390x@...gnu.org, jjherne@...ux.vnet.ibm.com,
        thuth@...hat.com, pasic@...ux.vnet.ibm.com
Subject: Re: [RFC 00/19] KVM: s390/crypto/vfio: guest dedicated crypto
 adapters

On 12/05/2017 09:06 AM, Cornelia Huck wrote:
> On Mon, 27 Nov 2017 19:39:32 -0500
> Tony Krowiak <akrowiak@...ux.vnet.ibm.com> wrote:
>
>> On 11/22/2017 08:47 AM, Cornelia Huck wrote:
>>> On Tue, 21 Nov 2017 11:08:01 -0500
>>> Tony Krowiak <akrowiak@...ux.vnet.ibm.com> wrote:
>>>
>>>   
>>>> I am not quite sure what you are asking, but I'll attempt to answer
>>>> what I think you're asking. A new type of mediated matrix device
>>>> will be introduced to configure a virtual matrix for a guest that
>>>> provides the interfaces to map a virtual adapter/domain ID to one
>>>> or more real adapter/domain IDs. If by virtualization facility,
>>>> you are talking about the VFIO AP matrix driver, then yes,
>>>> the driver will handle ioctl requests based on the type of the
>>>> mediated matrix device through which the request was submitted:
>>>>
>>>> If the request is to configure the KVM guest's matrix:
>>>>
>>>> * If the mediated matrix device type is passthrough:
>>>>      * Do validation of matrix
>>>>      * Configure the APM, AQM and ADM in the KVM guest's CRYCB
>>>>        according to the configuration specified via the mediated
>>>>        device's sysfs attribute files.
>>>> * If the mediated matrix device type is virtual:
>>>>      * Do validation of matrix
>>>>      * No need to configure CRYCB since all instructions will be
>>>>        intercepted
>>> Ok, so we would have two distinct paths here...
>> It depends upon what you mean by two distinct paths. Configuring the
>> mediated device would require a new mediated device type for virtualized
>> AP matrices. The ioctl for configuring the KVM guest's CRYCB would
>> require an additional check to determine whether the CRYCB need be
>> configured or not.
> Yes, the new type makes this distinct enough so that we can think about
> this later.
>
>>>   
>>>> If the request is to execute an intercepted AP instruction:
>>>>
>>>> * If the mediated matrix device type is passthrough:
>>>>      * Forward the instruction to the AP device and return the
>>>>        result to QEMU.
>>>>
>>>> * If the mediated matrix device type is virtual:
>>>>
>>>>      * Retrieve all of the real APQNs mapped to the virtual
>>>>        adapter and domain IDs configured in the mediated matrix
>>>>        device's sysfs attribute files
>>>>      * If there is more than one APQN mapping, then determine
>>>>        which would be best to use - algorithm TBD
>>>>      * Forward the instruction to the AP device and return the
>>>>        result.
>>> ...and two distinct paths for most instructions here as well.
>> The driver would require additional ioctls to handle
>> interception of all AP instructions for virtual matrices and additional
>> code to remap virtual APQNs to real APQNs and determine which real APQN
>> to which intercepted instructions should be forwarded.
>>>   
>>>> Of course, these are just preliminary ideas at this time.
>>>> I've only prototyped the sysfs configuration interfaces. No
>>>> back end prototyping has been undertaken yet. If the ideas do
>>>> not pan out, however; I think virtualization can be introduced
>>>> as an independent design.
>>> Yes, let's cross that bridge when we get to it.
>> That is the plan. Given Pierre's objections, I thought it might help
>> to touch on this.
> OK, so I admit that I lost track a bit. Are there any remaining issues
> beyond the feature handling? Would it make sense to post a v2?
I was planning on posting a V2 once the features issue is settled.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ