| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Aug 2018 17:04:45 +0200
From: David Hildenbrand <david@...hat.com>
To: pmorel@...ux.ibm.com, Tony Krowiak <akrowiak@...ux.vnet.ibm.com>,
linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org
Cc: freude@...ibm.com, schwidefsky@...ibm.com,
heiko.carstens@...ibm.com, borntraeger@...ibm.com,
cohuck@...hat.com, kwankhede@...dia.com,
bjsdjshi@...ux.vnet.ibm.com, pbonzini@...hat.com,
alex.williamson@...hat.com, pmorel@...ux.vnet.ibm.com,
alifm@...ux.vnet.ibm.com, mjrosato@...ux.vnet.ibm.com,
jjherne@...ux.vnet.ibm.com, thuth@...hat.com,
pasic@...ux.vnet.ibm.com, berrange@...hat.com,
fiuczy@...ux.vnet.ibm.com, buendgen@...ibm.com,
frankja@...ux.ibm.com, Tony Krowiak <akrowiak@...ux.ibm.com>
Subject: Re: [PATCH v9 21/22] KVM: s390: CPU model support for AP
virtualization
On 22.08.2018 16:33, Pierre Morel wrote:
> On 22/08/2018 13:19, David Hildenbrand wrote:
>> On 13.08.2018 23:48, Tony Krowiak wrote:
>>> From: Tony Krowiak <akrowiak@...ux.ibm.com>
>>>
>>> Introduces a new CPU model feature and two CPU model
>>> facilities to support AP virtualization for KVM guests.
>>>
>>> CPU model feature:
>>>
>>> The KVM_S390_VM_CPU_FEAT_AP feature indicates that
>>> AP instructions are available on the guest. This
>>> feature will be enabled by the kernel only if the AP
>>> instructions are installed on the linux host. This feature
>>> must be specifically turned on for the KVM guest from
>>> userspace to use the VFIO AP device driver for guest
>>> access to AP devices.
>>>
>>> CPU model facilities:
>>>
>>> 1. AP Query Configuration Information (QCI) facility is installed.
>>>
>>> This is indicated by setting facilities bit 12 for
>>> the guest. The kernel will not enable this facility
>>> for the guest if it is not set on the host.
>>>
>>> If this facility is not set for the KVM guest, then only
>>> APQNs with an APQI less than 16 will be used by a Linux
>>> guest regardless of the matrix configuration for the virtual
>>> machine. This is a limitation of the Linux AP bus.
>>>
>>> 2. AP Facilities Test facility (APFT) is installed.
>>>
>>> This is indicated by setting facilities bit 15 for
>>> the guest. The kernel will not enable this facility for
>>> the guest if it is not set on the host.
>>>
>>> If this facility is not set for the KVM guest, then no
>>> AP devices will be available to the guest regardless of
>>> the guest's matrix configuration for the virtual
>>> machine. This is a limitation of the Linux AP bus.
>>>
>>> Signed-off-by: Tony Krowiak <akrowiak@...ux.ibm.com>
>>> Reviewed-by: Christian Borntraeger <borntraeger@...ibm.com>
>>> Reviewed-by: Halil Pasic <pasic@...ux.ibm.com>
>>> Tested-by: Michael Mueller <mimu@...ux.ibm.com>
>>> Tested-by: Farhan Ali <alifm@...ux.ibm.com>
>>> Signed-off-by: Christian Borntraeger <borntraeger@...ibm.com>
>>> ---
>>> arch/s390/kvm/kvm-s390.c | 5 +++++
>>> arch/s390/tools/gen_facilities.c | 2 ++
>>> 2 files changed, 7 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
>>> index 1e8cb67..d5e04d2 100644
>>> --- a/arch/s390/kvm/kvm-s390.c
>>> +++ b/arch/s390/kvm/kvm-s390.c
>>> @@ -367,6 +367,11 @@ static void kvm_s390_cpu_feat_init(void)
>>>
>>> if (MACHINE_HAS_ESOP)
>>> allow_cpu_feat(KVM_S390_VM_CPU_FEAT_ESOP);
>>> +
>>> + /* Check if AP instructions installed on host */
>>> + if (ap_instructions_available())
>>> + allow_cpu_feat(KVM_S390_VM_CPU_FEAT_AP);
>>> +
>>> /*
>>> * We need SIE support, ESOP (PROT_READ protection for gmap_shadow),
>>> * 64bit SCAO (SCA passthrough) and IDTE (for gmap_shadow unshadowing).
>>> diff --git a/arch/s390/tools/gen_facilities.c b/arch/s390/tools/gen_facilities.c
>>> index 90a8c9e..a52290b 100644
>>> --- a/arch/s390/tools/gen_facilities.c
>>> +++ b/arch/s390/tools/gen_facilities.c
>>> @@ -106,6 +106,8 @@ struct facility_def {
>>>
>>> .name = "FACILITIES_KVM_CPUMODEL",
>>> .bits = (int[]){
>>> + 12, /* AP Query Configuration Information */
>>> + 15, /* AP Facilities Test */
>>> -1 /* END */
>>> }
>>> },
>>>
>>
>> I really wonder if we should also export the APXA facility.
>>
>> We can probe and allow that CPU feature. However, we cannot disable it
>> (as of now).
>>
>> We have other CPU features where it is the same case (basically all
>> subfunctions). See kvm_s390_get_processor_subfunc(). We probe them and
>> export them, but support to disable them has never been implemented.
>>
>> On a high level, we could then e.g. deny to start a QEMU guest if APXA
>> is available but has been disabled. (until we know that disabling it
>> actually works - if ever).
>>
>> This helps to catch nasty migration bugs (e.g. APXA suddenly
>> disappearing). Although unlikely, definitely possible. >
>>
>> Are there any other AP related facilities that the guest can from now on
>> probe that should also become part of the CPU model?
>>
>
>
>
> Before going too far in a discussion on features which we do not really
> need, we can make clear that we only support beginning with z13 and only
> in the Z architecture mode as host and as guest.
Easy answer:
The CPU model should be prepared for all eventualities. We have handled
it that way since the beginning.
The minimal thing I expect to have is all relevant features probed and
exported to user space. Just like we do with all the MSA/PTFF/PLO
subfunctions. I expect (and remember) this to be the same for PQAP.
(there are some very special cases regarding subfunctions that are not
indicated)
Why? The CPU model is not KVM specific.
>
> We then need to abort the VFIO driver if APXA is not installed.
While you should do that, the CPU model is more generic. This would only
imply that as of now, the APXA feature would always be available if the
AP feature is available.
In addition, it makes the vSIE handling code easier - there is always
APXA and for now it cannot be disabled.
>
> In this case we will have no problem with older guests not having idea
> about APXA.
>
> Would it be a solution?
Any feature the guest sees, should be part of the CPU model. The whole
environment for cpu subfunctions is already in place both in KVM and
QEMU. Only disabling subfunctions in KVM is not implemented yet.
You can exclude any subfunctions/facilities that are only valid on LPAR
level and cannot be used in some guest either way. (that makes life
sometimes easier)
I know that this might sound a little bit complicated, but it really
isn't. Boils down to modifying kvm_s390_cpu_feat_init() and specifying
some features+feature groups in QEMU.
>
>
> Regards,
> Pierre
>
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists