lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6475e527-6257-d6dd-e712-e7b64f95ccad@linux.ibm.com>
Date:   Tue, 4 Oct 2022 15:48:02 +0200
From:   Steffen Eiden <seiden@...ux.ibm.com>
To:     Claudio Imbrenda <imbrenda@...ux.ibm.com>, kvm@...r.kernel.org
Cc:     borntraeger@...ibm.com, frankja@...ux.ibm.com, thuth@...hat.com,
        david@...hat.com, linux-s390@...r.kernel.org,
        linux-kernel@...r.kernel.org, scgl@...ux.ibm.com, nrb@...ux.ibm.com
Subject: Re: [PATCH v14 5/6] KVM: s390: pv: support for Destroy fast UVC



On 9/30/22 16:01, Claudio Imbrenda wrote:
> Add support for the Destroy Secure Configuration Fast Ultravisor call,
> and take advantage of it for asynchronous destroy.
> 
> When supported, the protected guest is destroyed immediately using the
> new UVC, leaving only the memory to be cleaned up asynchronously.
> 
> Signed-off-by: Claudio Imbrenda <imbrenda@...ux.ibm.com>
> Reviewed-by: Nico Boehr <nrb@...ux.ibm.com>
> Reviewed-by: Janosch Frank <frankja@...ux.ibm.com>
LGTM
Reviewed-by: Steffen Eiden <seiden@...ux.ibm.com>

> ---
>   arch/s390/include/asm/uv.h | 10 +++++++
>   arch/s390/kvm/pv.c         | 57 ++++++++++++++++++++++++++++++++------
>   2 files changed, 59 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
> index be3ef9dd6972..28a9ad57b6f1 100644
> --- a/arch/s390/include/asm/uv.h
> +++ b/arch/s390/include/asm/uv.h
> @@ -34,6 +34,7 @@
>   #define UVC_CMD_INIT_UV			0x000f
>   #define UVC_CMD_CREATE_SEC_CONF		0x0100
>   #define UVC_CMD_DESTROY_SEC_CONF	0x0101
> +#define UVC_CMD_DESTROY_SEC_CONF_FAST	0x0102
>   #define UVC_CMD_CREATE_SEC_CPU		0x0120
>   #define UVC_CMD_DESTROY_SEC_CPU		0x0121
>   #define UVC_CMD_CONV_TO_SEC_STOR	0x0200
> @@ -81,6 +82,7 @@ enum uv_cmds_inst {
>   	BIT_UVC_CMD_UNSHARE_ALL = 20,
>   	BIT_UVC_CMD_PIN_PAGE_SHARED = 21,
>   	BIT_UVC_CMD_UNPIN_PAGE_SHARED = 22,
> +	BIT_UVC_CMD_DESTROY_SEC_CONF_FAST = 23,
>   	BIT_UVC_CMD_DUMP_INIT = 24,
>   	BIT_UVC_CMD_DUMP_CONFIG_STOR_STATE = 25,
>   	BIT_UVC_CMD_DUMP_CPU = 26,
> @@ -230,6 +232,14 @@ struct uv_cb_nodata {
>   	u64 reserved20[4];
>   } __packed __aligned(8);
>   
> +/* Destroy Configuration Fast */
> +struct uv_cb_destroy_fast {
> +	struct uv_cb_header header;
> +	u64 reserved08[2];
> +	u64 handle;
> +	u64 reserved20[5];
> +} __packed __aligned(8);
> +
>   /* Set Shared Access */
>   struct uv_cb_share {
>   	struct uv_cb_header header;
> diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c
> index 335eeec6e3da..1b51e5c3f7df 100644
> --- a/arch/s390/kvm/pv.c
> +++ b/arch/s390/kvm/pv.c
> @@ -201,6 +201,9 @@ static int kvm_s390_pv_dispose_one_leftover(struct kvm *kvm,
>   {
>   	int cc;
>   
> +	/* It used the destroy-fast UVC, nothing left to do here */
> +	if (!leftover->handle)
> +		goto done_fast;
>   	cc = uv_cmd_nodata(leftover->handle, UVC_CMD_DESTROY_SEC_CONF, rc, rrc);
>   	KVM_UV_EVENT(kvm, 3, "PROTVIRT DESTROY LEFTOVER VM: rc %x rrc %x", *rc, *rrc);
>   	WARN_ONCE(cc, "protvirt destroy leftover vm failed rc %x rrc %x", *rc, *rrc);
> @@ -215,6 +218,7 @@ static int kvm_s390_pv_dispose_one_leftover(struct kvm *kvm,
>   	free_pages(leftover->stor_base, get_order(uv_info.guest_base_stor_len));
>   	free_pages(leftover->old_gmap_table, CRST_ALLOC_ORDER);
>   	vfree(leftover->stor_var);
> +done_fast:
>   	atomic_dec(&kvm->mm->context.protected_count);
>   	return 0;
>   }
> @@ -248,6 +252,32 @@ static void kvm_s390_destroy_lower_2g(struct kvm *kvm)
>   	srcu_read_unlock(&kvm->srcu, srcu_idx);
>   }
>   
> +static int kvm_s390_pv_deinit_vm_fast(struct kvm *kvm, u16 *rc, u16 *rrc)
> +{
> +	struct uv_cb_destroy_fast uvcb = {
> +		.header.cmd = UVC_CMD_DESTROY_SEC_CONF_FAST,
> +		.header.len = sizeof(uvcb),
> +		.handle = kvm_s390_pv_get_handle(kvm),
> +	};
> +	int cc;
> +
> +	cc = uv_call_sched(0, (u64)&uvcb);
> +	*rc = uvcb.header.rc;
> +	*rrc = uvcb.header.rrc;
> +	WRITE_ONCE(kvm->arch.gmap->guest_handle, 0);
> +	KVM_UV_EVENT(kvm, 3, "PROTVIRT DESTROY VM FAST: rc %x rrc %x", *rc, *rrc);
> +	WARN_ONCE(cc, "protvirt destroy vm fast failed rc %x rrc %x", *rc, *rrc);
> +	/* Inteded memory leak on "impossible" error */
> +	if (!cc)
> +		kvm_s390_pv_dealloc_vm(kvm);
> +	return cc ? -EIO : 0;
> +}
> +
> +static inline bool is_destroy_fast_available(void)
> +{
> +	return test_bit_inv(BIT_UVC_CMD_DESTROY_SEC_CONF_FAST, uv_info.inst_calls_list);
> +}
> +
>   /**
>    * kvm_s390_pv_set_aside - Set aside a protected VM for later teardown.
>    * @kvm: the VM
> @@ -269,6 +299,7 @@ static void kvm_s390_destroy_lower_2g(struct kvm *kvm)
>   int kvm_s390_pv_set_aside(struct kvm *kvm, u16 *rc, u16 *rrc)
>   {
>   	struct pv_vm_to_be_destroyed *priv;
> +	int res = 0;
>   
>   	/*
>   	 * If another protected VM was already prepared for teardown, refuse.
> @@ -280,14 +311,21 @@ int kvm_s390_pv_set_aside(struct kvm *kvm, u16 *rc, u16 *rrc)
>   	if (!priv)
>   		return -ENOMEM;
>   
> -	priv->stor_var = kvm->arch.pv.stor_var;
> -	priv->stor_base = kvm->arch.pv.stor_base;
> -	priv->handle = kvm_s390_pv_get_handle(kvm);
> -	priv->old_gmap_table = (unsigned long)kvm->arch.gmap->table;
> -	WRITE_ONCE(kvm->arch.gmap->guest_handle, 0);
> -	if (s390_replace_asce(kvm->arch.gmap)) {
> +	if (is_destroy_fast_available()) {
> +		res = kvm_s390_pv_deinit_vm_fast(kvm, rc, rrc);
> +	} else {
> +		priv->stor_var = kvm->arch.pv.stor_var;
> +		priv->stor_base = kvm->arch.pv.stor_base;
> +		priv->handle = kvm_s390_pv_get_handle(kvm);
> +		priv->old_gmap_table = (unsigned long)kvm->arch.gmap->table;
> +		WRITE_ONCE(kvm->arch.gmap->guest_handle, 0);
> +		if (s390_replace_asce(kvm->arch.gmap))
> +			res = -ENOMEM;
> +	}
> +
> +	if (res) {
>   		kfree(priv);
> -		return -ENOMEM;
> +		return res;
>   	}
>   
>   	kvm_s390_destroy_lower_2g(kvm);
> @@ -464,6 +502,7 @@ static void kvm_s390_pv_mmu_notifier_release(struct mmu_notifier *subscription,
>   {
>   	struct kvm *kvm = container_of(subscription, struct kvm, arch.pv.mmu_notifier);
>   	u16 dummy;
> +	int r;
>   
>   	/*
>   	 * No locking is needed since this is the last thread of the last user of this
> @@ -472,7 +511,9 @@ static void kvm_s390_pv_mmu_notifier_release(struct mmu_notifier *subscription,
>   	 * unregistered. This means that if this notifier runs, then the
>   	 * struct kvm is still valid.
>   	 */
> -	kvm_s390_cpus_from_pv(kvm, &dummy, &dummy);
> +	r = kvm_s390_cpus_from_pv(kvm, &dummy, &dummy);
> +	if (!r && is_destroy_fast_available())
> +		kvm_s390_pv_deinit_vm_fast(kvm, &dummy, &dummy);
>   }
>   
>   static const struct mmu_notifier_ops kvm_s390_pv_mmu_notifier_ops = {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ