Subject: Re: [PATCH v4 01/15] s390: zcrypt: externalize AP instructions available function
From: David Hildenbrand
Date: Mon, 7 May 2018 16:55:20 +0200
To: Tony Krowiak, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: freude@de.ibm.com, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com,
    borntraeger@de.ibm.com, cohuck@redhat.com, kwankhede@nvidia.com,
    bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com, alex.williamson@redhat.com,
    pmorel@linux.vnet.ibm.com, alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com,
    jjherne@linux.vnet.ibm.com, thuth@redhat.com, pasic@linux.vnet.ibm.com,
    berrange@redhat.com, fiuczy@linux.vnet.ibm.com, buendgen@de.ibm.com

On 07.05.2018 16:02, Tony Krowiak wrote:
> On 05/04/2018 03:19 AM, David Hildenbrand wrote:
>> On 15.04.2018 23:22, Tony Krowiak wrote:
>>> If the AP instructions are not available on the linux host, then
>>> AP devices can not be interpreted by the SIE. The AP bus has a
>> This statement is wrong. The instructions can be interpreted by SIE e.g.
>> if there are no devices assigned to a guest. This is e.g. the case for
>> !CONFIG_ZCRYPT.
>
> While the statement is admittedly poorly worded, it is not wrong.
> Without going into architectural details, if the AP instructions
> are not available, they will not be interpreted for guest
> level 1 - i.e., the linux host. If AP instructions are not interpreted
> for guest level 1, then they will not be interpreted for guest
> level 2 regardless of whether ECA_APIE is set for guest level 2 or
> not. I don't see how CONFIG_ZCRYPT has anything to do with this.
>
>>
>> Also, doesn't this directly imply that the other execution control
>> should also not be used ("intercept AP instructions"). This would be bad.
>> Just because !CONFIG_ZCRYPT does not imply that you can't emulate AP
>> devices for a guest.
>
> Setting CONFIG_ZCRYPT=n simply means that the AP bus will not be built
> and therefore the AP bus interfaces will not be available to KVM.
> As far as ECA_APIE goes, there are only two choices: Set the bit to
> enable SIE interpretation of AP instructions; Clear the bit to use

I thought somebody once mentioned in one of these threads that there
are actually 2 different bits. One to control interpretation and one to
control interception.

> interception. We are only supporting SIE interpretation of AP
> instructions at this time, so we need a sure-fire way to determine
> if the AP instructions are installed, which is the point of this patch.
> Since there are no intercept handlers at this time, when the AP bus
> module on the guest is initialized, the init function will fail and
> the bus will not come up. There are protections built into userspace
> (QEMU in this case) to ensure that a guest is not started if the CPU
> model feature for AP instructions is not turned on for the guest. The
> CPU model feature will be enabled by the KVM only if the AP instructions
> are installed on the linux host. Again, that is the reason for this
> patch.
>

-- 

Thanks,

David / dhildenb