Received: by 10.192.165.148 with SMTP id m20csp3176316imm;
        Mon, 7 May 2018 07:56:26 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqF8KZIKmhpNumDP/5OEiAwLTv6/zTHALtAy2bt0XGRhllQnF8YV/yg/nNteJgkvhAPBrK5
X-Received: by 2002:a9d:436f:: with SMTP id y44-v6mr28672102oti.312.1525704986341;
        Mon, 07 May 2018 07:56:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525704986; cv=none;
        d=google.com; s=arc-20160816;
        b=DtPAXkgL9qoQIB0RBIsDWwtDa+AJo13mWm60oknW0f+bFn/5ZVgA9vIaE3G6k4a8Kf
         YHuMQ3czhe7PdQeMGYZNsfcGZ2/MhPGOxKthzACljcokdEjpeep+orZ4w2HHX0cvg8l1
         7WicZuCgNqNsly/PBSlGyftuQ7D0bKzq4gW2H1RW1M2mf/5UOz6CwLrGXhqEYCr3ifQj
         WeeXoMNohfgSGaGahWSYy7F2X/FNRuJnblQTOLQrnLpX0mqrP6a89aBYcWMFXEosuI71
         Vk264cilBpnWbOV18TlMVFQU6KBfM5EZ/p+7Hi77KIUSfZc+ZZBlFcqR+ic2GmPkcjkh
         wvsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:organization:from:references:cc:to:subject
         :arc-authentication-results;
        bh=Kqwn3P13+kycb4rlTwbrV//p6PcM3w2fySVfnCuWYRU=;
        b=DqGlkA5AxEJ/msVpzVTaNr2MMxVW4l3qts34X39gNSsoRUuLMtboMfXtbDPeAtry1i
         3A+3VYnEfbXQ0/Wlw9ZFX8qmMfT4rKfKSKxipmdH3JT/QFdxL4aL6vie3NtOyQHGhO2M
         iOarzNJJAX4EE5AMOkIHCnVX1XiB6oUq3MqNbHnesCLiUKFIz06KrqNXuRTjrwRnZIhH
         3KMxjU6cKcRL1kAwHwJ6Rhp+/V/yByvKDl8ybLsxvqD7ksuW99eOC/cayA5N26vx+M6O
         u74lkwYxVby/FvSsOtUR/3KmvKPWGJoBaXQwun9N7bvMhTlInPb0ae5VzFI7MGJuiOWm
         UVWw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k33-v6si1838821otk.171.2018.05.07.07.56.12;
        Mon, 07 May 2018 07:56:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752369AbeEGOz1 (ORCPT <rfc822;zjuysxie86@gmail.com>
        + 99 others); Mon, 7 May 2018 10:55:27 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:59372 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751912AbeEGOzZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 10:55:25 -0400
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 428224067EF0;
        Mon,  7 May 2018 14:55:24 +0000 (UTC)
Received: from [10.36.117.190] (ovpn-117-190.ams2.redhat.com [10.36.117.190])
        by smtp.corp.redhat.com (Postfix) with ESMTP id E446B2166BAD;
        Mon,  7 May 2018 14:55:20 +0000 (UTC)
Subject: Re: [PATCH v4 01/15] s390: zcrypt: externalize AP instructions
 available function
To:     Tony Krowiak <akrowiak@linux.vnet.ibm.com>,
        linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
        kvm@vger.kernel.org
Cc:     freude@de.ibm.com, schwidefsky@de.ibm.com,
        heiko.carstens@de.ibm.com, borntraeger@de.ibm.com,
        cohuck@redhat.com, kwankhede@nvidia.com,
        bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com,
        alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com,
        alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com,
        jjherne@linux.vnet.ibm.com, thuth@redhat.com,
        pasic@linux.vnet.ibm.com, berrange@redhat.com,
        fiuczy@linux.vnet.ibm.com, buendgen@de.ibm.com
References: <1523827345-11600-1-git-send-email-akrowiak@linux.vnet.ibm.com>
 <1523827345-11600-2-git-send-email-akrowiak@linux.vnet.ibm.com>
 <7e537cfc-5d67-c188-2890-191608cb7b4f@redhat.com>
 <6ece398b-49eb-c048-64c7-85acf3801103@linux.vnet.ibm.com>
From:   David Hildenbrand <david@redhat.com>
Organization: Red Hat GmbH
Message-ID: <88fadaf1-595a-ac72-279a-6706f149be9b@redhat.com>
Date:   Mon, 7 May 2018 16:55:20 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <6ece398b-49eb-c048-64c7-85acf3801103@linux.vnet.ibm.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 07 May 2018 14:55:24 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 07 May 2018 14:55:24 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'david@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07.05.2018 16:02, Tony Krowiak wrote:
> On 05/04/2018 03:19 AM, David Hildenbrand wrote:
>> On 15.04.2018 23:22, Tony Krowiak wrote:
>>> If the AP instructions are not available on the linux host, then
>>> AP devices can not be interpreted by the SIE. The AP bus has a
>> This statement is wrong. The instructions can be interpreted by SIE e.g.
>> if there are no devices assigned to a guest. This is e.g. the case for
>> !CONFIG_ZCRYPT.
> 
> While the statement is admittedly poorly worded, it is not wrong.
> Without going into architectural details, If the AP instructions
> are not available, they will not be interpreted for guest
> level 1 - i.e., the linux host. If AP instructions are not interpreted
> for guest level 1, then they will not be interpreted for guest
> level 2 regardless of whether ECA_APIE is set for guest level 2 or
> not. I don't see how CONFIG_ZCRYPT has anything to do with this.
> 
> 
>>
>> Also, doesn't this directly imply that the other execution control
>> should also not be used ("intercept AP instuctions"). This would be bad.
>> Just because !CONFIG_ZCRYPT does not imply that you can't emulate AP
>> devices for a guest.
> 
> Setting CONFIG_ZCRYPT=n simply means that the AP bus will not be built
> and therefore the AP bus interfaces will not be available to KVM.
> As far as ECA_APIE goes, there are only two choices: Set the bit to
> enable SIE interpretation of AP instructions; Clear the bit to use

I thought somebody once mentioned once in one of these threads that
there are actually 2 different bits. One to control interpretation and
one to control interception.

> interception. We are only supporting SIE interpretation of AP
> instructions at this time, so we need a sure-fire way to determine
> if the AP instructions are installed, which is the point of this patch.
> Since there are no intercept handlers at this time, when the AP bus
> module on the guest is initialized, the init function will fail and
> the bus will not come up. There are protections built into userspace
> (QEMU in this case) to ensure that a guest is not started if the CPU
> model feature for AP instructions is not turned on for the guest. The
> CPU model feature will be enabled by the KVM only if the AP instructions
> are installed on the linux host. Again, that is reason for this
> patch.
> 



-- 

Thanks,

David / dhildenb