Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp653850imm; Wed, 22 Aug 2018 10:13:59 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbVr0g3lc3kVh2WjH2tkwy67sm+RcQ2nemJShMo9ZG9WpXZfRSuprNBzMFrtXmTDGW3kej7 X-Received: by 2002:a62:2483:: with SMTP id k3-v6mr7965832pfk.195.1534958039930; Wed, 22 Aug 2018 10:13:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534958039; cv=none; d=google.com; s=arc-20160816; b=CEC9W/QOsv7uJR23PdLsnGtHnJrPnxeo6yo9CMi1i+d833kfLv0RtczsIq/RkMul4k VBCgB7SiYjiHkTpKE1IpV03xI7rDZDHRVtsQR+FzF2PZHDodx2wT/5JZOTUxhhkTrP/F CMSZsjxspR9pCPTgPzFgVTV+nkht0Etc4tl2dLgyXqoPoRENhkbRE+oUw/0lMOX18AGI Wp81gPncC8idABSQGwhURnSjO76YKx7UJCimjw0NTT3GRjW6srCtycfhSPwGbF12JQpU EkaO84PhsH4qLR/BHr94WumooyCtpfA0W3DdcDonkGYAofQfeSRMWJLseGti1/C8r1b7 tvHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date:from :references:cc:to:subject:arc-authentication-results; bh=JPTZcGNou/MbsU/ktB45dW7BLYMk2bcTnQtYXlJHOB4=; b=DpSQoTfctYheH0Kez7SqjSD9gE9rL4NC9FWlWr94cPnoioXJnEUcDkqTUythDiR1kE sOlCzOyxaGx+X35zsXGsPm1XWjpYNLZA1h/I6R2lqqpin9FvFaRxOh4KkCyO7X/YjP8P ntrBc5ivgaJnsnq1zT73e+2Er2tYkUTSqFqRHRRXLeX6e6SmEDJ6E7aa7uZgHEz8jeg5 l9mdtx6hAVj1spn7h4uQlOKHCO8I0u+MASZuIVQww1/4hgqk4Ojwsafyx55COabW8PDm mj7vnmb/ZGLPTdEIZtkvjZx4WCVfzL0K2ps1bND6l6bO0mFbnBgPmJLuRIqtFBq/j08b s7UA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n28-v6si2276990pfg.127.2018.08.22.10.13.43; Wed, 22 Aug 2018 10:13:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727403AbeHVUhs (ORCPT + 99 others); Wed, 22 Aug 2018 16:37:48 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:44790 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727234AbeHVUhs (ORCPT ); Wed, 22 Aug 2018 16:37:48 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7MH8m7d091792 for ; Wed, 22 Aug 2018 13:12:04 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2m1axttu0p-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 22 Aug 2018 13:12:03 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 22 Aug 2018 18:12:01 +0100 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 22 Aug 2018 18:11:57 +0100 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w7MHBumG35586294 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 22 Aug 2018 17:11:56 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0637AA4051; Wed, 22 Aug 2018 20:11:56 +0100 (BST) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06B9DA404D; Wed, 22 Aug 2018 20:11:54 +0100 (BST) Received: from oc0155643701.ibm.com (unknown [9.145.189.122]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 22 Aug 2018 20:11:53 +0100 (BST) Subject: Re: [PATCH v9 12/22] s390: vfio-ap: sysfs interfaces to configure control domains To: Christian Borntraeger , pmorel@linux.ibm.com, Cornelia Huck Cc: Tony Krowiak , Tony Krowiak , linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, freude@de.ibm.com, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, kwankhede@nvidia.com, bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com, alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com, alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com, jjherne@linux.vnet.ibm.com, thuth@redhat.com, pasic@linux.vnet.ibm.com, berrange@redhat.com, fiuczy@linux.vnet.ibm.com, buendgen@de.ibm.com, frankja@linux.ibm.com References: <1534196899-16987-1-git-send-email-akrowiak@linux.vnet.ibm.com> <1534196899-16987-13-git-send-email-akrowiak@linux.vnet.ibm.com> <20180820162317.08bd7d23.cohuck@redhat.com> <660de00a-c403-28c1-4df4-82a973ab3ad5@linux.ibm.com> <20180821172548.57a6c758.cohuck@redhat.com> <82a391ee-85b1-cdc7-0f9b-d37fd8ba8e47@linux.ibm.com> <20180822114250.59a250aa.cohuck@redhat.com> <8bc5f207-f913-825c-f9fc-0a2c7fd280aa@linux.ibm.com> <219b352b-d5a2-189c-e205-82e7f9ae3d64@de.ibm.com> From: Halil Pasic Date: Wed, 22 Aug 2018 19:11:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <219b352b-d5a2-189c-e205-82e7f9ae3d64@de.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 18082217-0016-0000-0000-000001FA468E X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18082217-0017-0000-0000-000032509D24 Message-Id: X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-08-22_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808220172 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/22/2018 05:48 PM, Christian Borntraeger wrote: > On 08/22/2018 05:34 PM, Pierre Morel wrote: >> On 22/08/2018 17:11, Christian Borntraeger wrote: >>> >>> >>> On 08/22/2018 01:03 PM, Pierre Morel wrote: >>>>> That's interesting. >>>>> >>>>>> IMHO this quote is quite a half-full half-empty cup one: >>>>>> * it mandates the set of usage domains is a subset of the set >>>>>> of the control domains, but >>>>>> * it speaks of independent controls, namely about the 'usage domain index' >>>>>> and the 'control domain index list' and makes the enforcement of the rule >>>>>> a job of the administrator (instead of codifying it in the controls). >>>>> I'm wondering if a configuration with a usage domain that is not also a >>>>> control domain is rejected outright? Anybody tried that? :) >>>> >>>> Yes, and no it is not. >>>> We can use a queue (usage domain) to a AP card for SHA-512 or RSA without >>>> having to define the queue as a control domain. >>> >>> Huh? My HMC allows to add a domain as >>> - control only domain >>> - control and usage domain. >>> >>> But I am not able to configure a usage-only domain for my LPAR. That seems to match >>> the current code, no? >>> >> >> Yes, it may not be configurable by the HMC but if we start a guest with no control domain it is not a problem to access the hardware through the usage domain. >> >> I tested this a long time ago, but tested again today to be sure on my LPAR. >> >> AFAIU adding a control only domain and a control and usage domain >> allows say: >> control and usage domain 1 >> control only domain 2 >> >> Allow to send a message to domain 2 using queue 1 >> >> Allow also to send a domain modifying message to domain 1 using queue 1 >> >> control domain are domain which are controlled > > So you have changed the code to not automatically make a usage domain a > control domain in the bitfield (and you could still use it as a usage > domain). Correct? I tested basically the same yesterday, with the same results. > I think this is probably expected. the "usage implies control" seems to > be a convention implemented by HMC (lpar) and z/VM but millicode offers > the bits to have usage-only domains. As LPAR and z/VM will always enable > any usage-domain to also be a control domain we should do the same. I'm fine either way, but slightly prefer higher level management software and not the kernel accommodating this convention. Please consider a quote from Harald's mail in another sub-thread """ ... about control domains Talked with the s390 firmware guys. The convention that the control domain mask is a superset of the usage domain mask is only true for 1st level guests. It is absolutely valid to run a kvm guest with restricted control domain mask bitmap in the CRYCB. It is valid to have an empty control domain mask and the guest should be able to run crypto CPRBs on the usage domain(s) without any problems. However, nobody has tried this. """ I'm yet to get an explanation why was this convention established in the first place. And I can not figure it out myself. For me a setup where I know that the domains used by some guest can not be modified by the same guest makes perfect sense. If I try to think in analogies, I kind of compare modification (that is control domain) with write access, and usage (that is usage domain) with read access to, let's say a regular file. For me, all options (rw, r, and w) do make sense, and if I had to pick the one that makes the least sense I would pick write only. The convention is in these terms making read-only illegal. But should 'usage only domains' ever get identified as something somebody wants to do we can just add an attribute for that. So I'm fine either way. Still I find the commit message for this patch, the implementation of assign_control_domain() and also the documentation slightly misleading regarding what does one get from assign_domain. Regards, Halil > > >> It seems that the HMC enforce the LPARs to have access to their usage domain (AFAIU from Harald) >