Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp780528imm; Wed, 22 Aug 2018 12:27:54 -0700 (PDT) X-Google-Smtp-Source: AA+uWPzBo2Irxm3jMlSh0HAcyl9BVQ1XFJ61dWrFxjREGqHfrGBiFeYZQciG9bIo1NRSBvRKstxw X-Received: by 2002:a62:68c3:: with SMTP id d186-v6mr59099309pfc.70.1534966074361; Wed, 22 Aug 2018 12:27:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534966074; cv=none; d=google.com; s=arc-20160816; b=sHa5Vj1PEPG+Fl4LCRVuOxrqRtI/1johIx7dD+6XCqK/eHI5lwfYE/4NzP/xU9ndwr 7740C46czAJgQvTOQknHPTLz/ijvM/WKL5PYyBYx1rMWK72MJbwBjAVgD4dhOjJG0QN+ vSDjAOnwue6fyuUnfodl31k9szSUHy/ePyZDCjT+UJMNxGpdnZzJk5AW2dHtCwkYmQVQ yauXOmR/UsVqNCedSfUEdxiYGO8uyEIAc1Z+HtUZDcUzOUOjppjVH3L5Q1ro37urVmO5 nF7bYPL5DFWF6XLyVZPcV+S+QaVYuJUVYyC4pWhwnzRcCnqh/RKrmQlPXHUW4GixyRwO GVDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :from:references:cc:to:subject:arc-authentication-results; bh=8qSc4jcUMR1exa314Gron4I0N3+5QnbJHclZn5EJ6tc=; b=T8iNkxPOXOHnB20jj/NVZ3duLI0KOL2OU8hEM2U5iKMZGUwXAXkA8hAqHaf6IYk+xE hYgeRgkZhZ530ViVAFQQ4/IoxJDRtX9DrTtAlKpn/LCSPC7EohMaMrgOiSB6d02fc0hc VCZtrXGn0F0xVe0N/oPUAqnK4ahgZzOv915zxQnKEHotzu3lnAGa1p/6ArutTxxo3YL5 buITfssZtc9IXsO9E0M+P1+ePA2dq5KQxAkmRY2j/WjKCFtXa8w3gu5FcyWfzVUNCfRa 2n+SGZ8/1YKu/njyPmUuWlZ3SGh9wKa5C+CDd5eNvWXUIVrTpaaRA978tHPeSFwFzWlI MVMA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t16-v6si2280963pgj.234.2018.08.22.12.27.39; Wed, 22 Aug 2018 12:27:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728106AbeHVWwl (ORCPT + 99 others); Wed, 22 Aug 2018 18:52:41 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48066 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727466AbeHVWwl (ORCPT ); Wed, 22 Aug 2018 18:52:41 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7MJOV0X058976 for ; Wed, 22 Aug 2018 15:26:31 -0400 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0a-001b2d01.pphosted.com with ESMTP id 2m1dy203pn-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 22 Aug 2018 15:26:31 -0400 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 22 Aug 2018 15:16:25 -0400 Received: from b01cxnp22034.gho.pok.ibm.com (9.57.198.24) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 22 Aug 2018 15:16:22 -0400 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w7MJGKVY63897850 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 22 Aug 2018 19:16:20 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 02D3F2805E; Wed, 22 Aug 2018 15:14:51 -0400 (EDT) Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5F73C28058; Wed, 22 Aug 2018 15:14:50 -0400 (EDT) Received: from oc8043147753.ibm.com (unknown [9.60.75.213]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 22 Aug 2018 15:14:50 -0400 (EDT) Subject: Re: [PATCH v9 12/22] s390: vfio-ap: sysfs interfaces to configure control domains To: Halil Pasic , Christian Borntraeger , pmorel@linux.ibm.com, Cornelia Huck Cc: Tony Krowiak , linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, freude@de.ibm.com, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, kwankhede@nvidia.com, bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com, alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com, alifm@linux.vnet.ibm.com, mjrosato@linux.vnet.ibm.com, jjherne@linux.vnet.ibm.com, thuth@redhat.com, pasic@linux.vnet.ibm.com, berrange@redhat.com, fiuczy@linux.vnet.ibm.com, buendgen@de.ibm.com, frankja@linux.ibm.com References: <1534196899-16987-1-git-send-email-akrowiak@linux.vnet.ibm.com> <1534196899-16987-13-git-send-email-akrowiak@linux.vnet.ibm.com> <20180820162317.08bd7d23.cohuck@redhat.com> <660de00a-c403-28c1-4df4-82a973ab3ad5@linux.ibm.com> <20180821172548.57a6c758.cohuck@redhat.com> <82a391ee-85b1-cdc7-0f9b-d37fd8ba8e47@linux.ibm.com> <20180822114250.59a250aa.cohuck@redhat.com> <8bc5f207-f913-825c-f9fc-0a2c7fd280aa@linux.ibm.com> <219b352b-d5a2-189c-e205-82e7f9ae3d64@de.ibm.com> From: Tony Krowiak Date: Wed, 22 Aug 2018 15:16:19 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-TM-AS-GCONF: 00 x-cbid: 18082219-0072-0000-0000-0000039575CC X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00009593; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000266; SDB=6.01077331; UDB=6.00555442; IPR=6.00857306; MB=3.00022872; MTD=3.00000008; XFM=3.00000015; UTC=2018-08-22 19:16:24 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18082219-0073-0000-0000-0000492ABC87 Message-Id: <9ef5fcb9-02e0-88e3-007c-eedb14e6db80@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-08-22_10:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808220191 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/22/2018 01:11 PM, Halil Pasic wrote: > > > On 08/22/2018 05:48 PM, Christian Borntraeger wrote: >> On 08/22/2018 05:34 PM, Pierre Morel wrote: >>> On 22/08/2018 17:11, Christian Borntraeger wrote: >>>> >>>> >>>> On 08/22/2018 01:03 PM, Pierre Morel wrote: >>>>>> That's interesting. >>>>>> >>>>>>> IMHO this quote is quite a half-full half-empty cup one: >>>>>>> * it mandates the set of usage domains is a subset of the set >>>>>>> of the control domains, but >>>>>>> * it speaks of independent controls, namely about the 'usage >>>>>>> domain index' >>>>>>> and the 'control domain index list' and makes the enforcement of >>>>>>> the rule >>>>>>> a job of the administrator (instead of codifying it in the >>>>>>> controls). >>>>>> I'm wondering if a configuration with a usage domain that is not >>>>>> also a >>>>>> control domain is rejected outright? Anybody tried that? :) >>>>> >>>>> Yes, and no it is not. >>>>> We can use a queue (usage domain) to a AP card for SHA-512 or RSA >>>>> without >>>>> having to define the queue as a control domain. >>>> >>>> Huh? My HMC allows to add a domain as >>>> - control only domain >>>> - control and usage domain. >>>> >>>> But I am not able to configure a usage-only domain for my LPAR. >>>> That seems to match >>>> the current code, no? >>>> >>> >>> Yes, it may not be configurable by the HMC but if we start a guest >>> with no control domain it is not a problem to access the hardware >>> through the usage domain. >>> >>> I tested this a long time ago, but tested again today to be sure on >>> my LPAR. >>> >>> AFAIU adding a control only domain and a control and usage domain >>> allows say: >>> control and usage domain 1 >>> control only domain 2 >>> >>> Allow to send a message to domain 2 using queue 1 >>> >>> Allow also to send a domain modifying message to domain 1 using queue 1 >>> >>> control domain are domain which are controlled >> >> So you have changed the code to not automatically make a usage domain a >> control domain in the bitfield (and you could still use it as a usage >> domain). Correct? > > I tested basically the same yesterday, with the same results. > >> I think this is probably expected. the "usage implies control" seems to >> be a convention implemented by HMC (lpar) and z/VM but millicode offers >> the bits to have usage-only domains. As LPAR and z/VM will always enable >> any usage-domain to also be a control domain we should do the same. > > I'm fine either way, but slightly prefer higher level management software > and not the kernel accommodating this convention. > > Please consider a quote from Harald's mail in another sub-thread > > > """ > ... about control domains > > Talked with the s390 firmware guys. The convention that the control > domain > mask is a superset of the usage domain mask is only true for 1st level > guests. > > It is absolutely valid to run a kvm guest with restricted control domain > mask bitmap in the CRYCB. It is valid to have an empty control domain > mask > and the guest should be able to run crypto CPRBs on the usage > domain(s) without > any problems. However, nobody has tried this. > """ > > I'm yet to get an explanation why was this convention established in > the first > place. And I can not figure it out myself. For me a setup where I know > that > the domains used by some guest can not be modified by the same guest > makes > perfect sense. If I try to think in analogies, I kind of compare > modification > (that is control domain) with write access, and usage (that is usage > domain) > with read access to, let's say a regular file. For me, all options > (rw, r, and w) > do make sense, and if I had to pick the one that makes the least sense > I would > pick write only. The convention is in these terms making read-only > illegal. But > should 'usage only domains' ever get identified as something somebody > wants to do > we can just add an attribute for that. So I'm fine either way. One of the things I suggested in a private conversation with Christian earlier today was to provide an additional rw sysfs attribute - a boolean - that indicates whether all usage domains should also be control domains. The default could be true. This would allow one to configure guests with usage-only domains as well as satisfy the convention. > > > Still I find the commit message for this patch, the implementation of > assign_control_domain() and also the documentation slightly misleading > regarding > what does one get from assign_domain. > > > Regards, > Halil > > > > > >> >> >>> It seems that the HMC enforce the LPARs to have access to their >>> usage domain (AFAIU from Harald) >>