Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1338563imm;
        Thu, 23 Aug 2018 01:05:28 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdYDaCM9olJ/+2alAgJXFSx0FptFDLpavCq+B4PiZ4mOUWNG9xshyUlu/JyY4zI6dVdAxprO
X-Received: by 2002:a62:6781:: with SMTP id t1-v6mr4168111pfj.200.1535011528182;
        Thu, 23 Aug 2018 01:05:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535011528; cv=none;
        d=google.com; s=arc-20160816;
        b=xr9UJLg2rArGaSn/wrLqd3Wmaujo06YccgWBrCKHec4AWRsNLt5QlmHE1l4wW6+iHX
         RrUhOGwUJ2+igLO/TF98dOpQH484JWqAGzSLOfU9qQF1kIzu43Jfhacqep50f5XjJT4H
         d4JKjwX1vq76jgBSRZkmPBoN4CYoVYUmTi/QxY8qXPMBQ8sMhGZBL7g12Nl359j8HfZ0
         R76+e2Wm067xOdVGkz84IVOI13aqnL0ERDjxRV5RcetSFNqiF0oc39AkmATHiDHZTfJO
         +Q0l1aGukO0m2O4urwN+zJXl3Ml6MMoopryLpkLq2X3z6VOJOwjjWkuA5nB3V/1I0odT
         rZ8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date:from
         :references:cc:to:subject:reply-to:arc-authentication-results;
        bh=uBlhyCo1WUG3zccHj09XUXYLgNdhW9C/fLwkgq65OTw=;
        b=aI5xA/rI78lP9d9joCzkC+e7G9P96qVm50HDvH8Nw4qTSMVPc52+czOP5QpIq5S82R
         bCf6SKn/Lz+zx3SGspqxSB5Ib5w2PJC8jyPu0tdAJZ5KWnKf63eom6EZMvgfysh/PL0Z
         kd2bcXj+8GtKxwPum04aau6Nv4MF2821BGMObiRCm+fzoXteHJXi0nNZeTbwDiTMVWaK
         vdcQ1B6rce8qsNFY3ljviRlyRCCLXmAzNjs6AJ/wUJfRzFBZvn6ZNEyMenIq+FzAs4CP
         s8UGumMDO8JrDbCKf+iQHR5srHNc32tOo5ieFb+6342Uui7LelW6UA+GP+OTnoixDDNE
         g9/A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f9-v6si3675657pgl.554.2018.08.23.01.05.13;
        Thu, 23 Aug 2018 01:05:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728952AbeHWL3y (ORCPT <rfc822;0330sisy@gmail.com> + 99 others);
        Thu, 23 Aug 2018 07:29:54 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52090 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728085AbeHWL3x (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Aug 2018 07:29:53 -0400
Received: from pps.filterd (m0098399.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7N7x9qT031730
        for <linux-kernel@vger.kernel.org>; Thu, 23 Aug 2018 04:01:29 -0400
Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2m1rmhs1dt-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 23 Aug 2018 04:01:29 -0400
Received: from localhost
        by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <pmorel@linux.ibm.com>;
        Thu, 23 Aug 2018 09:01:26 +0100
Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196)
        by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Thu, 23 Aug 2018 09:01:24 +0100
Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58])
        by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w7N81NLi22609944
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL);
        Thu, 23 Aug 2018 08:01:23 GMT
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 601984C05A;
        Thu, 23 Aug 2018 11:01:24 +0100 (BST)
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 111E64C05C;
        Thu, 23 Aug 2018 11:01:24 +0100 (BST)
Received: from [9.152.224.92] (unknown [9.152.224.92])
        by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Thu, 23 Aug 2018 11:01:24 +0100 (BST)
Reply-To: pmorel@linux.ibm.com
Subject: Re: [PATCH v2 5/5] KVM: s390: vsie: Do the CRYCB validation first
To:     David Hildenbrand <david@redhat.com>
Cc:     linux-kernel@vger.kernel.org, cohuck@redhat.com,
        linux-s390@vger.kernel.org, kvm@vger.kernel.org,
        frankja@linux.ibm.com, akrowiak@linux.ibm.com,
        borntraeger@de.ibm.com, schwidefsky@de.ibm.com,
        heiko.carstens@de.ibm.com
References: <1534956717-14087-1-git-send-email-pmorel@linux.ibm.com>
 <1534956717-14087-6-git-send-email-pmorel@linux.ibm.com>
 <e985a036-1b19-0feb-e50c-d55dec3dc9e7@redhat.com>
 <01047750-cdc6-b462-1e4f-c79c1036ab94@linux.ibm.com>
 <18c65e67-c5e6-9c2f-e7ab-962376427369@redhat.com>
From:   Pierre Morel <pmorel@linux.ibm.com>
Date:   Thu, 23 Aug 2018 10:01:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <18c65e67-c5e6-9c2f-e7ab-962376427369@redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18082308-0020-0000-0000-000002BA93C9
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18082308-0021-0000-0000-00002107EE0C
Message-Id: <ea1dad6d-a698-5d0d-2c41-c08c46068e96@linux.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-08-23_04:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1807170000 definitions=main-1808230085
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 23/08/2018 09:31, David Hildenbrand wrote:
> On 23.08.2018 09:17, Pierre Morel wrote:
>> On 22/08/2018 19:15, David Hildenbrand wrote:
>>> On 22.08.2018 18:51, Pierre Morel wrote:
>>>> When entering the SIE the CRYCB validation better
>>>> be done independently of the instruction's
>>>> availability.
>>>>
>>>> Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
>>>> ---
>>>>    arch/s390/kvm/vsie.c | 11 ++++++-----
>>>>    1 file changed, 6 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
>>>> index 7ee4329..fca25aa 100644
>>>> --- a/arch/s390/kvm/vsie.c
>>>> +++ b/arch/s390/kvm/vsie.c
>>>> @@ -164,17 +164,18 @@ static int shadow_crycb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
>>>>    	/* format-1 is supported with message-security-assist extension 3 */
>>>>    	if (!test_kvm_facility(vcpu->kvm, 76))
>>>>    		return 0;
>>>> -	/* we may only allow it if enabled for guest 2 */
>>>> -	ecb3_flags = scb_o->ecb3 & vcpu->arch.sie_block->ecb3 &
>>>> -		     (ECB3_AES | ECB3_DEA);
>>>> -	if (!ecb3_flags)
>>>> -		return 0;
>>>>    
>>>>    	if ((crycb_addr & PAGE_MASK) != ((crycb_addr + 128) & PAGE_MASK))
>>>>    		return set_validity_icpt(scb_s, 0x003CU);
>>>>    	if (!crycb_addr)
>>>>    		return set_validity_icpt(scb_s, 0x0039U);
>>>>    
>>>> +	/* we may only allow it if enabled for guest 2 */
>>>> +	ecb3_flags = scb_o->ecb3 & vcpu->arch.sie_block->ecb3 &
>>>> +		     (ECB3_AES | ECB3_DEA);
>>>> +	if (!ecb3_flags)
>>>> +		return 0;
>>>> +
>>>>    	/* copy only the wrapping keys */
>>>>    	if (read_guest_real(vcpu, crycb_addr + 72,
>>>>    			    vsie_page->crycb.dea_wrapping_key_mask, 56))
>>>>
>>>
>>> That makes sense, especially if ECB3_AES is used but effectively turned
>>> off by us.
>>>
>>> What is the expected behavior if ECB3_AES | ECB3_DEA are not set by g2
>>> for g3?
>>>
>>
>> The use of functions PCKMO-Encrypt-DEA/AES induce a specification error.
>>
>> However other MSA3 function will continue to be usable.
> 
> No, I meant which checks should be performed here.

The SIE should check the validity of the CRYCB.

However since we do not copy the key masks we do not
expect any access error on crycb_o

So it is more a philosophical problem, should the
hypervizor enforce an error here to act as the firmware?


regards,
Pierre



-- 
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany