Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4687481ybb; Tue, 7 Apr 2020 12:21:30 -0700 (PDT) X-Google-Smtp-Source: APiQypJ5Eh/eOL/T41u2MZBZGjZYUDfhAC+ax7o3fw4JQiYowP9pMQpDhNUZN7tzjzt4jtujeuxf X-Received: by 2002:aca:c70f:: with SMTP id x15mr342516oif.80.1586287290242; Tue, 07 Apr 2020 12:21:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586287290; cv=none; d=google.com; s=arc-20160816; b=XMxoDmRRCvhQwdGcpEDdBxmA8NNTaLvVunZqDClrKRN85o4xWQyOLw8KSnbDSYqxmV 6cGvr2bbgd+QFCznKlaQHw2g3zES/STCY89E5L3xT7qODPeKUzFTqkopSe648dvoRFVR 2zOofuA8XagAX3C1oJCMubuy/uCCGf8lBZd1S9/FrwR8d1im4ZucbyVbgJFwsc6zBIBM Xf6BnEgLc5164PLuSV9wWFEqM+ZAptnA23iRSP/28M52HQKhi0BJSO/sW1+DLa8IoqjT HzOjJW8RIcVFJvrVmipVVIdkzxq4cJ9noNSrjyJn32nn0B/qGBC9ynx1OyCTBb+n98JG wDPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=eNbGbSGffzu9rzRuye5a0DUPyrH5kxaWkjDFFkp/z8I=; b=xDlvoAY+t9GEV6UWva0vS/1cwbdBWszp2wO0qlqt2OxXpTKZHH9rtMeFZmEK7/OYSw QVyZX0wreCKSxx7857tIJFdy5AG3LMrZmFqhL2KTAdDmAqjeBfyb1r4bCnvMWtX5IiQq fS2nu7lcXt03+aYClAqO+l3CS1sNQtqp4ZlEu7TK76NZuz4lxwdbciwL6Lz96gN6zsQH YocrRKU3ph6XjCesEUwjfPAOdYJQzG6HEKDQ9Minc169+7lKpiQKQz0YUIGEzAfNssCr /rdyghA3WNSFhLIu3Y/CE7KIC3w3qpiZk0P7cRK9M5kwqHioA3XasVviupqEObW3YKM1 eijw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i187si1030872oif.89.2020.04.07.12.21.14; Tue, 07 Apr 2020 12:21:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726891AbgDGTUb (ORCPT + 99 others); Tue, 7 Apr 2020 15:20:31 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:27120 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726339AbgDGTUb (ORCPT ); Tue, 7 Apr 2020 15:20:31 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 037J9CSD122181; Tue, 7 Apr 2020 15:20:28 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 308ye2g8nk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 07 Apr 2020 15:20:28 -0400 Received: from m0098420.ppops.net (m0098420.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 037J9xv3123748; Tue, 7 Apr 2020 15:20:27 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0b-001b2d01.pphosted.com with ESMTP id 308ye2g8n9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 07 Apr 2020 15:20:27 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 037JKC8Z012933; Tue, 7 Apr 2020 19:20:27 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma01dal.us.ibm.com with ESMTP id 306hv6h2qe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 07 Apr 2020 19:20:27 +0000 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 037JKPSR52560156 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 7 Apr 2020 19:20:25 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2743F28071; Tue, 7 Apr 2020 19:20:25 +0000 (GMT) Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 75DE128058; Tue, 7 Apr 2020 19:20:24 +0000 (GMT) Received: from cpe-172-100-173-215.stny.res.rr.com.com (unknown [9.85.207.206]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP; Tue, 7 Apr 2020 19:20:24 +0000 (GMT) From: Tony Krowiak To: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: freude@linux.ibm.com, borntraeger@de.ibm.com, cohuck@redhat.com, mjrosato@linux.ibm.com, pmorel@linux.ibm.com, pasic@linux.ibm.com, alex.williamson@redhat.com, kwankhede@nvidia.com, jjherne@linux.ibm.com, fiuczy@linux.ibm.com, Tony Krowiak Subject: [PATCH v7 00/15] s390/vfio-ap: dynamic configuration support Date: Tue, 7 Apr 2020 15:20:00 -0400 Message-Id: <20200407192015.19887-1-akrowiak@linux.ibm.com> X-Mailer: git-send-email 2.21.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,18.0.676 definitions=2020-04-07_08:2020-04-07,2020-04-07 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 priorityscore=1501 malwarescore=0 clxscore=1011 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 lowpriorityscore=0 mlxscore=0 suspectscore=3 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004070151 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The current design for AP pass-through does not support making dynamic changes to the AP matrix of a running guest resulting in a few deficiencies this patch series is intended to mitigate: 1. Adapters, domains and control domains can not be added to or removed from a running guest. In order to modify a guest's AP configuration, the guest must be terminated; only then can AP resources be assigned to or unassigned from the guest's matrix mdev. The new AP configuration becomes available to the guest when it is subsequently restarted. 2. The AP bus's /sys/bus/ap/apmask and /sys/bus/ap/aqmask interfaces can be modified by a root user without any restrictions. A change to either mask can result in AP queue devices being unbound from the vfio_ap device driver and bound to a zcrypt device driver even if a guest is using the queues, thus giving the host access to the guest's private crypto data and vice versa. 3. The APQNs derived from the Cartesian product of the APIDs of the adapters and APQIs of the domains assigned to a matrix mdev must reference an AP queue device bound to the vfio_ap device driver. The AP architecture allows assignment of AP resources that are not available to the system, so this artificial restriction is not compliant with the architecture. 4. The AP configuration profile can be dynamically changed for the linux host after a KVM guest is started. For example, a new domain can be dynamically added to the configuration profile via the SE or an HMC connected to a DPM enabled lpar. Likewise, AP adapters can be dynamically configured (online state) and deconfigured (standby state) using the SE, an SCLP command or an HMC connected to a DPM enabled lpar. This can result in inadvertent sharing of AP queues between the guest and host. 5. A root user can manually unbind an AP queue device representing a queue in use by a KVM guest via the vfio_ap device driver's sysfs unbind attribute. In this case, the guest will be using a queue that is not bound to the driver which violates the device model. This patch series introduces the following changes to the current design to alleviate the shortcomings described above as well as to implement more of the AP architecture: 1. A root user will be prevented from making changes to the AP bus's /sys/bus/ap/apmask or /sys/bus/ap/aqmask if the ownership of an APQN changes from the vfio_ap device driver to a zcrypt driver when the APQN is assigned to a matrix mdev. 2. Allow a root user to hot plug/unplug AP adapters, domains and control domains using the matrix mdev's assign/unassign attributes. 4. Allow assignment of an AP adapter or domain to a matrix mdev even if it results in assignment of an APQN that does not reference an AP queue device bound to the vfio_ap device driver, as long as the APQN is not reserved for use by the default zcrypt drivers (also known as over-provisioning of AP resources). Allowing over-provisioning of AP resources better models the architecture which does not preclude assigning AP resources that are not yet available in the system. 5. Handle dynamic changes to the AP device model. 1. Rationale for changes to AP bus's apmask/aqmask interfaces: ---------------------------------------------------------- Due to the extremely sensitive nature of cryptographic data, it is imperative that great care be taken to ensure that such data is secured. Allowing a root user, either inadvertently or maliciously, to configure these masks such that a queue is shared between the host and a guest is not only avoidable, it is advisable. It was suggested that this scenario is better handled in user space with management software, but that does not preclude a malicious administrator from using the sysfs interfaces to gain access to a guest's crypto data. It was also suggested that this scenario could be avoided by taking access to the adapter away from the guest and zeroing out the queues prior to the vfio_ap driver releasing the device; however, stealing an adapter in use from a guest as a by-product of an operation is bad and will likely cause problems for the guest unnecessarily. It was decided that the most effective solution with the least number of negative side effects is to prevent the situation at the source. 2. Rationale for hot plug/unplug using matrix mdev sysfs interfaces: ---------------------------------------------------------------- Allowing a user to hot plug/unplug AP resources using the matrix mdev sysfs interfaces circumvents the need to terminate the guest in order to modify its AP configuration. Allowing dynamic configuration makes reconfiguring a guest's AP matrix much less disruptive. 3. Rationale for allowing over-provisioning of AP resources: ----------------------------------------------------------- Allowing assignment of AP resources to a matrix mdev and ultimately to a guest better models the AP architecture. The architecture does not preclude assignment of unavailable AP resources. If a queue subsequently becomes available while a guest using the matrix mdev to which its APQN is assigned, the guest will be given access to it. If an APQN is dynamically unassigned from the underlying host system, it will automatically become unavailable to the guest. Change log v6-v7: ---------------- * Added callbacks to AP bus: - on_config_changed: Notifies implementing drivers that the AP configuration has changed since last AP device scan. - on_scan_complete: Notifies implementing drivers that the device scan has completed. - implemented on_config_changed and on_scan_complete callbacks for vfio_ap device driver. - updated vfio_ap device driver's probe and remove callbacks to handle dynamic changes to the AP device model. * Added code to filter APQNs when assigning AP resources to a KVM guest's CRYCB Change log v5-v6: ---------------- * Fixed a bug in ap_bus.c introduced with patch 2/7 of the v5 series. Harald Freudenberer pointed out that the mutex lock for ap_perms_mutex in the apmask_store and aqmask_store functions was not being freed. * Removed patch 6/7 which added logging to the vfio_ap driver to expedite acceptance of this series. The logging will be introduced with a separate patch series to allow more time to explore options such as DBF logging vs. tracepoints. * Added 3 patches related to ensuring that APQNs that do not reference AP queue devices bound to the vfio_ap device driver are not assigned to the guest CRYCB: Patch 4: Filter CRYCB bits for unavailable queue devices Patch 5: sysfs attribute to display the guest CRYCB Patch 6: update guest CRYCB in vfio_ap probe and remove callbacks * Added a patch (Patch 9) to version the vfio_ap module. * Reshuffled patches to allow the in_use callback implementation to invoke the vfio_ap_mdev_verify_no_sharing() function introduced in patch 2. Change log v4-v5: ---------------- * Added a patch to provide kernel s390dbf debug logs for VFIO AP Change log v3->v4: ----------------- * Restored patches preventing root user from changing ownership of APQNs from zcrypt drivers to the vfio_ap driver if the APQN is assigned to an mdev. * No longer enforcing requirement restricting guest access to queues represented by a queue device bound to the vfio_ap device driver. * Removed shadow CRYCB and now directly updating the guest CRYCB from the matrix mdev's matrix. * Rebased the patch series on top of 'vfio: ap: AP Queue Interrupt Control' patches. * Disabled bind/unbind sysfs interfaces for vfio_ap driver Change log v2->v3: ----------------- * Allow guest access to an AP queue only if the queue is bound to the vfio_ap device driver. * Removed the patch to test CRYCB masks before taking the vCPUs out of SIE. Now checking the shadow CRYCB in the vfio_ap driver. Change log v1->v2: ----------------- * Removed patches preventing root user from unbinding AP queues from the vfio_ap device driver * Introduced a shadow CRYCB in the vfio_ap driver to manage dynamic changes to the AP guest configuration due to root user interventions or hardware anomalies. Harald Freudenberger (1): s390/zcrypt: Notify driver on config changed and scan complete callbacks Tony Krowiak (14): s390/vfio-ap: store queue struct in hash table for quick access s390/vfio-ap: manage link between queue struct and matrix mdev s390/zcrypt: driver callback to indicate resource in use s390/vfio-ap: implement in-use callback for vfio_ap driver s390/vfio-ap: introduce shadow CRYCB s390/vfio-ap: sysfs attribute to display the guest CRYCB s390/vfio-ap: filter CRYCB bits for unavailable queue devices s390/vfio_ap: add qlink from ap_matrix_mdev struct to vfio_ap_queue struct s390/vfio-ap: allow assignment of unavailable AP queues to mdev device s390/vfio-ap: allow configuration of matrix mdev in use by a KVM guest s390/vfio-ap: allow hot plug/unplug of AP resources using mdev device s390/vfio-ap: handle host AP config change notification s390/vfio-ap: handle AP bus scan completed notification s390/vfio-ap: handle probe/remove not due to host AP config changes drivers/s390/crypto/ap_bus.c | 301 ++++++- drivers/s390/crypto/ap_bus.h | 17 + drivers/s390/crypto/vfio_ap_drv.c | 35 +- drivers/s390/crypto/vfio_ap_ops.c | 1103 +++++++++++++++++++------ drivers/s390/crypto/vfio_ap_private.h | 24 +- 5 files changed, 1167 insertions(+), 313 deletions(-) -- 2.21.1