Subject: Re: [RFC 02/19] KVM: s390: refactor crypto initialization
To: Cornelia Huck, Christian Borntraeger
Cc: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
 freude@de.ibm.com, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com,
 kwankhede@nvidia.com, bjsdjshi@linux.vnet.ibm.com, pbonzini@redhat.com,
 alex.williamson@redhat.com, pmorel@linux.vnet.ibm.com, alifm@linux.vnet.ibm.com,
 mjrosato@linux.vnet.ibm.com, qemu-s390x@nongnu.org, jjherne@linux.vnet.ibm.com,
 thuth@redhat.com, pasic@linux.vnet.ibm.com, david@redhat.com
From: Tony Krowiak
Date: Tue, 14 Nov 2017 10:53:12 -0500

On 11/14/2017 06:50 AM, Cornelia Huck wrote:
> On Thu, 2 Nov 2017 13:41:18 +0100
> Christian Borntraeger wrote:
>
>> On 10/13/2017 07:38 PM, Tony Krowiak wrote:
>>> This patch introduces the following changes to crypto initialization.
>>>
>>> * For key management operations support, the crypto control block
>>>   (CRYCB) referenced by the KVM guest's SIE state description is
>>>   formatted only if the Message-Security-Assist (MSA) extension 3
>>>   facility is installed (STFLE.76 is set). Virtualization of AP
>>>   facilities, however, requires that a CRYCB of the appropriate
>>>   format be made available to SIE regardless of the value of STFLE.76.
>>>
>>> * The Execution Controls A (ECA) field bit 28 in the SIE block needs
>>>   to be set to enable interpretive execution mode of adjunct processor (AP)
>>>   instructions.
>> We should fence setting ECA to cases where we have virtualization capability
>> for crypto. In addition we need to bind this somehow to the CPU model, so
>> I guess we need to add some CRYPTO feature e.g. add KVM_S390_VM_CPU_FEAT_AP to the
>> list of known features
>> (see arch/s390/include/uapi/asm/kvm.h)
>> ---snip---
>> #define KVM_S390_VM_CPU_FEAT_ESOP 0
>> #define KVM_S390_VM_CPU_FEAT_SIEF2 1
>> #define KVM_S390_VM_CPU_FEAT_64BSCAO 2
>> #define KVM_S390_VM_CPU_FEAT_SIIF 3
>> #define KVM_S390_VM_CPU_FEAT_GPERE 4
>> #define KVM_S390_VM_CPU_FEAT_GSLS 5
>> #define KVM_S390_VM_CPU_FEAT_IB 6
>> #define KVM_S390_VM_CPU_FEAT_CEI 7
>> #define KVM_S390_VM_CPU_FEAT_IBS 8
>> #define KVM_S390_VM_CPU_FEAT_SKEY 9
>> #define KVM_S390_VM_CPU_FEAT_CMMA 10
>> #define KVM_S390_VM_CPU_FEAT_PFMFI 11
>> #define KVM_S390_VM_CPU_FEAT_SIGPIF 12
>> #define KVM_S390_VM_CPU_FEAT_KSS 13
>> ---snip---
> So, we need this so userspace can add the appropriate flags, right?
>
>>
>> I will try to find out a way to properly detect that.
> Did you manage to find out

The AP bus (drivers/s390/crypto/ap_bus.c) calls the
ap_instructions_available() function in drivers/s390/crypto/ap_asm.c to
determine whether AP instructions are installed. This function executes
the PQAP(TAPQ) function and incorporates an exception table to catch the
operation exception if the AP instructions are not installed. I propose
externalizing that function so it can be called from KVM.

>
>>
>>
>>> Signed-off-by: Tony Krowiak
>>> ---
>>> arch/s390/include/asm/kvm_host.h | 1 +
>>> arch/s390/kvm/kvm-s390.c | 17 +++++++++++++----
>>> 2 files changed, 14 insertions(+), 4 deletions(-)
>>> >>> diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h >>> index 50a6b25..5683f18 100644 >>> --- a/arch/s390/include/asm/kvm_host.h >>> +++ b/arch/s390/include/asm/kvm_host.h >>> @@ -188,6 +188,7 @@ struct kvm_s390_sie_block { >>> #define ECA_MVPGI 0x01000000 >>> #define ECA_VX 0x00020000 >>> #define ECA_PROTEXCI 0x00002000 >>> +#define ECA_AP 0x00000008 >>> #define ECA_SII 0x00000001 >>> __u32 eca; /* 0x004c */ >>> #define ICPT_INST 0x04 >>> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c >>> index 40d0a1a..e57fc9b 100644 >>> --- a/arch/s390/kvm/kvm-s390.c >>> +++ b/arch/s390/kvm/kvm-s390.c >>> @@ -1819,7 +1819,9 @@ static void kvm_s390_set_crycb_format(struct kvm *kvm) >>> { >>> kvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb; >>> >>> - if (kvm_s390_apxa_installed()) >>> + if (!test_kvm_facility(kvm, 76)) >>> + kvm->arch.crypto.crycbd &= ~(CRYCB_FORMAT2); /* format 0 */ >>> + else if (kvm_s390_apxa_installed()) >>> kvm->arch.crypto.crycbd |= CRYCB_FORMAT2; >>> else >>> kvm->arch.crypto.crycbd |= CRYCB_FORMAT1; >>> @@ -1836,12 +1838,12 @@ static u64 kvm_s390_get_initial_cpuid(void) >>> >>> static void kvm_s390_crypto_init(struct kvm *kvm) >>> { >>> - if (!test_kvm_facility(kvm, 76)) >>> - return; >>> - >>> kvm->arch.crypto.crycb = &kvm->arch.sie_page2->crycb; >>> kvm_s390_set_crycb_format(kvm); >>> >>> + if (!test_kvm_facility(kvm, 76)) >>> + return; >>> + >>> /* Enable AES/DEA protected key functions by default */ >>> kvm->arch.crypto.aes_kw = 1; >>> kvm->arch.crypto.dea_kw = 1; 
>>> @@ -2366,8 +2368,15 @@ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu) >>> vcpu->arch.enabled_gmap = vcpu->arch.gmap; >>> } >>> >>> +static void kvm_s390_vcpu_set_crypto_exec_mode(struct kvm_vcpu *vcpu) >>> +{ >>> + vcpu->arch.sie_block->eca |= ECA_AP; >>> +} >>> + >>> static void kvm_s390_vcpu_crypto_setup(struct kvm_vcpu *vcpu) >>> { >>> + kvm_s390_vcpu_set_crypto_exec_mode(vcpu); >>> + >>> if (!test_kvm_facility(vcpu->kvm, 76)) >>> return; >>>
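
Review bot: In the kvm_s390_set_crycb_format() hunk (@@ -1819), the new facility-76 branch produces format 0 by clearing bits with `kvm->arch.crypto.crycbd &= ~(CRYCB_FORMAT2);`, which is only correct if every format bit is contained in CRYCB_FORMAT2, and that definition is not visible in this hunk. Since crycbd was assigned from the CRYCB address on the line above, it would read more clearly to introduce a named format mask or a CRYCB_FORMAT0 constant and to state in a comment why the AP path needs a format-0 CRYCB when STFLE.76 is absent. The parentheses around CRYCB_FORMAT2 are redundant.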
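
Review bot: In the kvm_s390_crypto_init() hunk (@@ -1836), moving the `test_kvm_facility(kvm, 76)` early return below `kvm_s390_set_crycb_format(kvm)` means the CRYCB pointer and format are now set for every guest, and nothing in the code says why. Add a short comment above the relocated check noting that the CRYCB is needed for AP virtualization regardless of STFLE.76 and that only the AES/DEA protected key setup below depends on facility 76. Facility 76 is also now tested both here and inside kvm_s390_set_crycb_format(); consider passing the result in or documenting the duplication.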
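
Review bot: In the kvm_s390_vcpu_crypto_setup() hunk (@@ -2366), `kvm_s390_vcpu_set_crypto_exec_mode(vcpu)` runs before any check, so ECA_AP is set on every vCPU whether or not the host has AP instructions or the guest's CPU model includes them. Guard the call with a capability check, as raised in the thread (a host test such as ap_instructions_available() plus a CPU-model feature like the proposed KVM_S390_VM_CPU_FEAT_AP), so interpretive execution of AP instructions is enabled only for guests meant to have it. The one-line helper could also be folded into the caller once the condition is in place.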