aboutsummaryrefslogtreecommitdiff
path: root/hw/s390x/pv.c
AgeCommit message (Collapse)Author
2023-07-10hw/s390x: Move KVM specific PV from hw/ to target/s390x/kvm/Philippe Mathieu-Daudé
Protected Virtualization (PV) is not a real hardware device: it is a feature of the firmware on s390x that is exposed to userspace via the KVM interface. Move the pv.c/pv.h files to target/s390x/kvm/ to make this clearer. Suggested-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230624200644.23931-1-philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2023-05-16s390x/pv: Fix spurious warning with asynchronous teardownClaudio Imbrenda
Kernel commit 292a7d6fca33 ("KVM: s390: pv: fix asynchronous teardown for small VMs") causes the KVM_PV_ASYNC_CLEANUP_PREPARE ioctl to fail if the VM is not larger than 2GiB. QEMU would attempt it and fail, print an error message, and then proceed with a normal teardown. Avoid attempting to use asynchronous teardown altogether when the VM is not larger than 2 GiB. This will avoid triggering the error message and also avoid pointless overhead; normal teardown is fast enough for small VMs. Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com> Fixes: c3a073c610 ("s390x/pv: Add support for asynchronous teardown for reboot") Link: https://lore.kernel.org/all/20230421085036.52511-2-imbrenda@linux.ibm.com/ Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-Id: <20230510105531.30623-2-imbrenda@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> [thuth: Fix inline function parameter in pv.h] Signed-off-by: Thomas Huth <thuth@redhat.com>
2023-02-27s390x/pv: Add support for asynchronous teardown for rebootClaudio Imbrenda
This patch adds support for the asynchronous teardown for reboot for protected VMs. When attempting to tear down a protected VM, try to use the new asynchronous interface first. If that fails, fall back to the classic synchronous one. The asynchronous interface involves invoking the new KVM_PV_ASYNC_DISABLE_PREPARE command for the KVM_S390_PV_COMMAND ioctl. This will prepare the current protected VM for asynchronous teardown. Once the protected VM is prepared for teardown, execution can continue immediately. Once the protected VM has been prepared, a new thread is started to actually perform the teardown. The new thread uses the new KVM_PV_ASYNC_DISABLE command for the KVM_S390_PV_COMMAND ioctl. The previously prepared protected VM is torn down in the new thread. Once KVM_PV_ASYNC_DISABLE is invoked, it is possible to use KVM_PV_ASYNC_DISABLE_PREPARE again. If a protected VM has already been prepared and its cleanup has not started, it will not be possible to prepare a new VM. In that case the classic synchronous teardown has to be performed. The synchronous teardown will now also clean up any prepared VMs whose asynchronous teardown has not been initiated yet. This considerably speeds up the reboot of a protected VM; for large VMs especially, it could take a long time to perform a reboot with the traditional synchronous teardown, while with this patch it is almost immediate. Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230214163035.44104-3-imbrenda@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2023-01-18s390x/pv: Implement a CGS check helperCédric Le Goater
When a protected VM is started with the maximum number of CPUs (248), the service call providing information on the CPUs requires more buffer space than allocated and QEMU disgracefully aborts : LOADPARM=[........] Using virtio-blk. Using SCSI scheme. ................................................................................... qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long When protected virtualization is initialized, compute the maximum number of vCPUs supported by the machine and return useful information to the user before the machine starts in case of error. Suggested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20230116174607.2459498-2-clg@kaod.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-10-27s390x/pv: remove semicolon from macro definitionClaudio Imbrenda
Remove spurious semicolon at the end of the macro s390_pv_cmd Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Acked-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20221010151041.89071-1-imbrenda@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-10-26s390x: Add KVM PV dump interfaceJanosch Frank
Let's add a few bits of code which hide the new KVM PV dump API from us via new functions. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com> Reviewed-by: Steffen Eiden <seiden@linux.ibm.com> [ Marc-André: fix up for compilation issue ] Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20221017083822.43118-10-frankja@linux.ibm.com>
2022-10-26s390x: Introduce PV query interfaceJanosch Frank
Introduce an interface over which we can get information about UV data. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Steffen Eiden <seiden@linux.ibm.com> Reviewed-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com> Acked-by: Thomas Huth <thuth@redhat.com> Message-Id: <20221017083822.43118-8-frankja@linux.ibm.com>
2021-05-02Do not include cpu.h if it's not really necessaryThomas Huth
Stop including cpu.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-4-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-02-08s390: Recognize confidential-guest-support optionDavid Gibson
At least some s390 cpu models support "Protected Virtualization" (PV), a mechanism to protect guests from eavesdropping by a compromised hypervisor. This is similar in function to other mechanisms like AMD's SEV and POWER's PEF, which are controlled by the "confidential-guest-support" machine option. s390 is a slightly special case, because we already supported PV, simply by using a CPU model with the required feature (S390_FEAT_UNPACK). To integrate this with the option used by other platforms, we implement the following compromise: - When the confidential-guest-support option is set, s390 will recognize it, verify that the CPU can support PV (failing if not) and set virtio default options necessary for encrypted or protected guests, as on other platforms. i.e. if confidential-guest-support is set, we will either create a guest capable of entering PV mode, or fail outright. - If confidential-guest-support is not set, guests might still be able to enter PV mode, if the CPU has the right model. This may be a little surprising, but shouldn't actually be harmful. To start a guest supporting Protected Virtualization using the new option use the command line arguments: -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0 Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Tested-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
2020-06-05s390x: pv: Fix KVM_PV_PREP_RESET command wrapper nameJanosch Frank
s390_pv_perf_clear_reset() is not a very helpful name since that function needs to be called for a normal and a clear reset via diag308. Let's instead name it s390_pv_prep_reset() which reflects the purpose of the function a bit better. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Message-Id: <20200505124159.24099-1-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x/s390-virtio-ccw: Fix build on systems without KVMChristian Borntraeger
linux/kvm.h is not available on all platforms. Let us move s390_machine_inject_pv_error into pv.c as it uses KVM structures. Also rename the function to s390_pv_inject_reset_error. While at it, ipl.h needs an include for "exec/address-spaces.h" as it uses address_space_memory. Fixes: c3347ed0d2ee ("s390x: protvirt: Support unpack facility") Reported-by: Bruce Rogers <brogers@suse.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Message-Id: <20200406100158.5940-2-borntraeger@de.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x/pv: Retry ioctls on -EINTRChristian Borntraeger
PV_ENABLE (and maybe others) might return -EINTR when a signal is pending. See the Linux kernel patch "s390/gmap: return proper error code on ksm unsharing" for details. Let us retry the ioctl in that case. Fixes: c3347ed0d2ee ("s390x: protvirt: Support unpack facility") Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com> Acked-by: Janosch Frank <frankja@linux.vnet.ibm.com> Tested-by: Marc Hartmayer <mhartmay@linux.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Message-Id: <20200327124616.34866-1-borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Support unpack facilityJanosch Frank
The unpack facility provides the means to setup a protected guest. A protected guest cannot be introspected by the hypervisor or any user/administrator of the machine it is running on. Protected guests are encrypted at rest and need a special boot mechanism via diag308 subcode 8 and 10. Code 8 sets the PV specific IPLB which is retained separately from those set via code 5. Code 10 is used to unpack the VM into protected memory, verify its integrity and start it. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Co-developed-by: Christian Borntraeger <borntraeger@de.ibm.com> [Changes to machine] Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200323083606.24520-1-frankja@linux.ibm.com> [CH: fixed up KVM_PV_VM_ -> KVM_PV_] Signed-off-by: Cornelia Huck <cohuck@redhat.com>