KVM: s390: protvirt: Add initial vm and cpu lifecycle handling

This contains 3 main changes:
1. changes in SIE control block handling for secure guests
2. helper functions for create/destroy/unpack secure guests
3. KVM_S390_PV_COMMAND ioctl to allow userspace dealing with secure
machines

Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
[borntraeger@de.ibm.com: patch merging, splitting, fixing]
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
This commit is contained in:
Janosch Frank 2019-09-30 04:19:18 -04:00 committed by Christian Borntraeger
parent 6933316fe0
commit 29b40f105e
7 changed files with 635 additions and 4 deletions

View File

@ -160,7 +160,13 @@ struct kvm_s390_sie_block {
__u8 reserved08[4]; /* 0x0008 */ __u8 reserved08[4]; /* 0x0008 */
#define PROG_IN_SIE (1<<0) #define PROG_IN_SIE (1<<0)
__u32 prog0c; /* 0x000c */ __u32 prog0c; /* 0x000c */
__u8 reserved10[16]; /* 0x0010 */ union {
__u8 reserved10[16]; /* 0x0010 */
struct {
__u64 pv_handle_cpu;
__u64 pv_handle_config;
};
};
#define PROG_BLOCK_SIE (1<<0) #define PROG_BLOCK_SIE (1<<0)
#define PROG_REQUEST (1<<1) #define PROG_REQUEST (1<<1)
atomic_t prog20; /* 0x0020 */ atomic_t prog20; /* 0x0020 */
@ -233,7 +239,7 @@ struct kvm_s390_sie_block {
#define ECB3_RI 0x01 #define ECB3_RI 0x01
__u8 ecb3; /* 0x0063 */ __u8 ecb3; /* 0x0063 */
__u32 scaol; /* 0x0064 */ __u32 scaol; /* 0x0064 */
__u8 reserved68; /* 0x0068 */ __u8 sdf; /* 0x0068 */
__u8 epdx; /* 0x0069 */ __u8 epdx; /* 0x0069 */
__u8 reserved6a[2]; /* 0x006a */ __u8 reserved6a[2]; /* 0x006a */
__u32 todpr; /* 0x006c */ __u32 todpr; /* 0x006c */
@ -645,6 +651,11 @@ struct kvm_guestdbg_info_arch {
unsigned long last_bp; unsigned long last_bp;
}; };
struct kvm_s390_pv_vcpu {
u64 handle;
unsigned long stor_base;
};
struct kvm_vcpu_arch { struct kvm_vcpu_arch {
struct kvm_s390_sie_block *sie_block; struct kvm_s390_sie_block *sie_block;
/* if vsie is active, currently executed shadow sie control block */ /* if vsie is active, currently executed shadow sie control block */
@ -673,6 +684,7 @@ struct kvm_vcpu_arch {
__u64 cputm_start; __u64 cputm_start;
bool gs_enabled; bool gs_enabled;
bool skey_enabled; bool skey_enabled;
struct kvm_s390_pv_vcpu pv;
}; };
struct kvm_vm_stat { struct kvm_vm_stat {
@ -843,6 +855,13 @@ struct kvm_s390_gisa_interrupt {
DECLARE_BITMAP(kicked_mask, KVM_MAX_VCPUS); DECLARE_BITMAP(kicked_mask, KVM_MAX_VCPUS);
}; };
struct kvm_s390_pv {
u64 handle;
u64 guest_len;
unsigned long stor_base;
void *stor_var;
};
struct kvm_arch{ struct kvm_arch{
void *sca; void *sca;
int use_esca; int use_esca;
@ -878,6 +897,7 @@ struct kvm_arch{
DECLARE_BITMAP(cpu_feat, KVM_S390_VM_CPU_FEAT_NR_BITS); DECLARE_BITMAP(cpu_feat, KVM_S390_VM_CPU_FEAT_NR_BITS);
DECLARE_BITMAP(idle_mask, KVM_MAX_VCPUS); DECLARE_BITMAP(idle_mask, KVM_MAX_VCPUS);
struct kvm_s390_gisa_interrupt gisa_int; struct kvm_s390_gisa_interrupt gisa_int;
struct kvm_s390_pv pv;
}; };
#define KVM_HVA_ERR_BAD (-1UL) #define KVM_HVA_ERR_BAD (-1UL)

View File

@ -23,11 +23,19 @@
#define UVC_RC_INV_STATE 0x0003 #define UVC_RC_INV_STATE 0x0003
#define UVC_RC_INV_LEN 0x0005 #define UVC_RC_INV_LEN 0x0005
#define UVC_RC_NO_RESUME 0x0007 #define UVC_RC_NO_RESUME 0x0007
#define UVC_RC_NEED_DESTROY 0x8000
#define UVC_CMD_QUI 0x0001 #define UVC_CMD_QUI 0x0001
#define UVC_CMD_INIT_UV 0x000f #define UVC_CMD_INIT_UV 0x000f
#define UVC_CMD_CREATE_SEC_CONF 0x0100
#define UVC_CMD_DESTROY_SEC_CONF 0x0101
#define UVC_CMD_CREATE_SEC_CPU 0x0120
#define UVC_CMD_DESTROY_SEC_CPU 0x0121
#define UVC_CMD_CONV_TO_SEC_STOR 0x0200 #define UVC_CMD_CONV_TO_SEC_STOR 0x0200
#define UVC_CMD_CONV_FROM_SEC_STOR 0x0201 #define UVC_CMD_CONV_FROM_SEC_STOR 0x0201
#define UVC_CMD_SET_SEC_CONF_PARAMS 0x0300
#define UVC_CMD_UNPACK_IMG 0x0301
#define UVC_CMD_VERIFY_IMG 0x0302
#define UVC_CMD_PIN_PAGE_SHARED 0x0341 #define UVC_CMD_PIN_PAGE_SHARED 0x0341
#define UVC_CMD_UNPIN_PAGE_SHARED 0x0342 #define UVC_CMD_UNPIN_PAGE_SHARED 0x0342
#define UVC_CMD_SET_SHARED_ACCESS 0x1000 #define UVC_CMD_SET_SHARED_ACCESS 0x1000
@ -37,10 +45,17 @@
enum uv_cmds_inst { enum uv_cmds_inst {
BIT_UVC_CMD_QUI = 0, BIT_UVC_CMD_QUI = 0,
BIT_UVC_CMD_INIT_UV = 1, BIT_UVC_CMD_INIT_UV = 1,
BIT_UVC_CMD_CREATE_SEC_CONF = 2,
BIT_UVC_CMD_DESTROY_SEC_CONF = 3,
BIT_UVC_CMD_CREATE_SEC_CPU = 4,
BIT_UVC_CMD_DESTROY_SEC_CPU = 5,
BIT_UVC_CMD_CONV_TO_SEC_STOR = 6, BIT_UVC_CMD_CONV_TO_SEC_STOR = 6,
BIT_UVC_CMD_CONV_FROM_SEC_STOR = 7, BIT_UVC_CMD_CONV_FROM_SEC_STOR = 7,
BIT_UVC_CMD_SET_SHARED_ACCESS = 8, BIT_UVC_CMD_SET_SHARED_ACCESS = 8,
BIT_UVC_CMD_REMOVE_SHARED_ACCESS = 9, BIT_UVC_CMD_REMOVE_SHARED_ACCESS = 9,
BIT_UVC_CMD_SET_SEC_PARMS = 11,
BIT_UVC_CMD_UNPACK_IMG = 13,
BIT_UVC_CMD_VERIFY_IMG = 14,
BIT_UVC_CMD_PIN_PAGE_SHARED = 21, BIT_UVC_CMD_PIN_PAGE_SHARED = 21,
BIT_UVC_CMD_UNPIN_PAGE_SHARED = 22, BIT_UVC_CMD_UNPIN_PAGE_SHARED = 22,
}; };
@ -52,6 +67,7 @@ struct uv_cb_header {
u16 rrc; /* Return Reason Code */ u16 rrc; /* Return Reason Code */
} __packed __aligned(8); } __packed __aligned(8);
/* Query Ultravisor Information */
struct uv_cb_qui { struct uv_cb_qui {
struct uv_cb_header header; struct uv_cb_header header;
u64 reserved08; u64 reserved08;
@ -71,6 +87,7 @@ struct uv_cb_qui {
u8 reserveda0[200 - 160]; u8 reserveda0[200 - 160];
} __packed __aligned(8); } __packed __aligned(8);
/* Initialize Ultravisor */
struct uv_cb_init { struct uv_cb_init {
struct uv_cb_header header; struct uv_cb_header header;
u64 reserved08[2]; u64 reserved08[2];
@ -79,6 +96,35 @@ struct uv_cb_init {
u64 reserved28[4]; u64 reserved28[4];
} __packed __aligned(8); } __packed __aligned(8);
/* Create Guest Configuration */
struct uv_cb_cgc {
struct uv_cb_header header;
u64 reserved08[2];
u64 guest_handle;
u64 conf_base_stor_origin;
u64 conf_virt_stor_origin;
u64 reserved30;
u64 guest_stor_origin;
u64 guest_stor_len;
u64 guest_sca;
u64 guest_asce;
u64 reserved58[5];
} __packed __aligned(8);
/* Create Secure CPU */
struct uv_cb_csc {
struct uv_cb_header header;
u64 reserved08[2];
u64 cpu_handle;
u64 guest_handle;
u64 stor_origin;
u8 reserved30[6];
u16 num;
u64 state_origin;
u64 reserved40[4];
} __packed __aligned(8);
/* Convert to Secure */
struct uv_cb_cts { struct uv_cb_cts {
struct uv_cb_header header; struct uv_cb_header header;
u64 reserved08[2]; u64 reserved08[2];
@ -86,12 +132,34 @@ struct uv_cb_cts {
u64 gaddr; u64 gaddr;
} __packed __aligned(8); } __packed __aligned(8);
/* Convert from Secure / Pin Page Shared */
struct uv_cb_cfs { struct uv_cb_cfs {
struct uv_cb_header header; struct uv_cb_header header;
u64 reserved08[2]; u64 reserved08[2];
u64 paddr; u64 paddr;
} __packed __aligned(8); } __packed __aligned(8);
/* Set Secure Config Parameter */
struct uv_cb_ssc {
struct uv_cb_header header;
u64 reserved08[2];
u64 guest_handle;
u64 sec_header_origin;
u32 sec_header_len;
u32 reserved2c;
u64 reserved30[4];
} __packed __aligned(8);
/* Unpack */
struct uv_cb_unp {
struct uv_cb_header header;
u64 reserved08[2];
u64 guest_handle;
u64 gaddr;
u64 tweak[2];
u64 reserved38[3];
} __packed __aligned(8);
/* /*
* A common UV call struct for calls that take no payload * A common UV call struct for calls that take no payload
* Examples: * Examples:
@ -105,6 +173,7 @@ struct uv_cb_nodata {
u64 reserved20[4]; u64 reserved20[4];
} __packed __aligned(8); } __packed __aligned(8);
/* Set Shared Access */
struct uv_cb_share { struct uv_cb_share {
struct uv_cb_header header; struct uv_cb_header header;
u64 reserved08[3]; u64 reserved08[3];

View File

@ -9,6 +9,6 @@ common-objs = $(KVM)/kvm_main.o $(KVM)/eventfd.o $(KVM)/async_pf.o $(KVM)/irqch
ccflags-y := -Ivirt/kvm -Iarch/s390/kvm ccflags-y := -Ivirt/kvm -Iarch/s390/kvm
kvm-objs := $(common-objs) kvm-s390.o intercept.o interrupt.o priv.o sigp.o kvm-objs := $(common-objs) kvm-s390.o intercept.o interrupt.o priv.o sigp.o
kvm-objs += diag.o gaccess.o guestdbg.o vsie.o kvm-objs += diag.o gaccess.o guestdbg.o vsie.o pv.o
obj-$(CONFIG_KVM) += kvm.o obj-$(CONFIG_KVM) += kvm.o

View File

@ -44,6 +44,7 @@
#include <asm/cpacf.h> #include <asm/cpacf.h>
#include <asm/timex.h> #include <asm/timex.h>
#include <asm/ap.h> #include <asm/ap.h>
#include <asm/uv.h>
#include "kvm-s390.h" #include "kvm-s390.h"
#include "gaccess.h" #include "gaccess.h"
@ -234,8 +235,10 @@ int kvm_arch_check_processor_compat(void)
return 0; return 0;
} }
/* forward declarations */
static void kvm_gmap_notifier(struct gmap *gmap, unsigned long start, static void kvm_gmap_notifier(struct gmap *gmap, unsigned long start,
unsigned long end); unsigned long end);
static int sca_switch_to_extended(struct kvm *kvm);
static void kvm_clock_sync_scb(struct kvm_s390_sie_block *scb, u64 delta) static void kvm_clock_sync_scb(struct kvm_s390_sie_block *scb, u64 delta)
{ {
@ -2165,6 +2168,160 @@ out:
return r; return r;
} }
static int kvm_s390_cpus_from_pv(struct kvm *kvm, u16 *rcp, u16 *rrcp)
{
struct kvm_vcpu *vcpu;
u16 rc, rrc;
int ret = 0;
int i;
/*
* We ignore failures and try to destroy as many CPUs as possible.
* At the same time we must not free the assigned resources when
* this fails, as the ultravisor has still access to that memory.
* So kvm_s390_pv_destroy_cpu can leave a "wanted" memory leak
* behind.
* We want to return the first failure rc and rrc, though.
*/
kvm_for_each_vcpu(i, vcpu, kvm) {
mutex_lock(&vcpu->mutex);
if (kvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc) && !ret) {
*rcp = rc;
*rrcp = rrc;
ret = -EIO;
}
mutex_unlock(&vcpu->mutex);
}
return ret;
}
static int kvm_s390_cpus_to_pv(struct kvm *kvm, u16 *rc, u16 *rrc)
{
int i, r = 0;
u16 dummy;
struct kvm_vcpu *vcpu;
kvm_for_each_vcpu(i, vcpu, kvm) {
mutex_lock(&vcpu->mutex);
r = kvm_s390_pv_create_cpu(vcpu, rc, rrc);
mutex_unlock(&vcpu->mutex);
if (r)
break;
}
if (r)
kvm_s390_cpus_from_pv(kvm, &dummy, &dummy);
return r;
}
static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd)
{
int r = 0;
u16 dummy;
void __user *argp = (void __user *)cmd->data;
switch (cmd->cmd) {
case KVM_PV_ENABLE: {
r = -EINVAL;
if (kvm_s390_pv_is_protected(kvm))
break;
/*
* FMT 4 SIE needs esca. As we never switch back to bsca from
* esca, we need no cleanup in the error cases below
*/
r = sca_switch_to_extended(kvm);
if (r)
break;
r = kvm_s390_pv_init_vm(kvm, &cmd->rc, &cmd->rrc);
if (r)
break;
r = kvm_s390_cpus_to_pv(kvm, &cmd->rc, &cmd->rrc);
if (r)
kvm_s390_pv_deinit_vm(kvm, &dummy, &dummy);
break;
}
case KVM_PV_DISABLE: {
r = -EINVAL;
if (!kvm_s390_pv_is_protected(kvm))
break;
r = kvm_s390_cpus_from_pv(kvm, &cmd->rc, &cmd->rrc);
/*
* If a CPU could not be destroyed, destroy VM will also fail.
* There is no point in trying to destroy it. Instead return
* the rc and rrc from the first CPU that failed destroying.
*/
if (r)
break;
r = kvm_s390_pv_deinit_vm(kvm, &cmd->rc, &cmd->rrc);
break;
}
case KVM_PV_SET_SEC_PARMS: {
struct kvm_s390_pv_sec_parm parms = {};
void *hdr;
r = -EINVAL;
if (!kvm_s390_pv_is_protected(kvm))
break;
r = -EFAULT;
if (copy_from_user(&parms, argp, sizeof(parms)))
break;
/* Currently restricted to 8KB */
r = -EINVAL;
if (parms.length > PAGE_SIZE * 2)
break;
r = -ENOMEM;
hdr = vmalloc(parms.length);
if (!hdr)
break;
r = -EFAULT;
if (!copy_from_user(hdr, (void __user *)parms.origin,
parms.length))
r = kvm_s390_pv_set_sec_parms(kvm, hdr, parms.length,
&cmd->rc, &cmd->rrc);
vfree(hdr);
break;
}
case KVM_PV_UNPACK: {
struct kvm_s390_pv_unp unp = {};
r = -EINVAL;
if (!kvm_s390_pv_is_protected(kvm))
break;
r = -EFAULT;
if (copy_from_user(&unp, argp, sizeof(unp)))
break;
r = kvm_s390_pv_unpack(kvm, unp.addr, unp.size, unp.tweak,
&cmd->rc, &cmd->rrc);
break;
}
case KVM_PV_VERIFY: {
r = -EINVAL;
if (!kvm_s390_pv_is_protected(kvm))
break;
r = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),
UVC_CMD_VERIFY_IMG, &cmd->rc, &cmd->rrc);
KVM_UV_EVENT(kvm, 3, "PROTVIRT VERIFY: rc %x rrc %x", cmd->rc,
cmd->rrc);
break;
}
default:
r = -ENOTTY;
}
return r;
}
long kvm_arch_vm_ioctl(struct file *filp, long kvm_arch_vm_ioctl(struct file *filp,
unsigned int ioctl, unsigned long arg) unsigned int ioctl, unsigned long arg)
{ {
@ -2262,6 +2419,31 @@ long kvm_arch_vm_ioctl(struct file *filp,
mutex_unlock(&kvm->slots_lock); mutex_unlock(&kvm->slots_lock);
break; break;
} }
case KVM_S390_PV_COMMAND: {
struct kvm_pv_cmd args;
r = 0;
if (!is_prot_virt_host()) {
r = -EINVAL;
break;
}
if (copy_from_user(&args, argp, sizeof(args))) {
r = -EFAULT;
break;
}
if (args.flags) {
r = -EINVAL;
break;
}
mutex_lock(&kvm->lock);
r = kvm_s390_handle_pv(kvm, &args);
mutex_unlock(&kvm->lock);
if (copy_to_user(argp, &args, sizeof(args))) {
r = -EFAULT;
break;
}
break;
}
default: default:
r = -ENOTTY; r = -ENOTTY;
} }
@ -2525,6 +2707,8 @@ out_err:
void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu) void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
{ {
u16 rc, rrc;
VCPU_EVENT(vcpu, 3, "%s", "free cpu"); VCPU_EVENT(vcpu, 3, "%s", "free cpu");
trace_kvm_s390_destroy_vcpu(vcpu->vcpu_id); trace_kvm_s390_destroy_vcpu(vcpu->vcpu_id);
kvm_s390_clear_local_irqs(vcpu); kvm_s390_clear_local_irqs(vcpu);
@ -2537,6 +2721,9 @@ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
if (vcpu->kvm->arch.use_cmma) if (vcpu->kvm->arch.use_cmma)
kvm_s390_vcpu_unsetup_cmma(vcpu); kvm_s390_vcpu_unsetup_cmma(vcpu);
/* We can not hold the vcpu mutex here, we are already dying */
if (kvm_s390_pv_cpu_get_handle(vcpu))
kvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc);
free_page((unsigned long)(vcpu->arch.sie_block)); free_page((unsigned long)(vcpu->arch.sie_block));
} }
@ -2558,10 +2745,20 @@ static void kvm_free_vcpus(struct kvm *kvm)
void kvm_arch_destroy_vm(struct kvm *kvm) void kvm_arch_destroy_vm(struct kvm *kvm)
{ {
u16 rc, rrc;
kvm_free_vcpus(kvm); kvm_free_vcpus(kvm);
sca_dispose(kvm); sca_dispose(kvm);
debug_unregister(kvm->arch.dbf);
kvm_s390_gisa_destroy(kvm); kvm_s390_gisa_destroy(kvm);
/*
* We are already at the end of life and kvm->lock is not taken.
* This is ok as the file descriptor is closed by now and nobody
* can mess with the pv state. To avoid lockdep_assert_held from
* complaining we do not use kvm_s390_pv_is_protected.
*/
if (kvm_s390_pv_get_handle(kvm))
kvm_s390_pv_deinit_vm(kvm, &rc, &rrc);
debug_unregister(kvm->arch.dbf);
free_page((unsigned long)kvm->arch.sie_page2); free_page((unsigned long)kvm->arch.sie_page2);
if (!kvm_is_ucontrol(kvm)) if (!kvm_is_ucontrol(kvm))
gmap_remove(kvm->arch.gmap); gmap_remove(kvm->arch.gmap);
@ -2657,6 +2854,9 @@ static int sca_switch_to_extended(struct kvm *kvm)
unsigned int vcpu_idx; unsigned int vcpu_idx;
u32 scaol, scaoh; u32 scaol, scaoh;
if (kvm->arch.use_esca)
return 0;
new_sca = alloc_pages_exact(sizeof(*new_sca), GFP_KERNEL|__GFP_ZERO); new_sca = alloc_pages_exact(sizeof(*new_sca), GFP_KERNEL|__GFP_ZERO);
if (!new_sca) if (!new_sca)
return -ENOMEM; return -ENOMEM;
@ -2908,6 +3108,7 @@ static void kvm_s390_vcpu_setup_model(struct kvm_vcpu *vcpu)
static int kvm_s390_vcpu_setup(struct kvm_vcpu *vcpu) static int kvm_s390_vcpu_setup(struct kvm_vcpu *vcpu)
{ {
int rc = 0; int rc = 0;
u16 uvrc, uvrrc;
atomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH | atomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH |
CPUSTAT_SM | CPUSTAT_SM |
@ -2975,6 +3176,14 @@ static int kvm_s390_vcpu_setup(struct kvm_vcpu *vcpu)
kvm_s390_vcpu_crypto_setup(vcpu); kvm_s390_vcpu_crypto_setup(vcpu);
mutex_lock(&vcpu->kvm->lock);
if (kvm_s390_pv_is_protected(vcpu->kvm)) {
rc = kvm_s390_pv_create_cpu(vcpu, &uvrc, &uvrrc);
if (rc)
kvm_s390_vcpu_unsetup_cmma(vcpu);
}
mutex_unlock(&vcpu->kvm->lock);
return rc; return rc;
} }
@ -4540,6 +4749,9 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
if (mem->guest_phys_addr + mem->memory_size > kvm->arch.mem_limit) if (mem->guest_phys_addr + mem->memory_size > kvm->arch.mem_limit)
return -EINVAL; return -EINVAL;
/* When we are protected, we should not change the memory slots */
if (kvm_s390_pv_get_handle(kvm))
return -EINVAL;
return 0; return 0;
} }

View File

@ -15,6 +15,7 @@
#include <linux/hrtimer.h> #include <linux/hrtimer.h>
#include <linux/kvm.h> #include <linux/kvm.h>
#include <linux/kvm_host.h> #include <linux/kvm_host.h>
#include <linux/lockdep.h>
#include <asm/facility.h> #include <asm/facility.h>
#include <asm/processor.h> #include <asm/processor.h>
#include <asm/sclp.h> #include <asm/sclp.h>
@ -207,6 +208,38 @@ static inline int kvm_s390_user_cpu_state_ctrl(struct kvm *kvm)
return kvm->arch.user_cpu_state_ctrl != 0; return kvm->arch.user_cpu_state_ctrl != 0;
} }
/* implemented in pv.c */
int kvm_s390_pv_destroy_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc);
int kvm_s390_pv_create_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc);
int kvm_s390_pv_deinit_vm(struct kvm *kvm, u16 *rc, u16 *rrc);
int kvm_s390_pv_init_vm(struct kvm *kvm, u16 *rc, u16 *rrc);
int kvm_s390_pv_set_sec_parms(struct kvm *kvm, void *hdr, u64 length, u16 *rc,
u16 *rrc);
int kvm_s390_pv_unpack(struct kvm *kvm, unsigned long addr, unsigned long size,
unsigned long tweak, u16 *rc, u16 *rrc);
static inline u64 kvm_s390_pv_get_handle(struct kvm *kvm)
{
return kvm->arch.pv.handle;
}
static inline u64 kvm_s390_pv_cpu_get_handle(struct kvm_vcpu *vcpu)
{
return vcpu->arch.pv.handle;
}
static inline bool kvm_s390_pv_is_protected(struct kvm *kvm)
{
lockdep_assert_held(&kvm->lock);
return !!kvm_s390_pv_get_handle(kvm);
}
static inline bool kvm_s390_pv_cpu_is_protected(struct kvm_vcpu *vcpu)
{
lockdep_assert_held(&vcpu->mutex);
return !!kvm_s390_pv_cpu_get_handle(vcpu);
}
/* implemented in interrupt.c */ /* implemented in interrupt.c */
int kvm_s390_handle_wait(struct kvm_vcpu *vcpu); int kvm_s390_handle_wait(struct kvm_vcpu *vcpu);
void kvm_s390_vcpu_wakeup(struct kvm_vcpu *vcpu); void kvm_s390_vcpu_wakeup(struct kvm_vcpu *vcpu);

266
arch/s390/kvm/pv.c Normal file
View File

@ -0,0 +1,266 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Hosting Protected Virtual Machines
*
* Copyright IBM Corp. 2019, 2020
* Author(s): Janosch Frank <frankja@linux.ibm.com>
*/
#include <linux/kvm.h>
#include <linux/kvm_host.h>
#include <linux/pagemap.h>
#include <linux/sched/signal.h>
#include <asm/pgalloc.h>
#include <asm/gmap.h>
#include <asm/uv.h>
#include <asm/mman.h>
#include "kvm-s390.h"
int kvm_s390_pv_destroy_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc)
{
int cc = 0;
if (kvm_s390_pv_cpu_get_handle(vcpu)) {
cc = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu),
UVC_CMD_DESTROY_SEC_CPU, rc, rrc);
KVM_UV_EVENT(vcpu->kvm, 3,
"PROTVIRT DESTROY VCPU %d: rc %x rrc %x",
vcpu->vcpu_id, *rc, *rrc);
WARN_ONCE(cc, "protvirt destroy cpu failed rc %x rrc %x",
*rc, *rrc);
}
/* Intended memory leak for something that should never happen. */
if (!cc)
free_pages(vcpu->arch.pv.stor_base,
get_order(uv_info.guest_cpu_stor_len));
vcpu->arch.sie_block->pv_handle_cpu = 0;
vcpu->arch.sie_block->pv_handle_config = 0;
memset(&vcpu->arch.pv, 0, sizeof(vcpu->arch.pv));
vcpu->arch.sie_block->sdf = 0;
kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
return cc ? EIO : 0;
}
int kvm_s390_pv_create_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc)
{
struct uv_cb_csc uvcb = {
.header.cmd = UVC_CMD_CREATE_SEC_CPU,
.header.len = sizeof(uvcb),
};
int cc;
if (kvm_s390_pv_cpu_get_handle(vcpu))
return -EINVAL;
vcpu->arch.pv.stor_base = __get_free_pages(GFP_KERNEL,
get_order(uv_info.guest_cpu_stor_len));
if (!vcpu->arch.pv.stor_base)
return -ENOMEM;
/* Input */
uvcb.guest_handle = kvm_s390_pv_get_handle(vcpu->kvm);
uvcb.num = vcpu->arch.sie_block->icpua;
uvcb.state_origin = (u64)vcpu->arch.sie_block;
uvcb.stor_origin = (u64)vcpu->arch.pv.stor_base;
cc = uv_call(0, (u64)&uvcb);
*rc = uvcb.header.rc;
*rrc = uvcb.header.rrc;
KVM_UV_EVENT(vcpu->kvm, 3,
"PROTVIRT CREATE VCPU: cpu %d handle %llx rc %x rrc %x",
vcpu->vcpu_id, uvcb.cpu_handle, uvcb.header.rc,
uvcb.header.rrc);
if (cc) {
u16 dummy;
kvm_s390_pv_destroy_cpu(vcpu, &dummy, &dummy);
return -EIO;
}
/* Output */
vcpu->arch.pv.handle = uvcb.cpu_handle;
vcpu->arch.sie_block->pv_handle_cpu = uvcb.cpu_handle;
vcpu->arch.sie_block->pv_handle_config = kvm_s390_pv_get_handle(vcpu->kvm);
vcpu->arch.sie_block->sdf = 2;
kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
return 0;
}
/* only free resources when the destroy was successful */
static void kvm_s390_pv_dealloc_vm(struct kvm *kvm)
{
vfree(kvm->arch.pv.stor_var);
free_pages(kvm->arch.pv.stor_base,
get_order(uv_info.guest_base_stor_len));
memset(&kvm->arch.pv, 0, sizeof(kvm->arch.pv));
}
static int kvm_s390_pv_alloc_vm(struct kvm *kvm)
{
unsigned long base = uv_info.guest_base_stor_len;
unsigned long virt = uv_info.guest_virt_var_stor_len;
unsigned long npages = 0, vlen = 0;
struct kvm_memory_slot *memslot;
kvm->arch.pv.stor_var = NULL;
kvm->arch.pv.stor_base = __get_free_pages(GFP_KERNEL, get_order(base));
if (!kvm->arch.pv.stor_base)
return -ENOMEM;
/*
* Calculate current guest storage for allocation of the
* variable storage, which is based on the length in MB.
*
* Slots are sorted by GFN
*/
mutex_lock(&kvm->slots_lock);
memslot = kvm_memslots(kvm)->memslots;
npages = memslot->base_gfn + memslot->npages;
mutex_unlock(&kvm->slots_lock);
kvm->arch.pv.guest_len = npages * PAGE_SIZE;
/* Allocate variable storage */
vlen = ALIGN(virt * ((npages * PAGE_SIZE) / HPAGE_SIZE), PAGE_SIZE);
vlen += uv_info.guest_virt_base_stor_len;
kvm->arch.pv.stor_var = vzalloc(vlen);
if (!kvm->arch.pv.stor_var)
goto out_err;
return 0;
out_err:
kvm_s390_pv_dealloc_vm(kvm);
return -ENOMEM;
}
/* this should not fail, but if it does, we must not free the donated memory */
int kvm_s390_pv_deinit_vm(struct kvm *kvm, u16 *rc, u16 *rrc)
{
int cc;
cc = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),
UVC_CMD_DESTROY_SEC_CONF, rc, rrc);
WRITE_ONCE(kvm->arch.gmap->guest_handle, 0);
atomic_set(&kvm->mm->context.is_protected, 0);
KVM_UV_EVENT(kvm, 3, "PROTVIRT DESTROY VM: rc %x rrc %x", *rc, *rrc);
WARN_ONCE(cc, "protvirt destroy vm failed rc %x rrc %x", *rc, *rrc);
/* Inteded memory leak on "impossible" error */
if (!cc)
kvm_s390_pv_dealloc_vm(kvm);
return cc ? -EIO : 0;
}
int kvm_s390_pv_init_vm(struct kvm *kvm, u16 *rc, u16 *rrc)
{
struct uv_cb_cgc uvcb = {
.header.cmd = UVC_CMD_CREATE_SEC_CONF,
.header.len = sizeof(uvcb)
};
int cc, ret;
u16 dummy;
ret = kvm_s390_pv_alloc_vm(kvm);
if (ret)
return ret;
/* Inputs */
uvcb.guest_stor_origin = 0; /* MSO is 0 for KVM */
uvcb.guest_stor_len = kvm->arch.pv.guest_len;
uvcb.guest_asce = kvm->arch.gmap->asce;
uvcb.guest_sca = (unsigned long)kvm->arch.sca;
uvcb.conf_base_stor_origin = (u64)kvm->arch.pv.stor_base;
uvcb.conf_virt_stor_origin = (u64)kvm->arch.pv.stor_var;
cc = uv_call(0, (u64)&uvcb);
*rc = uvcb.header.rc;
*rrc = uvcb.header.rrc;
KVM_UV_EVENT(kvm, 3, "PROTVIRT CREATE VM: handle %llx len %llx rc %x rrc %x",
uvcb.guest_handle, uvcb.guest_stor_len, *rc, *rrc);
/* Outputs */
kvm->arch.pv.handle = uvcb.guest_handle;
if (cc) {
if (uvcb.header.rc & UVC_RC_NEED_DESTROY)
kvm_s390_pv_deinit_vm(kvm, &dummy, &dummy);
else
kvm_s390_pv_dealloc_vm(kvm);
return -EIO;
}
kvm->arch.gmap->guest_handle = uvcb.guest_handle;
atomic_set(&kvm->mm->context.is_protected, 1);
return 0;
}
int kvm_s390_pv_set_sec_parms(struct kvm *kvm, void *hdr, u64 length, u16 *rc,
u16 *rrc)
{
struct uv_cb_ssc uvcb = {
.header.cmd = UVC_CMD_SET_SEC_CONF_PARAMS,
.header.len = sizeof(uvcb),
.sec_header_origin = (u64)hdr,
.sec_header_len = length,
.guest_handle = kvm_s390_pv_get_handle(kvm),
};
int cc = uv_call(0, (u64)&uvcb);
*rc = uvcb.header.rc;
*rrc = uvcb.header.rrc;
KVM_UV_EVENT(kvm, 3, "PROTVIRT VM SET PARMS: rc %x rrc %x",
*rc, *rrc);
return cc ? -EINVAL : 0;
}
static int unpack_one(struct kvm *kvm, unsigned long addr, u64 tweak,
u64 offset, u16 *rc, u16 *rrc)
{
struct uv_cb_unp uvcb = {
.header.cmd = UVC_CMD_UNPACK_IMG,
.header.len = sizeof(uvcb),
.guest_handle = kvm_s390_pv_get_handle(kvm),
.gaddr = addr,
.tweak[0] = tweak,
.tweak[1] = offset,
};
int ret = gmap_make_secure(kvm->arch.gmap, addr, &uvcb);
*rc = uvcb.header.rc;
*rrc = uvcb.header.rrc;
if (ret && ret != -EAGAIN)
KVM_UV_EVENT(kvm, 3, "PROTVIRT VM UNPACK: failed addr %llx with rc %x rrc %x",
uvcb.gaddr, *rc, *rrc);
return ret;
}
int kvm_s390_pv_unpack(struct kvm *kvm, unsigned long addr, unsigned long size,
unsigned long tweak, u16 *rc, u16 *rrc)
{
u64 offset = 0;
int ret = 0;
if (addr & ~PAGE_MASK || !size || size & ~PAGE_MASK)
return -EINVAL;
KVM_UV_EVENT(kvm, 3, "PROTVIRT VM UNPACK: start addr %lx size %lx",
addr, size);
while (offset < size) {
ret = unpack_one(kvm, addr, tweak, offset, rc, rrc);
if (ret == -EAGAIN) {
cond_resched();
if (fatal_signal_pending(current))
break;
continue;
}
if (ret)
break;
addr += PAGE_SIZE;
offset += PAGE_SIZE;
}
if (!ret)
KVM_UV_EVENT(kvm, 3, "%s", "PROTVIRT VM UNPACK: successful");
return ret;
}

View File

@ -1478,6 +1478,37 @@ struct kvm_enc_region {
#define KVM_S390_NORMAL_RESET _IO(KVMIO, 0xc3) #define KVM_S390_NORMAL_RESET _IO(KVMIO, 0xc3)
#define KVM_S390_CLEAR_RESET _IO(KVMIO, 0xc4) #define KVM_S390_CLEAR_RESET _IO(KVMIO, 0xc4)
struct kvm_s390_pv_sec_parm {
__u64 origin;
__u64 length;
};
struct kvm_s390_pv_unp {
__u64 addr;
__u64 size;
__u64 tweak;
};
enum pv_cmd_id {
KVM_PV_ENABLE,
KVM_PV_DISABLE,
KVM_PV_SET_SEC_PARMS,
KVM_PV_UNPACK,
KVM_PV_VERIFY,
};
struct kvm_pv_cmd {
__u32 cmd; /* Command to be executed */
__u16 rc; /* Ultravisor return code */
__u16 rrc; /* Ultravisor return reason code */
__u64 data; /* Data or address */
__u32 flags; /* flags for future extensions. Must be 0 for now */
__u32 reserved[3];
};
/* Available with KVM_CAP_S390_PROTECTED */
#define KVM_S390_PV_COMMAND _IOWR(KVMIO, 0xc5, struct kvm_pv_cmd)
/* Secure Encrypted Virtualization command */ /* Secure Encrypted Virtualization command */
enum sev_cmd_id { enum sev_cmd_id {
/* Guest initialization commands */ /* Guest initialization commands */