[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2019-07-24 Thread Brad Figg
** Tags added: cscc

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Released
Status in libvirt source package in Cosmic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]

   * The ability to pass through more cryptographic capabilities is a very
     important feature for users of s390x as a virtualization platform.
     Its availability upstream now and its backport in this bug allow
     exploiting the crypto cards as new HW for these virtualization use
     cases.

   * This falls under both "other safe cases" SRU exceptions:
     - For Long Term Support releases we regularly want to enable new
       hardware ...
     - For Long Term Support releases we sometimes want to introduce new
       features. They must not change the behaviour on existing
       installations ...

   * This bug has three main components:
     - kernel (ability to do all of this)
     - qemu (add feature to exploit the new code)
     - libvirt (make the feature user consumable)

  [Test Case]

   * In general this consists of a few steps
     - get the updated kernel/qemu/libvirt
     - mask the card & domains from the usual driver
     - load vfio-ap
     - assign card to vfio-ap
     - prepare a guest
     - configure a guest to use the card

   * See comment #66 for how to do all of that in detail

  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/66

  [Regression Potential]

   * The changes are mostly s390x only and adding a new feature so
     regressions to existing components should be low. But to backport it
     slight changes to the MDEV handling had to be applied as well.
     The potential regressions I can see are in that MDEV handling if one
     of the backports would be bad.
     Fortunately we know that without the related libvirt fixes we added
     here using MDEVs didn't work at all yet, and people very rarely use
     qemu without libvirt for anything else than experiments.
     Therefore I'm confident that even if there would be a flaw in the
     MDEV changes no one is hugely relying on it.

  [Other Info]

   * n/a

  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to
  a KVM guest such that the hypervisor cannot observe the communication of the
  guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will
  automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2019-02-04 Thread Andrew Cloke
** Changed in: ubuntu-z-systems
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2019-02-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.19.0-12.13

---
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped
      address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
      enough
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free trasnmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-17 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.6.0-2ubuntu3.2

---
libvirt (4.6.0-2ubuntu3.2) cosmic; urgency=medium

  * d/p/ubuntu/lp1787405-0008-qemu-mdev-Use-vfio-pci-display-property-only-with-vf.patch:
    fix handling of non PCI vfio display property (part of LP: #1787405)

libvirt (4.6.0-2ubuntu3.1) cosmic; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)

 -- Christian Ehrhardt  Thu, 06 Dec 2018 09:16:13 +0100

** Changed in: libvirt (Ubuntu Cosmic)
   Status: Fix Committed => Fix Released

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Released
Status in libvirt source package in Cosmic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-13 Thread Launchpad Bug Tracker
This bug was fixed in the package qemu - 1:2.12+dfsg-3ubuntu8.2

---
qemu (1:2.12+dfsg-3ubuntu8.2) cosmic; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)

 -- Christian Ehrhardt  Fri, 23 Nov 2018 08:39:19 +0100

** Changed in: qemu (Ubuntu Cosmic)
   Status: Fix Committed => Fix Released

** Changed in: qemu (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Released
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-13 Thread Launchpad Bug Tracker
This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu7.9

---
qemu (1:2.11+dfsg-1ubuntu7.9) bionic; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)

 -- Christian Ehrhardt  Thu, 15 Nov 2018 12:29:56 +0100

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Released
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-11 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.0.0-1ubuntu8.6

---
libvirt (4.0.0-1ubuntu8.6) bionic; urgency=medium

  * d/control: explicitly Build-dep on libwiretap-dev to fix FTBFS since
    libwireshark 2.6.x SRU upload (LP: #1801666)
  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)

 -- Christian Ehrhardt  Fri, 09 Nov 2018 07:42:01 +0100

** Changed in: libvirt (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-10 Thread Christian Ehrhardt 
Thanks for accepting that follow-on fix.
With that it now fully works on cosmic as well following the howto on
comment #66

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done verification-done-cosmic

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-10 Thread Christian Ehrhardt 
FYI: We also resolved the systemd test issues in Bionic (unrelated, but
needed a fix).
Let's see what they will look like in Cosmic after the tests on the new
upload complete.

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-10 Thread Andy Whitcroft
Hello bugproxy, or anyone else affected,

Accepted libvirt into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/libvirt/4.6.0-2ubuntu3.2 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: libvirt (Ubuntu Cosmic)
   Status: In Progress => Fix Committed

** Tags removed: verification-done verification-done-cosmic
** Tags added: verification-needed verification-needed-cosmic

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-09 Thread Christian Ehrhardt 
Uploaded libvirt_4.6.0-2ubuntu3.2_source.changes. @SRU Team, please accept
that into C-proposed over the one we currently have. Then I can
re-confirm it there.

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  In Progress
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-09 Thread Christian Ehrhardt 
The mini-fix on top for disco was delayed by some openstack/nova/sqlite tests.
I debugged and fixed them together with coreycb, uploading the Cosmic fix on
top of the current one in proposed.

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  In Progress
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-08 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.6.0-2ubuntu5

---
libvirt (4.6.0-2ubuntu5) disco; urgency=medium

  * d/p/ubuntu/lp1787405-0008-qemu-mdev-Use-vfio-pci-display-property-only-with-vf.patch:
    fix handling of non PCI vfio display property (part of LP: #1787405)

 -- Christian Ehrhardt   Thu, 06 Dec 2018 09:20:39 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in libvirt source package in Cosmic:
  In Progress
Status in linux source package in Cosmic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-06 Thread Christian Ehrhardt 
Tested 4.6.0-2ubuntu3.2~ppa1 from the PPA.
I can now add


  

  


without getting display='off' added

- no new/different related apparmor issues
- starting the guest works fine
- generated qemu line LGTM
  -device vfio-ap,id=hostdev0,sysfsdev=/sys/bus/mdev/devices/24f952b3-03d1-4df2-9967-0d5f7d63d5f2
- guest sees AP adapter
- did a few start/stop cycles to check stability of getting the mdev back (to
  other guest after first shut down for example)

I have the same ready for Disco as 4.6.0-2ubuntu5 and will upload that
now.

Once complete the 4.6.0-2ubuntu3.2 shall replace the libvirt currently
in cosmic-proposed.


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-06 Thread Christian Ehrhardt 
Respins with that fix on top build now for Bionic and Disco in the PPA [1]
(same we used so far).
Let's see if they build and work as expected ...

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-06 Thread Christian Ehrhardt 
Seems to me like:
4.7 d6f97d13 "qemu: mdev: Use vfio-pci 'display' property only with vfio-pci mdevs"

Related:
4.6 d48813e8 conf: Introduce new video type 'none'
4.6 c0ca6dcf qemu: command: Enable formatting vfio-pci.display option onto cmdline
4.6 d54e45b6 conf: Introduce new  attribute 'display'
4.6 11c7bdac qemu: caps: Add vfio-pci.display capability

I think the appearance of the 4.6 changes I referred to made the 4.7 change above
needed.
Let's spin a PPA with just this on top and retest this.

If good we can push it to disco and on top the cosmic SRU (and release
it as one update).


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-06 Thread Christian Ehrhardt 
Did cosmic as well now.
First verified that with the non-proposed version it fails (on 
1:2.12+dfsg-3ubuntu8.1 / 4.6.0-2ubuntu3)
=> fails as expected (can't even define the XML)

Then upgraded to 1:2.12+dfsg-3ubuntu8.2 and 4.6.0-2ubuntu3.1 from cosmic
proposed.

With that qemu works as intended and gets the ap passed through.
But libvirt in 4.6 has gained the (unwelcome) smartness to add display=off 
which is useful for other mdevs but breaks vfio-ap usage.
That causes this:
error: internal error: qemu unexpectedly closed the monitor: 2018-12-06T07:48:27.407849Z qemu-system-s390x: -device vfio-ap,id=hostdev0,sysfsdev=/sys/bus/mdev/devices/24f952b3-03d1-4df2-9967-0d5f7d63d5f2,display=off: Property '.display' not found

This is still no regression (only the new feature is incomplete on cosmic).
We can either release 4.6.0-2ubuntu3.1 or wait for 4.6.0-2ubuntu3.2 which I 
start to prep now.
Yet I need to find the right fix first ...

Setting c-verified as well (for qemu and kernel to get their SRU queues
flushed at least).

Summarizing:
- kernel verified B
- qemu verified B
- libvirt verified B
- libvirt will get a follow on fix for C to handle display
- Setting the libvirt task back to in progress

** Changed in: libvirt (Ubuntu Cosmic)
   Status: Fix Committed => In Progress

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done verification-done-cosmic

** Changed in: libvirt (Ubuntu)
   Status: Fix Released => In Progress
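
The 'display' failure reported in the message above, turned into a pre-flight check (an added example, not part of the original messages and not libvirt's or qemu's own code): it applies the rule named in the thread, that the 'display' property belongs only on vfio-pci mdevs, to a libvirt domain XML and to a generated qemu command line. The hostdev XML follows libvirt's documented domain format; the guest name, the second UUID and all function names are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

AP_UUID = "24f952b3-03d1-4df2-9967-0d5f7d63d5f2"   # mdev UUID quoted in the thread
GPU_UUID = "00000000-0000-0000-0000-000000000001"  # constructed vfio-pci mdev UUID

# Constructed sample: a vfio-ap hostdev that picked up display='off' (the broken
# case) next to a vfio-pci mdev, where the same attribute is legitimate.
DOMAIN_XML = f"""
<domain type='kvm'>
  <name>guest-ap</name>
  <devices>
    <hostdev mode='subsystem' type='mdev' managed='no' model='vfio-ap' display='off'>
      <source><address uuid='{AP_UUID}'/></source>
    </hostdev>
    <hostdev mode='subsystem' type='mdev' managed='no' model='vfio-pci' display='off'>
      <source><address uuid='{GPU_UUID}'/></source>
    </hostdev>
  </devices>
</domain>
"""
# Same domain with the attribute dropped from the vfio-ap device only.
DOMAIN_XML_FIXED = DOMAIN_XML.replace("model='vfio-ap' display='off'", "model='vfio-ap'")

SYSFSDEV = f"/sys/bus/mdev/devices/{AP_UUID}"
CMDLINE_BROKEN = f"qemu-system-s390x -device vfio-ap,id=hostdev0,sysfsdev={SYSFSDEV},display=off"
CMDLINE_FIXED = f"qemu-system-s390x -device vfio-ap,id=hostdev0,sysfsdev={SYSFSDEV}"


def hostdevs_with_bad_display(domain_xml):
    """Return (model, uuid) for every mdev hostdev that carries a display
    attribute although its model is not vfio-pci."""
    bad = []
    for hostdev in ET.fromstring(domain_xml).iter("hostdev"):
        if hostdev.get("type") != "mdev":
            continue
        if hostdev.get("display") is None or hostdev.get("model") == "vfio-pci":
            continue
        address = hostdev.find("./source/address")
        uuid = address.get("uuid") if address is not None else None
        bad.append((hostdev.get("model"), uuid))
    return bad


def device_args_with_bad_display(cmdline):
    """Return each -device option string that sets display= on a vfio driver
    other than vfio-pci (qemu rejects it with "Property '.display' not found")."""
    argv = shlex.split(cmdline)
    bad = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-device":
            continue
        driver, _, rest = value.partition(",")
        # Split "k=v,k=v" into a dict; values here contain no escaped commas.
        props = dict(p.partition("=")[::2] for p in rest.split(",") if p)
        if driver.startswith("vfio-") and driver != "vfio-pci" and "display" in props:
            bad.append(value)
    return bad


if __name__ == "__main__":
    print("XML, broken:", hostdevs_with_bad_display(DOMAIN_XML))
    print("XML, fixed: ", hostdevs_with_bad_display(DOMAIN_XML_FIXED))
    print("cmdline, broken:", device_args_with_bad_display(CMDLINE_BROKEN))
    print("cmdline, fixed: ", device_args_with_bad_display(CMDLINE_FIXED))
```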


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-06 Thread Christian Ehrhardt 
Looking back I'm afraid comment #59 was not testing "all" releases when
it said "I successfully tested on s390 the provided libvirt packages as
requested in point 4 of paelzer last comment".

There really is more than just the latest LTS :-)
Now let's find the patch that makes it stop adding that silly display attribute.

Can even be found with just defining a vfio-ap hostdev as outlined in
comment #66 which after a save will have that display attribute
in xml.


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-05 Thread Christian Ehrhardt 
Verified Bionic with the libvirt+qemu setup outlined in comment #66

Guest starting fine and in the guest:
$ lszcrypt
CARD.DOMAIN TYPE  MODE        STATUS  REQUEST_CNT
-------------------------------------------------
00          CEX5C CCA-Coproc  online            1
00.0016     CEX5C CCA-Coproc  online            1

qemu cmdline that was generated:
  -device vfio-ap,id=hostdev0,sysfsdev=/sys/bus/mdev/devices/24f952b3-03d1-4df2-9967-0d5f7d63d5f2

Cosmic is still a todo (but not today)

@IBM - will you also test and re-verify this or don't you have
time/motivation as the PPAs were essentially the same?


** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-42.45

---
linux (4.15.0-42.45) bionic; urgency=medium

  * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

 -- Thadeu Lima de Souza Cascardo  Thu, 15 Nov 2018 17:01:46 -0200

** Changed in: linux (Ubuntu Bionic)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.18.0-12.13

---
linux (4.18.0-12.13) cosmic; urgency=medium

  * linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

  * crash in ENA driver on removing an interface (LP: #1802341)
    - SAUCE: net: ena: fix crash during ena_remove()

  * Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding
    (LP: #1797367)
    - s390/qeth: reduce hard-coded access to ccw channels
    - s390/qeth: sanitize strings in debug messages

  * Add checksum offload and TSO support for HiNIC adapters (LP: #1800664)
    - net-next/hinic: add checksum offload and TSO support

  * smartpqi updates for ubuntu 18.04.2 (LP: #1798208)
    - scsi: smartpqi: improve handling for sync requests
    - scsi: smartpqi: improve error checking for sync requests
    - scsi: smartpqi: add inspur advantech ids
    - scsi: smartpqi: fix critical ARM issue reading PQI index registers
    - scsi: smartpqi: bump driver version to 1.1.4-130

  * [GLK/CLX] Enhanced IBRS (LP: #1786139)
    - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
    - x86/speculation: Support Enhanced IBRS on future CPUs

  * Enable keyboard wakeup for S2Idle laptops (LP: #1798552)
    - Input: i8042 - enable keyboard wakeups by default when s2idle is used

  * Overlayfs in user namespace leaks directory content of inaccessible
    directories (LP: #1793458) // CVE-2018-6559
    - SAUCE: overlayfs: ensure mounter privileges when reading directories

  * Update ENA driver to version 2.0.1K (LP: #1798182)
    - net: ena: remove ndo_poll_controller
    - net: ena: fix auto casting to boolean
    - net: ena: minor performance improvement
    - net: ena: complete host info to match latest ENA spec
    - net: ena: introduce Low Latency Queues data structures according to ENA
      spec
    - net: ena: add functions for handling Low Latency Queues in ena_com
    - net: ena: add functions for handling Low Latency Queues in ena_netdev
    - net: ena: use CSUM_CHECKED device indication to report skb's checksum
      status
    - net: ena: explicit casting and initialization, and clearer error handling
    - net: ena: limit refill Rx threshold to 256 to avoid latency issues
    - net: ena: change rx copybreak default to reduce kernel memory pressure
    - net: ena: remove redundant

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-30 Thread Christian Ehrhardt 
@IBM - overall that means, please test from proposed:
libvirt 4.6.0-2ubuntu3.1 + qemu 1:2.12+dfsg-3ubuntu8.2 on 18.10
libvirt 4.0.0-1ubuntu8.6 + qemu 1:2.11+dfsg-1ubuntu7.9 on 18.04


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-29 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: In Progress => Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-29 Thread Robie Basak
Hello bugproxy, or anyone else affected,

Accepted qemu into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/qemu/1:2.12+dfsg-3ubuntu8.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: qemu (Ubuntu Cosmic)
   Status: Triaged => Fix Committed

** Tags removed: verification-done-cosmic
** Tags added: verification-needed verification-needed-cosmic

** Changed in: qemu (Ubuntu Bionic)
   Status: Triaged => Fix Committed

** Tags removed: verification-done-bionic
** Tags added: verification-needed-bionic


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-28 Thread  Christian Ehrhardt 
I found some more things that I'd want for the opengl changes and decided to 
unbundle it from this SRU.
That said the qemu and libvirt code for this bug here is now uploaded to 
bionic-/cosmic-unapproved for review by the SRU Team.


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-28 Thread  Christian Ehrhardt 
The migration into 19.04 is complete and the CVE fixes completed as well.
I updated all related repositories and the content 100% matches what we have 
pre-tested.

Just a small delay to make sure the bundled opengl enablement works as
well (or to unbundle it).

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Fix Committed
Status in qemu source package in Bionic:
  Triaged
Status in libvirt source package in Cosmic:
  Triaged
Status in linux source package in Cosmic:
  Fix Committed
Status in qemu source package in Cosmic:
  Triaged
Status in linux source package in Disco:
  Fix Committed

Bug description:
  [Impact]

   * The ability to pass through more cryptographic capabilities is a very
     important feature for users of s390x as virtualization platform.
     Its availability upstream now and its backport in this bug allows to
     exploit the crypto cards as new HW for these virtualization use
     cases.

   * This falls under both "other safe cases" SRU exceptions:
  - For Long Term Support releases we regularly want to enable new
    hardware ...
  - For Long Term Support releases we sometimes want to introduce new
    features. They must not change the behaviour on existing
    installations ...

   * This bug has three main components:
     - kernel (ability to do all of this)
     - qemu (add feature to exploit the new code)
     - libvirt (make the feature user consumable)

  [Test Case]

   * In general this consists of a few steps
 - get the updated kernel/qemu/libvirt
 - mask the card & domains from the usual driver
 - load vfio-ap
 - assign card to vfio-ap
 - prepare a guest
 - configure a guest to use the card

   * See comment #66 how to do all of that in detail

  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/66

  [Regression Potential]

   * The changes are mostly s390x only and adding a new feature so
     regressions to existing components should be low. But to backport it
     slight changes to the MDEV handling had to be applied as well.
     The potential regressions I can see are in that MDEV handling if one
     of the backports would be bad.
     Fortunately we know that without the related libvirt fixes we added
     here using MDEVs didn't work at all yet, and people very rarely use
     qemu without libvirt for anything else than experiments.
     Therefore I'm confident that even if there would be a flaw in the
     MDEV changes no one is hugely relying on it.

  [Other Info]

   * n/a

  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices
  to a KVM guest such that the hypervisor cannot observe the communication
  of the guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will
  automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-27 Thread Launchpad Bug Tracker
This bug was fixed in the package qemu - 1:2.12+dfsg-3ubuntu9

---
qemu (1:2.12+dfsg-3ubuntu9) disco; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: integer overflow in NE2000 NIC emulation
    - debian/patches/CVE-2018-10839.patch: use proper type in
      hw/net/ne2000.c.
    - CVE-2018-10839
  * SECURITY UPDATE: integer overflow via crafted QMP command
    - debian/patches/CVE-2018-12617.patch: check bytes count read by
      guest-file-read in qga/commands-posix.c.
    - CVE-2018-12617
  * SECURITY UPDATE: OOB heap buffer r/w access in NVM Express Controller
    - debian/patches/CVE-2018-16847.patch: check size in hw/block/nvme.c.
    - CVE-2018-16847
  * SECURITY UPDATE: buffer overflow in rtl8139
    - debian/patches/CVE-2018-17958.patch: use proper type in
      hw/net/rtl8139.c.
    - CVE-2018-17958
  * SECURITY UPDATE: buffer overflow in pcnet
    - debian/patches/CVE-2018-17962.patch: use proper type in
      hw/net/pcnet.c.
    - CVE-2018-17962
  * SECURITY UPDATE: DoS via large packet sizes
    - debian/patches/CVE-2018-17963.patch: check size in net/net.c.
    - CVE-2018-17963
  * SECURITY UPDATE: DoS in lsi53c895a
    - debian/patches/CVE-2018-18849.patch: check message length value is
      valid in hw/scsi/lsi53c895a.c.
    - CVE-2018-18849
  * SECURITY UPDATE: Out-of-bounds r/w stack access in ppc64
    - debian/patches/CVE-2018-18954.patch: check size before data buffer
      access in hw/ppc/pnv_lpc.c.
    - CVE-2018-18954
  * SECURITY UPDATE: race condition in 9p
    - debian/patches/CVE-2018-19364-1.patch: use write lock in
      hw/9pfs/cofile.c.
    - debian/patches/CVE-2018-19364-2.patch: use write lock in
      hw/9pfs/9p.c.
    - CVE-2018-19364

  [ Christian Ehrhardt]
  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)
  * enable opengl for vfio-MDEV support (LP: #1804766)
    - d/control-in: set --enable-opengl
    - d/control-in: add gl related build-dependencies

 -- Christian Ehrhardt   Wed, 21 Nov 2018 13:17:01 -0500

** Changed in: qemu (Ubuntu)
   Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10839

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12617

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16847

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17958

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17962

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17963

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18849

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18954

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19364

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in libvirt source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Fix Committed
Status in qemu source package in Bionic:
  Triaged
Status in libvirt source package in Cosmic:
  Triaged
Status in linux source package in Cosmic:
  Fix Committed
Status in qemu source package in Cosmic:
  Triaged
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-26 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.6.0-2ubuntu4

---
libvirt (4.6.0-2ubuntu4) disco; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)
  * d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch:
    fix libvirt bridge handling in unprivileged containers (LP: #1802906)

 -- Christian Ehrhardt   Fri, 09 Nov 2018 07:42:01 +0100

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in libvirt source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Fix Committed
Status in qemu source package in Bionic:
  Triaged
Status in libvirt source package in Cosmic:
  Triaged
Status in linux source package in Cosmic:
  Fix Committed
Status in qemu source package in Cosmic:
  Triaged
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-26 Thread  Christian Ehrhardt 
Used the Kernel from Proposed:
apt-cache policy linux-image-4.15.0-42-generic
linux-image-4.15.0-42-generic:
  Installed: 4.15.0-42.45
  Candidate: 4.15.0-42.45

Libvirt/Qemu from PPA [1]

Having one device assigned to my LPAR atm:
$ ll /sys/bus/ap/devices/
total 0
drwxr-xr-x 2 root root 0 Nov 23 03:29 ./
drwxr-xr-x 4 root root 0 Nov 23 03:29 ../
lrwxrwxrwx 1 root root 0 Nov 23 03:29 00.0016 -> ../../../devices/ap/card00/00.0016/
lrwxrwxrwx 1 root root 0 Nov 23 03:29 card00 -> ../../../devices/ap/card00/

# mask out the adapters/queues of your choice that you want to virtualize
# In my case I have card 0 queue 16 (hex 16 dec 22 to match HMC config)
$ lszcrypt
CARD.DOMAIN TYPE  MODE        STATUS  REQUEST_CNT
-------------------------------------------------
00          CEX5C CCA-Coproc  online            5
00.0016     CEX5C CCA-Coproc  online            5
# so let's assign that to vfio-ap instead of zcrypt use

# Adapter
$ cat /sys/bus/ap/apmask
0x
$ echo -0x0 | sudo tee /sys/bus/ap/apmask
$ cat /sys/bus/ap/apmask
0x7fff
# Domain
$ cat /sys/bus/ap/aqmask 
0x
$ echo -0x16 | sudo tee /sys/bus/ap/aqmask
$ cat /sys/bus/ap/aqmask 
0xfdff


$ sudo modprobe vfio_ap
$ dmesg | tail
...
[272006.492864] vfio_ap matrix: MDEV: Registered

# create a new MDEV
$ uuid=$(uuidgen)
$ echo ${uuid} | sudo tee /sys/devices/vfio_ap/matrix/mdev_supported_types/vfio_ap-passthrough/create

in Dmesg:
[272197.818811] iommu: Adding device 24f952b3-03d1-4df2-9967-0d5f7d63d5f2 to group 0
[272197.818815] vfio_mdev 24f952b3-03d1-4df2-9967-0d5f7d63d5f2: MDEV: group_id = 0

# Assign adapter 0 to vfio-ap
$ echo +0x0 | sudo tee /sys/devices/vfio_ap/matrix/${uuid}/assign_adapter
# Assign domain 16 (22) to vfio-ap
$ echo +0x16 | sudo tee /sys/devices/vfio_ap/matrix/${uuid}/assign_domain
$ echo +0x16 | sudo tee /sys/devices/vfio_ap/matrix/${uuid}/assign_control_domain

Check the matrix you have set up
$ cat /sys/devices/vfio_ap/matrix/${uuid}/matrix
00.0016

Get something bootable to then start it with the MDEV assigned:
$ uvt-kvm create --memory=1024 --password=ubuntu bionic-vfio-ap arch=s390x label=daily release=bionic
# wait until initialized and shut it down
$ virsh shutdown bionic-vfio-ap

# Modify to also use the MDEV
$ virsh edit bionic-vfio-ap
# add a snippet matching your UUID like:

   

  


When restarting the guest this correctly adds the commandline argument:
  -device vfio-ap,id=hostdev0,sysfsdev=/sys/bus/mdev/devices/24f952b3-03d1-4df2-9967-0d5f7d63d5f2
We also see virt-aa helper generating vfio rules
$ grep '/dev/vfio' /etc/apparmor.d/libvirt/$(virsh dominfo bionic-vfio-ap | awk '/^Security label/ {print $3}').files
  "/dev/vfio/vfio" rw,
  "/dev/vfio/[0-9]*" rw,

And most importantly in the guest the adapter is present:
$ lszcrypt
CARD.DOMAIN TYPE  MODE        STATUS  REQUEST_CNT
-------------------------------------------------
00          CEX5C CCA-Coproc  online            1
00.0016     CEX5C CCA-Coproc  online            1


Thanks Halil that I was watching [2] in Edinburgh :-)
And thanks cborntra for the WIP script to set those up.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520
[2]: https://events.linuxfoundation.org/wp-content/uploads/2017/12/vfio-ap-The-Perils-of-the-Weird-Halil-Pasic-IBM.pdf
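
An offline model of the apmask/aqmask writes in the message above, added here as an example and not part of the original post or of any Ubuntu or kernel tooling. It assumes a mask is printed as 0x plus 64 hex digits (256 bits) with bit 0 leftmost (the mask values quoted above are cut short), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: model of the AP bus mask strings (apmask / aqmask).
# Assumption: a mask is "0x" + 64 hex digits and bit 0 is the leftmost bit,
# so adapter/domain N is bit N counted from the left. A set bit means the
# default zcrypt drivers keep the resource; a cleared bit means it has been
# masked out, as "echo -0x16 | sudo tee /sys/bus/ap/aqmask" does on the page.

# Constructed sample input: a mask with all 256 bits set.
full_mask() {
    m=0x; i=0
    while [ "$i" -lt 64 ]; do m="${m}f"; i=$((i + 1)); done
    printf '%s\n' "$m"
}

# ap_digit_index MASK BITNR -> 1-based index of the hex digit holding BITNR.
# BITNR may be decimal or 0x-prefixed hex (0x16 == 22). Fails if out of range.
ap_digit_index() {
    hex=${1#0x}
    bit=$(($2))
    if [ "$bit" -lt 0 ] || [ "$bit" -ge $(( ${#hex} * 4 )) ]; then
        echo "bit $bit is outside the mask" >&2
        return 2
    fi
    printf '%s\n' $(( bit / 4 + 1 ))
}

# ap_mask_bit MASK BITNR -> prints 1 if the bit is set, 0 if it is cleared.
ap_mask_bit() {
    idx=$(ap_digit_index "$1" "$2") || return 2
    bit=$(($2))
    digit=$(printf '%s\n' "${1#0x}" | cut -c"$idx")
    printf '%s\n' $(( (0x$digit >> (3 - bit % 4)) & 1 ))
}

# ap_mask_clear MASK BITNR -> prints MASK with that bit cleared.
ap_mask_clear() {
    idx=$(ap_digit_index "$1" "$2") || return 2
    bit=$(($2))
    digit=$(printf '%s\n' "${1#0x}" | cut -c"$idx")
    new=$(printf '%x' $(( 0x$digit & ~(8 >> (bit % 4)) & 15 )))
    # Replace only the idx-th hex digit of the mask.
    printf '0x%s\n' "$(printf '%s\n' "${1#0x}" | sed "s/./$new/$idx")"
}

# ap_mask_cleared_bits MASK -> space-separated decimal list of cleared bits,
# i.e. everything that has been taken away from the default drivers.
ap_mask_cleared_bits() {
    hex=${1#0x}; n=0; out=
    while [ -n "$hex" ]; do
        d=${hex%"${hex#?}"}      # first hex digit
        hex=${hex#?}             # rest of the string
        for s in 3 2 1 0; do
            if [ $(( (0x$d >> s) & 1 )) -eq 0 ]; then
                out="$out${out:+ }$n"
            fi
            n=$((n + 1))
        done
    done
    printf '%s\n' "$out"
}

# apqn_released APMASK AQMASK ADAPTER DOMAIN
# Succeeds only if the adapter bit and the domain bit are both cleared,
# which is the state the procedure above sets up before loading vfio_ap.
apqn_released() {
    [ "$(ap_mask_bit "$1" "$3")" = 0 ] && [ "$(ap_mask_bit "$2" "$4")" = 0 ]
}

# Walk-through with constructed masks, mirroring "-0x0" and "-0x16" above.
apmask=$(ap_mask_clear "$(full_mask)" 0x0)
aqmask=$(ap_mask_clear "$(full_mask)" 0x16)
echo "apmask: $apmask (cleared adapters: $(ap_mask_cleared_bits "$apmask"))"
echo "aqmask: $aqmask (cleared domains:  $(ap_mask_cleared_bits "$aqmask"))"
if apqn_released "$apmask" "$aqmask" 0x0 0x16; then
    echo "APQN 00.0016 is masked out of the default drivers"
fi
```

Running `ap_mask_cleared_bits` against the live `/sys/bus/ap/apmask` and `/sys/bus/ap/aqmask` contents gives a quick audit of which adapters and domains have been taken out of the default drivers.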

** Description changed:

  [Impact]
  
-  * The ability to pass through more cryptographic capabilities is a very 
-important feature for users of s390x as virtualization platform.
-Its availability upstream now and its backport in this bug allows to 
-exploit the crypto cards as new HW for these virtualization use 
-cases.
-  
-  * This falls under both "other safe cases" SRU exceptions:
- - For Long Term Support releases we regularly want to enable new 
-   hardware ...
- - For Long Term Support releases we sometimes want to introduce new 
-   features. They must not change the behaviour on existing 
-   installations ...
+  * The ability to pass through more cryptographic capabilities is a very
+    important feature for users of s390x as virtualization platform.
+    Its availability upstream now and its backport in this bug allows to
+    exploit the crypto cards as new HW for these virtualization use
+    cases.
  
-  * This bug has three main components:
-- kernel (ability to do all of this)
-- qemu (add feature to exploit the new code)
-- libvirt (make the feature user consumable)
+  * This falls under both "other safe cases" SRU exceptions:
+ - For Long Term Support releases we regularly want to enable new
+   hardware ...
+ - For Long Term Support releases we sometimes want to introduce new
+   features. They must not change the behaviour on existing
+   installations ...
+ 
+  * 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-26 Thread  Christian Ehrhardt 
** Description changed:

+ [Impact]
+ 
+  * The ability to pass through more cryptographic capabilities is a very 
+important feature for users of s390x as virtualization platform.
+Its availability upstream now and its backport in this bug allows to 
+exploit the crypto cards as new HW for these virtualization use 
+cases.
+  
+  * This falls under both "other safe cases" SRU exceptions:
+ - For Long Term Support releases we regularly want to enable new 
+   hardware ...
+ - For Long Term Support releases we sometimes want to introduce new 
+   features. They must not change the behaviour on existing 
+   installations ...
+ 
+  * This bug has three main components:
+- kernel (ability to do all of this)
+- qemu (add feature to exploit the new code)
+- libvirt (make the feature user consumable)
+ 
+ [Test Case]
+ 
+  * TBD: prepping commands atm ...
+ 
+ [Regression Potential]
+ 
+  * The changes are mostly s390x only and adding a new feature so 
+regressions to existing components should be low. But to backport it 
+slight changes to the MDEV handling had to be applied as well.
+The potential regressions I can see are in that MDEV handling if one 
+of the backports would be bad.
+Fortunately we know that without the related libvirt fixes we added 
+here using MDEVs didn't work at all yet, and people very rarely use 
+qemu without libvirt for anything else than experiments.
+Therefore I'm confident that even if there would be a flaw in the 
+MDEV changes no one is hugely relying on it.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ 
  == SRU Justification ==
  
  (Kernel SRU)
  
  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to 
a KVM guest such that the hypervisor cannot observe the communication of the 
guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will 
automagically land in 'Disco'.)
  
  == Fix ==
  
  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")
  
  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->
  
  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")
  
  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/) -->
  
  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->
  
  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
  7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
  3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
  fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")
  
  <--
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
  -->
  
  == PATCH ==
  
  Above git commits are all from 4.19.
  The git commands for 4.18 would be:
  
  $ git cherry-pick 
  
  (112c24d "KVM: s390: CPU model support for AP virtualization" may have a
  trivial merge conflict with the etoken patch)
  
  $ git cherry-pick 
  
  $ 
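Review bot: the added [Test Case] section contains only "TBD: prepping commands atm ...", so at this revision the SRU template has no steps a verifier could follow. Before the SRU is reviewed, replace the placeholder with the concrete procedure (masking the card and domains from the usual driver, loading vfio-ap, assigning the card, configuring a guest) or with a link to the comment that documents it.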

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-23 Thread  Christian Ehrhardt 
** Changed in: libvirt (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: libvirt (Ubuntu Cosmic)
   Status: New => Triaged

** Changed in: qemu (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: qemu (Ubuntu Cosmic)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in libvirt source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Fix Committed
Status in qemu source package in Bionic:
  Triaged
Status in libvirt source package in Cosmic:
  Triaged
Status in linux source package in Cosmic:
  Fix Committed
Status in qemu source package in Cosmic:
  Triaged
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-23 Thread  Christian Ehrhardt 
Integrated the upcoming qemu CVE fixes as well as another SRU fix going
on currently into the builds of our PPA. Also I forked a branch for
18.10 for the same changes.

With that I started the cross arch regression check (still ongoing - and
will for a while)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices
  to a KVM guest such that the hypervisor cannot observe the communication
  of the guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will
  automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
  7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
  3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
  fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")

  <--
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
  -->

  == PATCH ==

  Above git commits are all from 4.19.
  The git commands for 4.18 would be:

  $ git cherry-pick 

  (112c24d "KVM: s390: CPU model support for AP virtualization" may have
  a trivial merge conflict with the etoken patch)

  $ git cherry-pick 

  $ git cherry-pick 

  == Regression Potential ==

  Low to mid:

  - mid because in summary there are a lot of changes, but low
  - they are all limited to the s390x architecture
  - and again limited to KVM/s390x, vfio-ap and the zcrypt (aka ap) driver
  - Test kernel was built for testing.

  == Test Case ==

  Setup a system for KVM use on an s390x LPAR that has CryptoExpress (aka
  crypto-) adapters installed.
  Verify that the AP bus created a sysfs device for each APQN, like:
  /sys/devices/ap/card04/04.0006
  /sys/devices/ap/card04/04.0047
  /sys/devices/ap/card0a/0a.0006
  /sys/devices/ap/card0a/0a.0047
  Verify the APQN range via the following two sysfs files:
  /sys/bus/ap/apmask
  /sys/bus/ap/aqmask
  Configure and start a guest.
  More details see: 492a6be ("s390: doc: detailed 
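
The test case above checks the APQN devices and the two mask files by eye. The following is an added example, not part of the bug report or the kernel tree, that decodes the masks and reports which queues stay with the default zcrypt drivers. It assumes the layout given in the kernel's vfio-ap documentation (256-bit hex string, leftmost bit is ID 0, and an APQN belongs to the default drivers only if its adapter bit is set in apmask and its domain bit is set in aqmask). The function names and mask values are constructed for illustration.

```python
import re
import string

MASK_BITS = 256  # apmask and aqmask each cover IDs 0..255


def parse_ap_mask(text):
    """Return the set of IDs whose bit is set; bit 0 is the leftmost bit."""
    digits = text.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != MASK_BITS // 4 or set(digits) - set(string.hexdigits):
        raise ValueError("expected a 256-bit hex mask, got %r" % text)
    value = int(digits, 16)
    return {i for i in range(MASK_BITS) if (value >> (MASK_BITS - 1 - i)) & 1}


def format_ap_mask(ids):
    """Build the hex string for a set of IDs (used here to construct samples)."""
    value = 0
    for i in ids:
        if not 0 <= i < MASK_BITS:
            raise ValueError("ID out of range: %r" % i)
        value |= 1 << (MASK_BITS - 1 - i)
    return "0x%064x" % value


def parse_apqn(name):
    """Split a sysfs queue name such as '0a.0047' into (adapter, domain)."""
    match = re.fullmatch(r"([0-9a-f]{2})\.([0-9a-f]{4})", name)
    if not match:
        raise ValueError("not an APQN device name: %r" % name)
    adapter, domain = int(match.group(1), 16), int(match.group(2), 16)
    if domain >= MASK_BITS:
        raise ValueError("domain out of range in %r" % name)
    return adapter, domain


def classify(queue_names, apmask_text, aqmask_text):
    """Map each queue name to the driver class that may bind it."""
    adapters = parse_ap_mask(apmask_text)
    domains = parse_ap_mask(aqmask_text)
    result = {}
    for name in queue_names:
        adapter, domain = parse_apqn(name)
        # Default drivers own the cross product of both masks; every other
        # APQN is left for an alternate driver such as vfio_ap.
        owned = adapter in adapters and domain in domains
        result[name] = "default drivers" if owned else "free for vfio-ap"
    return result


# Constructed sample data: the queue names are the four listed in the test
# case; the masks are made up (adapter 0x0a released, all domains kept).
SAMPLE_QUEUES = ["04.0006", "04.0047", "0a.0006", "0a.0047"]
SAMPLE_APMASK = format_ap_mask(set(range(MASK_BITS)) - {0x0A})
SAMPLE_AQMASK = format_ap_mask(range(MASK_BITS))

if __name__ == "__main__":
    report = classify(SAMPLE_QUEUES, SAMPLE_APMASK, SAMPLE_AQMASK)
    for name, owner in report.items():
        print(name, owner)
```

On a real host the two mask strings would be read from /sys/bus/ap/apmask and /sys/bus/ap/aqmask and the queue names from the directory entries under /sys/devices/ap/cardXX/.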

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-22 Thread  Christian Ehrhardt 
In preparation I did prepare the series for Disco/Cosmic:

For libvirt 4.6 compared to our series to 4.0:
- drop three being upstream in 4.4 and 4.6
  2b9690b62d01bb0b8555764e2365976b98fe4d47 v4.4.0
  21442874cf61ce61c7e0f8bcd616641f35adda2b v4.4.0
  d54e45b6edd7623e488a19e30bc4148a21fa8b03 v4.6.0
- old lp1787405-0006-conf-Move-VFIO-AP-validation-from-post-parse-to-QEMU.patch
  backport can now use the upstream versions of
  208d6e6f5aafa102d04ce300c6338b0736bb52df and
  faab373b53e1a4eacf0d6f524eb47df243f21fac instead
- we can now use the upstream patch for
  f865d58028ccd568b6e7909608678584b12d3c90 as-is
- context updates for
  debian/patches/ubuntu/lp1787405-0003-qemu-add-vfio-ap-capability.patch
- also updated the Bionic branch as I realized patch 6 had actually two
  upstream patches as source (only meta data).

For qemu:
- patch debian/patches/ubuntu/lp1787405-0001-linux-headers-update.patch had
  some minor context updates
- patch
  ubuntu/lp1787405-0002-s390x-cpumodel-Set-up-CPU-model-for-AP-device-suppor.patch
  and
  ubuntu/lp1787405-0004-s390x-ap-base-Adjunct-Processor-AP-object-model.patch
  can now use the upstream version as-is
- some minor header updates for the Bionic branch

Both branches are built for Disco in the PPA we already used [1].

I'll wait another day for the libvirt upstreaming - there were a few
reviews, but no formal ack's yet. I'll ping via IRC if nothing more is
happening until tomorrow.


FYI: To add more fun to all the code-porting I just happened to realize that
there is also a bunch of CVE fixes incoming (I don't know the content yet).
But that might force us to bump these branches once more.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices
  to a KVM guest such that the hypervisor cannot observe the communication of
  the guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will
  automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-22 Thread  Christian Ehrhardt 
Actually Eric beat me, so while I rebased here the patch for libvirt
vfio MDEV for virt-aa-helper was merged.

That said I can finalize the branches for Disco tomorrow and run a round
of regression tests before an upload to Disco.

In the meantime I got a few cards to my lpar, maybe I can also verify
the feature on my own now.

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-22 Thread  Christian Ehrhardt 
FYI: https://www.redhat.com/archives/libvir-list/2018-November/msg00827.html
for the MDEV-vfio apparmor fix upstreaming.

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-20 Thread  Christian Ehrhardt 
Arr, thanks chrome :-/
Such a nice update lost, well let me rewrite it in a shorter fashion:

1. the patches seem good, thanks for the effort to help backporting
2. the extra changes seem safe to me
3. I added a patch on top to get it working with virt-aa-helper
   That is essentially an extension to [1], while hotplug is already covered
   by [2] (always easier as at this time of the lifecycle it can inspect the
   attributes).
4. Now please try the PPA at [3]

If confirmed working I think the next steps are:
- bring the virt-aa-helper change upstream
- some more testing and regression check
- get all of this into current Ubuntu development release
- plan SRU releases to 18.10/18.04 then

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=74e86b6b2521881808bb93290bcebcb469ab7820
[2]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=606afafba4054d275ffaa4d9afa78c35e2366571
[3]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-19 Thread Dimitri John Ledkov
** Tags added: verification-done-cosmic

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-19 Thread Joseph Salisbury
** Tags removed: kernel-key
** Tags added: kernel-da-key

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-19 Thread  Christian Ehrhardt 
@cborntra: done for you - tags updated - thanks for testing.

On the libvirt side I wait for a series by Boris atm, let me know if the
expectations are otherwise.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to a KVM guest such that the hypervisor cannot observe the communication of the guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
  7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
  3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
  fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")

  <--
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
  -->

  == PATCH ==

  Above git commits are all from 4.19.
  The git commands for 4.18 would be:

  $ git cherry-pick 

  (112c24d "KVM: s390: CPU model support for AP virtualization" may have
  a trivial merge conflict with the etoken patch)

  $ git cherry-pick 

  $ git cherry-pick 

  == Regression Potential ==

  Low to mid:

  - mid because in summary there are a lot of changes, but low
  - they are all limited to the s390x architecture
  - and again limited to KVM/s390x, vfio-ap and the zcrypt (aka ap) driver
  - Test kernel was built for testing.

  == Test Case ==

  Setup a system for KVM use on an s390x LPAR that has CryptoExpress (aka crypto-) adapters installed.
  Verify that the AP bus created a sysfs device for each APQN, like:
  /sys/devices/ap/card04/04.0006
  /sys/devices/ap/card04/04.0047
  /sys/devices/ap/card0a/0a.0006
  /sys/devices/ap/card0a/0a.0047
  Verify the APQN range via the following two sysfs files:
  /sys/bus/ap/apmask
  /sys/bus/ap/aqmask
  Configure and start a guest.
  More details see: 492a6be ("s390: doc: detailed 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-19 Thread Dimitri John Ledkov
@cborntra

At the moment, fix committed is the kernel only for bionic & cosmic.
Please check and comment if the kernels look sane to be released into
-updates.

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-16 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-bionic' to 'verification-done-bionic'. If the
problem still exists, change the tag 'verification-needed-bionic' to
'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Cosmic)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Bionic)
   Status: In Progress => Fix Committed

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread Joseph Salisbury
** Changed in: linux (Ubuntu Cosmic)
   Status: Fix Committed => In Progress

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread  Christian Ehrhardt 
FYI: build log of the current incomplete backport:
https://launchpadlibrarian.net/397706595/buildlog_ubuntu-bionic-s390x.libvirt_4.0.0-1ubuntu8.6~ppa1_BUILDING.txt.gz

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread  Christian Ehrhardt 
Some noise in libvirt, I'm not entirely sure if VIR_ENUM_IMPL would need
all the bumps up to 415 or if inserting it at 282 (next) is safe. I
think as long as it is the same enum at virQEMUCapsFlags in the header
it should be ok right?

Some more missing bits since vfio-ccw isn't available in libvirt 4.0, but it seemed doable as well.
Some more around qemuDomainPrimeVfioDeviceAddresses not yet existing. In general vfio-ccw and some later Mdev code is missing there, I don't think that will work without backporting some more.
The series around 72241444002678f7a8e2f423ff14fcbc27ab0fa5 in particular might be needed - but is that too much?

I'd highly appreciate if Boris (or whoever can afford the time, but was
working on this and knows the context) could give that a review. The
Debianized and backported changes can be found at [1] - also [3] for
qemu, but that was a much safer backport as mentioned before.

Let's see what build and test will say, but maybe here some help to backport it to 4.0 the way you want it might be appreciated - at least in identifying the extended series.
It is now in the same PPA [2] that I referred to before.
[...]
Yeah it failed to build.
I could now just pick above referenced commit on top of what I have, but I think giving you a chance to look at it what you think will be required for a 4.0 backport is probably much more efficient.

[1]: https://git.launchpad.net/~paelzer/libvirt/commit/?id=19e25b48b31f8d717ea466ce2eb9537f5c5b07ea
[2]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520
[3]: https://git.launchpad.net/~paelzer/ubuntu/+source/qemu/commit/?id=912b6b5ba1c774eb1251f06a3ffb8ba0cf1c1ea2

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to 
a KVM guest such that the hypervisor cannot observe the communication of the 
guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will 
automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread  Christian Ehrhardt 
Thanks for the not-too conflicting patch series.
I gave it a try and must agree that it seems backportable reasonably (checked 
only qemu for now).

To me it looks safe in terms of not affecting other use cases, nor other 
architectures.
It also looks safe for upgrades/migrations not affecting active machine state 
structs.
I'll give it some testing after I have looked into a libvirt backport as well.
But you could already use the code from the ppa [1] to verify if that is doing 
what you expected.

If libvirt is as-easy then I think we can shove that in between without the 
long delays I was afraid of. I could just push it on top of 2.12 in Disco and 
SRU 2.12/2.11 from there.
If you could help 

One question already though - is there any bug if e.g. any of the 
libvirt/qemu/kernel code is released without the other? So for example if the 
qemu update is installed but not the upgraded kernel (or any other combination 
of the three) would it crash? Or would it just say, sorry not supported on 
probing or so?
I ask you to think about that so that (if required) dependencies will be bumped 
accordingly.

Summary:
- please test [1]
- any hard version dependencies needed?
- I'll ping once also libvirt is in that PPA (or if I have any issues 
backporting it)

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520

** Changed in: qemu (Ubuntu)
   Status: Triaged => In Progress

** Changed in: libvirt (Ubuntu)
   Status: Triaged => In Progress

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) =>  Christian Ehrhardt  (paelzer)

** Changed in: qemu (Ubuntu)
 Assignee: (unassigned) =>  Christian Ehrhardt  (paelzer)


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread bugproxy
--- Comment From heinz-werner_se...@de.ibm.com 2018-11-15 06:17 EDT---
Our latest date to have the kernel patches applied to 18.04.1(kernel 4.15) is 
the December SRU, because we have long lasting customer service durations as 
well as an ongoing customer PoC.
For testing reasons, we do need this made available mid of December - so 
18.04.2 is too late.
And the HWE is unfortunately no alternative for us, due to the testing that we 
intensively do on kernel 4.15, hence kernel upgrades via the HWE kernel would 
require much more (re-)testing on our side and the alignment to our product 
release would become too complex to manage.

Please confirm, that the patch will be made available with the next SRU.

The additionally req. patches for qemu can be applied to 2.11 (hence no
need to wait for 3.1 availability, this should make things simpler).

This all is required due to our Test start for not later than beginning
CW04-2019.

** Tags removed: verification-needed-cosmic


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-15 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
cosmic' to 'verification-done-cosmic'. If the problem still exists,
change the tag 'verification-needed-cosmic' to 'verification-failed-
cosmic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-cosmic


[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-14 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Disco)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Cosmic)
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  Triaged
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to 
a KVM guest such that the hypervisor cannot observe the communication of the 
guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will 
automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
  7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
  3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
  fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")

  <--
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
  -->

  == PATCH ==

  Above git commits are all from 4.19.
  The git commands for 4.18 would be:

  $ git cherry-pick 

  (112c24d "KVM: s390: CPU model support for AP virtualization" may have
  a trivial merge conflict with the etoken patch)

  $ git cherry-pick 

  $ git cherry-pick 

  == Regression Potential ==

  Low to mid:

  - mid because in summary there are a lot of changes, but low
  - they are all limited to the s390x architecture
  - and again limited to KVM/s390x, vfio-ap and the zcrypt (aka ap) driver
  - Test kernel was built for testing.

  == Test Case ==

  Setup a system for KVM use on an s390x LPAR that has CryptoExpress (aka 
crypto-) adapters installed.
  Verify that the AP bus created a sysfs device for each APQN, like:
  /sys/devices/ap/card04/04.0006
  /sys/devices/ap/card04/04.0047
  /sys/devices/ap/card0a/0a.0006
  /sys/devices/ap/card0a/0a.0047
  Verify the APQN range via the following two sysfs files:
  /sys/bus/ap/apmask
  /sys/bus/ap/aqmask
  Configure and start a guest.
  More details see: 492a6be ("s390: doc: detailed specifications for AP 
virtualization")
  But for that an updated qemu and libvirt should be in place - that's 

[Kernel-packages] [Bug 1787405] Re: [FEAT] Guest-dedicated Crypto Adapters

2018-11-12 Thread Andrew Cloke
(Minor update: removed "19.04" from the bug title as it is misleading.
18.04 is the ultimate target.)

** Summary changed:

- [19.04 FEAT] Guest-dedicated Crypto Adapters
+ [FEAT] Guest-dedicated Crypto Adapters
