Re: [PATCH 4/7] KVM: s390/CPACF: Choose crypto control block format
Am 04.02.2015 um 14:48 schrieb Paolo Bonzini: > > > On 04/02/2015 14:05, Christian Borntraeger wrote: Could this also be part of the "things" that KVM can choose to enable, even though it's not a facility? >> Can you re-ask that question? Not sure what you want to know. >> >> This is mostly a fixup for z13, which wants to have a bigger control block. >> but >> this block is not guest visible. > > Okay, this is what I was asking. If the block is not guest visible > that's fine. > > What happens if the guest executes PQAP(QCI)? It will get an illegal opcode because we dont provide the PQAP instruction to the guest. (We have to provide it, if we want to virtualize the off-cpu crypto cards - right now we only provide the on-cpu crypto instructions) -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 4/7] KVM: s390/CPACF: Choose crypto control block format
On 04/02/2015 14:05, Christian Borntraeger wrote: >> > >> > Could this also be part of the "things" that KVM can choose to enable, >> > even though it's not a facility? > Can you re-ask that question? Not sure what you want to know. > > This is mostly a fixup for z13, which wants to have a bigger control block. > but > this block is not guest visible. Okay, this is what I was asking. If the block is not guest visible that's fine. What happens if the guest executes PQAP(QCI)? Paolo > Talking about key wrapping, this is actually masked via a facility bit (for > MSA-3 > and MSA-4), therefore we have the test_vfacility thing in that function. -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 4/7] KVM: s390/CPACF: Choose crypto control block format
Am 04.02.2015 um 14:00 schrieb Paolo Bonzini: > > > On 04/02/2015 10:44, Christian Borntraeger wrote: >> +static void kvm_s390_set_crycb_format(struct kvm *kvm) >> +{ >> +kvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb; >> + >> +if (kvm_s390_apxa_installed()) >> +kvm->arch.crypto.crycbd |= CRYCB_FORMAT2; >> +else >> +kvm->arch.crypto.crycbd |= CRYCB_FORMAT1; >> +} >> + >> static int kvm_s390_crypto_init(struct kvm *kvm) >> { >> if (!test_vfacility(76)) >> @@ -663,8 +709,7 @@ static int kvm_s390_crypto_init(struct kvm *kvm) >> if (!kvm->arch.crypto.crycb) >> return -ENOMEM; >> >> -kvm->arch.crypto.crycbd = (__u32) (unsigned long) >> kvm->arch.crypto.crycb | >> - CRYCB_FORMAT1; >> +kvm_s390_set_crycb_format(kvm); > > Could this also be part of the "things" that KVM can choose to enable, > even though it's not a facility? Can you re-ask that question? Not sure what you want to know. This is mostly a fixup for z13, which wants to have a bigger control block. but this block is not guest visible. Talking about key wrapping, this is actually masked via a facility bit (for MSA-3 and MSA-4), therefore we have the test_vfacility thing in that function. Christian -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 4/7] KVM: s390/CPACF: Choose crypto control block format
On 04/02/2015 10:44, Christian Borntraeger wrote: > +static void kvm_s390_set_crycb_format(struct kvm *kvm) > +{ > + kvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb; > + > + if (kvm_s390_apxa_installed()) > + kvm->arch.crypto.crycbd |= CRYCB_FORMAT2; > + else > + kvm->arch.crypto.crycbd |= CRYCB_FORMAT1; > +} > + > static int kvm_s390_crypto_init(struct kvm *kvm) > { > if (!test_vfacility(76)) > @@ -663,8 +709,7 @@ static int kvm_s390_crypto_init(struct kvm *kvm) > if (!kvm->arch.crypto.crycb) > return -ENOMEM; > > - kvm->arch.crypto.crycbd = (__u32) (unsigned long) > kvm->arch.crypto.crycb | > - CRYCB_FORMAT1; > + kvm_s390_set_crycb_format(kvm); Could this also be part of the "things" that KVM can choose to enable, even though it's not a facility? Paolo -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 4/7] KVM: s390/CPACF: Choose crypto control block format
From: Tony Krowiak We need to specify a different format for the crypto control block depending on whether the APXA facility is installed or not. Let's test for it by executing the PQAP(QCI) function and use either a format-1 or a format-2 crypto control block accordingly. Signed-off-by: Tony Krowiak Signed-off-by: Christian Borntraeger --- arch/s390/include/asm/kvm_host.h | 2 ++ arch/s390/kvm/kvm-s390.c | 49 ++-- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h index d1ecc7f..09b6c1f 100644 --- a/arch/s390/include/asm/kvm_host.h +++ b/arch/s390/include/asm/kvm_host.h @@ -163,6 +163,7 @@ struct kvm_s390_sie_block { __u64 tecmc; /* 0x00e8 */ __u8reservedf0[12]; /* 0x00f0 */ #define CRYCB_FORMAT1 0x0001 +#define CRYCB_FORMAT2 0x0003 __u32 crycbd; /* 0x00fc */ __u64 gcr[16];/* 0x0100 */ __u64 gbea; /* 0x0180 */ @@ -515,6 +516,7 @@ struct kvm_s390_crypto_cb { __u8reserved00[72]; /* 0x */ __u8dea_wrapping_key_mask[24]; /* 0x0048 */ __u8aes_wrapping_key_mask[32]; /* 0x0060 */ + __u8reserved80[128];/* 0x0080 */ }; struct kvm_arch{ diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c index 57f5538..57ba533 100644 --- a/arch/s390/kvm/kvm-s390.c +++ b/arch/s390/kvm/kvm-s390.c @@ -653,6 +653,52 @@ long kvm_arch_vm_ioctl(struct file *filp, return r; } +static int kvm_s390_query_ap_config(u8 *config) +{ + u32 fcn_code = 0x0400UL; + u32 cc; + + asm volatile( + "lgr 0,%1\n" + "lgr 2,%2\n" + ".long 0xb2af\n"/* PQAP(QCI) */ + "ipm %0\n" + "srl %0,28\n" + : "=r" (cc) + : "r" (fcn_code), "r" (config) + : "cc", "0", "2", "memory" + ); + + return cc; +} + +static int kvm_s390_apxa_installed(void) +{ + u8 config[128]; + int cc; + + if (test_facility(2) && test_facility(12)) { + cc = kvm_s390_query_ap_config(config); + + if (cc) + pr_err("PQAP(QCI) failed with cc=%d", cc); + else + return config[0] & 0x40; + } + + return 0; +} + +static void kvm_s390_set_crycb_format(struct kvm *kvm) +{ + kvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb; + + if (kvm_s390_apxa_installed()) + kvm->arch.crypto.crycbd |= CRYCB_FORMAT2; + else + kvm->arch.crypto.crycbd |= CRYCB_FORMAT1; +} + static int kvm_s390_crypto_init(struct kvm *kvm) { if (!test_vfacility(76)) @@ -663,8 +709,7 @@ static int kvm_s390_crypto_init(struct kvm *kvm) if (!kvm->arch.crypto.crycb) return -ENOMEM; - kvm->arch.crypto.crycbd = (__u32) (unsigned long) kvm->arch.crypto.crycb | - CRYCB_FORMAT1; + kvm_s390_set_crycb_format(kvm); /* Disable AES/DEA protected key functions by default */ kvm->arch.crypto.aes_kw = 0; -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html