Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 04/05/2018 06:45 AM, Christian Borntraeger wrote:


On 04/05/2018 12:42 PM, Christian Borntraeger wrote:


On 03/14/2018 07:25 PM, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 -
  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 


The Maintainers update belongs into a different patch (e.g. when you introduce
drivers/s390/crypto/vfio_ap_drv.c )

To put it differently. I think kvm-ap code in here is more related to kvm than 
to
vfio-ap.

Okay, I'll remove this from here. It looks like it is already covered under
KERNEL VIRTUAL MACHINE for s390 (KVM/s390).
  

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 04/05/2018 06:45 AM, Christian Borntraeger wrote:


On 04/05/2018 12:42 PM, Christian Borntraeger wrote:


On 03/14/2018 07:25 PM, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 -
  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 


The Maintainers update belongs into a different patch (e.g. when you introduce
drivers/s390/crypto/vfio_ap_drv.c )

To put it differently. I think kvm-ap code in here is more related to kvm than 
to
vfio-ap.

Okay, I'll remove this from here. It looks like it is already covered under
KERNEL VIRTUAL MACHINE for s390 (KVM/s390).
  

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Christian Borntraeger]

On 04/05/2018 12:42 PM, Christian Borntraeger wrote:
> 
> 
> On 03/14/2018 07:25 PM, Tony Krowiak wrote:
>> This patch refactors the code that initializes the crypto
>> configuration for a guest. The crypto configuration is contained in
>> a crypto control block (CRYCB) which is a satellite control block to
>> our main hardware virtualization control block. The CRYCB is
>> attached to the main virtualization control block via a CRYCB
>> designation (CRYCBD) designation field containing the address of
>> the CRYCB as well as its format.
>>
>> Prior to the introduction of AP device virtualization, there was
>> no need to provide access to or specify the format of the CRYCB for
>> a guest unless the MSA extension 3 (MSAX3) facility was installed
>> on the host system. With the introduction of AP device virtualization,
>> the CRYCB and its format must be made accessible to the guest
>> regardless of the presence of the MSAX3 facility.
>>
>> The crypto initialization code is restructured as follows:
>>
>> * A new compilation unit is introduced to contain all interfaces
>>   and data structures related to configuring a guest's CRYCB for
>>   both the refactoring of crypto initialization as well as all
>>   subsequent patches introducing AP virtualization support.
>>
>> * Currently, the asm code for querying the AP configuration is
>>   duplicated in the AP bus as well as in KVM. Since the KVM
>>   code was introduced, the AP bus has externalized the interface
>>   for querying the AP configuration. The KVM interface will be
>>   replaced with a call to the AP bus interface. Of course, this
>>   will be moved to the new compilation unit mentioned above.
>>
>> * An interface to format the CRYCBD field will be provided via
>>   the new compilation unit and called from the KVM vm
>>   initialization.
>>
>> Signed-off-by: Tony Krowiak 
>> ---
>>  MAINTAINERS  |   10 ++
>>  arch/s390/include/asm/kvm-ap.h   |   16 ++
>>  arch/s390/include/asm/kvm_host.h |1 +
>>  arch/s390/kvm/Kconfig|1 +
>>  arch/s390/kvm/Makefile   |2 +-
>>  arch/s390/kvm/kvm-ap.c   |   48 +
>>  arch/s390/kvm/kvm-s390.c |   61 
>> -
>>  7 files changed, 84 insertions(+), 55 deletions(-)
>>  create mode 100644 arch/s390/include/asm/kvm-ap.h
>>  create mode 100644 arch/s390/kvm/kvm-ap.c
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 0ec5881..72742d5 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -11875,6 +11875,16 @@ W:  
>> http://www.ibm.com/developerworks/linux/linux390/
>>  S:  Supported
>>  F:  drivers/s390/crypto/
>>
>> +S390 VFIO AP DRIVER
>> +M:  Tony Krowiak 
>> +M:  Christian Borntraeger 
>> +M:  Martin Schwidefsky 
>> +L:  linux-s...@vger.kernel.org
>> +W:  http://www.ibm.com/developerworks/linux/linux390/
>> +S:  Supported
>> +F:  arch/s390/include/asm/kvm/kvm-ap.h
>> +F:  arch/s390/kvm/kvm-ap.c
>> +
>>  S390 ZFCP DRIVER
>>  M:  Steffen Maier 
>>  M:  Benjamin Block 
> 
> 
> The Maintainers update belongs into a different patch (e.g. when you 
> introduce 
> drivers/s390/crypto/vfio_ap_drv.c )

To put it differently. I think kvm-ap code in here is more related to kvm than 
to
vfio-ap. 

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Christian Borntraeger]

On 04/05/2018 12:42 PM, Christian Borntraeger wrote:
> 
> 
> On 03/14/2018 07:25 PM, Tony Krowiak wrote:
>> This patch refactors the code that initializes the crypto
>> configuration for a guest. The crypto configuration is contained in
>> a crypto control block (CRYCB) which is a satellite control block to
>> our main hardware virtualization control block. The CRYCB is
>> attached to the main virtualization control block via a CRYCB
>> designation (CRYCBD) designation field containing the address of
>> the CRYCB as well as its format.
>>
>> Prior to the introduction of AP device virtualization, there was
>> no need to provide access to or specify the format of the CRYCB for
>> a guest unless the MSA extension 3 (MSAX3) facility was installed
>> on the host system. With the introduction of AP device virtualization,
>> the CRYCB and its format must be made accessible to the guest
>> regardless of the presence of the MSAX3 facility.
>>
>> The crypto initialization code is restructured as follows:
>>
>> * A new compilation unit is introduced to contain all interfaces
>>   and data structures related to configuring a guest's CRYCB for
>>   both the refactoring of crypto initialization as well as all
>>   subsequent patches introducing AP virtualization support.
>>
>> * Currently, the asm code for querying the AP configuration is
>>   duplicated in the AP bus as well as in KVM. Since the KVM
>>   code was introduced, the AP bus has externalized the interface
>>   for querying the AP configuration. The KVM interface will be
>>   replaced with a call to the AP bus interface. Of course, this
>>   will be moved to the new compilation unit mentioned above.
>>
>> * An interface to format the CRYCBD field will be provided via
>>   the new compilation unit and called from the KVM vm
>>   initialization.
>>
>> Signed-off-by: Tony Krowiak 
>> ---
>>  MAINTAINERS  |   10 ++
>>  arch/s390/include/asm/kvm-ap.h   |   16 ++
>>  arch/s390/include/asm/kvm_host.h |1 +
>>  arch/s390/kvm/Kconfig|1 +
>>  arch/s390/kvm/Makefile   |2 +-
>>  arch/s390/kvm/kvm-ap.c   |   48 +
>>  arch/s390/kvm/kvm-s390.c |   61 
>> -
>>  7 files changed, 84 insertions(+), 55 deletions(-)
>>  create mode 100644 arch/s390/include/asm/kvm-ap.h
>>  create mode 100644 arch/s390/kvm/kvm-ap.c
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 0ec5881..72742d5 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -11875,6 +11875,16 @@ W:  
>> http://www.ibm.com/developerworks/linux/linux390/
>>  S:  Supported
>>  F:  drivers/s390/crypto/
>>
>> +S390 VFIO AP DRIVER
>> +M:  Tony Krowiak 
>> +M:  Christian Borntraeger 
>> +M:  Martin Schwidefsky 
>> +L:  linux-s...@vger.kernel.org
>> +W:  http://www.ibm.com/developerworks/linux/linux390/
>> +S:  Supported
>> +F:  arch/s390/include/asm/kvm/kvm-ap.h
>> +F:  arch/s390/kvm/kvm-ap.c
>> +
>>  S390 ZFCP DRIVER
>>  M:  Steffen Maier 
>>  M:  Benjamin Block 
> 
> 
> The Maintainers update belongs into a different patch (e.g. when you 
> introduce 
> drivers/s390/crypto/vfio_ap_drv.c )

To put it differently. I think kvm-ap code in here is more related to kvm than 
to
vfio-ap. 

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Christian Borntraeger]

On 03/14/2018 07:25 PM, Tony Krowiak wrote:
> This patch refactors the code that initializes the crypto
> configuration for a guest. The crypto configuration is contained in
> a crypto control block (CRYCB) which is a satellite control block to
> our main hardware virtualization control block. The CRYCB is
> attached to the main virtualization control block via a CRYCB
> designation (CRYCBD) designation field containing the address of
> the CRYCB as well as its format.
> 
> Prior to the introduction of AP device virtualization, there was
> no need to provide access to or specify the format of the CRYCB for
> a guest unless the MSA extension 3 (MSAX3) facility was installed
> on the host system. With the introduction of AP device virtualization,
> the CRYCB and its format must be made accessible to the guest
> regardless of the presence of the MSAX3 facility.
> 
> The crypto initialization code is restructured as follows:
> 
> * A new compilation unit is introduced to contain all interfaces
>   and data structures related to configuring a guest's CRYCB for
>   both the refactoring of crypto initialization as well as all
>   subsequent patches introducing AP virtualization support.
> 
> * Currently, the asm code for querying the AP configuration is
>   duplicated in the AP bus as well as in KVM. Since the KVM
>   code was introduced, the AP bus has externalized the interface
>   for querying the AP configuration. The KVM interface will be
>   replaced with a call to the AP bus interface. Of course, this
>   will be moved to the new compilation unit mentioned above.
> 
> * An interface to format the CRYCBD field will be provided via
>   the new compilation unit and called from the KVM vm
>   initialization.
> 
> Signed-off-by: Tony Krowiak 
> ---
>  MAINTAINERS  |   10 ++
>  arch/s390/include/asm/kvm-ap.h   |   16 ++
>  arch/s390/include/asm/kvm_host.h |1 +
>  arch/s390/kvm/Kconfig|1 +
>  arch/s390/kvm/Makefile   |2 +-
>  arch/s390/kvm/kvm-ap.c   |   48 +
>  arch/s390/kvm/kvm-s390.c |   61 -
>  7 files changed, 84 insertions(+), 55 deletions(-)
>  create mode 100644 arch/s390/include/asm/kvm-ap.h
>  create mode 100644 arch/s390/kvm/kvm-ap.c
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0ec5881..72742d5 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -11875,6 +11875,16 @@ W:   
> http://www.ibm.com/developerworks/linux/linux390/
>  S:   Supported
>  F:   drivers/s390/crypto/
> 
> +S390 VFIO AP DRIVER
> +M:   Tony Krowiak 
> +M:   Christian Borntraeger 
> +M:   Martin Schwidefsky 
> +L:   linux-s...@vger.kernel.org
> +W:   http://www.ibm.com/developerworks/linux/linux390/
> +S:   Supported
> +F:   arch/s390/include/asm/kvm/kvm-ap.h
> +F:   arch/s390/kvm/kvm-ap.c
> +
>  S390 ZFCP DRIVER
>  M:   Steffen Maier 
>  M:   Benjamin Block 


The Maintainers update belongs into a different patch (e.g. when you introduce 
drivers/s390/crypto/vfio_ap_drv.c )

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Christian Borntraeger]

On 03/14/2018 07:25 PM, Tony Krowiak wrote:
> This patch refactors the code that initializes the crypto
> configuration for a guest. The crypto configuration is contained in
> a crypto control block (CRYCB) which is a satellite control block to
> our main hardware virtualization control block. The CRYCB is
> attached to the main virtualization control block via a CRYCB
> designation (CRYCBD) designation field containing the address of
> the CRYCB as well as its format.
> 
> Prior to the introduction of AP device virtualization, there was
> no need to provide access to or specify the format of the CRYCB for
> a guest unless the MSA extension 3 (MSAX3) facility was installed
> on the host system. With the introduction of AP device virtualization,
> the CRYCB and its format must be made accessible to the guest
> regardless of the presence of the MSAX3 facility.
> 
> The crypto initialization code is restructured as follows:
> 
> * A new compilation unit is introduced to contain all interfaces
>   and data structures related to configuring a guest's CRYCB for
>   both the refactoring of crypto initialization as well as all
>   subsequent patches introducing AP virtualization support.
> 
> * Currently, the asm code for querying the AP configuration is
>   duplicated in the AP bus as well as in KVM. Since the KVM
>   code was introduced, the AP bus has externalized the interface
>   for querying the AP configuration. The KVM interface will be
>   replaced with a call to the AP bus interface. Of course, this
>   will be moved to the new compilation unit mentioned above.
> 
> * An interface to format the CRYCBD field will be provided via
>   the new compilation unit and called from the KVM vm
>   initialization.
> 
> Signed-off-by: Tony Krowiak 
> ---
>  MAINTAINERS  |   10 ++
>  arch/s390/include/asm/kvm-ap.h   |   16 ++
>  arch/s390/include/asm/kvm_host.h |1 +
>  arch/s390/kvm/Kconfig|1 +
>  arch/s390/kvm/Makefile   |2 +-
>  arch/s390/kvm/kvm-ap.c   |   48 +
>  arch/s390/kvm/kvm-s390.c |   61 -
>  7 files changed, 84 insertions(+), 55 deletions(-)
>  create mode 100644 arch/s390/include/asm/kvm-ap.h
>  create mode 100644 arch/s390/kvm/kvm-ap.c
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0ec5881..72742d5 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -11875,6 +11875,16 @@ W:   
> http://www.ibm.com/developerworks/linux/linux390/
>  S:   Supported
>  F:   drivers/s390/crypto/
> 
> +S390 VFIO AP DRIVER
> +M:   Tony Krowiak 
> +M:   Christian Borntraeger 
> +M:   Martin Schwidefsky 
> +L:   linux-s...@vger.kernel.org
> +W:   http://www.ibm.com/developerworks/linux/linux390/
> +S:   Supported
> +F:   arch/s390/include/asm/kvm/kvm-ap.h
> +F:   arch/s390/kvm/kvm-ap.c
> +
>  S390 ZFCP DRIVER
>  M:   Steffen Maier 
>  M:   Benjamin Block 


The Maintainers update belongs into a different patch (e.g. when you introduce 
drivers/s390/crypto/vfio_ap_drv.c )

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Cornelia Huck]

On Thu, 29 Mar 2018 14:57:22 -0400
Tony Krowiak  wrote:

> On 03/26/2018 04:44 AM, Cornelia Huck wrote:
> > On Thu, 15 Mar 2018 15:55:39 +0100
> > Pierre Morel  wrote:
> >  
> >> On 15/03/2018 15:48, Tony Krowiak wrote:  
> >>> On 03/15/2018 08:26 AM, Pierre Morel wrote:  
>  On 14/03/2018 19:25, Tony Krowiak wrote:  
> > diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
> > index a3dbd45..4ca9077 100644
> > --- a/arch/s390/kvm/Kconfig
> > +++ b/arch/s390/kvm/Kconfig
> > @@ -33,6 +33,7 @@ config KVM
> >select HAVE_KVM_INVALID_WAKEUPS
> >select SRCU
> >select KVM_VFIO
> > +select ZCRYPT  
>  I do not think it is a good solution to *always* enable ZCRYPT
>  when we have KVM.  
> >>> If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed()
> >>> function will not compile
> >>> because it calls a zcrypt interface. How would you suggest we make
> >>> sure zcrypt interfaces
> >>> used in KVM are built if CONFIG_ZCRYPT is not selected?  
> >> if zcrypt is not configured, I suppose that the KVM code initializaing 
> >> CRYCB
> >> has no use but the function will be called from KVM.
> >> So I would do something like:
> >>
> >> #ifdef ZCRYPT
> >> external definitions.
> >> #else
> >> stubs returning error -ENOZCRYPT (or whatever)
> >> #endif  
> > The kvm code used some kind of detection for crycb before (IIRC it was
> > for the key-wrapping stuff). I assume that usage is independent of
> > zcrypt driver usage in the host?  
> A function in kvm-s390.c was replaced with a call to the function in
> ap_bus.c that was externalized in patch 2/14. This was done to remove
> duplicate code. Since zcrypt is built into the kernel, I didn't think
> it would be a problem, but apparently because of the way zcrypt is
> configured, it is still possible to remove it from the kernel build.

Yes.

> >
> > So, I think that apxa detection function should be used to s390
> > architecture base code and not be conditional on anything.  
> I am convinced that the original function from kvm_s390.c should be
> restored.

That would work as well, but removing the code duplication via moving
to s390 architecture code should not be that bad, either. Leaving the
decision to the respective maintainers.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Cornelia Huck]

On Thu, 29 Mar 2018 14:57:22 -0400
Tony Krowiak  wrote:

> On 03/26/2018 04:44 AM, Cornelia Huck wrote:
> > On Thu, 15 Mar 2018 15:55:39 +0100
> > Pierre Morel  wrote:
> >  
> >> On 15/03/2018 15:48, Tony Krowiak wrote:  
> >>> On 03/15/2018 08:26 AM, Pierre Morel wrote:  
>  On 14/03/2018 19:25, Tony Krowiak wrote:  
> > diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
> > index a3dbd45..4ca9077 100644
> > --- a/arch/s390/kvm/Kconfig
> > +++ b/arch/s390/kvm/Kconfig
> > @@ -33,6 +33,7 @@ config KVM
> >select HAVE_KVM_INVALID_WAKEUPS
> >select SRCU
> >select KVM_VFIO
> > +select ZCRYPT  
>  I do not think it is a good solution to *always* enable ZCRYPT
>  when we have KVM.  
> >>> If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed()
> >>> function will not compile
> >>> because it calls a zcrypt interface. How would you suggest we make
> >>> sure zcrypt interfaces
> >>> used in KVM are built if CONFIG_ZCRYPT is not selected?  
> >> if zcrypt is not configured, I suppose that the KVM code initializaing 
> >> CRYCB
> >> has no use but the function will be called from KVM.
> >> So I would do something like:
> >>
> >> #ifdef ZCRYPT
> >> external definitions.
> >> #else
> >> stubs returning error -ENOZCRYPT (or whatever)
> >> #endif  
> > The kvm code used some kind of detection for crycb before (IIRC it was
> > for the key-wrapping stuff). I assume that usage is independent of
> > zcrypt driver usage in the host?  
> A function in kvm-s390.c was replaced with a call to the function in
> ap_bus.c that was externalized in patch 2/14. This was done to remove
> duplicate code. Since zcrypt is built into the kernel, I didn't think
> it would be a problem, but apparently because of the way zcrypt is
> configured, it is still possible to remove it from the kernel build.

Yes.

> >
> > So, I think that apxa detection function should be used to s390
> > architecture base code and not be conditional on anything.  
> I am convinced that the original function from kvm_s390.c should be
> restored.

That would work as well, but removing the code duplication via moving
to s390 architecture code should not be that bad, either. Leaving the
decision to the respective maintainers.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 03/26/2018 04:44 AM, Cornelia Huck wrote:

On Thu, 15 Mar 2018 15:55:39 +0100
Pierre Morel  wrote:


On 15/03/2018 15:48, Tony Krowiak wrote:

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
   select HAVE_KVM_INVALID_WAKEUPS
   select SRCU
   select KVM_VFIO
+select ZCRYPT

I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.

If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed()
function will not compile
because it calls a zcrypt interface. How would you suggest we make
sure zcrypt interfaces
used in KVM are built if CONFIG_ZCRYPT is not selected?

if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
has no use but the function will be called from KVM.
So I would do something like:

#ifdef ZCRYPT
external definitions.
#else
stubs returning error -ENOZCRYPT (or whatever)
#endif

The kvm code used some kind of detection for crycb before (IIRC it was
for the key-wrapping stuff). I assume that usage is independent of
zcrypt driver usage in the host?

A function in kvm-s390.c was replaced with a call to the function in
ap_bus.c that was externalized in patch 2/14. This was done to remove
duplicate code. Since zcrypt is built into the kernel, I didn't think
it would be a problem, but apparently because of the way zcrypt is
configured, it is still possible to remove it from the kernel build.


So, I think that apxa detection function should be used to s390
architecture base code and not be conditional on anything.

I am convinced that the original function from kvm_s390.c should be
restored.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 03/26/2018 04:44 AM, Cornelia Huck wrote:

On Thu, 15 Mar 2018 15:55:39 +0100
Pierre Morel  wrote:


On 15/03/2018 15:48, Tony Krowiak wrote:

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
   select HAVE_KVM_INVALID_WAKEUPS
   select SRCU
   select KVM_VFIO
+select ZCRYPT

I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.

If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed()
function will not compile
because it calls a zcrypt interface. How would you suggest we make
sure zcrypt interfaces
used in KVM are built if CONFIG_ZCRYPT is not selected?

if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
has no use but the function will be called from KVM.
So I would do something like:

#ifdef ZCRYPT
external definitions.
#else
stubs returning error -ENOZCRYPT (or whatever)
#endif

The kvm code used some kind of detection for crycb before (IIRC it was
for the key-wrapping stuff). I assume that usage is independent of
zcrypt driver usage in the host?

A function in kvm-s390.c was replaced with a call to the function in
ap_bus.c that was externalized in patch 2/14. This was done to remove
duplicate code. Since zcrypt is built into the kernel, I didn't think
it would be a problem, but apparently because of the way zcrypt is
configured, it is still possible to remove it from the kernel build.


So, I think that apxa detection function should be used to s390
architecture base code and not be conditional on anything.

I am convinced that the original function from kvm_s390.c should be
restored.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Cornelia Huck]

On Thu, 15 Mar 2018 15:55:39 +0100
Pierre Morel  wrote:

> On 15/03/2018 15:48, Tony Krowiak wrote:
> > On 03/15/2018 08:26 AM, Pierre Morel wrote:  
> >> On 14/03/2018 19:25, Tony Krowiak wrote:  

> >>> diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
> >>> index a3dbd45..4ca9077 100644
> >>> --- a/arch/s390/kvm/Kconfig
> >>> +++ b/arch/s390/kvm/Kconfig
> >>> @@ -33,6 +33,7 @@ config KVM
> >>>   select HAVE_KVM_INVALID_WAKEUPS
> >>>   select SRCU
> >>>   select KVM_VFIO
> >>> +    select ZCRYPT  
> >>
> >> I do not think it is a good solution to *always* enable ZCRYPT
> >> when we have KVM.  
> > If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
> > function will not compile
> > because it calls a zcrypt interface. How would you suggest we make 
> > sure zcrypt interfaces
> > used in KVM are built if CONFIG_ZCRYPT is not selected?  
> 
> if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
> has no use but the function will be called from KVM.
> So I would do something like:
> 
> #ifdef ZCRYPT
> external definitions.
> #else
> stubs returning error -ENOZCRYPT (or whatever)
> #endif

The kvm code used some kind of detection for crycb before (IIRC it was
for the key-wrapping stuff). I assume that usage is independent of
zcrypt driver usage in the host?

So, I think that apxa detection function should be used to s390
architecture base code and not be conditional on anything.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Cornelia Huck]

On Thu, 15 Mar 2018 15:55:39 +0100
Pierre Morel  wrote:

> On 15/03/2018 15:48, Tony Krowiak wrote:
> > On 03/15/2018 08:26 AM, Pierre Morel wrote:  
> >> On 14/03/2018 19:25, Tony Krowiak wrote:  

> >>> diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
> >>> index a3dbd45..4ca9077 100644
> >>> --- a/arch/s390/kvm/Kconfig
> >>> +++ b/arch/s390/kvm/Kconfig
> >>> @@ -33,6 +33,7 @@ config KVM
> >>>   select HAVE_KVM_INVALID_WAKEUPS
> >>>   select SRCU
> >>>   select KVM_VFIO
> >>> +    select ZCRYPT  
> >>
> >> I do not think it is a good solution to *always* enable ZCRYPT
> >> when we have KVM.  
> > If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
> > function will not compile
> > because it calls a zcrypt interface. How would you suggest we make 
> > sure zcrypt interfaces
> > used in KVM are built if CONFIG_ZCRYPT is not selected?  
> 
> if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
> has no use but the function will be called from KVM.
> So I would do something like:
> 
> #ifdef ZCRYPT
> external definitions.
> #else
> stubs returning error -ENOZCRYPT (or whatever)
> #endif

The kvm code used some kind of detection for crycb before (IIRC it was
for the key-wrapping stuff). I assume that usage is independent of
zcrypt driver usage in the host?

So, I think that apxa detection function should be used to s390
architecture base code and not be conditional on anything.

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Pierre Morel]

On 15/03/2018 15:48, Tony Krowiak wrote:

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |    1 +
  arch/s390/kvm/Kconfig    |    1 +
  arch/s390/kvm/Makefile   |    2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 
-

  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/

  S:    Supported
  F:    drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M:    Tony Krowiak 
+M:    Christian Borntraeger 
+M:    Martin Schwidefsky 
+L:    linux-s...@vger.kernel.org
+W:    http://www.ibm.com/developerworks/linux/linux390/
+S:    Supported
+F:    arch/s390/include/asm/kvm/kvm-ap.h
+F:    arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:    Steffen Maier 
  M:    Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h 
b/arch/s390/include/asm/kvm-ap.h

new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h 
b/arch/s390/include/asm/kvm_host.h

index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
  __u8    reservedf0[12];    /* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
  __u32    crycbd;    /* 0x00fc */
  __u64    gcr[16];    /* 0x0100 */
  __u64    gbea;    /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
  select HAVE_KVM_INVALID_WAKEUPS
  select SRCU
  select KVM_VFIO
+    select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.
If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
function will not compile
because it calls a zcrypt interface. How would you suggest we make 
sure zcrypt interfaces

used in KVM are built if CONFIG_ZCRYPT is not selected?


if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
has no use but the function will be called from KVM.
So I would do something like:

#ifdef ZCRYPT
external definitions.
#else
stubs returning error -ENOZCRYPT (or whatever)
#endif





Pierre






--
Pierre 

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Pierre Morel]

On 15/03/2018 15:48, Tony Krowiak wrote:

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |    1 +
  arch/s390/kvm/Kconfig    |    1 +
  arch/s390/kvm/Makefile   |    2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 
-

  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/

  S:    Supported
  F:    drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M:    Tony Krowiak 
+M:    Christian Borntraeger 
+M:    Martin Schwidefsky 
+L:    linux-s...@vger.kernel.org
+W:    http://www.ibm.com/developerworks/linux/linux390/
+S:    Supported
+F:    arch/s390/include/asm/kvm/kvm-ap.h
+F:    arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:    Steffen Maier 
  M:    Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h 
b/arch/s390/include/asm/kvm-ap.h

new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h 
b/arch/s390/include/asm/kvm_host.h

index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
  __u8    reservedf0[12];    /* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
  __u32    crycbd;    /* 0x00fc */
  __u64    gcr[16];    /* 0x0100 */
  __u64    gbea;    /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
  select HAVE_KVM_INVALID_WAKEUPS
  select SRCU
  select KVM_VFIO
+    select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.
If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
function will not compile
because it calls a zcrypt interface. How would you suggest we make 
sure zcrypt interfaces

used in KVM are built if CONFIG_ZCRYPT is not selected?


if zcrypt is not configured, I suppose that the KVM code initializaing CRYCB
has no use but the function will be called from KVM.
So I would do something like:

#ifdef ZCRYPT
external definitions.
#else
stubs returning error -ENOZCRYPT (or whatever)
#endif





Pierre






--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 
-

  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/

  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M:Tony Krowiak 
+M:Christian Borntraeger 
+M:Martin Schwidefsky 
+L:linux-s...@vger.kernel.org
+W:http://www.ibm.com/developerworks/linux/linux390/
+S:Supported
+F:arch/s390/include/asm/kvm/kvm-ap.h
+F:arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h 
b/arch/s390/include/asm/kvm-ap.h

new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h 
b/arch/s390/include/asm/kvm_host.h

index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
  __u8reservedf0[12];/* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
  __u32crycbd;/* 0x00fc */
  __u64gcr[16];/* 0x0100 */
  __u64gbea;/* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
  select HAVE_KVM_INVALID_WAKEUPS
  select SRCU
  select KVM_VFIO
+select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.
If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
function will not compile
because it calls a zcrypt interface. How would you suggest we make sure 
zcrypt interfaces

used in KVM are built if CONFIG_ZCRYPT is not selected?


Pierre

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

On 03/15/2018 08:26 AM, Pierre Morel wrote:

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 
-

  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/

  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M:Tony Krowiak 
+M:Christian Borntraeger 
+M:Martin Schwidefsky 
+L:linux-s...@vger.kernel.org
+W:http://www.ibm.com/developerworks/linux/linux390/
+S:Supported
+F:arch/s390/include/asm/kvm/kvm-ap.h
+F:arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h 
b/arch/s390/include/asm/kvm-ap.h

new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h 
b/arch/s390/include/asm/kvm_host.h

index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
  __u8reservedf0[12];/* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
  __u32crycbd;/* 0x00fc */
  __u64gcr[16];/* 0x0100 */
  __u64gbea;/* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
  select HAVE_KVM_INVALID_WAKEUPS
  select SRCU
  select KVM_VFIO
+select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.
If CONFIG_ZCRYPT is not selected, then the kvm_ap_apxa_installed() 
function will not compile
because it calls a zcrypt interface. How would you suggest we make sure 
zcrypt interfaces

used in KVM are built if CONFIG_ZCRYPT is not selected?


Pierre

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Pierre Morel]

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 -
  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h b/arch/s390/include/asm/kvm-ap.h
new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
__u8reservedf0[12]; /* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
__u32   crycbd; /* 0x00fc */
__u64   gcr[16];/* 0x0100 */
__u64   gbea;   /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
select HAVE_KVM_INVALID_WAKEUPS
select SRCU
select KVM_VFIO
+   select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.

Pierre


--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany

Re: [PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Pierre Morel]

On 14/03/2018 19:25, Tony Krowiak wrote:

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
   and data structures related to configuring a guest's CRYCB for
   both the refactoring of crypto initialization as well as all
   subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
   duplicated in the AP bus as well as in KVM. Since the KVM
   code was introduced, the AP bus has externalized the interface
   for querying the AP configuration. The KVM interface will be
   replaced with a call to the AP bus interface. Of course, this
   will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
   the new compilation unit and called from the KVM vm
   initialization.

Signed-off-by: Tony Krowiak 
---
  MAINTAINERS  |   10 ++
  arch/s390/include/asm/kvm-ap.h   |   16 ++
  arch/s390/include/asm/kvm_host.h |1 +
  arch/s390/kvm/Kconfig|1 +
  arch/s390/kvm/Makefile   |2 +-
  arch/s390/kvm/kvm-ap.c   |   48 +
  arch/s390/kvm/kvm-s390.c |   61 -
  7 files changed, 84 insertions(+), 55 deletions(-)
  create mode 100644 arch/s390/include/asm/kvm-ap.h
  create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
  S:Supported
  F:drivers/s390/crypto/

+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
  S390 ZFCP DRIVER
  M:Steffen Maier 
  M:Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h b/arch/s390/include/asm/kvm-ap.h
new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
__u8reservedf0[12]; /* 0x00f0 */
  #define CRYCB_FORMAT1 0x0001
  #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
__u32   crycbd; /* 0x00fc */
__u64   gcr[16];/* 0x0100 */
__u64   gbea;   /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
select HAVE_KVM_INVALID_WAKEUPS
select SRCU
select KVM_VFIO
+   select ZCRYPT


I do not think it is a good solution to *always* enable ZCRYPT
when we have KVM.

Pierre


--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany

[PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
  and data structures related to configuring a guest's CRYCB for
  both the refactoring of crypto initialization as well as all
  subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
  duplicated in the AP bus as well as in KVM. Since the KVM
  code was introduced, the AP bus has externalized the interface
  for querying the AP configuration. The KVM interface will be
  replaced with a call to the AP bus interface. Of course, this
  will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
  the new compilation unit and called from the KVM vm
  initialization.

Signed-off-by: Tony Krowiak 
---
 MAINTAINERS  |   10 ++
 arch/s390/include/asm/kvm-ap.h   |   16 ++
 arch/s390/include/asm/kvm_host.h |1 +
 arch/s390/kvm/Kconfig|1 +
 arch/s390/kvm/Makefile   |2 +-
 arch/s390/kvm/kvm-ap.c   |   48 +
 arch/s390/kvm/kvm-s390.c |   61 -
 7 files changed, 84 insertions(+), 55 deletions(-)
 create mode 100644 arch/s390/include/asm/kvm-ap.h
 create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
 S: Supported
 F: drivers/s390/crypto/
 
+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
 S390 ZFCP DRIVER
 M: Steffen Maier 
 M: Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h b/arch/s390/include/asm/kvm-ap.h
new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
__u8reservedf0[12]; /* 0x00f0 */
 #define CRYCB_FORMAT1 0x0001
 #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
__u32   crycbd; /* 0x00fc */
__u64   gcr[16];/* 0x0100 */
__u64   gbea;   /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
select HAVE_KVM_INVALID_WAKEUPS
select SRCU
select KVM_VFIO
+   select ZCRYPT
---help---
  Support hosting paravirtualized guest machines using the SIE
  virtualization capability on the mainframe. This should work
diff --git a/arch/s390/kvm/Makefile b/arch/s390/kvm/Makefile
index 05ee90a..1876bfe 100644
--- a/arch/s390/kvm/Makefile
+++ b/arch/s390/kvm/Makefile
@@ -9,6 +9,6 @@ common-objs = $(KVM)/kvm_main.o $(KVM)/eventfd.o  
$(KVM)/async_pf.o $(KVM)/irqch
 ccflags-y := -Ivirt/kvm -Iarch/s390/kvm
 
 kvm-objs := $(common-objs) kvm-s390.o intercept.o interrupt.o priv.o sigp.o
-kvm-objs += diag.o gaccess.o guestdbg.o vsie.o
+kvm-objs += diag.o gaccess.o guestdbg.o vsie.o kvm-ap.o
 
 obj-$(CONFIG_KVM) += kvm.o
diff --git a/arch/s390/kvm/kvm-ap.c b/arch/s390/kvm/kvm-ap.c
new 

[PATCH v3 01/14] KVM: s390: refactor crypto initialization

[Tony Krowiak]

This patch refactors the code that initializes the crypto
configuration for a guest. The crypto configuration is contained in
a crypto control block (CRYCB) which is a satellite control block to
our main hardware virtualization control block. The CRYCB is
attached to the main virtualization control block via a CRYCB
designation (CRYCBD) designation field containing the address of
the CRYCB as well as its format.

Prior to the introduction of AP device virtualization, there was
no need to provide access to or specify the format of the CRYCB for
a guest unless the MSA extension 3 (MSAX3) facility was installed
on the host system. With the introduction of AP device virtualization,
the CRYCB and its format must be made accessible to the guest
regardless of the presence of the MSAX3 facility.

The crypto initialization code is restructured as follows:

* A new compilation unit is introduced to contain all interfaces
  and data structures related to configuring a guest's CRYCB for
  both the refactoring of crypto initialization as well as all
  subsequent patches introducing AP virtualization support.

* Currently, the asm code for querying the AP configuration is
  duplicated in the AP bus as well as in KVM. Since the KVM
  code was introduced, the AP bus has externalized the interface
  for querying the AP configuration. The KVM interface will be
  replaced with a call to the AP bus interface. Of course, this
  will be moved to the new compilation unit mentioned above.

* An interface to format the CRYCBD field will be provided via
  the new compilation unit and called from the KVM vm
  initialization.

Signed-off-by: Tony Krowiak 
---
 MAINTAINERS  |   10 ++
 arch/s390/include/asm/kvm-ap.h   |   16 ++
 arch/s390/include/asm/kvm_host.h |1 +
 arch/s390/kvm/Kconfig|1 +
 arch/s390/kvm/Makefile   |2 +-
 arch/s390/kvm/kvm-ap.c   |   48 +
 arch/s390/kvm/kvm-s390.c |   61 -
 7 files changed, 84 insertions(+), 55 deletions(-)
 create mode 100644 arch/s390/include/asm/kvm-ap.h
 create mode 100644 arch/s390/kvm/kvm-ap.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 0ec5881..72742d5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11875,6 +11875,16 @@ W: 
http://www.ibm.com/developerworks/linux/linux390/
 S: Supported
 F: drivers/s390/crypto/
 
+S390 VFIO AP DRIVER
+M: Tony Krowiak 
+M: Christian Borntraeger 
+M: Martin Schwidefsky 
+L: linux-s...@vger.kernel.org
+W: http://www.ibm.com/developerworks/linux/linux390/
+S: Supported
+F: arch/s390/include/asm/kvm/kvm-ap.h
+F: arch/s390/kvm/kvm-ap.c
+
 S390 ZFCP DRIVER
 M: Steffen Maier 
 M: Benjamin Block 
diff --git a/arch/s390/include/asm/kvm-ap.h b/arch/s390/include/asm/kvm-ap.h
new file mode 100644
index 000..362846c
--- /dev/null
+++ b/arch/s390/include/asm/kvm-ap.h
@@ -0,0 +1,16 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ * Copyright IBM Corp. 2017
+ *
+ * Author(s): Tony Krowiak 
+ */
+
+#ifndef _ASM_KVM_AP
+#define _ASM_KVM_AP
+#include 
+#include 
+
+void kvm_ap_build_crycbd(struct kvm *kvm);
+
+#endif /* _ASM_KVM_AP */
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 34c9b5b..65a944e 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -257,6 +257,7 @@ struct kvm_s390_sie_block {
__u8reservedf0[12]; /* 0x00f0 */
 #define CRYCB_FORMAT1 0x0001
 #define CRYCB_FORMAT2 0x0003
+#define CRYCB_FORMAT_MASK 0x0003
__u32   crycbd; /* 0x00fc */
__u64   gcr[16];/* 0x0100 */
__u64   gbea;   /* 0x0180 */
diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
index a3dbd45..4ca9077 100644
--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -33,6 +33,7 @@ config KVM
select HAVE_KVM_INVALID_WAKEUPS
select SRCU
select KVM_VFIO
+   select ZCRYPT
---help---
  Support hosting paravirtualized guest machines using the SIE
  virtualization capability on the mainframe. This should work
diff --git a/arch/s390/kvm/Makefile b/arch/s390/kvm/Makefile
index 05ee90a..1876bfe 100644
--- a/arch/s390/kvm/Makefile
+++ b/arch/s390/kvm/Makefile
@@ -9,6 +9,6 @@ common-objs = $(KVM)/kvm_main.o $(KVM)/eventfd.o  
$(KVM)/async_pf.o $(KVM)/irqch
 ccflags-y := -Ivirt/kvm -Iarch/s390/kvm
 
 kvm-objs := $(common-objs) kvm-s390.o intercept.o interrupt.o priv.o sigp.o
-kvm-objs += diag.o gaccess.o guestdbg.o vsie.o
+kvm-objs += diag.o gaccess.o guestdbg.o vsie.o kvm-ap.o
 
 obj-$(CONFIG_KVM) += kvm.o
diff --git a/arch/s390/kvm/kvm-ap.c b/arch/s390/kvm/kvm-ap.c
new file mode 100644
index 000..a2c6ad2
--- /dev/null
+++ b/arch/s390/kvm/kvm-ap.c
@@ -0,0 +1,48 @@
+/*
+ * Adjunct Processor (AP) configuration management for KVM guests
+ *
+ *