[v9] s390x: Protected Virtualization support

[PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Janosch Frank 5 years, 11 months ago

From: Christian Borntraeger <borntraeger@de.ibm.com>

The unpack facility is an indication that diagnose 308 subcodes 8-10
are available to the guest. That means, that the guest can put itself
into protected mode.

Once it is in protected mode, the hardware stops any attempt of VM
introspection by the hypervisor.

Some features are currently not supported in protected mode:
     * Passthrough devices
     * Migration
     * Huge page backings

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
---
 target/s390x/gen-features.c | 1 +
 target/s390x/kvm.c          | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 6278845b12b8dee8..8ddeebc54419a3e2 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
     S390_FEAT_GROUP_MSA_EXT_9,
     S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
     S390_FEAT_ETOKEN,
+    S390_FEAT_UNPACK,
 };
 
 /* Default features (in order of release)
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index ff6027036ec2f14a..e11e895a3d9038bb 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -2403,6 +2403,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
         clear_bit(S390_FEAT_BPB, model->features);
     }
 
+    /* we do have the IPL enhancements */
+    if (cap_protected) {
+        set_bit(S390_FEAT_UNPACK, model->features);
+    }
+
     /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
     set_bit(S390_FEAT_ZPCI, model->features);
     set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);
-- 
2.25.1

Re: [PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Cornelia Huck 5 years, 10 months ago

On Wed, 11 Mar 2020 09:21:51 -0400
Janosch Frank <frankja@linux.ibm.com> wrote:

> From: Christian Borntraeger <borntraeger@de.ibm.com>
> 
> The unpack facility is an indication that diagnose 308 subcodes 8-10
> are available to the guest. That means, that the guest can put itself
> into protected mode.
> 
> Once it is in protected mode, the hardware stops any attempt of VM
> introspection by the hypervisor.
> 
> Some features are currently not supported in protected mode:
>      * Passthrough devices

s/Passthrough/vfio/ ?

>      * Migration
>      * Huge page backings
> 
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>

Btw: please add your s-o-b if you're passing on patches from others.

> ---
>  target/s390x/gen-features.c | 1 +
>  target/s390x/kvm.c          | 5 +++++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
> index 6278845b12b8dee8..8ddeebc54419a3e2 100644
> --- a/target/s390x/gen-features.c
> +++ b/target/s390x/gen-features.c
> @@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
>      S390_FEAT_GROUP_MSA_EXT_9,
>      S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
>      S390_FEAT_ETOKEN,
> +    S390_FEAT_UNPACK,
>  };
>  
>  /* Default features (in order of release)
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index ff6027036ec2f14a..e11e895a3d9038bb 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -2403,6 +2403,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
>          clear_bit(S390_FEAT_BPB, model->features);
>      }
>  
> +    /* we do have the IPL enhancements */

I'm more confused by that comment than educated :) Not sure what 'IPL
enhancements' means in this context.

> +    if (cap_protected) {
> +        set_bit(S390_FEAT_UNPACK, model->features);
> +    }
> +
>      /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
>      set_bit(S390_FEAT_ZPCI, model->features);
>      set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);

Re: [PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Janosch Frank 5 years, 10 months ago

On 3/17/20 7:06 PM, Cornelia Huck wrote:
> On Wed, 11 Mar 2020 09:21:51 -0400
> Janosch Frank <frankja@linux.ibm.com> wrote:
> 
>> From: Christian Borntraeger <borntraeger@de.ibm.com>
>>
>> The unpack facility is an indication that diagnose 308 subcodes 8-10
>> are available to the guest. That means, that the guest can put itself
>> into protected mode.
>>
>> Once it is in protected mode, the hardware stops any attempt of VM
>> introspection by the hypervisor.
>>
>> Some features are currently not supported in protected mode:
>>      * Passthrough devices
> 
> s/Passthrough/vfio/ ?

Ack

> 
>>      * Migration
>>      * Huge page backings
>>
>> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
>> Reviewed-by: David Hildenbrand <david@redhat.com>
> 
> Btw: please add your s-o-b if you're passing on patches from others.

Ack

> 
>> ---
>>  target/s390x/gen-features.c | 1 +
>>  target/s390x/kvm.c          | 5 +++++
>>  2 files changed, 6 insertions(+)
>>
>> diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
>> index 6278845b12b8dee8..8ddeebc54419a3e2 100644
>> --- a/target/s390x/gen-features.c
>> +++ b/target/s390x/gen-features.c
>> @@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
>>      S390_FEAT_GROUP_MSA_EXT_9,
>>      S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
>>      S390_FEAT_ETOKEN,
>> +    S390_FEAT_UNPACK,
>>  };
>>  
>>  /* Default features (in order of release)
>> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
>> index ff6027036ec2f14a..e11e895a3d9038bb 100644
>> --- a/target/s390x/kvm.c
>> +++ b/target/s390x/kvm.c
>> @@ -2403,6 +2403,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
>>          clear_bit(S390_FEAT_BPB, model->features);
>>      }
>>  
>> +    /* we do have the IPL enhancements */
> 
> I'm more confused by that comment than educated :) Not sure what 'IPL
> enhancements' means in this context.

/* We do have the protected virtualization ipl unpack facility */
?

> 
>> +    if (cap_protected) {
>> +        set_bit(S390_FEAT_UNPACK, model->features);
>> +    }
>> +
>>      /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
>>      set_bit(S390_FEAT_ZPCI, model->features);
>>      set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);
>

Re: [PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Cornelia Huck 5 years, 10 months ago

On Wed, 18 Mar 2020 09:44:08 +0100
Janosch Frank <frankja@linux.ibm.com> wrote:

> On 3/17/20 7:06 PM, Cornelia Huck wrote:
> > On Wed, 11 Mar 2020 09:21:51 -0400
> > Janosch Frank <frankja@linux.ibm.com> wrote:

> >> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> >> index ff6027036ec2f14a..e11e895a3d9038bb 100644
> >> --- a/target/s390x/kvm.c
> >> +++ b/target/s390x/kvm.c
> >> @@ -2403,6 +2403,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
> >>          clear_bit(S390_FEAT_BPB, model->features);
> >>      }
> >>  
> >> +    /* we do have the IPL enhancements */  
> > 
> > I'm more confused by that comment than educated :) Not sure what 'IPL
> > enhancements' means in this context.  
> 
> /* We do have the protected virtualization ipl unpack facility */
> ?

Ah :)

What about

/*
 * If we have support for protected virtualization, indicate
 * the protected virtualization IPL unpack facility.
 */

?

> 
> >   
> >> +    if (cap_protected) {
> >> +        set_bit(S390_FEAT_UNPACK, model->features);
> >> +    }
> >> +
> >>      /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
> >>      set_bit(S390_FEAT_ZPCI, model->features);
> >>      set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);  
> >   
> 
>

Re: [PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Janosch Frank 5 years, 10 months ago

On 3/18/20 10:27 AM, Cornelia Huck wrote:
> What about
> 
> /*
>  * If we have support for protected virtualization, indicate
>  * the protected virtualization IPL unpack facility.
>  */
> 
Sure

Re: [PATCH v9 15/15] s390x: Add unpack facility feature to GA1

Posted by Claudio Imbrenda 5 years, 11 months ago

On Wed, 11 Mar 2020 09:21:51 -0400
Janosch Frank <frankja@linux.ibm.com> wrote:

> From: Christian Borntraeger <borntraeger@de.ibm.com>
> 
> The unpack facility is an indication that diagnose 308 subcodes 8-10
> are available to the guest. That means, that the guest can put itself
> into protected mode.
> 
> Once it is in protected mode, the hardware stops any attempt of VM
> introspection by the hypervisor.
> 
> Some features are currently not supported in protected mode:
>      * Passthrough devices
>      * Migration
>      * Huge page backings
> 
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> ---
>  target/s390x/gen-features.c | 1 +
>  target/s390x/kvm.c          | 5 +++++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
> index 6278845b12b8dee8..8ddeebc54419a3e2 100644
> --- a/target/s390x/gen-features.c
> +++ b/target/s390x/gen-features.c
> @@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
>      S390_FEAT_GROUP_MSA_EXT_9,
>      S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
>      S390_FEAT_ETOKEN,
> +    S390_FEAT_UNPACK,
>  };
>  
>  /* Default features (in order of release)
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index ff6027036ec2f14a..e11e895a3d9038bb 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -2403,6 +2403,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel
> *model, Error **errp) clear_bit(S390_FEAT_BPB, model->features);
>      }
>  
> +    /* we do have the IPL enhancements */
> +    if (cap_protected) {
> +        set_bit(S390_FEAT_UNPACK, model->features);
> +    }
> +
>      /* We emulate a zPCI bus and AEN, therefore we don't need HW
> support */ set_bit(S390_FEAT_ZPCI, model->features);
>      set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);

Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>