[RFC,21/37] KVM: S390: protvirt: Instruction emulation

Message ID	20191024114059.102802-22-frankja@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=LVJf=YR=vger.kernel.org=kvm-owner@kernel.org> Gateway: Authorized Use Only! Violators will be prosecuted for <kvm@vger.kernel.org> from <frankja@linux.ibm.com>; Thu, 24 Oct 2019 12:42:24 +0100 Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 24 Oct 2019 12:42:22 +0100 From: Janosch Frank <frankja@linux.ibm.com> To: kvm@vger.kernel.org Cc: linux-s390@vger.kernel.org, thuth@redhat.com, david@redhat.com, borntraeger@de.ibm.com, imbrenda@linux.ibm.com, mihajlov@linux.ibm.com, mimu@linux.ibm.com, cohuck@redhat.com, gor@linux.ibm.com, frankja@linux.ibm.com Subject: [RFC 21/37] KVM: S390: protvirt: Instruction emulation Date: Thu, 24 Oct 2019 07:40:43 -0400 In-Reply-To: <20191024114059.102802-1-frankja@linux.ibm.com> References: <20191024114059.102802-1-frankja@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <20191024114059.102802-22-frankja@linux.ibm.com> Sender: kvm-owner@vger.kernel.org Precedence: bulk
Series	KVM: s390: Add support for protected VMs \| expand [RFC,00/37] KVM: s390: Add support for protected VMs [RFC,01/37] DOCUMENTATION: protvirt: Protected virtual machine introduction [RFC,02/37] s390/protvirt: introduce host side setup [RFC,03/37] s390/protvirt: add ultravisor initialization [RFC,04/37] KVM: s390: protvirt: Add initial lifecycle handling [RFC,05/37] s390: KVM: Export PV handle to gmap [RFC,06/37] s390: UV: Add import and export to UV library [RFC,07/37] KVM: s390: protvirt: Secure memory is not mergeable [RFC,08/37] KVM: s390: add missing include in gmap.h [RFC,09/37] KVM: s390: protvirt: Implement on-demand pinning [RFC,10/37] s390: add (non)secure page access exceptions handlers [RFC,11/37] DOCUMENTATION: protvirt: Interrupt injection [RFC,12/37] KVM: s390: protvirt: Handle SE notification interceptions [RFC,13/37] KVM: s390: protvirt: Add interruption injection controls [RFC,14/37] KVM: s390: protvirt: Implement interruption injection [RFC,15/37] KVM: s390: protvirt: Add machine-check interruption injection controls [RFC,16/37] KVM: s390: protvirt: Implement machine-check interruption injection [RFC,17/37] DOCUMENTATION: protvirt: Instruction emulation [RFC,18/37] KVM: s390: protvirt: Handle spec exception loops [RFC,19/37] KVM: s390: protvirt: Add new gprs location handling [RFC,20/37] KVM: S390: protvirt: Introduce instruction data area bounce buffer [RFC,21/37] KVM: S390: protvirt: Instruction emulation [RFC,22/37] KVM: s390: protvirt: Add SCLP handling [RFC,23/37] KVM: s390: protvirt: Make sure prefix is always protected [RFC,24/37] KVM: s390: protvirt: Write sthyi data to instruction data area [RFC,25/37] KVM: s390: protvirt: STSI handling [RFC,26/37] KVM: s390: protvirt: Only sync fmt4 registers [RFC,27/37] KVM: s390: protvirt: SIGP handling [RFC,28/37] KVM: s390: protvirt: Add program exception injection [RFC,29/37] KVM: s390: protvirt: Sync pv state [RFC,30/37] DOCUMENTATION: protvirt: Diag 308 IPL [RFC,31/37] KVM: s390: protvirt: Add diag 308 subcode 8 - 10 handling [RFC,32/37] KVM: s390: protvirt: UV calls diag308 0, 1 [RFC,33/37] KVM: s390: Introduce VCPU reset IOCTL [RFC,34/37] KVM: s390: protvirt: Report CPU state to Ultravisor [RFC,35/37] KVM: s390: Fix cpu reset local IRQ clearing [RFC,36/37] KVM: s390: protvirt: Support cmd 5 operation state [RFC,37/37] KVM: s390: protvirt: Add UV debug trace

Message ID

20191024114059.102802-22-frankja@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Janosch Frank <frankja@linux.ibm.com>
To: kvm@vger.kernel.org
Cc: linux-s390@vger.kernel.org, thuth@redhat.com, david@redhat.com,
        borntraeger@de.ibm.com, imbrenda@linux.ibm.com,
        mihajlov@linux.ibm.com, mimu@linux.ibm.com, cohuck@redhat.com,
        gor@linux.ibm.com, frankja@linux.ibm.com
Subject: [RFC 21/37] KVM: S390: protvirt: Instruction emulation
Date: Thu, 24 Oct 2019 07:40:43 -0400
In-Reply-To: <20191024114059.102802-1-frankja@linux.ibm.com>
References: <20191024114059.102802-1-frankja@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20191024114059.102802-22-frankja@linux.ibm.com>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk

Series

KVM: s390: Add support for protected VMs | expand

Commit Message

Janosch Frank Oct. 24, 2019, 11:40 a.m. UTC

We have two new SIE exit codes 104 for a secure instruction
interception, on which the SIE needs hypervisor action to complete the
instruction.

And 108 which is merely a notification and provides data for tracking
and management, like for the lowcore we set notification bits for the
lowcore pages.

Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
---
 arch/s390/include/asm/kvm_host.h |  2 ++
 arch/s390/kvm/intercept.c        | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

Comments

Cornelia Huck Nov. 14, 2019, 3:38 p.m. UTC | #1

On Thu, 24 Oct 2019 07:40:43 -0400
Janosch Frank <frankja@linux.ibm.com> wrote:

> We have two new SIE exit codes 104 for a secure instruction
> interception, on which the SIE needs hypervisor action to complete the
> instruction.
> 
> And 108 which is merely a notification and provides data for tracking
> and management, like for the lowcore we set notification bits for the
> lowcore pages.

What about the following:

"With protected virtualization, we have two new SIE exit codes:

- 104 indicates a secure instruction interception; the hypervisor needs
  to complete emulation of the instruction.
- 108 is merely a notification providing data for tracking and
  management in the hypervisor; for example, we set notification bits
  for the lowcore pages."

?

> 
> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> ---
>  arch/s390/include/asm/kvm_host.h |  2 ++
>  arch/s390/kvm/intercept.c        | 23 +++++++++++++++++++++++
>  2 files changed, 25 insertions(+)
> 
> diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
> index 2a8a1e21e1c3..a42dfe98128b 100644
> --- a/arch/s390/include/asm/kvm_host.h
> +++ b/arch/s390/include/asm/kvm_host.h
> @@ -212,6 +212,8 @@ struct kvm_s390_sie_block {
>  #define ICPT_KSS	0x5c
>  #define ICPT_PV_MCHKR	0x60
>  #define ICPT_PV_INT_EN	0x64
> +#define ICPT_PV_INSTR	0x68
> +#define ICPT_PV_NOT	0x6c

Maybe ICPT_PV_NOTIF?

>  	__u8	icptcode;		/* 0x0050 */
>  	__u8	icptstatus;		/* 0x0051 */
>  	__u16	ihcpu;			/* 0x0052 */
> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
> index b013a9c88d43..a1df8a43c88b 100644
> --- a/arch/s390/kvm/intercept.c
> +++ b/arch/s390/kvm/intercept.c
> @@ -451,6 +451,23 @@ static int handle_operexc(struct kvm_vcpu *vcpu)
>  	return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
>  }
>  
> +static int handle_pv_spx(struct kvm_vcpu *vcpu)
> +{
> +	u32 pref = *(u32 *)vcpu->arch.sie_block->sidad;
> +
> +	kvm_s390_set_prefix(vcpu, pref);
> +	trace_kvm_s390_handle_prefix(vcpu, 1, pref);
> +	return 0;
> +}
> +
> +static int handle_pv_not(struct kvm_vcpu *vcpu)
> +{
> +	if (vcpu->arch.sie_block->ipa == 0xb210)
> +		return handle_pv_spx(vcpu);
> +
> +	return handle_instruction(vcpu);

Hm... if I understood it correctly, we are getting this one because the
SIE informs us about things that it handled itself (but which we
should be aware of). What can handle_instruction() do in this case?

> +}
> +
>  int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
>  {
>  	int rc, per_rc = 0;
> @@ -505,6 +522,12 @@ int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
>  		 */
>  		rc = 0;
>  	break;
> +	case ICPT_PV_INSTR:
> +		rc = handle_instruction(vcpu);
> +		break;
> +	case ICPT_PV_NOT:
> +		rc = handle_pv_not(vcpu);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}

Janosch Frank Nov. 14, 2019, 4 p.m. UTC | #2

On 11/14/19 4:38 PM, Cornelia Huck wrote:
> On Thu, 24 Oct 2019 07:40:43 -0400
> Janosch Frank <frankja@linux.ibm.com> wrote:
> 
>> We have two new SIE exit codes 104 for a secure instruction
>> interception, on which the SIE needs hypervisor action to complete the
>> instruction.
>>
>> And 108 which is merely a notification and provides data for tracking
>> and management, like for the lowcore we set notification bits for the
>> lowcore pages.
> 
> What about the following:
> 
> "With protected virtualization, we have two new SIE exit codes:
> 
> - 104 indicates a secure instruction interception; the hypervisor needs
>   to complete emulation of the instruction.
> - 108 is merely a notification providing data for tracking and
>   management in the hypervisor; for example, we set notification bits
>   for the lowcore pages."
> 
> ?
> 
>>
>> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
>> ---
>>  arch/s390/include/asm/kvm_host.h |  2 ++
>>  arch/s390/kvm/intercept.c        | 23 +++++++++++++++++++++++
>>  2 files changed, 25 insertions(+)
>>
>> diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
>> index 2a8a1e21e1c3..a42dfe98128b 100644
>> --- a/arch/s390/include/asm/kvm_host.h
>> +++ b/arch/s390/include/asm/kvm_host.h
>> @@ -212,6 +212,8 @@ struct kvm_s390_sie_block {
>>  #define ICPT_KSS	0x5c
>>  #define ICPT_PV_MCHKR	0x60
>>  #define ICPT_PV_INT_EN	0x64
>> +#define ICPT_PV_INSTR	0x68
>> +#define ICPT_PV_NOT	0x6c
> 
> Maybe ICPT_PV_NOTIF?

NOTF?

> 
>>  	__u8	icptcode;		/* 0x0050 */
>>  	__u8	icptstatus;		/* 0x0051 */
>>  	__u16	ihcpu;			/* 0x0052 */
>> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
>> index b013a9c88d43..a1df8a43c88b 100644
>> --- a/arch/s390/kvm/intercept.c
>> +++ b/arch/s390/kvm/intercept.c
>> @@ -451,6 +451,23 @@ static int handle_operexc(struct kvm_vcpu *vcpu)
>>  	return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
>>  }
>>  
>> +static int handle_pv_spx(struct kvm_vcpu *vcpu)
>> +{
>> +	u32 pref = *(u32 *)vcpu->arch.sie_block->sidad;
>> +
>> +	kvm_s390_set_prefix(vcpu, pref);
>> +	trace_kvm_s390_handle_prefix(vcpu, 1, pref);
>> +	return 0;
>> +}
>> +
>> +static int handle_pv_not(struct kvm_vcpu *vcpu)
>> +{
>> +	if (vcpu->arch.sie_block->ipa == 0xb210)
>> +		return handle_pv_spx(vcpu);
>> +
>> +	return handle_instruction(vcpu);
> 
> Hm... if I understood it correctly, we are getting this one because the
> SIE informs us about things that it handled itself (but which we
> should be aware of). What can handle_instruction() do in this case?

There used to be an instruction which I could just pipe through normal
instruction handling. But I can't really remember what it was, too many
firmware changes in that area since then.

I'll mark it as a TODO for thinking about it with some coffee.

> 
>> +}
>> +
>>  int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
>>  {
>>  	int rc, per_rc = 0;
>> @@ -505,6 +522,12 @@ int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
>>  		 */
>>  		rc = 0;
>>  	break;
>> +	case ICPT_PV_INSTR:
>> +		rc = handle_instruction(vcpu);
>> +		break;
>> +	case ICPT_PV_NOT:
>> +		rc = handle_pv_not(vcpu);
>> +		break;
>>  	default:
>>  		return -EOPNOTSUPP;
>>  	}
>

Cornelia Huck Nov. 14, 2019, 4:05 p.m. UTC | #3

On Thu, 14 Nov 2019 17:00:41 +0100
Janosch Frank <frankja@linux.ibm.com> wrote:

> On 11/14/19 4:38 PM, Cornelia Huck wrote:
> > On Thu, 24 Oct 2019 07:40:43 -0400
> > Janosch Frank <frankja@linux.ibm.com> wrote:
> >   
> >> We have two new SIE exit codes 104 for a secure instruction
> >> interception, on which the SIE needs hypervisor action to complete the
> >> instruction.
> >>
> >> And 108 which is merely a notification and provides data for tracking
> >> and management, like for the lowcore we set notification bits for the
> >> lowcore pages.  
> > 
> > What about the following:
> > 
> > "With protected virtualization, we have two new SIE exit codes:
> > 
> > - 104 indicates a secure instruction interception; the hypervisor needs
> >   to complete emulation of the instruction.
> > - 108 is merely a notification providing data for tracking and
> >   management in the hypervisor; for example, we set notification bits
> >   for the lowcore pages."
> > 
> > ?
> >   
> >>
> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
> >> ---
> >>  arch/s390/include/asm/kvm_host.h |  2 ++
> >>  arch/s390/kvm/intercept.c        | 23 +++++++++++++++++++++++
> >>  2 files changed, 25 insertions(+)
> >>
> >> diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
> >> index 2a8a1e21e1c3..a42dfe98128b 100644
> >> --- a/arch/s390/include/asm/kvm_host.h
> >> +++ b/arch/s390/include/asm/kvm_host.h
> >> @@ -212,6 +212,8 @@ struct kvm_s390_sie_block {
> >>  #define ICPT_KSS	0x5c
> >>  #define ICPT_PV_MCHKR	0x60
> >>  #define ICPT_PV_INT_EN	0x64
> >> +#define ICPT_PV_INSTR	0x68
> >> +#define ICPT_PV_NOT	0x6c  
> > 
> > Maybe ICPT_PV_NOTIF?  
> 
> NOTF?

Sounds good.

> 
> >   
> >>  	__u8	icptcode;		/* 0x0050 */
> >>  	__u8	icptstatus;		/* 0x0051 */
> >>  	__u16	ihcpu;			/* 0x0052 */
> >> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
> >> index b013a9c88d43..a1df8a43c88b 100644
> >> --- a/arch/s390/kvm/intercept.c
> >> +++ b/arch/s390/kvm/intercept.c
> >> @@ -451,6 +451,23 @@ static int handle_operexc(struct kvm_vcpu *vcpu)
> >>  	return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
> >>  }
> >>  
> >> +static int handle_pv_spx(struct kvm_vcpu *vcpu)
> >> +{
> >> +	u32 pref = *(u32 *)vcpu->arch.sie_block->sidad;
> >> +
> >> +	kvm_s390_set_prefix(vcpu, pref);
> >> +	trace_kvm_s390_handle_prefix(vcpu, 1, pref);
> >> +	return 0;
> >> +}
> >> +
> >> +static int handle_pv_not(struct kvm_vcpu *vcpu)
> >> +{
> >> +	if (vcpu->arch.sie_block->ipa == 0xb210)
> >> +		return handle_pv_spx(vcpu);
> >> +
> >> +	return handle_instruction(vcpu);  
> > 
> > Hm... if I understood it correctly, we are getting this one because the
> > SIE informs us about things that it handled itself (but which we
> > should be aware of). What can handle_instruction() do in this case?  
> 
> There used to be an instruction which I could just pipe through normal
> instruction handling. But I can't really remember what it was, too many
> firmware changes in that area since then.
> 
> I'll mark it as a TODO for thinking about it with some coffee.

ok :)

> 
> >   
> >> +}
> >> +
> >>  int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
> >>  {
> >>  	int rc, per_rc = 0;
> >> @@ -505,6 +522,12 @@ int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
> >>  		 */
> >>  		rc = 0;
> >>  	break;
> >> +	case ICPT_PV_INSTR:
> >> +		rc = handle_instruction(vcpu);
> >> +		break;
> >> +	case ICPT_PV_NOT:
> >> +		rc = handle_pv_not(vcpu);
> >> +		break;
> >>  	default:
> >>  		return -EOPNOTSUPP;
> >>  	}  
> >   
> 
>

diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index 2a8a1e21e1c3..a42dfe98128b 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -212,6 +212,8 @@  struct kvm_s390_sie_block {
 #define ICPT_KSS	0x5c
 #define ICPT_PV_MCHKR	0x60
 #define ICPT_PV_INT_EN	0x64
+#define ICPT_PV_INSTR	0x68
+#define ICPT_PV_NOT	0x6c
 	__u8	icptcode;		/* 0x0050 */
 	__u8	icptstatus;		/* 0x0051 */
 	__u16	ihcpu;			/* 0x0052 */
diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
index b013a9c88d43..a1df8a43c88b 100644
--- a/arch/s390/kvm/intercept.c
+++ b/arch/s390/kvm/intercept.c
@@ -451,6 +451,23 @@  static int handle_operexc(struct kvm_vcpu *vcpu)
 	return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
 }
 
+static int handle_pv_spx(struct kvm_vcpu *vcpu)
+{
+	u32 pref = *(u32 *)vcpu->arch.sie_block->sidad;
+
+	kvm_s390_set_prefix(vcpu, pref);
+	trace_kvm_s390_handle_prefix(vcpu, 1, pref);
+	return 0;
+}
+
+static int handle_pv_not(struct kvm_vcpu *vcpu)
+{
+	if (vcpu->arch.sie_block->ipa == 0xb210)
+		return handle_pv_spx(vcpu);
+
+	return handle_instruction(vcpu);
+}
+
 int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
 {
 	int rc, per_rc = 0;
@@ -505,6 +522,12 @@  int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
 		 */
 		rc = 0;
 	break;
+	case ICPT_PV_INSTR:
+		rc = handle_instruction(vcpu);
+		break;
+	case ICPT_PV_NOT:
+		rc = handle_pv_not(vcpu);
+		break;
 	default:
 		return -EOPNOTSUPP;
 	}

[RFC,21/37] KVM: S390: protvirt: Instruction emulation

Commit Message

Comments

Patch