| Message ID | 20200304114231.23493-3-frankja@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | s390x: Protected Virtualization support | expand |
On 04.03.20 12:42, Janosch Frank wrote: > For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib > holds the address and length of the secure execution header, as well > as a list of guest components. > > Each component is a block of memory, for example kernel or initrd, > which needs to be decrypted by the Ultravisor in order to run a > protected VM. The secure execution header instructs the Ultravisor on > how to handle the protected VM and its components. > > Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally > start the protected guest. > > Subcodes 8-10 are not valid in protected mode, we have to do a subcode > 3 and then the 8 and 10 combination for a protected reboot. > > Signed-off-by: Janosch Frank <frankja@linux.ibm.com> > --- > hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- > hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ > target/s390x/diag.c | 26 ++++++++++++++++++++++--- > 3 files changed, 99 insertions(+), 6 deletions(-) > > diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c > index 9c1ecd423c..80c6ab233a 100644 > --- a/hw/s390x/ipl.c > +++ b/hw/s390x/ipl.c > @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) > return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); > } > > +int s390_ipl_pv_check_components(IplParameterBlock *iplb) What about making this bool s390_ipl_pv_valid(IplParameterBlock *iplb) and return true/false? > +{ > + int i; > + IPLBlockPV *ipib_pv = &iplb->pv; nit: place "int i;" down here > + > + if (ipib_pv->num_comp == 0) { > + return -EINVAL; > + } > + > + for (i = 0; i < ipib_pv->num_comp; i++) { > + /* Addr must be 4k aligned */ > + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { > + return -EINVAL; > + } > + > + /* Tweak prefix is monotonously increasing with each component */ should that be "monotonically increasing" ? > + if (i < ipib_pv->num_comp - 1 && > + ipib_pv->components[i].tweak_pref > > + ipib_pv->components[i + 1].tweak_pref) { and I assume "==" is valid then. > + return -EINVAL; > + } > + } > + return 0; > +} > + > void s390_ipl_update_diag308(IplParameterBlock *iplb) > { > S390IPLState *ipl = get_ipl_device(); > > - ipl->iplb = *iplb; > - ipl->iplb_valid = true; > + if (iplb->pbt == S390_IPL_TYPE_PV) { > + ipl->iplb_pv = *iplb; > + ipl->iplb_valid_pv = true; > + } else { > + ipl->iplb = *iplb; > + ipl->iplb_valid = true; > + } > ipl->netboot = is_virtio_net_device(iplb); > } > > +IplParameterBlock *s390_ipl_get_iplb_secure(void) Why suddenly the "secure" ? s390_ipl_get_iplb_pv? > +{ > + S390IPLState *ipl = get_ipl_device(); > + > + if (!ipl->iplb_valid_pv) { > + return NULL; > + } > + return &ipl->iplb_pv; > +} > + > IplParameterBlock *s390_ipl_get_iplb(void) > { > S390IPLState *ipl = get_ipl_device(); > @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) > { > S390IPLState *ipl = get_ipl_device(); > > - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { > + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || > + reset_type == S390_RESET_PV) { What about a switch-case now instead? > /* use CPU 0 for full resets */ > ipl->reset_cpu_index = 0; > } else { > diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h > index d4813105db..04be63cee1 100644 > --- a/hw/s390x/ipl.h > +++ b/hw/s390x/ipl.h > @@ -15,6 +15,24 @@ > #include "cpu.h" > #include "hw/qdev-core.h" > > +struct IPLBlockPVComp { > + uint64_t tweak_pref; > + uint64_t addr; > + uint64_t size; > +} QEMU_PACKED; Do we need the packed here? All members are naturally aligned. > +typedef struct IPLBlockPVComp IPLBlockPVComp; > + > +struct IPLBlockPV { > + uint8_t reserved[87]; > + uint8_t version; > + uint32_t reserved70; > + uint32_t num_comp; > + uint64_t pv_header_addr; > + uint64_t pv_header_len; > + struct IPLBlockPVComp components[]; > +} QEMU_PACKED; Dito. [...] > uint64_t compat_bios_start_addr; > bool enforce_bios; > bool iplb_valid; > + bool iplb_valid_pv; I'd name this "iplb_pv_valid" to match "iplb_pv". > bool netboot; > /* reset related properties don't have to be migrated or reset */ > enum s390_reset reset_type; > @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); > > #define S390_IPL_TYPE_FCP 0x00 > #define S390_IPL_TYPE_CCW 0x02 > +#define S390_IPL_TYPE_PV 0x05 > #define S390_IPL_TYPE_QEMU_SCSI 0xff > > #define S390_IPLB_HEADER_LEN 8 > +#define S390_IPLB_MIN_PV_LEN 148 > #define S390_IPLB_MIN_CCW_LEN 200 > #define S390_IPLB_MIN_FCP_LEN 384 > #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 > @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) > iplb->pbt == S390_IPL_TYPE_FCP; > } > > +static inline bool iplb_valid_pv(IplParameterBlock *iplb) > +{ > + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && > + iplb->pbt == S390_IPL_TYPE_PV; > +} > + > #endif > diff --git a/target/s390x/diag.c b/target/s390x/diag.c > index b5aec06d6b..945b263f0a 100644 > --- a/target/s390x/diag.c > +++ b/target/s390x/diag.c > @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) > #define DIAG_308_RC_OK 0x0001 > #define DIAG_308_RC_NO_CONF 0x0102 > #define DIAG_308_RC_INVALID 0x0402 > +#define DIAG_308_RC_NO_PV_CONF 0x0902 > > #define DIAG308_RESET_MOD_CLR 0 > #define DIAG308_RESET_LOAD_NORM 1 > @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) > #define DIAG308_LOAD_NORMAL_DUMP 4 > #define DIAG308_SET 5 > #define DIAG308_STORE 6 > +#define DIAG308_PV_SET 8 > +#define DIAG308_PV_STORE 9 > +#define DIAG308_PV_START 10 > > static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, > uintptr_t ra, bool write) > @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) > s390_ipl_reset_request(cs, S390_RESET_REIPL); > break; > case DIAG308_SET: > + case DIAG308_PV_SET: > if (diag308_parm_check(env, r1, addr, ra, false)) { > return; > } > @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) > > cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); > > - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { > + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && > + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { I really think we should make this s390_ipl_pv_valid(), we're mixing functions that return true on success with functions that return 0 on success. Also, can't we simply move that check into iplb_valid_pv(iplb) to make this here easier to read? > env->regs[r1 + 1] = DIAG_308_RC_INVALID; > goto out; > } > @@ -128,17 +134,31 @@ out: > g_free(iplb); > return; > case DIAG308_STORE: > + case DIAG308_PV_STORE: > if (diag308_parm_check(env, r1, addr, ra, true)) { > return; > } > - iplb = s390_ipl_get_iplb(); > + if (subcode == DIAG308_PV_STORE) { > + iplb = s390_ipl_get_iplb_secure(); > + } else { > + iplb = s390_ipl_get_iplb(); > + } > if (iplb) { > cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); > env->regs[r1 + 1] = DIAG_308_RC_OK; > } else { > env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; > } > - return; > + break; > + case DIAG308_PV_START: > + iplb = s390_ipl_get_iplb_secure(); > + if (!iplb || !iplb_valid_pv(iplb)) { Why do we need another iplb_valid_pv() check? I thought we would verify this when setting and marking valid. > + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; > + return; > + } > +
On 04.03.20 12:42, Janosch Frank wrote: > For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib > holds the address and length of the secure execution header, as well > as a list of guest components. > > Each component is a block of memory, for example kernel or initrd, > which needs to be decrypted by the Ultravisor in order to run a > protected VM. The secure execution header instructs the Ultravisor on > how to handle the protected VM and its components. > > Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally > start the protected guest. s/similiar/similar/
On 04.03.20 12:42, Janosch Frank wrote: > For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib > holds the address and length of the secure execution header, as well > as a list of guest components. > > Each component is a block of memory, for example kernel or initrd, > which needs to be decrypted by the Ultravisor in order to run a > protected VM. The secure execution header instructs the Ultravisor on > how to handle the protected VM and its components. > > Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally > start the protected guest. > > Subcodes 8-10 are not valid in protected mode, we have to do a subcode > 3 and then the 8 and 10 combination for a protected reboot. > > Signed-off-by: Janosch Frank <frankja@linux.ibm.com> > --- > hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- > hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ > target/s390x/diag.c | 26 ++++++++++++++++++++++--- > 3 files changed, 99 insertions(+), 6 deletions(-) > > diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c > index 9c1ecd423c..80c6ab233a 100644 > --- a/hw/s390x/ipl.c > +++ b/hw/s390x/ipl.c > @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) > return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); > } > > +int s390_ipl_pv_check_components(IplParameterBlock *iplb) > +{ > + int i; > + IPLBlockPV *ipib_pv = &iplb->pv; > + > + if (ipib_pv->num_comp == 0) { > + return -EINVAL; > + } > + > + for (i = 0; i < ipib_pv->num_comp; i++) { > + /* Addr must be 4k aligned */ > + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { > + return -EINVAL; > + } > + > + /* Tweak prefix is monotonously increasing with each component */ > + if (i < ipib_pv->num_comp - 1 && > + ipib_pv->components[i].tweak_pref > > + ipib_pv->components[i + 1].tweak_pref) { > + return -EINVAL; > + } > + } > + return 0; > +} > + > void s390_ipl_update_diag308(IplParameterBlock *iplb) > { > S390IPLState *ipl = get_ipl_device(); > > - ipl->iplb = *iplb; > - ipl->iplb_valid = true; > + if (iplb->pbt == S390_IPL_TYPE_PV) { > + ipl->iplb_pv = *iplb; > + ipl->iplb_valid_pv = true; > + } else { > + ipl->iplb = *iplb; > + ipl->iplb_valid = true; > + } > ipl->netboot = is_virtio_net_device(iplb); > } > > +IplParameterBlock *s390_ipl_get_iplb_secure(void) > +{ > + S390IPLState *ipl = get_ipl_device(); > + > + if (!ipl->iplb_valid_pv) { > + return NULL; > + } > + return &ipl->iplb_pv; > +} > + > IplParameterBlock *s390_ipl_get_iplb(void) > { > S390IPLState *ipl = get_ipl_device(); > @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) > { > S390IPLState *ipl = get_ipl_device(); > > - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { > + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || > + reset_type == S390_RESET_PV) { > /* use CPU 0 for full resets */ > ipl->reset_cpu_index = 0; > } else { > diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h > index d4813105db..04be63cee1 100644 > --- a/hw/s390x/ipl.h > +++ b/hw/s390x/ipl.h > @@ -15,6 +15,24 @@ > #include "cpu.h" > #include "hw/qdev-core.h" > > +struct IPLBlockPVComp { > + uint64_t tweak_pref; > + uint64_t addr; > + uint64_t size; > +} QEMU_PACKED; > +typedef struct IPLBlockPVComp IPLBlockPVComp; > + > +struct IPLBlockPV { > + uint8_t reserved[87]; > + uint8_t version; > + uint32_t reserved70; > + uint32_t num_comp; > + uint64_t pv_header_addr; > + uint64_t pv_header_len; > + struct IPLBlockPVComp components[]; > +} QEMU_PACKED; > +typedef struct IPLBlockPV IPLBlockPV; > + > struct IplBlockCcw { > uint8_t reserved0[85]; > uint8_t ssid; > @@ -71,6 +89,7 @@ union IplParameterBlock { > union { > IplBlockCcw ccw; > IplBlockFcp fcp; > + IPLBlockPV pv; > IplBlockQemuScsi scsi; > }; > } QEMU_PACKED; > @@ -84,9 +103,11 @@ union IplParameterBlock { > typedef union IplParameterBlock IplParameterBlock; > > int s390_ipl_set_loadparm(uint8_t *loadparm); > +int s390_ipl_pv_check_components(IplParameterBlock *iplb); > void s390_ipl_update_diag308(IplParameterBlock *iplb); > void s390_ipl_prepare_cpu(S390CPU *cpu); > IplParameterBlock *s390_ipl_get_iplb(void); > +IplParameterBlock *s390_ipl_get_iplb_secure(void); > > enum s390_reset { > /* default is a reset not triggered by a CPU e.g. issued by QMP */ > @@ -94,6 +115,7 @@ enum s390_reset { > S390_RESET_REIPL, > S390_RESET_MODIFIED_CLEAR, > S390_RESET_LOAD_NORMAL, > + S390_RESET_PV, > }; > void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type); > void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type); > @@ -133,6 +155,7 @@ struct S390IPLState { > /*< private >*/ > DeviceState parent_obj; > IplParameterBlock iplb; > + IplParameterBlock iplb_pv; > QemuIplParameters qipl; > uint64_t start_addr; > uint64_t compat_start_addr; > @@ -140,6 +163,7 @@ struct S390IPLState { > uint64_t compat_bios_start_addr; > bool enforce_bios; > bool iplb_valid; > + bool iplb_valid_pv; > bool netboot; > /* reset related properties don't have to be migrated or reset */ > enum s390_reset reset_type; > @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); > > #define S390_IPL_TYPE_FCP 0x00 > #define S390_IPL_TYPE_CCW 0x02 > +#define S390_IPL_TYPE_PV 0x05 > #define S390_IPL_TYPE_QEMU_SCSI 0xff > > #define S390_IPLB_HEADER_LEN 8 > +#define S390_IPLB_MIN_PV_LEN 148 > #define S390_IPLB_MIN_CCW_LEN 200 > #define S390_IPLB_MIN_FCP_LEN 384 > #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 > @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) > iplb->pbt == S390_IPL_TYPE_FCP; > } > > +static inline bool iplb_valid_pv(IplParameterBlock *iplb) > +{ > + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && > + iplb->pbt == S390_IPL_TYPE_PV; > +} > + > #endif > diff --git a/target/s390x/diag.c b/target/s390x/diag.c > index b5aec06d6b..945b263f0a 100644 > --- a/target/s390x/diag.c > +++ b/target/s390x/diag.c > @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) > #define DIAG_308_RC_OK 0x0001 > #define DIAG_308_RC_NO_CONF 0x0102 > #define DIAG_308_RC_INVALID 0x0402 > +#define DIAG_308_RC_NO_PV_CONF 0x0902 > > #define DIAG308_RESET_MOD_CLR 0 > #define DIAG308_RESET_LOAD_NORM 1 > @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) > #define DIAG308_LOAD_NORMAL_DUMP 4 > #define DIAG308_SET 5 > #define DIAG308_STORE 6 > +#define DIAG308_PV_SET 8 > +#define DIAG308_PV_STORE 9 > +#define DIAG308_PV_START 10 > > static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, > uintptr_t ra, bool write) > @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) > s390_ipl_reset_request(cs, S390_RESET_REIPL); > break; > case DIAG308_SET: > + case DIAG308_PV_SET: > if (diag308_parm_check(env, r1, addr, ra, false)) { > return; > } > @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) > > cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); > > - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { > + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && > + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { > env->regs[r1 + 1] = DIAG_308_RC_INVALID; > goto out; > } > @@ -128,17 +134,31 @@ out: > g_free(iplb); > return; > case DIAG308_STORE: > + case DIAG308_PV_STORE: > if (diag308_parm_check(env, r1, addr, ra, true)) { > return; > } > - iplb = s390_ipl_get_iplb(); > + if (subcode == DIAG308_PV_STORE) { > + iplb = s390_ipl_get_iplb_secure(); > + } else { > + iplb = s390_ipl_get_iplb(); > + } > if (iplb) { > cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); > env->regs[r1 + 1] = DIAG_308_RC_OK; > } else { > env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; > } > - return; > + break; > + case DIAG308_PV_START: > + iplb = s390_ipl_get_iplb_secure(); > + if (!iplb || !iplb_valid_pv(iplb)) { > + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; > + return; > + } > + > + s390_ipl_reset_request(cs, S390_RESET_PV); > + break; > default: > s390_program_interrupt(env, PGM_SPECIFICATION, ra); > break; > Sorry, another comment. The new subcodes should be fenced via the cpu model or similar. Applying this patch and triggering one of these subcodes will end in a questionable state.
On 04.03.20 12:42, Janosch Frank wrote: > For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib > holds the address and length of the secure execution header, as well > as a list of guest components. > > Each component is a block of memory, for example kernel or initrd, > which needs to be decrypted by the Ultravisor in order to run a > protected VM. The secure execution header instructs the Ultravisor on > how to handle the protected VM and its components. > > Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally > start the protected guest. > > Subcodes 8-10 are not valid in protected mode, we have to do a subcode > 3 and then the 8 and 10 combination for a protected reboot. > > Signed-off-by: Janosch Frank <frankja@linux.ibm.com> > --- > hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- > hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ > target/s390x/diag.c | 26 ++++++++++++++++++++++--- > 3 files changed, 99 insertions(+), 6 deletions(-) > > diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c > index 9c1ecd423c..80c6ab233a 100644 > --- a/hw/s390x/ipl.c > +++ b/hw/s390x/ipl.c Can you update the copyright dates for files that you touch? > @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) > return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); > } > > +int s390_ipl_pv_check_components(IplParameterBlock *iplb) > +{ > + int i; > + IPLBlockPV *ipib_pv = &iplb->pv; > + > + if (ipib_pv->num_comp == 0) { > + return -EINVAL; > + } > + > + for (i = 0; i < ipib_pv->num_comp; i++) { > + /* Addr must be 4k aligned */ > + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { > + return -EINVAL; > + } > + > + /* Tweak prefix is monotonously increasing with each component */ > + if (i < ipib_pv->num_comp - 1 && Why do we need this check? Isnt that already ensured by the for loop? > + ipib_pv->components[i].tweak_pref > > + ipib_pv->components[i + 1].tweak_pref) { I think i+1 must be greater than i. So ">=" instead? > + return -EINVAL; > + } > + } > + return 0; > +} > + > void s390_ipl_update_diag308(IplParameterBlock *iplb) maybe add a comment that explains that a guest can have 2 IPLBs. one for the secure guest and one thsat we go back to when rebooting. > { > S390IPLState *ipl = get_ipl_device(); > > - ipl->iplb = *iplb; > - ipl->iplb_valid = true; > + if (iplb->pbt == S390_IPL_TYPE_PV) { > + ipl->iplb_pv = *iplb; > + ipl->iplb_valid_pv = true; > + } else { > + ipl->iplb = *iplb; > + ipl->iplb_valid = true; > + } > ipl->netboot = is_virtio_net_device(iplb); > } > > +IplParameterBlock *s390_ipl_get_iplb_secure(void) > +{ > + S390IPLState *ipl = get_ipl_device(); > + > + if (!ipl->iplb_valid_pv) { > + return NULL; > + } > + return &ipl->iplb_pv; > +} > + > IplParameterBlock *s390_ipl_get_iplb(void) > { > S390IPLState *ipl = get_ipl_device(); > @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) > { > S390IPLState *ipl = get_ipl_device(); > > - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { > + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || > + reset_type == S390_RESET_PV) { > /* use CPU 0 for full resets */ > ipl->reset_cpu_index = 0; > } else { > diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h > index d4813105db..04be63cee1 100644 > --- a/hw/s390x/ipl.h > +++ b/hw/s390x/ipl.h > @@ -15,6 +15,24 @@ > #include "cpu.h" > #include "hw/qdev-core.h" > > +struct IPLBlockPVComp { > + uint64_t tweak_pref; > + uint64_t addr; > + uint64_t size; > +} QEMU_PACKED; > +typedef struct IPLBlockPVComp IPLBlockPVComp; > + > +struct IPLBlockPV { > + uint8_t reserved[87]; > + uint8_t version; > + uint32_t reserved70; Here you have 70 (the offset in hex I guess), I tßhink this is an odd name. In addition the reserved field 2 lines above has no address part in its name.
On 3/4/20 6:04 PM, David Hildenbrand wrote: > On 04.03.20 12:42, Janosch Frank wrote: >> For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib >> holds the address and length of the secure execution header, as well >> as a list of guest components. >> >> Each component is a block of memory, for example kernel or initrd, >> which needs to be decrypted by the Ultravisor in order to run a >> protected VM. The secure execution header instructs the Ultravisor on >> how to handle the protected VM and its components. >> >> Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally >> start the protected guest. >> >> Subcodes 8-10 are not valid in protected mode, we have to do a subcode >> 3 and then the 8 and 10 combination for a protected reboot. >> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >> --- >> hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- >> hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ >> target/s390x/diag.c | 26 ++++++++++++++++++++++--- >> 3 files changed, 99 insertions(+), 6 deletions(-) >> >> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >> index 9c1ecd423c..80c6ab233a 100644 >> --- a/hw/s390x/ipl.c >> +++ b/hw/s390x/ipl.c >> @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) >> return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); >> } >> >> +int s390_ipl_pv_check_components(IplParameterBlock *iplb) > > What about making this > > bool s390_ipl_pv_valid(IplParameterBlock *iplb) > > and return true/false? We already have iplb_valid_pv() and ipl->iplb_valid_pv. Do you have any other more expressive name we could use? > >> +{ >> + int i; >> + IPLBlockPV *ipib_pv = &iplb->pv; > > nit: place "int i;" down here Ack > >> + >> + if (ipib_pv->num_comp == 0) { >> + return -EINVAL; >> + } >> + >> + for (i = 0; i < ipib_pv->num_comp; i++) { >> + /* Addr must be 4k aligned */ >> + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { >> + return -EINVAL; >> + } >> + >> + /* Tweak prefix is monotonously increasing with each component */ > > should that be "monotonically increasing" ? Ooooooh, yeah... > >> + if (i < ipib_pv->num_comp - 1 && >> + ipib_pv->components[i].tweak_pref > >> + ipib_pv->components[i + 1].tweak_pref) { > > and I assume "==" is valid then. Nope, it should be >= in this check > >> + return -EINVAL; >> + } >> + } >> + return 0; >> +} >> + >> void s390_ipl_update_diag308(IplParameterBlock *iplb) >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - ipl->iplb = *iplb; >> - ipl->iplb_valid = true; >> + if (iplb->pbt == S390_IPL_TYPE_PV) { >> + ipl->iplb_pv = *iplb; >> + ipl->iplb_valid_pv = true; >> + } else { >> + ipl->iplb = *iplb; >> + ipl->iplb_valid = true; >> + } >> ipl->netboot = is_virtio_net_device(iplb); >> } >> >> +IplParameterBlock *s390_ipl_get_iplb_secure(void) > > Why suddenly the "secure" ? s390_ipl_get_iplb_pv? Remnants of former times > >> +{ >> + S390IPLState *ipl = get_ipl_device(); >> + >> + if (!ipl->iplb_valid_pv) { >> + return NULL; >> + } >> + return &ipl->iplb_pv; >> +} >> + >> IplParameterBlock *s390_ipl_get_iplb(void) >> { >> S390IPLState *ipl = get_ipl_device(); >> @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { >> + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || >> + reset_type == S390_RESET_PV) { > > What about a switch-case now instead? > >> /* use CPU 0 for full resets */ >> ipl->reset_cpu_index = 0; >> } else { >> diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h >> index d4813105db..04be63cee1 100644 >> --- a/hw/s390x/ipl.h >> +++ b/hw/s390x/ipl.h >> @@ -15,6 +15,24 @@ >> #include "cpu.h" >> #include "hw/qdev-core.h" >> >> +struct IPLBlockPVComp { >> + uint64_t tweak_pref; >> + uint64_t addr; >> + uint64_t size; >> +} QEMU_PACKED; > > Do we need the packed here? All members are naturally aligned. No, I'll remove them > >> +typedef struct IPLBlockPVComp IPLBlockPVComp; >> + >> +struct IPLBlockPV { >> + uint8_t reserved[87]; >> + uint8_t version; >> + uint32_t reserved70; >> + uint32_t num_comp; >> + uint64_t pv_header_addr; >> + uint64_t pv_header_len; >> + struct IPLBlockPVComp components[]; >> +} QEMU_PACKED; > > Dito. > > [...] > >> uint64_t compat_bios_start_addr; >> bool enforce_bios; >> bool iplb_valid; >> + bool iplb_valid_pv; > > I'd name this "iplb_pv_valid" to match "iplb_pv". I like matching prefixes :) > >> bool netboot; >> /* reset related properties don't have to be migrated or reset */ >> enum s390_reset reset_type; >> @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); >> >> #define S390_IPL_TYPE_FCP 0x00 >> #define S390_IPL_TYPE_CCW 0x02 >> +#define S390_IPL_TYPE_PV 0x05 >> #define S390_IPL_TYPE_QEMU_SCSI 0xff >> >> #define S390_IPLB_HEADER_LEN 8 >> +#define S390_IPLB_MIN_PV_LEN 148 >> #define S390_IPLB_MIN_CCW_LEN 200 >> #define S390_IPLB_MIN_FCP_LEN 384 >> #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 >> @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) >> iplb->pbt == S390_IPL_TYPE_FCP; >> } >> >> +static inline bool iplb_valid_pv(IplParameterBlock *iplb) >> +{ >> + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && >> + iplb->pbt == S390_IPL_TYPE_PV; >> +} >> + >> #endif >> diff --git a/target/s390x/diag.c b/target/s390x/diag.c >> index b5aec06d6b..945b263f0a 100644 >> --- a/target/s390x/diag.c >> +++ b/target/s390x/diag.c >> @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >> #define DIAG_308_RC_OK 0x0001 >> #define DIAG_308_RC_NO_CONF 0x0102 >> #define DIAG_308_RC_INVALID 0x0402 >> +#define DIAG_308_RC_NO_PV_CONF 0x0902 >> >> #define DIAG308_RESET_MOD_CLR 0 >> #define DIAG308_RESET_LOAD_NORM 1 >> @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >> #define DIAG308_LOAD_NORMAL_DUMP 4 >> #define DIAG308_SET 5 >> #define DIAG308_STORE 6 >> +#define DIAG308_PV_SET 8 >> +#define DIAG308_PV_STORE 9 >> +#define DIAG308_PV_START 10 >> >> static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, >> uintptr_t ra, bool write) >> @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >> s390_ipl_reset_request(cs, S390_RESET_REIPL); >> break; >> case DIAG308_SET: >> + case DIAG308_PV_SET: >> if (diag308_parm_check(env, r1, addr, ra, false)) { >> return; >> } >> @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >> >> cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); >> >> - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { >> + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && >> + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { > > I really think we should make this s390_ipl_pv_valid(), we're mixing > functions that return true on success with functions that return 0 on > success. Also, can't we simply move that check into iplb_valid_pv(iplb) > to make this here easier to read? Yes, let me figure something out > >> env->regs[r1 + 1] = DIAG_308_RC_INVALID; >> goto out; >> } >> @@ -128,17 +134,31 @@ out: >> g_free(iplb); >> return; >> case DIAG308_STORE: >> + case DIAG308_PV_STORE: >> if (diag308_parm_check(env, r1, addr, ra, true)) { >> return; >> } >> - iplb = s390_ipl_get_iplb(); >> + if (subcode == DIAG308_PV_STORE) { >> + iplb = s390_ipl_get_iplb_secure(); >> + } else { >> + iplb = s390_ipl_get_iplb(); >> + } >> if (iplb) { >> cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); >> env->regs[r1 + 1] = DIAG_308_RC_OK; >> } else { >> env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; >> } >> - return; >> + break; >> + case DIAG308_PV_START: >> + iplb = s390_ipl_get_iplb_secure(); >> + if (!iplb || !iplb_valid_pv(iplb)) { > > Why do we need another iplb_valid_pv() check? I thought we would verify > this when setting and marking valid. Good question, I'll look into it and give this patch a dust off > >> + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; >> + return; >> + } >> + > >
On 3/5/20 1:04 PM, Janosch Frank wrote: > On 3/4/20 6:04 PM, David Hildenbrand wrote: >> On 04.03.20 12:42, Janosch Frank wrote: >>> For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib >>> holds the address and length of the secure execution header, as well >>> as a list of guest components. >>> >>> Each component is a block of memory, for example kernel or initrd, >>> which needs to be decrypted by the Ultravisor in order to run a >>> protected VM. The secure execution header instructs the Ultravisor on >>> how to handle the protected VM and its components. >>> >>> Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally >>> start the protected guest. >>> >>> Subcodes 8-10 are not valid in protected mode, we have to do a subcode >>> 3 and then the 8 and 10 combination for a protected reboot. >>> >>> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >>> --- >>> hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- >>> hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ >>> target/s390x/diag.c | 26 ++++++++++++++++++++++--- >>> 3 files changed, 99 insertions(+), 6 deletions(-) >>> >>> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >>> index 9c1ecd423c..80c6ab233a 100644 >>> --- a/hw/s390x/ipl.c >>> +++ b/hw/s390x/ipl.c >>> @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) >>> return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); >>> } >>> >>> +int s390_ipl_pv_check_components(IplParameterBlock *iplb) >> >> What about making this >> >> bool s390_ipl_pv_valid(IplParameterBlock *iplb) >> >> and return true/false? > > We already have iplb_valid_pv() and ipl->iplb_valid_pv. > Do you have any other more expressive name we could use? I think it makes more sense to rip out these tiny functions and consolidate them like this: +static inline bool iplb_valid(IplParameterBlock *iplb) { - return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN && - iplb->pbt == S390_IPL_TYPE_FCP; + switch (iplb->pbt) { + case S390_IPL_TYPE_FCP: + return (be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN && + iplb->pbt == S390_IPL_TYPE_FCP); + case S390_IPL_TYPE_CCW: + return (be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN && + iplb->pbt == S390_IPL_TYPE_CCW); + case S390_IPL_TYPE_PV: + if(be32_to_cpu(iplb->len) < S390_IPLB_MIN_PV_LEN || + iplb->pbt != S390_IPL_TYPE_PV) { + return false; + } + return s390_ipl_pv_check_components(iplb); + default: + return false; + } } The component check is still a separate function right above this one in ipl.h > >> >>> +{ >>> + int i; >>> + IPLBlockPV *ipib_pv = &iplb->pv; >> >> nit: place "int i;" down here > > Ack > >> >>> + >>> + if (ipib_pv->num_comp == 0) { >>> + return -EINVAL; >>> + } >>> + >>> + for (i = 0; i < ipib_pv->num_comp; i++) { >>> + /* Addr must be 4k aligned */ >>> + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { >>> + return -EINVAL; >>> + } >>> + >>> + /* Tweak prefix is monotonously increasing with each component */ >> >> should that be "monotonically increasing" ? > > Ooooooh, yeah... > >> >>> + if (i < ipib_pv->num_comp - 1 && >>> + ipib_pv->components[i].tweak_pref > >>> + ipib_pv->components[i + 1].tweak_pref) { >> >> and I assume "==" is valid then. > > Nope, it should be >= in this check > >> >>> + return -EINVAL; >>> + } >>> + } >>> + return 0; >>> +} >>> + >>> void s390_ipl_update_diag308(IplParameterBlock *iplb) >>> { >>> S390IPLState *ipl = get_ipl_device(); >>> >>> - ipl->iplb = *iplb; >>> - ipl->iplb_valid = true; >>> + if (iplb->pbt == S390_IPL_TYPE_PV) { >>> + ipl->iplb_pv = *iplb; >>> + ipl->iplb_valid_pv = true; >>> + } else { >>> + ipl->iplb = *iplb; >>> + ipl->iplb_valid = true; >>> + } >>> ipl->netboot = is_virtio_net_device(iplb); >>> } >>> >>> +IplParameterBlock *s390_ipl_get_iplb_secure(void) >> >> Why suddenly the "secure" ? s390_ipl_get_iplb_pv? > > Remnants of former times > >> >>> +{ >>> + S390IPLState *ipl = get_ipl_device(); >>> + >>> + if (!ipl->iplb_valid_pv) { >>> + return NULL; >>> + } >>> + return &ipl->iplb_pv; >>> +} >>> + >>> IplParameterBlock *s390_ipl_get_iplb(void) >>> { >>> S390IPLState *ipl = get_ipl_device(); >>> @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) >>> { >>> S390IPLState *ipl = get_ipl_device(); >>> >>> - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { >>> + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || >>> + reset_type == S390_RESET_PV) { >> >> What about a switch-case now instead? >> >>> /* use CPU 0 for full resets */ >>> ipl->reset_cpu_index = 0; >>> } else { >>> diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h >>> index d4813105db..04be63cee1 100644 >>> --- a/hw/s390x/ipl.h >>> +++ b/hw/s390x/ipl.h >>> @@ -15,6 +15,24 @@ >>> #include "cpu.h" >>> #include "hw/qdev-core.h" >>> >>> +struct IPLBlockPVComp { >>> + uint64_t tweak_pref; >>> + uint64_t addr; >>> + uint64_t size; >>> +} QEMU_PACKED; >> >> Do we need the packed here? All members are naturally aligned. > > No, I'll remove them > >> >>> +typedef struct IPLBlockPVComp IPLBlockPVComp; >>> + >>> +struct IPLBlockPV { >>> + uint8_t reserved[87]; >>> + uint8_t version; >>> + uint32_t reserved70; >>> + uint32_t num_comp; >>> + uint64_t pv_header_addr; >>> + uint64_t pv_header_len; >>> + struct IPLBlockPVComp components[]; >>> +} QEMU_PACKED; >> >> Dito. >> >> [...] >> >>> uint64_t compat_bios_start_addr; >>> bool enforce_bios; >>> bool iplb_valid; >>> + bool iplb_valid_pv; >> >> I'd name this "iplb_pv_valid" to match "iplb_pv". > > I like matching prefixes :) > >> >>> bool netboot; >>> /* reset related properties don't have to be migrated or reset */ >>> enum s390_reset reset_type; >>> @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); >>> >>> #define S390_IPL_TYPE_FCP 0x00 >>> #define S390_IPL_TYPE_CCW 0x02 >>> +#define S390_IPL_TYPE_PV 0x05 >>> #define S390_IPL_TYPE_QEMU_SCSI 0xff >>> >>> #define S390_IPLB_HEADER_LEN 8 >>> +#define S390_IPLB_MIN_PV_LEN 148 >>> #define S390_IPLB_MIN_CCW_LEN 200 >>> #define S390_IPLB_MIN_FCP_LEN 384 >>> #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 >>> @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) >>> iplb->pbt == S390_IPL_TYPE_FCP; >>> } >>> >>> +static inline bool iplb_valid_pv(IplParameterBlock *iplb) >>> +{ >>> + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && >>> + iplb->pbt == S390_IPL_TYPE_PV; >>> +} >>> + >>> #endif >>> diff --git a/target/s390x/diag.c b/target/s390x/diag.c >>> index b5aec06d6b..945b263f0a 100644 >>> --- a/target/s390x/diag.c >>> +++ b/target/s390x/diag.c >>> @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >>> #define DIAG_308_RC_OK 0x0001 >>> #define DIAG_308_RC_NO_CONF 0x0102 >>> #define DIAG_308_RC_INVALID 0x0402 >>> +#define DIAG_308_RC_NO_PV_CONF 0x0902 >>> >>> #define DIAG308_RESET_MOD_CLR 0 >>> #define DIAG308_RESET_LOAD_NORM 1 >>> @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >>> #define DIAG308_LOAD_NORMAL_DUMP 4 >>> #define DIAG308_SET 5 >>> #define DIAG308_STORE 6 >>> +#define DIAG308_PV_SET 8 >>> +#define DIAG308_PV_STORE 9 >>> +#define DIAG308_PV_START 10 >>> >>> static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, >>> uintptr_t ra, bool write) >>> @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >>> s390_ipl_reset_request(cs, S390_RESET_REIPL); >>> break; >>> case DIAG308_SET: >>> + case DIAG308_PV_SET: >>> if (diag308_parm_check(env, r1, addr, ra, false)) { >>> return; >>> } >>> @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >>> >>> cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); >>> >>> - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { >>> + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && >>> + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { >> >> I really think we should make this s390_ipl_pv_valid(), we're mixing >> functions that return true on success with functions that return 0 on >> success. Also, can't we simply move that check into iplb_valid_pv(iplb) >> to make this here easier to read? > > Yes, let me figure something out > >> >>> env->regs[r1 + 1] = DIAG_308_RC_INVALID; >>> goto out; >>> } >>> @@ -128,17 +134,31 @@ out: >>> g_free(iplb); >>> return; >>> case DIAG308_STORE: >>> + case DIAG308_PV_STORE: >>> if (diag308_parm_check(env, r1, addr, ra, true)) { >>> return; >>> } >>> - iplb = s390_ipl_get_iplb(); >>> + if (subcode == DIAG308_PV_STORE) { >>> + iplb = s390_ipl_get_iplb_secure(); >>> + } else { >>> + iplb = s390_ipl_get_iplb(); >>> + } >>> if (iplb) { >>> cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); >>> env->regs[r1 + 1] = DIAG_308_RC_OK; >>> } else { >>> env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; >>> } >>> - return; >>> + break; >>> + case DIAG308_PV_START: >>> + iplb = s390_ipl_get_iplb_secure(); >>> + if (!iplb || !iplb_valid_pv(iplb)) { >> >> Why do we need another iplb_valid_pv() check? I thought we would verify >> this when setting and marking valid. > > Good question, I'll look into it and give this patch a dust off > >> >>> + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; >>> + return; >>> + } >>> + >> >> > >
On 05.03.20 13:24, Janosch Frank wrote: > On 3/5/20 1:04 PM, Janosch Frank wrote: >> On 3/4/20 6:04 PM, David Hildenbrand wrote: >>> On 04.03.20 12:42, Janosch Frank wrote: >>>> For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib >>>> holds the address and length of the secure execution header, as well >>>> as a list of guest components. >>>> >>>> Each component is a block of memory, for example kernel or initrd, >>>> which needs to be decrypted by the Ultravisor in order to run a >>>> protected VM. The secure execution header instructs the Ultravisor on >>>> how to handle the protected VM and its components. >>>> >>>> Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally >>>> start the protected guest. >>>> >>>> Subcodes 8-10 are not valid in protected mode, we have to do a subcode >>>> 3 and then the 8 and 10 combination for a protected reboot. >>>> >>>> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >>>> --- >>>> hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- >>>> hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ >>>> target/s390x/diag.c | 26 ++++++++++++++++++++++--- >>>> 3 files changed, 99 insertions(+), 6 deletions(-) >>>> >>>> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >>>> index 9c1ecd423c..80c6ab233a 100644 >>>> --- a/hw/s390x/ipl.c >>>> +++ b/hw/s390x/ipl.c >>>> @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) >>>> return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); >>>> } >>>> >>>> +int s390_ipl_pv_check_components(IplParameterBlock *iplb) >>> >>> What about making this >>> >>> bool s390_ipl_pv_valid(IplParameterBlock *iplb) >>> >>> and return true/false? >> >> We already have iplb_valid_pv() and ipl->iplb_valid_pv. >> Do you have any other more expressive name we could use? > > I think it makes more sense to rip out these tiny functions and > consolidate them like this: > > +static inline bool iplb_valid(IplParameterBlock *iplb) > { > - return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN && > - iplb->pbt == S390_IPL_TYPE_FCP; > + switch (iplb->pbt) { > + case S390_IPL_TYPE_FCP: > + return (be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN && > + iplb->pbt == S390_IPL_TYPE_FCP); > + case S390_IPL_TYPE_CCW: > + return (be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN && > + iplb->pbt == S390_IPL_TYPE_CCW); > + case S390_IPL_TYPE_PV: > + if(be32_to_cpu(iplb->len) < S390_IPLB_MIN_PV_LEN || > + iplb->pbt != S390_IPL_TYPE_PV) { > + return false; > + } > + return s390_ipl_pv_check_components(iplb); yeah, and maybe even inline s390_ipl_pv_check_components().
On 3/4/20 7:59 PM, Christian Borntraeger wrote: > > > On 04.03.20 12:42, Janosch Frank wrote: >> For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib >> holds the address and length of the secure execution header, as well >> as a list of guest components. >> >> Each component is a block of memory, for example kernel or initrd, >> which needs to be decrypted by the Ultravisor in order to run a >> protected VM. The secure execution header instructs the Ultravisor on >> how to handle the protected VM and its components. >> >> Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally >> start the protected guest. >> >> Subcodes 8-10 are not valid in protected mode, we have to do a subcode >> 3 and then the 8 and 10 combination for a protected reboot. >> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >> --- >> hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- >> hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ >> target/s390x/diag.c | 26 ++++++++++++++++++++++--- >> 3 files changed, 99 insertions(+), 6 deletions(-) >> >> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >> index 9c1ecd423c..80c6ab233a 100644 >> --- a/hw/s390x/ipl.c >> +++ b/hw/s390x/ipl.c > > Can you update the copyright dates for files that you touch? > >> @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) >> return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); >> } >> >> +int s390_ipl_pv_check_components(IplParameterBlock *iplb) >> +{ >> + int i; >> + IPLBlockPV *ipib_pv = &iplb->pv; >> + >> + if (ipib_pv->num_comp == 0) { >> + return -EINVAL; >> + } >> + >> + for (i = 0; i < ipib_pv->num_comp; i++) { >> + /* Addr must be 4k aligned */ >> + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { >> + return -EINVAL; >> + } >> + >> + /* Tweak prefix is monotonously increasing with each component */ >> + if (i < ipib_pv->num_comp - 1 && > > Why do we need this check? Isnt that already ensured by the for loop? This is "i < ipib_pv->num_comp - 1" because we use i + 1 below, not "i < ipib_pv->num_comp" > >> + ipib_pv->components[i].tweak_pref > >> + ipib_pv->components[i + 1].tweak_pref) { > > I think i+1 must be greater than i. So ">=" instead? Ack > >> + return -EINVAL; >> + } >> + } >> + return 0; >> +} >> + >> void s390_ipl_update_diag308(IplParameterBlock *iplb) > > maybe add a comment that explains that a guest can have 2 IPLBs. one for > the secure guest and one thsat we go back to when rebooting. Sure >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - ipl->iplb = *iplb; >> - ipl->iplb_valid = true; >> + if (iplb->pbt == S390_IPL_TYPE_PV) { >> + ipl->iplb_pv = *iplb; >> + ipl->iplb_valid_pv = true; >> + } else { >> + ipl->iplb = *iplb; >> + ipl->iplb_valid = true; >> + } >> ipl->netboot = is_virtio_net_device(iplb); >> } >> >> +IplParameterBlock *s390_ipl_get_iplb_secure(void) >> +{ >> + S390IPLState *ipl = get_ipl_device(); >> + >> + if (!ipl->iplb_valid_pv) { >> + return NULL; >> + } >> + return &ipl->iplb_pv; >> +} >> + >> IplParameterBlock *s390_ipl_get_iplb(void) >> { >> S390IPLState *ipl = get_ipl_device(); >> @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { >> + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || >> + reset_type == S390_RESET_PV) { >> /* use CPU 0 for full resets */ >> ipl->reset_cpu_index = 0; >> } else { >> diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h >> index d4813105db..04be63cee1 100644 >> --- a/hw/s390x/ipl.h >> +++ b/hw/s390x/ipl.h >> @@ -15,6 +15,24 @@ >> #include "cpu.h" >> #include "hw/qdev-core.h" >> >> +struct IPLBlockPVComp { >> + uint64_t tweak_pref; >> + uint64_t addr; >> + uint64_t size; >> +} QEMU_PACKED; >> +typedef struct IPLBlockPVComp IPLBlockPVComp; >> + >> +struct IPLBlockPV { >> + uint8_t reserved[87]; >> + uint8_t version; >> + uint32_t reserved70; > > Here you have 70 (the offset in hex I guess), I tßhink this is an odd name. In addition the reserved field 2 lines above has no address part in its > name. I wanted to prepare for my ipl cleanup patch set which adds offsets to all the reserved fields. Do you want me to remove it or make the first one "reserved18" ?
On 3/4/20 6:06 PM, David Hildenbrand wrote: > On 04.03.20 12:42, Janosch Frank wrote: >> For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib >> holds the address and length of the secure execution header, as well >> as a list of guest components. >> >> Each component is a block of memory, for example kernel or initrd, >> which needs to be decrypted by the Ultravisor in order to run a >> protected VM. The secure execution header instructs the Ultravisor on >> how to handle the protected VM and its components. >> >> Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally >> start the protected guest. >> >> Subcodes 8-10 are not valid in protected mode, we have to do a subcode >> 3 and then the 8 and 10 combination for a protected reboot. >> >> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> >> --- >> hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- >> hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ >> target/s390x/diag.c | 26 ++++++++++++++++++++++--- >> 3 files changed, 99 insertions(+), 6 deletions(-) >> >> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c >> index 9c1ecd423c..80c6ab233a 100644 >> --- a/hw/s390x/ipl.c >> +++ b/hw/s390x/ipl.c >> @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) >> return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); >> } >> >> +int s390_ipl_pv_check_components(IplParameterBlock *iplb) >> +{ >> + int i; >> + IPLBlockPV *ipib_pv = &iplb->pv; >> + >> + if (ipib_pv->num_comp == 0) { >> + return -EINVAL; >> + } >> + >> + for (i = 0; i < ipib_pv->num_comp; i++) { >> + /* Addr must be 4k aligned */ >> + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { >> + return -EINVAL; >> + } >> + >> + /* Tweak prefix is monotonously increasing with each component */ >> + if (i < ipib_pv->num_comp - 1 && >> + ipib_pv->components[i].tweak_pref > >> + ipib_pv->components[i + 1].tweak_pref) { >> + return -EINVAL; >> + } >> + } >> + return 0; >> +} >> + >> void s390_ipl_update_diag308(IplParameterBlock *iplb) >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - ipl->iplb = *iplb; >> - ipl->iplb_valid = true; >> + if (iplb->pbt == S390_IPL_TYPE_PV) { >> + ipl->iplb_pv = *iplb; >> + ipl->iplb_valid_pv = true; >> + } else { >> + ipl->iplb = *iplb; >> + ipl->iplb_valid = true; >> + } >> ipl->netboot = is_virtio_net_device(iplb); >> } >> >> +IplParameterBlock *s390_ipl_get_iplb_secure(void) >> +{ >> + S390IPLState *ipl = get_ipl_device(); >> + >> + if (!ipl->iplb_valid_pv) { >> + return NULL; >> + } >> + return &ipl->iplb_pv; >> +} >> + >> IplParameterBlock *s390_ipl_get_iplb(void) >> { >> S390IPLState *ipl = get_ipl_device(); >> @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) >> { >> S390IPLState *ipl = get_ipl_device(); >> >> - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { >> + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || >> + reset_type == S390_RESET_PV) { >> /* use CPU 0 for full resets */ >> ipl->reset_cpu_index = 0; >> } else { >> diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h >> index d4813105db..04be63cee1 100644 >> --- a/hw/s390x/ipl.h >> +++ b/hw/s390x/ipl.h >> @@ -15,6 +15,24 @@ >> #include "cpu.h" >> #include "hw/qdev-core.h" >> >> +struct IPLBlockPVComp { >> + uint64_t tweak_pref; >> + uint64_t addr; >> + uint64_t size; >> +} QEMU_PACKED; >> +typedef struct IPLBlockPVComp IPLBlockPVComp; >> + >> +struct IPLBlockPV { >> + uint8_t reserved[87]; >> + uint8_t version; >> + uint32_t reserved70; >> + uint32_t num_comp; >> + uint64_t pv_header_addr; >> + uint64_t pv_header_len; >> + struct IPLBlockPVComp components[]; >> +} QEMU_PACKED; >> +typedef struct IPLBlockPV IPLBlockPV; >> + >> struct IplBlockCcw { >> uint8_t reserved0[85]; >> uint8_t ssid; >> @@ -71,6 +89,7 @@ union IplParameterBlock { >> union { >> IplBlockCcw ccw; >> IplBlockFcp fcp; >> + IPLBlockPV pv; >> IplBlockQemuScsi scsi; >> }; >> } QEMU_PACKED; >> @@ -84,9 +103,11 @@ union IplParameterBlock { >> typedef union IplParameterBlock IplParameterBlock; >> >> int s390_ipl_set_loadparm(uint8_t *loadparm); >> +int s390_ipl_pv_check_components(IplParameterBlock *iplb); >> void s390_ipl_update_diag308(IplParameterBlock *iplb); >> void s390_ipl_prepare_cpu(S390CPU *cpu); >> IplParameterBlock *s390_ipl_get_iplb(void); >> +IplParameterBlock *s390_ipl_get_iplb_secure(void); >> >> enum s390_reset { >> /* default is a reset not triggered by a CPU e.g. issued by QMP */ >> @@ -94,6 +115,7 @@ enum s390_reset { >> S390_RESET_REIPL, >> S390_RESET_MODIFIED_CLEAR, >> S390_RESET_LOAD_NORMAL, >> + S390_RESET_PV, >> }; >> void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type); >> void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type); >> @@ -133,6 +155,7 @@ struct S390IPLState { >> /*< private >*/ >> DeviceState parent_obj; >> IplParameterBlock iplb; >> + IplParameterBlock iplb_pv; >> QemuIplParameters qipl; >> uint64_t start_addr; >> uint64_t compat_start_addr; >> @@ -140,6 +163,7 @@ struct S390IPLState { >> uint64_t compat_bios_start_addr; >> bool enforce_bios; >> bool iplb_valid; >> + bool iplb_valid_pv; >> bool netboot; >> /* reset related properties don't have to be migrated or reset */ >> enum s390_reset reset_type; >> @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); >> >> #define S390_IPL_TYPE_FCP 0x00 >> #define S390_IPL_TYPE_CCW 0x02 >> +#define S390_IPL_TYPE_PV 0x05 >> #define S390_IPL_TYPE_QEMU_SCSI 0xff >> >> #define S390_IPLB_HEADER_LEN 8 >> +#define S390_IPLB_MIN_PV_LEN 148 >> #define S390_IPLB_MIN_CCW_LEN 200 >> #define S390_IPLB_MIN_FCP_LEN 384 >> #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 >> @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) >> iplb->pbt == S390_IPL_TYPE_FCP; >> } >> >> +static inline bool iplb_valid_pv(IplParameterBlock *iplb) >> +{ >> + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && >> + iplb->pbt == S390_IPL_TYPE_PV; >> +} >> + >> #endif >> diff --git a/target/s390x/diag.c b/target/s390x/diag.c >> index b5aec06d6b..945b263f0a 100644 >> --- a/target/s390x/diag.c >> +++ b/target/s390x/diag.c >> @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >> #define DIAG_308_RC_OK 0x0001 >> #define DIAG_308_RC_NO_CONF 0x0102 >> #define DIAG_308_RC_INVALID 0x0402 >> +#define DIAG_308_RC_NO_PV_CONF 0x0902 >> >> #define DIAG308_RESET_MOD_CLR 0 >> #define DIAG308_RESET_LOAD_NORM 1 >> @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) >> #define DIAG308_LOAD_NORMAL_DUMP 4 >> #define DIAG308_SET 5 >> #define DIAG308_STORE 6 >> +#define DIAG308_PV_SET 8 >> +#define DIAG308_PV_STORE 9 >> +#define DIAG308_PV_START 10 >> >> static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, >> uintptr_t ra, bool write) >> @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >> s390_ipl_reset_request(cs, S390_RESET_REIPL); >> break; >> case DIAG308_SET: >> + case DIAG308_PV_SET: >> if (diag308_parm_check(env, r1, addr, ra, false)) { >> return; >> } >> @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) >> >> cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); >> >> - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { >> + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && >> + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { >> env->regs[r1 + 1] = DIAG_308_RC_INVALID; >> goto out; >> } >> @@ -128,17 +134,31 @@ out: >> g_free(iplb); >> return; >> case DIAG308_STORE: >> + case DIAG308_PV_STORE: >> if (diag308_parm_check(env, r1, addr, ra, true)) { >> return; >> } >> - iplb = s390_ipl_get_iplb(); >> + if (subcode == DIAG308_PV_STORE) { >> + iplb = s390_ipl_get_iplb_secure(); >> + } else { >> + iplb = s390_ipl_get_iplb(); >> + } >> if (iplb) { >> cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); >> env->regs[r1 + 1] = DIAG_308_RC_OK; >> } else { >> env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; >> } >> - return; >> + break; >> + case DIAG308_PV_START: >> + iplb = s390_ipl_get_iplb_secure(); >> + if (!iplb || !iplb_valid_pv(iplb)) { >> + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; >> + return; >> + } >> + >> + s390_ipl_reset_request(cs, S390_RESET_PV); >> + break; >> default: >> s390_program_interrupt(env, PGM_SPECIFICATION, ra); >> break; >> > > Sorry, another comment. The new subcodes should be fenced via the cpu > model or similar. Applying this patch and triggering one of these > subcodes will end in a questionable state. > Ahh, yes, we removed the KVM check for this. Will add.
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 9c1ecd423c..80c6ab233a 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -538,15 +538,55 @@ static bool is_virtio_scsi_device(IplParameterBlock *iplb) return is_virtio_ccw_device_of_type(iplb, VIRTIO_ID_SCSI); } +int s390_ipl_pv_check_components(IplParameterBlock *iplb) +{ + int i; + IPLBlockPV *ipib_pv = &iplb->pv; + + if (ipib_pv->num_comp == 0) { + return -EINVAL; + } + + for (i = 0; i < ipib_pv->num_comp; i++) { + /* Addr must be 4k aligned */ + if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { + return -EINVAL; + } + + /* Tweak prefix is monotonously increasing with each component */ + if (i < ipib_pv->num_comp - 1 && + ipib_pv->components[i].tweak_pref > + ipib_pv->components[i + 1].tweak_pref) { + return -EINVAL; + } + } + return 0; +} + void s390_ipl_update_diag308(IplParameterBlock *iplb) { S390IPLState *ipl = get_ipl_device(); - ipl->iplb = *iplb; - ipl->iplb_valid = true; + if (iplb->pbt == S390_IPL_TYPE_PV) { + ipl->iplb_pv = *iplb; + ipl->iplb_valid_pv = true; + } else { + ipl->iplb = *iplb; + ipl->iplb_valid = true; + } ipl->netboot = is_virtio_net_device(iplb); } +IplParameterBlock *s390_ipl_get_iplb_secure(void) +{ + S390IPLState *ipl = get_ipl_device(); + + if (!ipl->iplb_valid_pv) { + return NULL; + } + return &ipl->iplb_pv; +} + IplParameterBlock *s390_ipl_get_iplb(void) { S390IPLState *ipl = get_ipl_device(); @@ -561,7 +601,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) { S390IPLState *ipl = get_ipl_device(); - if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL) { + if (reset_type == S390_RESET_EXTERNAL || reset_type == S390_RESET_REIPL || + reset_type == S390_RESET_PV) { /* use CPU 0 for full resets */ ipl->reset_cpu_index = 0; } else { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index d4813105db..04be63cee1 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -15,6 +15,24 @@ #include "cpu.h" #include "hw/qdev-core.h" +struct IPLBlockPVComp { + uint64_t tweak_pref; + uint64_t addr; + uint64_t size; +} QEMU_PACKED; +typedef struct IPLBlockPVComp IPLBlockPVComp; + +struct IPLBlockPV { + uint8_t reserved[87]; + uint8_t version; + uint32_t reserved70; + uint32_t num_comp; + uint64_t pv_header_addr; + uint64_t pv_header_len; + struct IPLBlockPVComp components[]; +} QEMU_PACKED; +typedef struct IPLBlockPV IPLBlockPV; + struct IplBlockCcw { uint8_t reserved0[85]; uint8_t ssid; @@ -71,6 +89,7 @@ union IplParameterBlock { union { IplBlockCcw ccw; IplBlockFcp fcp; + IPLBlockPV pv; IplBlockQemuScsi scsi; }; } QEMU_PACKED; @@ -84,9 +103,11 @@ union IplParameterBlock { typedef union IplParameterBlock IplParameterBlock; int s390_ipl_set_loadparm(uint8_t *loadparm); +int s390_ipl_pv_check_components(IplParameterBlock *iplb); void s390_ipl_update_diag308(IplParameterBlock *iplb); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); +IplParameterBlock *s390_ipl_get_iplb_secure(void); enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -94,6 +115,7 @@ enum s390_reset { S390_RESET_REIPL, S390_RESET_MODIFIED_CLEAR, S390_RESET_LOAD_NORMAL, + S390_RESET_PV, }; void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type); void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type); @@ -133,6 +155,7 @@ struct S390IPLState { /*< private >*/ DeviceState parent_obj; IplParameterBlock iplb; + IplParameterBlock iplb_pv; QemuIplParameters qipl; uint64_t start_addr; uint64_t compat_start_addr; @@ -140,6 +163,7 @@ struct S390IPLState { uint64_t compat_bios_start_addr; bool enforce_bios; bool iplb_valid; + bool iplb_valid_pv; bool netboot; /* reset related properties don't have to be migrated or reset */ enum s390_reset reset_type; @@ -161,9 +185,11 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 +#define S390_IPL_TYPE_PV 0x05 #define S390_IPL_TYPE_QEMU_SCSI 0xff #define S390_IPLB_HEADER_LEN 8 +#define S390_IPLB_MIN_PV_LEN 148 #define S390_IPLB_MIN_CCW_LEN 200 #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 @@ -185,4 +211,10 @@ static inline bool iplb_valid_fcp(IplParameterBlock *iplb) iplb->pbt == S390_IPL_TYPE_FCP; } +static inline bool iplb_valid_pv(IplParameterBlock *iplb) +{ + return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_PV_LEN && + iplb->pbt == S390_IPL_TYPE_PV; +} + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index b5aec06d6b..945b263f0a 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -52,6 +52,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) #define DIAG_308_RC_OK 0x0001 #define DIAG_308_RC_NO_CONF 0x0102 #define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 #define DIAG308_RESET_MOD_CLR 0 #define DIAG308_RESET_LOAD_NORM 1 @@ -59,6 +60,9 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) #define DIAG308_LOAD_NORMAL_DUMP 4 #define DIAG308_SET 5 #define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, uintptr_t ra, bool write) @@ -105,6 +109,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) s390_ipl_reset_request(cs, S390_RESET_REIPL); break; case DIAG308_SET: + case DIAG308_PV_SET: if (diag308_parm_check(env, r1, addr, ra, false)) { return; } @@ -117,7 +122,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); - if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { + if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb) && + !(iplb_valid_pv(iplb) && !s390_ipl_pv_check_components(iplb))) { env->regs[r1 + 1] = DIAG_308_RC_INVALID; goto out; } @@ -128,17 +134,31 @@ out: g_free(iplb); return; case DIAG308_STORE: + case DIAG308_PV_STORE: if (diag308_parm_check(env, r1, addr, ra, true)) { return; } - iplb = s390_ipl_get_iplb(); + if (subcode == DIAG308_PV_STORE) { + iplb = s390_ipl_get_iplb_secure(); + } else { + iplb = s390_ipl_get_iplb(); + } if (iplb) { cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); env->regs[r1 + 1] = DIAG_308_RC_OK; } else { env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; } - return; + break; + case DIAG308_PV_START: + iplb = s390_ipl_get_iplb_secure(); + if (!iplb || !iplb_valid_pv(iplb)) { + env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; + return; + } + + s390_ipl_reset_request(cs, S390_RESET_PV); + break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); break;
For diag308 subcodes 8 - 10 we have a new ipib of type 5. The ipib holds the address and length of the secure execution header, as well as a list of guest components. Each component is a block of memory, for example kernel or initrd, which needs to be decrypted by the Ultravisor in order to run a protected VM. The secure execution header instructs the Ultravisor on how to handle the protected VM and its components. Subcodes 8 and 9 are similiar to 5 and 6 and subcode 10 will finally start the protected guest. Subcodes 8-10 are not valid in protected mode, we have to do a subcode 3 and then the 8 and 10 combination for a protected reboot. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> --- hw/s390x/ipl.c | 47 ++++++++++++++++++++++++++++++++++++++++++--- hw/s390x/ipl.h | 32 ++++++++++++++++++++++++++++++ target/s390x/diag.c | 26 ++++++++++++++++++++++--- 3 files changed, 99 insertions(+), 6 deletions(-)