[v4,20/36] KVM: s390/mm: handle guest unpin events

Message ID	20200224114107.4646-21-borntraeger@de.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=NYzf=4M=vger.kernel.org=kvm-owner@kernel.org> From: Christian Borntraeger <borntraeger@de.ibm.com> To: Christian Borntraeger <borntraeger@de.ibm.com>, Janosch Frank <frankja@linux.vnet.ibm.com> Cc: KVM <kvm@vger.kernel.org>, Cornelia Huck <cohuck@redhat.com>, David Hildenbrand <david@redhat.com>, Thomas Huth <thuth@redhat.com>, Ulrich Weigand <Ulrich.Weigand@de.ibm.com>, Claudio Imbrenda <imbrenda@linux.ibm.com>, linux-s390 <linux-s390@vger.kernel.org>, Michael Mueller <mimu@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com> Subject: [PATCH v4 20/36] KVM: s390/mm: handle guest unpin events Date: Mon, 24 Feb 2020 06:40:51 -0500 Message-Id: <20200224114107.4646-21-borntraeger@de.ibm.com> In-Reply-To: <20200224114107.4646-1-borntraeger@de.ibm.com> References: <20200224114107.4646-1-borntraeger@de.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: kvm-owner@vger.kernel.org Precedence: bulk
Series	KVM: s390: Add support for protected VMs \| expand [v4,00/36] KVM: s390: Add support for protected VMs [v4,01/36] mm/gup/writeback: add callbacks for inaccessible pages [v4,02/36] KVM: s390/interrupt: do not pin adapter interrupt pages [v4,03/36] s390/protvirt: introduce host side setup [v4,04/36] s390/protvirt: add ultravisor initialization [v4,05/36] s390/mm: provide memory management functions for protected KVM guests [v4,06/36] s390/mm: add (non)secure page access exceptions handlers [v4,07/36] KVM: s390: protvirt: Add UV debug trace [v4,08/36] KVM: s390: add new variants of UV CALL [v4,09/36] KVM: s390: protvirt: Add initial vm and cpu lifecycle handling [v4,10/36] KVM: s390: protvirt: Secure memory is not mergeable [v4,11/36] KVM: s390/mm: Make pages accessible before destroying the guest [v4,12/36] KVM: s390: protvirt: Handle SE notification interceptions [v4,13/36] KVM: s390: protvirt: Instruction emulation [v4,14/36] KVM: s390: protvirt: Implement interrupt injection [v4,15/36] KVM: s390: protvirt: Add SCLP interrupt handling [v4,16/36] KVM: s390: protvirt: Handle spec exception loops [v4,17/36] KVM: s390: protvirt: Add new gprs location handling [v4,18/36] KVM: S390: protvirt: Introduce instruction data area bounce buffer [v4,19/36] KVM: s390: protvirt: handle secure guest prefix pages [v4,20/36] KVM: s390/mm: handle guest unpin events [v4,21/36] KVM: s390: protvirt: Write sthyi data to instruction data area [v4,22/36] KVM: s390: protvirt: STSI handling [v4,23/36] KVM: s390: protvirt: disallow one_reg [v4,24/36] KVM: s390: protvirt: Do only reset registers that are accessible [v4,25/36] KVM: s390: protvirt: Only sync fmt4 registers [v4,26/36] KVM: s390: protvirt: Add program exception injection [v4,27/36] KVM: s390: protvirt: UV calls in support of diag308 0, 1 [v4,28/36] KVM: s390: protvirt: Report CPU state to Ultravisor [v4,29/36] KVM: s390: protvirt: Support cmd 5 operation state [v4,30/36] KVM: s390: protvirt: Mask PSW interrupt bits for interception 104 and 112 [v4,31/36] KVM: s390: protvirt: do not inject interrupts after start [v4,32/36] KVM: s390: protvirt: Add UV cpu reset calls [v4,33/36] DOCUMENTATION: Protected virtual machine introduction and IPL [v4,34/36] s390: protvirt: Add sysfs firmware interface for Ultravisor information [v4,35/36] KVM: s390: protvirt: introduce and enable KVM_CAP_S390_PROTECTED [v4,36/36] KVM: s390: protvirt: Add KVM api documentation

Message ID

20200224114107.4646-21-borntraeger@de.ibm.com (mailing list archive)

State

New, archived

Headers

From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>,
        Janosch Frank <frankja@linux.vnet.ibm.com>
Cc: KVM <kvm@vger.kernel.org>, Cornelia Huck <cohuck@redhat.com>,
        David Hildenbrand <david@redhat.com>,
        Thomas Huth <thuth@redhat.com>,
        Ulrich Weigand <Ulrich.Weigand@de.ibm.com>,
        Claudio Imbrenda <imbrenda@linux.ibm.com>,
        linux-s390 <linux-s390@vger.kernel.org>,
        Michael Mueller <mimu@linux.ibm.com>,
        Vasily Gorbik <gor@linux.ibm.com>
Subject: [PATCH v4 20/36] KVM: s390/mm: handle guest unpin events
Date: Mon, 24 Feb 2020 06:40:51 -0500
Message-Id: <20200224114107.4646-21-borntraeger@de.ibm.com>
In-Reply-To: <20200224114107.4646-1-borntraeger@de.ibm.com>
References: <20200224114107.4646-1-borntraeger@de.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: kvm-owner@vger.kernel.org
Precedence: bulk

Series

KVM: s390: Add support for protected VMs | expand

Commit Message

Christian Borntraeger Feb. 24, 2020, 11:40 a.m. UTC

From: Claudio Imbrenda <imbrenda@linux.ibm.com>

The current code tries to first pin shared pages, if that fails (e.g.
because the page is not shared) it will export them. For shared pages
this means that we get a new intercept telling us that the guest is
unsharing that page. We will make the page secure at that point in time
and revoke the host access. This is synchronized with other host events,
e.g. the code will wait until host I/O has finished.

Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: David Hildenbrand <david@redhat.com>
[borntraeger@de.ibm.com: patch merging, splitting, fixing]
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
---
 arch/s390/kvm/intercept.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Comments

Cornelia Huck Feb. 25, 2020, 12:18 p.m. UTC | #1

On Mon, 24 Feb 2020 06:40:51 -0500
Christian Borntraeger <borntraeger@de.ibm.com> wrote:

> From: Claudio Imbrenda <imbrenda@linux.ibm.com>
> 
> The current code tries to first pin shared pages, if that fails (e.g.
> because the page is not shared) it will export them. For shared pages
> this means that we get a new intercept telling us that the guest is
> unsharing that page. We will make the page secure at that point in time
> and revoke the host access. This is synchronized with other host events,
> e.g. the code will wait until host I/O has finished.
> 
> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
> Acked-by: David Hildenbrand <david@redhat.com>
> [borntraeger@de.ibm.com: patch merging, splitting, fixing]
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> ---
>  arch/s390/kvm/intercept.c | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
> 
> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
> index b6b7d4b0e26c..c06599939541 100644
> --- a/arch/s390/kvm/intercept.c
> +++ b/arch/s390/kvm/intercept.c
> @@ -16,6 +16,7 @@
>  #include <asm/asm-offsets.h>
>  #include <asm/irq.h>
>  #include <asm/sysinfo.h>
> +#include <asm/uv.h>
>  
>  #include "kvm-s390.h"
>  #include "gaccess.h"
> @@ -484,12 +485,35 @@ static int handle_pv_sclp(struct kvm_vcpu *vcpu)
>  	return 0;
>  }
>  
> +static int handle_pv_uvc(struct kvm_vcpu *vcpu)
> +{
> +	struct uv_cb_share *guest_uvcb = (void *)vcpu->arch.sie_block->sidad;
> +	struct uv_cb_cts uvcb = {
> +		.header.cmd	= UVC_CMD_UNPIN_PAGE_SHARED,
> +		.header.len	= sizeof(uvcb),
> +		.guest_handle	= kvm_s390_pv_get_handle(vcpu->kvm),
> +		.gaddr		= guest_uvcb->paddr,
> +	};
> +	int rc;
> +
> +	if (guest_uvcb->header.cmd != UVC_CMD_REMOVE_SHARED_ACCESS) {
> +		WARN_ONCE(1, "Unexpected UVC 0x%x!\n", guest_uvcb->header.cmd);

"Unexpected notification intercept for UVC 0x%x"

?

> +		return 0;
> +	}
> +	rc = gmap_make_secure(vcpu->arch.gmap, uvcb.gaddr, &uvcb);
> +	if (rc == -EINVAL)

Add a comment why?

> +		return 0;
> +	return rc;
> +}
> +
>  static int handle_pv_notification(struct kvm_vcpu *vcpu)
>  {
>  	if (vcpu->arch.sie_block->ipa == 0xb210)
>  		return handle_pv_spx(vcpu);
>  	if (vcpu->arch.sie_block->ipa == 0xb220)
>  		return handle_pv_sclp(vcpu);
> +	if (vcpu->arch.sie_block->ipa == 0xb9a4)
> +		return handle_pv_uvc(vcpu);
>  
>  	return handle_instruction(vcpu);
>  }

Christian Borntraeger Feb. 25, 2020, 2:21 p.m. UTC | #2

On 25.02.20 13:18, Cornelia Huck wrote:
> On Mon, 24 Feb 2020 06:40:51 -0500
> Christian Borntraeger <borntraeger@de.ibm.com> wrote:
> 
>> From: Claudio Imbrenda <imbrenda@linux.ibm.com>
>>
>> The current code tries to first pin shared pages, if that fails (e.g.
>> because the page is not shared) it will export them. For shared pages
>> this means that we get a new intercept telling us that the guest is
>> unsharing that page. We will make the page secure at that point in time
>> and revoke the host access. This is synchronized with other host events,
>> e.g. the code will wait until host I/O has finished.
>>
>> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
>> Acked-by: David Hildenbrand <david@redhat.com>
>> [borntraeger@de.ibm.com: patch merging, splitting, fixing]
>> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
>> ---
>>  arch/s390/kvm/intercept.c | 24 ++++++++++++++++++++++++
>>  1 file changed, 24 insertions(+)
>>
>> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
>> index b6b7d4b0e26c..c06599939541 100644
>> --- a/arch/s390/kvm/intercept.c
>> +++ b/arch/s390/kvm/intercept.c
>> @@ -16,6 +16,7 @@
>>  #include <asm/asm-offsets.h>
>>  #include <asm/irq.h>
>>  #include <asm/sysinfo.h>
>> +#include <asm/uv.h>
>>  
>>  #include "kvm-s390.h"
>>  #include "gaccess.h"
>> @@ -484,12 +485,35 @@ static int handle_pv_sclp(struct kvm_vcpu *vcpu)
>>  	return 0;
>>  }
>>  
>> +static int handle_pv_uvc(struct kvm_vcpu *vcpu)
>> +{
>> +	struct uv_cb_share *guest_uvcb = (void *)vcpu->arch.sie_block->sidad;
>> +	struct uv_cb_cts uvcb = {
>> +		.header.cmd	= UVC_CMD_UNPIN_PAGE_SHARED,
>> +		.header.len	= sizeof(uvcb),
>> +		.guest_handle	= kvm_s390_pv_get_handle(vcpu->kvm),
>> +		.gaddr		= guest_uvcb->paddr,
>> +	};
>> +	int rc;
>> +
>> +	if (guest_uvcb->header.cmd != UVC_CMD_REMOVE_SHARED_ACCESS) {
>> +		WARN_ONCE(1, "Unexpected UVC 0x%x!\n", guest_uvcb->header.cmd);
> 
> "Unexpected notification intercept for UVC 0x%x"

ok.
> 
> ?
> 
>> +		return 0;
>> +	}
>> +	rc = gmap_make_secure(vcpu->arch.gmap, uvcb.gaddr, &uvcb);
>> +	if (rc == -EINVAL)
> 
> Add a comment why?

       /*
        * If the unpin did not succeed, the guest will exit again for the UVC
        * and we will retry the unpin.
        */



I will also fixup the misleading patch description:

The current code tries to first pin shared pages, if that fails (e.g.
because the page is not shared) it will export them. For shared pages
this means that we get a new intercept telling us that the guest is
unsharing that page. We will unpin the page at that point in time,
following the same rules as for make secure. (wait for writeback, no
elevated page refs etc).

Cornelia Huck Feb. 25, 2020, 2:30 p.m. UTC | #3

On Tue, 25 Feb 2020 15:21:42 +0100
Christian Borntraeger <borntraeger@de.ibm.com> wrote:

> On 25.02.20 13:18, Cornelia Huck wrote:
> > On Mon, 24 Feb 2020 06:40:51 -0500
> > Christian Borntraeger <borntraeger@de.ibm.com> wrote:
> >   
> >> From: Claudio Imbrenda <imbrenda@linux.ibm.com>
> >>
> >> The current code tries to first pin shared pages, if that fails (e.g.
> >> because the page is not shared) it will export them. For shared pages
> >> this means that we get a new intercept telling us that the guest is
> >> unsharing that page. We will make the page secure at that point in time
> >> and revoke the host access. This is synchronized with other host events,
> >> e.g. the code will wait until host I/O has finished.
> >>
> >> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
> >> Acked-by: David Hildenbrand <david@redhat.com>
> >> [borntraeger@de.ibm.com: patch merging, splitting, fixing]
> >> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> >> ---
> >>  arch/s390/kvm/intercept.c | 24 ++++++++++++++++++++++++
> >>  1 file changed, 24 insertions(+)

> I will also fixup the misleading patch description:
> 
> The current code tries to first pin shared pages, if that fails (e.g.
> because the page is not shared) it will export them. For shared pages
> this means that we get a new intercept telling us that the guest is
> unsharing that page. We will unpin the page at that point in time,
> following the same rules as for make secure. (wait for writeback, no
> elevated page refs etc).

I'd suggest:

"...as for making a page secure (i.e. waiting for writeback, no
elevated page references, etc.)"

With the touchups,

Reviewed-by: Cornelia Huck <cohuck@redhat.com>

diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
index b6b7d4b0e26c..c06599939541 100644
--- a/arch/s390/kvm/intercept.c
+++ b/arch/s390/kvm/intercept.c
@@ -16,6 +16,7 @@ 
 #include <asm/asm-offsets.h>
 #include <asm/irq.h>
 #include <asm/sysinfo.h>
+#include <asm/uv.h>
 
 #include "kvm-s390.h"
 #include "gaccess.h"
@@ -484,12 +485,35 @@  static int handle_pv_sclp(struct kvm_vcpu *vcpu)
 	return 0;
 }
 
+static int handle_pv_uvc(struct kvm_vcpu *vcpu)
+{
+	struct uv_cb_share *guest_uvcb = (void *)vcpu->arch.sie_block->sidad;
+	struct uv_cb_cts uvcb = {
+		.header.cmd	= UVC_CMD_UNPIN_PAGE_SHARED,
+		.header.len	= sizeof(uvcb),
+		.guest_handle	= kvm_s390_pv_get_handle(vcpu->kvm),
+		.gaddr		= guest_uvcb->paddr,
+	};
+	int rc;
+
+	if (guest_uvcb->header.cmd != UVC_CMD_REMOVE_SHARED_ACCESS) {
+		WARN_ONCE(1, "Unexpected UVC 0x%x!\n", guest_uvcb->header.cmd);
+		return 0;
+	}
+	rc = gmap_make_secure(vcpu->arch.gmap, uvcb.gaddr, &uvcb);
+	if (rc == -EINVAL)
+		return 0;
+	return rc;
+}
+
 static int handle_pv_notification(struct kvm_vcpu *vcpu)
 {
 	if (vcpu->arch.sie_block->ipa == 0xb210)
 		return handle_pv_spx(vcpu);
 	if (vcpu->arch.sie_block->ipa == 0xb220)
 		return handle_pv_sclp(vcpu);
+	if (vcpu->arch.sie_block->ipa == 0xb9a4)
+		return handle_pv_uvc(vcpu);
 
 	return handle_instruction(vcpu);
 }

[v4,20/36] KVM: s390/mm: handle guest unpin events

Commit Message

Comments

Patch