[v2,1/4] s390x/pv: Implement a CGS check helper

Message ID	20230106075330.3662549-2-clg@kaod.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@kaod.org> To: qemu-s390x@nongnu.org Cc: qemu-devel@nongnu.org, Thomas Huth <thuth@redhat.com>, Halil Pasic <pasic@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Claudio Imbrenda <imbrenda@linux.ibm.com>, frankja@linux.ibm.com, David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>, Eric Farman <farman@linux.ibm.com>, =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@redhat.com> Subject: [PATCH v2 1/4] s390x/pv: Implement a CGS check helper Date: Fri, 6 Jan 2023 08:53:27 +0100 Message-Id: <20230106075330.3662549-2-clg@kaod.org> In-Reply-To: <20230106075330.3662549-1-clg@kaod.org> References: <20230106075330.3662549-1-clg@kaod.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=150.107.74.76; envelope-from=SRS0=FbrK=5D=kaod.org=clg@ozlabs.org; helo=gandalf.ozlabs.org X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	s390x/pv: Improve protected VM support \| expand [v2,0/4] s390x/pv: Improve protected VM support [v2,1/4] s390x/pv: Implement a CGS check helper [v2,2/4] s390x/pv: Check for support on the host [v2,3/4] s390x/pv: Introduce a s390_pv_check() helper for runtime [v2,4/4] s390x/pv: Move check on hugepage under s390_pv_guest_check()

Message ID

20230106075330.3662549-2-clg@kaod.org (mailing list archive)

State

New, archived

Headers

From: =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@kaod.org>
To: qemu-s390x@nongnu.org
Cc: qemu-devel@nongnu.org, Thomas Huth <thuth@redhat.com>,
 Halil Pasic <pasic@linux.ibm.com>,
 Christian Borntraeger <borntraeger@linux.ibm.com>,
 Claudio Imbrenda <imbrenda@linux.ibm.com>, frankja@linux.ibm.com,
 David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>,
 Eric Farman <farman@linux.ibm.com>,
 =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@redhat.com>
Subject: [PATCH v2 1/4] s390x/pv: Implement a CGS check helper
Date: Fri,  6 Jan 2023 08:53:27 +0100
Message-Id: <20230106075330.3662549-2-clg@kaod.org>
In-Reply-To: <20230106075330.3662549-1-clg@kaod.org>
References: <20230106075330.3662549-1-clg@kaod.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=150.107.74.76;
 envelope-from=SRS0=FbrK=5D=kaod.org=clg@ozlabs.org; helo=gandalf.ozlabs.org
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9,
 HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

s390x/pv: Improve protected VM support | expand

Commit Message

Cédric Le Goater Jan. 6, 2023, 7:53 a.m. UTC

From: Cédric Le Goater <clg@redhat.com>

When a protected VM is started with the maximum number of CPUs (248),
the service call providing information on the CPUs requires more
buffer space than allocated and QEMU disgracefully aborts :

    LOADPARM=[........]
    Using virtio-blk.
    Using SCSI scheme.
    ...................................................................................
    qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long

When protected virtualization is initialized, compute the maximum
number of vCPUs supported by the machine and return useful information
to the user before the machine starts in case of error.

Suggested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

Comments

Thomas Huth Jan. 9, 2023, 1:34 p.m. UTC | #1

On 06/01/2023 08.53, Cédric Le Goater wrote:
> From: Cédric Le Goater <clg@redhat.com>
> 
> When a protected VM is started with the maximum number of CPUs (248),
> the service call providing information on the CPUs requires more
> buffer space than allocated and QEMU disgracefully aborts :
> 
>      LOADPARM=[........]
>      Using virtio-blk.
>      Using SCSI scheme.
>      ...................................................................................
>      qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long
> 
> When protected virtualization is initialized, compute the maximum
> number of vCPUs supported by the machine and return useful information
> to the user before the machine starts in case of error.
> 
> Suggested-by: Thomas Huth <thuth@redhat.com>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>   hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 40 insertions(+)
> 
> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
> index 8dfe92d8df..8a1c71436b 100644
> --- a/hw/s390x/pv.c
> +++ b/hw/s390x/pv.c
> @@ -20,6 +20,7 @@
>   #include "exec/confidential-guest-support.h"
>   #include "hw/s390x/ipl.h"
>   #include "hw/s390x/pv.h"
> +#include "hw/s390x/sclp.h"
>   #include "target/s390x/kvm/kvm_s390x.h"
>   
>   static bool info_valid;
> @@ -249,6 +250,41 @@ struct S390PVGuestClass {
>       ConfidentialGuestSupportClass parent_class;
>   };
>   
> +/*
> + * If protected virtualization is enabled, the amount of data that the
> + * Read SCP Info Service Call can use is limited to one page. The
> + * available space also depends on the Extended-Length SCCB (ELS)
> + * feature which can take more buffer space to store feature
> + * information. This impacts the maximum number of CPUs supported in
> + * the machine.
> + */
> +static uint32_t s390_pv_get_max_cpus(void)
> +{
> +    int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ?
> +        offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET;
> +
> +    return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry);
> +}
> +
> +static bool s390_pv_check_cpus(Error **errp)
> +{
> +    MachineState *ms = MACHINE(qdev_get_machine());
> +    uint32_t pv_max_cpus = s390_pv_get_max_cpus();
> +
> +    if (ms->smp.max_cpus > pv_max_cpus) {
> +        error_setg(errp, "Protected VMs support a maximum of %d CPUs",
> +                   pv_max_cpus);
> +        return false;
> +    }
> +
> +    return true;
> +}
> +
> +static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp)
> +{
> +    return s390_pv_check_cpus(errp);
> +}
> +
>   int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>   {
>       if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
> @@ -261,6 +297,10 @@ int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>           return -1;
>       }
>   
> +    if (!s390_pv_guest_check(cgs, errp)) {
> +        return -1;
> +    }
> +
>       cgs->ready = true;
>   
>       return 0;

Looks good to me now.

Reviewed-by: Thomas Huth <thuth@redhat.com>

Cédric Le Goater Jan. 9, 2023, 1:57 p.m. UTC | #2

On 1/9/23 14:34, Thomas Huth wrote:
> On 06/01/2023 08.53, Cédric Le Goater wrote:
>> From: Cédric Le Goater <clg@redhat.com>
>>
>> When a protected VM is started with the maximum number of CPUs (248),
>> the service call providing information on the CPUs requires more
>> buffer space than allocated and QEMU disgracefully aborts :
>>
>>      LOADPARM=[........]
>>      Using virtio-blk.
>>      Using SCSI scheme.
>>      ...................................................................................
>>      qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long
>>
>> When protected virtualization is initialized, compute the maximum
>> number of vCPUs supported by the machine and return useful information
>> to the user before the machine starts in case of error.
>>
>> Suggested-by: Thomas Huth <thuth@redhat.com>
>> Signed-off-by: Cédric Le Goater <clg@redhat.com>
>> ---
>>   hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 40 insertions(+)
>>
>> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
>> index 8dfe92d8df..8a1c71436b 100644
>> --- a/hw/s390x/pv.c
>> +++ b/hw/s390x/pv.c
>> @@ -20,6 +20,7 @@
>>   #include "exec/confidential-guest-support.h"
>>   #include "hw/s390x/ipl.h"
>>   #include "hw/s390x/pv.h"
>> +#include "hw/s390x/sclp.h"
>>   #include "target/s390x/kvm/kvm_s390x.h"
>>   static bool info_valid;
>> @@ -249,6 +250,41 @@ struct S390PVGuestClass {
>>       ConfidentialGuestSupportClass parent_class;
>>   };
>> +/*
>> + * If protected virtualization is enabled, the amount of data that the
>> + * Read SCP Info Service Call can use is limited to one page. The
>> + * available space also depends on the Extended-Length SCCB (ELS)
>> + * feature which can take more buffer space to store feature
>> + * information. This impacts the maximum number of CPUs supported in
>> + * the machine.
>> + */
>> +static uint32_t s390_pv_get_max_cpus(void)
>> +{
>> +    int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ?
>> +        offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET;
>> +
>> +    return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry);
>> +}
>> +
>> +static bool s390_pv_check_cpus(Error **errp)
>> +{
>> +    MachineState *ms = MACHINE(qdev_get_machine());
>> +    uint32_t pv_max_cpus = s390_pv_get_max_cpus();
>> +
>> +    if (ms->smp.max_cpus > pv_max_cpus) {
>> +        error_setg(errp, "Protected VMs support a maximum of %d CPUs",
>> +                   pv_max_cpus);
>> +        return false;
>> +    }
>> +
>> +    return true;
>> +}
>> +
>> +static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp)
>> +{
>> +    return s390_pv_check_cpus(errp);
>> +}
>> +
>>   int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>>   {
>>       if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
>> @@ -261,6 +297,10 @@ int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>>           return -1;
>>       }
>> +    if (!s390_pv_guest_check(cgs, errp)) {
>> +        return -1;
>> +    }
>> +
>>       cgs->ready = true;
>>       return 0;
> 
> Looks good to me now.
> 
> Reviewed-by: Thomas Huth <thuth@redhat.com>

I think we could move the huge page test in s390_pv_guest_check() also.
We are finishing a discussion with Janosch on the runtime test and I will
send a v3.

Thanks,

C.

Thomas Huth Jan. 9, 2023, 2:12 p.m. UTC | #3

On 09/01/2023 14.57, Cédric Le Goater wrote:
> On 1/9/23 14:34, Thomas Huth wrote:
>> On 06/01/2023 08.53, Cédric Le Goater wrote:
>>> From: Cédric Le Goater <clg@redhat.com>
>>>
>>> When a protected VM is started with the maximum number of CPUs (248),
>>> the service call providing information on the CPUs requires more
>>> buffer space than allocated and QEMU disgracefully aborts :
>>>
>>>      LOADPARM=[........]
>>>      Using virtio-blk.
>>>      Using SCSI scheme.
>>>      
>>> ................................................................................... 
>>>
>>>      qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long
>>>
>>> When protected virtualization is initialized, compute the maximum
>>> number of vCPUs supported by the machine and return useful information
>>> to the user before the machine starts in case of error.
>>>
>>> Suggested-by: Thomas Huth <thuth@redhat.com>
>>> Signed-off-by: Cédric Le Goater <clg@redhat.com>
>>> ---
>>>   hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
>>>   1 file changed, 40 insertions(+)
>>>
>>> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
>>> index 8dfe92d8df..8a1c71436b 100644
>>> --- a/hw/s390x/pv.c
>>> +++ b/hw/s390x/pv.c
>>> @@ -20,6 +20,7 @@
>>>   #include "exec/confidential-guest-support.h"
>>>   #include "hw/s390x/ipl.h"
>>>   #include "hw/s390x/pv.h"
>>> +#include "hw/s390x/sclp.h"
>>>   #include "target/s390x/kvm/kvm_s390x.h"
>>>   static bool info_valid;
>>> @@ -249,6 +250,41 @@ struct S390PVGuestClass {
>>>       ConfidentialGuestSupportClass parent_class;
>>>   };
>>> +/*
>>> + * If protected virtualization is enabled, the amount of data that the
>>> + * Read SCP Info Service Call can use is limited to one page. The
>>> + * available space also depends on the Extended-Length SCCB (ELS)
>>> + * feature which can take more buffer space to store feature
>>> + * information. This impacts the maximum number of CPUs supported in
>>> + * the machine.
>>> + */
>>> +static uint32_t s390_pv_get_max_cpus(void)
>>> +{
>>> +    int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ?
>>> +        offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET;
>>> +
>>> +    return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry);
>>> +}
>>> +
>>> +static bool s390_pv_check_cpus(Error **errp)
>>> +{
>>> +    MachineState *ms = MACHINE(qdev_get_machine());
>>> +    uint32_t pv_max_cpus = s390_pv_get_max_cpus();
>>> +
>>> +    if (ms->smp.max_cpus > pv_max_cpus) {
>>> +        error_setg(errp, "Protected VMs support a maximum of %d CPUs",
>>> +                   pv_max_cpus);
>>> +        return false;
>>> +    }
>>> +
>>> +    return true;
>>> +}
>>> +
>>> +static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error 
>>> **errp)
>>> +{
>>> +    return s390_pv_check_cpus(errp);
>>> +}
>>> +
>>>   int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>>>   {
>>>       if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
>>> @@ -261,6 +297,10 @@ int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, 
>>> Error **errp)
>>>           return -1;
>>>       }
>>> +    if (!s390_pv_guest_check(cgs, errp)) {
>>> +        return -1;
>>> +    }
>>> +
>>>       cgs->ready = true;
>>>       return 0;
>>
>> Looks good to me now.
>>
>> Reviewed-by: Thomas Huth <thuth@redhat.com>
> 
> I think we could move the huge page test in s390_pv_guest_check() also.
> We are finishing a discussion with Janosch on the runtime test and I will
> send a v3.

Core question is likely: What if the hypervisor admin does not know whether 
the guest will run in protected mode or not, and thus always wants to enable 
the feature (so that the owner of the guest can decide)? So we cannot know 
right from the start whether we have a confidential guest or not? ... should 
we then really check the condition at the beginning, or is it better to 
check when the guest tries to switch to protected mode?

  Thomas

Cédric Le Goater Jan. 9, 2023, 2:28 p.m. UTC | #4

On 1/9/23 15:12, Thomas Huth wrote:
> On 09/01/2023 14.57, Cédric Le Goater wrote:
>> On 1/9/23 14:34, Thomas Huth wrote:
>>> On 06/01/2023 08.53, Cédric Le Goater wrote:
>>>> From: Cédric Le Goater <clg@redhat.com>
>>>>
>>>> When a protected VM is started with the maximum number of CPUs (248),
>>>> the service call providing information on the CPUs requires more
>>>> buffer space than allocated and QEMU disgracefully aborts :
>>>>
>>>>      LOADPARM=[........]
>>>>      Using virtio-blk.
>>>>      Using SCSI scheme.
>>>> ...................................................................................
>>>>      qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long
>>>>
>>>> When protected virtualization is initialized, compute the maximum
>>>> number of vCPUs supported by the machine and return useful information
>>>> to the user before the machine starts in case of error.
>>>>
>>>> Suggested-by: Thomas Huth <thuth@redhat.com>
>>>> Signed-off-by: Cédric Le Goater <clg@redhat.com>
>>>> ---
>>>>   hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
>>>>   1 file changed, 40 insertions(+)
>>>>
>>>> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
>>>> index 8dfe92d8df..8a1c71436b 100644
>>>> --- a/hw/s390x/pv.c
>>>> +++ b/hw/s390x/pv.c
>>>> @@ -20,6 +20,7 @@
>>>>   #include "exec/confidential-guest-support.h"
>>>>   #include "hw/s390x/ipl.h"
>>>>   #include "hw/s390x/pv.h"
>>>> +#include "hw/s390x/sclp.h"
>>>>   #include "target/s390x/kvm/kvm_s390x.h"
>>>>   static bool info_valid;
>>>> @@ -249,6 +250,41 @@ struct S390PVGuestClass {
>>>>       ConfidentialGuestSupportClass parent_class;
>>>>   };
>>>> +/*
>>>> + * If protected virtualization is enabled, the amount of data that the
>>>> + * Read SCP Info Service Call can use is limited to one page. The
>>>> + * available space also depends on the Extended-Length SCCB (ELS)
>>>> + * feature which can take more buffer space to store feature
>>>> + * information. This impacts the maximum number of CPUs supported in
>>>> + * the machine.
>>>> + */
>>>> +static uint32_t s390_pv_get_max_cpus(void)
>>>> +{
>>>> +    int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ?
>>>> +        offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET;
>>>> +
>>>> +    return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry);
>>>> +}
>>>> +
>>>> +static bool s390_pv_check_cpus(Error **errp)
>>>> +{
>>>> +    MachineState *ms = MACHINE(qdev_get_machine());
>>>> +    uint32_t pv_max_cpus = s390_pv_get_max_cpus();
>>>> +
>>>> +    if (ms->smp.max_cpus > pv_max_cpus) {
>>>> +        error_setg(errp, "Protected VMs support a maximum of %d CPUs",
>>>> +                   pv_max_cpus);
>>>> +        return false;
>>>> +    }
>>>> +
>>>> +    return true;
>>>> +}
>>>> +
>>>> +static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp)
>>>> +{
>>>> +    return s390_pv_check_cpus(errp);
>>>> +}
>>>> +
>>>>   int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>>>>   {
>>>>       if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
>>>> @@ -261,6 +297,10 @@ int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
>>>>           return -1;
>>>>       }
>>>> +    if (!s390_pv_guest_check(cgs, errp)) {
>>>> +        return -1;
>>>> +    }
>>>> +
>>>>       cgs->ready = true;
>>>>       return 0;
>>>
>>> Looks good to me now.
>>>
>>> Reviewed-by: Thomas Huth <thuth@redhat.com>
>>
>> I think we could move the huge page test in s390_pv_guest_check() also.
>> We are finishing a discussion with Janosch on the runtime test and I will
>> send a v3.
> 
> Core question is likely: What if the hypervisor admin does not know whether the guest will run in protected mode or not, and thus always wants to enable the feature (so that the owner of the guest can decide)? 

If we take this direction, then, on a protected host, libvirt (or QEMU ?)
would need to set the VM as protected always : machine option and CGS
object passed on the command line.

> So we cannot know right from the start whether we have a confidential 
> guest or not? ... 

AFAIUI, it only depends on the kernel of the guest OS. A non secure
kernel runs fine in a protected VM. The PV switch is not performed
in diag308.

C.


> should we then really check the condition at the beginning, 
> or is it better to check when the guest tries to switch to protected mode?

diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
index 8dfe92d8df..8a1c71436b 100644
--- a/hw/s390x/pv.c
+++ b/hw/s390x/pv.c
@@ -20,6 +20,7 @@ 
 #include "exec/confidential-guest-support.h"
 #include "hw/s390x/ipl.h"
 #include "hw/s390x/pv.h"
+#include "hw/s390x/sclp.h"
 #include "target/s390x/kvm/kvm_s390x.h"
 
 static bool info_valid;
@@ -249,6 +250,41 @@  struct S390PVGuestClass {
     ConfidentialGuestSupportClass parent_class;
 };
 
+/*
+ * If protected virtualization is enabled, the amount of data that the
+ * Read SCP Info Service Call can use is limited to one page. The
+ * available space also depends on the Extended-Length SCCB (ELS)
+ * feature which can take more buffer space to store feature
+ * information. This impacts the maximum number of CPUs supported in
+ * the machine.
+ */
+static uint32_t s390_pv_get_max_cpus(void)
+{
+    int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ?
+        offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET;
+
+    return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry);
+}
+
+static bool s390_pv_check_cpus(Error **errp)
+{
+    MachineState *ms = MACHINE(qdev_get_machine());
+    uint32_t pv_max_cpus = s390_pv_get_max_cpus();
+
+    if (ms->smp.max_cpus > pv_max_cpus) {
+        error_setg(errp, "Protected VMs support a maximum of %d CPUs",
+                   pv_max_cpus);
+        return false;
+    }
+
+    return true;
+}
+
+static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp)
+{
+    return s390_pv_check_cpus(errp);
+}
+
 int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
 {
     if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) {
@@ -261,6 +297,10 @@  int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
         return -1;
     }
 
+    if (!s390_pv_guest_check(cgs, errp)) {
+        return -1;
+    }
+
     cgs->ready = true;
 
     return 0;

[v2,1/4] s390x/pv: Implement a CGS check helper

Commit Message

Comments

Patch