Re: [PATCH v4 08/15] KVM: s390: interfaces to (de)configure guest's AP matrix

From: Tony Krowiak
Date: Mon May 07 2018 - 10:15:10 EST

Next message: Eric Dumazet: "Re: [PATCH] net: 8390: Fix possible data races in __ei_get_stats"
Previous message: bugzilla-daemon: "[Bug 199631] New: WARNING: at drivers/thunderbolt/switch.c:587 tb_switch_add+0x63e/0x730 [thunderbolt]"
In reply to: Pierre Morel: "Re: [PATCH v4 08/15] KVM: s390: interfaces to (de)configure guest's AP matrix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/03/2018 12:01 PM, Pierre Morel wrote:

On 03/05/2018 16:41, Tony Krowiak wrote:

On 05/02/2018 10:57 AM, Pierre Morel wrote:

On 25/04/2018 18:21, Tony Krowiak wrote:

On 04/23/2018 09:46 AM, Pierre Morel wrote:

On 15/04/2018 23:22, Tony Krowiak wrote:

Provides interfaces to assign AP adapters, usage domains
and control domains to a KVM guest.

...

The kvm_ap_configure_matrix(kvm, matrix) interface configures the APM, AQM and ADM in the
guest's CRYCB which implies AP instructions are being interpreted. There is nothing in SIE
precluding the sharing of AP queues between guests using SIE to interpret AP instructions,
it is my opinion - along with several others - that this is not advisable given the
results are not predictable, not to mention the security concerns. If the protocol to access
queues changes, then we create a different interface. The other option is to include a flag
on the kvm_ap_configure_matrix(kvm, matrix) interface to indicate whether sharing is
allowed. I don't like this, because we have no way of knowing if the caller has taken the
proper care to ensure the VM sharing the queue should be allowed access. Besides, when
queue sharing is implemented, it is my opinion that we will intercept the AP instructions
and the matrix will not be configured in the CRYCB. I stick by my response above.

I mean, validating the queue sharing is a mater of the VFIO driver.
This code is not needed if the VFIO driver is not used.
But it is not very important.

Yes, this check could have been implemented in the VFIO driver, but as I stated above, that
would require the driver to "know" the internals of KVM. I think the KVM logic should
be encapsulated in KVM. If we want to allow sharing of interpreted AP devices, then we
can always add a flag to the interface.

+static int kvm_ap_matrix_apm_create(struct kvm_ap_matrix *ap_matrix,
+ struct ap_config_info *config)
+{
+ int apm_max = (config && config->apxa) ? config->Na + 1 : 16;

At this moment you already know the format of the crycb.

How?

you calculated this in kvm_ap_build_crycbd() which is called from kvm_s390_crypto_init()
itself called from kvm_arch_init_vm().
It is when starting the VM.

This structure is used by the vfio_ap driver to store the mediated matrix device's matrix
configuration as well as to configure the CRYCB. The mediated device's matrix is
configured before the guest is started ... it is the means for configuring the guest's
matrix after all. The bottom line is, this function will be called long before the
kvm_ap_build_crycbd() function is called.

you are right, I was thinking about open, should have take more attention.
Sorry.

Pierre

Next message: Eric Dumazet: "Re: [PATCH] net: 8390: Fix possible data races in __ei_get_stats"
Previous message: bugzilla-daemon: "[Bug 199631] New: WARNING: at drivers/thunderbolt/switch.c:587 tb_switch_add+0x63e/0x730 [thunderbolt]"
In reply to: Pierre Morel: "Re: [PATCH v4 08/15] KVM: s390: interfaces to (de)configure guest's AP matrix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]