[RFC 5/5] s390x/docs: documentation for ap-matrix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
---
 docs/ap_matrix.txt |  529 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 529 insertions(+), 0 deletions(-)
 create mode 100644 docs/ap_matrix.txt

diff --git a/docs/ap_matrix.txt b/docs/ap_matrix.txt
new file mode 100644
index 0000000..ec7bd44
--- /dev/null
+++ b/docs/ap_matrix.txt
@@ -0,0 +1,529 @@
+Adjunct Processor (AP) Matrix Devices
+=====================================
+
+Contents:
+=========
+* Introduction
+* AP Architectural Overview
+* Start Interpretive Execution (SIE) Instruction
+* AP Matrix Configuration on Linux Host
+* AP Matrix Configuration for a Linux Guest
+* Starting a Linux Guest Configured with an AP Matrix
+* Example: Configure AP Matrices for Two Linux Guests
+
+Introduction:
+============
+The IBM Adjunct Processor (AP) Cryptographic Facility is comprised 
+of three AP instructions and from 1 to 256 PCIe cryptographic adapter cards.
+These AP devices provide cryptographic functions to all CPUs assigned to a
+linux system running in an IBM Z system LPAR.
+ 
+The intent of this document is to provide administrators with the basic
+knowledge needed to provide a linux guest with direct access to one or more AP
+adapters available to the host linux system using an AP matrix device 
+
+AP Architectural Overview:
+=========================
+In order understand the terminology used in the rest of this document, let's 
+start with some definitions:
+
+* AP adapter
+
+  An AP adapter is a PCIe cryptographic adapter that can perform cryptographic
+  functions. There can be from 0 to 256 AP adapters assigned to an LPAR.
+  Each adapter is identified by a number from 0 to 255. When 
+  installed, an AP is accessed by AP instructions executed by any CPU. 
+
+* AP domain
+
+  An adapter is partitioned into domains. Each domain can be thought of as 
+  a set of hardware registers dedicated to an active LPAR. An adapter can hold 
+  up to 256 domains. Each domain is identified by a number from 0 to 255. 
+  Domains can be further classified into two types: 
+  
+    * Usage domains are domains that can be accessed directly to process AP 
+      commands
+  
+    * Control domains are domains that are accessed indirectly by AP 
+      commands sent to a usage domain to control or change the domain, for 
+      example; to specify a private key that can be used by the domain to 
+      perform cryptographic functions.
+
+* AP Queue
+
+  An AP queue is the means by which an AP command is sent to an 
+  AP usage domain inside a specific AP. An AP queue is identified by a tuple 
+  comprised of an AP adapter ID and a usage domain index. The index corresponds
+  to a given usage domain within the adapter. This tuple forms an AP Queue 
+  Number (APQN). AP instructions specify an APQN to identify the AP Queue 
+  to which an AP command-request message is to be sent, or from which a 
+  command-reply message is to be received. An APQN is specified in this 
+  document with one of two formats: APQN (xx,yyyy) or simply xx.yyyy, where 
+  xx is an adapter number and yyyy is a domain number. Both numbers will be 
+  specified in hexidecimal format.
+
+* AP Instructions:
+
+  There are three AP instructions:
+
+  * NQAP: to enqueue an AP command-request message to an AP queue
+  * DQAP: to dequeue an AP command-reply message from an AP queue
+  * PQAP: to administer an AP queue
+
+Start Interpretive Execution (SIE) Instruction
+==============================================
+A linux guest running on an IBM Z system is started under KVM by executing the 
+Start Interpretive Execution (SIE) instruction. The SIE state description is a 
+control block that contains the state information for a KVM guest and is 
+supplied as input to the SIE instruction. The SIE state description contains a 
+field that references a Crypto Control Block (CRYCB) containing three
+fields to identify the AP adapters, usage domains and control domains assigned 
+to the KVM guest: 
+
+* The AP Mask (APM) field specifies the AP adapter numbers assigned to the 
+  KVM guest. The APM controls which adapters are valid for the KVM guest.
+
+* The AP Queue Mask (AQM) field specifies the AP usage domain numbers assigned 
+  to the KVM guest. The AQM controls which usage domains are valid for the 
+  KVM guest.
+
+* The AP Domain Mask field specifies the AP control domains assigned to the 
+  KVM guest. The ADM controls which control domains are valid for the 
+  KVM guest.
+
+These three fields comprise the AP matrix for the guest. The APQNs accessible
+to the guest is the intersection of all assigned adapter numbers (APM) and 
+all assigned usage domain numbers (AQM). For example, if adapters 1 and 2 and 
+usage domains 5 and 6 are assigned to a guest, the APQNs (1,5), (1,6), (2,5) and
+(2,6) will be valid for AP instructions executed on the guest.
+
+The SIE instruction is run in interpretive execution mode which means the 
+AP instructions executed on the guest are interpreted by the hardware. This 
+allows a guest direct access to the AP adapter cards. Since each domain within
+a given adapter holds the master key used in the cryptographic functions it 
+supports, each APQN must be assigned to at most one guest.
+
+   Example 1: Valid configuration for two guests:
+   ---------------------------------------------
+   Guest1: adapters 1,2  domains 5,6
+   Guest2: adapter  1,2  domain 7
+
+   This is valid because both guests have a unique set of APQNs: Guest1 has
+   APQNs (1,5), (1,6), (2,5) and (2,6); Guest2 has APQN (1,7) and (2,7). There
+   is not overlap.
+
+   Example 2: Invalid configuration for two guests:
+   -----------------------------------------------
+   Guest1: adapters 1,2  domains 5,6
+   Guest2: adapter  1    domains 6,7
+
+   This is an invalid configuration because both guests have access to 
+   APQNs (1,6).
+
+AP Matrix Configuration on Linux Host:
+=====================================
+A linux system is a guest of the LPAR in which it is running and has access to
+the AP resources configured for the LPAR. The LPAR's AP matrix is 
+configured using the 'Customize/Delete Activation Profiles' dialog from the HMC. 
+This dialog displays the activation profiles configured for the linux system. 
+Selecting the specific activation profile to be edited and clicking the 
+'Customize Profile' button will open the 'Customize Image Profiles' dialog. 
+Selecting the 'Crypto' link in the tree view on the left hand side of the dialog 
+will display the AP matrix configuration in the right hand panel. There, one can 
+assign AP adapters - called Cryptos - and domains to the LPAR. When the linux 
+system is started using this activation profile, it will have access to the
+AP matrix configured via the activation profile.
+
+When the linux system is started, the AP adapter devices will be connected to 
+the AP bus and the following AP matrix interfaces will be created in sysfs:
+
+/sys/bus/ap
+... [devices]
+...... xx.yyyy
+...... ...
+...... cardxx
+...... ...
+
+Where:
+    cardxx     is adapter number xx (in hex)
+    yyyy       is a usage domain number yyyy (in hex)
+....xx.yyyy    is APQN (xx,yyyy)
+
+For example, if AP adapters 5 and 6 and domains 4 and 71 are configured for the
+LPAR, the sysfs representation on the linux system would look like this:
+
+/sys/bus/ap
+... [devices]
+...... 05.0004
+...... 05.0047
+...... 06.0004
+...... 06.0047
+...... card05
+...... card06
+
+There will also be AP device drivers created to control each type of AP matrix 
+interface available to the IBM Z system:
+
+/sys/bus/ap
+... [drivers]
+...... [cex2acard]        for Crypto Express 2/3 accelerator cards
+...... [cex2aqueue]       for AP queues served by Crypto Express 2/3 
+                          accelerator cards
+...... [cex4card]         for Crypto Express 4/5/6 accelerator and coprocessor 
+                          cards
+...... [cex4queue]        for AP queues served by Crypto Express 4/5/6 
+                          accelerator and coprocessor cards
+...... [pcixcccard]       for Crypto Express 2/3 coprocessor cards
+...... [pcixccqueue]      for AP queues served by Crypto Express 2/3 
+                          coprocessor cards
+
+Links to the AP interfaces controlled by each AP device driver will be created 
+in the device driver's sysfs directory. For example, if AP adapter 5 and domains
+4 and 71 (0x47) are assigned to the LPAR and adapter 5 is a CEX5 card, the 
+following links will be created in the CEX5 drivers' sysfs directories:
+
+/sys/bus/ap
+... [drivers]
+...... [cex4card]
+......... [card05]
+...... [cex4queue]
+......... [05.0004]
+......... [05.0047]
+
+AP Matrix Configuration for a Linux Guest:
+=========================================
+In order to configure the AP matrix for a guest, the adapters, usage domains 
+and control domains to be used by the guest must be identified. This section
+describes how to configure a guest's AP matrix.
+
+When the linux host is booted, an AP matrix bus will be initialized. When 
+initialized, the AP matrix bus creates a single AP matrix device to 
+hold the APQNs to be made available to guests:
+
+/sys/bus/ap_matrix
+... [devices]
+......[matrix] symlink to the AP matrix device directory
+
+/sys/devices
+... [ap_matrix]
+......[matrix] the AP matrix device directory
+
+The kernel interfaces for configuring an AP matrix for a linux guest are built 
+on the VFIO mediated device framework and are provided by the vfio_ap_matrix 
+kernel module. The dependency chain for the vfio_ap_matrix module is:
+
+* vfio
+* mdev
+* vfio_mdev
+* vfio_ap_matrix
+
+When the vfio_ap_matrix module is loaded, it will create the following sysfs 
+interfaces:
+
+/sys/bus/ap
+... [drivers]
+...... [vfio_ap_matrix]
+......... bind
+
+The vfio_ap_matrix device driver is created to provide an interface for securing
+APQNs from use by the host linux system. This is accomplished by unbinding the
+APQNs from the host device driver and binding them to the vfio_ap_matrix 
+device driver. For example, suppose we want to secure APQN (05,0004). Assuming
+for this example that AP adapter card 5 is a CEX5 coprocessor card:
+
+    echo 05.0004 > /sys/bus/ap/drivers/cex4queue/unbind
+    echo 05.0004 > /sys/bus/ap/drivers/vfio_ap_matrix/bind
+
+This action will store the APQN in the /sys/devices/ap_matrix/matrix device 
+which makes it available for use by a linux guest.
+
+Another side effect of loading the vfio_ap_matrix module is the creation of the
+sysfs interfaces for configuring an AP matrix for a linux guest. These sysfs 
+interfaces are built on the VFIO mediated device framework. To configure an AP 
+matrix for a guest, a mediated matrix device must be created for the 
+/sys/devices/ap_matrix/matrix device. A mediated matrix device must be created
+for each guest that needs access to one or more AP queues. The sysfs interface 
+for creating a mediated matrix device is in:
+
+/sys/devices
+... [ap_matrix]
+......[matrix]
+......... [mdev_supported_types]
+............ [ap_matrix-passthrough]
+............... create
+............... [devices]
+
+A mediated AP matrix device is created by writing a UUID to the attribute
+file named 'create', for example:
+
+    uuidgen > create
+
+When a mediated AP matrix device is created, a sysfs directory named after 
+the UUID will be created in the devices subdirectory:
+
+/sys/devices
+... [ap_matrix]
+......[matrix]
+......... [mdev_supported_types]
+............ [ap_matrix-passthrough]
+............... create
+............... [devices]
+.................. [$uuid]
+..................... adapters
+..................... assign_adapter
+..................... assign_control_domain
+..................... assign_domain
+..................... control_domains
+..................... domains
+..................... remove
+..................... unassign_adapter
+..................... unassign_control_domain
+..................... unassign_domain
+
+There will also be three sets of attribute files created in the mediated matrix 
+device's sysfs directory:
+
+1 Adapter assignment
+    * An adapter is assigned by writing the adapter's number into the 
+      'assign_adapter' file. This may be repeated multiple times to assign
+      multiple adapters. For example, to assign adapters 5 and 6 to mediated 
+      matrix device $uuid:
+      
+          echo 5 > assign_adapter
+          echo 6 > assign_adapter
+
+    * An adapter may be unassigned by writing the adapter's number into the 
+      'unassign_adapter' file. This may also be done multiple times to
+      unassign multiple adapters.
+
+    * To view the adapter numbers assigned to the AP matrix mediated device, 
+      print the 'adapters' file:
+
+          cat adapters
+
+1 Usage Domain assignment
+    * A usage domain is assigned by writing the usage domain's number into the 
+      'assign_domain' file. This may be repeated multiple times to assign
+      multiple usage domains. For example, to assign usage domains 4 and 
+      71 (0x47) to mediated matrix device $uuid:
+
+          echo 4 > assign_domain
+          echo 47 > assign_domain
+
+    * A domain may be unassigned by writing the usage domain's number into the 
+      'unassign_domain' file. This may be repeated multiple times to unassign
+      multiple usage domains.
+
+    * To view the usage domain numbers assigned to the AP matrix mediated 
+    device, print the 'domains' file:
+
+          cat domains
+
+1 Control domain assignment
+    * A control domain is assigned by writing the control domain's number into 
+      the 'assign_control_domain' file. This may be repeated multiple times to 
+      assign multiple control domains. It is not necessary to assign 
+      usage domain numbers as control domains, that is done automatically by 
+      default. To assign control domains 4 and 37 (0x35) to mediated matrix 
+      device $uuid:
+      
+          echo 4 > assign_control_domain
+          echo 25 > assign_control_domain
+
+    * A control domain may be unassigned by writing the control domain's number 
+      into the 'unassign_control_domain' file. This may be repeated multiple
+      times to unassign multiple control domains.
+
+    * To view the control domain numbers assigned to the AP matrix mediated 
+      device, print the 'control_domains' file:
+
+          cat control_domains
+
+Note: Hot plug/unplug is not currently supported for mediated AP matrix devices,
+      so the AP matrix resulting from assignment and/or unassignment of AP 
+      adapters, usage domains and control domains to a mediated AP matrix device 
+      will not take affect until the linux guest is rebooted.
+
+Starting a Linux Guest Configured with an AP Matrix:
+===================================================
+In addition to providing the sysfs interfaces for configuring the AP matrix for 
+a linux guest, a mediated AP matrix device also acts as a communication pathway 
+between QEMU and the vfio_ap_matrix device driver. To gain access to the 
+device driver, the following option must be specified on the QEMU command line:
+
+-device vfio_ap_matrix,sysfsdev=$path-to-mdev
+
+The sysfsdev parameter specifies the path to the mediated matrix device.
+There are a number of ways to specify this path:
+
+/sys/devices/ap_matrix/matrix/$uuid
+/sys/bus/mdev/devices/$uuid
+/sys/bus/mdev/drivers/vfio_mdev/$uuid
+/sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix-passthrough/devices/$uuid
+
+When the linux guest is subsequently started, the guest will open the mediated 
+matrix device's file descriptor to issue the command instructing the device 
+driver to configure the AP matrix for the linux guest. In response, the 
+vfio_ap_matrix device driver will update the APM, AQM, and ADM fields in the 
+guest's CRYCB with the adapter, usage domain and control domain numbers 
+specified via the mediated matrix device's sysfs attribute files. Programs 
+running on the linux guest will then:
+
+1. Have access to the APQNs derived from the intersection of the AP adapter and
+   usage domain numbers specified in the APM and AQM respectively
+
+2. Have authorization to process AP commands to change a control domains
+   identified in an AP instruction sent to a valid APQN.
+
+Example: Configure AP Matrices for Two Linux Guests:
+===================================================
+Let's now provide an example to illustrate how KVM guests may be given
+direct access to APQNs. For this example, we will illustrate how to configure 
+two guests such that executing the lszcrypt command on the guests would 
+look like this:
+
+Guest1
+------
+CARD.DOMAIN TYPE  MODE        
+------------------------------
+05          CEX5C CCA-Coproc  
+05.0004     CEX5C CCA-Coproc
+05.00ab     CEX5C CCA-Coproc  
+06          CEX5A Accelerator 
+06.0004     CEX5A Accelerator 
+06.00ab     CEX5C CCA-Coproc  
+
+Guest2
+------
+CARD.DOMAIN TYPE  MODE        
+------------------------------
+05          CEX5A Accelerator 
+05.0047     CEX5A Accelerator 
+05.00ff     CEX5A Accelerator 
+
+These are the steps for configuring Guest1 and Guest2:
+   
+1. The first thing that needs to be done is to unbind each AP Queue device from
+   its respective AP device driver to prevent access from the host linux system
+   and to reserve it for use by a linux guest. For our example, let's assume
+   the AP queues are bound to the cex4queue driver. 
+
+   /sys/bus/ap
+   --- [drivers]
+   ------ [cex4queue]
+   --------- [05.0004]
+   --------- [05.0047]
+   --------- [05.00ab]
+   --------- [05.00ff]
+   --------- [06.0004]
+   --------- [06.00ab]
+   --------- unbind
+
+   To unbind AP queue 05.0004 from the cex4queue device driver:
+
+    echo 05.0004 > unbind
+
+   This must also be done for AP queues 05.00ab, 05.0047, 05.00ff, 06.0004,
+   and 06.00ab.
+
+2. The next step is to reserve the queues for use by the two KVM guests. 
+   This is accomplished by binding them to the VFIO AP matrix device driver:
+
+   /sys/bus/ap
+   ---[drivers]
+   ------ [vfio_ap_matrix]
+   ---------- bind
+
+   For Guest1:
+
+    echo 05.0004 > bind
+    echo 05.00ab > bind
+    echo 06.0004 > bind
+    echo 06.00ab > bind
+
+   For Guest2:
+
+   echo 05.0047 > bind
+   echo 05.00ff > bind
+
+3. Create the mediated matrix devices needed to configure the AP matrices for 
+   and to provide an interface to the vfio_ap_matrix driver for use by the 
+   two guests:
+
+   /sys/devices/
+   --- [ap_matrix]
+   ------ [matrix] (this is the AP matrix device)
+   --------- [mdev_supported_types]
+   ------------ [ap_matrix-passthrough] (the mediated device type)
+   --------------- create
+   --------------- [devices]
+
+   To create the mediated devices for the two guests:
+
+    uuidgen > create
+    uuidgen > create
+
+   This will create two mediated devices in the [devices] subdirectory named 
+   with the UUID written to the create attribute file. We call them $uuid1
+   and $uuid2:
+
+   /sys/devices/
+   --- [ap_matrix]
+   ------ [matrix]
+   --------- [mdev_supported_types]
+   ------------ [ap_matrix-passthrough]
+   --------------- [devices]
+   ------------------ [$uuid1]
+   --------------------- adapters
+   --------------------- assign_adapter
+   --------------------- assign_control_domain
+   --------------------- assign_domain
+   --------------------- control_domains
+   --------------------- domains
+   --------------------- unassign_adapter
+   --------------------- unassign_control_domain
+   --------------------- unassign_domain
+   ------------------ [$uuid2]
+   --------------------- adapters
+   --------------------- assign_adapter
+   --------------------- assign_control_domain
+   --------------------- assign_domain
+   --------------------- control_domains
+   --------------------- domains
+   --------------------- unassign_adapter
+   --------------------- unassign_control_domain
+   --------------------- unassign_domain
+
+4. The administrator now needs to configure the matrices for mediated 
+   devices $uuid1 (for Guest1) and $uuid2 (for Guest2). 
+
+   For Guest1:
+   cd /sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix_passthrough
+   cd ./devices/$uuid1:
+
+   echo 5 > assign_adapter
+   echo 6 > assign_adapter 
+   echo 4 > assign_domain
+   echo ab > assign_domain
+
+   For Guest2:
+   cd /sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix_passthrough
+   cd ./devices/$uuid2:
+
+   echo 5 > assign_adapter 
+   echo 47 > assign_domain
+   echo ff > assign_domain
+
+   By architectural convention, all usage domains - i.e., domains assigned 
+   via the assign_domain attribute file - will also be configured in the ADM 
+   field of the KVM guest's CRYCB, so there is no need to assign control 
+   domains here unless you want to assign control domains that are not 
+   assigned as usage domains.
+
+5. Start Guest1
+
+   /usr/bin/qemu-system-s390x ... -device vfio_ap_matrix,sysfsdev=/sys/devices/ap_matrix/matrix/$uuid1 ...
+
+6. Start Guest2
+
+   /usr/bin/qemu-system-s390x ... -device vfio_ap_matrix,sysfsdev=/sys/devices/ap_matrix/matrix/$uuid2 ...
\ No newline at end of file
-- 
1.7.1




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux