On Tue, 19 Nov 2019 09:11:11 +0100
Janosch Frank <frankja@xxxxxxxxxxxxx> wrote:
> On 11/18/19 5:39 PM, Cornelia Huck wrote:
> > On Thu, 24 Oct 2019 07:40:45 -0400
> > Janosch Frank <frankja@xxxxxxxxxxxxx> wrote:
> >
> > Add at least a short sentence here?
>
> For protected VMs the lowcore does not only need to be mapped, but also
> needs to be protected memory, if not we'll get a validity interception
> when trying to run it.
Much better, thanks!
>
> >
> >> Signed-off-by: Janosch Frank <frankja@xxxxxxxxxxxxx>
> >> ---
> >> arch/s390/kvm/kvm-s390.c | 9 +++++++++
> >> 1 file changed, 9 insertions(+)
> >>
> >> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> >> index eddc9508c1b1..17a78774c617 100644
> >> --- a/arch/s390/kvm/kvm-s390.c
> >> +++ b/arch/s390/kvm/kvm-s390.c
> >> @@ -3646,6 +3646,15 @@ static int kvm_s390_handle_requests(struct kvm_vcpu *vcpu)
> >> rc = gmap_mprotect_notify(vcpu->arch.gmap,
> >> kvm_s390_get_prefix(vcpu),
> >> PAGE_SIZE * 2, PROT_WRITE);
> >> + if (!rc && kvm_s390_pv_is_protected(vcpu->kvm)) {
> >> + rc = uv_convert_to_secure(vcpu->arch.gmap,
> >> + kvm_s390_get_prefix(vcpu));
> >> + WARN_ON_ONCE(rc && rc != -EEXIST);
> >> + rc = uv_convert_to_secure(vcpu->arch.gmap,
> >> + kvm_s390_get_prefix(vcpu) + PAGE_SIZE);
> >> + WARN_ON_ONCE(rc && rc != -EEXIST);
> >> + rc = 0;
> >
> > So, what happens if we have an error other than -EEXIST (which
> > presumably means that we already protected it) here? The page is not
> > protected, and further accesses will get an error? (Another question:
> > what can actually go wrong here?)
>
> If KVM or QEMU write into a lowcore, we will fail the integrity check on
> import and this cpu will never run again.
>From the guest's POV, is that similar to a cpu going into xstop?
> In retrospect a warn_on_once might be the wrong error handling here.
>
> >
> >> + }
> >> if (rc) {
> >> kvm_make_request(KVM_REQ_MMU_RELOAD, vcpu);
> >> return rc;
> >
>
>
Attachment:
pgphrJNx4n5gc.pgp
Description: OpenPGP digital signature
