Re: [for-6.0 v5 13/13] s390: Recognize securable-guest-memory option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 15, 2020 at 12:45:26PM +0100, Cornelia Huck wrote:
> On Fri,  4 Dec 2020 16:44:15 +1100
> David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> > At least some s390 cpu models support "Protected Virtualization" (PV),
> > a mechanism to protect guests from eavesdropping by a compromised
> > hypervisor.
> > 
> > This is similar in function to other mechanisms like AMD's SEV and
> > POWER's PEF, which are controlled bythe "securable-guest-memory" machine
> 
> s/bythe/by the/
> 
> > option.  s390 is a slightly special case, because we already supported
> > PV, simply by using a CPU model with the required feature
> > (S390_FEAT_UNPACK).
> > 
> > To integrate this with the option used by other platforms, we
> > implement the following compromise:
> > 
> >  - When the securable-guest-memory option is set, s390 will recognize it,
> >    verify that the CPU can support PV (failing if not) and set virtio
> >    default options necessary for encrypted or protected guests, as on
> >    other platforms.  i.e. if securable-guest-memory is set, we will
> >    either create a guest capable of entering PV mode, or fail outright
> 
> s/outright/outright./
> 
> > 
> >  - If securable-guest-memory is not set, guest's might still be able to
> 
> s/guest's/guests/

All those corrected, thanks.

> >    enter PV mode, if the CPU has the right model.  This may be a
> >    little surprising, but shouldn't actually be harmful.
> > 
> > To start a guest supporting Protected Virtualization using the new
> > option use the command line arguments:
> >     -object s390-pv-guest,id=pv0 -machine securable-guest-memory=pv0
> > 
> > Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> >  hw/s390x/pv.c         | 58 +++++++++++++++++++++++++++++++++++++++++++
> >  include/hw/s390x/pv.h |  1 +
> >  target/s390x/kvm.c    |  3 +++
> >  3 files changed, 62 insertions(+)
> > 
> 
> Modulo any naming changes etc., I think this should work for s390. I
> don't have the hardware to test this, however, and would appreciate
> someone with a PV setup giving this a go.

Makes sense.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux