On Thu, 26 Jul 2018 21:54:12 +0200
Christian Borntraeger <borntraeger@xxxxxxxxxx> wrote:
> From: Harald Freudenberger <freude@xxxxxxxxxxxxx>
>
> The current AP bus, AP devices and AP device drivers implementation
> uses a clearly defined mapping for binding AP devices to AP device
> drivers. So for example a CEX6C queue will always be bound to the
> cex4queue device driver.
>
> The Linux Device Driver model has no sensitivity for more than one
> device driver eligible for one device type. If there exist more than
> one drivers matching to the device type, simple all drivers are tried
> consecutively. There is no way to determine and influence the probing
> order of the drivers.
>
> With KVM there is a need to provide additional device drivers matching
> to the very same type of AP devices. With a simple implementation the
> KVM drivers run in competition to the regular drivers. Whichever
> 'wins' a device depends on build order and implementation details
> within the common Linux Device Driver Model and is not
> deterministic. However, a userspace process could figure out which
> device should be bound to which driver and sort out the correct
> binding by manipulating attributes in the sysfs.
>
> If for security reasons a AP device must not get bound to the 'wrong'
> device driver the sorting out has to be done within the Linux kernel
> by the AP bus code. This patch modifies the behavior of the AP bus
> for probing drivers for devices in a way that two sets of drivers are
> usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a
> subset of the APQN range for 'usable by the ap bus and the default
> drivers' or 'not usable by the default drivers and thus available for
> alternate drivers like vfio-xxx'. So an APQN which is addressed by
> this masking only the default drivers will be probed. In contrary an
> APQN which is not addressed by the masks will never be probed and
> bound to default drivers but onny to alternate drivers.
s/onny/only/
>
> Eventually the two masks give a way to divide the range of APQNs into
> two pools: one pool of APQNs used by the AP bus and the default
> drivers and thus via zcrypt drivers available to the userspace of the
> system. And another pool where no zcrypt drivers are bound to and
> which can be used by alternate drivers (like vfio-xxx) for their
> needs. This division is hot-plug save and makes sure a APQN assigned
> to an alternate driver is at no time somehow exploitable by the wrong
> party.
So, these masks are supposed to be exclusive, right? I understand the
desire to lock out alternate device drivers due to security concerns,
but why the other way around? Is it "this apqn has been bound to an
alternate driver, we can't trust it even if it is re-bound"?
>
> For the first shot the two masks located in sysfs at
> /sys/bus/ap/apmask and /sys/bus/ap/aqmask are read-only and by default
> all APQNs belong to the ap bus and the default drivers:
>
> cat /sys/bus/ap/apmask
> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> cat /sys/bus/ap/aqmask
> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
>
> The only way to change these masks is currently via kernel command
> line, for example like:
>
> ... ap.apmask=0xffff ap.aqmask=0x40
>
> would give these two pools:
>
> default drivers pool: adapter 0 - 15, domain 1
> alternate drivers pool: adapter 0 - 15, all but domain 1
> adapter 16-255, all domains
This looks a bit non-intuitive to me. Is there an easy way to determine
the masks if all I know is the list of apqns I want to have in the
default respectively alternate drivers pool?
>
> This patch will also be the base for an upcoming extension to the
> zcrypt drivers to be able to provide additional zcrypt device nodes
> with filtering based on ap and aq masks.
>
> Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
> Signed-off-by: Harald Freudenberger <freude@xxxxxxxxxxxxx>
> ---
> drivers/s390/crypto/ap_bus.c | 158 ++++++++++++++++++++++++++--
> drivers/s390/crypto/ap_bus.h | 28 +++++
> drivers/s390/crypto/zcrypt_cex2a.c | 2 +
> drivers/s390/crypto/zcrypt_cex4.c | 2 +
> drivers/s390/crypto/zcrypt_pcixcc.c | 2 +
> 5 files changed, 186 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
> index c0a6723be54b..b36a4e17a734 100644
> --- a/drivers/s390/crypto/ap_bus.c
> +++ b/drivers/s390/crypto/ap_bus.c
> static int ap_device_probe(struct device *dev)
> {
> struct ap_device *ap_dev = to_ap_dev(dev);
> struct ap_driver *ap_drv = to_ap_drv(dev->driver);
> - int rc;
> + int card, queue, devres, drvres, rc;
> +
> + if (is_queue_dev(dev)) {
> + /*
> + * For apqns marked as reserved/used by ap bus and
> + * default drivers only drivers with a default flag
> + * will be called for probe this device.
It's a bit more than that, right? You also won't probe non-reserved
devices if the driver has the default flag set.
/*
* If the apqn is marked as reserved/used by ap bus and
* default drivers, only probe with drivers with the default
* flag set. If it is not marked, only probe with drivers
* with the default flag not set.
*/
[As an aside: Is 'default' a good name for the driver flag? To a casual
reader I think it implies that it is the default driver if no other
driver comes along. Call it maybe 'trusted' or something like that?]
> + */
> + card = AP_QID_CARD(to_ap_queue(dev)->qid);
> + queue = AP_QID_QUEUE(to_ap_queue(dev)->qid);
> + devres = test_bit_inv(card, ap_rights.apm)
> + && test_bit_inv(queue, ap_rights.aqm);
> + drvres = ap_drv->flags & AP_DRIVER_FLAG_DEFAULT;
> + if ((devres && !drvres) || (!devres && drvres))
> + return -ENODEV;
> + }
>
> /* Add queue/card to list of active queues/cards */
> spin_lock_bh(&ap_list_lock);
--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
