As guest memory is inaccessible and information about the guest's state is very limited, new ways for instruction emulation have been introduced. With a bounce area for guest GRs and instruction data, guest state leaks can be limited by the Ultravisor. KVM now has to move instruction input and output through these areas. Signed-off-by: Janosch Frank <frankja@xxxxxxxxxxxxx> --- Documentation/virtual/kvm/s390-pv.txt | 47 +++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/Documentation/virtual/kvm/s390-pv.txt b/Documentation/virtual/kvm/s390-pv.txt index e09f2dc5f164..cb08d78a7922 100644 --- a/Documentation/virtual/kvm/s390-pv.txt +++ b/Documentation/virtual/kvm/s390-pv.txt @@ -48,3 +48,50 @@ interception codes have been introduced. One which tells us that CRs have changed. And one for PSW bit 13 changes. The CRs and the PSW in the state description only contain the mask bits and no further info like the current instruction address. + + +Instruction emulation: +With the format 4 state description the SIE instruction already +interprets more instructions than it does with format 2. As it is not +able to interpret all instruction, the SIE and the UV safeguard KVM's +emulation inputs and outputs. + +Guest GRs and most of the instruction data, like IO data structures +are filtered. Instruction data is copied to and from the Secure +Instruction Data Area. Guest GRs are put into / retrieved from the +Interception-Data block. + +The Interception-Data block from the state description's offset 0x380 +contains GRs 0 - 16. Only GR values needed to emulate an instruction +will be copied into this area. + +The Interception Parameters state description field still contains the +the bytes of the instruction text but with pre-set register +values. I.e. each instruction always uses the same instruction text, +to not leak guest instruction text. + +The Secure Instruction Data Area contains instruction storage +data. Data for diag 500 is exempt from that and has to be moved +through shared buffers to KVM. + +When SIE intercepts an instruction, it will only allow data and +program interrupts for this instruction to be moved to the guest via +the two data areas discussed before. Other data is ignored or results +in validity interceptions. + + +Instruction emulation interceptions: +There are two types of SIE secure instruction intercepts. The normal +and the notification type. Normal secure instruction intercepts will +make the guest pending for instruction completion of the intercepted +instruction type, i.e. on SIE entry it is attempted to complete +emulation of the instruction with the data provided by KVM. That might +be a program exception or instruction completion. + +The notification type intercepts inform KVM about guest environment +changes due to guest instruction interpretation. Such an interception +is recognized for the store prefix instruction and provides the new +lowcore location for mapping change notification arming. Any KVM data +in the data areas is ignored, program exceptions are not injected and +execution continues on next SIE entry, as if no intercept had +happened. -- 2.20.1