On 11/1/19 12:26 PM, Christian Borntraeger wrote:
>
>
> On 24.10.19 13:40, Janosch Frank wrote:
>> The convert to/from secure (or also "import/export") ultravisor calls
>> are need for page management, i.e. paging, of secure execution VM.
>>
>> Export encrypts a secure guest's page and makes it accessible to the
>> guest for paging.
>>
>> Import makes a page accessible to a secure guest.
>> On the first import of that page, the page will be cleared by the
>> Ultravisor before it is given to the guest.
>>
>> All following imports will decrypt a exported page and verify
>> integrity before giving the page to the guest.
>>
>> Signed-off-by: Janosch Frank <frankja@xxxxxxxxxxxxx>
>> ---
>> arch/s390/include/asm/uv.h | 51 ++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 51 insertions(+)
>>
>> diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
>> index 0bfbafcca136..99cdd2034503 100644
>> --- a/arch/s390/include/asm/uv.h
>> +++ b/arch/s390/include/asm/uv.h
>> @@ -15,6 +15,7 @@
>> #include <linux/errno.h>
>> #include <linux/bug.h>
>> #include <asm/page.h>
>> +#include <asm/gmap.h>
>>
>> #define UVC_RC_EXECUTED 0x0001
>> #define UVC_RC_INV_CMD 0x0002
>> @@ -279,6 +280,54 @@ static inline int uv_cmd_nodata(u64 handle, u16 cmd, u32 *ret)
>> return rc ? -EINVAL : 0;
>> }
>>
>> +/*
>> + * Requests the Ultravisor to encrypt a guest page and make it
>> + * accessible to the host for paging (export).
>> + *
>> + * @paddr: Absolute host address of page to be exported
>> + */
>> +static inline int uv_convert_from_secure(unsigned long paddr)
>> +{
>> + struct uv_cb_cfs uvcb = {
>> + .header.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
>> + .header.len = sizeof(uvcb),
>> + .paddr = paddr
>> + };
>> + if (!uv_call(0, (u64)&uvcb))
>> + return 0;
>
> As discussed on the KVM forum. We should also check for
> uvcb.header.rc != UVC_RC_EXECUTED
> I know, we cant really do much if this fails, but we certainly want to know.
>
>
>
>
>
>
>> + return -EINVAL;
>> +}
>> +
>> +/*
>> + * Requests the Ultravisor to make a page accessible to a guest
>> + * (import). If it's brought in the first time, it will be cleared. If
>> + * it has been exported before, it will be decrypted and integrity
>> + * checked.
>> + *
>> + * @handle: Ultravisor guest handle
>> + * @gaddr: Guest 2 absolute address to be imported
>> + */
>> +static inline int uv_convert_to_secure(struct gmap *gmap, unsigned long gaddr)
>> +{
>> + int cc;
>> + struct uv_cb_cts uvcb = {
>> + .header.cmd = UVC_CMD_CONV_TO_SEC_STOR,
>> + .header.len = sizeof(uvcb),
>> + .guest_handle = gmap->se_handle,
>> + .gaddr = gaddr
>> + };
>> +
>> + cc = uv_call(0, (u64)&uvcb);
>> +
>> + if (!cc)
>> + return 0;
>> + if (uvcb.header.rc == 0x104)
>> + return -EEXIST;
>> + if (uvcb.header.rc == 0x10a)
>> + return -EFAULT;
>
> again, we should probably check for rc != UVC_RC_EXECUTED to detect any other problem.
That's handled by the CC and the return below.
CC == 1 means error
cc == 0 is success, that's why we return erly on cc == 0
>
>> + return -EINVAL;
>> +}
>> +
>> void setup_uv(void);
>> void adjust_to_uv_max(unsigned long *vmax);
>> #else
>> @@ -286,6 +335,8 @@ void adjust_to_uv_max(unsigned long *vmax);
>> static inline void setup_uv(void) {}
>> static inline void adjust_to_uv_max(unsigned long *vmax) {}
>> static inline int uv_cmd_nodata(u64 handle, u16 cmd, u32 *ret) { return 0; }
>> +static inline int uv_convert_from_secure(unsigned long paddr) { return 0; }
>> +static inline int uv_convert_to_secure(unsigned long handle, unsigned long gaddr) { return 0; }
>> #endif
>>
>> #if defined(CONFIG_PROTECTED_VIRTUALIZATION_GUEST) || \
>>
Attachment:
signature.asc
Description: OpenPGP digital signature
