Re: [PATCH v4 05/36] s390/mm: provide memory management functions for protected KVM guests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 24 Feb 2020 06:40:36 -0500
Christian Borntraeger <borntraeger@xxxxxxxxxx> wrote:

> From: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
> 
> This provides the basic ultravisor calls and page table handling to cope
> with secure guests:
> - provide arch_make_page_accessible
> - make pages accessible after unmapping of secure guests
> - provide the ultravisor commands convert to/from secure
> - provide the ultravisor commands pin/unpin shared
> - provide callbacks to make pages secure (inacccessible)
>  - we check for the expected pin count to only make pages secure if the
>    host is not accessing them
>  - we fence hugetlbfs for secure pages
> - add missing radix-tree include into gmap.h
> 
> The basic idea is that a page can have 3 states: secure, normal or
> shared. The hypervisor can call into a firmware function called
> ultravisor that allows to change the state of a page: convert from/to
> secure. The convert from secure will encrypt the page and make it
> available to the host and host I/O. The convert to secure will remove
> the host capability to access this page.
> The design is that on convert to secure we will wait until writeback and
> page refs are indicating no host usage. At the same time the convert
> from secure (export to host) will be called in common code when the
> refcount or the writeback bit is already set. This avoids races between
> convert from and to secure.
> 
> Then there is also the concept of shared pages. Those are kind of secure
> where the host can still access those pages. We need to be notified when
> the guest "unshares" such a page, basically doing a convert to secure by
> then. There is a call "pin shared page" that we use instead of convert
> from secure when possible.
> 
> We do use PG_arch_1 as an optimization to minimize the convert from
> secure/pin shared.
> 
> Several comments have been added in the code to explain the logic in
> the relevant places.
> 
> Co-developed-by: Ulrich Weigand <Ulrich.Weigand@xxxxxxxxxx>
> Signed-off-by: Ulrich Weigand <Ulrich.Weigand@xxxxxxxxxx>
> Signed-off-by: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
> Acked-by: David Hildenbrand <david@xxxxxxxxxx>
> Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
> [borntraeger@xxxxxxxxxx: patch merging, splitting, fixing]
> Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
> ---
>  arch/s390/include/asm/gmap.h        |   4 +
>  arch/s390/include/asm/mmu.h         |   2 +
>  arch/s390/include/asm/mmu_context.h |   1 +
>  arch/s390/include/asm/page.h        |   5 +
>  arch/s390/include/asm/pgtable.h     |  35 ++++-
>  arch/s390/include/asm/uv.h          |  31 ++++
>  arch/s390/kernel/uv.c               | 227 ++++++++++++++++++++++++++++
>  7 files changed, 300 insertions(+), 5 deletions(-)

My mm-fu is not very strong; but this looks sane to me.

Acked-by: Cornelia Huck <cohuck@xxxxxxxxxx>




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Kernel Development]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Info]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Linux Media]     [Device Mapper]

  Powered by Linux