
[Bug 1787405] Comment bridged from LTC Bugzilla

------- Comment From freude@de.ibm.com 2018-11-07 10:16 EDT-------
I installed a fresh Ubuntu 18.04.1 on an LPAR and, after booting,
these two packages on top:

linux-image-4.15.0-38-generic_4.15.0-38.42~lp1787405_s390x.deb
linux-modules-4.15.0-38-generic_4.15.0-38.42~lp1787405_s390x.deb

then I needed to configure zipl to something useful as the modified
zipl.conf obviously is somewhat broken after package install:

--------------------------------------------------------------------------------
[defaultboot]
defaultmenu=menu

[UBUNTU18.04.1]
target=/boot
image=/boot/vmlinuz.old
parameters="scsi_mod.scsi_logging_level=4605 printk.time=1 zfcp.dbfsize=100 root=/dev/disk/by-path/ccw-0.0.e96b-part1"
ramdisk=/boot/initrd.img.old

[newkernel]
target=/boot
image=/boot/vmlinuz
parameters="scsi_mod.scsi_logging_level=4605 printk.time=1 zfcp.dbfsize=100 root=/dev/disk/by-path/ccw-0.0.e96b-part1"
ramdisk=/boot/initrd.img

:menu
target=/boot
1 = UBUNTU18.04.1
2 = newkernel
default = 2
prompt = 1
timeout = 10

--------------------------------------------------------------------------------

after boot the new kernel is active:

uname -a
Linux s83lp75 4.15.0-38-generic #42~lp1787405 SMP Mon Nov 5 21:13:01 UTC 2018 s390x s390x s390x GNU/Linux

then I ran my brand new developed zcrypttest and all the testcases ran fine.
This is at least an indication that the zcrypt dd is not broken, multi domain and multi adapter works and all the 3 kinds of adapters can get addressed with all the different cprbs and work as expected. Even more some basic assumptions about request scheduling memory consumptions are tested.

What's not covered is the new functionality coming with the apmask and
aqmask. I'll do this later as I'd like to develop some testcases for this
feature in the next days.

https://bugs.launchpad.net/bugs/1787405

Title:
[19.04 FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
Triaged
Status in libvirt package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Status in qemu package in Ubuntu:
Incomplete

Bug description:
== SRU Justification ==

(Kernel SRU)

Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to a KVM guest such that the hypervisor cannot observe the communication of the guest with the device.
(Since all kernel patches/commits are from kernel 4.19, they will automagically land in 'Disco'.)

== Fix ==

9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
e585b24 ("KVM: s390: refactor crypto initialization")
1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
4210459 ("KVM: s390: interface to clear CRYCB masks")
258287c ("s390: vfio-ap: implement mediated device open callback")
e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
46a7263 ("s390: vfio-ap: zeroize the AP queues")
cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
112c24d ("KVM: s390: CPU model support for AP virtualization")
492a6be ("s390: doc: detailed specifications for AP virtualization")

<-- till here in 'kvm/next'
(https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
0e237e4 ("KVM: s390: Tracing APCB changes")
76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

<-- till here in 'kvms390/next'
(https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
-->

<-- In addition to that some prereqs for the 'ap/crypto' driver are
necessary -->

ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
df80c03 ("s390/zcrypt: Review inline assembler constraints.")
f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")

<--
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
-->

== PATCH ==

Above git commits are all from 4.19.
The git commands for 4.18 would be:

$ git cherry-pick <all from 'kvm/next' list>

(112c24d "KVM: s390: CPU model support for AP virtualization" may have
a trivial merge conflict with the etoken patch)

$ git cherry-pick <all from 'kvms390/next' list>

$ git cherry-pick <all from 'ap/zcrypt' list>

== Regression Potential ==

Low to mid:

- mid because in summary there are a lot of changes, but low
- they are all limited to the s390x architecture
- and again limited to KVM/s390x, vfio-ap and the zcrypt (aka ap) driver
- Test kernel was built for testing.

== Test Case ==

Set up a system for KVM use on an s390x LPAR that has CryptoExpress (aka crypto-) adapters installed.
Verify that the AP bus created a sysfs device for each APQN, like:
/sys/devices/ap/card04/04.0006
/sys/devices/ap/card04/04.0047
/sys/devices/ap/card0a/0a.0006
/sys/devices/ap/card0a/0a.0047
Verify the APQN range via the following two sysfs files:
/sys/bus/ap/apmask
/sys/bus/ap/aqmask
Configure and start a guest.
For more details see: 492a6be ("s390: doc: detailed specifications for AP virtualization")
But for that an updated qemu and libvirt should be in place - that's addressed in LP1787405, too.
(So this is only the kernel part of that ticket.)
__________

Description:
Allow kvm to dedicate crypto adapters (and domains) as passthrough devices to a KVM guest such that the hypervisor cannot observe the communication of the guest with the device.

This functionality will be contributed to the following packages:
- kernel, qemu and libvirt.

Currently these functions are not finalized and therefore no git commits are available,
- kernel > 4.19
- libvirt > 4.6.0
- qemu > 3.0

We will provide these as soon as possible.

This request is launched against Ubuntu 18.10 to fulfil the feature integration process of Canonical.
But the main intention is to get this integrated into 18.04 LTS !!!!!!

Therefore, the backports will be required for both distros!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1787405/+subscriptions
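
One way to carry out the two verification steps of the Test Case above (added example, not part of the bug report or of the kernel patches): decode apmask and aqmask and report, per APQN, whether the queue stays with the default zcrypt drivers or is free for vfio_ap passthrough. It assumes the mask semantics of the kernel's vfio-ap documentation (256-bit hex string, bit 0 leftmost, a set bit reserves the ID for the default drivers); the function names and the sample masks are constructed for illustration.

```python
import re

MASK_BITS = 256  # APIDs and APQIs both range over 0-255
APQN_RE = re.compile(r"([0-9a-f]{2})\.([0-9a-f]{4})")

def parse_mask(text):
    """Return the bit positions set in an apmask/aqmask hex string.

    Assumption (kernel vfio-ap documentation): bit 0 is the leftmost bit.
    """
    digits = text.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]{%d}" % (MASK_BITS // 4), digits):
        raise ValueError("expected a 256-bit hex mask, got %r" % text)
    value = int(digits, 16)
    return {i for i in range(MASK_BITS)
            if (value >> (MASK_BITS - 1 - i)) & 1}

def classify(apqns, apmask, aqmask):
    """Map each APQN name ('cc.dddd') to the driver pool it falls into."""
    adapters, domains = parse_mask(apmask), parse_mask(aqmask)
    pools = {}
    for name in apqns:
        m = APQN_RE.fullmatch(name)
        if m is None:
            raise ValueError("not an APQN name: %r" % name)
        apid, apqi = int(m.group(1), 16), int(m.group(2), 16)
        # Only the cross product of set APIDs and set APQIs stays with zcrypt.
        in_default = apid in adapters and apqi in domains
        pools[name] = "default" if in_default else "vfio_ap"
    return pools

# Constructed sample: APQN names from the test case; the masks are made up.
SAMPLE_APQNS = ["04.0006", "04.0047", "0a.0006", "0a.0047"]
SAMPLE_APMASK = "0xffd" + "f" * 61   # every adapter except 0x0a
SAMPLE_AQMASK = "0x" + "f" * 64      # every domain

if __name__ == "__main__":
    # On a live system, read the masks from /sys/bus/ap/apmask and
    # /sys/bus/ap/aqmask and the names from /sys/devices/ap/card*/.
    pools = classify(SAMPLE_APQNS, SAMPLE_APMASK, SAMPLE_AQMASK)
    for name, pool in pools.items():
        print(name, pool)
```

A queue reported as vfio_ap is no longer bound to the host's zcrypt driver, so an unexpected entry in that pool means a mask was changed from its default.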
