On Mon, 23 Mar 2020 04:36:06 -0400 Janosch Frank <fran...@linux.ibm.com> wrote:
> The unpack facility provides the means to setup a protected guest. A
> protected guest cannot be introspected by the hypervisor or any
> user/administrator of the machine it is running on.
>
> Protected guests are encrypted at rest and need a special boot
> mechanism via diag308 subcode 8 and 10.
>
> Code 8 sets the PV specific IPLB which is retained separately from
> those set via code 5.
>
> Code 10 is used to unpack the VM into protected memory, verify its
> integrity and start it.
>
> Signed-off-by: Janosch Frank <fran...@linux.ibm.com>
> Co-developed-by: Christian Borntraeger <borntrae...@de.ibm.com> [Changes
> to machine]
> Reviewed-by: David Hildenbrand <da...@redhat.com>
> Reviewed-by: Claudio Imbrenda <imbre...@linux.ibm.com>
> Reviewed-by: Cornelia Huck <coh...@redhat.com>
> ---
> MAINTAINERS | 2 +
> hw/s390x/Makefile.objs | 1 +
> hw/s390x/ipl.c | 59 +++++++++++++-
> hw/s390x/ipl.h | 91 ++++++++++++++++++++-
> hw/s390x/pv.c | 98 +++++++++++++++++++++++
> hw/s390x/s390-virtio-ccw.c | 119 +++++++++++++++++++++++++++-
> include/hw/s390x/pv.h | 55 +++++++++++++
> include/hw/s390x/s390-virtio-ccw.h | 1 +
> target/s390x/cpu.c | 1 +
> target/s390x/cpu_features_def.inc.h | 1 +
> target/s390x/diag.c | 39 ++++++++-
> target/s390x/kvm-stub.c | 5 ++
> target/s390x/kvm.c | 5 ++
> target/s390x/kvm_s390x.h | 1 +
> 14 files changed, 468 insertions(+), 10 deletions(-)
> create mode 100644 hw/s390x/pv.c
> create mode 100644 include/hw/s390x/pv.h
(...)
> diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
> new file mode 100644
> index 0000000000000000..8cf5cd2c9bcd48b0
> --- /dev/null
> +++ b/hw/s390x/pv.c (...) > +int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) > +{ > + struct kvm_s390_pv_sec_parm args = { > + .origin = origin, > + .length = length, > + }; > + > + return s390_pv_cmd(KVM_PV_VM_SET_SEC_PARMS, &args); > +} > + > +/* > + * Called for each component in the SE type IPL parameter block 0. > + */ > +int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) > +{ > + struct kvm_s390_pv_unp args = { > + .addr = addr, > + .size = size, > + .tweak = tweak, > + }; > + > + return s390_pv_cmd(KVM_PV_VM_UNPACK, &args); > +} > + > +void s390_pv_perf_clear_reset(void) > +{ > + s390_pv_cmd_exit(KVM_PV_VM_PREP_RESET, NULL); > +} > + > +int s390_pv_verify(void) > +{ > + return s390_pv_cmd(KVM_PV_VM_VERIFY, NULL); > +} > + > +void s390_pv_unshare(void) > +{ > + s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL); > +} Note that the dummy headers update in this series still had the KVM_PV_VM_ defines, while the real headers update pulled in the KVM_PV_ defines that went upstream. I fixed this up in s390-next. (...)
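Review bot: in the hw/s390x/pv.c hunk only s390_pv_unpack carries a comment; s390_pv_set_sec_parms, s390_pv_perf_clear_reset, s390_pv_verify and s390_pv_unshare are the entry points the diag308 subcode 8/10 path calls and deserve a one-line comment each saying which step of the unpack sequence they drive and how errors surface, since s390_pv_set_sec_parms, s390_pv_unpack and s390_pv_verify return the rc of s390_pv_cmd() for the caller to check while s390_pv_perf_clear_reset and s390_pv_unshare return void and go through s390_pv_cmd_exit(). The name s390_pv_perf_clear_reset also does not match the KVM_PV_VM_PREP_RESET command it issues; either rename it along the lines of s390_pv_prep_reset or add a comment explaining the "perf clear" wording. Finally, as noted in the reply, the KVM_PV_VM_SET_SEC_PARMS, KVM_PV_VM_UNPACK, KVM_PV_VM_PREP_RESET, KVM_PV_VM_VERIFY and KVM_PV_VM_UNSHARE_ALL identifiers have to match the names exported by the kernel uapi header the series' header update pulls in, otherwise this file does not build against it.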