projects / linux-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 29d37e5) | patch
s390/mm: provide memory management functions for protected KVM guests
authorClaudio Imbrenda <imbrenda@linux.ibm.com>
Tue, 21 Jan 2020 08:48:44 +0000 (09:48 +0100)
committerChristian Borntraeger <borntraeger@de.ibm.com>
Thu, 27 Feb 2020 18:44:40 +0000 (19:44 +0100)
commit214d9bbcd3a67230b932f6cea83c078ab34d9e70
treecc7aaa1a18bc63dba4b930880c4e329942070ddbtree | snapshot
parent29d37e5b82f3e96dd648167657d5a0e0111ce877commit | diff
s390/mm: provide memory management functions for protected KVM guests

This provides the basic ultravisor calls and page table handling to cope
with secure guests:
- provide arch_make_page_accessible
- make pages accessible after unmapping of secure guests
- provide the ultravisor commands convert to/from secure
- provide the ultravisor commands pin/unpin shared
- provide callbacks to make pages secure (inacccessible)
 - we check for the expected pin count to only make pages secure if the
   host is not accessing them
 - we fence hugetlbfs for secure pages
- add missing radix-tree include into gmap.h

The basic idea is that a page can have 3 states: secure, normal or
shared. The hypervisor can call into a firmware function called
ultravisor that allows to change the state of a page: convert from/to
secure. The convert from secure will encrypt the page and make it
available to the host and host I/O. The convert to secure will remove
the host capability to access this page.
The design is that on convert to secure we will wait until writeback and
page refs are indicating no host usage. At the same time the convert
from secure (export to host) will be called in common code when the
refcount or the writeback bit is already set. This avoids races between
convert from and to secure.

Then there is also the concept of shared pages. Those are kind of secure
where the host can still access those pages. We need to be notified when
the guest "unshares" such a page, basically doing a convert to secure by
then. There is a call "pin shared page" that we use instead of convert
from secure when possible.

We do use PG_arch_1 as an optimization to minimize the convert from
secure/pin shared.

Several comments have been added in the code to explain the logic in
the relevant places.

Co-developed-by: Ulrich Weigand <Ulrich.Weigand@de.ibm.com>
Signed-off-by: Ulrich Weigand <Ulrich.Weigand@de.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
[borntraeger@de.ibm.com: patch merging, splitting, fixing]
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
arch/s390/include/asm/gmap.h diff | blob | blame | history
arch/s390/include/asm/mmu.h diff | blob | blame | history
arch/s390/include/asm/mmu_context.h diff | blob | blame | history
arch/s390/include/asm/page.h diff | blob | blame | history
arch/s390/include/asm/pgtable.h diff | blob | blame | history
arch/s390/include/asm/uv.h diff | blob | blame | history
arch/s390/kernel/uv.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)