1 /* 2 * Protected Virtualization functions 3 * 4 * Copyright IBM Corp. 2020 5 * Author(s): 6 * Janosch Frank <frankja@linux.ibm.com> 7 * 8 * This work is licensed under the terms of the GNU GPL, version 2 or (at 9 * your option) any later version. See the COPYING file in the top-level 10 * directory. 11 */ 12 #include "qemu/osdep.h" 13 14 #include <linux/kvm.h> 15 16 #include "qemu/units.h" 17 #include "qapi/error.h" 18 #include "qemu/error-report.h" 19 #include "sysemu/kvm.h" 20 #include "sysemu/cpus.h" 21 #include "qom/object_interfaces.h" 22 #include "exec/confidential-guest-support.h" 23 #include "hw/s390x/ipl.h" 24 #include "hw/s390x/sclp.h" 25 #include "target/s390x/kvm/kvm_s390x.h" 26 #include "target/s390x/kvm/pv.h" 27 28 static bool info_valid; 29 static struct kvm_s390_pv_info_vm info_vm; 30 static struct kvm_s390_pv_info_dump info_dump; 31 32 static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data, 33 int *pvrc) 34 { 35 struct kvm_pv_cmd pv_cmd = { 36 .cmd = cmd, 37 .data = (uint64_t)data, 38 }; 39 int rc; 40 41 do { 42 rc = kvm_vm_ioctl(kvm_state, KVM_S390_PV_COMMAND, &pv_cmd); 43 } while (rc == -EINTR); 44 45 if (rc) { 46 error_report("KVM PV command %d (%s) failed: header rc %x rrc %x " 47 "IOCTL rc: %d", cmd, cmdname, pv_cmd.rc, pv_cmd.rrc, 48 rc); 49 } 50 if (pvrc) { 51 *pvrc = pv_cmd.rc; 52 } 53 return rc; 54 } 55 56 /* 57 * This macro lets us pass the command as a string to the function so 58 * we can print it on an error. 59 */ 60 #define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data, NULL) 61 #define s390_pv_cmd_pvrc(cmd, data, pvrc) __s390_pv_cmd(cmd, #cmd, data, pvrc) 62 #define s390_pv_cmd_exit(cmd, data) \ 63 { \ 64 int rc; \ 65 \ 66 rc = __s390_pv_cmd(cmd, #cmd, data, NULL); \ 67 if (rc) { \ 68 exit(1); \ 69 } \ 70 } 71 72 int s390_pv_query_info(void) 73 { 74 struct kvm_s390_pv_info info = { 75 .header.id = KVM_PV_INFO_VM, 76 .header.len_max = sizeof(info.header) + sizeof(info.vm), 77 }; 78 int rc; 79 80 /* Info API's first user is dump so they are bundled */ 81 if (!kvm_s390_get_protected_dump()) { 82 return 0; 83 } 84 85 rc = s390_pv_cmd(KVM_PV_INFO, &info); 86 if (rc) { 87 error_report("KVM PV INFO cmd %x failed: %s", 88 info.header.id, strerror(-rc)); 89 return rc; 90 } 91 memcpy(&info_vm, &info.vm, sizeof(info.vm)); 92 93 info.header.id = KVM_PV_INFO_DUMP; 94 info.header.len_max = sizeof(info.header) + sizeof(info.dump); 95 rc = s390_pv_cmd(KVM_PV_INFO, &info); 96 if (rc) { 97 error_report("KVM PV INFO cmd %x failed: %s", 98 info.header.id, strerror(-rc)); 99 return rc; 100 } 101 102 memcpy(&info_dump, &info.dump, sizeof(info.dump)); 103 info_valid = true; 104 105 return rc; 106 } 107 108 int s390_pv_vm_enable(void) 109 { 110 return s390_pv_cmd(KVM_PV_ENABLE, NULL); 111 } 112 113 void s390_pv_vm_disable(void) 114 { 115 s390_pv_cmd_exit(KVM_PV_DISABLE, NULL); 116 } 117 118 static void *s390_pv_do_unprot_async_fn(void *p) 119 { 120 s390_pv_cmd_exit(KVM_PV_ASYNC_CLEANUP_PERFORM, NULL); 121 return NULL; 122 } 123 124 bool s390_pv_vm_try_disable_async(S390CcwMachineState *ms) 125 { 126 /* 127 * t is only needed to create the thread; once qemu_thread_create 128 * returns, it can safely be discarded. 129 */ 130 QemuThread t; 131 132 /* 133 * If the feature is not present or if the VM is not larger than 2 GiB, 134 * KVM_PV_ASYNC_CLEANUP_PREPARE fill fail; no point in attempting it. 135 */ 136 if ((MACHINE(ms)->maxram_size <= 2 * GiB) || 137 !kvm_check_extension(kvm_state, KVM_CAP_S390_PROTECTED_ASYNC_DISABLE)) { 138 return false; 139 } 140 if (s390_pv_cmd(KVM_PV_ASYNC_CLEANUP_PREPARE, NULL) != 0) { 141 return false; 142 } 143 144 qemu_thread_create(&t, "async_cleanup", s390_pv_do_unprot_async_fn, NULL, 145 QEMU_THREAD_DETACHED); 146 147 return true; 148 } 149 150 int s390_pv_set_sec_parms(uint64_t origin, uint64_t length, Error **errp) 151 { 152 int ret, pvrc; 153 struct kvm_s390_pv_sec_parm args = { 154 .origin = origin, 155 .length = length, 156 }; 157 158 ret = s390_pv_cmd_pvrc(KVM_PV_SET_SEC_PARMS, &args, &pvrc); 159 if (ret) { 160 error_setg(errp, "Failed to set secure execution parameters"); 161 if (pvrc == 0x108) { 162 error_append_hint(errp, "Please check whether the image is " 163 "correctly encrypted for this host\n"); 164 } 165 } 166 167 return ret; 168 } 169 170 /* 171 * Called for each component in the SE type IPL parameter block 0. 172 */ 173 int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) 174 { 175 struct kvm_s390_pv_unp args = { 176 .addr = addr, 177 .size = size, 178 .tweak = tweak, 179 }; 180 181 return s390_pv_cmd(KVM_PV_UNPACK, &args); 182 } 183 184 void s390_pv_prep_reset(void) 185 { 186 s390_pv_cmd_exit(KVM_PV_PREP_RESET, NULL); 187 } 188 189 int s390_pv_verify(void) 190 { 191 return s390_pv_cmd(KVM_PV_VERIFY, NULL); 192 } 193 194 void s390_pv_unshare(void) 195 { 196 s390_pv_cmd_exit(KVM_PV_UNSHARE_ALL, NULL); 197 } 198 199 void s390_pv_inject_reset_error(CPUState *cs) 200 { 201 int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; 202 CPUS390XState *env = &S390_CPU(cs)->env; 203 204 /* Report that we are unable to enter protected mode */ 205 env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; 206 } 207 208 uint64_t kvm_s390_pv_dmp_get_size_cpu(void) 209 { 210 return info_dump.dump_cpu_buffer_len; 211 } 212 213 uint64_t kvm_s390_pv_dmp_get_size_completion_data(void) 214 { 215 return info_dump.dump_config_finalize_len; 216 } 217 218 uint64_t kvm_s390_pv_dmp_get_size_mem_state(void) 219 { 220 return info_dump.dump_config_mem_buffer_per_1m; 221 } 222 223 bool kvm_s390_pv_info_basic_valid(void) 224 { 225 return info_valid; 226 } 227 228 static int s390_pv_dump_cmd(uint64_t subcmd, uint64_t uaddr, uint64_t gaddr, 229 uint64_t len) 230 { 231 struct kvm_s390_pv_dmp dmp = { 232 .subcmd = subcmd, 233 .buff_addr = uaddr, 234 .buff_len = len, 235 .gaddr = gaddr, 236 }; 237 int ret; 238 239 ret = s390_pv_cmd(KVM_PV_DUMP, (void *)&dmp); 240 if (ret) { 241 error_report("KVM DUMP command %ld failed", subcmd); 242 } 243 return ret; 244 } 245 246 int kvm_s390_dump_cpu(S390CPU *cpu, void *buff) 247 { 248 struct kvm_s390_pv_dmp dmp = { 249 .subcmd = KVM_PV_DUMP_CPU, 250 .buff_addr = (uint64_t)buff, 251 .gaddr = 0, 252 .buff_len = info_dump.dump_cpu_buffer_len, 253 }; 254 struct kvm_pv_cmd pv = { 255 .cmd = KVM_PV_DUMP, 256 .data = (uint64_t)&dmp, 257 }; 258 259 return kvm_vcpu_ioctl(CPU(cpu), KVM_S390_PV_CPU_COMMAND, &pv); 260 } 261 262 int kvm_s390_dump_init(void) 263 { 264 return s390_pv_dump_cmd(KVM_PV_DUMP_INIT, 0, 0, 0); 265 } 266 267 int kvm_s390_dump_mem_state(uint64_t gaddr, size_t len, void *dest) 268 { 269 return s390_pv_dump_cmd(KVM_PV_DUMP_CONFIG_STOR_STATE, (uint64_t)dest, 270 gaddr, len); 271 } 272 273 int kvm_s390_dump_completion_data(void *buff) 274 { 275 return s390_pv_dump_cmd(KVM_PV_DUMP_COMPLETE, (uint64_t)buff, 0, 276 info_dump.dump_config_finalize_len); 277 } 278 279 #define TYPE_S390_PV_GUEST "s390-pv-guest" 280 OBJECT_DECLARE_SIMPLE_TYPE(S390PVGuest, S390_PV_GUEST) 281 282 /** 283 * S390PVGuest: 284 * 285 * The S390PVGuest object is basically a dummy used to tell the 286 * confidential guest support system to use s390's PV mechanism. 287 * 288 * # $QEMU \ 289 * -object s390-pv-guest,id=pv0 \ 290 * -machine ...,confidential-guest-support=pv0 291 */ 292 struct S390PVGuest { 293 ConfidentialGuestSupport parent_obj; 294 }; 295 296 typedef struct S390PVGuestClass S390PVGuestClass; 297 298 struct S390PVGuestClass { 299 ConfidentialGuestSupportClass parent_class; 300 }; 301 302 /* 303 * If protected virtualization is enabled, the amount of data that the 304 * Read SCP Info Service Call can use is limited to one page. The 305 * available space also depends on the Extended-Length SCCB (ELS) 306 * feature which can take more buffer space to store feature 307 * information. This impacts the maximum number of CPUs supported in 308 * the machine. 309 */ 310 static uint32_t s390_pv_get_max_cpus(void) 311 { 312 int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ? 313 offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET; 314 315 return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry); 316 } 317 318 static bool s390_pv_check_cpus(Error **errp) 319 { 320 MachineState *ms = MACHINE(qdev_get_machine()); 321 uint32_t pv_max_cpus = s390_pv_get_max_cpus(); 322 323 if (ms->smp.max_cpus > pv_max_cpus) { 324 error_setg(errp, "Protected VMs support a maximum of %d CPUs", 325 pv_max_cpus); 326 return false; 327 } 328 329 return true; 330 } 331 332 static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp) 333 { 334 return s390_pv_check_cpus(errp); 335 } 336 337 static int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) 338 { 339 if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) { 340 return 0; 341 } 342 343 if (!kvm_enabled()) { 344 error_setg(errp, "Protected Virtualization requires KVM"); 345 return -1; 346 } 347 348 if (!s390_has_feat(S390_FEAT_UNPACK)) { 349 error_setg(errp, 350 "CPU model does not support Protected Virtualization"); 351 return -1; 352 } 353 354 if (!s390_pv_guest_check(cgs, errp)) { 355 return -1; 356 } 357 358 cgs->ready = true; 359 360 return 0; 361 } 362 363 OBJECT_DEFINE_TYPE_WITH_INTERFACES(S390PVGuest, 364 s390_pv_guest, 365 S390_PV_GUEST, 366 CONFIDENTIAL_GUEST_SUPPORT, 367 { TYPE_USER_CREATABLE }, 368 { NULL }) 369 370 static void s390_pv_guest_class_init(ObjectClass *oc, void *data) 371 { 372 ConfidentialGuestSupportClass *klass = CONFIDENTIAL_GUEST_SUPPORT_CLASS(oc); 373 374 klass->kvm_init = s390_pv_kvm_init; 375 } 376 377 static void s390_pv_guest_init(Object *obj) 378 { 379 } 380 381 static void s390_pv_guest_finalize(Object *obj) 382 { 383 } 384