Re: [PATCH 00/15] s390x: Protected Virtualization support

qemu-s390x

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 00/15] s390x: Protected Virtualization support

From:	Janosch Frank
Subject:	Re: [PATCH 00/15] s390x: Protected Virtualization support
Date:	Fri, 29 Nov 2019 13:14:27 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.1

On 11/29/19 12:08 PM, Daniel P. Berrangé wrote:
> On Wed, Nov 20, 2019 at 06:43:19AM -0500, Janosch Frank wrote:
>> Most of the QEMU changes for PV are related to the new IPL type with
>> subcodes 8 - 10 and the execution of the necessary Ultravisor calls to
>> IPL secure guests. Note that we can only boot into secure mode from
>> normal mode, i.e. stfle 161 is not active in secure mode.
>>
>> The other changes related to data gathering for emulation and
>> disabling addressing checks in secure mode, as well as CPU resets.
>>
>> While working on this I sprinkled in some cleanups, as we sometimes
>> significantly increase line count of some functions and they got
>> unreadable.
> 
> Can you give some guidance on how management applications including
> libvirt & layers above (oVirt, OpenStack, etc) would/should use this
> feature ?  What new command line / monitor calls are needed, and
> what feature restrictions are there on its use ?
> 
> Regards,
> Daniel
> 

Hey Daniel,

management applications generally do not need to know about this
feature. Most of the magic is in the guest image, which boots up in a
certain way to become a protected machine.

The requirements for that to happen are:
* Machine/firmware support
* KVM & QEMU support
* IO only with iommu
* Guest needs to use IO bounce buffers
* A kernel image or a kernel on a disk that was prepared with special
tooling

Such VMs are started like any other VM and run a short "normal" stub
that will prepare some things and then requests to be protected.

Most of the restrictions are memory related and might be lifted in the
future:
* No paging
* No migration
* No huge page backings
* No collaborative memory management

There are no monitor changes or cmd additions currently.
We're trying to insert protected VMs into the normal VM flow as much as
possible. You can even do a memory dump without any segfault or
protection exception for QEMU, however the guest's memory content will
be unreadable because it's encrypted.

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 14/15] s390x: protvirt: Disable address checks for PV guest IO emulation, (continued)
- [PATCH 15/15] s390x: protvirt: Handle SIGP store status correctly, Janosch Frank, 2019/11/20
  - Re: [PATCH 15/15] s390x: protvirt: Handle SIGP store status correctly, David Hildenbrand, 2019/11/21
    - Re: [PATCH 15/15] s390x: protvirt: Handle SIGP store status correctly, Janosch Frank, 2019/11/21
  - Re: [PATCH 15/15] s390x: protvirt: Handle SIGP store status correctly, Thomas Huth, 2019/11/28
- Re: [PATCH 00/15] s390x: Protected Virtualization support, Cornelia Huck, 2019/11/20
  - Re: [PATCH 00/15] s390x: Protected Virtualization support, Janosch Frank, 2019/11/21
    - Re: [PATCH 00/15] s390x: Protected Virtualization support, Cornelia Huck, 2019/11/21
- Re: [PATCH 00/15] s390x: Protected Virtualization support, Daniel P . Berrangé, 2019/11/29
  - Re: [PATCH 00/15] s390x: Protected Virtualization support, Janosch Frank <=
    - Re: [PATCH 00/15] s390x: Protected Virtualization support, Daniel P . Berrangé, 2019/11/29
    - Re: [PATCH 00/15] s390x: Protected Virtualization support, Janosch Frank, 2019/11/29
    - Re: [PATCH 00/15] s390x: Protected Virtualization support, Viktor Mihajlovski, 2019/11/29

Prev by Date: Re: [PATCH v2 10/13] s390x: protvirt: Set guest IPL PSW
Next by Date: Re: [PATCH 00/15] s390x: Protected Virtualization support
Previous by thread: Re: [PATCH 00/15] s390x: Protected Virtualization support
Next by thread: Re: [PATCH 00/15] s390x: Protected Virtualization support
Index(es):
- Date
- Thread