~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/virt/kvm/s390/s390-pv.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/virt/kvm/s390/s390-pv.rst (Architecture sparc) and /Documentation/virt/kvm/s390/s390-pv.rst (Architecture i386)


  1 .. SPDX-License-Identifier: GPL-2.0                 1 .. SPDX-License-Identifier: GPL-2.0
  2                                                     2 
  3 =========================================           3 =========================================
  4 s390 (IBM Z) Ultravisor and Protected VMs           4 s390 (IBM Z) Ultravisor and Protected VMs
  5 =========================================           5 =========================================
  6                                                     6 
  7 Summary                                             7 Summary
  8 -------                                             8 -------
  9 Protected virtual machines (PVM) are KVM VMs t      9 Protected virtual machines (PVM) are KVM VMs that do not allow KVM to
 10 access VM state like guest memory or guest reg     10 access VM state like guest memory or guest registers. Instead, the
 11 PVMs are mostly managed by a new entity called     11 PVMs are mostly managed by a new entity called Ultravisor (UV). The UV
 12 provides an API that can be used by PVMs and K     12 provides an API that can be used by PVMs and KVM to request management
 13 actions.                                           13 actions.
 14                                                    14 
 15 Each guest starts in non-protected mode and th     15 Each guest starts in non-protected mode and then may make a request to
 16 transition into protected mode. On transition,     16 transition into protected mode. On transition, KVM registers the guest
 17 and its VCPUs with the Ultravisor and prepares     17 and its VCPUs with the Ultravisor and prepares everything for running
 18 it.                                                18 it.
 19                                                    19 
 20 The Ultravisor will secure and decrypt the gue     20 The Ultravisor will secure and decrypt the guest's boot memory
 21 (i.e. kernel/initrd). It will safeguard state      21 (i.e. kernel/initrd). It will safeguard state changes like VCPU
 22 starts/stops and injected interrupts while the     22 starts/stops and injected interrupts while the guest is running.
 23                                                    23 
 24 As access to the guest's state, such as the SI     24 As access to the guest's state, such as the SIE state description, is
 25 normally needed to be able to run a VM, some c     25 normally needed to be able to run a VM, some changes have been made in
 26 the behavior of the SIE instruction. A new for     26 the behavior of the SIE instruction. A new format 4 state description
 27 has been introduced, where some fields have di     27 has been introduced, where some fields have different meanings for a
 28 PVM. SIE exits are minimized as much as possib     28 PVM. SIE exits are minimized as much as possible to improve speed and
 29 reduce exposed guest state.                        29 reduce exposed guest state.
 30                                                    30 
 31                                                    31 
 32 Interrupt injection                                32 Interrupt injection
 33 -------------------                                33 -------------------
 34 Interrupt injection is safeguarded by the Ultr     34 Interrupt injection is safeguarded by the Ultravisor. As KVM doesn't
 35 have access to the VCPUs' lowcores, injection      35 have access to the VCPUs' lowcores, injection is handled via the
 36 format 4 state description.                        36 format 4 state description.
 37                                                    37 
 38 Machine check, external, IO and restart interr     38 Machine check, external, IO and restart interruptions each can be
 39 injected on SIE entry via a bit in the interru     39 injected on SIE entry via a bit in the interrupt injection control
 40 field (offset 0x54). If the guest cpu is not e     40 field (offset 0x54). If the guest cpu is not enabled for the interrupt
 41 at the time of injection, a validity intercept     41 at the time of injection, a validity interception is recognized. The
 42 format 4 state description contains fields in      42 format 4 state description contains fields in the interception data
 43 block where data associated with the interrupt     43 block where data associated with the interrupt can be transported.
 44                                                    44 
 45 Program and Service Call exceptions have anoth     45 Program and Service Call exceptions have another layer of
 46 safeguarding; they can only be injected for in     46 safeguarding; they can only be injected for instructions that have
 47 been intercepted into KVM. The exceptions need     47 been intercepted into KVM. The exceptions need to be a valid outcome
 48 of an instruction emulation by KVM, e.g. we ca     48 of an instruction emulation by KVM, e.g. we can never inject a
 49 addressing exception as they are reported by S     49 addressing exception as they are reported by SIE since KVM has no
 50 access to the guest memory.                        50 access to the guest memory.
 51                                                    51 
 52                                                    52 
 53 Mask notification interceptions                    53 Mask notification interceptions
 54 -------------------------------                    54 -------------------------------
 55 KVM cannot intercept lctl(g) and lpsw(e) anymo     55 KVM cannot intercept lctl(g) and lpsw(e) anymore in order to be
 56 notified when a PVM enables a certain class of     56 notified when a PVM enables a certain class of interrupt.  As a
 57 replacement, two new interception codes have b     57 replacement, two new interception codes have been introduced: One
 58 indicating that the contents of CRs 0, 6, or 1     58 indicating that the contents of CRs 0, 6, or 14 have been changed,
 59 indicating different interruption subclasses;      59 indicating different interruption subclasses; and one indicating that
 60 PSW bit 13 has been changed, indicating that a     60 PSW bit 13 has been changed, indicating that a machine check
 61 intervention was requested and those are now e     61 intervention was requested and those are now enabled.
 62                                                    62 
 63 Instruction emulation                              63 Instruction emulation
 64 ---------------------                              64 ---------------------
 65 With the format 4 state description for PVMs,      65 With the format 4 state description for PVMs, the SIE instruction already
 66 interprets more instructions than it does with     66 interprets more instructions than it does with format 2. It is not able
 67 to interpret every instruction, but needs to h     67 to interpret every instruction, but needs to hand some tasks to KVM;
 68 therefore, the SIE and the ultravisor safeguar     68 therefore, the SIE and the ultravisor safeguard emulation inputs and outputs.
 69                                                    69 
 70 The control structures associated with SIE pro     70 The control structures associated with SIE provide the Secure
 71 Instruction Data Area (SIDA), the Interception     71 Instruction Data Area (SIDA), the Interception Parameters (IP) and the
 72 Secure Interception General Register Save Area     72 Secure Interception General Register Save Area.  Guest GRs and most of
 73 the instruction data, such as I/O data structu     73 the instruction data, such as I/O data structures, are filtered.
 74 Instruction data is copied to and from the SID     74 Instruction data is copied to and from the SIDA when needed.  Guest
 75 GRs are put into / retrieved from the Secure I     75 GRs are put into / retrieved from the Secure Interception General
 76 Register Save Area.                                76 Register Save Area.
 77                                                    77 
 78 Only GR values needed to emulate an instructio     78 Only GR values needed to emulate an instruction will be copied into this
 79 save area and the real register numbers will b     79 save area and the real register numbers will be hidden.
 80                                                    80 
 81 The Interception Parameters state description      81 The Interception Parameters state description field still contains
 82 the bytes of the instruction text, but with pr     82 the bytes of the instruction text, but with pre-set register values
 83 instead of the actual ones. I.e. each instruct     83 instead of the actual ones. I.e. each instruction always uses the same
 84 instruction text, in order not to leak guest i     84 instruction text, in order not to leak guest instruction text.
 85 This also implies that the register content th     85 This also implies that the register content that a guest had in r<n>
 86 may be in r<m> from the hypervisor's point of      86 may be in r<m> from the hypervisor's point of view.
 87                                                    87 
 88 The Secure Instruction Data Area contains inst     88 The Secure Instruction Data Area contains instruction storage
 89 data. Instruction data, i.e. data being refere     89 data. Instruction data, i.e. data being referenced by an instruction
 90 like the SCCB for sclp, is moved via the SIDA.     90 like the SCCB for sclp, is moved via the SIDA. When an instruction is
 91 intercepted, the SIE will only allow data and      91 intercepted, the SIE will only allow data and program interrupts for
 92 this instruction to be moved to the guest via      92 this instruction to be moved to the guest via the two data areas
 93 discussed before. Other data is either ignored     93 discussed before. Other data is either ignored or results in validity
 94 interceptions.                                     94 interceptions.
 95                                                    95 
 96                                                    96 
 97 Instruction emulation interceptions                97 Instruction emulation interceptions
 98 -----------------------------------                98 -----------------------------------
 99 There are two types of SIE secure instruction      99 There are two types of SIE secure instruction intercepts: the normal
100 and the notification type. Normal secure instr    100 and the notification type. Normal secure instruction intercepts will
101 make the guest pending for instruction complet    101 make the guest pending for instruction completion of the intercepted
102 instruction type, i.e. on SIE entry it is atte    102 instruction type, i.e. on SIE entry it is attempted to complete
103 emulation of the instruction with the data pro    103 emulation of the instruction with the data provided by KVM. That might
104 be a program exception or instruction completi    104 be a program exception or instruction completion.
105                                                   105 
106 The notification type intercepts inform KVM ab    106 The notification type intercepts inform KVM about guest environment
107 changes due to guest instruction interpretatio    107 changes due to guest instruction interpretation. Such an interception
108 is recognized, for example, for the store pref    108 is recognized, for example, for the store prefix instruction to provide
109 the new lowcore location. On SIE reentry, any     109 the new lowcore location. On SIE reentry, any KVM data in the data areas
110 is ignored and execution continues as if the g    110 is ignored and execution continues as if the guest instruction had
111 completed. For that reason KVM is not allowed     111 completed. For that reason KVM is not allowed to inject a program
112 interrupt.                                        112 interrupt.
113                                                   113 
114 Links                                             114 Links
115 -----                                             115 -----
116 `KVM Forum 2019 presentation <https://static.s    116 `KVM Forum 2019 presentation <https://static.sched.com/hosted_files/kvmforum2019/3b/ibm_protected_vms_s390x.pdf>`_
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php