2019-10-23 13:56:36 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
/*
|
|
|
|
|
* Common Ultravisor functions and initialization
|
|
|
|
|
*
|
2024-10-24 10:41:07 +02:00
|
|
|
* Copyright IBM Corp. 2019, 2024
|
2019-10-23 13:56:36 +02:00
|
|
|
*/
|
|
|
|
|
#define KMSG_COMPONENT "prot_virt"
|
|
|
|
|
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
|
|
|
|
|
|
2025-06-12 13:47:38 +02:00
|
|
|
#include <linux/export.h>
|
2019-10-23 13:56:36 +02:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/sizes.h>
|
|
|
|
|
#include <linux/bitmap.h>
|
|
|
|
|
#include <linux/memblock.h>
|
2020-01-21 09:48:44 +01:00
|
|
|
#include <linux/pagemap.h>
|
|
|
|
|
#include <linux/swap.h>
|
2024-08-02 17:55:21 +02:00
|
|
|
#include <linux/pagewalk.h>
|
s390/uv: Improve splitting of large folios that cannot be split while dirty
Currently, starting a PV VM on an iomap-based filesystem with large
folio support, such as XFS, will not work. We'll be stuck in
unpack_one()->gmap_make_secure(), because we can't seem to make progress
splitting the large folio.
The problem is that we require a writable PTE but a writable PTE under such
filesystems will imply a dirty folio.
So whenever we have a writable PTE, we'll have a dirty folio, and dirty
iomap folios cannot currently get split, because
split_folio()->split_huge_page_to_list_to_order()->filemap_release_folio()
will fail in iomap_release_folio().
So we will not make any progress splitting such large folios.
Until dirty folios can be split more reliably, let's manually trigger
writeback of the problematic folio using
filemap_write_and_wait_range(), and retry the split immediately
afterwards exactly once, before looking up the folio again.
Should this logic be part of split_folio()? Likely not; most split users
don't have to split so eagerly to make any progress.
For now, this seems to affect xfs, zonefs and erofs, and this patch
makes it work again (tested on xfs only).
While this could be considered a fix for commit 6795801366da ("xfs: Support
large folios"), commit df2f9708ff1f ("zonefs: enable support for large
folios") and commit ce529cc25b18 ("erofs: enable large folios for iomap
mode"), before commit eef88fe45ac9 ("s390/uv: Split large folios in
gmap_make_secure()"), we did not try splitting large folios at all. So it's
all rather part of making SE compatible with file systems that support
large folios. But to have some "Fixes:" tag, let's just use eef88fe45ac9.
Not CCing stable, because there are a lot of dependencies, and it simply
not working is not critical in stable kernels.
Reported-by: Sebastian Mitterle <smitterl@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-58218
Fixes: eef88fe45ac9 ("s390/uv: Split large folios in gmap_make_secure()")
Signed-off-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250516123946.1648026-4-david@redhat.com
Message-ID: <20250516123946.1648026-4-david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
2025-05-16 14:39:46 +02:00
|
|
|
#include <linux/backing-dev.h>
|
2019-10-23 13:56:36 +02:00
|
|
|
#include <asm/facility.h>
|
|
|
|
|
#include <asm/sections.h>
|
|
|
|
|
#include <asm/uv.h>
|
|
|
|
|
|
|
|
|
|
/* the bootdata_preserved fields come from ones in arch/s390/boot/uv.c */
|
|
|
|
|
int __bootdata_preserved(prot_virt_guest);
|
2024-02-15 08:59:45 +01:00
|
|
|
EXPORT_SYMBOL(prot_virt_guest);
|
2019-10-23 13:56:36 +02:00
|
|
|
|
2023-06-15 12:05:27 +02:00
|
|
|
/*
|
|
|
|
|
* uv_info contains both host and guest information but it's currently only
|
|
|
|
|
* expected to be used within modules if it's the KVM module or for
|
|
|
|
|
* any PV guest module.
|
|
|
|
|
*
|
|
|
|
|
* The kernel itself will write these values once in uv_query_info()
|
|
|
|
|
* and then make some of them readable via a sysfs interface.
|
|
|
|
|
*/
|
2020-04-23 14:01:14 +02:00
|
|
|
struct uv_info __bootdata_preserved(uv_info);
|
2023-06-15 12:05:27 +02:00
|
|
|
EXPORT_SYMBOL(uv_info);
|
2020-04-23 14:01:14 +02:00
|
|
|
|
2020-09-11 11:38:21 +02:00
|
|
|
int __bootdata_preserved(prot_virt_host);
|
2019-10-23 13:56:36 +02:00
|
|
|
EXPORT_SYMBOL(prot_virt_host);
|
|
|
|
|
|
2021-12-13 19:16:38 +01:00
|
|
|
static int __init uv_init(phys_addr_t stor_base, unsigned long stor_len)
|
2019-10-23 13:56:39 +02:00
|
|
|
{
|
|
|
|
|
struct uv_cb_init uvcb = {
|
|
|
|
|
.header.cmd = UVC_CMD_INIT_UV,
|
|
|
|
|
.header.len = sizeof(uvcb),
|
|
|
|
|
.stor_origin = stor_base,
|
|
|
|
|
.stor_len = stor_len,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (uv_call(0, (uint64_t)&uvcb)) {
|
|
|
|
|
pr_err("Ultravisor init failed with rc: 0x%x rrc: 0%x\n",
|
|
|
|
|
uvcb.header.rc, uvcb.header.rrc);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void __init setup_uv(void)
|
|
|
|
|
{
|
2021-12-13 19:16:38 +01:00
|
|
|
void *uv_stor_base;
|
2019-10-23 13:56:39 +02:00
|
|
|
|
2020-09-11 11:38:21 +02:00
|
|
|
if (!is_prot_virt_host())
|
|
|
|
|
return;
|
|
|
|
|
|
2021-12-13 19:16:38 +01:00
|
|
|
uv_stor_base = memblock_alloc_try_nid(
|
2019-10-23 13:56:39 +02:00
|
|
|
uv_info.uv_base_stor_len, SZ_1M, SZ_2G,
|
|
|
|
|
MEMBLOCK_ALLOC_ACCESSIBLE, NUMA_NO_NODE);
|
|
|
|
|
if (!uv_stor_base) {
|
|
|
|
|
pr_warn("Failed to reserve %lu bytes for ultravisor base storage\n",
|
|
|
|
|
uv_info.uv_base_stor_len);
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-13 19:16:38 +01:00
|
|
|
if (uv_init(__pa(uv_stor_base), uv_info.uv_base_stor_len)) {
|
|
|
|
|
memblock_free(uv_stor_base, uv_info.uv_base_stor_len);
|
2019-10-23 13:56:39 +02:00
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_info("Reserving %luMB as ultravisor base storage\n",
|
|
|
|
|
uv_info.uv_base_stor_len >> 20);
|
|
|
|
|
return;
|
|
|
|
|
fail:
|
|
|
|
|
pr_info("Disabling support for protected virtualization");
|
|
|
|
|
prot_virt_host = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-21 09:48:44 +01:00
|
|
|
/*
|
|
|
|
|
* Requests the Ultravisor to pin the page in the shared state. This will
|
|
|
|
|
* cause an intercept when the guest attempts to unshare the pinned page.
|
|
|
|
|
*/
|
2023-08-15 14:43:31 -04:00
|
|
|
int uv_pin_shared(unsigned long paddr)
|
2020-01-21 09:48:44 +01:00
|
|
|
{
|
|
|
|
|
struct uv_cb_cfs uvcb = {
|
|
|
|
|
.header.cmd = UVC_CMD_PIN_PAGE_SHARED,
|
|
|
|
|
.header.len = sizeof(uvcb),
|
|
|
|
|
.paddr = paddr,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (uv_call(0, (u64)&uvcb))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2023-08-15 14:43:31 -04:00
|
|
|
EXPORT_SYMBOL_GPL(uv_pin_shared);
|
2020-01-21 09:48:44 +01:00
|
|
|
|
2020-09-07 08:46:59 -04:00
|
|
|
/*
|
|
|
|
|
* Requests the Ultravisor to destroy a guest page and make it
|
|
|
|
|
* accessible to the host. The destroy clears the page instead of
|
|
|
|
|
* exporting.
|
|
|
|
|
*
|
|
|
|
|
* @paddr: Absolute host address of page to be destroyed
|
|
|
|
|
*/
|
2024-05-08 20:29:52 +02:00
|
|
|
static int uv_destroy(unsigned long paddr)
|
2020-09-07 08:46:59 -04:00
|
|
|
{
|
|
|
|
|
struct uv_cb_cfs uvcb = {
|
|
|
|
|
.header.cmd = UVC_CMD_DESTR_SEC_STOR,
|
|
|
|
|
.header.len = sizeof(uvcb),
|
|
|
|
|
.paddr = paddr
|
|
|
|
|
};
|
|
|
|
|
|
2020-11-17 20:00:33 +01:00
|
|
|
if (uv_call(0, (u64)&uvcb)) {
|
|
|
|
|
/*
|
|
|
|
|
* Older firmware uses 107/d as an indication of a non secure
|
|
|
|
|
* page. Let us emulate the newer variant (no-op).
|
|
|
|
|
*/
|
|
|
|
|
if (uvcb.header.rc == 0x107 && uvcb.header.rrc == 0xd)
|
|
|
|
|
return 0;
|
2020-09-07 08:46:59 -04:00
|
|
|
return -EINVAL;
|
2020-11-17 20:00:33 +01:00
|
|
|
}
|
2020-09-07 08:46:59 -04:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-20 15:24:54 +02:00
|
|
|
/*
|
2024-05-08 20:29:52 +02:00
|
|
|
* The caller must already hold a reference to the folio
|
2021-09-20 15:24:54 +02:00
|
|
|
*/
|
2024-05-08 20:29:52 +02:00
|
|
|
int uv_destroy_folio(struct folio *folio)
|
2021-09-20 15:24:54 +02:00
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
|
2025-05-28 11:55:02 +02:00
|
|
|
/* Large folios cannot be secure */
|
2024-05-08 20:29:49 +02:00
|
|
|
if (unlikely(folio_test_large(folio)))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
folio_get(folio);
|
2024-05-08 20:29:52 +02:00
|
|
|
rc = uv_destroy(folio_to_phys(folio));
|
2021-09-20 15:24:54 +02:00
|
|
|
if (!rc)
|
2024-05-08 20:29:49 +02:00
|
|
|
clear_bit(PG_arch_1, &folio->flags);
|
|
|
|
|
folio_put(folio);
|
2021-09-20 15:24:54 +02:00
|
|
|
return rc;
|
|
|
|
|
}
|
2025-01-23 15:46:17 +01:00
|
|
|
EXPORT_SYMBOL(uv_destroy_folio);
|
2021-09-20 15:24:54 +02:00
|
|
|
|
2024-05-08 20:29:52 +02:00
|
|
|
/*
|
|
|
|
|
* The present PTE still indirectly holds a folio reference through the mapping.
|
|
|
|
|
*/
|
|
|
|
|
int uv_destroy_pte(pte_t pte)
|
|
|
|
|
{
|
|
|
|
|
VM_WARN_ON(!pte_present(pte));
|
|
|
|
|
return uv_destroy_folio(pfn_folio(pte_pfn(pte)));
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-21 09:48:44 +01:00
|
|
|
/*
|
|
|
|
|
* Requests the Ultravisor to encrypt a guest page and make it
|
|
|
|
|
* accessible to the host for paging (export).
|
|
|
|
|
*
|
|
|
|
|
* @paddr: Absolute host address of page to be exported
|
|
|
|
|
*/
|
2025-01-23 15:46:17 +01:00
|
|
|
int uv_convert_from_secure(unsigned long paddr)
|
2020-01-21 09:48:44 +01:00
|
|
|
{
|
|
|
|
|
struct uv_cb_cfs uvcb = {
|
|
|
|
|
.header.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
|
|
|
|
|
.header.len = sizeof(uvcb),
|
|
|
|
|
.paddr = paddr
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (uv_call(0, (u64)&uvcb))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2025-01-23 15:46:17 +01:00
|
|
|
EXPORT_SYMBOL_GPL(uv_convert_from_secure);
|
2020-01-21 09:48:44 +01:00
|
|
|
|
2021-09-20 15:24:54 +02:00
|
|
|
/*
|
2024-05-08 20:29:53 +02:00
|
|
|
* The caller must already hold a reference to the folio.
|
2021-09-20 15:24:54 +02:00
|
|
|
*/
|
2025-01-23 15:46:17 +01:00
|
|
|
int uv_convert_from_secure_folio(struct folio *folio)
|
2021-09-20 15:24:54 +02:00
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
|
2025-05-28 11:55:02 +02:00
|
|
|
/* Large folios cannot be secure */
|
2024-05-08 20:29:49 +02:00
|
|
|
if (unlikely(folio_test_large(folio)))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
folio_get(folio);
|
2024-05-08 20:29:53 +02:00
|
|
|
rc = uv_convert_from_secure(folio_to_phys(folio));
|
2021-09-20 15:24:54 +02:00
|
|
|
if (!rc)
|
2024-05-08 20:29:49 +02:00
|
|
|
clear_bit(PG_arch_1, &folio->flags);
|
|
|
|
|
folio_put(folio);
|
2021-09-20 15:24:54 +02:00
|
|
|
return rc;
|
|
|
|
|
}
|
2025-01-23 15:46:17 +01:00
|
|
|
EXPORT_SYMBOL_GPL(uv_convert_from_secure_folio);
|
2021-09-20 15:24:54 +02:00
|
|
|
|
2024-05-08 20:29:53 +02:00
|
|
|
/*
|
|
|
|
|
* The present PTE still indirectly holds a folio reference through the mapping.
|
|
|
|
|
*/
|
|
|
|
|
int uv_convert_from_secure_pte(pte_t pte)
|
|
|
|
|
{
|
|
|
|
|
VM_WARN_ON(!pte_present(pte));
|
|
|
|
|
return uv_convert_from_secure_folio(pfn_folio(pte_pfn(pte)));
|
|
|
|
|
}
|
|
|
|
|
|
2025-03-12 19:49:12 +01:00
|
|
|
/**
|
|
|
|
|
* should_export_before_import - Determine whether an export is needed
|
|
|
|
|
* before an import-like operation
|
|
|
|
|
* @uvcb: the Ultravisor control block of the UVC to be performed
|
|
|
|
|
* @mm: the mm of the process
|
|
|
|
|
*
|
|
|
|
|
* Returns whether an export is needed before every import-like operation.
|
|
|
|
|
* This is needed for shared pages, which don't trigger a secure storage
|
|
|
|
|
* exception when accessed from a different guest.
|
|
|
|
|
*
|
|
|
|
|
* Although considered as one, the Unpin Page UVC is not an actual import,
|
|
|
|
|
* so it is not affected.
|
|
|
|
|
*
|
|
|
|
|
* No export is needed also when there is only one protected VM, because the
|
|
|
|
|
* page cannot belong to the wrong VM in that case (there is no "other VM"
|
|
|
|
|
* it can belong to).
|
|
|
|
|
*
|
|
|
|
|
* Return: true if an export is needed before every import, otherwise false.
|
|
|
|
|
*/
|
|
|
|
|
static bool should_export_before_import(struct uv_cb_header *uvcb, struct mm_struct *mm)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* The misc feature indicates, among other things, that importing a
|
|
|
|
|
* shared page from a different protected VM will automatically also
|
|
|
|
|
* transfer its ownership.
|
|
|
|
|
*/
|
|
|
|
|
if (uv_has_feature(BIT_UV_FEAT_MISC))
|
|
|
|
|
return false;
|
|
|
|
|
if (uvcb->cmd == UVC_CMD_UNPIN_PAGE_SHARED)
|
|
|
|
|
return false;
|
|
|
|
|
return atomic_read(&mm->context.protected_count) > 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-21 09:48:44 +01:00
|
|
|
/*
|
2024-03-22 16:11:46 +00:00
|
|
|
* Calculate the expected ref_count for a folio that would otherwise have no
|
2020-01-21 09:48:44 +01:00
|
|
|
* further pins. This was cribbed from similar functions in other places in
|
|
|
|
|
* the kernel, but with some slight modifications. We know that a secure
|
2024-03-22 16:11:46 +00:00
|
|
|
* folio can not be a large folio, for example.
|
2020-01-21 09:48:44 +01:00
|
|
|
*/
|
2024-03-22 16:11:46 +00:00
|
|
|
static int expected_folio_refs(struct folio *folio)
|
2020-01-21 09:48:44 +01:00
|
|
|
{
|
|
|
|
|
int res;
|
|
|
|
|
|
2024-03-22 16:11:46 +00:00
|
|
|
res = folio_mapcount(folio);
|
|
|
|
|
if (folio_test_swapcache(folio)) {
|
2020-01-21 09:48:44 +01:00
|
|
|
res++;
|
2024-03-22 16:11:46 +00:00
|
|
|
} else if (folio_mapping(folio)) {
|
2020-01-21 09:48:44 +01:00
|
|
|
res++;
|
2024-03-22 16:11:46 +00:00
|
|
|
if (folio->private)
|
2020-01-21 09:48:44 +01:00
|
|
|
res++;
|
|
|
|
|
}
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-23 15:46:17 +01:00
|
|
|
/**
|
2025-03-12 19:49:12 +01:00
|
|
|
* __make_folio_secure() - make a folio secure
|
2025-01-23 15:46:17 +01:00
|
|
|
* @folio: the folio to make secure
|
|
|
|
|
* @uvcb: the uvcb that describes the UVC to be used
|
|
|
|
|
*
|
|
|
|
|
* The folio @folio will be made secure if possible, @uvcb will be passed
|
|
|
|
|
* as-is to the UVC.
|
|
|
|
|
*
|
|
|
|
|
* Return: 0 on success;
|
|
|
|
|
* -EBUSY if the folio is in writeback or has too many references;
|
|
|
|
|
* -EAGAIN if the UVC needs to be attempted again;
|
|
|
|
|
* -ENXIO if the address is not mapped;
|
|
|
|
|
* -EINVAL if the UVC failed for other reasons.
|
|
|
|
|
*
|
|
|
|
|
* Context: The caller must hold exactly one extra reference on the folio
|
2025-03-12 19:49:12 +01:00
|
|
|
* (it's the same logic as split_folio()), and the folio must be
|
|
|
|
|
* locked.
|
2025-01-23 15:46:17 +01:00
|
|
|
*/
|
2025-03-12 19:49:12 +01:00
|
|
|
static int __make_folio_secure(struct folio *folio, struct uv_cb_header *uvcb)
|
2020-01-21 09:48:44 +01:00
|
|
|
{
|
2021-09-20 15:24:52 +02:00
|
|
|
int expected, cc = 0;
|
2020-01-21 09:48:44 +01:00
|
|
|
|
2024-03-22 16:11:46 +00:00
|
|
|
if (folio_test_writeback(folio))
|
2025-01-23 15:46:17 +01:00
|
|
|
return -EBUSY;
|
|
|
|
|
expected = expected_folio_refs(folio) + 1;
|
2024-03-22 16:11:46 +00:00
|
|
|
if (!folio_ref_freeze(folio, expected))
|
2020-01-21 09:48:44 +01:00
|
|
|
return -EBUSY;
|
2024-03-22 16:11:46 +00:00
|
|
|
set_bit(PG_arch_1, &folio->flags);
|
2021-09-20 15:24:52 +02:00
|
|
|
/*
|
|
|
|
|
* If the UVC does not succeed or fail immediately, we don't want to
|
|
|
|
|
* loop for long, or we might get stall notifications.
|
|
|
|
|
* On the other hand, this is a complex scenario and we are holding a lot of
|
|
|
|
|
* locks, so we can't easily sleep and reschedule. We try only once,
|
|
|
|
|
* and if the UVC returned busy or partial completion, we return
|
|
|
|
|
* -EAGAIN and we let the callers deal with it.
|
|
|
|
|
*/
|
|
|
|
|
cc = __uv_call(0, (u64)uvcb);
|
2024-03-22 16:11:46 +00:00
|
|
|
folio_ref_unfreeze(folio, expected);
|
2021-09-20 15:24:52 +02:00
|
|
|
/*
|
2024-03-22 16:11:46 +00:00
|
|
|
* Return -ENXIO if the folio was not mapped, -EINVAL for other errors.
|
2021-09-20 15:24:52 +02:00
|
|
|
* If busy or partially completed, return -EAGAIN.
|
|
|
|
|
*/
|
|
|
|
|
if (cc == UVC_CC_OK)
|
|
|
|
|
return 0;
|
|
|
|
|
else if (cc == UVC_CC_BUSY || cc == UVC_CC_PARTIAL)
|
|
|
|
|
return -EAGAIN;
|
|
|
|
|
return uvcb->rc == 0x10a ? -ENXIO : -EINVAL;
|
2020-01-21 09:48:44 +01:00
|
|
|
}
|
2025-03-12 19:49:12 +01:00
|
|
|
|
|
|
|
|
static int make_folio_secure(struct mm_struct *mm, struct folio *folio, struct uv_cb_header *uvcb)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
if (!folio_trylock(folio))
|
|
|
|
|
return -EAGAIN;
|
|
|
|
|
if (should_export_before_import(uvcb, mm))
|
|
|
|
|
uv_convert_from_secure(folio_to_phys(folio));
|
|
|
|
|
rc = __make_folio_secure(folio, uvcb);
|
|
|
|
|
folio_unlock(folio);
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2025-05-16 14:39:45 +02:00
|
|
|
* s390_wiggle_split_folio() - try to drain extra references to a folio and
|
|
|
|
|
* split the folio if it is large.
|
2025-03-12 19:49:12 +01:00
|
|
|
* @mm: the mm containing the folio to work on
|
|
|
|
|
* @folio: the folio
|
|
|
|
|
*
|
|
|
|
|
* Context: Must be called while holding an extra reference to the folio;
|
|
|
|
|
* the mm lock should not be held.
|
2025-05-16 14:39:45 +02:00
|
|
|
* Return: 0 if the operation was successful;
|
|
|
|
|
* -EAGAIN if splitting the large folio was not successful,
|
|
|
|
|
* but another attempt can be made;
|
|
|
|
|
* -EINVAL in case of other folio splitting errors. See split_folio().
|
2025-03-12 19:49:12 +01:00
|
|
|
*/
|
2025-05-16 14:39:45 +02:00
|
|
|
static int s390_wiggle_split_folio(struct mm_struct *mm, struct folio *folio)
|
2025-03-12 19:49:12 +01:00
|
|
|
{
|
s390/uv: Improve splitting of large folios that cannot be split while dirty
Currently, starting a PV VM on an iomap-based filesystem with large
folio support, such as XFS, will not work. We'll be stuck in
unpack_one()->gmap_make_secure(), because we can't seem to make progress
splitting the large folio.
The problem is that we require a writable PTE but a writable PTE under such
filesystems will imply a dirty folio.
So whenever we have a writable PTE, we'll have a dirty folio, and dirty
iomap folios cannot currently get split, because
split_folio()->split_huge_page_to_list_to_order()->filemap_release_folio()
will fail in iomap_release_folio().
So we will not make any progress splitting such large folios.
Until dirty folios can be split more reliably, let's manually trigger
writeback of the problematic folio using
filemap_write_and_wait_range(), and retry the split immediately
afterwards exactly once, before looking up the folio again.
Should this logic be part of split_folio()? Likely not; most split users
don't have to split so eagerly to make any progress.
For now, this seems to affect xfs, zonefs and erofs, and this patch
makes it work again (tested on xfs only).
While this could be considered a fix for commit 6795801366da ("xfs: Support
large folios"), commit df2f9708ff1f ("zonefs: enable support for large
folios") and commit ce529cc25b18 ("erofs: enable large folios for iomap
mode"), before commit eef88fe45ac9 ("s390/uv: Split large folios in
gmap_make_secure()"), we did not try splitting large folios at all. So it's
all rather part of making SE compatible with file systems that support
large folios. But to have some "Fixes:" tag, let's just use eef88fe45ac9.
Not CCing stable, because there are a lot of dependencies, and it simply
not working is not critical in stable kernels.
Reported-by: Sebastian Mitterle <smitterl@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-58218
Fixes: eef88fe45ac9 ("s390/uv: Split large folios in gmap_make_secure()")
Signed-off-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250516123946.1648026-4-david@redhat.com
Message-ID: <20250516123946.1648026-4-david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
2025-05-16 14:39:46 +02:00
|
|
|
int rc, tried_splits;
|
2025-03-12 19:49:12 +01:00
|
|
|
|
|
|
|
|
lockdep_assert_not_held(&mm->mmap_lock);
|
|
|
|
|
folio_wait_writeback(folio);
|
|
|
|
|
lru_add_drain_all();
|
2025-05-16 14:39:45 +02:00
|
|
|
|
s390/uv: Improve splitting of large folios that cannot be split while dirty
Currently, starting a PV VM on an iomap-based filesystem with large
folio support, such as XFS, will not work. We'll be stuck in
unpack_one()->gmap_make_secure(), because we can't seem to make progress
splitting the large folio.
The problem is that we require a writable PTE but a writable PTE under such
filesystems will imply a dirty folio.
So whenever we have a writable PTE, we'll have a dirty folio, and dirty
iomap folios cannot currently get split, because
split_folio()->split_huge_page_to_list_to_order()->filemap_release_folio()
will fail in iomap_release_folio().
So we will not make any progress splitting such large folios.
Until dirty folios can be split more reliably, let's manually trigger
writeback of the problematic folio using
filemap_write_and_wait_range(), and retry the split immediately
afterwards exactly once, before looking up the folio again.
Should this logic be part of split_folio()? Likely not; most split users
don't have to split so eagerly to make any progress.
For now, this seems to affect xfs, zonefs and erofs, and this patch
makes it work again (tested on xfs only).
While this could be considered a fix for commit 6795801366da ("xfs: Support
large folios"), commit df2f9708ff1f ("zonefs: enable support for large
folios") and commit ce529cc25b18 ("erofs: enable large folios for iomap
mode"), before commit eef88fe45ac9 ("s390/uv: Split large folios in
gmap_make_secure()"), we did not try splitting large folios at all. So it's
all rather part of making SE compatible with file systems that support
large folios. But to have some "Fixes:" tag, let's just use eef88fe45ac9.
Not CCing stable, because there are a lot of dependencies, and it simply
not working is not critical in stable kernels.
Reported-by: Sebastian Mitterle <smitterl@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-58218
Fixes: eef88fe45ac9 ("s390/uv: Split large folios in gmap_make_secure()")
Signed-off-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250516123946.1648026-4-david@redhat.com
Message-ID: <20250516123946.1648026-4-david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
2025-05-16 14:39:46 +02:00
|
|
|
if (!folio_test_large(folio))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for (tried_splits = 0; tried_splits < 2; tried_splits++) {
|
|
|
|
|
struct address_space *mapping;
|
|
|
|
|
loff_t lstart, lend;
|
|
|
|
|
struct inode *inode;
|
|
|
|
|
|
2025-03-12 19:49:12 +01:00
|
|
|
folio_lock(folio);
|
|
|
|
|
rc = split_folio(folio);
|
s390/uv: Improve splitting of large folios that cannot be split while dirty
Currently, starting a PV VM on an iomap-based filesystem with large
folio support, such as XFS, will not work. We'll be stuck in
unpack_one()->gmap_make_secure(), because we can't seem to make progress
splitting the large folio.
The problem is that we require a writable PTE but a writable PTE under such
filesystems will imply a dirty folio.
So whenever we have a writable PTE, we'll have a dirty folio, and dirty
iomap folios cannot currently get split, because
split_folio()->split_huge_page_to_list_to_order()->filemap_release_folio()
will fail in iomap_release_folio().
So we will not make any progress splitting such large folios.
Until dirty folios can be split more reliably, let's manually trigger
writeback of the problematic folio using
filemap_write_and_wait_range(), and retry the split immediately
afterwards exactly once, before looking up the folio again.
Should this logic be part of split_folio()? Likely not; most split users
don't have to split so eagerly to make any progress.
For now, this seems to affect xfs, zonefs and erofs, and this patch
makes it work again (tested on xfs only).
While this could be considered a fix for commit 6795801366da ("xfs: Support
large folios"), commit df2f9708ff1f ("zonefs: enable support for large
folios") and commit ce529cc25b18 ("erofs: enable large folios for iomap
mode"), before commit eef88fe45ac9 ("s390/uv: Split large folios in
gmap_make_secure()"), we did not try splitting large folios at all. So it's
all rather part of making SE compatible with file systems that support
large folios. But to have some "Fixes:" tag, let's just use eef88fe45ac9.
Not CCing stable, because there are a lot of dependencies, and it simply
not working is not critical in stable kernels.
Reported-by: Sebastian Mitterle <smitterl@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-58218
Fixes: eef88fe45ac9 ("s390/uv: Split large folios in gmap_make_secure()")
Signed-off-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250516123946.1648026-4-david@redhat.com
Message-ID: <20250516123946.1648026-4-david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
2025-05-16 14:39:46 +02:00
|
|
|
if (rc != -EBUSY) {
|
|
|
|
|
folio_unlock(folio);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Splitting with -EBUSY can fail for various reasons, but we
|
|
|
|
|
* have to handle one case explicitly for now: some mappings
|
|
|
|
|
* don't allow for splitting dirty folios; writeback will
|
|
|
|
|
* mark them clean again, including marking all page table
|
|
|
|
|
* entries mapping the folio read-only, to catch future write
|
|
|
|
|
* attempts.
|
|
|
|
|
*
|
|
|
|
|
* While the system should be writing back dirty folios in the
|
|
|
|
|
* background, we obtained this folio by looking up a writable
|
|
|
|
|
* page table entry. On these problematic mappings, writable
|
|
|
|
|
* page table entries imply dirty folios, preventing the
|
|
|
|
|
* split in the first place.
|
|
|
|
|
*
|
|
|
|
|
* To prevent a livelock when trigger writeback manually and
|
|
|
|
|
* letting the caller look up the folio again in the page
|
|
|
|
|
* table (turning it dirty), immediately try to split again.
|
|
|
|
|
*
|
|
|
|
|
* This is only a problem for some mappings (e.g., XFS);
|
|
|
|
|
* mappings that do not support writeback (e.g., shmem) do not
|
|
|
|
|
* apply.
|
|
|
|
|
*/
|
|
|
|
|
if (!folio_test_dirty(folio) || folio_test_anon(folio) ||
|
|
|
|
|
!folio->mapping || !mapping_can_writeback(folio->mapping)) {
|
|
|
|
|
folio_unlock(folio);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ideally, we'd only trigger writeback on this exact folio. But
|
|
|
|
|
* there is no easy way to do that, so we'll stabilize the
|
|
|
|
|
* mapping while we still hold the folio lock, so we can drop
|
|
|
|
|
* the folio lock to trigger writeback on the range currently
|
|
|
|
|
* covered by the folio instead.
|
|
|
|
|
*/
|
|
|
|
|
mapping = folio->mapping;
|
|
|
|
|
lstart = folio_pos(folio);
|
|
|
|
|
lend = lstart + folio_size(folio) - 1;
|
|
|
|
|
inode = igrab(mapping->host);
|
2025-03-12 19:49:12 +01:00
|
|
|
folio_unlock(folio);
|
|
|
|
|
|
s390/uv: Improve splitting of large folios that cannot be split while dirty
Currently, starting a PV VM on an iomap-based filesystem with large
folio support, such as XFS, will not work. We'll be stuck in
unpack_one()->gmap_make_secure(), because we can't seem to make progress
splitting the large folio.
The problem is that we require a writable PTE but a writable PTE under such
filesystems will imply a dirty folio.
So whenever we have a writable PTE, we'll have a dirty folio, and dirty
iomap folios cannot currently get split, because
split_folio()->split_huge_page_to_list_to_order()->filemap_release_folio()
will fail in iomap_release_folio().
So we will not make any progress splitting such large folios.
Until dirty folios can be split more reliably, let's manually trigger
writeback of the problematic folio using
filemap_write_and_wait_range(), and retry the split immediately
afterwards exactly once, before looking up the folio again.
Should this logic be part of split_folio()? Likely not; most split users
don't have to split so eagerly to make any progress.
For now, this seems to affect xfs, zonefs and erofs, and this patch
makes it work again (tested on xfs only).
While this could be considered a fix for commit 6795801366da ("xfs: Support
large folios"), commit df2f9708ff1f ("zonefs: enable support for large
folios") and commit ce529cc25b18 ("erofs: enable large folios for iomap
mode"), before commit eef88fe45ac9 ("s390/uv: Split large folios in
gmap_make_secure()"), we did not try splitting large folios at all. So it's
all rather part of making SE compatible with file systems that support
large folios. But to have some "Fixes:" tag, let's just use eef88fe45ac9.
Not CCing stable, because there are a lot of dependencies, and it simply
not working is not critical in stable kernels.
Reported-by: Sebastian Mitterle <smitterl@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-58218
Fixes: eef88fe45ac9 ("s390/uv: Split large folios in gmap_make_secure()")
Signed-off-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250516123946.1648026-4-david@redhat.com
Message-ID: <20250516123946.1648026-4-david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
2025-05-16 14:39:46 +02:00
|
|
|
if (unlikely(!inode))
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
filemap_write_and_wait_range(mapping, lstart, lend);
|
|
|
|
|
iput(mapping->host);
|
2025-03-12 19:49:12 +01:00
|
|
|
}
|
|
|
|
|
return -EAGAIN;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int make_hva_secure(struct mm_struct *mm, unsigned long hva, struct uv_cb_header *uvcb)
|
|
|
|
|
{
|
|
|
|
|
struct vm_area_struct *vma;
|
|
|
|
|
struct folio_walk fw;
|
|
|
|
|
struct folio *folio;
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
mmap_read_lock(mm);
|
|
|
|
|
vma = vma_lookup(mm, hva);
|
|
|
|
|
if (!vma) {
|
|
|
|
|
mmap_read_unlock(mm);
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
folio = folio_walk_start(&fw, vma, hva, 0);
|
|
|
|
|
if (!folio) {
|
|
|
|
|
mmap_read_unlock(mm);
|
|
|
|
|
return -ENXIO;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
folio_get(folio);
|
|
|
|
|
/*
|
|
|
|
|
* Secure pages cannot be huge and userspace should not combine both.
|
|
|
|
|
* In case userspace does it anyway this will result in an -EFAULT for
|
|
|
|
|
* the unpack. The guest is thus never reaching secure mode.
|
|
|
|
|
* If userspace plays dirty tricks and decides to map huge pages at a
|
|
|
|
|
* later point in time, it will receive a segmentation fault or
|
|
|
|
|
* KVM_RUN will return -EFAULT.
|
|
|
|
|
*/
|
|
|
|
|
if (folio_test_hugetlb(folio))
|
|
|
|
|
rc = -EFAULT;
|
|
|
|
|
else if (folio_test_large(folio))
|
|
|
|
|
rc = -E2BIG;
|
|
|
|
|
else if (!pte_write(fw.pte) || (pte_val(fw.pte) & _PAGE_INVALID))
|
|
|
|
|
rc = -ENXIO;
|
|
|
|
|
else
|
|
|
|
|
rc = make_folio_secure(mm, folio, uvcb);
|
|
|
|
|
folio_walk_end(&fw, vma);
|
|
|
|
|
mmap_read_unlock(mm);
|
|
|
|
|
|
2025-05-16 14:39:44 +02:00
|
|
|
if (rc == -E2BIG || rc == -EBUSY) {
|
2025-05-16 14:39:45 +02:00
|
|
|
rc = s390_wiggle_split_folio(mm, folio);
|
2025-05-16 14:39:44 +02:00
|
|
|
if (!rc)
|
|
|
|
|
rc = -EAGAIN;
|
|
|
|
|
}
|
2025-03-12 19:49:12 +01:00
|
|
|
folio_put(folio);
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(make_hva_secure);
|
2022-06-28 15:56:03 +02:00
|
|
|
|
2020-01-21 09:48:44 +01:00
|
|
|
/*
|
2024-05-08 20:29:54 +02:00
|
|
|
* To be called with the folio locked or with an extra reference! This will
|
2025-05-28 11:55:02 +02:00
|
|
|
* prevent kvm_s390_pv_make_secure() from touching the folio concurrently.
|
|
|
|
|
* Having 2 parallel arch_make_folio_accessible is fine, as the UV calls will
|
|
|
|
|
* become a no-op if the folio is already exported.
|
2020-01-21 09:48:44 +01:00
|
|
|
*/
|
2024-05-08 20:29:54 +02:00
|
|
|
int arch_make_folio_accessible(struct folio *folio)
|
2020-01-21 09:48:44 +01:00
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
|
2025-05-28 11:55:02 +02:00
|
|
|
/* Large folios cannot be secure */
|
2024-05-08 20:29:49 +02:00
|
|
|
if (unlikely(folio_test_large(folio)))
|
2020-01-21 09:48:44 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
2024-05-08 20:29:50 +02:00
|
|
|
* PG_arch_1 is used in 2 places:
|
|
|
|
|
* 1. for storage keys of hugetlb folios and KVM
|
|
|
|
|
* 2. As an indication that this small folio might be secure. This can
|
2020-01-21 09:48:44 +01:00
|
|
|
* overindicate, e.g. we set the bit before calling
|
|
|
|
|
* convert_to_secure.
|
2024-05-08 20:29:50 +02:00
|
|
|
* As secure pages are never large folios, both variants can co-exists.
|
2020-01-21 09:48:44 +01:00
|
|
|
*/
|
2024-05-08 20:29:49 +02:00
|
|
|
if (!test_bit(PG_arch_1, &folio->flags))
|
2020-01-21 09:48:44 +01:00
|
|
|
return 0;
|
|
|
|
|
|
2024-05-08 20:29:49 +02:00
|
|
|
rc = uv_pin_shared(folio_to_phys(folio));
|
2020-01-21 09:48:44 +01:00
|
|
|
if (!rc) {
|
2024-05-08 20:29:49 +02:00
|
|
|
clear_bit(PG_arch_1, &folio->flags);
|
2020-01-21 09:48:44 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-08 20:29:49 +02:00
|
|
|
rc = uv_convert_from_secure(folio_to_phys(folio));
|
2020-01-21 09:48:44 +01:00
|
|
|
if (!rc) {
|
2024-05-08 20:29:49 +02:00
|
|
|
clear_bit(PG_arch_1, &folio->flags);
|
2020-01-21 09:48:44 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2024-05-08 20:29:54 +02:00
|
|
|
EXPORT_SYMBOL_GPL(arch_make_folio_accessible);
|
2020-01-21 09:48:44 +01:00
|
|
|
|
2020-02-13 04:15:25 -05:00
|
|
|
static ssize_t uv_query_facilities(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2020-02-13 04:15:25 -05:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n%lx\n%lx\n%lx\n",
|
|
|
|
|
uv_info.inst_calls_list[0],
|
|
|
|
|
uv_info.inst_calls_list[1],
|
|
|
|
|
uv_info.inst_calls_list[2],
|
|
|
|
|
uv_info.inst_calls_list[3]);
|
2020-02-13 04:15:25 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_facilities_attr =
|
|
|
|
|
__ATTR(facilities, 0444, uv_query_facilities, NULL);
|
|
|
|
|
|
2022-05-17 16:36:19 +00:00
|
|
|
static ssize_t uv_query_supp_se_hdr_ver(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_se_hdr_ver);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_se_hdr_ver_attr =
|
|
|
|
|
__ATTR(supp_se_hdr_ver, 0444, uv_query_supp_se_hdr_ver, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_supp_se_hdr_pcf(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_se_hdr_pcf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_se_hdr_pcf_attr =
|
|
|
|
|
__ATTR(supp_se_hdr_pcf, 0444, uv_query_supp_se_hdr_pcf, NULL);
|
|
|
|
|
|
2022-05-17 16:36:20 +00:00
|
|
|
static ssize_t uv_query_dump_cpu_len(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2022-05-17 16:36:20 +00:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.guest_cpu_stor_len);
|
2022-05-17 16:36:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_dump_cpu_len_attr =
|
|
|
|
|
__ATTR(uv_query_dump_cpu_len, 0444, uv_query_dump_cpu_len, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_dump_storage_state_len(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2022-05-17 16:36:20 +00:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.conf_dump_storage_state_len);
|
2022-05-17 16:36:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_dump_storage_state_len_attr =
|
|
|
|
|
__ATTR(dump_storage_state_len, 0444, uv_query_dump_storage_state_len, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_dump_finalize_len(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2022-05-17 16:36:20 +00:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.conf_dump_finalize_len);
|
2022-05-17 16:36:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_dump_finalize_len_attr =
|
|
|
|
|
__ATTR(dump_finalize_len, 0444, uv_query_dump_finalize_len, NULL);
|
|
|
|
|
|
2021-01-12 05:40:53 -05:00
|
|
|
static ssize_t uv_query_feature_indications(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.uv_feature_indications);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_feature_indications_attr =
|
|
|
|
|
__ATTR(feature_indications, 0444, uv_query_feature_indications, NULL);
|
|
|
|
|
|
2020-02-13 04:15:25 -05:00
|
|
|
static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2020-02-13 04:15:25 -05:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%d\n", uv_info.max_guest_cpu_id + 1);
|
2020-02-13 04:15:25 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_guest_cpus_attr =
|
|
|
|
|
__ATTR(max_cpus, 0444, uv_query_max_guest_cpus, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_max_guest_vms(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2020-02-13 04:15:25 -05:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%d\n", uv_info.max_num_sec_conf);
|
2020-02-13 04:15:25 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_guest_vms_attr =
|
|
|
|
|
__ATTR(max_guests, 0444, uv_query_max_guest_vms, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_max_guest_addr(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2020-02-13 04:15:25 -05:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.max_sec_stor_addr);
|
2020-02-13 04:15:25 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_guest_addr_attr =
|
|
|
|
|
__ATTR(max_address, 0444, uv_query_max_guest_addr, NULL);
|
|
|
|
|
|
2022-05-18 13:59:08 +00:00
|
|
|
static ssize_t uv_query_supp_att_req_hdr_ver(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2022-05-18 13:59:08 +00:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_att_req_hdr_ver);
|
2022-05-18 13:59:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_att_req_hdr_ver_attr =
|
|
|
|
|
__ATTR(supp_att_req_hdr_ver, 0444, uv_query_supp_att_req_hdr_ver, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_supp_att_pflags(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2022-05-18 13:59:08 +00:00
|
|
|
{
|
2023-06-15 12:05:32 +02:00
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_att_pflags);
|
2022-05-18 13:59:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_att_pflags_attr =
|
|
|
|
|
__ATTR(supp_att_pflags, 0444, uv_query_supp_att_pflags, NULL);
|
|
|
|
|
|
2023-06-15 12:05:33 +02:00
|
|
|
static ssize_t uv_query_supp_add_secret_req_ver(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_add_secret_req_ver);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_add_secret_req_ver_attr =
|
|
|
|
|
__ATTR(supp_add_secret_req_ver, 0444, uv_query_supp_add_secret_req_ver, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_supp_add_secret_pcf(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_add_secret_pcf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_add_secret_pcf_attr =
|
|
|
|
|
__ATTR(supp_add_secret_pcf, 0444, uv_query_supp_add_secret_pcf, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_supp_secret_types(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%lx\n", uv_info.supp_secret_types);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_supp_secret_types_attr =
|
|
|
|
|
__ATTR(supp_secret_types, 0444, uv_query_supp_secret_types, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_max_secrets(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
2024-10-24 08:26:38 +02:00
|
|
|
return sysfs_emit(buf, "%d\n",
|
|
|
|
|
uv_info.max_assoc_secrets + uv_info.max_retr_secrets);
|
2023-06-15 12:05:33 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_secrets_attr =
|
|
|
|
|
__ATTR(max_secrets, 0444, uv_query_max_secrets, NULL);
|
|
|
|
|
|
2024-10-24 08:26:38 +02:00
|
|
|
static ssize_t uv_query_max_retr_secrets(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%d\n", uv_info.max_retr_secrets);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_retr_secrets_attr =
|
|
|
|
|
__ATTR(max_retr_secrets, 0444, uv_query_max_retr_secrets, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_query_max_assoc_secrets(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr,
|
|
|
|
|
char *buf)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit(buf, "%d\n", uv_info.max_assoc_secrets);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_query_max_assoc_secrets_attr =
|
|
|
|
|
__ATTR(max_assoc_secrets, 0444, uv_query_max_assoc_secrets, NULL);
|
|
|
|
|
|
2020-02-13 04:15:25 -05:00
|
|
|
static struct attribute *uv_query_attrs[] = {
|
|
|
|
|
&uv_query_facilities_attr.attr,
|
2021-01-12 05:40:53 -05:00
|
|
|
&uv_query_feature_indications_attr.attr,
|
2020-02-13 04:15:25 -05:00
|
|
|
&uv_query_max_guest_cpus_attr.attr,
|
|
|
|
|
&uv_query_max_guest_vms_attr.attr,
|
|
|
|
|
&uv_query_max_guest_addr_attr.attr,
|
2022-05-17 16:36:19 +00:00
|
|
|
&uv_query_supp_se_hdr_ver_attr.attr,
|
|
|
|
|
&uv_query_supp_se_hdr_pcf_attr.attr,
|
2022-05-17 16:36:20 +00:00
|
|
|
&uv_query_dump_storage_state_len_attr.attr,
|
|
|
|
|
&uv_query_dump_finalize_len_attr.attr,
|
|
|
|
|
&uv_query_dump_cpu_len_attr.attr,
|
2022-05-18 13:59:08 +00:00
|
|
|
&uv_query_supp_att_req_hdr_ver_attr.attr,
|
|
|
|
|
&uv_query_supp_att_pflags_attr.attr,
|
2023-06-15 12:05:33 +02:00
|
|
|
&uv_query_supp_add_secret_req_ver_attr.attr,
|
|
|
|
|
&uv_query_supp_add_secret_pcf_attr.attr,
|
|
|
|
|
&uv_query_supp_secret_types_attr.attr,
|
|
|
|
|
&uv_query_max_secrets_attr.attr,
|
2024-10-24 08:26:38 +02:00
|
|
|
&uv_query_max_assoc_secrets_attr.attr,
|
|
|
|
|
&uv_query_max_retr_secrets_attr.attr,
|
2020-02-13 04:15:25 -05:00
|
|
|
NULL,
|
|
|
|
|
};
|
|
|
|
|
|
2024-10-23 09:55:28 +02:00
|
|
|
static inline struct uv_cb_query_keys uv_query_keys(void)
|
|
|
|
|
{
|
|
|
|
|
struct uv_cb_query_keys uvcb = {
|
|
|
|
|
.header.cmd = UVC_CMD_QUERY_KEYS,
|
|
|
|
|
.header.len = sizeof(uvcb)
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
uv_call(0, (uint64_t)&uvcb);
|
|
|
|
|
return uvcb;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline ssize_t emit_hash(struct uv_key_hash *hash, char *buf, int at)
|
|
|
|
|
{
|
|
|
|
|
return sysfs_emit_at(buf, at, "%016llx%016llx%016llx%016llx\n",
|
|
|
|
|
hash->dword[0], hash->dword[1], hash->dword[2], hash->dword[3]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_keys_host_key(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
struct uv_cb_query_keys uvcb = uv_query_keys();
|
|
|
|
|
|
|
|
|
|
return emit_hash(&uvcb.key_hashes[UVC_QUERY_KEYS_IDX_HK], buf, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_keys_host_key_attr =
|
|
|
|
|
__ATTR(host_key, 0444, uv_keys_host_key, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_keys_backup_host_key(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
struct uv_cb_query_keys uvcb = uv_query_keys();
|
|
|
|
|
|
|
|
|
|
return emit_hash(&uvcb.key_hashes[UVC_QUERY_KEYS_IDX_BACK_HK], buf, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_keys_backup_host_key_attr =
|
|
|
|
|
__ATTR(backup_host_key, 0444, uv_keys_backup_host_key, NULL);
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_keys_all(struct kobject *kobj,
|
|
|
|
|
struct kobj_attribute *attr, char *buf)
|
|
|
|
|
{
|
|
|
|
|
struct uv_cb_query_keys uvcb = uv_query_keys();
|
|
|
|
|
ssize_t len = 0;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(uvcb.key_hashes); i++)
|
|
|
|
|
len += emit_hash(uvcb.key_hashes + i, buf, len);
|
|
|
|
|
|
|
|
|
|
return len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_keys_all_attr =
|
|
|
|
|
__ATTR(all, 0444, uv_keys_all, NULL);
|
|
|
|
|
|
2020-02-13 04:15:25 -05:00
|
|
|
static struct attribute_group uv_query_attr_group = {
|
|
|
|
|
.attrs = uv_query_attrs,
|
|
|
|
|
};
|
|
|
|
|
|
2024-10-23 09:55:28 +02:00
|
|
|
static struct attribute *uv_keys_attrs[] = {
|
|
|
|
|
&uv_keys_host_key_attr.attr,
|
|
|
|
|
&uv_keys_backup_host_key_attr.attr,
|
|
|
|
|
&uv_keys_all_attr.attr,
|
|
|
|
|
NULL,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct attribute_group uv_keys_attr_group = {
|
|
|
|
|
.attrs = uv_keys_attrs,
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-09 09:33:12 -05:00
|
|
|
static ssize_t uv_is_prot_virt_guest(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2021-02-09 09:33:12 -05:00
|
|
|
{
|
2024-07-04 11:02:46 +00:00
|
|
|
return sysfs_emit(buf, "%d\n", prot_virt_guest);
|
2021-02-09 09:33:12 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ssize_t uv_is_prot_virt_host(struct kobject *kobj,
|
2023-06-15 12:05:32 +02:00
|
|
|
struct kobj_attribute *attr, char *buf)
|
2021-02-09 09:33:12 -05:00
|
|
|
{
|
2024-07-04 11:02:46 +00:00
|
|
|
return sysfs_emit(buf, "%d\n", prot_virt_host);
|
2021-02-09 09:33:12 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_prot_virt_guest =
|
|
|
|
|
__ATTR(prot_virt_guest, 0444, uv_is_prot_virt_guest, NULL);
|
|
|
|
|
|
|
|
|
|
static struct kobj_attribute uv_prot_virt_host =
|
|
|
|
|
__ATTR(prot_virt_host, 0444, uv_is_prot_virt_host, NULL);
|
|
|
|
|
|
|
|
|
|
static const struct attribute *uv_prot_virt_attrs[] = {
|
|
|
|
|
&uv_prot_virt_guest.attr,
|
|
|
|
|
&uv_prot_virt_host.attr,
|
|
|
|
|
NULL,
|
|
|
|
|
};
|
|
|
|
|
|
2020-02-13 04:15:25 -05:00
|
|
|
static struct kset *uv_query_kset;
|
2024-10-23 09:55:28 +02:00
|
|
|
static struct kset *uv_keys_kset;
|
2020-02-13 04:15:25 -05:00
|
|
|
static struct kobject *uv_kobj;
|
|
|
|
|
|
2024-10-15 13:39:39 +02:00
|
|
|
static int __init uv_sysfs_dir_init(const struct attribute_group *grp,
|
|
|
|
|
struct kset **uv_dir_kset, const char *name)
|
|
|
|
|
{
|
|
|
|
|
struct kset *kset;
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
kset = kset_create_and_add(name, NULL, uv_kobj);
|
|
|
|
|
if (!kset)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
*uv_dir_kset = kset;
|
|
|
|
|
|
|
|
|
|
rc = sysfs_create_group(&kset->kobj, grp);
|
|
|
|
|
if (rc)
|
|
|
|
|
kset_unregister(kset);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int __init uv_sysfs_init(void)
|
2020-02-13 04:15:25 -05:00
|
|
|
{
|
|
|
|
|
int rc = -ENOMEM;
|
|
|
|
|
|
|
|
|
|
if (!test_facility(158))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
uv_kobj = kobject_create_and_add("uv", firmware_kobj);
|
|
|
|
|
if (!uv_kobj)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2021-02-09 09:33:12 -05:00
|
|
|
rc = sysfs_create_files(uv_kobj, uv_prot_virt_attrs);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto out_kobj;
|
|
|
|
|
|
2024-10-15 13:39:39 +02:00
|
|
|
rc = uv_sysfs_dir_init(&uv_query_attr_group, &uv_query_kset, "query");
|
|
|
|
|
if (rc)
|
2021-02-09 09:33:12 -05:00
|
|
|
goto out_ind_files;
|
2020-02-13 04:15:25 -05:00
|
|
|
|
2024-10-23 09:55:28 +02:00
|
|
|
/* Get installed key hashes if available, ignore any errors */
|
|
|
|
|
if (test_bit_inv(BIT_UVC_CMD_QUERY_KEYS, uv_info.inst_calls_list))
|
|
|
|
|
uv_sysfs_dir_init(&uv_keys_attr_group, &uv_keys_kset, "keys");
|
|
|
|
|
|
2024-10-15 13:39:39 +02:00
|
|
|
return 0;
|
2020-02-13 04:15:25 -05:00
|
|
|
|
2021-02-09 09:33:12 -05:00
|
|
|
out_ind_files:
|
|
|
|
|
sysfs_remove_files(uv_kobj, uv_prot_virt_attrs);
|
2020-02-13 04:15:25 -05:00
|
|
|
out_kobj:
|
|
|
|
|
kobject_del(uv_kobj);
|
|
|
|
|
kobject_put(uv_kobj);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2024-10-15 13:39:39 +02:00
|
|
|
device_initcall(uv_sysfs_init);
|
2024-10-24 10:41:07 +02:00
|
|
|
|
|
|
|
|
/*
|
2025-04-24 15:36:15 +02:00
|
|
|
* Locate a secret in the list by its id.
|
|
|
|
|
* @secret_id: search pattern.
|
|
|
|
|
* @list: ephemeral buffer space
|
|
|
|
|
* @secret: output data, containing the secret's metadata.
|
|
|
|
|
*
|
|
|
|
|
* Search for a secret with the given secret_id in the Ultravisor secret store.
|
2024-10-24 10:41:07 +02:00
|
|
|
*
|
|
|
|
|
* Context: might sleep.
|
|
|
|
|
*/
|
|
|
|
|
static int find_secret_in_page(const u8 secret_id[UV_SECRET_ID_LEN],
|
|
|
|
|
const struct uv_secret_list *list,
|
|
|
|
|
struct uv_secret_list_item_hdr *secret)
|
|
|
|
|
{
|
|
|
|
|
u16 i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < list->total_num_secrets; i++) {
|
|
|
|
|
if (memcmp(secret_id, list->secrets[i].id, UV_SECRET_ID_LEN) == 0) {
|
|
|
|
|
*secret = list->secrets[i].hdr;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do the actual search for `uv_get_secret_metadata`.
|
2025-04-24 15:36:15 +02:00
|
|
|
* @secret_id: search pattern.
|
|
|
|
|
* @list: ephemeral buffer space
|
|
|
|
|
* @secret: output data, containing the secret's metadata.
|
2024-10-24 10:41:07 +02:00
|
|
|
*
|
|
|
|
|
* Context: might sleep.
|
|
|
|
|
*/
|
2025-04-24 15:36:15 +02:00
|
|
|
int uv_find_secret(const u8 secret_id[UV_SECRET_ID_LEN],
|
|
|
|
|
struct uv_secret_list *list,
|
|
|
|
|
struct uv_secret_list_item_hdr *secret)
|
2024-10-24 10:41:07 +02:00
|
|
|
{
|
|
|
|
|
u16 start_idx = 0;
|
|
|
|
|
u16 list_rc;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
uv_list_secrets(list, start_idx, &list_rc, NULL);
|
|
|
|
|
if (list_rc != UVC_RC_EXECUTED && list_rc != UVC_RC_MORE_DATA) {
|
|
|
|
|
if (list_rc == UVC_RC_INV_CMD)
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
else
|
|
|
|
|
return -EIO;
|
|
|
|
|
}
|
|
|
|
|
ret = find_secret_in_page(secret_id, list, secret);
|
|
|
|
|
if (ret == 0)
|
|
|
|
|
return ret;
|
|
|
|
|
start_idx = list->next_secret_idx;
|
|
|
|
|
} while (list_rc == UVC_RC_MORE_DATA && start_idx < list->next_secret_idx);
|
|
|
|
|
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
}
|
2025-04-24 15:36:15 +02:00
|
|
|
EXPORT_SYMBOL_GPL(uv_find_secret);
|
2024-10-24 10:41:07 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* uv_retrieve_secret() - get the secret value for the secret index.
|
|
|
|
|
* @secret_idx: Secret index for which the secret should be retrieved.
|
|
|
|
|
* @buf: Buffer to store retrieved secret.
|
|
|
|
|
* @buf_size: Size of the buffer. The correct buffer size is reported as part of
|
|
|
|
|
* the result from `uv_get_secret_metadata`.
|
|
|
|
|
*
|
|
|
|
|
* Calls the Retrieve Secret UVC and translates the UV return code into an errno.
|
|
|
|
|
*
|
|
|
|
|
* Context: might sleep.
|
|
|
|
|
*
|
|
|
|
|
* Return:
|
|
|
|
|
* * %0 - Entry found; buffer contains a valid secret.
|
|
|
|
|
* * %ENOENT: - No entry found or secret at the index is non-retrievable.
|
|
|
|
|
* * %ENODEV: - Not supported: UV not available or command not available.
|
|
|
|
|
* * %EINVAL: - Buffer too small for content.
|
|
|
|
|
* * %EIO: - Other unexpected UV error.
|
|
|
|
|
*/
|
|
|
|
|
int uv_retrieve_secret(u16 secret_idx, u8 *buf, size_t buf_size)
|
|
|
|
|
{
|
|
|
|
|
struct uv_cb_retr_secr uvcb = {
|
|
|
|
|
.header.len = sizeof(uvcb),
|
|
|
|
|
.header.cmd = UVC_CMD_RETR_SECRET,
|
|
|
|
|
.secret_idx = secret_idx,
|
|
|
|
|
.buf_addr = (u64)buf,
|
|
|
|
|
.buf_size = buf_size,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
uv_call_sched(0, (u64)&uvcb);
|
|
|
|
|
|
|
|
|
|
switch (uvcb.header.rc) {
|
|
|
|
|
case UVC_RC_EXECUTED:
|
|
|
|
|
return 0;
|
|
|
|
|
case UVC_RC_INV_CMD:
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
case UVC_RC_RETR_SECR_STORE_EMPTY:
|
|
|
|
|
case UVC_RC_RETR_SECR_INV_SECRET:
|
|
|
|
|
case UVC_RC_RETR_SECR_INV_IDX:
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
case UVC_RC_RETR_SECR_BUF_SMALL:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
default:
|
|
|
|
|
return -EIO;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(uv_retrieve_secret);
|