In preparation I did prepare the series for Disco/Cosmic:

For libvirt 4.6 compared to our series to 4.0:
- drop three being upstream in 4.4 and 4.6
  2b9690b62d01bb0b8555764e2365976b98fe4d47 v4.4.0
  21442874cf61ce61c7e0f8bcd616641f35adda2b v4.4.0
  d54e45b6edd7623e488a19e30bc4148a21fa8b03 v4.6.0
- old lp1787405-0006-conf-Move-VFIO-AP-validation-from-post-parse-to-QEMU.patch
  backport can now use the upstream versions of
  208d6e6f5aafa102d04ce300c6338b0736bb52df and
  faab373b53e1a4eacf0d6f524eb47df243f21fac instead
- we can now use the upstream patch for
  f865d58028ccd568b6e7909608678584b12d3c90 as-is
- context updates for
  debian/patches/ubuntu/lp1787405-0003-qemu-add-vfio-ap-capability.patch
- also updated the Bionic branch as I realized patch 6 had actually two
  upstream patches as source (only meta data).

For qemu:
- patch debian/patches/ubuntu/lp1787405-0001-linux-headers-update.patch had
  some minor context updates
- patches
  ubuntu/lp1787405-0002-s390x-cpumodel-Set-up-CPU-model-for-AP-device-suppor.patch
  and
  ubuntu/lp1787405-0004-s390x-ap-base-Adjunct-Processor-AP-object-model.patch
  can now use the upstream version as-is
- some minor header updates for the Bionic branch

Both branches are built for Disco in the PPA we already used [1].

I'll wait another day for the libvirt upstreaming - there were a few
reviews, but no formal ack's yet. I'll ping via IRC if nothing more is
happening until tomorrow.


FYI: To add more fun to all the code-porting I just happened to realize that 
there is also a bunch of CVE fixes incoming (I don't know the content yet). But 
that might force us to bump these branches once more.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3520

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1787405

Title:
  [FEAT] Guest-dedicated Crypto Adapters

Status in Ubuntu on IBM z Systems:
  In Progress
Status in libvirt package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Fix Committed
Status in qemu package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  == SRU Justification ==

  (Kernel SRU)

  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices
  to a KVM guest such that the hypervisor cannot observe the communication of
  the guest with the device.
  (Since all kernel patches/commits are from kernel 4.19, they will
  automagically land in 'Disco'.)

  == Fix ==

  9ea5972 ("KVM: s390: vsie: simulate VCPU SIE entry/exit")
  3194cdb ("KVM: s390: introduce and use KVM_REQ_VSIE_RESTART")
  e585b24 ("KVM: s390: refactor crypto initialization")
  1fde573 ("s390: vfio-ap: base implementation of VFIO AP device driver")
  65f0671 ("s390: vfio-ap: register matrix device with VFIO mdev framework")
  96d152b ("s390: vfio-ap: sysfs interfaces to configure adapters")
  3211da0 ("s390: vfio-ap: sysfs interfaces to configure domains")
  3b1eab7 ("s390: vfio-ap: sysfs interfaces to configure control domains")
  81b2b4b ("s390: vfio-ap: sysfs interface to view matrix mdev matrix")
  4210459 ("KVM: s390: interface to clear CRYCB masks")
  258287c ("s390: vfio-ap: implement mediated device open callback")
  e06670c ("s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl")
  46a7263 ("s390: vfio-ap: zeroize the AP queues")
  cd8a377 ("s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl")
  6cc571b ("KVM: s390: Clear Crypto Control Block when using vSIE")
  d6f6959 ("KVM: s390: vsie: Do the CRYCB validation first")
  3af84de ("KVM: s390: vsie: Make use of CRYCB FORMAT2 clear")
  56019f9 ("KVM: s390: vsie: Allow CRYCB FORMAT-2")
  19fd83a ("KVM: s390: vsie: allow CRYCB FORMAT-1")
  6ee7409 ("KVM: s390: vsie: allow CRYCB FORMAT-0")
  c9ba8c2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1")
  6b79de4 ("KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2")
  9ee71f2 ("KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2")
  37940fb ("KVM: s390: device attrs to enable/disable AP interpretation")
  112c24d ("KVM: s390: CPU model support for AP virtualization")
  492a6be ("s390: doc: detailed specifications for AP virtualization")

  <-- till here in 'kvm/next'
  (https://git.kernel.org/pub/scm/virt/kvm/kvm.git/) -->

  8e41bd5 ("KVM: s390: fix locking for crypto setting error path")
  0e237e4 ("KVM: s390: Tracing APCB changes")
  76c7829 ("s390: vfio-ap: setup APCB mask using KVM dedicated function")

  <-- till here in 'kvms390/next'
  (https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/)
  -->

  <-- In addition to that some prereqs for the 'ap/crypto' driver are
  necessary -->

  ea3c418 ("s390/zcrypt: Add ZAPQ inline function.")
  df80c03 ("s390/zcrypt: Review inline assembler constraints.")
  f1b0a43 ("s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.")
  2395103 ("s390/zcrypt: fix ap_instructions_available() returncodes")
  7e0bdbe ("s390/zcrypt: AP bus support for alternate driver(s)")
  3d8f60d3 ("s390/zcrypt: hex string mask improvements for apmask and aqmask.")
  fa108f9 ("s390/zcrypt: remove VLA usage from the AP bus")

  <--
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1787405/comments/12
  -->

  == PATCH ==

  Above git commits are all from 4.19.
  The git commands for 4.18 would be:

  $ git cherry-pick <all from 'kvm/next' list>

  (112c24d "KVM: s390: CPU model support for AP virtualization" may have
  a trivial merge conflict with the etoken patch)

  $ git cherry-pick <all from 'kvms390/next' list>

  $ git cherry-pick <all from 'ap/zcrypt' list>

  == Regression Potential ==

  Low to mid:

  - mid because in summary there are a lot of changes, but low
  - they are all limited to the s390x architecture
  - and again limited to KVM/s390x, vfio-ap and the zcrypt (aka ap) driver
  - Test kernel was built for testing.

  == Test Case ==

  Setup a system for KVM use on an s390x LPAR that has CryptoExpress (aka
  crypto-) adapters installed.
  Verify that the AP bus created a sysfs device for each APQN, like:
  /sys/devices/ap/card04/04.0006
  /sys/devices/ap/card04/04.0047
  /sys/devices/ap/card0a/0a.0006
  /sys/devices/ap/card0a/0a.0047
  Verify the APQN range via the following two sysfs files:
  /sys/bus/ap/apmask
  /sys/bus/ap/aqmask
  Configure and start a guest.
  More details see: 492a6be ("s390: doc: detailed specifications for AP
  virtualization")
  But for that an updated qemu and libvirt should be in place - that's
  addressed in LP1787405, too.
  (So this is only the kernel part of that ticket.)
  __________

  Description:
  Allow kvm to dedicate crypto adapters (and domains) as passthrough devices
  to a KVM guest such that the hypervisor cannot observe the communication of
  the guest with the device.

  This functionality will be contributed to the following packages:
  kernel, qemu and libvirt.

  Currently these functions are not finalized and therefore no git commits
  are available,
  - kernel > 4.19
  - libvirt  > 4.6.0
  - qemu  > 3.0

  We will provide these as soon as possible.

  This request is launched against Ubuntu 18.10 to fulfil the feature
  integration process of Canonical.
  But the main intention is to get this integrated into 18.04 LTS !!!!!!

  Therefore, the backports will be required for both distros!
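
Added example (not part of the bug report or of any of the listed patches): one way to carry out the "verify the APQN range" step of the test case by decoding apmask/aqmask and checking which APQNs stay with the default zcrypt drivers. It assumes the AP bus mask format of "0x" plus 64 hex digits with bit 0 leftmost, and that an APQN is reserved for the default drivers only when both its adapter bit and its domain bit are set; the mask values and function names are constructed for illustration.

```python
import re

MASK_BITS = 256  # apmask and aqmask each cover IDs 0..255


def mask_ids(mask_hex):
    """Return the IDs whose bit is set; bit 0 is the leftmost (most significant) bit."""
    digits = mask_hex.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("expected a 256-bit mask written as 64 hex digits")
    value = int(digits, 16)
    return {i for i in range(MASK_BITS) if (value >> (MASK_BITS - 1 - i)) & 1}


def parse_apqn(name):
    """Split a sysfs queue name such as '0a.0047' into (adapter, domain)."""
    m = re.fullmatch(r"([0-9a-f]{2})\.([0-9a-f]{4})", name.strip().lower())
    if not m:
        raise ValueError("not an APQN device name: %r" % name)
    return int(m.group(1), 16), int(m.group(2), 16)


def classify(apqn_names, apmask, aqmask):
    """Map each APQN name to the driver class the two masks leave it with."""
    adapters, domains = mask_ids(apmask), mask_ids(aqmask)
    result = {}
    for name in apqn_names:
        adapter, domain = parse_apqn(name)
        reserved = adapter in adapters and domain in domains
        result[name] = "default-drivers" if reserved else "free-for-vfio-ap"
    return result


# APQN names as listed in the test case; the mask values are constructed:
# every adapter bit set except adapter 0x0a, every domain bit set.
SAMPLE_APQNS = ["04.0006", "04.0047", "0a.0006", "0a.0047"]
SAMPLE_APMASK = "0xffd" + "f" * 61
SAMPLE_AQMASK = "0x" + "f" * 64

if __name__ == "__main__":
    for apqn, owner in classify(SAMPLE_APQNS, SAMPLE_APMASK, SAMPLE_AQMASK).items():
        print(apqn, owner)
```

On a real host the two mask strings would be read from /sys/bus/ap/apmask and /sys/bus/ap/aqmask and the names from the queue directories under /sys/devices/ap/.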
