s390x: CPACF: Handle key wrap machine options
Check for the aes_key_wrap and dea_key_wrap machine options and set the appropriate KVM device attribute(s) to tell the kernel to enable or disable the AES/DEA protected key functions for the guest domain. This patch introduces two new machine options for indicating the state of AES/DEA key wrapping functions. This controls whether the guest will have access to the AES/DEA crypto functions. aes_key_wrap="on | off" is changed to aes-key-wrap="on | off" dea_key_wrap="on | off" is changed to dea-key-wrap="on | off" Check for the aes-key-wrap and dea-key-wrap machine options and set the appropriate KVM device attribute(s) to tell the kernel to enable or disable the AES/DEA protected key functions for the guest domain. Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com> Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com> Message-Id: <1426164834-38648-4-git-send-email-jfrei@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
This commit is contained in:
parent
2b147555f7
commit
2eb1cd0768
@ -22,6 +22,18 @@
|
||||
|
||||
#define TYPE_S390_CCW_MACHINE "s390-ccw-machine"
|
||||
|
||||
#define S390_CCW_MACHINE(obj) \
|
||||
OBJECT_CHECK(S390CcwMachineState, (obj), TYPE_S390_CCW_MACHINE)
|
||||
|
||||
typedef struct S390CcwMachineState {
|
||||
/*< private >*/
|
||||
MachineState parent_obj;
|
||||
|
||||
/*< public >*/
|
||||
bool aes_key_wrap;
|
||||
bool dea_key_wrap;
|
||||
} S390CcwMachineState;
|
||||
|
||||
void io_subsystem_reset(void)
|
||||
{
|
||||
DeviceState *css, *sclp, *flic;
|
||||
@ -207,9 +219,60 @@ static void ccw_machine_class_init(ObjectClass *oc, void *data)
|
||||
nc->nmi_monitor_handler = s390_nmi;
|
||||
}
|
||||
|
||||
static inline bool machine_get_aes_key_wrap(Object *obj, Error **errp)
|
||||
{
|
||||
S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
|
||||
|
||||
return ms->aes_key_wrap;
|
||||
}
|
||||
|
||||
static inline void machine_set_aes_key_wrap(Object *obj, bool value,
|
||||
Error **errp)
|
||||
{
|
||||
S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
|
||||
|
||||
ms->aes_key_wrap = value;
|
||||
}
|
||||
|
||||
static inline bool machine_get_dea_key_wrap(Object *obj, Error **errp)
|
||||
{
|
||||
S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
|
||||
|
||||
return ms->dea_key_wrap;
|
||||
}
|
||||
|
||||
static inline void machine_set_dea_key_wrap(Object *obj, bool value,
|
||||
Error **errp)
|
||||
{
|
||||
S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
|
||||
|
||||
ms->dea_key_wrap = value;
|
||||
}
|
||||
|
||||
static inline void s390_machine_initfn(Object *obj)
|
||||
{
|
||||
object_property_add_bool(obj, "aes-key-wrap",
|
||||
machine_get_aes_key_wrap,
|
||||
machine_set_aes_key_wrap, NULL);
|
||||
object_property_set_description(obj, "aes-key-wrap",
|
||||
"enable/disable AES key wrapping using the CPACF wrapping key",
|
||||
NULL);
|
||||
object_property_set_bool(obj, true, "aes-key-wrap", NULL);
|
||||
|
||||
object_property_add_bool(obj, "dea-key-wrap",
|
||||
machine_get_dea_key_wrap,
|
||||
machine_set_dea_key_wrap, NULL);
|
||||
object_property_set_description(obj, "dea-key-wrap",
|
||||
"enable/disable DEA key wrapping using the CPACF wrapping key",
|
||||
NULL);
|
||||
object_property_set_bool(obj, true, "dea-key-wrap", NULL);
|
||||
}
|
||||
|
||||
static const TypeInfo ccw_machine_info = {
|
||||
.name = TYPE_S390_CCW_MACHINE,
|
||||
.parent = TYPE_MACHINE,
|
||||
.instance_size = sizeof(S390CcwMachineState),
|
||||
.instance_init = s390_machine_initfn,
|
||||
.class_init = ccw_machine_class_init,
|
||||
.interfaces = (InterfaceInfo[]) {
|
||||
{ TYPE_NMI },
|
||||
|
@ -37,7 +37,9 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
|
||||
" kvm_shadow_mem=size of KVM shadow MMU\n"
|
||||
" dump-guest-core=on|off include guest memory in a core dump (default=on)\n"
|
||||
" mem-merge=on|off controls memory merge support (default: on)\n"
|
||||
" iommu=on|off controls emulated Intel IOMMU (VT-d) support (default=off)\n",
|
||||
" iommu=on|off controls emulated Intel IOMMU (VT-d) support (default=off)\n"
|
||||
" aes-key-wrap=on|off controls support for AES key wrapping (default=on)\n"
|
||||
" dea-key-wrap=on|off controls support for DEA key wrapping (default=on)\n",
|
||||
QEMU_ARCH_ALL)
|
||||
STEXI
|
||||
@item -machine [type=]@var{name}[,prop=@var{value}[,...]]
|
||||
@ -66,6 +68,14 @@ the host, de-duplicates identical memory pages among VMs instances
|
||||
(enabled by default).
|
||||
@item iommu=on|off
|
||||
Enables or disables emulated Intel IOMMU (VT-d) support. The default is off.
|
||||
@item aes-key-wrap=on|off
|
||||
Enables or disables AES key wrapping support on s390-ccw hosts. This feature
|
||||
controls whether AES wrapping keys will be created to allow
|
||||
execution of AES cryptographic functions. The default is on.
|
||||
@item dea-key-wrap=on|off
|
||||
Enables or disables DEA key wrapping support on s390-ccw hosts. This feature
|
||||
controls whether DEA wrapping keys will be created to allow
|
||||
execution of DEA cryptographic functions. The default is on.
|
||||
@end table
|
||||
ETEXI
|
||||
|
||||
|
@ -193,6 +193,55 @@ static void kvm_s390_enable_cmma(KVMState *s)
|
||||
trace_kvm_enable_cmma(rc);
|
||||
}
|
||||
|
||||
static void kvm_s390_set_attr(uint64_t attr)
|
||||
{
|
||||
struct kvm_device_attr attribute = {
|
||||
.group = KVM_S390_VM_CRYPTO,
|
||||
.attr = attr,
|
||||
};
|
||||
|
||||
int ret = kvm_vm_ioctl(kvm_state, KVM_SET_DEVICE_ATTR, &attribute);
|
||||
|
||||
if (ret) {
|
||||
error_report("Failed to set crypto device attribute %lu: %s",
|
||||
attr, strerror(-ret));
|
||||
}
|
||||
}
|
||||
|
||||
static void kvm_s390_init_aes_kw(void)
|
||||
{
|
||||
uint64_t attr = KVM_S390_VM_CRYPTO_DISABLE_AES_KW;
|
||||
|
||||
if (object_property_get_bool(OBJECT(qdev_get_machine()), "aes-key-wrap",
|
||||
NULL)) {
|
||||
attr = KVM_S390_VM_CRYPTO_ENABLE_AES_KW;
|
||||
}
|
||||
|
||||
if (kvm_vm_check_attr(kvm_state, KVM_S390_VM_CRYPTO, attr)) {
|
||||
kvm_s390_set_attr(attr);
|
||||
}
|
||||
}
|
||||
|
||||
static void kvm_s390_init_dea_kw(void)
|
||||
{
|
||||
uint64_t attr = KVM_S390_VM_CRYPTO_DISABLE_DEA_KW;
|
||||
|
||||
if (object_property_get_bool(OBJECT(qdev_get_machine()), "dea-key-wrap",
|
||||
NULL)) {
|
||||
attr = KVM_S390_VM_CRYPTO_ENABLE_DEA_KW;
|
||||
}
|
||||
|
||||
if (kvm_vm_check_attr(kvm_state, KVM_S390_VM_CRYPTO, attr)) {
|
||||
kvm_s390_set_attr(attr);
|
||||
}
|
||||
}
|
||||
|
||||
static void kvm_s390_init_crypto(void)
|
||||
{
|
||||
kvm_s390_init_aes_kw();
|
||||
kvm_s390_init_dea_kw();
|
||||
}
|
||||
|
||||
int kvm_arch_init(MachineState *ms, KVMState *s)
|
||||
{
|
||||
cap_sync_regs = kvm_check_extension(s, KVM_CAP_SYNC_REGS);
|
||||
@ -234,6 +283,8 @@ void kvm_s390_reset_vcpu(S390CPU *cpu)
|
||||
if (kvm_vcpu_ioctl(cs, KVM_S390_INITIAL_RESET, NULL)) {
|
||||
error_report("Initial CPU reset failed on CPU %i", cs->cpu_index);
|
||||
}
|
||||
|
||||
kvm_s390_init_crypto();
|
||||
}
|
||||
|
||||
static int can_sync_regs(CPUState *cs, int regs)
|
||||
|
Loading…
Reference in New Issue
Block a user