• H
    s390/zcrypt: AP bus support for alternate driver(s) · 7e0bdbe5
    Harald Freudenberger 提交于
    The current AP bus, AP devices and AP device drivers implementation
    uses a clearly defined mapping for binding AP devices to AP device
    drivers. So for example a CEX6C queue will always be bound to the
    cex4queue device driver.
    
    The Linux Device Driver model has no sensitivity for more than one
    device driver eligible for one device type. If there exist more than
    one drivers matching to the device type, simple all drivers are tried
    consecutively.  There is no way to determine and influence the probing
    order of the drivers.
    
    With KVM there is a need to provide additional device drivers matching
    to the very same type of AP devices. With a simple implementation the
    KVM drivers run in competition to the regular drivers. Whichever
    'wins' a device depends on build order and implementation details
    within the common Linux Device Driver Model and is not
    deterministic. However, a userspace process could figure out which
    device should be bound to which driver and sort out the correct
    binding by manipulating attributes in the sysfs.
    
    If for security reasons a AP device must not get bound to the 'wrong'
    device driver the sorting out has to be done within the Linux kernel
    by the AP bus code. This patch modifies the behavior of the AP bus
    for probing drivers for devices in a way that two sets of drivers are
    usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a
    subset of the APQN range for 'usable by the ap bus and the default
    drivers' or 'not usable by the default drivers and thus available for
    alternate drivers like vfio-xxx'. So an APQN which is addressed by
    this masking only the default drivers will be probed. In contrary an
    APQN which is not addressed by the masks will never be probed and
    bound to default drivers but onny to alternate drivers.
    
    Eventually the two masks give a way to divide the range of APQNs into
    two pools: one pool of APQNs used by the AP bus and the default
    drivers and thus via zcrypt drivers available to the userspace of the
    system. And another pool where no zcrypt drivers are bound to and
    which can be used by alternate drivers (like vfio-xxx) for their
    needs. This division is hot-plug save and makes sure a APQN assigned
    to an alternate driver is at no time somehow exploitable by the wrong
    party.
    
    The two masks are located in sysfs at /sys/bus/ap/apmask and
    /sys/bus/ap/aqmask.  The mask syntax is exactly the same as the
    already existing mask attributes in the /sys/bus/ap directory (for
    example ap_usage_domain_mask and ap_control_domain_mask).
    
    By default all APQNs belong to the ap bus and the default drivers:
    
      cat /sys/bus/ap/apmask
      0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      cat /sys/bus/ap/aqmask
      0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    
    The masks can be changed at boot time with the kernel command line
    like this:
    
      ... ap.apmask=0xffff ap.aqmask=0x40
    
    This would give these two pools:
    
      default drivers pool:    adapter 0 - 15, domain 1
      alternate drivers pool:  adapter 0 - 15, all but domain 1
    			   adapter 16-255, all domains
    
    The sysfs attributes for this two masks are writeable and an
    administrator is able to reconfigure the assignements on the fly by
    writing new mask values into.  With changing the mask(s) a revision of
    the existing queue to driver bindings is done. So all APQNs which are
    bound to the 'wrong' driver are reprobed via kernel function
    device_reprobe() and thus the new correct driver will be assigned with
    respect of the changed apmask and aqmask bits.
    
    The mask values are bitmaps in big endian order starting with bit 0.
    So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs
    attributes accept 2 different formats:
    - Absolute hex string starting with 0x like "0x12345678" does set
      the mask starting from left to right. If the given string is shorter
      than the mask it is padded with 0s on the right. If the string is
      longer than the mask an error comes back (EINVAL).
    - '+' or '-' followed by a numerical value. Valid examples are "+1",
      "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed
      bit in the mask is switched on ('+') or off ('-').
    
    This patch will also be the base for an upcoming extension to the
    zcrypt drivers to be able to provide additional zcrypt device nodes
    with filtering based on ap and aq masks.
    Signed-off-by: NHarald Freudenberger <freude@linux.ibm.com>
    Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
    7e0bdbe5
zcrypt_pcixcc.c 8.2 KB