summaryrefslogblamecommitdiffstats
path: root/docs/vfio-ap.txt
blob: b1eb2deeaf2fe771800a80e6fe53e71a65e75749 (plain) (tree)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442

























































































































































































































































































































































































































































                                                                                
                                                                      























































































































                                                                                  















































                                                                                





























































                                                                             
                                            

































































































































































































                                                                                


                                                                               
 



                                                                               
Adjunct Processor (AP) Device
=============================

Contents:
=========
* Introduction
* AP Architectural Overview
* Start Interpretive Execution (SIE) Instruction
* AP Matrix Configuration on Linux Host
* Starting a Linux Guest Configured with an AP Matrix
* Example: Configure AP Matrices for Three Linux Guests

Introduction:
============
The IBM Adjunct Processor (AP) Cryptographic Facility is comprised
of three AP instructions and from 1 to 256 PCIe cryptographic adapter cards.
These AP devices provide cryptographic functions to all CPUs assigned to a
linux system running in an IBM Z system LPAR.

On s390x, AP adapter cards are exposed via the AP bus. This document
describes how those cards may be made available to KVM guests using the
VFIO mediated device framework.

AP Architectural Overview:
=========================
In order understand the terminology used in the rest of this document, let's
start with some definitions:

* AP adapter

  An AP adapter is an IBM Z adapter card that can perform cryptographic
  functions. There can be from 0 to 256 adapters assigned to an LPAR depending
  on the machine model. Adapters assigned to the LPAR in which a linux host is
  running will be available to the linux host. Each adapter is identified by a
  number from 0 to 255; however, the maximum adapter number allowed is
  determined by machine model. When installed, an AP adapter is accessed by
  AP instructions executed by any CPU.

* AP domain

  An adapter is partitioned into domains. Each domain can be thought of as
  a set of hardware registers for processing AP instructions. An adapter can
  hold up to 256 domains; however, the maximum domain number allowed is
  determined by machine model. Each domain is identified by a number from 0 to
  255. Domains can be further classified into two types:

    * Usage domains are domains that can be accessed directly to process AP
      commands

    * Control domains are domains that are accessed indirectly by AP
      commands sent to a usage domain to control or change the domain; for
      example, to set a secure private key for the domain.

* AP Queue

  An AP queue is the means by which an AP command-request message is sent to an
  AP usage domain inside a specific AP. An AP queue is identified by a tuple
  comprised of an AP adapter ID (APID) and an AP queue index (APQI). The
  APQI corresponds to a given usage domain number within the adapter. This tuple
  forms an AP Queue Number (APQN) uniquely identifying an AP queue. AP
  instructions include a field containing the APQN to identify the AP queue to
  which the AP command-request message is to be sent for processing.

* AP Instructions:

  There are three AP instructions:

  * NQAP: to enqueue an AP command-request message to a queue
  * DQAP: to dequeue an AP command-reply message from a queue
  * PQAP: to administer the queues

  AP instructions identify the domain that is targeted to process the AP
  command; this must be one of the usage domains. An AP command may modify a
  domain that is not one of the usage domains, but the modified domain
  must be one of the control domains.

Start Interpretive Execution (SIE) Instruction
==============================================
A KVM guest is started by executing the Start Interpretive Execution (SIE)
instruction. The SIE state description is a control block that contains the
state information for a KVM guest and is supplied as input to the SIE
instruction. The SIE state description contains a satellite control block called
the Crypto Control Block (CRYCB). The CRYCB contains three fields to identify
the adapters, usage domains and control domains assigned to the KVM guest:

* The AP Mask (APM) field is a bit mask that identifies the AP adapters assigned
  to the KVM guest. Each bit in the mask, from left to right, corresponds to
  an APID from 0-255. If a bit is set, the corresponding adapter is valid for
  use by the KVM guest.

* The AP Queue Mask (AQM) field is a bit mask identifying the AP usage domains
  assigned to the KVM guest. Each bit in the mask, from left to right,
  corresponds to  an AP queue index (APQI) from 0-255. If a bit is set, the
  corresponding queue is valid for use by the KVM guest.

* The AP Domain Mask field is a bit mask that identifies the AP control domains
  assigned to the KVM guest. The ADM bit mask controls which domains can be
  changed by an AP command-request message sent to a usage domain from the
  guest. Each bit in the mask, from left to right, corresponds to a domain from
  0-255. If a bit is set, the corresponding domain can be modified by an AP
  command-request message sent to a usage domain.

If you recall from the description of an AP Queue, AP instructions include
an APQN to identify the AP adapter and AP queue to which an AP command-request
message is to be sent (NQAP and PQAP instructions), or from which a
command-reply message is to be received (DQAP instruction). The validity of an
APQN is defined by the matrix calculated from the APM and AQM; it is the
cross product of all assigned adapter numbers (APM) with all assigned queue
indexes (AQM). For example, if adapters 1 and 2 and usage domains 5 and 6 are
assigned to a guest, the APQNs (1,5), (1,6), (2,5) and (2,6) will be valid for
the guest.

The APQNs can provide secure key functionality - i.e., a private key is stored
on the adapter card for each of its domains - so each APQN must be assigned to
at most one guest or the linux host.

   Example 1: Valid configuration:
   ------------------------------
   Guest1: adapters 1,2  domains 5,6
   Guest2: adapter  1,2  domain 7

   This is valid because both guests have a unique set of APQNs: Guest1 has
   APQNs (1,5), (1,6), (2,5) and (2,6); Guest2 has APQNs (1,7) and (2,7).

   Example 2: Valid configuration:
   ------------------------------
   Guest1: adapters 1,2 domains 5,6
   Guest2: adapters 3,4 domains 5,6

   This is also valid because both guests have a unique set of APQNs:
      Guest1 has APQNs (1,5), (1,6), (2,5), (2,6);
      Guest2 has APQNs (3,5), (3,6), (4,5), (4,6)

   Example 3: Invalid configuration:
   --------------------------------
   Guest1: adapters 1,2  domains 5,6
   Guest2: adapter  1    domains 6,7

   This is an invalid configuration because both guests have access to
   APQN (1,6).

AP Matrix Configuration on Linux Host:
=====================================
A linux system is a guest of the LPAR in which it is running and has access to
the AP resources configured for the LPAR. The LPAR's AP matrix is
configured via its Activation Profile which can be edited on the HMC. When the
linux system is started, the AP bus will detect the AP devices assigned to the
LPAR and create the following in sysfs:

/sys/bus/ap
... [devices]
...... xx.yyyy
...... ...
...... cardxx
...... ...

Where:
    cardxx     is AP adapter number xx (in hex)
....xx.yyyy    is an APQN with xx specifying the APID and yyyy specifying the
               APQI

For example, if AP adapters 5 and 6 and domains 4, 71 (0x47), 171 (0xab) and
255 (0xff) are configured for the LPAR, the sysfs representation on the linux
host system would look like this:

/sys/bus/ap
... [devices]
...... 05.0004
...... 05.0047
...... 05.00ab
...... 05.00ff
...... 06.0004
...... 06.0047
...... 06.00ab
...... 06.00ff
...... card05
...... card06

A set of default device drivers are also created to control each type of AP
device that can be assigned to the LPAR on which a linux host is running:

/sys/bus/ap
... [drivers]
...... [cex2acard]        for Crypto Express 2/3 accelerator cards
...... [cex2aqueue]       for AP queues served by Crypto Express 2/3
                          accelerator cards
...... [cex4card]         for Crypto Express 4/5/6 accelerator and coprocessor
                          cards
...... [cex4queue]        for AP queues served by Crypto Express 4/5/6
                          accelerator and coprocessor cards
...... [pcixcccard]       for Crypto Express 2/3 coprocessor cards
...... [pcixccqueue]      for AP queues served by Crypto Express 2/3
                          coprocessor cards

Binding AP devices to device drivers
------------------------------------
There are two sysfs files that specify bitmasks marking a subset of the APQN
range as 'usable by the default AP queue device drivers' or 'not usable by the
default device drivers' and thus available for use by the alternate device
driver(s). The sysfs locations of the masks are:

   /sys/bus/ap/apmask
   /sys/bus/ap/aqmask

   The 'apmask' is a 256-bit mask that identifies a set of AP adapter IDs
   (APID). Each bit in the mask, from left to right (i.e., from most significant
   to least significant bit in big endian order), corresponds to an APID from
   0-255. If a bit is set, the APID is marked as usable only by the default AP
   queue device drivers; otherwise, the APID is usable by the vfio_ap
   device driver.

   The 'aqmask' is a 256-bit mask that identifies a set of AP queue indexes
   (APQI). Each bit in the mask, from left to right (i.e., from most significant
   to least significant bit in big endian order), corresponds to an APQI from
   0-255. If a bit is set, the APQI is marked as usable only by the default AP
   queue device drivers; otherwise, the APQI is usable by the vfio_ap device
   driver.

   Take, for example, the following mask:

      0x7dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

    It indicates:

      1, 2, 3, 4, 5, and 7-255 belong to the default drivers' pool, and 0 and 6
      belong to the vfio_ap device driver's pool.

   The APQN of each AP queue device assigned to the linux host is checked by the
   AP bus against the set of APQNs derived from the cross product of APIDs
   and APQIs marked as usable only by the default AP queue device drivers. If a
   match is detected,  only the default AP queue device drivers will be probed;
   otherwise, the vfio_ap device driver will be probed.

   By default, the two masks are set to reserve all APQNs for use by the default
   AP queue device drivers. There are two ways the default masks can be changed:

   1. The sysfs mask files can be edited by echoing a string into the
      respective sysfs mask file in one of two formats:

      * An absolute hex string starting with 0x - like "0x12345678" - sets
        the mask. If the given string is shorter than the mask, it is padded
        with 0s on the right; for example, specifying a mask value of 0x41 is
        the same as specifying:

           0x4100000000000000000000000000000000000000000000000000000000000000

        Keep in mind that the mask reads from left to right (i.e., most
        significant to least significant bit in big endian order), so the mask
        above identifies device numbers 1 and 7 (01000001).

        If the string is longer than the mask, the operation is terminated with
        an error (EINVAL).

      * Individual bits in the mask can be switched on and off by specifying
        each bit number to be switched in a comma separated list. Each bit
        number string must be prepended with a ('+') or minus ('-') to indicate
        the corresponding bit is to be switched on ('+') or off ('-'). Some
        valid values are:

           "+0"    switches bit 0 on
           "-13"   switches bit 13 off
           "+0x41" switches bit 65 on
           "-0xff" switches bit 255 off

           The following example:
              +0,-6,+0x47,-0xf0

              Switches bits 0 and 71 (0x47) on
              Switches bits 6 and 240 (0xf0) off

        Note that the bits not specified in the list remain as they were before
        the operation.

   2. The masks can also be changed at boot time via parameters on the kernel
      command line like this:

         ap.apmask=0xffff ap.aqmask=0x40

         This would create the following masks:

            apmask:
            0xffff000000000000000000000000000000000000000000000000000000000000

            aqmask:
            0x4000000000000000000000000000000000000000000000000000000000000000

         Resulting in these two pools:

            default drivers pool:    adapter 0-15, domain 1
            alternate drivers pool:  adapter 16-255, domains 0, 2-255

Configuring an AP matrix for a linux guest.
------------------------------------------
The sysfs interfaces for configuring an AP matrix for a guest are built on the
VFIO mediated device framework. To configure an AP matrix for a guest, a
mediated matrix device must first be created for the /sys/devices/vfio_ap/matrix
device. When the vfio_ap device driver is loaded, it registers with the VFIO
mediated device framework. When the driver registers, the sysfs interfaces for
creating mediated matrix devices is created:

/sys/devices
... [vfio_ap]
......[matrix]
......... [mdev_supported_types]
............ [vfio_ap-passthrough]
............... create
............... [devices]

A mediated AP matrix device is created by writing a UUID to the attribute file
named 'create', for example:

   uuidgen > create

   or

   echo $uuid > create

When a mediated AP matrix device is created, a sysfs directory named after
the UUID is created in the 'devices' subdirectory:

/sys/devices
... [vfio_ap]
......[matrix]
......... [mdev_supported_types]
............ [vfio_ap-passthrough]
............... create
............... [devices]
.................. [$uuid]

There will also be three sets of attribute files created in the mediated
matrix device's sysfs directory to configure an AP matrix for the
KVM guest:

/sys/devices
... [vfio_ap]
......[matrix]
......... [mdev_supported_types]
............ [vfio_ap-passthrough]
............... create
............... [devices]
.................. [$uuid]
..................... assign_adapter
..................... assign_control_domain
..................... assign_domain
..................... matrix
..................... unassign_adapter
..................... unassign_control_domain
..................... unassign_domain

assign_adapter
   To assign an AP adapter to the mediated matrix device, its APID is written
   to the 'assign_adapter' file. This may be done multiple times to assign more
   than one adapter. The APID may be specified using conventional semantics
   as a decimal, hexadecimal, or octal number. For example, to assign adapters
   4, 5 and 16 to a mediated matrix device in decimal, hexadecimal and octal
   respectively:

       echo 4 > assign_adapter
       echo 0x5 > assign_adapter
       echo 020 > assign_adapter

   In order to successfully assign an adapter:

   * The adapter number specified must represent a value from 0 up to the
     maximum adapter number allowed by the machine model. If an adapter number
     higher than the maximum is specified, the operation will terminate with
     an error (ENODEV).

   * All APQNs that can be derived from the adapter ID being assigned and the
     IDs of the previously assigned domains must be bound to the vfio_ap device
     driver. If no domains have yet been assigned, then there must be at least
     one APQN with the specified APID bound to the vfio_ap driver. If no such
     APQNs are bound to the driver, the operation will terminate with an
     error (EADDRNOTAVAIL).

     No APQN that can be derived from the adapter ID and the IDs of the
     previously assigned domains can be assigned to another mediated matrix
     device. If an APQN is assigned to another mediated matrix device, the
     operation will terminate with an error (EADDRINUSE).

unassign_adapter
   To unassign an AP adapter, its APID is written to the 'unassign_adapter'
   file. This may also be done multiple times to unassign more than one adapter.

assign_domain
   To assign a usage domain, the domain number is written into the
   'assign_domain' file. This may be done multiple times to assign more than one
   usage domain. The domain number is specified using conventional semantics as
   a decimal, hexadecimal, or octal number. For example, to assign usage domains
   4, 8, and 71 to a mediated matrix device in decimal, hexadecimal and octal
   respectively:

      echo 4 > assign_domain
      echo 0x8 > assign_domain
      echo 0107 > assign_domain

   In order to successfully assign a domain:

   * The domain number specified must represent a value from 0 up to the
     maximum domain number allowed by the machine model. If a domain number
     higher than the maximum is specified, the operation will terminate with
     an error (ENODEV).

   * All APQNs that can be derived from the domain ID being assigned and the IDs
     of the previously assigned adapters must be bound to the vfio_ap device
     driver. If no domains have yet been assigned, then there must be at least
     one APQN with the specified APQI bound to the vfio_ap driver. If no such
     APQNs are bound to the driver, the operation will terminate with an
     error (EADDRNOTAVAIL).

     No APQN that can be derived from the domain ID being assigned and the IDs
     of the previously assigned adapters can be assigned to another mediated
     matrix device. If an APQN is assigned to another mediated matrix device,
     the operation will terminate with an error (EADDRINUSE).

unassign_domain
   To unassign a usage domain, the domain number is written into the
   'unassign_domain' file. This may be done multiple times to unassign more than
   one usage domain.

assign_control_domain
   To assign a control domain, the domain number is written into the
   'assign_control_domain' file. This may be done multiple times to
   assign more than one control domain. The domain number may be specified using
   conventional semantics as a decimal, hexadecimal, or octal number. For
   example, to assign  control domains 4, 8, and 71 to  a mediated matrix device
   in decimal, hexadecimal and octal respectively:

      echo 4 > assign_domain
      echo 0x8 > assign_domain
      echo 0107 > assign_domain

   In order to successfully assign a control domain, the domain number
   specified must represent a value from 0 up to the maximum domain number
   allowed by the machine model. If a control domain number higher than the
   maximum is specified, the operation will terminate with an error (ENODEV).

unassign_control_domain
   To unassign a control domain, the domain number is written into the
   'unassign_domain' file. This may be done multiple times to unassign more than
   one control domain.

Notes: No changes to the AP matrix will be allowed while a guest using
the mediated matrix device is running. Attempts to assign an adapter,
domain or control domain will be rejected and an error (EBUSY) returned.

Starting a Linux Guest Configured with an AP Matrix:
===================================================
To provide a mediated matrix device for use by a guest, the following option
must be specified on the QEMU command line:

   -device vfio_ap,sysfsdev=$path-to-mdev

The sysfsdev parameter specifies the path to the mediated matrix device.
There are a number of ways to specify this path:

/sys/devices/vfio_ap/matrix/$uuid
/sys/bus/mdev/devices/$uuid
/sys/bus/mdev/drivers/vfio_mdev/$uuid
/sys/devices/vfio_ap/matrix/mdev_supported_types/vfio_ap-passthrough/devices/$uuid

When the linux guest is started, the guest will open the mediated
matrix device's file descriptor to get information about the mediated matrix
device. The vfio_ap device driver will update the APM, AQM, and ADM fields in
the guest's CRYCB with the adapter, usage domain and control domains assigned
via the mediated matrix device's sysfs attribute files. Programs running on the
linux guest will then:

1. Have direct access to the APQNs derived from the cross product of the AP
   adapter numbers (APID) and queue indexes (APQI) specified in the APM and AQM
   fields of the guests's CRYCB respectively. These APQNs identify the AP queues
   that are valid for use by the guest; meaning, AP commands can be sent by the
   guest to any of these queues for processing.

2. Have authorization to process AP commands to change a control domain
   identified in the ADM field of the guest's CRYCB. The AP command must be sent
   to a valid APQN (see 1 above).

CPU model features:

Three CPU model features are available for controlling guest access to AP
facilities:

1. AP facilities feature

   The AP facilities feature indicates that AP facilities are installed on the
   guest. This feature will be exposed for use only if the AP facilities
   are installed on the host system. The feature is s390-specific and is
   represented as a parameter of the -cpu option on the QEMU command line:

      qemu-system-s390x -cpu $model,ap=on|off

      Where:

         $model is the CPU model defined for the guest (defaults to the model of
                the host system if not specified).

         ap=on|off indicates whether AP facilities are installed (on) or not
                   (off). The default for CPU models zEC12 or newer
                   is ap=on. AP facilities must be installed on the guest if a
                   vfio-ap device (-device vfio-ap,sysfsdev=$path) is configured
                   for the guest, or the guest will fail to start.

2. Query Configuration Information (QCI) facility

   The QCI facility is used by the AP bus running on the guest to query the
   configuration of the AP facilities. This facility will be available
   only if the QCI facility is installed on the host system. The feature is
   s390-specific and is represented as a parameter of the -cpu option on the
   QEMU command line:

      qemu-system-s390x -cpu $model,apqci=on|off

      Where:

         $model is the CPU model defined for the guest

         apqci=on|off indicates whether the QCI facility is installed (on) or
                      not (off). The default for CPU models zEC12 or newer
                      is apqci=on; for older models, QCI will not be installed.

                      If QCI is installed (apqci=on) but AP facilities are not
                      (ap=off), an error message will be logged, but the guest
                      will be allowed to start. It makes no sense to have QCI
                      installed if the AP facilities are not; this is considered
                      an invalid configuration.

                      If the QCI facility is not installed, APQNs with an APQI
                      greater than 15 will not be detected by the AP bus
                      running on the guest.

3. Adjunct Process Facility Test (APFT) facility

   The APFT facility is used by the AP bus running on the guest to test the
   AP facilities available for a given AP queue. This facility will be available
   only if the APFT facility is installed on the host system. The feature is
   s390-specific and is represented as a parameter of the -cpu option on the
   QEMU command line:

      qemu-system-s390x -cpu $model,apft=on|off

      Where:

         $model is the CPU model defined for the guest (defaults to the model of
                the host system if not specified).

         apft=on|off indicates whether the APFT facility is installed (on) or
                     not (off). The default for CPU models zEC12 and
                     newer is apft=on for older models, APFT will not be
                     installed.

                     If APFT is installed (apft=on) but AP facilities are not
                     (ap=off), an error message will be logged, but the guest
                     will be allowed to start. It makes no sense to have APFT
                     installed if the AP facilities are not; this is considered
                     an invalid configuration.

                     It also makes no sense to turn APFT off because the AP bus
                     running on the guest will not detect CEX4 and newer devices
                     without it. Since only CEX4 and newer devices are supported
                     for guest usage, no AP devices can be made accessible to a
                     guest started without APFT installed.

Hot plug a vfio-ap device into a running guest:
==============================================
Only one vfio-ap device can be attached to the virtual machine's ap-bus, so a
vfio-ap device can be hot plugged if and only if no vfio-ap device is attached
to the bus already, whether via the QEMU command line or a prior hot plug
action.

To hot plug a vfio-ap device, use the QEMU device_add command:

    (qemu) device_add vfio-ap,sysfsdev="$path-to-mdev"

    Where the '$path-to-mdev' value specifies the absolute path to a mediated
    device to which AP resources to be used by the guest have been assigned.

Note that on Linux guests, the AP devices will be created in the
/sys/bus/ap/devices directory when the AP bus subsequently performs its periodic
scan, so there may be a short delay before the AP devices are accessible on the
guest.

The command will fail if:

* A vfio-ap device has already been attached to the virtual machine's ap-bus.

* The CPU model features for controlling guest access to AP facilities are not
  enabled (see 'CPU model features' subsection in the previous section).

Hot unplug a vfio-ap device from a running guest:
================================================
A vfio-ap device can be unplugged from a running KVM guest if a vfio-ap device
has been attached to the virtual machine's ap-bus via the QEMU command line
or a prior hot plug action.

To hot unplug a vfio-ap device, use the QEMU device_del command:

    (qemu) device_del vfio-ap,sysfsdev="$path-to-mdev"

    Where $path-to-mdev is the same as the path specified when the vfio-ap
    device was attached to the virtual machine's ap-bus.

On a Linux guest, the AP devices will be removed from the /sys/bus/ap/devices
directory on the guest when the AP bus subsequently performs its periodic scan,
so there may be a short delay before the AP devices are no longer accessible by
the guest.

The command will fail if the $path-to-mdev specified on the device_del command
does not match the value specified when the vfio-ap device was attached to
the virtual machine's ap-bus.

Example: Configure AP Matrixes for Three Linux Guests:
=====================================================
Let's now provide an example to illustrate how KVM guests may be given
access to AP facilities. For this example, we will show how to configure
three guests such that executing the lszcrypt command on the guests would
look like this:

Guest1
------
CARD.DOMAIN TYPE  MODE
------------------------------
05          CEX5C CCA-Coproc
05.0004     CEX5C CCA-Coproc
05.00ab     CEX5C CCA-Coproc
06          CEX5A Accelerator
06.0004     CEX5A Accelerator
06.00ab     CEX5C CCA-Coproc

Guest2
------
CARD.DOMAIN TYPE  MODE
------------------------------
05          CEX5A Accelerator
05.0047     CEX5A Accelerator
05.00ff     CEX5A Accelerator (5,4), (5,171), (6,4), (6,171),

Guest3
------
CARD.DOMAIN TYPE  MODE
------------------------------
06          CEX5A Accelerator
06.0047     CEX5A Accelerator
06.00ff     CEX5A Accelerator

These are the steps:

1. Install the vfio_ap module on the linux host. The dependency chain for the
   vfio_ap module is:
   * iommu
   * s390
   * zcrypt
   * vfio
   * vfio_mdev
   * vfio_mdev_device
   * KVM

   To build the vfio_ap module, the kernel build must be configured with the
   following Kconfig elements selected:
   * IOMMU_SUPPORT
   * S390
   * ZCRYPT
   * S390_AP_IOMMU
   * VFIO
   * VFIO_MDEV
   * VFIO_MDEV_DEVICE
   * KVM

   If using make menuconfig select the following to build the vfio_ap module:
   -> Device Drivers
      -> IOMMU Hardware Support
         select S390 AP IOMMU Support
      -> VFIO Non-Privileged userspace driver framework
         -> Mediated device driver framework
            -> VFIO driver for Mediated devices
   -> I/O subsystem
      -> VFIO support for AP devices

2. Secure the AP queues to be used by the three guests so that the host can not
   access them. To secure the AP queues 05.0004, 05.0047, 05.00ab, 05.00ff,
   06.0004, 06.0047, 06.00ab, and 06.00ff for use by the vfio_ap device driver,
   the corresponding APQNs must be removed from the default queue drivers pool
   as follows:

      echo -5,-6 > /sys/bus/ap/apmask

      echo -4,-0x47,-0xab,-0xff > /sys/bus/ap/aqmask

   This will result in AP queues 05.0004, 05.0047, 05.00ab, 05.00ff, 06.0004,
   06.0047, 06.00ab, and 06.00ff getting bound to the vfio_ap device driver. The
   sysfs directory for the vfio_ap device driver will now contain symbolic links
   to the AP queue devices bound to it:

   /sys/bus/ap
   ... [drivers]
   ...... [vfio_ap]
   ......... [05.0004]
   ......... [05.0047]
   ......... [05.00ab]
   ......... [05.00ff]
   ......... [06.0004]
   ......... [06.0047]
   ......... [06.00ab]
   ......... [06.00ff]

   Keep in mind that only type 10 and newer adapters (i.e., CEX4 and later)
   can be bound to the vfio_ap device driver. The reason for this is to
   simplify the implementation by not needlessly complicating the design by
   supporting older devices that will go out of service in the relatively near
   future, and for which there are few older systems on which to test.

   The administrator, therefore, must take care to secure only AP queues that
   can be bound to the vfio_ap device driver. The device type for a given AP
   queue device can be read from the parent card's sysfs directory. For example,
   to see the hardware type of the queue 05.0004:

   cat /sys/bus/ap/devices/card05/hwtype

   The hwtype must be 10 or higher (CEX4 or newer) in order to be bound to the
   vfio_ap device driver.

3. Create the mediated devices needed to configure the AP matrixes for the
   three guests and to provide an interface to the vfio_ap driver for
   use by the guests:

   /sys/devices/vfio_ap/matrix/
   --- [mdev_supported_types]
   ------ [vfio_ap-passthrough] (passthrough mediated matrix device type)
   --------- create
   --------- [devices]

   To create the mediated devices for the three guests:

       uuidgen > create
       uuidgen > create
       uuidgen > create

        or

        echo $uuid1 > create
        echo $uuid2 > create
        echo $uuid3 > create

   This will create three mediated devices in the [devices] subdirectory named
   after the UUID used to create the mediated device. We'll call them $uuid1,
   $uuid2 and $uuid3 and this is the sysfs directory structure after creation:

   /sys/devices/vfio_ap/matrix/
   --- [mdev_supported_types]
   ------ [vfio_ap-passthrough]
   --------- [devices]
   ------------ [$uuid1]
   --------------- assign_adapter
   --------------- assign_control_domain
   --------------- assign_domain
   --------------- matrix
   --------------- unassign_adapter
   --------------- unassign_control_domain
   --------------- unassign_domain

   ------------ [$uuid2]
   --------------- assign_adapter
   --------------- assign_control_domain
   --------------- assign_domain
   --------------- matrix
   --------------- unassign_adapter
   ----------------unassign_control_domain
   ----------------unassign_domain

   ------------ [$uuid3]
   --------------- assign_adapter
   --------------- assign_control_domain
   --------------- assign_domain
   --------------- matrix
   --------------- unassign_adapter
   ----------------unassign_control_domain
   ----------------unassign_domain

4. The administrator now needs to configure the matrixes for the mediated
   devices $uuid1 (for Guest1), $uuid2 (for Guest2) and $uuid3 (for Guest3).

   This is how the matrix is configured for Guest1:

      echo 5 > assign_adapter
      echo 6 > assign_adapter
      echo 4 > assign_domain
      echo 0xab > assign_domain

      Control domains can similarly be assigned using the assign_control_domain
      sysfs file.

      If a mistake is made configuring an adapter, domain or control domain,
      you can use the unassign_xxx interfaces to unassign the adapter, domain or
      control domain.

      To display the matrix configuration for Guest1:

         cat matrix

         The output will display the APQNs in the format xx.yyyy, where xx is
         the adapter number and yyyy is the domain number. The output for Guest1
         will look like this:

         05.0004
         05.00ab
         06.0004
         06.00ab

   This is how the matrix is configured for Guest2:

      echo 5 > assign_adapter
      echo 0x47 > assign_domain
      echo 0xff > assign_domain

   This is how the matrix is configured for Guest3:

      echo 6 > assign_adapter
      echo 0x47 > assign_domain
      echo 0xff > assign_domain

5. Start Guest1:

   /usr/bin/qemu-system-s390x ... -cpu host,ap=on,apqci=on,apft=on \
      -device vfio-ap,sysfsdev=/sys/devices/vfio_ap/matrix/$uuid1 ...

7. Start Guest2:

   /usr/bin/qemu-system-s390x ... -cpu host,ap=on,apqci=on,apft=on \
      -device vfio-ap,sysfsdev=/sys/devices/vfio_ap/matrix/$uuid2 ...

7. Start Guest3:

   /usr/bin/qemu-system-s390x ... -cpu host,ap=on,apqci=on,apft=on \
      -device vfio-ap,sysfsdev=/sys/devices/vfio_ap/matrix/$uuid3 ...

When the guest is shut down, the mediated matrix devices may be removed.

Using our example again, to remove the mediated matrix device $uuid1:

   /sys/devices/vfio_ap/matrix/
      --- [mdev_supported_types]
      ------ [vfio_ap-passthrough]
      --------- [devices]
      ------------ [$uuid1]
      --------------- remove


   echo 1 > remove

   This will remove all of the mdev matrix device's sysfs structures including
   the mdev device itself. To recreate and reconfigure the mdev matrix device,
   all of the steps starting with step 3 will have to be performed again. Note
   that the remove will fail if a guest using the mdev is still running.

   It is not necessary to remove an mdev matrix device, but one may want to
   remove it if no guest will use it during the remaining lifetime of the linux
   host. If the mdev matrix device is removed, one may want to also reconfigure
   the pool of adapters and queues reserved for use by the default drivers.

Limitations
===========
* The KVM/kernel interfaces do not provide a way to prevent restoring an APQN
  to the default drivers pool of a queue that is still assigned to a mediated
  device in use by a guest. It is incumbent upon the administrator to
  ensure there is no mediated device in use by a guest to which the APQN is
  assigned lest the host be given access to the private data of the AP queue
  device, such as a private key configured specifically for the guest.

* Dynamically assigning AP resources to or unassigning AP resources from a
  mediated matrix device - see 'Configuring an AP matrix for a linux guest'
  section above - while a running guest is using it is currently not supported.

* Live guest migration is not supported for guests using AP devices. If a guest
  is using AP devices, the vfio-ap device configured for the guest must be
  unplugged before migrating the guest (see 'Hot unplug a vfio-ap device from a
  running guest' section above.