diff options
| author | Peter Maydell | 2020-04-30 15:00:36 +0200 |
|---|---|---|
| committer | Peter Maydell | 2020-04-30 15:00:36 +0200 |
| commit | 16aaacb307ed607b9780c12702c44f0fe52edc7e (patch) | |
| tree | 46cb25b7cfb44f59cb0f49c03b93ad1089199f68 /docs/system/s390x | |
| parent | Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2020-04-30' into ... (diff) | |
| parent | s390x/s390-virtio-ccw: Fix build on systems without KVM (diff) | |
| download | qemu-16aaacb307ed607b9780c12702c44f0fe52edc7e.tar.gz qemu-16aaacb307ed607b9780c12702c44f0fe52edc7e.tar.xz qemu-16aaacb307ed607b9780c12702c44f0fe52edc7e.zip | |
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20200430' into staging
- update Linux headers to 5.7-rc3 (and virtio-net fixup)
- support for protected virtualization aka secure execution
# gpg: Signature made Thu 30 Apr 2020 10:41:31 BST
# gpg: using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF
# gpg: issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [marginal]
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cohuck@kernel.org>" [marginal]
# gpg: aka "Cornelia Huck <cohuck@redhat.com>" [marginal]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF
* remotes/cohuck/tags/s390x-20200430:
s390x/s390-virtio-ccw: Fix build on systems without KVM
s390x/pv: Retry ioctls on -EINTR
s390x: protvirt: Fix stray error_report_err in s390_machine_protect
s390x: Add unpack facility feature to GA1
docs: system: Add protvirt docs
s390x: protvirt: Handle SIGP store status correctly
s390x: protvirt: Move IO control structures over SIDA
s390x: protvirt: Disable address checks for PV guest IO emulation
s390x: protvirt: Move diag 308 data over SIDA
s390x: protvirt: Set guest IPL PSW
s390x: protvirt: SCLP interpretation
s390x: protvirt: Move STSI data over SIDAD
s390x: Add SIDA memory ops
s390x: protvirt: KVM intercept changes
s390x: protvirt: Inhibit balloon when switching to protected mode
s390x: protvirt: Add migration blocker
s390x: protvirt: Support unpack facility
s390x: Move diagnose 308 subcodes and rcs into ipl.h
linux-headers: update against Linux 5.7-rc3
virtio-net: fix rsc_ext compat handling
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'docs/system/s390x')
| -rw-r--r-- | docs/system/s390x/protvirt.rst | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst new file mode 100644 index 0000000000..712974ad87 --- /dev/null +++ b/docs/system/s390x/protvirt.rst @@ -0,0 +1,60 @@ +Protected Virtualization on s390x +================================= + +The memory and most of the registers of Protected Virtual Machines +(PVMs) are encrypted or inaccessible to the hypervisor, effectively +prohibiting VM introspection when the VM is running. At rest, PVMs are +encrypted and can only be decrypted by the firmware, represented by an +entity called Ultravisor, of specific IBM Z machines. + + +Prerequisites +------------- + +To run PVMs, a machine with the Protected Virtualization feature, as +indicated by the Ultravisor Call facility (stfle bit 158), is +required. The Ultravisor needs to be initialized at boot by setting +`prot_virt=1` on the host's kernel command line. + +Running PVMs requires using the KVM hypervisor. + +If those requirements are met, the capability `KVM_CAP_S390_PROTECTED` +will indicate that KVM can support PVMs on that LPAR. + + +QEMU Settings +------------- + +To indicate to the VM that it can transition into protected mode, the +`Unpack facility` (stfle bit 161 represented by the feature +`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of +the VM. + +All I/O devices need to use the IOMMU. +Passthrough (vfio) devices are currently not supported. + +Host huge page backings are not supported. However guests can use huge +pages as indicated by its facilities. + + +Boot Process +------------ + +A secure guest image can either be loaded from disk or supplied on the +QEMU command line. Booting from disk is done by the unmodified +s390-ccw BIOS. I.e., the bootmap is interpreted, multiple components +are read into memory and control is transferred to one of the +components (zipl stage3). Stage3 does some fixups and then transfers +control to some program residing in guest memory, which is normally +the OS kernel. The secure image has another component prepended +(stage3a) that uses the new diag308 subcodes 8 and 10 to trigger the +transition into secure mode. + +Booting from the image supplied on the QEMU command line requires that +the file passed via -kernel has the same memory layout as would result +from the disk boot. This memory layout includes the encrypted +components (kernel, initrd, cmdline), the stage3a loader and +metadata. In case this boot method is used, the command line +options -initrd and -cmdline are ineffective. The preparation of a PVM +image is done via the `genprotimg` tool from the s390-tools +collection. |