OpenCloudOS-Kernel/drivers/s390/crypto/ap_bus.c

1701 lines
41 KiB
C
Raw Normal View History

// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright IBM Corp. 2006, 2012
* Author(s): Cornelia Huck <cornelia.huck@de.ibm.com>
* Martin Schwidefsky <schwidefsky@de.ibm.com>
* Ralph Wuerthner <rwuerthn@de.ibm.com>
* Felix Beck <felix.beck@de.ibm.com>
* Holger Dengler <hd@linux.vnet.ibm.com>
*
* Adjunct processor bus.
*/
#define KMSG_COMPONENT "ap"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
#include <linux/kernel_stat.h>
#include <linux/moduleparam.h>
#include <linux/init.h>
#include <linux/delay.h>
#include <linux/err.h>
#include <linux/interrupt.h>
#include <linux/workqueue.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
#include <linux/slab.h>
#include <linux/notifier.h>
#include <linux/kthread.h>
#include <linux/mutex.h>
#include <linux/suspend.h>
#include <asm/airq.h>
#include <linux/atomic.h>
#include <asm/isc.h>
#include <linux/hrtimer.h>
#include <linux/ktime.h>
#include <asm/facility.h>
#include <linux/crypto.h>
#include <linux/mod_devicetable.h>
#include <linux/debugfs.h>
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
#include <linux/ctype.h>
#include "ap_bus.h"
#include "ap_debug.h"
/*
* Module parameters; note though this file itself isn't modular.
*/
int ap_domain_index = -1; /* Adjunct Processor Domain Index */
static DEFINE_SPINLOCK(ap_domain_lock);
module_param_named(domain, ap_domain_index, int, 0440);
MODULE_PARM_DESC(domain, "domain index for ap devices");
EXPORT_SYMBOL(ap_domain_index);
static int ap_thread_flag;
module_param_named(poll_thread, ap_thread_flag, int, 0440);
MODULE_PARM_DESC(poll_thread, "Turn on/off poll thread, default is 0 (off).");
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static char *apm_str;
module_param_named(apmask, apm_str, charp, 0440);
MODULE_PARM_DESC(apmask, "AP bus adapter mask.");
static char *aqm_str;
module_param_named(aqmask, aqm_str, charp, 0440);
MODULE_PARM_DESC(aqmask, "AP bus domain mask.");
static struct device *ap_root_device;
DEFINE_SPINLOCK(ap_list_lock);
LIST_HEAD(ap_card_list);
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
/* Default permissions (ioctl, card and domain masking) */
struct ap_perms ap_perms;
EXPORT_SYMBOL(ap_perms);
DEFINE_MUTEX(ap_perms_mutex);
EXPORT_SYMBOL(ap_perms_mutex);
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static struct ap_config_info *ap_configuration;
s390/zcrypt: Fix kernel crash on systems without AP bus support On systems without AP bus (e.g. KVM) the kernel crashes during init calls when zcrypt is built-in: kernel BUG at drivers/base/driver.c:153! illegal operation: 0001 ilc:1 [#1] SMP Modules linked in: CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0+ #221 task: 0000000010a40000 ti: 0000000010a48000 task.ti:0000000010a48000 Krnl PSW : 0704c00180000000 0000000000592bd6(driver_register+0x106/0x140) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 0000000000000012 0000000000000000 0000000000c45328 0000000000c44e30 00000000009ef63c 000000000067f598 0000000000cf3c58 0000000000000000 000000000000007b 0000000000cb1030 0000000000000002 0000000000000000 0000000000ca8580 0000000010306700 00000000001001d8 0000000010a4bd88 Krnl Code: 0000000000592bc6: f0b00004ebcf srp 4(12,%r0),3023(%r14),0 0000000000592bcc: f0a0000407f4 srp 4(11,%r0),2036,0 #0000000000592bd2: a7f40001 brc 15,592bd4 >0000000000592bd6: e330d0000004 lg %r3,0(%r13) 0000000000592bdc: c0200021edfd larl %r2,9d07d6 0000000000592be2: c0e500126d8f brasl %r14,7e0700 0000000000592be8: e330d0080004 lg %r3,8(%r13) 0000000000592bee: a7f4ffab brc 15,592b44 Call Trace: ([<00000000001001c8>] do_one_initcall+0x90/0x1d0) [<0000000000c6dd34>] kernel_init_freeable+0x1e4/0x2a0 [<00000000007db53a>] kernel_init+0x2a/0x120 [<00000000007e8ece>] kernel_thread_starter+0x6/0xc [<00000000007e8ec8>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<0000000000592bd2>] driver_register+0x102/0x140 When zcrypt is built as a module, the module loader ensures that the driver modules cannot be loaded if the AP bus module returns an error during initialisation. But if zcrypt and the driver are built-in, the driver is getting initialised even if the AP bus initialisation failed. The driver invokes ap_driver_register() during initialisation, which then causes operations on uninitialised data structures to be performed. Explicitly protect ap_driver_register() by introducing an "initialised" flag that gets set iff the AP bus initialisation was successful. When the AP bus initialisation failed, ap_driver_register() will error out with -ENODEV, causing the driver initialisation to fail as well. Test results: 1. Inside KVM (no AP bus), zcrypt built-in Boots. /sys/bus/ap not present (expected). 2. Inside KVM (no AP bus), zcrypt as module Boots. Loading zcrypt_cex4 fails because loading ap_bus fails (expected). 3. On LPAR with CEX5, zcrypt built-in Boots. /sys/bus/ap/devices/card* present but .../card*/type missing (i.e. zcrypt_device_register() fails, unrelated issue). 4. On LPAR with CEX5, zcrypt as module Boots. Loading zcrypt_cex4 successful, /sys/bus/ap/devices/card*/type present. No further testing (user-space functionality) was done. Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2015-10-28 01:29:52 +08:00
static bool initialised;
/*
* AP bus related debug feature things.
*/
debug_info_t *ap_dbf_info;
/*
* Workqueue timer for bus rescan.
*/
static struct timer_list ap_config_timer;
static int ap_config_time = AP_CONFIG_TIME;
static void ap_scan_bus(struct work_struct *);
static DECLARE_WORK(ap_scan_work, ap_scan_bus);
/*
* Tasklet & timer for AP request polling and interrupts
*/
static void ap_tasklet_fn(unsigned long);
static DECLARE_TASKLET(ap_tasklet, ap_tasklet_fn, 0);
static DECLARE_WAIT_QUEUE_HEAD(ap_poll_wait);
static struct task_struct *ap_poll_kthread;
static DEFINE_MUTEX(ap_poll_thread_mutex);
static DEFINE_SPINLOCK(ap_poll_timer_lock);
static struct hrtimer ap_poll_timer;
/*
* In LPAR poll with 4kHz frequency. Poll every 250000 nanoseconds.
* If z/VM change to 1500000 nanoseconds to adjust to z/VM polling.
*/
static unsigned long long poll_timeout = 250000;
/* Suspend flag */
static int ap_suspend_flag;
/* Maximum domain id */
static int ap_max_domain_id;
/*
* Flag to check if domain was set through module parameter domain=. This is
* important when supsend and resume is done in a z/VM environment where the
* domain might change.
*/
static int user_set_domain;
static struct bus_type ap_bus_type;
/* Adapter interrupt definitions */
static void ap_interrupt_handler(struct airq_struct *airq, bool floating);
static int ap_airq_flag;
static struct airq_struct ap_airq = {
.handler = ap_interrupt_handler,
.isc = AP_ISC,
};
/**
* ap_using_interrupts() - Returns non-zero if interrupt support is
* available.
*/
static inline int ap_using_interrupts(void)
{
return ap_airq_flag;
}
/**
* ap_airq_ptr() - Get the address of the adapter interrupt indicator
*
* Returns the address of the local-summary-indicator of the adapter
* interrupt handler for AP, or NULL if adapter interrupts are not
* available.
*/
void *ap_airq_ptr(void)
{
if (ap_using_interrupts())
return ap_airq.lsi_ptr;
return NULL;
}
/**
* ap_interrupts_available(): Test if AP interrupts are available.
*
* Returns 1 if AP interrupts are available.
*/
static int ap_interrupts_available(void)
{
return test_facility(65);
}
/**
* ap_configuration_available(): Test if AP configuration
* information is available.
*
* Returns 1 if AP configuration information is available.
*/
static int ap_configuration_available(void)
{
return test_facility(12);
}
/**
* ap_apft_available(): Test if AP facilities test (APFT)
* facility is available.
*
* Returns 1 if APFT is is available.
*/
static int ap_apft_available(void)
{
return test_facility(15);
}
/*
* ap_qact_available(): Test if the PQAP(QACT) subfunction is available.
*
* Returns 1 if the QACT subfunction is available.
*/
static inline int ap_qact_available(void)
{
if (ap_configuration)
return ap_configuration->qact;
return 0;
}
/*
* ap_query_configuration(): Fetch cryptographic config info
*
* Returns the ap configuration info fetched via PQAP(QCI).
* On success 0 is returned, on failure a negative errno
* is returned, e.g. if the PQAP(QCI) instruction is not
* available, the return value will be -EOPNOTSUPP.
*/
static inline int ap_query_configuration(struct ap_config_info *info)
{
if (!ap_configuration_available())
return -EOPNOTSUPP;
if (!info)
return -EINVAL;
return ap_qci(info);
}
EXPORT_SYMBOL(ap_query_configuration);
/**
* ap_init_configuration(): Allocate and query configuration array.
*/
static void ap_init_configuration(void)
{
if (!ap_configuration_available())
return;
ap_configuration = kzalloc(sizeof(*ap_configuration), GFP_KERNEL);
if (!ap_configuration)
return;
if (ap_query_configuration(ap_configuration) != 0) {
kfree(ap_configuration);
ap_configuration = NULL;
return;
}
}
/*
* ap_test_config(): helper function to extract the nrth bit
* within the unsigned int array field.
*/
static inline int ap_test_config(unsigned int *field, unsigned int nr)
{
return ap_test_bit((field + (nr >> 5)), (nr & 0x1f));
}
/*
* ap_test_config_card_id(): Test, whether an AP card ID is configured.
* @id AP card ID
*
* Returns 0 if the card is not configured
* 1 if the card is configured or
* if the configuration information is not available
*/
static inline int ap_test_config_card_id(unsigned int id)
{
if (!ap_configuration) /* QCI not supported */
/* only ids 0...3F may be probed */
return id < 0x40 ? 1 : 0;
return ap_test_config(ap_configuration->apm, id);
}
/*
* ap_test_config_domain(): Test, whether an AP usage domain is configured.
* @domain AP usage domain ID
*
* Returns 0 if the usage domain is not configured
* 1 if the usage domain is configured or
* if the configuration information is not available
*/
static inline int ap_test_config_domain(unsigned int domain)
{
if (!ap_configuration) /* QCI not supported */
return domain < 16;
return ap_test_config(ap_configuration->aqm, domain);
}
/**
* ap_query_queue(): Check if an AP queue is available.
* @qid: The AP queue number
* @queue_depth: Pointer to queue depth value
* @device_type: Pointer to device type value
* @facilities: Pointer to facility indicator
*/
static int ap_query_queue(ap_qid_t qid, int *queue_depth, int *device_type,
unsigned int *facilities)
{
struct ap_queue_status status;
unsigned long info;
int nd;
if (!ap_test_config_card_id(AP_QID_CARD(qid)))
return -ENODEV;
status = ap_test_queue(qid, ap_apft_available(), &info);
switch (status.response_code) {
case AP_RESPONSE_NORMAL:
*queue_depth = (int)(info & 0xff);
*device_type = (int)((info >> 24) & 0xff);
*facilities = (unsigned int)(info >> 32);
/* Update maximum domain id */
nd = (info >> 16) & 0xff;
/* if N bit is available, z13 and newer */
if ((info & (1UL << 57)) && nd > 0)
ap_max_domain_id = nd;
else /* older machine types */
ap_max_domain_id = 15;
switch (*device_type) {
/* For CEX2 and CEX3 the available functions
* are not reflected by the facilities bits.
* Instead it is coded into the type. So here
* modify the function bits based on the type.
*/
case AP_DEVICE_TYPE_CEX2A:
case AP_DEVICE_TYPE_CEX3A:
*facilities |= 0x08000000;
break;
case AP_DEVICE_TYPE_CEX2C:
case AP_DEVICE_TYPE_CEX3C:
*facilities |= 0x10000000;
break;
default:
break;
}
return 0;
case AP_RESPONSE_Q_NOT_AVAIL:
case AP_RESPONSE_DECONFIGURED:
case AP_RESPONSE_CHECKSTOPPED:
case AP_RESPONSE_INVALID_ADDRESS:
return -ENODEV;
case AP_RESPONSE_RESET_IN_PROGRESS:
case AP_RESPONSE_OTHERWISE_CHANGED:
case AP_RESPONSE_BUSY:
return -EBUSY;
default:
BUG();
}
}
void ap_wait(enum ap_wait wait)
{
ktime_t hr_time;
switch (wait) {
case AP_WAIT_AGAIN:
case AP_WAIT_INTERRUPT:
if (ap_using_interrupts())
break;
if (ap_poll_kthread) {
wake_up(&ap_poll_wait);
break;
}
/* Fall through */
case AP_WAIT_TIMEOUT:
spin_lock_bh(&ap_poll_timer_lock);
if (!hrtimer_is_queued(&ap_poll_timer)) {
hr_time = poll_timeout;
hrtimer_forward_now(&ap_poll_timer, hr_time);
hrtimer_restart(&ap_poll_timer);
}
spin_unlock_bh(&ap_poll_timer_lock);
break;
case AP_WAIT_NONE:
default:
break;
}
}
/**
* ap_request_timeout(): Handling of request timeouts
* @t: timer making this callback
*
* Handles request timeouts.
*/
void ap_request_timeout(struct timer_list *t)
{
struct ap_queue *aq = from_timer(aq, t, timeout);
if (ap_suspend_flag)
return;
spin_lock_bh(&aq->lock);
ap_wait(ap_sm_event(aq, AP_EVENT_TIMEOUT));
spin_unlock_bh(&aq->lock);
}
/**
* ap_poll_timeout(): AP receive polling for finished AP requests.
* @unused: Unused pointer.
*
* Schedules the AP tasklet using a high resolution timer.
*/
static enum hrtimer_restart ap_poll_timeout(struct hrtimer *unused)
{
if (!ap_suspend_flag)
tasklet_schedule(&ap_tasklet);
return HRTIMER_NORESTART;
}
/**
* ap_interrupt_handler() - Schedule ap_tasklet on interrupt
* @airq: pointer to adapter interrupt descriptor
*/
static void ap_interrupt_handler(struct airq_struct *airq, bool floating)
{
inc_irq_stat(IRQIO_APB);
if (!ap_suspend_flag)
tasklet_schedule(&ap_tasklet);
}
/**
* ap_tasklet_fn(): Tasklet to poll all AP devices.
* @dummy: Unused variable
*
* Poll all AP devices on the bus.
*/
static void ap_tasklet_fn(unsigned long dummy)
{
struct ap_card *ac;
struct ap_queue *aq;
enum ap_wait wait = AP_WAIT_NONE;
/* Reset the indicator if interrupts are used. Thus new interrupts can
* be received. Doing it in the beginning of the tasklet is therefor
* important that no requests on any AP get lost.
*/
if (ap_using_interrupts())
xchg(ap_airq.lsi_ptr, 0);
spin_lock_bh(&ap_list_lock);
for_each_ap_card(ac) {
for_each_ap_queue(aq, ac) {
spin_lock_bh(&aq->lock);
wait = min(wait, ap_sm_event_loop(aq, AP_EVENT_POLL));
spin_unlock_bh(&aq->lock);
}
}
spin_unlock_bh(&ap_list_lock);
ap_wait(wait);
}
static int ap_pending_requests(void)
{
struct ap_card *ac;
struct ap_queue *aq;
spin_lock_bh(&ap_list_lock);
for_each_ap_card(ac) {
for_each_ap_queue(aq, ac) {
if (aq->queue_count == 0)
continue;
spin_unlock_bh(&ap_list_lock);
return 1;
}
}
spin_unlock_bh(&ap_list_lock);
return 0;
}
/**
* ap_poll_thread(): Thread that polls for finished requests.
* @data: Unused pointer
*
* AP bus poll thread. The purpose of this thread is to poll for
* finished requests in a loop if there is a "free" cpu - that is
* a cpu that doesn't have anything better to do. The polling stops
* as soon as there is another task or if all messages have been
* delivered.
*/
static int ap_poll_thread(void *data)
{
DECLARE_WAITQUEUE(wait, current);
set_user_nice(current, MAX_NICE);
set_freezable();
while (!kthread_should_stop()) {
add_wait_queue(&ap_poll_wait, &wait);
set_current_state(TASK_INTERRUPTIBLE);
if (ap_suspend_flag || !ap_pending_requests()) {
schedule();
try_to_freeze();
}
set_current_state(TASK_RUNNING);
remove_wait_queue(&ap_poll_wait, &wait);
if (need_resched()) {
schedule();
try_to_freeze();
continue;
}
ap_tasklet_fn(0);
}
return 0;
}
static int ap_poll_thread_start(void)
{
int rc;
if (ap_using_interrupts() || ap_poll_kthread)
return 0;
mutex_lock(&ap_poll_thread_mutex);
ap_poll_kthread = kthread_run(ap_poll_thread, NULL, "appoll");
rc = PTR_ERR_OR_ZERO(ap_poll_kthread);
if (rc)
ap_poll_kthread = NULL;
mutex_unlock(&ap_poll_thread_mutex);
return rc;
}
static void ap_poll_thread_stop(void)
{
if (!ap_poll_kthread)
return;
mutex_lock(&ap_poll_thread_mutex);
kthread_stop(ap_poll_kthread);
ap_poll_kthread = NULL;
mutex_unlock(&ap_poll_thread_mutex);
}
#define is_card_dev(x) ((x)->parent == ap_root_device)
#define is_queue_dev(x) ((x)->parent != ap_root_device)
/**
* ap_bus_match()
* @dev: Pointer to device
* @drv: Pointer to device_driver
*
* AP bus driver registration/unregistration.
*/
static int ap_bus_match(struct device *dev, struct device_driver *drv)
{
struct ap_driver *ap_drv = to_ap_drv(drv);
struct ap_device_id *id;
/*
* Compare device type of the device with the list of
* supported types of the device_driver.
*/
for (id = ap_drv->ids; id->match_flags; id++) {
if (is_card_dev(dev) &&
id->match_flags & AP_DEVICE_ID_MATCH_CARD_TYPE &&
id->dev_type == to_ap_dev(dev)->device_type)
return 1;
if (is_queue_dev(dev) &&
id->match_flags & AP_DEVICE_ID_MATCH_QUEUE_TYPE &&
id->dev_type == to_ap_dev(dev)->device_type)
return 1;
}
return 0;
}
/**
* ap_uevent(): Uevent function for AP devices.
* @dev: Pointer to device
* @env: Pointer to kobj_uevent_env
*
* It sets up a single environment variable DEV_TYPE which contains the
* hardware device type.
*/
static int ap_uevent(struct device *dev, struct kobj_uevent_env *env)
{
struct ap_device *ap_dev = to_ap_dev(dev);
int retval = 0;
if (!ap_dev)
return -ENODEV;
/* Set up DEV_TYPE environment variable. */
retval = add_uevent_var(env, "DEV_TYPE=%04X", ap_dev->device_type);
if (retval)
return retval;
/* Add MODALIAS= */
retval = add_uevent_var(env, "MODALIAS=ap:t%02X", ap_dev->device_type);
return retval;
}
static int ap_dev_suspend(struct device *dev)
{
struct ap_device *ap_dev = to_ap_dev(dev);
if (ap_dev->drv && ap_dev->drv->suspend)
ap_dev->drv->suspend(ap_dev);
return 0;
}
static int ap_dev_resume(struct device *dev)
{
struct ap_device *ap_dev = to_ap_dev(dev);
if (ap_dev->drv && ap_dev->drv->resume)
ap_dev->drv->resume(ap_dev);
return 0;
}
static void ap_bus_suspend(void)
{
AP_DBF(DBF_DEBUG, "%s running\n", __func__);
ap_suspend_flag = 1;
/*
* Disable scanning for devices, thus we do not want to scan
* for them after removing.
*/
flush_work(&ap_scan_work);
tasklet_disable(&ap_tasklet);
}
static int __ap_card_devices_unregister(struct device *dev, void *dummy)
{
if (is_card_dev(dev))
device_unregister(dev);
return 0;
}
static int __ap_queue_devices_unregister(struct device *dev, void *dummy)
{
if (is_queue_dev(dev))
device_unregister(dev);
return 0;
}
static int __ap_queue_devices_with_id_unregister(struct device *dev, void *data)
{
if (is_queue_dev(dev) &&
AP_QID_CARD(to_ap_queue(dev)->qid) == (int)(long) data)
device_unregister(dev);
return 0;
}
static void ap_bus_resume(void)
{
int rc;
AP_DBF(DBF_DEBUG, "%s running\n", __func__);
/* remove all queue devices */
bus_for_each_dev(&ap_bus_type, NULL, NULL,
__ap_queue_devices_unregister);
/* remove all card devices */
bus_for_each_dev(&ap_bus_type, NULL, NULL,
__ap_card_devices_unregister);
/* Reset thin interrupt setting */
if (ap_interrupts_available() && !ap_using_interrupts()) {
rc = register_adapter_interrupt(&ap_airq);
ap_airq_flag = (rc == 0);
}
if (!ap_interrupts_available() && ap_using_interrupts()) {
unregister_adapter_interrupt(&ap_airq);
ap_airq_flag = 0;
}
/* Reset domain */
if (!user_set_domain)
ap_domain_index = -1;
/* Get things going again */
ap_suspend_flag = 0;
if (ap_airq_flag)
xchg(ap_airq.lsi_ptr, 0);
tasklet_enable(&ap_tasklet);
queue_work(system_long_wq, &ap_scan_work);
}
static int ap_power_event(struct notifier_block *this, unsigned long event,
void *ptr)
{
switch (event) {
case PM_HIBERNATION_PREPARE:
case PM_SUSPEND_PREPARE:
ap_bus_suspend();
break;
case PM_POST_HIBERNATION:
case PM_POST_SUSPEND:
ap_bus_resume();
break;
default:
break;
}
return NOTIFY_DONE;
}
static struct notifier_block ap_power_notifier = {
.notifier_call = ap_power_event,
};
static SIMPLE_DEV_PM_OPS(ap_bus_pm_ops, ap_dev_suspend, ap_dev_resume);
static struct bus_type ap_bus_type = {
.name = "ap",
.match = &ap_bus_match,
.uevent = &ap_uevent,
.pm = &ap_bus_pm_ops,
};
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static int __ap_revise_reserved(struct device *dev, void *dummy)
{
int rc, card, queue, devres, drvres;
if (is_queue_dev(dev)) {
card = AP_QID_CARD(to_ap_queue(dev)->qid);
queue = AP_QID_QUEUE(to_ap_queue(dev)->qid);
mutex_lock(&ap_perms_mutex);
devres = test_bit_inv(card, ap_perms.apm)
&& test_bit_inv(queue, ap_perms.aqm);
mutex_unlock(&ap_perms_mutex);
drvres = to_ap_drv(dev->driver)->flags
& AP_DRIVER_FLAG_DEFAULT;
if (!!devres != !!drvres) {
AP_DBF(DBF_DEBUG, "reprobing queue=%02x.%04x\n",
card, queue);
rc = device_reprobe(dev);
}
}
return 0;
}
static void ap_bus_revise_bindings(void)
{
bus_for_each_dev(&ap_bus_type, NULL, NULL, __ap_revise_reserved);
}
int ap_owned_by_def_drv(int card, int queue)
{
int rc = 0;
if (card < 0 || card >= AP_DEVICES || queue < 0 || queue >= AP_DOMAINS)
return -EINVAL;
mutex_lock(&ap_perms_mutex);
if (test_bit_inv(card, ap_perms.apm)
&& test_bit_inv(queue, ap_perms.aqm))
rc = 1;
mutex_unlock(&ap_perms_mutex);
return rc;
}
EXPORT_SYMBOL(ap_owned_by_def_drv);
int ap_apqn_in_matrix_owned_by_def_drv(unsigned long *apm,
unsigned long *aqm)
{
int card, queue, rc = 0;
mutex_lock(&ap_perms_mutex);
for (card = 0; !rc && card < AP_DEVICES; card++)
if (test_bit_inv(card, apm) &&
test_bit_inv(card, ap_perms.apm))
for (queue = 0; !rc && queue < AP_DOMAINS; queue++)
if (test_bit_inv(queue, aqm) &&
test_bit_inv(queue, ap_perms.aqm))
rc = 1;
mutex_unlock(&ap_perms_mutex);
return rc;
}
EXPORT_SYMBOL(ap_apqn_in_matrix_owned_by_def_drv);
static int ap_device_probe(struct device *dev)
{
struct ap_device *ap_dev = to_ap_dev(dev);
struct ap_driver *ap_drv = to_ap_drv(dev->driver);
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
int card, queue, devres, drvres, rc;
if (is_queue_dev(dev)) {
/*
* If the apqn is marked as reserved/used by ap bus and
* default drivers, only probe with drivers with the default
* flag set. If it is not marked, only probe with drivers
* with the default flag not set.
*/
card = AP_QID_CARD(to_ap_queue(dev)->qid);
queue = AP_QID_QUEUE(to_ap_queue(dev)->qid);
mutex_lock(&ap_perms_mutex);
devres = test_bit_inv(card, ap_perms.apm)
&& test_bit_inv(queue, ap_perms.aqm);
mutex_unlock(&ap_perms_mutex);
drvres = ap_drv->flags & AP_DRIVER_FLAG_DEFAULT;
if (!!devres != !!drvres)
return -ENODEV;
s390/zcrypt: reinit ap queue state machine during device probe Until the vfio-ap driver came into live there was a well known agreement about the way how ap devices are initialized and their states when the driver's probe function is called. However, the vfio device driver when receiving an ap queue device does additional resets thereby removing the registration for interrupts for the ap device done by the ap bus core code. So when later the vfio driver releases the device and one of the default zcrypt drivers takes care of the device the interrupt registration needs to get renewed. The current code does no renew and result is that requests send into such a queue will never see a reply processed - the application hangs. This patch adds a function which resets the aq queue state machine for the ap queue device and triggers the walk through the initial states (which are reset and registration for interrupts). This function is now called before the driver's probe function is invoked. When the association between driver and device is released, the driver's remove function is called. The current implementation calls a ap queue function ap_queue_remove(). This invokation has been moved to the ap bus function to make the probe / remove pair for ap bus and drivers more symmetric. Fixes: 7e0bdbe5c21c ("s390/zcrypt: AP bus support for alternate driver(s)") Cc: stable@vger.kernel.org # 4.19+ Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewd-by: Tony Krowiak <akrowiak@linux.ibm.com> Reviewd-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-11-09 21:59:24 +08:00
/* (re-)init queue's state machine */
ap_queue_reinit_state(to_ap_queue(dev));
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
}
/* Add queue/card to list of active queues/cards */
spin_lock_bh(&ap_list_lock);
if (is_card_dev(dev))
list_add(&to_ap_card(dev)->list, &ap_card_list);
else
list_add(&to_ap_queue(dev)->list,
&to_ap_queue(dev)->card->queues);
spin_unlock_bh(&ap_list_lock);
ap_dev->drv = ap_drv;
rc = ap_drv->probe ? ap_drv->probe(ap_dev) : -ENODEV;
if (rc) {
spin_lock_bh(&ap_list_lock);
if (is_card_dev(dev))
list_del_init(&to_ap_card(dev)->list);
else
list_del_init(&to_ap_queue(dev)->list);
spin_unlock_bh(&ap_list_lock);
ap_dev->drv = NULL;
}
return rc;
}
static int ap_device_remove(struct device *dev)
{
struct ap_device *ap_dev = to_ap_dev(dev);
struct ap_driver *ap_drv = ap_dev->drv;
s390/zcrypt: revisit ap device remove procedure Working with the vfio-ap driver let to some revisit of the way how an ap (queue) device is removed from the driver. With the current implementation all the cleanup was done before the driver even got notified about the removal. Now the ap queue removal is done in 3 steps: 1) A preparation step, all ap messages within the queue are flushed and so the driver does 'receive' them. Also a new state AP_STATE_REMOVE assigned to the queue makes sure there are no new messages queued in. 2) Now the driver's remove function is invoked and the driver should do the job of cleaning up it's internal administration lists or whatever. After 2) is done it is guaranteed, that the driver is not invoked any more. On the other hand the driver has to make sure that the APQN is not accessed any more after step 2 is complete. 3) Now the ap bus code does the job of total cleanup of the APQN. A reset with zero is triggered and the state of the queue goes to AP_STATE_UNBOUND. After step 3) is complete, the ap queue has no pending messages and the APQN is cleared and so there are no requests and replies lingering around in the firmware queue for this APQN. Also the interrupts are disabled. After these remove steps the ap queue device may be assigned to another driver. Stress testing this remove/probe procedure showed a problem with the correct module reference counting. The actual receive of an reply in the driver is done asynchronous with completions. So with a driver change on an ap queue the message flush triggers completions but the threads waiting for the completions may run at a time where the queue already has the new driver assigned. So the module_put() at receive time needs to be done on the driver module which queued the ap message. This change is also part of this patch. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-02-23 00:24:11 +08:00
/* prepare ap queue device removal */
s390/zcrypt: reinit ap queue state machine during device probe Until the vfio-ap driver came into live there was a well known agreement about the way how ap devices are initialized and their states when the driver's probe function is called. However, the vfio device driver when receiving an ap queue device does additional resets thereby removing the registration for interrupts for the ap device done by the ap bus core code. So when later the vfio driver releases the device and one of the default zcrypt drivers takes care of the device the interrupt registration needs to get renewed. The current code does no renew and result is that requests send into such a queue will never see a reply processed - the application hangs. This patch adds a function which resets the aq queue state machine for the ap queue device and triggers the walk through the initial states (which are reset and registration for interrupts). This function is now called before the driver's probe function is invoked. When the association between driver and device is released, the driver's remove function is called. The current implementation calls a ap queue function ap_queue_remove(). This invokation has been moved to the ap bus function to make the probe / remove pair for ap bus and drivers more symmetric. Fixes: 7e0bdbe5c21c ("s390/zcrypt: AP bus support for alternate driver(s)") Cc: stable@vger.kernel.org # 4.19+ Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewd-by: Tony Krowiak <akrowiak@linux.ibm.com> Reviewd-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-11-09 21:59:24 +08:00
if (is_queue_dev(dev))
s390/zcrypt: revisit ap device remove procedure Working with the vfio-ap driver let to some revisit of the way how an ap (queue) device is removed from the driver. With the current implementation all the cleanup was done before the driver even got notified about the removal. Now the ap queue removal is done in 3 steps: 1) A preparation step, all ap messages within the queue are flushed and so the driver does 'receive' them. Also a new state AP_STATE_REMOVE assigned to the queue makes sure there are no new messages queued in. 2) Now the driver's remove function is invoked and the driver should do the job of cleaning up it's internal administration lists or whatever. After 2) is done it is guaranteed, that the driver is not invoked any more. On the other hand the driver has to make sure that the APQN is not accessed any more after step 2 is complete. 3) Now the ap bus code does the job of total cleanup of the APQN. A reset with zero is triggered and the state of the queue goes to AP_STATE_UNBOUND. After step 3) is complete, the ap queue has no pending messages and the APQN is cleared and so there are no requests and replies lingering around in the firmware queue for this APQN. Also the interrupts are disabled. After these remove steps the ap queue device may be assigned to another driver. Stress testing this remove/probe procedure showed a problem with the correct module reference counting. The actual receive of an reply in the driver is done asynchronous with completions. So with a driver change on an ap queue the message flush triggers completions but the threads waiting for the completions may run at a time where the queue already has the new driver assigned. So the module_put() at receive time needs to be done on the driver module which queued the ap message. This change is also part of this patch. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-02-23 00:24:11 +08:00
ap_queue_prepare_remove(to_ap_queue(dev));
/* driver's chance to clean up gracefully */
if (ap_drv->remove)
ap_drv->remove(ap_dev);
s390/zcrypt: revisit ap device remove procedure Working with the vfio-ap driver let to some revisit of the way how an ap (queue) device is removed from the driver. With the current implementation all the cleanup was done before the driver even got notified about the removal. Now the ap queue removal is done in 3 steps: 1) A preparation step, all ap messages within the queue are flushed and so the driver does 'receive' them. Also a new state AP_STATE_REMOVE assigned to the queue makes sure there are no new messages queued in. 2) Now the driver's remove function is invoked and the driver should do the job of cleaning up it's internal administration lists or whatever. After 2) is done it is guaranteed, that the driver is not invoked any more. On the other hand the driver has to make sure that the APQN is not accessed any more after step 2 is complete. 3) Now the ap bus code does the job of total cleanup of the APQN. A reset with zero is triggered and the state of the queue goes to AP_STATE_UNBOUND. After step 3) is complete, the ap queue has no pending messages and the APQN is cleared and so there are no requests and replies lingering around in the firmware queue for this APQN. Also the interrupts are disabled. After these remove steps the ap queue device may be assigned to another driver. Stress testing this remove/probe procedure showed a problem with the correct module reference counting. The actual receive of an reply in the driver is done asynchronous with completions. So with a driver change on an ap queue the message flush triggers completions but the threads waiting for the completions may run at a time where the queue already has the new driver assigned. So the module_put() at receive time needs to be done on the driver module which queued the ap message. This change is also part of this patch. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-02-23 00:24:11 +08:00
/* now do the ap queue device remove */
if (is_queue_dev(dev))
ap_queue_remove(to_ap_queue(dev));
/* Remove queue/card from list of active queues/cards */
spin_lock_bh(&ap_list_lock);
if (is_card_dev(dev))
list_del_init(&to_ap_card(dev)->list);
else
list_del_init(&to_ap_queue(dev)->list);
spin_unlock_bh(&ap_list_lock);
return 0;
}
int ap_driver_register(struct ap_driver *ap_drv, struct module *owner,
char *name)
{
struct device_driver *drv = &ap_drv->driver;
s390/zcrypt: Fix kernel crash on systems without AP bus support On systems without AP bus (e.g. KVM) the kernel crashes during init calls when zcrypt is built-in: kernel BUG at drivers/base/driver.c:153! illegal operation: 0001 ilc:1 [#1] SMP Modules linked in: CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0+ #221 task: 0000000010a40000 ti: 0000000010a48000 task.ti:0000000010a48000 Krnl PSW : 0704c00180000000 0000000000592bd6(driver_register+0x106/0x140) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 0000000000000012 0000000000000000 0000000000c45328 0000000000c44e30 00000000009ef63c 000000000067f598 0000000000cf3c58 0000000000000000 000000000000007b 0000000000cb1030 0000000000000002 0000000000000000 0000000000ca8580 0000000010306700 00000000001001d8 0000000010a4bd88 Krnl Code: 0000000000592bc6: f0b00004ebcf srp 4(12,%r0),3023(%r14),0 0000000000592bcc: f0a0000407f4 srp 4(11,%r0),2036,0 #0000000000592bd2: a7f40001 brc 15,592bd4 >0000000000592bd6: e330d0000004 lg %r3,0(%r13) 0000000000592bdc: c0200021edfd larl %r2,9d07d6 0000000000592be2: c0e500126d8f brasl %r14,7e0700 0000000000592be8: e330d0080004 lg %r3,8(%r13) 0000000000592bee: a7f4ffab brc 15,592b44 Call Trace: ([<00000000001001c8>] do_one_initcall+0x90/0x1d0) [<0000000000c6dd34>] kernel_init_freeable+0x1e4/0x2a0 [<00000000007db53a>] kernel_init+0x2a/0x120 [<00000000007e8ece>] kernel_thread_starter+0x6/0xc [<00000000007e8ec8>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<0000000000592bd2>] driver_register+0x102/0x140 When zcrypt is built as a module, the module loader ensures that the driver modules cannot be loaded if the AP bus module returns an error during initialisation. But if zcrypt and the driver are built-in, the driver is getting initialised even if the AP bus initialisation failed. The driver invokes ap_driver_register() during initialisation, which then causes operations on uninitialised data structures to be performed. Explicitly protect ap_driver_register() by introducing an "initialised" flag that gets set iff the AP bus initialisation was successful. When the AP bus initialisation failed, ap_driver_register() will error out with -ENODEV, causing the driver initialisation to fail as well. Test results: 1. Inside KVM (no AP bus), zcrypt built-in Boots. /sys/bus/ap not present (expected). 2. Inside KVM (no AP bus), zcrypt as module Boots. Loading zcrypt_cex4 fails because loading ap_bus fails (expected). 3. On LPAR with CEX5, zcrypt built-in Boots. /sys/bus/ap/devices/card* present but .../card*/type missing (i.e. zcrypt_device_register() fails, unrelated issue). 4. On LPAR with CEX5, zcrypt as module Boots. Loading zcrypt_cex4 successful, /sys/bus/ap/devices/card*/type present. No further testing (user-space functionality) was done. Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2015-10-28 01:29:52 +08:00
if (!initialised)
return -ENODEV;
drv->bus = &ap_bus_type;
drv->probe = ap_device_probe;
drv->remove = ap_device_remove;
drv->owner = owner;
drv->name = name;
return driver_register(drv);
}
EXPORT_SYMBOL(ap_driver_register);
void ap_driver_unregister(struct ap_driver *ap_drv)
{
driver_unregister(&ap_drv->driver);
}
EXPORT_SYMBOL(ap_driver_unregister);
void ap_bus_force_rescan(void)
{
if (ap_suspend_flag)
return;
/* processing a asynchronous bus rescan */
del_timer(&ap_config_timer);
queue_work(system_long_wq, &ap_scan_work);
flush_work(&ap_scan_work);
}
EXPORT_SYMBOL(ap_bus_force_rescan);
/*
* A config change has happened, force an ap bus rescan.
*/
void ap_bus_cfg_chg(void)
{
AP_DBF(DBF_INFO, "%s config change, forcing bus rescan\n", __func__);
ap_bus_force_rescan();
}
/*
* hex2bitmap() - parse hex mask string and set bitmap.
* Valid strings are "0x012345678" with at least one valid hex number.
* Rest of the bitmap to the right is padded with 0. No spaces allowed
* within the string, the leading 0x may be omitted.
* Returns the bitmask with exactly the bits set as given by the hex
* string (both in big endian order).
*/
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static int hex2bitmap(const char *str, unsigned long *bitmap, int bits)
{
int i, n, b;
/* bits needs to be a multiple of 8 */
if (bits & 0x07)
return -EINVAL;
if (str[0] == '0' && str[1] == 'x')
str++;
if (*str == 'x')
str++;
for (i = 0; isxdigit(*str) && i < bits; str++) {
b = hex_to_bin(*str);
for (n = 0; n < 4; n++)
if (b & (0x08 >> n))
set_bit_inv(i + n, bitmap);
i += 4;
}
if (*str == '\n')
str++;
if (*str)
return -EINVAL;
return 0;
}
/*
* modify_bitmap() - parse bitmask argument and modify an existing
* bit mask accordingly. A concatenation (done with ',') of these
* terms is recognized:
* +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]
* <bitnr> may be any valid number (hex, decimal or octal) in the range
* 0...bits-1; the leading + or - is required. Here are some examples:
* +0-15,+32,-128,-0xFF
* -0-255,+1-16,+0x128
* +1,+2,+3,+4,-5,-7-10
* Returns the new bitmap after all changes have been applied. Every
* positive value in the string will set a bit and every negative value
* in the string will clear a bit. As a bit may be touched more than once,
* the last 'operation' wins:
* +0-255,-128 = first bits 0-255 will be set, then bit 128 will be
* cleared again. All other bits are unmodified.
*/
static int modify_bitmap(const char *str, unsigned long *bitmap, int bits)
{
int a, i, z;
char *np, sign;
/* bits needs to be a multiple of 8 */
if (bits & 0x07)
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
return -EINVAL;
while (*str) {
sign = *str++;
if (sign != '+' && sign != '-')
return -EINVAL;
a = z = simple_strtoul(str, &np, 0);
if (str == np || a >= bits)
return -EINVAL;
str = np;
if (*str == '-') {
z = simple_strtoul(++str, &np, 0);
if (str == np || a > z || z >= bits)
return -EINVAL;
str = np;
}
for (i = a; i <= z; i++)
if (sign == '+')
set_bit_inv(i, bitmap);
else
clear_bit_inv(i, bitmap);
while (*str == ',' || *str == '\n')
str++;
}
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
return 0;
}
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
int ap_parse_mask_str(const char *str,
unsigned long *bitmap, int bits,
struct mutex *lock)
{
unsigned long *newmap, size;
int rc;
/* bits needs to be a multiple of 8 */
if (bits & 0x07)
return -EINVAL;
size = BITS_TO_LONGS(bits)*sizeof(unsigned long);
newmap = kmalloc(size, GFP_KERNEL);
if (!newmap)
return -ENOMEM;
if (mutex_lock_interruptible(lock)) {
kfree(newmap);
return -ERESTARTSYS;
}
if (*str == '+' || *str == '-') {
memcpy(newmap, bitmap, size);
rc = modify_bitmap(str, newmap, bits);
} else {
memset(newmap, 0, size);
rc = hex2bitmap(str, newmap, bits);
}
if (rc == 0)
memcpy(bitmap, newmap, size);
mutex_unlock(lock);
kfree(newmap);
return rc;
}
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
EXPORT_SYMBOL(ap_parse_mask_str);
/*
* AP bus attributes.
*/
static ssize_t ap_domain_show(struct bus_type *bus, char *buf)
{
return snprintf(buf, PAGE_SIZE, "%d\n", ap_domain_index);
}
static ssize_t ap_domain_store(struct bus_type *bus,
const char *buf, size_t count)
{
int domain;
if (sscanf(buf, "%i\n", &domain) != 1 ||
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
domain < 0 || domain > ap_max_domain_id ||
!test_bit_inv(domain, ap_perms.aqm))
return -EINVAL;
spin_lock_bh(&ap_domain_lock);
ap_domain_index = domain;
spin_unlock_bh(&ap_domain_lock);
AP_DBF(DBF_DEBUG, "stored new default domain=%d\n", domain);
return count;
}
static BUS_ATTR_RW(ap_domain);
static ssize_t ap_control_domain_mask_show(struct bus_type *bus, char *buf)
{
if (!ap_configuration) /* QCI not supported */
return snprintf(buf, PAGE_SIZE, "not supported\n");
return snprintf(buf, PAGE_SIZE,
"0x%08x%08x%08x%08x%08x%08x%08x%08x\n",
ap_configuration->adm[0], ap_configuration->adm[1],
ap_configuration->adm[2], ap_configuration->adm[3],
ap_configuration->adm[4], ap_configuration->adm[5],
ap_configuration->adm[6], ap_configuration->adm[7]);
}
static BUS_ATTR_RO(ap_control_domain_mask);
static ssize_t ap_usage_domain_mask_show(struct bus_type *bus, char *buf)
{
if (!ap_configuration) /* QCI not supported */
return snprintf(buf, PAGE_SIZE, "not supported\n");
return snprintf(buf, PAGE_SIZE,
"0x%08x%08x%08x%08x%08x%08x%08x%08x\n",
ap_configuration->aqm[0], ap_configuration->aqm[1],
ap_configuration->aqm[2], ap_configuration->aqm[3],
ap_configuration->aqm[4], ap_configuration->aqm[5],
ap_configuration->aqm[6], ap_configuration->aqm[7]);
}
static BUS_ATTR_RO(ap_usage_domain_mask);
static ssize_t ap_adapter_mask_show(struct bus_type *bus, char *buf)
{
if (!ap_configuration) /* QCI not supported */
return snprintf(buf, PAGE_SIZE, "not supported\n");
return snprintf(buf, PAGE_SIZE,
"0x%08x%08x%08x%08x%08x%08x%08x%08x\n",
ap_configuration->apm[0], ap_configuration->apm[1],
ap_configuration->apm[2], ap_configuration->apm[3],
ap_configuration->apm[4], ap_configuration->apm[5],
ap_configuration->apm[6], ap_configuration->apm[7]);
}
static BUS_ATTR_RO(ap_adapter_mask);
static ssize_t ap_interrupts_show(struct bus_type *bus, char *buf)
{
return snprintf(buf, PAGE_SIZE, "%d\n",
ap_using_interrupts() ? 1 : 0);
}
static BUS_ATTR_RO(ap_interrupts);
static ssize_t config_time_show(struct bus_type *bus, char *buf)
{
return snprintf(buf, PAGE_SIZE, "%d\n", ap_config_time);
}
static ssize_t config_time_store(struct bus_type *bus,
const char *buf, size_t count)
{
int time;
if (sscanf(buf, "%d\n", &time) != 1 || time < 5 || time > 120)
return -EINVAL;
ap_config_time = time;
mod_timer(&ap_config_timer, jiffies + ap_config_time * HZ);
return count;
}
static BUS_ATTR_RW(config_time);
static ssize_t poll_thread_show(struct bus_type *bus, char *buf)
{
return snprintf(buf, PAGE_SIZE, "%d\n", ap_poll_kthread ? 1 : 0);
}
static ssize_t poll_thread_store(struct bus_type *bus,
const char *buf, size_t count)
{
int flag, rc;
if (sscanf(buf, "%d\n", &flag) != 1)
return -EINVAL;
if (flag) {
rc = ap_poll_thread_start();
if (rc)
count = rc;
} else
ap_poll_thread_stop();
return count;
}
static BUS_ATTR_RW(poll_thread);
static ssize_t poll_timeout_show(struct bus_type *bus, char *buf)
{
return snprintf(buf, PAGE_SIZE, "%llu\n", poll_timeout);
}
static ssize_t poll_timeout_store(struct bus_type *bus, const char *buf,
size_t count)
{
unsigned long long time;
ktime_t hr_time;
/* 120 seconds = maximum poll interval */
if (sscanf(buf, "%llu\n", &time) != 1 || time < 1 ||
time > 120000000000ULL)
return -EINVAL;
poll_timeout = time;
hr_time = poll_timeout;
spin_lock_bh(&ap_poll_timer_lock);
hrtimer_cancel(&ap_poll_timer);
hrtimer_set_expires(&ap_poll_timer, hr_time);
hrtimer_start_expires(&ap_poll_timer, HRTIMER_MODE_ABS);
spin_unlock_bh(&ap_poll_timer_lock);
return count;
}
static BUS_ATTR_RW(poll_timeout);
static ssize_t ap_max_domain_id_show(struct bus_type *bus, char *buf)
{
int max_domain_id;
if (ap_configuration)
max_domain_id = ap_max_domain_id ? : -1;
else
max_domain_id = 15;
return snprintf(buf, PAGE_SIZE, "%d\n", max_domain_id);
}
static BUS_ATTR_RO(ap_max_domain_id);
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static ssize_t apmask_show(struct bus_type *bus, char *buf)
{
int rc;
if (mutex_lock_interruptible(&ap_perms_mutex))
return -ERESTARTSYS;
rc = snprintf(buf, PAGE_SIZE,
"0x%016lx%016lx%016lx%016lx\n",
ap_perms.apm[0], ap_perms.apm[1],
ap_perms.apm[2], ap_perms.apm[3]);
mutex_unlock(&ap_perms_mutex);
return rc;
}
static ssize_t apmask_store(struct bus_type *bus, const char *buf,
size_t count)
{
int rc;
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
rc = ap_parse_mask_str(buf, ap_perms.apm, AP_DEVICES, &ap_perms_mutex);
if (rc)
return rc;
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
ap_bus_revise_bindings();
return count;
}
static BUS_ATTR_RW(apmask);
static ssize_t aqmask_show(struct bus_type *bus, char *buf)
{
int rc;
if (mutex_lock_interruptible(&ap_perms_mutex))
return -ERESTARTSYS;
rc = snprintf(buf, PAGE_SIZE,
"0x%016lx%016lx%016lx%016lx\n",
ap_perms.aqm[0], ap_perms.aqm[1],
ap_perms.aqm[2], ap_perms.aqm[3]);
mutex_unlock(&ap_perms_mutex);
return rc;
}
static ssize_t aqmask_store(struct bus_type *bus, const char *buf,
size_t count)
{
int rc;
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
rc = ap_parse_mask_str(buf, ap_perms.aqm, AP_DOMAINS, &ap_perms_mutex);
if (rc)
return rc;
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
ap_bus_revise_bindings();
return count;
}
static BUS_ATTR_RW(aqmask);
static struct bus_attribute *const ap_bus_attrs[] = {
&bus_attr_ap_domain,
&bus_attr_ap_control_domain_mask,
&bus_attr_ap_usage_domain_mask,
&bus_attr_ap_adapter_mask,
&bus_attr_config_time,
&bus_attr_poll_thread,
&bus_attr_ap_interrupts,
&bus_attr_poll_timeout,
&bus_attr_ap_max_domain_id,
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
&bus_attr_apmask,
&bus_attr_aqmask,
NULL,
};
/**
* ap_select_domain(): Select an AP domain if possible and we haven't
* already done so before.
*/
static void ap_select_domain(void)
{
int count, max_count, best_domain;
struct ap_queue_status status;
int i, j;
/*
* We want to use a single domain. Either the one specified with
* the "domain=" parameter or the domain with the maximum number
* of devices.
*/
spin_lock_bh(&ap_domain_lock);
if (ap_domain_index >= 0) {
/* Domain has already been selected. */
spin_unlock_bh(&ap_domain_lock);
return;
}
best_domain = -1;
max_count = 0;
for (i = 0; i < AP_DOMAINS; i++) {
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
if (!ap_test_config_domain(i) ||
!test_bit_inv(i, ap_perms.aqm))
continue;
count = 0;
for (j = 0; j < AP_DEVICES; j++) {
if (!ap_test_config_card_id(j))
continue;
status = ap_test_queue(AP_MKQID(j, i),
ap_apft_available(),
NULL);
if (status.response_code != AP_RESPONSE_NORMAL)
continue;
count++;
}
if (count > max_count) {
max_count = count;
best_domain = i;
}
}
if (best_domain >= 0) {
ap_domain_index = best_domain;
AP_DBF(DBF_DEBUG, "new ap_domain_index=%d\n", ap_domain_index);
}
spin_unlock_bh(&ap_domain_lock);
}
/*
* This function checks the type and returns either 0 for not
* supported or the highest compatible type value (which may
* include the input type value).
*/
static int ap_get_compatible_type(ap_qid_t qid, int rawtype, unsigned int func)
{
int comp_type = 0;
/* < CEX2A is not supported */
if (rawtype < AP_DEVICE_TYPE_CEX2A)
return 0;
/* up to CEX6 known and fully supported */
if (rawtype <= AP_DEVICE_TYPE_CEX6)
return rawtype;
/*
* unknown new type > CEX6, check for compatibility
* to the highest known and supported type which is
* currently CEX6 with the help of the QACT function.
*/
if (ap_qact_available()) {
struct ap_queue_status status;
union ap_qact_ap_info apinfo = {0};
apinfo.mode = (func >> 26) & 0x07;
apinfo.cat = AP_DEVICE_TYPE_CEX6;
status = ap_qact(qid, 0, &apinfo);
if (status.response_code == AP_RESPONSE_NORMAL
&& apinfo.cat >= AP_DEVICE_TYPE_CEX2A
&& apinfo.cat <= AP_DEVICE_TYPE_CEX6)
comp_type = apinfo.cat;
}
if (!comp_type)
AP_DBF(DBF_WARN, "queue=%02x.%04x unable to map type %d\n",
AP_QID_CARD(qid), AP_QID_QUEUE(qid), rawtype);
else if (comp_type != rawtype)
AP_DBF(DBF_INFO, "queue=%02x.%04x map type %d to %d\n",
AP_QID_CARD(qid), AP_QID_QUEUE(qid), rawtype, comp_type);
return comp_type;
}
/*
* Helper function to be used with bus_find_dev
* matches for the card device with the given id
*/
static int __match_card_device_with_id(struct device *dev, void *data)
{
return is_card_dev(dev) && to_ap_card(dev)->id == (int)(long) data;
}
/*
* Helper function to be used with bus_find_dev
* matches for the queue device with a given qid
*/
static int __match_queue_device_with_qid(struct device *dev, void *data)
{
return is_queue_dev(dev) && to_ap_queue(dev)->qid == (int)(long) data;
}
/*
* Helper function to be used with bus_find_dev
* matches any queue device with given queue id
*/
static int __match_queue_device_with_queue_id(struct device *dev, void *data)
{
return is_queue_dev(dev)
&& AP_QID_QUEUE(to_ap_queue(dev)->qid) == (int)(long) data;
}
/*
* Helper function for ap_scan_bus().
* Does the scan bus job for the given adapter id.
*/
static void _ap_scan_bus_adapter(int id)
{
ap_qid_t qid;
unsigned int func;
struct ap_card *ac;
struct device *dev;
struct ap_queue *aq;
int rc, dom, depth, type, comp_type, borked;
/* check if there is a card device registered with this id */
dev = bus_find_device(&ap_bus_type, NULL,
(void *)(long) id,
__match_card_device_with_id);
ac = dev ? to_ap_card(dev) : NULL;
if (!ap_test_config_card_id(id)) {
if (dev) {
/* Card device has been removed from configuration */
bus_for_each_dev(&ap_bus_type, NULL,
(void *)(long) id,
__ap_queue_devices_with_id_unregister);
device_unregister(dev);
put_device(dev);
}
return;
}
/*
* This card id is enabled in the configuration. If we already have
* a card device with this id, check if type and functions are still
* the very same. Also verify that at least one queue is available.
*/
if (ac) {
/* find the first valid queue */
for (dom = 0; dom < AP_DOMAINS; dom++) {
qid = AP_MKQID(id, dom);
if (ap_query_queue(qid, &depth, &type, &func) == 0)
break;
}
borked = 0;
if (dom >= AP_DOMAINS) {
/* no accessible queue on this card */
borked = 1;
} else if (ac->raw_hwtype != type) {
/* card type has changed */
AP_DBF(DBF_INFO, "card=%02x type changed.\n", id);
borked = 1;
} else if (ac->functions != func) {
/* card functions have changed */
AP_DBF(DBF_INFO, "card=%02x functions changed.\n", id);
borked = 1;
}
if (borked) {
/* unregister card device and associated queues */
bus_for_each_dev(&ap_bus_type, NULL,
(void *)(long) id,
__ap_queue_devices_with_id_unregister);
device_unregister(dev);
put_device(dev);
/* go back if there is no valid queue on this card */
if (dom >= AP_DOMAINS)
return;
ac = NULL;
}
}
/*
* Go through all possible queue ids. Check and maybe create or release
* queue devices for this card. If there exists no card device yet,
* create a card device also.
*/
for (dom = 0; dom < AP_DOMAINS; dom++) {
qid = AP_MKQID(id, dom);
dev = bus_find_device(&ap_bus_type, NULL,
(void *)(long) qid,
__match_queue_device_with_qid);
aq = dev ? to_ap_queue(dev) : NULL;
if (!ap_test_config_domain(dom)) {
if (dev) {
/* Queue device exists but has been
* removed from configuration.
*/
device_unregister(dev);
put_device(dev);
}
continue;
}
/* try to fetch infos about this queue */
rc = ap_query_queue(qid, &depth, &type, &func);
if (dev) {
if (rc == -ENODEV)
borked = 1;
else {
spin_lock_bh(&aq->lock);
borked = aq->state == AP_STATE_BORKED;
spin_unlock_bh(&aq->lock);
}
if (borked) {
/* Remove broken device */
AP_DBF(DBF_DEBUG,
"removing broken queue=%02x.%04x\n",
id, dom);
device_unregister(dev);
}
put_device(dev);
continue;
}
if (rc)
continue;
/* a new queue device is needed, check out comp type */
comp_type = ap_get_compatible_type(qid, type, func);
if (!comp_type)
continue;
/* maybe a card device needs to be created first */
if (!ac) {
ac = ap_card_create(id, depth, type, comp_type, func);
if (!ac)
continue;
ac->ap_dev.device.bus = &ap_bus_type;
ac->ap_dev.device.parent = ap_root_device;
dev_set_name(&ac->ap_dev.device, "card%02x", id);
/* Register card device with AP bus */
rc = device_register(&ac->ap_dev.device);
if (rc) {
put_device(&ac->ap_dev.device);
ac = NULL;
break;
}
/* get it and thus adjust reference counter */
get_device(&ac->ap_dev.device);
}
/* now create the new queue device */
aq = ap_queue_create(qid, comp_type);
if (!aq)
continue;
aq->card = ac;
aq->ap_dev.device.bus = &ap_bus_type;
aq->ap_dev.device.parent = &ac->ap_dev.device;
dev_set_name(&aq->ap_dev.device, "%02x.%04x", id, dom);
/* Register queue device */
rc = device_register(&aq->ap_dev.device);
if (rc) {
put_device(&aq->ap_dev.device);
continue;
}
} /* end domain loop */
if (ac)
put_device(&ac->ap_dev.device);
}
/**
* ap_scan_bus(): Scan the AP bus for new devices
* Runs periodically, workqueue timer (ap_config_time)
*/
static void ap_scan_bus(struct work_struct *unused)
{
int id;
AP_DBF(DBF_DEBUG, "%s running\n", __func__);
ap_query_configuration(ap_configuration);
ap_select_domain();
/* loop over all possible adapters */
for (id = 0; id < AP_DEVICES; id++)
_ap_scan_bus_adapter(id);
/* check if there is at least one queue available with default domain */
if (ap_domain_index >= 0) {
struct device *dev =
bus_find_device(&ap_bus_type, NULL,
(void *)(long) ap_domain_index,
__match_queue_device_with_queue_id);
if (dev)
put_device(dev);
else
AP_DBF(DBF_INFO,
"no queue device with default domain %d available\n",
ap_domain_index);
}
mod_timer(&ap_config_timer, jiffies + ap_config_time * HZ);
}
static void ap_config_timeout(struct timer_list *unused)
{
if (ap_suspend_flag)
return;
queue_work(system_long_wq, &ap_scan_work);
}
static int __init ap_debug_init(void)
{
ap_dbf_info = debug_register("ap", 1, 1,
DBF_MAX_SPRINTF_ARGS * sizeof(long));
debug_register_view(ap_dbf_info, &debug_sprintf_view);
debug_set_level(ap_dbf_info, DBF_ERR);
return 0;
}
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
static void __init ap_perms_init(void)
{
/* all resources useable if no kernel parameter string given */
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
memset(&ap_perms.ioctlm, 0xFF, sizeof(ap_perms.ioctlm));
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
memset(&ap_perms.apm, 0xFF, sizeof(ap_perms.apm));
memset(&ap_perms.aqm, 0xFF, sizeof(ap_perms.aqm));
/* apm kernel parameter string */
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
if (apm_str) {
memset(&ap_perms.apm, 0, sizeof(ap_perms.apm));
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
ap_parse_mask_str(apm_str, ap_perms.apm, AP_DEVICES,
&ap_perms_mutex);
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
}
/* aqm kernel parameter string */
if (aqm_str) {
memset(&ap_perms.aqm, 0, sizeof(ap_perms.aqm));
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
ap_parse_mask_str(aqm_str, ap_perms.aqm, AP_DOMAINS,
&ap_perms_mutex);
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
}
}
/**
* ap_module_init(): The module initialization code.
*
* Initializes the module.
*/
static int __init ap_module_init(void)
{
int max_domain_id;
int rc, i;
rc = ap_debug_init();
if (rc)
return rc;
if (!ap_instructions_available()) {
pr_warn("The hardware system does not support AP instructions\n");
return -ENODEV;
}
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-09-17 22:18:41 +08:00
/* set up the AP permissions (ioctls, ap and aq masks) */
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
ap_perms_init();
/* Get AP configuration data if available */
ap_init_configuration();
if (ap_configuration)
max_domain_id =
ap_max_domain_id ? ap_max_domain_id : AP_DOMAINS - 1;
else
max_domain_id = 15;
s390/zcrypt: AP bus support for alternate driver(s) The current AP bus, AP devices and AP device drivers implementation uses a clearly defined mapping for binding AP devices to AP device drivers. So for example a CEX6C queue will always be bound to the cex4queue device driver. The Linux Device Driver model has no sensitivity for more than one device driver eligible for one device type. If there exist more than one drivers matching to the device type, simple all drivers are tried consecutively. There is no way to determine and influence the probing order of the drivers. With KVM there is a need to provide additional device drivers matching to the very same type of AP devices. With a simple implementation the KVM drivers run in competition to the regular drivers. Whichever 'wins' a device depends on build order and implementation details within the common Linux Device Driver Model and is not deterministic. However, a userspace process could figure out which device should be bound to which driver and sort out the correct binding by manipulating attributes in the sysfs. If for security reasons a AP device must not get bound to the 'wrong' device driver the sorting out has to be done within the Linux kernel by the AP bus code. This patch modifies the behavior of the AP bus for probing drivers for devices in a way that two sets of drivers are usable. Two new bitmasks 'apmask' and 'aqmask' are used to mark a subset of the APQN range for 'usable by the ap bus and the default drivers' or 'not usable by the default drivers and thus available for alternate drivers like vfio-xxx'. So an APQN which is addressed by this masking only the default drivers will be probed. In contrary an APQN which is not addressed by the masks will never be probed and bound to default drivers but onny to alternate drivers. Eventually the two masks give a way to divide the range of APQNs into two pools: one pool of APQNs used by the AP bus and the default drivers and thus via zcrypt drivers available to the userspace of the system. And another pool where no zcrypt drivers are bound to and which can be used by alternate drivers (like vfio-xxx) for their needs. This division is hot-plug save and makes sure a APQN assigned to an alternate driver is at no time somehow exploitable by the wrong party. The two masks are located in sysfs at /sys/bus/ap/apmask and /sys/bus/ap/aqmask. The mask syntax is exactly the same as the already existing mask attributes in the /sys/bus/ap directory (for example ap_usage_domain_mask and ap_control_domain_mask). By default all APQNs belong to the ap bus and the default drivers: cat /sys/bus/ap/apmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff cat /sys/bus/ap/aqmask 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff The masks can be changed at boot time with the kernel command line like this: ... ap.apmask=0xffff ap.aqmask=0x40 This would give these two pools: default drivers pool: adapter 0 - 15, domain 1 alternate drivers pool: adapter 0 - 15, all but domain 1 adapter 16-255, all domains The sysfs attributes for this two masks are writeable and an administrator is able to reconfigure the assignements on the fly by writing new mask values into. With changing the mask(s) a revision of the existing queue to driver bindings is done. So all APQNs which are bound to the 'wrong' driver are reprobed via kernel function device_reprobe() and thus the new correct driver will be assigned with respect of the changed apmask and aqmask bits. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: - Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). - '+' or '-' followed by a numerical value. Valid examples are "+1", "-13", "+0x41", "-0xff" and even "+0" and "-0". Only the addressed bit in the mask is switched on ('+') or off ('-'). This patch will also be the base for an upcoming extension to the zcrypt drivers to be able to provide additional zcrypt device nodes with filtering based on ap and aq masks. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2018-07-20 14:36:53 +08:00
if (ap_domain_index < -1 || ap_domain_index > max_domain_id ||
(ap_domain_index >= 0 &&
!test_bit_inv(ap_domain_index, ap_perms.aqm))) {
pr_warn("%d is not a valid cryptographic domain\n",
ap_domain_index);
ap_domain_index = -1;
}
/* In resume callback we need to know if the user had set the domain.
* If so, we can not just reset it.
*/
if (ap_domain_index >= 0)
user_set_domain = 1;
if (ap_interrupts_available()) {
rc = register_adapter_interrupt(&ap_airq);
ap_airq_flag = (rc == 0);
}
/* Create /sys/bus/ap. */
rc = bus_register(&ap_bus_type);
if (rc)
goto out;
for (i = 0; ap_bus_attrs[i]; i++) {
rc = bus_create_file(&ap_bus_type, ap_bus_attrs[i]);
if (rc)
goto out_bus;
}
/* Create /sys/devices/ap. */
ap_root_device = root_device_register("ap");
rc = PTR_ERR_OR_ZERO(ap_root_device);
if (rc)
goto out_bus;
/* Setup the AP bus rescan timer. */
timer_setup(&ap_config_timer, ap_config_timeout, 0);
/*
* Setup the high resultion poll timer.
* If we are running under z/VM adjust polling to z/VM polling rate.
*/
if (MACHINE_IS_VM)
poll_timeout = 1500000;
spin_lock_init(&ap_poll_timer_lock);
hrtimer_init(&ap_poll_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
ap_poll_timer.function = ap_poll_timeout;
/* Start the low priority AP bus poll thread. */
if (ap_thread_flag) {
rc = ap_poll_thread_start();
if (rc)
goto out_work;
}
rc = register_pm_notifier(&ap_power_notifier);
if (rc)
goto out_pm;
queue_work(system_long_wq, &ap_scan_work);
s390/zcrypt: Fix kernel crash on systems without AP bus support On systems without AP bus (e.g. KVM) the kernel crashes during init calls when zcrypt is built-in: kernel BUG at drivers/base/driver.c:153! illegal operation: 0001 ilc:1 [#1] SMP Modules linked in: CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0+ #221 task: 0000000010a40000 ti: 0000000010a48000 task.ti:0000000010a48000 Krnl PSW : 0704c00180000000 0000000000592bd6(driver_register+0x106/0x140) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 0000000000000012 0000000000000000 0000000000c45328 0000000000c44e30 00000000009ef63c 000000000067f598 0000000000cf3c58 0000000000000000 000000000000007b 0000000000cb1030 0000000000000002 0000000000000000 0000000000ca8580 0000000010306700 00000000001001d8 0000000010a4bd88 Krnl Code: 0000000000592bc6: f0b00004ebcf srp 4(12,%r0),3023(%r14),0 0000000000592bcc: f0a0000407f4 srp 4(11,%r0),2036,0 #0000000000592bd2: a7f40001 brc 15,592bd4 >0000000000592bd6: e330d0000004 lg %r3,0(%r13) 0000000000592bdc: c0200021edfd larl %r2,9d07d6 0000000000592be2: c0e500126d8f brasl %r14,7e0700 0000000000592be8: e330d0080004 lg %r3,8(%r13) 0000000000592bee: a7f4ffab brc 15,592b44 Call Trace: ([<00000000001001c8>] do_one_initcall+0x90/0x1d0) [<0000000000c6dd34>] kernel_init_freeable+0x1e4/0x2a0 [<00000000007db53a>] kernel_init+0x2a/0x120 [<00000000007e8ece>] kernel_thread_starter+0x6/0xc [<00000000007e8ec8>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<0000000000592bd2>] driver_register+0x102/0x140 When zcrypt is built as a module, the module loader ensures that the driver modules cannot be loaded if the AP bus module returns an error during initialisation. But if zcrypt and the driver are built-in, the driver is getting initialised even if the AP bus initialisation failed. The driver invokes ap_driver_register() during initialisation, which then causes operations on uninitialised data structures to be performed. Explicitly protect ap_driver_register() by introducing an "initialised" flag that gets set iff the AP bus initialisation was successful. When the AP bus initialisation failed, ap_driver_register() will error out with -ENODEV, causing the driver initialisation to fail as well. Test results: 1. Inside KVM (no AP bus), zcrypt built-in Boots. /sys/bus/ap not present (expected). 2. Inside KVM (no AP bus), zcrypt as module Boots. Loading zcrypt_cex4 fails because loading ap_bus fails (expected). 3. On LPAR with CEX5, zcrypt built-in Boots. /sys/bus/ap/devices/card* present but .../card*/type missing (i.e. zcrypt_device_register() fails, unrelated issue). 4. On LPAR with CEX5, zcrypt as module Boots. Loading zcrypt_cex4 successful, /sys/bus/ap/devices/card*/type present. No further testing (user-space functionality) was done. Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2015-10-28 01:29:52 +08:00
initialised = true;
return 0;
out_pm:
ap_poll_thread_stop();
out_work:
hrtimer_cancel(&ap_poll_timer);
root_device_unregister(ap_root_device);
out_bus:
while (i--)
bus_remove_file(&ap_bus_type, ap_bus_attrs[i]);
bus_unregister(&ap_bus_type);
out:
if (ap_using_interrupts())
unregister_adapter_interrupt(&ap_airq);
kfree(ap_configuration);
return rc;
}
device_initcall(ap_module_init);