[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[qemu-s390x] [RFC 5/5] s390x/docs: documentation for ap-matrix
|
From: |
Tony Krowiak |
|
Subject: |
[qemu-s390x] [RFC 5/5] s390x/docs: documentation for ap-matrix |
|
Date: |
Thu, 26 Oct 2017 11:54:54 -0400 |
Signed-off-by: Tony Krowiak <address@hidden>
---
docs/ap_matrix.txt | 529 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 529 insertions(+), 0 deletions(-)
create mode 100644 docs/ap_matrix.txt
diff --git a/docs/ap_matrix.txt b/docs/ap_matrix.txt
new file mode 100644
index 0000000..ec7bd44
--- /dev/null
+++ b/docs/ap_matrix.txt
@@ -0,0 +1,529 @@
+Adjunct Processor (AP) Matrix Devices
+=====================================
+
+Contents:
+=========
+* Introduction
+* AP Architectural Overview
+* Start Interpretive Execution (SIE) Instruction
+* AP Matrix Configuration on Linux Host
+* AP Matrix Configuration for a Linux Guest
+* Starting a Linux Guest Configured with an AP Matrix
+* Example: Configure AP Matrices for Two Linux Guests
+
+Introduction:
+============
+The IBM Adjunct Processor (AP) Cryptographic Facility is comprised
+of three AP instructions and from 1 to 256 PCIe cryptographic adapter cards.
+These AP devices provide cryptographic functions to all CPUs assigned to a
+linux system running in an IBM Z system LPAR.
+
+The intent of this document is to provide administrators with the basic
+knowledge needed to provide a linux guest with direct access to one or more AP
+adapters available to the host linux system using an AP matrix device
+
+AP Architectural Overview:
+=========================
+In order understand the terminology used in the rest of this document, let's
+start with some definitions:
+
+* AP adapter
+
+ An AP adapter is a PCIe cryptographic adapter that can perform cryptographic
+ functions. There can be from 0 to 256 AP adapters assigned to an LPAR.
+ Each adapter is identified by a number from 0 to 255. When
+ installed, an AP is accessed by AP instructions executed by any CPU.
+
+* AP domain
+
+ An adapter is partitioned into domains. Each domain can be thought of as
+ a set of hardware registers dedicated to an active LPAR. An adapter can hold
+ up to 256 domains. Each domain is identified by a number from 0 to 255.
+ Domains can be further classified into two types:
+
+ * Usage domains are domains that can be accessed directly to process AP
+ commands
+
+ * Control domains are domains that are accessed indirectly by AP
+ commands sent to a usage domain to control or change the domain, for
+ example; to specify a private key that can be used by the domain to
+ perform cryptographic functions.
+
+* AP Queue
+
+ An AP queue is the means by which an AP command is sent to an
+ AP usage domain inside a specific AP. An AP queue is identified by a tuple
+ comprised of an AP adapter ID and a usage domain index. The index corresponds
+ to a given usage domain within the adapter. This tuple forms an AP Queue
+ Number (APQN). AP instructions specify an APQN to identify the AP Queue
+ to which an AP command-request message is to be sent, or from which a
+ command-reply message is to be received. An APQN is specified in this
+ document with one of two formats: APQN (xx,yyyy) or simply xx.yyyy, where
+ xx is an adapter number and yyyy is a domain number. Both numbers will be
+ specified in hexidecimal format.
+
+* AP Instructions:
+
+ There are three AP instructions:
+
+ * NQAP: to enqueue an AP command-request message to an AP queue
+ * DQAP: to dequeue an AP command-reply message from an AP queue
+ * PQAP: to administer an AP queue
+
+Start Interpretive Execution (SIE) Instruction
+==============================================
+A linux guest running on an IBM Z system is started under KVM by executing the
+Start Interpretive Execution (SIE) instruction. The SIE state description is a
+control block that contains the state information for a KVM guest and is
+supplied as input to the SIE instruction. The SIE state description contains a
+field that references a Crypto Control Block (CRYCB) containing three
+fields to identify the AP adapters, usage domains and control domains assigned
+to the KVM guest:
+
+* The AP Mask (APM) field specifies the AP adapter numbers assigned to the
+ KVM guest. The APM controls which adapters are valid for the KVM guest.
+
+* The AP Queue Mask (AQM) field specifies the AP usage domain numbers assigned
+ to the KVM guest. The AQM controls which usage domains are valid for the
+ KVM guest.
+
+* The AP Domain Mask field specifies the AP control domains assigned to the
+ KVM guest. The ADM controls which control domains are valid for the
+ KVM guest.
+
+These three fields comprise the AP matrix for the guest. The APQNs accessible
+to the guest is the intersection of all assigned adapter numbers (APM) and
+all assigned usage domain numbers (AQM). For example, if adapters 1 and 2 and
+usage domains 5 and 6 are assigned to a guest, the APQNs (1,5), (1,6), (2,5)
and
+(2,6) will be valid for AP instructions executed on the guest.
+
+The SIE instruction is run in interpretive execution mode which means the
+AP instructions executed on the guest are interpreted by the hardware. This
+allows a guest direct access to the AP adapter cards. Since each domain within
+a given adapter holds the master key used in the cryptographic functions it
+supports, each APQN must be assigned to at most one guest.
+
+ Example 1: Valid configuration for two guests:
+ ---------------------------------------------
+ Guest1: adapters 1,2 domains 5,6
+ Guest2: adapter 1,2 domain 7
+
+ This is valid because both guests have a unique set of APQNs: Guest1 has
+ APQNs (1,5), (1,6), (2,5) and (2,6); Guest2 has APQN (1,7) and (2,7). There
+ is not overlap.
+
+ Example 2: Invalid configuration for two guests:
+ -----------------------------------------------
+ Guest1: adapters 1,2 domains 5,6
+ Guest2: adapter 1 domains 6,7
+
+ This is an invalid configuration because both guests have access to
+ APQNs (1,6).
+
+AP Matrix Configuration on Linux Host:
+=====================================
+A linux system is a guest of the LPAR in which it is running and has access to
+the AP resources configured for the LPAR. The LPAR's AP matrix is
+configured using the 'Customize/Delete Activation Profiles' dialog from the
HMC.
+This dialog displays the activation profiles configured for the linux system.
+Selecting the specific activation profile to be edited and clicking the
+'Customize Profile' button will open the 'Customize Image Profiles' dialog.
+Selecting the 'Crypto' link in the tree view on the left hand side of the
dialog
+will display the AP matrix configuration in the right hand panel. There, one
can
+assign AP adapters - called Cryptos - and domains to the LPAR. When the linux
+system is started using this activation profile, it will have access to the
+AP matrix configured via the activation profile.
+
+When the linux system is started, the AP adapter devices will be connected to
+the AP bus and the following AP matrix interfaces will be created in sysfs:
+
+/sys/bus/ap
+... [devices]
+...... xx.yyyy
+...... ...
+...... cardxx
+...... ...
+
+Where:
+ cardxx is adapter number xx (in hex)
+ yyyy is a usage domain number yyyy (in hex)
+....xx.yyyy is APQN (xx,yyyy)
+
+For example, if AP adapters 5 and 6 and domains 4 and 71 are configured for the
+LPAR, the sysfs representation on the linux system would look like this:
+
+/sys/bus/ap
+... [devices]
+...... 05.0004
+...... 05.0047
+...... 06.0004
+...... 06.0047
+...... card05
+...... card06
+
+There will also be AP device drivers created to control each type of AP matrix
+interface available to the IBM Z system:
+
+/sys/bus/ap
+... [drivers]
+...... [cex2acard] for Crypto Express 2/3 accelerator cards
+...... [cex2aqueue] for AP queues served by Crypto Express 2/3
+ accelerator cards
+...... [cex4card] for Crypto Express 4/5/6 accelerator and coprocessor
+ cards
+...... [cex4queue] for AP queues served by Crypto Express 4/5/6
+ accelerator and coprocessor cards
+...... [pcixcccard] for Crypto Express 2/3 coprocessor cards
+...... [pcixccqueue] for AP queues served by Crypto Express 2/3
+ coprocessor cards
+
+Links to the AP interfaces controlled by each AP device driver will be created
+in the device driver's sysfs directory. For example, if AP adapter 5 and
domains
+4 and 71 (0x47) are assigned to the LPAR and adapter 5 is a CEX5 card, the
+following links will be created in the CEX5 drivers' sysfs directories:
+
+/sys/bus/ap
+... [drivers]
+...... [cex4card]
+......... [card05]
+...... [cex4queue]
+......... [05.0004]
+......... [05.0047]
+
+AP Matrix Configuration for a Linux Guest:
+=========================================
+In order to configure the AP matrix for a guest, the adapters, usage domains
+and control domains to be used by the guest must be identified. This section
+describes how to configure a guest's AP matrix.
+
+When the linux host is booted, an AP matrix bus will be initialized. When
+initialized, the AP matrix bus creates a single AP matrix device to
+hold the APQNs to be made available to guests:
+
+/sys/bus/ap_matrix
+... [devices]
+......[matrix] symlink to the AP matrix device directory
+
+/sys/devices
+... [ap_matrix]
+......[matrix] the AP matrix device directory
+
+The kernel interfaces for configuring an AP matrix for a linux guest are built
+on the VFIO mediated device framework and are provided by the vfio_ap_matrix
+kernel module. The dependency chain for the vfio_ap_matrix module is:
+
+* vfio
+* mdev
+* vfio_mdev
+* vfio_ap_matrix
+
+When the vfio_ap_matrix module is loaded, it will create the following sysfs
+interfaces:
+
+/sys/bus/ap
+... [drivers]
+...... [vfio_ap_matrix]
+......... bind
+
+The vfio_ap_matrix device driver is created to provide an interface for
securing
+APQNs from use by the host linux system. This is accomplished by unbinding the
+APQNs from the host device driver and binding them to the vfio_ap_matrix
+device driver. For example, suppose we want to secure APQN (05,0004). Assuming
+for this example that AP adapter card 5 is a CEX5 coprocessor card:
+
+ echo 05.0004 > /sys/bus/ap/drivers/cex4queue/unbind
+ echo 05.0004 > /sys/bus/ap/drivers/vfio_ap_matrix/bind
+
+This action will store the APQN in the /sys/devices/ap_matrix/matrix device
+which makes it available for use by a linux guest.
+
+Another side effect of loading the vfio_ap_matrix module is the creation of the
+sysfs interfaces for configuring an AP matrix for a linux guest. These sysfs
+interfaces are built on the VFIO mediated device framework. To configure an AP
+matrix for a guest, a mediated matrix device must be created for the
+/sys/devices/ap_matrix/matrix device. A mediated matrix device must be created
+for each guest that needs access to one or more AP queues. The sysfs interface
+for creating a mediated matrix device is in:
+
+/sys/devices
+... [ap_matrix]
+......[matrix]
+......... [mdev_supported_types]
+............ [ap_matrix-passthrough]
+............... create
+............... [devices]
+
+A mediated AP matrix device is created by writing a UUID to the attribute
+file named 'create', for example:
+
+ uuidgen > create
+
+When a mediated AP matrix device is created, a sysfs directory named after
+the UUID will be created in the devices subdirectory:
+
+/sys/devices
+... [ap_matrix]
+......[matrix]
+......... [mdev_supported_types]
+............ [ap_matrix-passthrough]
+............... create
+............... [devices]
+.................. [$uuid]
+..................... adapters
+..................... assign_adapter
+..................... assign_control_domain
+..................... assign_domain
+..................... control_domains
+..................... domains
+..................... remove
+..................... unassign_adapter
+..................... unassign_control_domain
+..................... unassign_domain
+
+There will also be three sets of attribute files created in the mediated
matrix
+device's sysfs directory:
+
+1 Adapter assignment
+ * An adapter is assigned by writing the adapter's number into the
+ 'assign_adapter' file. This may be repeated multiple times to assign
+ multiple adapters. For example, to assign adapters 5 and 6 to mediated
+ matrix device $uuid:
+
+ echo 5 > assign_adapter
+ echo 6 > assign_adapter
+
+ * An adapter may be unassigned by writing the adapter's number into the
+ 'unassign_adapter' file. This may also be done multiple times to
+ unassign multiple adapters.
+
+ * To view the adapter numbers assigned to the AP matrix mediated device,
+ print the 'adapters' file:
+
+ cat adapters
+
+1 Usage Domain assignment
+ * A usage domain is assigned by writing the usage domain's number into the
+ 'assign_domain' file. This may be repeated multiple times to assign
+ multiple usage domains. For example, to assign usage domains 4 and
+ 71 (0x47) to mediated matrix device $uuid:
+
+ echo 4 > assign_domain
+ echo 47 > assign_domain
+
+ * A domain may be unassigned by writing the usage domain's number into the
+ 'unassign_domain' file. This may be repeated multiple times to unassign
+ multiple usage domains.
+
+ * To view the usage domain numbers assigned to the AP matrix mediated
+ device, print the 'domains' file:
+
+ cat domains
+
+1 Control domain assignment
+ * A control domain is assigned by writing the control domain's number into
+ the 'assign_control_domain' file. This may be repeated multiple times to
+ assign multiple control domains. It is not necessary to assign
+ usage domain numbers as control domains, that is done automatically by
+ default. To assign control domains 4 and 37 (0x35) to mediated matrix
+ device $uuid:
+
+ echo 4 > assign_control_domain
+ echo 25 > assign_control_domain
+
+ * A control domain may be unassigned by writing the control domain's
number
+ into the 'unassign_control_domain' file. This may be repeated multiple
+ times to unassign multiple control domains.
+
+ * To view the control domain numbers assigned to the AP matrix mediated
+ device, print the 'control_domains' file:
+
+ cat control_domains
+
+Note: Hot plug/unplug is not currently supported for mediated AP matrix
devices,
+ so the AP matrix resulting from assignment and/or unassignment of AP
+ adapters, usage domains and control domains to a mediated AP matrix
device
+ will not take affect until the linux guest is rebooted.
+
+Starting a Linux Guest Configured with an AP Matrix:
+===================================================
+In addition to providing the sysfs interfaces for configuring the AP matrix
for
+a linux guest, a mediated AP matrix device also acts as a communication
pathway
+between QEMU and the vfio_ap_matrix device driver. To gain access to the
+device driver, the following option must be specified on the QEMU command line:
+
+-device vfio_ap_matrix,sysfsdev=$path-to-mdev
+
+The sysfsdev parameter specifies the path to the mediated matrix device.
+There are a number of ways to specify this path:
+
+/sys/devices/ap_matrix/matrix/$uuid
+/sys/bus/mdev/devices/$uuid
+/sys/bus/mdev/drivers/vfio_mdev/$uuid
+/sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix-passthrough/devices/$uuid
+
+When the linux guest is subsequently started, the guest will open the mediated
+matrix device's file descriptor to issue the command instructing the device
+driver to configure the AP matrix for the linux guest. In response, the
+vfio_ap_matrix device driver will update the APM, AQM, and ADM fields in the
+guest's CRYCB with the adapter, usage domain and control domain numbers
+specified via the mediated matrix device's sysfs attribute files. Programs
+running on the linux guest will then:
+
+1. Have access to the APQNs derived from the intersection of the AP adapter and
+ usage domain numbers specified in the APM and AQM respectively
+
+2. Have authorization to process AP commands to change a control domains
+ identified in an AP instruction sent to a valid APQN.
+
+Example: Configure AP Matrices for Two Linux Guests:
+===================================================
+Let's now provide an example to illustrate how KVM guests may be given
+direct access to APQNs. For this example, we will illustrate how to configure
+two guests such that executing the lszcrypt command on the guests would
+look like this:
+
+Guest1
+------
+CARD.DOMAIN TYPE MODE
+------------------------------
+05 CEX5C CCA-Coproc
+05.0004 CEX5C CCA-Coproc
+05.00ab CEX5C CCA-Coproc
+06 CEX5A Accelerator
+06.0004 CEX5A Accelerator
+06.00ab CEX5C CCA-Coproc
+
+Guest2
+------
+CARD.DOMAIN TYPE MODE
+------------------------------
+05 CEX5A Accelerator
+05.0047 CEX5A Accelerator
+05.00ff CEX5A Accelerator
+
+These are the steps for configuring Guest1 and Guest2:
+
+1. The first thing that needs to be done is to unbind each AP Queue device from
+ its respective AP device driver to prevent access from the host linux system
+ and to reserve it for use by a linux guest. For our example, let's assume
+ the AP queues are bound to the cex4queue driver.
+
+ /sys/bus/ap
+ --- [drivers]
+ ------ [cex4queue]
+ --------- [05.0004]
+ --------- [05.0047]
+ --------- [05.00ab]
+ --------- [05.00ff]
+ --------- [06.0004]
+ --------- [06.00ab]
+ --------- unbind
+
+ To unbind AP queue 05.0004 from the cex4queue device driver:
+
+ echo 05.0004 > unbind
+
+ This must also be done for AP queues 05.00ab, 05.0047, 05.00ff, 06.0004,
+ and 06.00ab.
+
+2. The next step is to reserve the queues for use by the two KVM guests.
+ This is accomplished by binding them to the VFIO AP matrix device driver:
+
+ /sys/bus/ap
+ ---[drivers]
+ ------ [vfio_ap_matrix]
+ ---------- bind
+
+ For Guest1:
+
+ echo 05.0004 > bind
+ echo 05.00ab > bind
+ echo 06.0004 > bind
+ echo 06.00ab > bind
+
+ For Guest2:
+
+ echo 05.0047 > bind
+ echo 05.00ff > bind
+
+3. Create the mediated matrix devices needed to configure the AP matrices for
+ and to provide an interface to the vfio_ap_matrix driver for use by the
+ two guests:
+
+ /sys/devices/
+ --- [ap_matrix]
+ ------ [matrix] (this is the AP matrix device)
+ --------- [mdev_supported_types]
+ ------------ [ap_matrix-passthrough] (the mediated device type)
+ --------------- create
+ --------------- [devices]
+
+ To create the mediated devices for the two guests:
+
+ uuidgen > create
+ uuidgen > create
+
+ This will create two mediated devices in the [devices] subdirectory named
+ with the UUID written to the create attribute file. We call them $uuid1
+ and $uuid2:
+
+ /sys/devices/
+ --- [ap_matrix]
+ ------ [matrix]
+ --------- [mdev_supported_types]
+ ------------ [ap_matrix-passthrough]
+ --------------- [devices]
+ ------------------ [$uuid1]
+ --------------------- adapters
+ --------------------- assign_adapter
+ --------------------- assign_control_domain
+ --------------------- assign_domain
+ --------------------- control_domains
+ --------------------- domains
+ --------------------- unassign_adapter
+ --------------------- unassign_control_domain
+ --------------------- unassign_domain
+ ------------------ [$uuid2]
+ --------------------- adapters
+ --------------------- assign_adapter
+ --------------------- assign_control_domain
+ --------------------- assign_domain
+ --------------------- control_domains
+ --------------------- domains
+ --------------------- unassign_adapter
+ --------------------- unassign_control_domain
+ --------------------- unassign_domain
+
+4. The administrator now needs to configure the matrices for mediated
+ devices $uuid1 (for Guest1) and $uuid2 (for Guest2).
+
+ For Guest1:
+ cd /sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix_passthrough
+ cd ./devices/$uuid1:
+
+ echo 5 > assign_adapter
+ echo 6 > assign_adapter
+ echo 4 > assign_domain
+ echo ab > assign_domain
+
+ For Guest2:
+ cd /sys/devices/ap_matrix/matrix/mdev_supported_types/ap_matrix_passthrough
+ cd ./devices/$uuid2:
+
+ echo 5 > assign_adapter
+ echo 47 > assign_domain
+ echo ff > assign_domain
+
+ By architectural convention, all usage domains - i.e., domains assigned
+ via the assign_domain attribute file - will also be configured in the ADM
+ field of the KVM guest's CRYCB, so there is no need to assign control
+ domains here unless you want to assign control domains that are not
+ assigned as usage domains.
+
+5. Start Guest1
+
+ /usr/bin/qemu-system-s390x ... -device
vfio_ap_matrix,sysfsdev=/sys/devices/ap_matrix/matrix/$uuid1 ...
+
+6. Start Guest2
+
+ /usr/bin/qemu-system-s390x ... -device
vfio_ap_matrix,sysfsdev=/sys/devices/ap_matrix/matrix/$uuid2 ...
\ No newline at end of file
--
1.7.1