From c1273f9e38f81f912cd2bd1dd4a43f9652766f76 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Huth <thuth@redhat.com>
|
|
Date: Wed, 10 Jan 2024 15:29:16 +0100
|
|
Subject: [PATCH 5/5] target/s390x/kvm/pv: Provide some more useful information
|
|
if decryption fails
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Thomas Huth <thuth@redhat.com>
|
|
RH-MergeRequest: 348: s390x: Provide some more useful information if decryption of a PV image fails
|
|
RH-Jira: RHEL-18214
|
|
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
|
|
RH-Acked-by: Cédric Le Goater <clg@redhat.com>
|
|
RH-Commit: [5/5] 087acaecfaa5921b409beb212123214fa79fe50c
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-18214
|
|
|
|
commit 7af51621b16ae86646cc2dc9dee30de8176ff761
|
|
Author: Thomas Huth <thuth@redhat.com>
|
|
Date: Wed Jan 10 15:29:16 2024 +0100
|
|
|
|
target/s390x/kvm/pv: Provide some more useful information if decryption fails
|
|
|
|
It's a common scenario to copy guest images from one host to another
|
|
to run the guest on the other machine. This (of course) does not work
|
|
with "secure execution" guests since they are encrypted with one certain
|
|
host key. However, if you still (accidentally) do it, you only get a
|
|
very user-unfriendly error message that looks like this:
|
|
|
|
qemu-system-s390x: KVM PV command 2 (KVM_PV_SET_SEC_PARMS) failed:
|
|
header rc 108 rrc 5 IOCTL rc: -22
|
|
|
|
Let's provide at least a somewhat nicer hint to the users so that they
|
|
are able to figure out what might have gone wrong.
|
|
|
|
Message-ID: <20240110142916.850605-1-thuth@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Reviewed-by: Cédric Le Goater <clg@redhat.com>
|
|
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
|
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
|
|
|
Conflicts:
|
|
target/s390x/kvm/pv.c
|
|
target/s390x/kvm/pv.h
|
|
(contextual conflict due to missing async-teardown in RHEL8)
|
|
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
|
---
|
|
hw/s390x/ipl.c | 5 ++---
|
|
hw/s390x/ipl.h | 2 +-
|
|
hw/s390x/s390-virtio-ccw.c | 5 ++++-
|
|
target/s390x/kvm/pv.c | 25 ++++++++++++++++++++-----
|
|
target/s390x/kvm/pv.h | 5 +++--
|
|
5 files changed, 30 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
|
|
index c25e247426..c6cefdd3fe 100644
|
|
--- a/hw/s390x/ipl.c
|
|
+++ b/hw/s390x/ipl.c
|
|
@@ -709,7 +709,7 @@ static void s390_ipl_prepare_qipl(S390CPU *cpu)
|
|
cpu_physical_memory_unmap(addr, len, 1, len);
|
|
}
|
|
|
|
-int s390_ipl_prepare_pv_header(void)
|
|
+int s390_ipl_prepare_pv_header(Error **errp)
|
|
{
|
|
IplParameterBlock *ipib = s390_ipl_get_iplb_pv();
|
|
IPLBlockPV *ipib_pv = &ipib->pv;
|
|
@@ -718,8 +718,7 @@ int s390_ipl_prepare_pv_header(void)
|
|
|
|
cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr,
|
|
ipib_pv->pv_header_len);
|
|
- rc = s390_pv_set_sec_parms((uintptr_t)hdr,
|
|
- ipib_pv->pv_header_len);
|
|
+ rc = s390_pv_set_sec_parms((uintptr_t)hdr, ipib_pv->pv_header_len, errp);
|
|
g_free(hdr);
|
|
return rc;
|
|
}
|
|
diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
|
|
index dfc6dfd89c..f9cce33330 100644
|
|
--- a/hw/s390x/ipl.h
|
|
+++ b/hw/s390x/ipl.h
|
|
@@ -107,7 +107,7 @@ typedef union IplParameterBlock IplParameterBlock;
|
|
|
|
int s390_ipl_set_loadparm(uint8_t *loadparm);
|
|
void s390_ipl_update_diag308(IplParameterBlock *iplb);
|
|
-int s390_ipl_prepare_pv_header(void);
|
|
+int s390_ipl_prepare_pv_header(Error **errp);
|
|
int s390_ipl_pv_unpack(void);
|
|
void s390_ipl_prepare_cpu(S390CPU *cpu);
|
|
IplParameterBlock *s390_ipl_get_iplb(void);
|
|
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
|
|
index 7bfa5b4e8f..94434c3bb1 100644
|
|
--- a/hw/s390x/s390-virtio-ccw.c
|
|
+++ b/hw/s390x/s390-virtio-ccw.c
|
|
@@ -374,7 +374,7 @@ static int s390_machine_protect(S390CcwMachineState *ms)
|
|
}
|
|
|
|
/* Set SE header and unpack */
|
|
- rc = s390_ipl_prepare_pv_header();
|
|
+ rc = s390_ipl_prepare_pv_header(&local_err);
|
|
if (rc) {
|
|
goto out_err;
|
|
}
|
|
@@ -393,6 +393,9 @@ static int s390_machine_protect(S390CcwMachineState *ms)
|
|
return rc;
|
|
|
|
out_err:
|
|
+ if (local_err) {
|
|
+ error_report_err(local_err);
|
|
+ }
|
|
s390_machine_unprotect(ms);
|
|
return rc;
|
|
}
|
|
diff --git a/target/s390x/kvm/pv.c b/target/s390x/kvm/pv.c
|
|
index e14db4f41a..ae75063777 100644
|
|
--- a/target/s390x/kvm/pv.c
|
|
+++ b/target/s390x/kvm/pv.c
|
|
@@ -27,7 +27,8 @@ static bool info_valid;
|
|
static struct kvm_s390_pv_info_vm info_vm;
|
|
static struct kvm_s390_pv_info_dump info_dump;
|
|
|
|
-static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
|
|
+static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data,
|
|
+ int *pvrc)
|
|
{
|
|
struct kvm_pv_cmd pv_cmd = {
|
|
.cmd = cmd,
|
|
@@ -44,6 +45,9 @@ static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
|
|
"IOCTL rc: %d", cmd, cmdname, pv_cmd.rc, pv_cmd.rrc,
|
|
rc);
|
|
}
|
|
+ if (pvrc) {
|
|
+ *pvrc = pv_cmd.rc;
|
|
+ }
|
|
return rc;
|
|
}
|
|
|
|
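Review bot: The new `pvrc` parameter of `__s390_pv_cmd()` is undocumented, and the caller added later in this patch depends on it being written on every return. `s390_pv_set_sec_parms()` declares `int ret, pvrc;` with no initializer and tests `pvrc == 0x108` on failure, so any path that returned without the store would read an indeterminate value. The store sits after the error report and directly before `return rc;`, but the middle of the function lies outside the hunks, so the absence of an earlier return should be confirmed. A comment above the function such as `/* @pvrc: if non-NULL, always receives pv_cmd.rc (the Ultravisor return code) before returning */`, together with `int ret, pvrc = 0;` in the caller, would make the contract explicit.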
@@ -51,12 +55,13 @@ static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
|
|
* This macro lets us pass the command as a string to the function so
|
|
* we can print it on an error.
|
|
*/
|
|
-#define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data)
|
|
+#define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data, NULL)
|
|
+#define s390_pv_cmd_pvrc(cmd, data, pvrc) __s390_pv_cmd(cmd, #cmd, data, pvrc)
|
|
#define s390_pv_cmd_exit(cmd, data) \
|
|
{ \
|
|
int rc; \
|
|
\
|
|
- rc = __s390_pv_cmd(cmd, #cmd, data);\
|
|
+ rc = __s390_pv_cmd(cmd, #cmd, data, NULL); \
|
|
if (rc) { \
|
|
exit(1); \
|
|
} \
|
|
@@ -108,14 +113,24 @@ void s390_pv_vm_disable(void)
|
|
s390_pv_cmd_exit(KVM_PV_DISABLE, NULL);
|
|
}
|
|
|
|
-int s390_pv_set_sec_parms(uint64_t origin, uint64_t length)
|
|
+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length, Error **errp)
|
|
{
|
|
+ int ret, pvrc;
|
|
struct kvm_s390_pv_sec_parm args = {
|
|
.origin = origin,
|
|
.length = length,
|
|
};
|
|
|
|
- return s390_pv_cmd(KVM_PV_SET_SEC_PARMS, &args);
|
|
+ ret = s390_pv_cmd_pvrc(KVM_PV_SET_SEC_PARMS, &args, &pvrc);
|
|
+ if (ret) {
|
|
+ error_setg(errp, "Failed to set secure execution parameters");
|
|
+ if (pvrc == 0x108) {
|
|
+ error_append_hint(errp, "Please check whether the image is "
|
|
+ "correctly encrypted for this host\n");
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
}
|
|
|
|
/*
|
|
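Review bot: `s390_pv_set_sec_parms()` passes `errp` to `error_append_hint()` without `ERRP_GUARD();` as its first statement. QEMU's Error API asks for the guard in any function that appends a hint, because with `&error_fatal` the process exits inside `error_setg()` before the hint is attached, so the "correctly encrypted for this host" line would never be printed. The only caller visible in this patch passes `&local_err`, so the hint is shown today, but adding `ERRP_GUARD();` keeps it working for future callers. The bare `0x108` would also benefit from a short comment such as `/* UV rc seen when the SE header cannot be decrypted with this host's key */`, with the wording checked against the Ultravisor return-code list.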
diff --git a/target/s390x/kvm/pv.h b/target/s390x/kvm/pv.h
|
|
index 9360aa1091..6868c3f4ac 100644
|
|
--- a/target/s390x/kvm/pv.h
|
|
+++ b/target/s390x/kvm/pv.h
|
|
@@ -41,7 +41,7 @@ static inline bool s390_is_pv(void)
|
|
int s390_pv_query_info(void);
|
|
int s390_pv_vm_enable(void);
|
|
void s390_pv_vm_disable(void);
|
|
-int s390_pv_set_sec_parms(uint64_t origin, uint64_t length);
|
|
+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length, Error **errp);
|
|
int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak);
|
|
void s390_pv_prep_reset(void);
|
|
int s390_pv_verify(void);
|
|
@@ -60,7 +60,8 @@ static inline bool s390_is_pv(void) { return false; }
|
|
static inline int s390_pv_query_info(void) { return 0; }
|
|
static inline int s390_pv_vm_enable(void) { return 0; }
|
|
static inline void s390_pv_vm_disable(void) {}
|
|
-static inline int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) { return 0; }
|
|
+static inline int s390_pv_set_sec_parms(uint64_t origin, uint64_t length,
|
|
+ Error **errp) { return 0; }
|
|
static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { return 0; }
|
|
static inline void s390_pv_prep_reset(void) {}
|
|
static inline int s390_pv_verify(void) { return 0; }
|
|
--
|
|
2.41.0
|
|
|