<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/arch/s390/include/uapi, branch v5.10.257</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2020-10-07T19:50:02+00:00</updated>
<entry>
<title>s390/sie: fix typo in SIGP code description</title>
<updated>2020-10-07T19:50:02+00:00</updated>
<author>
<name>Julian Wiedmann</name>
<email>jwi@linux.ibm.com</email>
</author>
<published>2020-10-02T09:18:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=eefc69a09ca5b441ee136f9fb68ab5970cfc2d51'/>
<id>urn:sha1:eefc69a09ca5b441ee136f9fb68ab5970cfc2d51</id>
<content type='text'>
s/ait address/at address

Signed-off-by: Julian Wiedmann &lt;jwi@linux.ibm.com&gt;
Acked-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/pkey: support CCA and EP11 secure ECC private keys</title>
<updated>2020-09-24T08:03:28+00:00</updated>
<author>
<name>Harald Freudenberger</name>
<email>freude@linux.ibm.com</email>
</author>
<published>2020-09-21T08:45:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fa6999e326fe7851ecbd572b8cb9be8e930ebf41'/>
<id>urn:sha1:fa6999e326fe7851ecbd572b8cb9be8e930ebf41</id>
<content type='text'>
This patch extends the pkey kernel module to support CCA
and EP11 secure ECC (private) keys as source for deriving
ECC protected (private) keys.

There is yet another new ioctl to support this: PKEY_KBLOB2PROTK3
can handle all the old keys plus CCA and EP11 secure ECC keys.
For details see ioctl description in pkey.h.

The CPACF unit currently only supports a subset of 5
different ECC curves (P-256, P-384, P-521, ED25519, ED448) and
so only keys of this curve type can be transformed into
protected keys. However, the pkey and the cca/ep11 low level
functions do not check this but simply pass through the key
blob to the firmware onto the crypto cards. So most likely
the failure will be a response carrying an error code
resulting in user space errno value EIO instead of EINVAL.

Deriving a protected key from an EP11 ECC secure key
requires a CEX7 in EP11 mode. Deriving a protected key from
a CCA ECC secure key requires a CEX7 in CCA mode.

Together with this new ioctl the ioctls for querying lists
of apqns (PKEY_APQNS4K and PKEY_APQNS4KT) have been extended
to support EP11 and CCA ECC secure key type and key blobs.

Together with this ioctl there comes a new struct ep11kblob_header
which is to be prepended onto the EP11 key blob. See details
in pkey.h for the fields in there. The older EP11 AES key blob
with some info stored in the (unused) session field is also
supported with this new ioctl.

Signed-off-by: Harald Freudenberger &lt;freude@linux.ibm.com&gt;
Reviewed-by: Ingo Franzki &lt;ifranzki@linux.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm</title>
<updated>2020-08-06T19:59:31+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2020-08-06T19:59:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=921d2597abfc05e303f08baa6ead8f9ab8a723e1'/>
<id>urn:sha1:921d2597abfc05e303f08baa6ead8f9ab8a723e1</id>
<content type='text'>
Pull KVM updates from Paolo Bonzini:
 "s390:
   - implement diag318

  x86:
   - Report last CPU for debugging
   - Emulate smaller MAXPHYADDR in the guest than in the host
   - .noinstr and tracing fixes from Thomas
   - nested SVM page table switching optimization and fixes

  Generic:
   - Unify shadow MMU cache data structures across architectures"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (127 commits)
  KVM: SVM: Fix sev_pin_memory() error handling
  KVM: LAPIC: Set the TDCR settable bits
  KVM: x86: Specify max TDP level via kvm_configure_mmu()
  KVM: x86/mmu: Rename max_page_level to max_huge_page_level
  KVM: x86: Dynamically calculate TDP level from max level and MAXPHYADDR
  KVM: VXM: Remove temporary WARN on expected vs. actual EPTP level mismatch
  KVM: x86: Pull the PGD's level from the MMU instead of recalculating it
  KVM: VMX: Make vmx_load_mmu_pgd() static
  KVM: x86/mmu: Add separate helper for shadow NPT root page role calc
  KVM: VMX: Drop a duplicate declaration of construct_eptp()
  KVM: nSVM: Correctly set the shadow NPT root level in its MMU role
  KVM: Using macros instead of magic values
  MIPS: KVM: Fix build error caused by 'kvm_run' cleanup
  KVM: nSVM: remove nonsensical EXITINFO1 adjustment on nested NPF
  KVM: x86: Add a capability for GUEST_MAXPHYADDR &lt; HOST_MAXPHYADDR support
  KVM: VMX: optimize #PF injection when MAXPHYADDR does not match
  KVM: VMX: Add guest physical address check in EPT violation and misconfig
  KVM: VMX: introduce vmx_need_pf_intercept
  KVM: x86: update exception bitmap on CPUID changes
  KVM: x86: rename update_bp_intercept to update_exception_bitmap
  ...
</content>
</entry>
<entry>
<title>s390/zcrypt: code beautification and struct field renames</title>
<updated>2020-07-03T08:49:34+00:00</updated>
<author>
<name>Harald Freudenberger</name>
<email>freude@linux.ibm.com</email>
</author>
<published>2020-04-30T10:23:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=74ecbef7b90800e368809642ecc671ba4a57ab09'/>
<id>urn:sha1:74ecbef7b90800e368809642ecc671ba4a57ab09</id>
<content type='text'>
Some beautifications related to the internal only used
struct ap_message and related code. Instead of one int carrying
only the special flag now a u32 flags field is used.

At struct CPRBX the pointers to additional data are now marked
with __user. This caused some changes needed on code, where
these structs are also used within the zcrypt misc functions.

The ica_rsa_* structs now use the generic types __u8, __u32, ...
instead of char, unsigned int.

zcrypt_msg6 and zcrypt_msg50 use min_t() instead of min().

Signed-off-by: Harald Freudenberger &lt;freude@linux.ibm.com&gt;
Signed-off-by: Heiko Carstens &lt;heiko.carstens@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/debug: remove struct __debug_entry from uapi</title>
<updated>2020-06-29T14:32:25+00:00</updated>
<author>
<name>Heiko Carstens</name>
<email>heiko.carstens@de.ibm.com</email>
</author>
<published>2020-06-18T05:41:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6ffb3f6b46d0d02c318946047dc5ce6553495848'/>
<id>urn:sha1:6ffb3f6b46d0d02c318946047dc5ce6553495848</id>
<content type='text'>
There is no interface to userspace which exposes anything that would
require the struct __debug_entry definition. Therefore remove it from
uapi. This allows changing the definition, since it is only used
internally by the kernel.

The only exception is the crash utility, however that tool must handle
changes all the time anyway.

Signed-off-by: Heiko Carstens &lt;heiko.carstens@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/kvm: diagnose 0x318 sync and reset</title>
<updated>2020-06-23T08:55:33+00:00</updated>
<author>
<name>Collin Walling</name>
<email>walling@linux.ibm.com</email>
</author>
<published>2020-06-22T15:46:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=23a60f834406c8e3805328b630d09d5546b460c1'/>
<id>urn:sha1:23a60f834406c8e3805328b630d09d5546b460c1</id>
<content type='text'>
DIAGNOSE 0x318 (diag318) sets information regarding the environment
the VM is running in (Linux, z/VM, etc) and is observed via
firmware/service events.

This is a privileged s390x instruction that must be intercepted by
SIE. Userspace handles the instruction as well as migration. Data
is communicated via VCPU register synchronization.

The Control Program Name Code (CPNC) is stored in the SIE block. The
CPNC along with the Control Program Version Code (CPVC) are stored
in the kvm_vcpu_arch struct.

This data is reset on load normal and clear resets.

Signed-off-by: Collin Walling &lt;walling@linux.ibm.com&gt;
Reviewed-by: Janosch Frank &lt;frankja@linux.ibm.com&gt;
Acked-by: Cornelia Huck &lt;cohuck@redhat.com&gt;
Reviewed-by: David Hildenbrand &lt;david@redhat.com&gt;
Link: https://lore.kernel.org/r/20200622154636.5499-3-walling@linux.ibm.com
[borntraeger@de.ibm.com: fix sync_reg position]
Signed-off-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390: nvme ipl</title>
<updated>2020-05-06T13:19:35+00:00</updated>
<author>
<name>Jason J. Herne</name>
<email>jjherne@linux.ibm.com</email>
</author>
<published>2020-03-02T19:03:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3737e8ee4f2fc7e77994d1a8bd618a9dda5a5514'/>
<id>urn:sha1:3737e8ee4f2fc7e77994d1a8bd618a9dda5a5514</id>
<content type='text'>
Recognize IPL Block's Ipl Type of "nvme". Populate related structs and sysfs
entries.

Signed-off-by: Jason J. Herne &lt;jjherne@linux.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/pkey/zcrypt: Support EP11 AES secure keys</title>
<updated>2020-01-30T12:07:56+00:00</updated>
<author>
<name>Harald Freudenberger</name>
<email>freude@linux.ibm.com</email>
</author>
<published>2019-12-06T13:21:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=55d0a513a0e202c68af2c8f4b1e923a345227bbb'/>
<id>urn:sha1:55d0a513a0e202c68af2c8f4b1e923a345227bbb</id>
<content type='text'>
Extend the low level ep11 misc functions implementation by
several functions to support EP11 key objects for paes and pkey:
- EP11 AES secure key generation
- EP11 AES secure key generation from given clear key value
- EP11 AES secure key blob check
- findcard function returns list of apqns based on given criteria
- EP11 AES secure key derive to CPACF protected key

Extend the pkey module to be able to generate and handle EP11
secure keys and also use them as base for deriving protected
keys for CPACF usage. These ioctls are extended to support
EP11 keys: PKEY_GENSECK2, PKEY_CLR2SECK2, PKEY_VERIFYKEY2,
PKEY_APQNS4K, PKEY_APQNS4KT, PKEY_KBLOB2PROTK2.

Additionally the 'clear key' token to protected key now uses
an EP11 card if the other ways (via PCKMO, via CCA) fail.

The PAES cipher implementation needed a new upper limit for
the max key size, but is now also working with EP11 keys.

Signed-off-by: Harald Freudenberger &lt;freude@linux.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/zcrypt: ep11 structs rework, export zcrypt_send_ep11_cprb</title>
<updated>2020-01-30T12:07:55+00:00</updated>
<author>
<name>Harald Freudenberger</name>
<email>freude@linux.ibm.com</email>
</author>
<published>2019-08-30T13:57:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a7367997abb64b5e5a4f6fe6091629440b10da40'/>
<id>urn:sha1:a7367997abb64b5e5a4f6fe6091629440b10da40</id>
<content type='text'>
Minor rework for struct ep11_cprb and struct ep11_urb. Use of u8, u16,
u32 instead of unsigned char. Declare pointers to mem from userspace
with __user to give sparse a chance to check.

Export zcrypt_send_ep11_cprb() function as this function will be
called by code in progress which will build ep11 cprbs within the
zcrypt device driver zoo and send them to EP11 crypto cards.

Signed-off-by: Harald Freudenberger &lt;freude@linux.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/zcrypt: enable card/domain autoselect on ep11 cprbs</title>
<updated>2020-01-30T12:07:55+00:00</updated>
<author>
<name>Harald Freudenberger</name>
<email>freude@linux.ibm.com</email>
</author>
<published>2019-08-30T13:17:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8f291ebf327050822d4ebf3812e5cc033ee0a88a'/>
<id>urn:sha1:8f291ebf327050822d4ebf3812e5cc033ee0a88a</id>
<content type='text'>
For EP11 CPRBs the only choice was between specifying
one or more ep11 targets or not giving a target at all. Without
any target the zcrypt code assumed AUTOSELECT. For EP11 this
ended up in choosing any EP11 APQN with regards to the weight.

However, CCA CPRBs can have a more fine granular target
addressing. The caller can give 0xFFFF as AUTOSELECT for
the card and/or the domain. So it's possible to address
any card but domain given or any domain but card given.

This patch now introduces the very same for EP11 CPRB handling.
An EP11 target entry now may contain 0xFFFF as card and/or
domain value with the meaning of ANY card or domain. So
now the same behavior as with CCA CPRBs becomes possible:
Address any card with given domain or address any domain within
given card.

For convenience the zcrypt.h header file now has two new
defines AUTOSEL_AP and AUTOSEL_DOM covering the 0xFFFF
value to address card any and domain any.

Signed-off-by: Harald Freudenberger &lt;freude@linux.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
</content>
</entry>
</feed>
