yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
902636
From e6474080e3816e82e87c545a3d22db77c55ab053 Mon Sep 17 00:00:00 2001
902636
From: Thomas Huth <thuth@redhat.com>
902636
Date: Fri, 29 May 2020 05:54:04 -0400
902636
Subject: [PATCH 22/42] s390x: protvirt: Support unpack facility
902636
902636
RH-Author: Thomas Huth <thuth@redhat.com>
902636
Message-id: <20200529055420.16855-23-thuth@redhat.com>
902636
Patchwork-id: 97045
902636
O-Subject: [RHEL-8.3.0 qemu-kvm PATCH v2 22/38] s390x: protvirt: Support unpack facility
902636
Bugzilla: 1828317
902636
RH-Acked-by: Claudio Imbrenda <cimbrend@redhat.com>
902636
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
902636
RH-Acked-by: David Hildenbrand <david@redhat.com>
902636
902636
From: Janosch Frank <frankja@linux.ibm.com>
902636
902636
The unpack facility provides the means to setup a protected guest. A
902636
protected guest cannot be introspected by the hypervisor or any
902636
user/administrator of the machine it is running on.
902636
902636
Protected guests are encrypted at rest and need a special boot
902636
mechanism via diag308 subcode 8 and 10.
902636
902636
Code 8 sets the PV specific IPLB which is retained separately from
902636
those set via code 5.
902636
902636
Code 10 is used to unpack the VM into protected memory, verify its
902636
integrity and start it.
902636
902636
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
902636
Co-developed-by: Christian Borntraeger <borntraeger@de.ibm.com> [Changes
902636
to machine]
902636
Reviewed-by: David Hildenbrand <david@redhat.com>
902636
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
902636
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
902636
Message-Id: <20200323083606.24520-1-frankja@linux.ibm.com>
902636
[CH: fixed up KVM_PV_VM_ -> KVM_PV_]
902636
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
902636
(cherry picked from commit c3347ed0d2ee42a7dcf7bfe7f9c3884a9596727a)
902636
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
902636
---
902636
 MAINTAINERS                         |   2 +
902636
 hw/s390x/Makefile.objs              |   1 +
902636
 hw/s390x/ipl.c                      |  59 +++++++++++++-
902636
 hw/s390x/ipl.h                      |  91 ++++++++++++++++++++-
902636
 hw/s390x/pv.c                       |  98 +++++++++++++++++++++++
902636
 hw/s390x/s390-virtio-ccw.c          | 119 +++++++++++++++++++++++++++-
902636
 include/hw/s390x/pv.h               |  55 +++++++++++++
902636
 include/hw/s390x/s390-virtio-ccw.h  |   1 +
902636
 target/s390x/cpu.c                  |   1 +
902636
 target/s390x/cpu_features_def.inc.h |   1 +
902636
 target/s390x/diag.c                 |  39 ++++++++-
902636
 target/s390x/kvm-stub.c             |   5 ++
902636
 target/s390x/kvm.c                  |   5 ++
902636
 target/s390x/kvm_s390x.h            |   1 +
902636
 14 files changed, 468 insertions(+), 10 deletions(-)
902636
 create mode 100644 hw/s390x/pv.c
902636
 create mode 100644 include/hw/s390x/pv.h
902636
902636
diff --git a/MAINTAINERS b/MAINTAINERS
902636
index 49d5d44edc..2742c95575 100644
902636
--- a/MAINTAINERS
902636
+++ b/MAINTAINERS
902636
@@ -385,6 +385,8 @@ F: target/s390x/machine.c
902636
 F: target/s390x/sigp.c
902636
 F: target/s390x/cpu_features*.[ch]
902636
 F: target/s390x/cpu_models.[ch]
902636
+F: hw/s390x/pv.c
902636
+F: include/hw/s390x/pv.h
902636
 F: hw/intc/s390_flic.c
902636
 F: hw/intc/s390_flic_kvm.c
902636
 F: include/hw/s390x/s390_flic.h
902636
diff --git a/hw/s390x/Makefile.objs b/hw/s390x/Makefile.objs
902636
index e02ed80b68..a46a1c7894 100644
902636
--- a/hw/s390x/Makefile.objs
902636
+++ b/hw/s390x/Makefile.objs
902636
@@ -31,6 +31,7 @@ obj-y += tod-qemu.o
902636
 obj-$(CONFIG_KVM) += tod-kvm.o
902636
 obj-$(CONFIG_KVM) += s390-skeys-kvm.o
902636
 obj-$(CONFIG_KVM) += s390-stattrib-kvm.o
902636
+obj-$(CONFIG_KVM) += pv.o
902636
 obj-y += s390-ccw.o
902636
 obj-y += ap-device.o
902636
 obj-y += ap-bridge.o
902636
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
902636
index fa0409dc23..586d95b5b6 100644
902636
--- a/hw/s390x/ipl.c
902636
+++ b/hw/s390x/ipl.c
902636
@@ -1,10 +1,11 @@
902636
 /*
902636
  * bootloader support
902636
  *
902636
- * Copyright IBM, Corp. 2012
902636
+ * Copyright IBM, Corp. 2012, 2020
902636
  *
902636
  * Authors:
902636
  *  Christian Borntraeger <borntraeger@de.ibm.com>
902636
+ *  Janosch Frank <frankja@linux.ibm.com>
902636
  *
902636
  * This work is licensed under the terms of the GNU GPL, version 2 or (at your
902636
  * option) any later version.  See the COPYING file in the top-level directory.
902636
@@ -27,6 +28,7 @@
902636
 #include "hw/s390x/vfio-ccw.h"
902636
 #include "hw/s390x/css.h"
902636
 #include "hw/s390x/ebcdic.h"
902636
+#include "hw/s390x/pv.h"
902636
 #include "ipl.h"
902636
 #include "qemu/error-report.h"
902636
 #include "qemu/config-file.h"
902636
@@ -557,12 +559,31 @@ void s390_ipl_update_diag308(IplParameterBlock *iplb)
902636
 {
902636
     S390IPLState *ipl = get_ipl_device();
902636
 
902636
-    ipl->iplb = *iplb;
902636
-    ipl->iplb_valid = true;
902636
+    /*
902636
+     * The IPLB set and retrieved by subcodes 8/9 is completely
902636
+     * separate from the one managed via subcodes 5/6.
902636
+     */
902636
+    if (iplb->pbt == S390_IPL_TYPE_PV) {
902636
+        ipl->iplb_pv = *iplb;
902636
+        ipl->iplb_valid_pv = true;
902636
+    } else {
902636
+        ipl->iplb = *iplb;
902636
+        ipl->iplb_valid = true;
902636
+    }
902636
     ipl->netboot = is_virtio_net_device(iplb);
902636
     update_machine_ipl_properties(iplb);
902636
 }
902636
 
902636
+IplParameterBlock *s390_ipl_get_iplb_pv(void)
902636
+{
902636
+    S390IPLState *ipl = get_ipl_device();
902636
+
902636
+    if (!ipl->iplb_valid_pv) {
902636
+        return NULL;
902636
+    }
902636
+    return &ipl->iplb_pv;
902636
+}
902636
+
902636
 IplParameterBlock *s390_ipl_get_iplb(void)
902636
 {
902636
     S390IPLState *ipl = get_ipl_device();
902636
@@ -651,6 +672,38 @@ static void s390_ipl_prepare_qipl(S390CPU *cpu)
902636
     cpu_physical_memory_unmap(addr, len, 1, len);
902636
 }
902636
 
902636
+int s390_ipl_prepare_pv_header(void)
902636
+{
902636
+    IplParameterBlock *ipib = s390_ipl_get_iplb_pv();
902636
+    IPLBlockPV *ipib_pv = &ipib->pv;
902636
+    void *hdr = g_malloc(ipib_pv->pv_header_len);
902636
+    int rc;
902636
+
902636
+    cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr,
902636
+                             ipib_pv->pv_header_len);
902636
+    rc = s390_pv_set_sec_parms((uintptr_t)hdr,
902636
+                               ipib_pv->pv_header_len);
902636
+    g_free(hdr);
902636
+    return rc;
902636
+}
902636
+
902636
+int s390_ipl_pv_unpack(void)
902636
+{
902636
+    IplParameterBlock *ipib = s390_ipl_get_iplb_pv();
902636
+    IPLBlockPV *ipib_pv = &ipib->pv;
902636
+    int i, rc = 0;
902636
+
902636
+    for (i = 0; i < ipib_pv->num_comp; i++) {
902636
+        rc = s390_pv_unpack(ipib_pv->components[i].addr,
902636
+                            TARGET_PAGE_ALIGN(ipib_pv->components[i].size),
902636
+                            ipib_pv->components[i].tweak_pref);
902636
+        if (rc) {
902636
+            break;
902636
+        }
902636
+    }
902636
+    return rc;
902636
+}
902636
+
902636
 void s390_ipl_prepare_cpu(S390CPU *cpu)
902636
 {
902636
     S390IPLState *ipl = get_ipl_device();
902636
diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
902636
index a5665e6bfd..89b3044d7a 100644
902636
--- a/hw/s390x/ipl.h
902636
+++ b/hw/s390x/ipl.h
902636
@@ -1,8 +1,9 @@
902636
 /*
902636
  * s390 IPL device
902636
  *
902636
- * Copyright 2015 IBM Corp.
902636
+ * Copyright 2015, 2020 IBM Corp.
902636
  * Author(s): Zhang Fan <bjfanzh@cn.ibm.com>
902636
+ * Janosch Frank <frankja@linux.ibm.com>
902636
  *
902636
  * This work is licensed under the terms of the GNU GPL, version 2 or (at
902636
  * your option) any later version. See the COPYING file in the top-level
902636
@@ -15,6 +16,24 @@
902636
 #include "cpu.h"
902636
 #include "hw/qdev-core.h"
902636
 
902636
+struct IPLBlockPVComp {
902636
+    uint64_t tweak_pref;
902636
+    uint64_t addr;
902636
+    uint64_t size;
902636
+} QEMU_PACKED;
902636
+typedef struct IPLBlockPVComp IPLBlockPVComp;
902636
+
902636
+struct IPLBlockPV {
902636
+    uint8_t  reserved18[87];    /* 0x18 */
902636
+    uint8_t  version;           /* 0x6f */
902636
+    uint32_t reserved70;        /* 0x70 */
902636
+    uint32_t num_comp;          /* 0x74 */
902636
+    uint64_t pv_header_addr;    /* 0x78 */
902636
+    uint64_t pv_header_len;     /* 0x80 */
902636
+    struct IPLBlockPVComp components[];
902636
+} QEMU_PACKED;
902636
+typedef struct IPLBlockPV IPLBlockPV;
902636
+
902636
 struct IplBlockCcw {
902636
     uint8_t  reserved0[85];
902636
     uint8_t  ssid;
902636
@@ -71,6 +90,7 @@ union IplParameterBlock {
902636
         union {
902636
             IplBlockCcw ccw;
902636
             IplBlockFcp fcp;
902636
+            IPLBlockPV pv;
902636
             IplBlockQemuScsi scsi;
902636
         };
902636
     } QEMU_PACKED;
902636
@@ -85,8 +105,11 @@ typedef union IplParameterBlock IplParameterBlock;
902636
 
902636
 int s390_ipl_set_loadparm(uint8_t *loadparm);
902636
 void s390_ipl_update_diag308(IplParameterBlock *iplb);
902636
+int s390_ipl_prepare_pv_header(void);
902636
+int s390_ipl_pv_unpack(void);
902636
 void s390_ipl_prepare_cpu(S390CPU *cpu);
902636
 IplParameterBlock *s390_ipl_get_iplb(void);
902636
+IplParameterBlock *s390_ipl_get_iplb_pv(void);
902636
 
902636
 enum s390_reset {
902636
     /* default is a reset not triggered by a CPU e.g. issued by QMP */
902636
@@ -94,6 +117,7 @@ enum s390_reset {
902636
     S390_RESET_REIPL,
902636
     S390_RESET_MODIFIED_CLEAR,
902636
     S390_RESET_LOAD_NORMAL,
902636
+    S390_RESET_PV,
902636
 };
902636
 void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type);
902636
 void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type);
902636
@@ -133,6 +157,7 @@ struct S390IPLState {
902636
     /*< private >*/
902636
     DeviceState parent_obj;
902636
     IplParameterBlock iplb;
902636
+    IplParameterBlock iplb_pv;
902636
     QemuIplParameters qipl;
902636
     uint64_t start_addr;
902636
     uint64_t compat_start_addr;
902636
@@ -140,6 +165,7 @@ struct S390IPLState {
902636
     uint64_t compat_bios_start_addr;
902636
     bool enforce_bios;
902636
     bool iplb_valid;
902636
+    bool iplb_valid_pv;
902636
     bool netboot;
902636
     /* reset related properties don't have to be migrated or reset */
902636
     enum s390_reset reset_type;
902636
@@ -162,6 +188,8 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
902636
 #define DIAG_308_RC_OK              0x0001
902636
 #define DIAG_308_RC_NO_CONF         0x0102
902636
 #define DIAG_308_RC_INVALID         0x0402
902636
+#define DIAG_308_RC_NO_PV_CONF      0x0902
902636
+#define DIAG_308_RC_INVAL_FOR_PV    0x0a02
902636
 
902636
 #define DIAG308_RESET_MOD_CLR       0
902636
 #define DIAG308_RESET_LOAD_NORM     1
902636
@@ -169,12 +197,17 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
902636
 #define DIAG308_LOAD_NORMAL_DUMP    4
902636
 #define DIAG308_SET                 5
902636
 #define DIAG308_STORE               6
902636
+#define DIAG308_PV_SET              8
902636
+#define DIAG308_PV_STORE            9
902636
+#define DIAG308_PV_START            10
902636
 
902636
 #define S390_IPL_TYPE_FCP 0x00
902636
 #define S390_IPL_TYPE_CCW 0x02
902636
+#define S390_IPL_TYPE_PV 0x05
902636
 #define S390_IPL_TYPE_QEMU_SCSI 0xff
902636
 
902636
 #define S390_IPLB_HEADER_LEN 8
902636
+#define S390_IPLB_MIN_PV_LEN 148
902636
 #define S390_IPLB_MIN_CCW_LEN 200
902636
 #define S390_IPLB_MIN_FCP_LEN 384
902636
 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200
902636
@@ -184,6 +217,62 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb)
902636
     return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock);
902636
 }
902636
 
902636
+static inline bool ipl_valid_pv_components(IplParameterBlock *iplb)
902636
+{
902636
+    IPLBlockPV *ipib_pv = &iplb->pv;
902636
+    int i;
902636
+
902636
+    if (ipib_pv->num_comp == 0) {
902636
+        return false;
902636
+    }
902636
+
902636
+    for (i = 0; i < ipib_pv->num_comp; i++) {
902636
+        /* Addr must be 4k aligned */
902636
+        if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) {
902636
+            return false;
902636
+        }
902636
+
902636
+        /* Tweak prefix is monotonically increasing with each component */
902636
+        if (i < ipib_pv->num_comp - 1 &&
902636
+            ipib_pv->components[i].tweak_pref >=
902636
+            ipib_pv->components[i + 1].tweak_pref) {
902636
+            return false;
902636
+        }
902636
+    }
902636
+    return true;
902636
+}
902636
+
902636
+static inline bool ipl_valid_pv_header(IplParameterBlock *iplb)
902636
+{
902636
+        IPLBlockPV *ipib_pv = &iplb->pv;
902636
+
902636
+        if (ipib_pv->pv_header_len > 2 * TARGET_PAGE_SIZE) {
902636
+            return false;
902636
+        }
902636
+
902636
+        if (!address_space_access_valid(&address_space_memory,
902636
+                                        ipib_pv->pv_header_addr,
902636
+                                        ipib_pv->pv_header_len,
902636
+                                        false,
902636
+                                        MEMTXATTRS_UNSPECIFIED)) {
902636
+            return false;
902636
+        }
902636
+
902636
+        return true;
902636
+}
902636
+
902636
+static inline bool iplb_valid_pv(IplParameterBlock *iplb)
902636
+{
902636
+    if (iplb->pbt != S390_IPL_TYPE_PV ||
902636
+        be32_to_cpu(iplb->len) < S390_IPLB_MIN_PV_LEN) {
902636
+        return false;
902636
+    }
902636
+    if (!ipl_valid_pv_header(iplb)) {
902636
+        return false;
902636
+    }
902636
+    return ipl_valid_pv_components(iplb);
902636
+}
902636
+
902636
 static inline bool iplb_valid(IplParameterBlock *iplb)
902636
 {
902636
     switch (iplb->pbt) {
902636
diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
902636
new file mode 100644
902636
index 0000000000..a40a844806
902636
--- /dev/null
902636
+++ b/hw/s390x/pv.c
902636
@@ -0,0 +1,98 @@
902636
+/*
902636
+ * Protected Virtualization functions
902636
+ *
902636
+ * Copyright IBM Corp. 2020
902636
+ * Author(s):
902636
+ *  Janosch Frank <frankja@linux.ibm.com>
902636
+ *
902636
+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
902636
+ * your option) any later version. See the COPYING file in the top-level
902636
+ * directory.
902636
+ */
902636
+#include "qemu/osdep.h"
902636
+
902636
+#include <linux/kvm.h>
902636
+
902636
+#include "qemu/error-report.h"
902636
+#include "sysemu/kvm.h"
902636
+#include "hw/s390x/pv.h"
902636
+
902636
+static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
902636
+{
902636
+    struct kvm_pv_cmd pv_cmd = {
902636
+        .cmd = cmd,
902636
+        .data = (uint64_t)data,
902636
+    };
902636
+    int rc = kvm_vm_ioctl(kvm_state, KVM_S390_PV_COMMAND, &pv_cmd);
902636
+
902636
+    if (rc) {
902636
+        error_report("KVM PV command %d (%s) failed: header rc %x rrc %x "
902636
+                     "IOCTL rc: %d", cmd, cmdname, pv_cmd.rc, pv_cmd.rrc,
902636
+                     rc);
902636
+    }
902636
+    return rc;
902636
+}
902636
+
902636
+/*
902636
+ * This macro lets us pass the command as a string to the function so
902636
+ * we can print it on an error.
902636
+ */
902636
+#define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data);
902636
+#define s390_pv_cmd_exit(cmd, data)    \
902636
+{                                      \
902636
+    int rc;                            \
902636
+                                       \
902636
+    rc = __s390_pv_cmd(cmd, #cmd, data);\
902636
+    if (rc) {                          \
902636
+        exit(1);                       \
902636
+    }                                  \
902636
+}
902636
+
902636
+int s390_pv_vm_enable(void)
902636
+{
902636
+    return s390_pv_cmd(KVM_PV_ENABLE, NULL);
902636
+}
902636
+
902636
+void s390_pv_vm_disable(void)
902636
+{
902636
+     s390_pv_cmd_exit(KVM_PV_DISABLE, NULL);
902636
+}
902636
+
902636
+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length)
902636
+{
902636
+    struct kvm_s390_pv_sec_parm args = {
902636
+        .origin = origin,
902636
+        .length = length,
902636
+    };
902636
+
902636
+    return s390_pv_cmd(KVM_PV_SET_SEC_PARMS, &args);
902636
+}
902636
+
902636
+/*
902636
+ * Called for each component in the SE type IPL parameter block 0.
902636
+ */
902636
+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak)
902636
+{
902636
+    struct kvm_s390_pv_unp args = {
902636
+        .addr = addr,
902636
+        .size = size,
902636
+        .tweak = tweak,
902636
+    };
902636
+
902636
+    return s390_pv_cmd(KVM_PV_UNPACK, &args);
902636
+}
902636
+
902636
+void s390_pv_perf_clear_reset(void)
902636
+{
902636
+    s390_pv_cmd_exit(KVM_PV_PREP_RESET, NULL);
902636
+}
902636
+
902636
+int s390_pv_verify(void)
902636
+{
902636
+    return s390_pv_cmd(KVM_PV_VERIFY, NULL);
902636
+}
902636
+
902636
+void s390_pv_unshare(void)
902636
+{
902636
+    s390_pv_cmd_exit(KVM_PV_UNSHARE_ALL, NULL);
902636
+}
902636
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
902636
index 4ea01c53c0..82da1d9ab5 100644
902636
--- a/hw/s390x/s390-virtio-ccw.c
902636
+++ b/hw/s390x/s390-virtio-ccw.c
902636
@@ -1,9 +1,10 @@
902636
 /*
902636
  * virtio ccw machine
902636
  *
902636
- * Copyright 2012 IBM Corp.
902636
+ * Copyright 2012, 2020 IBM Corp.
902636
  * Copyright (c) 2009 Alexander Graf <agraf@suse.de>
902636
  * Author(s): Cornelia Huck <cornelia.huck@de.ibm.com>
902636
+ *            Janosch Frank <frankja@linux.ibm.com>
902636
  *
902636
  * This work is licensed under the terms of the GNU GPL, version 2 or (at
902636
  * your option) any later version. See the COPYING file in the top-level
902636
@@ -41,6 +42,8 @@
902636
 #include "hw/qdev-properties.h"
902636
 #include "hw/s390x/tod.h"
902636
 #include "sysemu/sysemu.h"
902636
+#include "hw/s390x/pv.h"
902636
+#include <linux/kvm.h>
902636
 
902636
 S390CPU *s390_cpu_addr2state(uint16_t cpu_addr)
902636
 {
902636
@@ -318,10 +321,78 @@ static inline void s390_do_cpu_ipl(CPUState *cs, run_on_cpu_data arg)
902636
     s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu);
902636
 }
902636
 
902636
+static void s390_machine_unprotect(S390CcwMachineState *ms)
902636
+{
902636
+    s390_pv_vm_disable();
902636
+    ms->pv = false;
902636
+}
902636
+
902636
+static int s390_machine_protect(S390CcwMachineState *ms)
902636
+{
902636
+    int rc;
902636
+
902636
+    /* Create SE VM */
902636
+    rc = s390_pv_vm_enable();
902636
+    if (rc) {
902636
+        return rc;
902636
+    }
902636
+
902636
+    ms->pv = true;
902636
+
902636
+    /* Set SE header and unpack */
902636
+    rc = s390_ipl_prepare_pv_header();
902636
+    if (rc) {
902636
+        goto out_err;
902636
+    }
902636
+
902636
+    /* Decrypt image */
902636
+    rc = s390_ipl_pv_unpack();
902636
+    if (rc) {
902636
+        goto out_err;
902636
+    }
902636
+
902636
+    /* Verify integrity */
902636
+    rc = s390_pv_verify();
902636
+    if (rc) {
902636
+        goto out_err;
902636
+    }
902636
+    return rc;
902636
+
902636
+out_err:
902636
+    s390_machine_unprotect(ms);
902636
+    return rc;
902636
+}
902636
+
902636
+static void s390_machine_inject_pv_error(CPUState *cs)
902636
+{
902636
+    int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
902636
+    CPUS390XState *env = &S390_CPU(cs)->env;
902636
+
902636
+    /* Report that we are unable to enter protected mode */
902636
+    env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
902636
+}
902636
+
902636
+static void s390_pv_prepare_reset(S390CcwMachineState *ms)
902636
+{
902636
+    CPUState *cs;
902636
+
902636
+    if (!s390_is_pv()) {
902636
+        return;
902636
+    }
902636
+    /* Unsharing requires all cpus to be stopped */
902636
+    CPU_FOREACH(cs) {
902636
+        s390_cpu_set_state(S390_CPU_STATE_STOPPED, S390_CPU(cs));
902636
+    }
902636
+    s390_pv_unshare();
902636
+    s390_pv_perf_clear_reset();
902636
+}
902636
+
902636
 static void s390_machine_reset(MachineState *machine)
902636
 {
902636
+    S390CcwMachineState *ms = S390_CCW_MACHINE(machine);
902636
     enum s390_reset reset_type;
902636
     CPUState *cs, *t;
902636
+    S390CPU *cpu;
902636
 
902636
     /* get the reset parameters, reset them once done */
902636
     s390_ipl_get_reset_request(&cs, &reset_type);
902636
@@ -329,9 +400,15 @@ static void s390_machine_reset(MachineState *machine)
902636
     /* all CPUs are paused and synchronized at this point */
902636
     s390_cmma_reset();
902636
 
902636
+    cpu = S390_CPU(cs);
902636
+
902636
     switch (reset_type) {
902636
     case S390_RESET_EXTERNAL:
902636
     case S390_RESET_REIPL:
902636
+        if (s390_is_pv()) {
902636
+            s390_machine_unprotect(ms);
902636
+        }
902636
+
902636
         qemu_devices_reset();
902636
         s390_crypto_reset();
902636
 
902636
@@ -339,22 +416,56 @@ static void s390_machine_reset(MachineState *machine)
902636
         run_on_cpu(cs, s390_do_cpu_ipl, RUN_ON_CPU_NULL);
902636
         break;
902636
     case S390_RESET_MODIFIED_CLEAR:
902636
+        /*
902636
+         * Susbsystem reset needs to be done before we unshare memory
902636
+         * and lose access to VIRTIO structures in guest memory.
902636
+         */
902636
+        subsystem_reset();
902636
+        s390_crypto_reset();
902636
+        s390_pv_prepare_reset(ms);
902636
         CPU_FOREACH(t) {
902636
             run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL);
902636
         }
902636
-        subsystem_reset();
902636
-        s390_crypto_reset();
902636
         run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
902636
         break;
902636
     case S390_RESET_LOAD_NORMAL:
902636
+        /*
902636
+         * Susbsystem reset needs to be done before we unshare memory
902636
+         * and lose access to VIRTIO structures in guest memory.
902636
+         */
902636
+        subsystem_reset();
902636
+        s390_pv_prepare_reset(ms);
902636
         CPU_FOREACH(t) {
902636
             if (t == cs) {
902636
                 continue;
902636
             }
902636
             run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL);
902636
         }
902636
-        subsystem_reset();
902636
         run_on_cpu(cs, s390_do_cpu_initial_reset, RUN_ON_CPU_NULL);
902636
+        run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
902636
+        break;
902636
+    case S390_RESET_PV: /* Subcode 10 */
902636
+        subsystem_reset();
902636
+        s390_crypto_reset();
902636
+
902636
+        CPU_FOREACH(t) {
902636
+            if (t == cs) {
902636
+                continue;
902636
+            }
902636
+            run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL);
902636
+        }
902636
+        run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL);
902636
+
902636
+        if (s390_machine_protect(ms)) {
902636
+            s390_machine_inject_pv_error(cs);
902636
+            /*
902636
+             * Continue after the diag308 so the guest knows something
902636
+             * went wrong.
902636
+             */
902636
+            s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu);
902636
+            return;
902636
+        }
902636
+
902636
         run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
902636
         break;
902636
     default:
902636
diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
902636
new file mode 100644
902636
index 0000000000..c6cb360f2f
902636
--- /dev/null
902636
+++ b/include/hw/s390x/pv.h
902636
@@ -0,0 +1,55 @@
902636
+/*
902636
+ * Protected Virtualization header
902636
+ *
902636
+ * Copyright IBM Corp. 2020
902636
+ * Author(s):
902636
+ *  Janosch Frank <frankja@linux.ibm.com>
902636
+ *
902636
+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
902636
+ * your option) any later version. See the COPYING file in the top-level
902636
+ * directory.
902636
+ */
902636
+#ifndef HW_S390_PV_H
902636
+#define HW_S390_PV_H
902636
+
902636
+#ifdef CONFIG_KVM
902636
+#include "hw/s390x/s390-virtio-ccw.h"
902636
+
902636
+static inline bool s390_is_pv(void)
902636
+{
902636
+    static S390CcwMachineState *ccw;
902636
+    Object *obj;
902636
+
902636
+    if (ccw) {
902636
+        return ccw->pv;
902636
+    }
902636
+
902636
+    /* we have to bail out for the "none" machine */
902636
+    obj = object_dynamic_cast(qdev_get_machine(),
902636
+                              TYPE_S390_CCW_MACHINE);
902636
+    if (!obj) {
902636
+        return false;
902636
+    }
902636
+    ccw = S390_CCW_MACHINE(obj);
902636
+    return ccw->pv;
902636
+}
902636
+
902636
+int s390_pv_vm_enable(void);
902636
+void s390_pv_vm_disable(void);
902636
+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length);
902636
+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak);
902636
+void s390_pv_perf_clear_reset(void);
902636
+int s390_pv_verify(void);
902636
+void s390_pv_unshare(void);
902636
+#else /* CONFIG_KVM */
902636
+static inline bool s390_is_pv(void) { return false; }
902636
+static inline int s390_pv_vm_enable(void) { return 0; }
902636
+static inline void s390_pv_vm_disable(void) {}
902636
+static inline int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) { return 0; }
902636
+static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { return 0; }
902636
+static inline void s390_pv_perf_clear_reset(void) {}
902636
+static inline int s390_pv_verify(void) { return 0; }
902636
+static inline void s390_pv_unshare(void) {}
902636
+#endif /* CONFIG_KVM */
902636
+
902636
+#endif /* HW_S390_PV_H */
902636
diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h
902636
index 8aa27199c9..cd1dccc6e3 100644
902636
--- a/include/hw/s390x/s390-virtio-ccw.h
902636
+++ b/include/hw/s390x/s390-virtio-ccw.h
902636
@@ -28,6 +28,7 @@ typedef struct S390CcwMachineState {
902636
     /*< public >*/
902636
     bool aes_key_wrap;
902636
     bool dea_key_wrap;
902636
+    bool pv;
902636
     uint8_t loadparm[8];
902636
 } S390CcwMachineState;
902636
 
902636
diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
902636
index c0dd502b84..8f38cd8e6f 100644
902636
--- a/target/s390x/cpu.c
902636
+++ b/target/s390x/cpu.c
902636
@@ -37,6 +37,7 @@
902636
 #include "sysemu/hw_accel.h"
902636
 #include "hw/qdev-properties.h"
902636
 #ifndef CONFIG_USER_ONLY
902636
+#include "hw/s390x/pv.h"
902636
 #include "hw/boards.h"
902636
 #include "sysemu/arch_init.h"
902636
 #include "sysemu/sysemu.h"
902636
diff --git a/target/s390x/cpu_features_def.inc.h b/target/s390x/cpu_features_def.inc.h
902636
index 31dff0d84e..60db28351d 100644
902636
--- a/target/s390x/cpu_features_def.inc.h
902636
+++ b/target/s390x/cpu_features_def.inc.h
902636
@@ -107,6 +107,7 @@ DEF_FEAT(DEFLATE_BASE, "deflate-base", STFL, 151, "Deflate-conversion facility (
902636
 DEF_FEAT(VECTOR_PACKED_DECIMAL_ENH, "vxpdeh", STFL, 152, "Vector-Packed-Decimal-Enhancement Facility")
902636
 DEF_FEAT(MSA_EXT_9, "msa9-base", STFL, 155, "Message-security-assist-extension-9 facility (excluding subfunctions)")
902636
 DEF_FEAT(ETOKEN, "etoken", STFL, 156, "Etoken facility")
902636
+DEF_FEAT(UNPACK, "unpack", STFL, 161, "Unpack facility")
902636
 
902636
 /* Features exposed via SCLP SCCB Byte 80 - 98  (bit numbers relative to byte-80) */
902636
 DEF_FEAT(SIE_GSLS, "gsls", SCLP_CONF_CHAR, 40, "SIE: Guest-storage-limit-suppression facility")
902636
diff --git a/target/s390x/diag.c b/target/s390x/diag.c
902636
index 8aba6341f9..b2cbefb8cf 100644
902636
--- a/target/s390x/diag.c
902636
+++ b/target/s390x/diag.c
902636
@@ -20,6 +20,8 @@
902636
 #include "sysemu/cpus.h"
902636
 #include "hw/s390x/ipl.h"
902636
 #include "hw/s390x/s390-virtio-ccw.h"
902636
+#include "hw/s390x/pv.h"
902636
+#include "kvm_s390x.h"
902636
 
902636
 int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
902636
 {
902636
@@ -52,6 +54,10 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
902636
 static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
902636
                               uintptr_t ra, bool write)
902636
 {
902636
+    /* Handled by the Ultravisor */
902636
+    if (s390_is_pv()) {
902636
+        return 0;
902636
+    }
902636
     if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) {
902636
         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
902636
         return -1;
902636
@@ -67,6 +73,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
902636
 
902636
 void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
902636
 {
902636
+    bool valid;
902636
     CPUState *cs = env_cpu(env);
902636
     uint64_t addr =  env->regs[r1];
902636
     uint64_t subcode = env->regs[r3];
902636
@@ -82,6 +89,11 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
902636
         return;
902636
     }
902636
 
902636
+    if (subcode >= DIAG308_PV_SET && !s390_has_feat(S390_FEAT_UNPACK)) {
902636
+        s390_program_interrupt(env, PGM_SPECIFICATION, ra);
902636
+        return;
902636
+    }
902636
+
902636
     switch (subcode) {
902636
     case DIAG308_RESET_MOD_CLR:
902636
         s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR);
902636
@@ -94,6 +106,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
902636
         s390_ipl_reset_request(cs, S390_RESET_REIPL);
902636
         break;
902636
     case DIAG308_SET:
902636
+    case DIAG308_PV_SET:
902636
         if (diag308_parm_check(env, r1, addr, ra, false)) {
902636
             return;
902636
         }
902636
@@ -106,7 +119,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
902636
 
902636
         cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
902636
 
902636
-        if (!iplb_valid(iplb)) {
902636
+        valid = subcode == DIAG308_PV_SET ? iplb_valid_pv(iplb) : iplb_valid(iplb);
902636
+        if (!valid) {
902636
             env->regs[r1 + 1] = DIAG_308_RC_INVALID;
902636
             goto out;
902636
         }
902636
@@ -117,10 +131,15 @@ out:
902636
         g_free(iplb);
902636
         return;
902636
     case DIAG308_STORE:
902636
+    case DIAG308_PV_STORE:
902636
         if (diag308_parm_check(env, r1, addr, ra, true)) {
902636
             return;
902636
         }
902636
-        iplb = s390_ipl_get_iplb();
902636
+        if (subcode == DIAG308_PV_STORE) {
902636
+            iplb = s390_ipl_get_iplb_pv();
902636
+        } else {
902636
+            iplb = s390_ipl_get_iplb();
902636
+        }
902636
         if (iplb) {
902636
             cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len));
902636
             env->regs[r1 + 1] = DIAG_308_RC_OK;
902636
@@ -128,6 +147,22 @@ out:
902636
             env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
902636
         }
902636
         return;
902636
+    case DIAG308_PV_START:
902636
+        iplb = s390_ipl_get_iplb_pv();
902636
+        if (!iplb) {
902636
+            env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF;
902636
+            return;
902636
+        }
902636
+
902636
+        if (kvm_s390_get_hpage_1m()) {
902636
+            error_report("Protected VMs can currently not be backed with "
902636
+                         "huge pages");
902636
+            env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
902636
+            return;
902636
+        }
902636
+
902636
+        s390_ipl_reset_request(cs, S390_RESET_PV);
902636
+        break;
902636
     default:
902636
         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
902636
         break;
902636
diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c
902636
index c4cd497f85..aa185017a2 100644
902636
--- a/target/s390x/kvm-stub.c
902636
+++ b/target/s390x/kvm-stub.c
902636
@@ -39,6 +39,11 @@ int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu)
902636
     return 0;
902636
 }
902636
 
902636
+int kvm_s390_get_hpage_1m(void)
902636
+{
902636
+    return 0;
902636
+}
902636
+
902636
 int kvm_s390_get_ri(void)
902636
 {
902636
     return 0;
902636
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
902636
index 75d82af6fc..9a0be13959 100644
902636
--- a/target/s390x/kvm.c
902636
+++ b/target/s390x/kvm.c
902636
@@ -321,6 +321,11 @@ void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp)
902636
     cap_hpage_1m = 1;
902636
 }
902636
 
902636
+int kvm_s390_get_hpage_1m(void)
902636
+{
902636
+    return cap_hpage_1m;
902636
+}
902636
+
902636
 static void ccw_machine_class_foreach(ObjectClass *oc, void *opaque)
902636
 {
902636
     MachineClass *mc = MACHINE_CLASS(oc);
902636
diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
902636
index 0b21789796..dea813f450 100644
902636
--- a/target/s390x/kvm_s390x.h
902636
+++ b/target/s390x/kvm_s390x.h
902636
@@ -23,6 +23,7 @@ void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code);
902636
 int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state);
902636
 void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu);
902636
 int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu);
902636
+int kvm_s390_get_hpage_1m(void);
902636
 int kvm_s390_get_ri(void);
902636
 int kvm_s390_get_gs(void);
902636
 int kvm_s390_get_clock(uint8_t *tod_high, uint64_t *tod_clock);
902636
-- 
902636
2.27.0
902636