[SRU][F][H][PATCH 0/1] zcrypt DD: Toleration for new IBM Z Crypto Hardware (LP: 1954680)

Frank Heimes frank.heimes at canonical.com
Wed Dec 15 13:52:41 UTC 2021


Hi Kleber,
no, it's the correct LP bug #.
But it came in as private - I just made it public (sorry).
You should be able to open that URL now ...

Bye, Frank

On Wed, Dec 15, 2021 at 2:50 PM Kleber Souza <kleber.souza at canonical.com>
wrote:

> Hi Frank,
>
> On 14.12.21 12:34, frank.heimes at canonical.com wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1954680
>
> The above BugLink is invalid? Could you please point us to the
> correct LP bug report?
>
>
> Thanks,
>
> Kleber
>
>
> > SRU Justification:
> >
> > [Impact]
> >
> >   * CEX8 hardware CryptoExpress adapter shall support quantum-safe crypto
> >     and therefore require nowadays message sizes > 12kB.
> >
> >   * This change here is mainly required to support EP11 responses to
> admin requests at zNext
> >     which due to QS certificates can grow larger than 12kB.
> >
> >   * It's to cover a minimal patch to provide toleration support for this
> feature
> >     which shall be back-ported to all distribution releases in service
> at zNext
> >
> >   * This SRU requests belongs to the hardware enablement case.
> >
> > [Fix]
> >
> >   * bd39654a2282 bd39654a2282c1a51c044575a6bc00d641d5dfd1 "s390/AP:
> support new dynamic AP bus size limit"
> >
> > [Test Plan]
> >
> >   * An Ubuntu 20.04 (respectively 21.04) LPAR or z/VM guest is needed
> >     that has access to at least one online crypto domain.
> >
> >   * Ideally using a CEX8 adapter (but can be too early to get one).
> >
> >   * Then get the patched kernel installed (see PPA below).
> >
> >   * And look for the /sys/devices/ap/cardxx/max_msg_size sysfs
> attributes.
> >
> >   * On top IBM has some more in-depth zcrypt tests (see also LP#1933805).
> >
> > [Where problems could occur]
> >
> >   * First of all the modification are limited to:
> >     the zcrypt driver ("/drivers/s390/crypto/ap_*.*" and
> >     "/drivers/s390/crypto/zcrypt_*.*")
> >     hence are s390x platform specific and crypto specific and
> >     should even affect CEX8 cards only.
> >     So in case anything fails, it's limited to s390x cryptography,
> >     which usually allows sw fall-backs.
> >
> >   * The function signature of ap_queue_info and ap_test_queue got
> modified,
> >     which may lead to issues if called with the old signatures,
> >     but that would be identified by the test compile already.
> >
> >   * Some minor new structures like 'info', 'ml' got introduced,
> >     but are properly declared and initialized.
> >
> >   * The way ap_queue_info and ap_card_create get filled and used was
> changed,
> >     therefore in some code areas slightly different data might be
> expected,
> >     if not properly adapted to the new way.
> >     But a verification test will prove this.
> >
> >   * The actual msg length is now handled based on bufsize rather than len
> >     and with that zq is calculated in a different way (using
> zcrypt_queue_alloc)
> >     which may cause some side effects if not properly (alloc)
> >     or not thoroughly done.
> >
> >   * in _zcrypt_send_cprb and _zcrypt_send_ep11_cprb some additional
> calculations
> >     and checks (if-stmts) were introduced, but they look sane.
> >
> >   * New code to identify older cards got added, since message sizes >
> 12kB
> >     are supported by CEX8 and higher only.
> >     The dispatcher responsible for choosing the right card and queue is
> aware
> >     of the individual card AP bus message limit.
> >     But already at the user space tools it should be ensured that the
> right
> >     card is used.
> >
> >   * Nevertheless, the patch is not small, hence s390x hardware crypto
> >     zcrypt driver needs to be properly re-tested.
> >
> > [Other Info]
> >
> >   * The above commit/patch is upstream accepted with 5.14.
> >
> >   * Impish's Kernel 5.13 was already patched, based on LP#1933805.
> >
> >   * With that the patched zcrypt driver is already tested to some extend
> >     based on Impish (since with these cherry-picks the zcrypt driver is
> largely
> >     the same now).
> >
> >   * Hence the SRU is only needed for Focal
> >     and Hirsute (just to avoid regressions on upgrades).
> >
> > Harald Freudenberger (1):
> >    s390/AP: support new dynamic AP bus size limit
> >
> >   drivers/s390/crypto/ap_bus.c           | 50 +++++++++++++++++-------
> >   drivers/s390/crypto/ap_bus.h           | 11 ++++--
> >   drivers/s390/crypto/ap_card.c          | 16 +++++++-
> >   drivers/s390/crypto/ap_queue.c         |  2 +-
> >   drivers/s390/crypto/zcrypt_api.c       |  6 +++
> >   drivers/s390/crypto/zcrypt_cex4.c      |  9 ++---
> >   drivers/s390/crypto/zcrypt_msgtype50.c | 26 ++++++-------
> >   drivers/s390/crypto/zcrypt_msgtype6.c  | 54 ++++++++++++++------------
> >   drivers/s390/crypto/zcrypt_msgtype6.h  |  2 -
> >   drivers/s390/crypto/zcrypt_queue.c     |  6 +--
> >   10 files changed, 116 insertions(+), 66 deletions(-)
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20211215/cf95ccc3/attachment-0001.html>


More information about the kernel-team mailing list