ACK: [SRU][J][PATCH 0/3] KVM: Attestation support for Secure Execution (crypto) (LP: 1959973)

Bartlomiej Zolnierkiewicz bartlomiej.zolnierkiewicz at canonical.com
Tue Jun 21 17:00:03 UTC 2022


Acked-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz at canonical.com>

On Tue, Jun 21, 2022 at 12:37 PM <frank.heimes at canonical.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/1959973
>
> SRU Justification:
>
> [Impact]
>
>  * This is a hardware enablement SRU in support of
>    IBM z15 and LinuxONE III (FC 115) secure execution feature.
>
>  * It adds a misc character device to expose some Ultravisor
>    functions to userspace.
>
>  * The device is only available if the (optional) Ultravisor
>    Facility (158) is present in the system.
>
>  * Two Ultravisor calls are supported:
>    - Query Ultravisor Information (QUI) and
>    - Receive Attestation Measurement (Attest[ation])
>
>  * This is in support of, for example, external frameworks,
>    specific deployment models or especially
>    potentially regulatory requirements.
>
> [Fix]
>
>  * 4689752c79fa 4689752c79fa30e91b49b39a9fba93c4d1f3e20c "drivers/s390/char: Add Ultravisor io device"
>
>  * eb3de2d8f78d eb3de2d8f78d893303891d879f941c47f2f2d13d "s390/uv_uapi: depend on CONFIG_S390"
>
>  * patch to set kernel config option 'CONFIG_S390_UV_UAPI=y'
>
> [Test Plan]
>
>  * An IBM z15 or LinuxONE III LPAR with FC 115 enabled is required.
>
>  * Installation of Ubuntu Server 22.04 LTS on top.
>
>  * Install a kernel that includes the above patches/commits
>    (that has the kernel config option 'CONFIG_S390_UV_UAPI' enabled).
>
>  * Activate the kernel (reboot) and look for the existence of
>    the uvdevice '/dev/uv'.
>
>  * Use a userspace test program that makes use of the new
>    misc device by exploiting 'ATTEST'.
>
>  * Due to hardware requirements this test needs to be conducted by IBM.
>
> [Where problems could occur]
>
>  * The definitions in uv_cmds_inst and uv_feat_ind could be wrong
>    and the codes wrong or mixed up, which would lead to a broken
>    functionality/interface.
>
>  * The uvdevice header definitions could be erroneous,
>    defining a wrong interface.
>
>  * The newly added kernel options could be implemented in a wrong way,
>    so that it doesn't enable the 'uvdevice', but unlikely.
>
>  * The implementation of the device itself in 'uvdevice.c' could be broken
>    by wrong or broken pointer arithmetic, wrong method arguments,
>    wrong sizeof/length calculations, which - in worst case - could entirely
>    crash a system.
>
>  * The ioctl control block implementation could be wrong in a way,
>    that it doesn't properly handle the case where the facility is not
>    available in the system.
>
>  * Entry point, copy and check routines could be wrong,
>    allowing non-desired calls.
>
>  * This is an s390x-only functionality,
>    that is only available on IBM z15 / LinuxONE III systems and newer,
>    and only if the optional feature 'FC 115' is in place,
>    which is limited to 'secure-execution' workloads.
>
> [Other Info]
>
>  * The above commit is marked to be merged into 5.19-rc2,
>    and since the planned target kernel for kinetic is
>    5.19, the SRU is not needed for kinetic.
>
> Frank Heimes (1):
>   UBUNTU: [Config] CONFIG_S390_UV_UAPI=y for s390x
>
> Paolo Bonzini (1):
>   s390/uv_uapi: depend on CONFIG_S390
>
> Steffen Eiden (1):
>   drivers/s390/char: Add Ultravisor io device
>
>  MAINTAINERS                               |   2 +
>  arch/s390/include/asm/uv.h                |  23 +-
>  arch/s390/include/uapi/asm/uvdevice.h     |  51 +++++
>  debian.master/config/annotations          |   2 +
>  debian.master/config/config.common.ubuntu |   1 +
>  drivers/s390/char/Kconfig                 |  11 +
>  drivers/s390/char/Makefile                |   1 +
>  drivers/s390/char/uvdevice.c              | 257 ++++++++++++++++++++++
>  8 files changed, 347 insertions(+), 1 deletion(-)
>  create mode 100644 arch/s390/include/uapi/asm/uvdevice.h
>  create mode 100644 drivers/s390/char/uvdevice.c
>
> --
> 2.34.1
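
The preconditions from the quoted test plan, written as an added example that is not part of the thread or of the kernel patches: it checks that `/dev/uv` exists exactly when Ultravisor Facility 158 is present and `CONFIG_S390_UV_UAPI=y` is set. The s390 `/proc/cpuinfo` "facilities" line layout, the `/boot/config-$(uname -r)` path and the script name `uvcheck.sh` are assumptions.

```shell
#!/bin/sh
# Added example: consistency check for the test plan's preconditions.
# File paths are arguments so the checks can run against saved copies.

UV_FACILITY=158                   # Ultravisor Facility number (from the cover letter)
UV_CONFIG=CONFIG_S390_UV_UAPI     # option the SRU sets to =y

# has_facility CPUINFO BIT: true if BIT is listed on the "facilities" line.
# Assumes the s390 /proc/cpuinfo layout "facilities : 0 1 2 ...".
has_facility() {
    awk -v bit="$2" '
        /^facilities[ \t]*:/ {
            sub(/^[^:]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == bit) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# config_builtin CONFIG_FILE OPTION: true only for an exact "OPTION=y" line.
config_builtin() {
    grep -q "^$2=y\$" "$1"
}

# uv_check CPUINFO CONFIG_FILE DEVICE
# Prints expectation and observation; returns 0 when they agree.
uv_check() {
    expected=absent
    if has_facility "$1" "$UV_FACILITY" && config_builtin "$2" "$UV_CONFIG"; then
        expected=present
    fi
    actual=absent
    [ -c "$3" ] && actual=present
    echo "expected=$expected actual=$actual device=$3"
    [ "$expected" = "$actual" ]
}

# Run against the live system only when asked to: sh uvcheck.sh run
# (hypothetical script name; config path is an assumption).
if [ "${1:-}" = "run" ]; then
    uv_check /proc/cpuinfo "/boot/config-$(uname -r)" /dev/uv
fi
```

A non-zero exit covers both failure directions: the device missing on a system that should have it, and the device present where the facility is not reported.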


