ACK/Cmnt: [SRU][J][PULL] KVM: Secure Execution guest dump encryption with customer keys
Stefan Bader
stefan.bader at canonical.com
Fri Sep 6 09:20:51 UTC 2024
On 30.08.24 11:34, frank.heimes at canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/1959940
>
> [ Impact ]
>
> * Hypervisor-initiated dumps for Secure Execution
> (aka confidential computing) guests are not helpful,
> because memory and CPU state is encrypted by a
> transient key only available to the Ultravisor (uv).
>
> * Workload owners can still configure kdump in order to obtain kernel
> crash information, but there are situations where kdump doesn't work.
>
> * In such situations problem determination is severely impeded.
>
> * This patch set solves this by implementing dumps created in a way
> that can only be decrypted by the owner of the guest image
> and be used for problem determination.
>
> [ Test Plan ]
>
> * The setup of a Secure Execution environment is not trivial
> and requires a certain set of hardware (IBM z15 or higher
> with FC 115).
>
> * On top of the modifications of qemu that are handled in this
> LP bug, modifications of the kernel (LP#1959940) and
> the s390-tools (LP#1959965) are required.
>
> * So at least a modified kernel and qemu test builds are needed
> or both should be in -proposed at the same time (which might
> be difficult).
> A modified s390-tools is not urgently needed, since for the
> verification of the kernel and qemu part a newer version
> can be used (but a modified s390-tools is also available in a PPA).
>
> * A detailed description (using Ubuntu as example) on how to setup
> secure execution is available here:
> Introducing IBM Secure Execution for Linux, April 2024 update
> https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf
>
> * And information on 'Working with dumps of KVM guests in
> IBM Secure Execution mode' is available here:
> https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples
>
> [ Where problems could occur ]
>
> * Ultravisor (uv) return codes are introduced, which is
> generally appreciated. Just the right return codes need to be set
> (and reacted upon).
>
> * Protected virtual machine dumps are newly introduced on top of
> dump of 'normal' KVM VMs.
> Since code is shared, it could have an unforeseen impact.
>
> * The doc renaming could lead to confusion,
> if people rely on old doc structure.
>
> * The new capability case (217) could cause issues,
> for example in case of issues during initialization.
>
> * CPU dump functionality was added (mainly as new s390x specific code
> under s390/kvm), but CPU dump is only one part;
> if it is not working correctly, it may lead to partially useless dump data.
>
> * Configuration dump functionality was also added
> (again mainly as new s390x specific code under s390/kvm),
> similar to CPU dump.
> And moving from dumping inside of a VM to dumping from outside
> (due to potential failures if done inside), might lead to a more
> complex flow (now involving the uv), hence could be more error prone.
>
> * Adding query dump information requires user space buffers.
> Here it's crucial that the buffer size is big enough.
>
> * The newly added constants and structure definitions that are
> needed for dump support could become problematic in case wrong
> data types were used (applies to all header modifications).
>
> * IOCTL for PV information retrieval got introduced
> (kvm_s390_handle_pv_info, kvm_s390_handle_pv).
> There are potential side effects (see man ioctl),
> hence all potential failure cases should be covered.
>
> * The new dump feature requires knowing how much memory is needed, but if
> the call for this is incorrect, it could break the dump process.
>
> * uv_cb_header struct changed to offset representation,
> but using wrong offsets will lead to a wrong struct,
> dump issues and potential crashes.
>
> [ Other Info ]
>
> * Since 22.04 is a popular LTS release, it is already in use by many
> secure execution customers.
> But in case of severe crashes or issues in the secure execution
> (KVM) guests dumps cannot be used as of today.
>
> * This enables customers, IBM and Canonical to get support in case of
> crashes/dumps on hardware that runs secure execution environments.
>
> The following changes since commit 26e0f85b437d70d39acea1321f64dffe6608319d:
>
> UBUNTU: Upstream stable to v5.15.162 (2024-07-26 11:56:43 +0200)
>
> are available in the Git repository at:
>
> https://git.launchpad.net/~fheimes/+git/lp1959940j/ 0d574dbec328ae55aea03cf010e4998b02dda47f
>
> for you to fetch changes up to 0d574dbec328ae55aea03cf010e4998b02dda47f:
>
> Documentation/virt/kvm/api.rst: Explain rc/rrc delivery (2024-08-29 08:35:21 +0200)
>
> ----------------------------------------------------------------
> Janosch Frank (12):
> s390: uv: Add offset comments to UV query struct and fix naming
> s390/uv: Add SE hdr query information
> s390/uv: Add dump fields to query
> KVM: s390: pv: Add query interface
> KVM: s390: pv: Add dump support definitions
> KVM: s390: pv: Add query dump information
> KVM: s390: Add configuration dump functionality
> KVM: s390: Add CPU dump functionality
> KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP
> Documentation: virt: Protected virtual machine dumps
> Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions
> Documentation/virt/kvm/api.rst: Explain rc/rrc delivery
>
> Paolo Bonzini (1):
> Documentation: KVM: add separate directories for architecture-specific documentation
>
> Documentation/virt/kvm/api.rst | 161 +++++++++++-
> Documentation/virt/kvm/index.rst | 26 +-
> Documentation/virt/kvm/s390/index.rst | 13 +
> Documentation/virt/kvm/{ => s390}/s390-diag.rst | 0
> Documentation/virt/kvm/{ => s390}/s390-pv-boot.rst | 0
> Documentation/virt/kvm/s390/s390-pv-dump.rst | 64 +++++
> Documentation/virt/kvm/{ => s390}/s390-pv.rst | 0
> .../virt/kvm/{ => x86}/amd-memory-encryption.rst | 0
> Documentation/virt/kvm/{ => x86}/cpuid.rst | 0
> Documentation/virt/kvm/{ => x86}/halt-polling.rst | 0
> Documentation/virt/kvm/{ => x86}/hypercalls.rst | 0
> Documentation/virt/kvm/x86/index.rst | 18 ++
> Documentation/virt/kvm/{ => x86}/mmu.rst | 0
> Documentation/virt/kvm/{ => x86}/msr.rst | 0
> Documentation/virt/kvm/{ => x86}/nested-vmx.rst | 0
> .../virt/kvm/{ => x86}/running-nested-guests.rst | 0
> Documentation/virt/kvm/{ => x86}/timekeeping.rst | 0
> arch/s390/boot/uv.c | 4 +
> arch/s390/include/asm/kvm_host.h | 1 +
> arch/s390/include/asm/uv.h | 77 ++++--
> arch/s390/kernel/uv.c | 53 ++++
> arch/s390/kvm/kvm-s390.c | 269 +++++++++++++++++++++
> arch/s390/kvm/kvm-s390.h | 5 +
> arch/s390/kvm/pv.c | 198 +++++++++++++++
> include/uapi/linux/kvm.h | 55 +++++
> 25 files changed, 906 insertions(+), 38 deletions(-)
> create mode 100644 Documentation/virt/kvm/s390/index.rst
> rename Documentation/virt/kvm/{ => s390}/s390-diag.rst (100%)
> rename Documentation/virt/kvm/{ => s390}/s390-pv-boot.rst (100%)
> create mode 100644 Documentation/virt/kvm/s390/s390-pv-dump.rst
> rename Documentation/virt/kvm/{ => s390}/s390-pv.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/amd-memory-encryption.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/cpuid.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/halt-polling.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/hypercalls.rst (100%)
> create mode 100644 Documentation/virt/kvm/x86/index.rst
> rename Documentation/virt/kvm/{ => x86}/mmu.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/msr.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/nested-vmx.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/running-nested-guests.rst (100%)
> rename Documentation/virt/kvm/{ => x86}/timekeeping.rst (100%)
>
Changes affect only architectural code for which a detailed test plan
exists.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
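
The pull request above twice flags the size-query step as the fragile part of the new dump flow: user space must ask the kernel how large the CPU, storage-state and finalize buffers have to be, and a wrong answer or a wrongly checked answer breaks the dump. The following is an added example, written for this page and not code from the series, the kernel, QEMU or s390-tools. It shows the user-space side of that contract: announce the buffer size in len_max, refuse a reply whose len_written is truncated or larger than what was offered, and size the storage-state buffer per 1 MiB block with overflow checking. The struct layouts, the PV_INFO_DUMP_ID value, and the "buffer bytes per 1 MiB of guest memory" interpretation are this example's own mirror of what I read in include/uapi/linux/kvm.h and Documentation/virt/kvm/s390/s390-pv-dump.rst for this series; they are assumptions to be checked against the headers you actually build against. The reply values are constructed, not taken from hardware, and the KVM_S390_PV_COMMAND ioctl itself is not issued because it needs a protected guest on s390x.

```c
/*
 * Added example: validating a KVM_PV_INFO (dump) reply and sizing the
 * dump buffers. Not code from the pull request, the kernel or QEMU.
 *
 * ASSUMPTION: pv_info_header / pv_info_dump mirror
 * struct kvm_s390_pv_info_header / struct kvm_s390_pv_info_dump as read
 * in include/uapi/linux/kvm.h, and PV_INFO_DUMP_ID mirrors KVM_PV_INFO_DUMP.
 * Verify both against the header of the kernel you build against.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct pv_info_header {
	uint32_t id;          /* which record is requested (assumed: 1 = dump) */
	uint32_t len_max;     /* caller: total bytes offered, header included */
	uint32_t len_written; /* kernel: total bytes filled in, header included */
	uint32_t reserved;
};

struct pv_info_dump {
	uint64_t dump_cpu_buffer_len;            /* buffer for one CPU dump */
	uint64_t dump_config_mem_buffer_per_1m;  /* storage-state bytes per 1 MiB */
	uint64_t dump_config_finalize_len;       /* buffer for the completion step */
};

struct pv_info {
	struct pv_info_header header;
	struct pv_info_dump dump;
};

#define PV_INFO_DUMP_ID 1u               /* assumed value of KVM_PV_INFO_DUMP */
#define MIB (1024ull * 1024ull)

/* Step 1: the caller must advertise how much room it really has. */
static void pv_info_prepare(struct pv_info *info)
{
	memset(info, 0, sizeof(*info));
	info->header.id = PV_INFO_DUMP_ID;
	info->header.len_max = (uint32_t)sizeof(*info);
}

/* Step 2: only read dump fields the kernel actually wrote. Returns 1 if the
 * reply covers the whole dump record and stays within the offered buffer. */
static int pv_info_dump_usable(const struct pv_info *info)
{
	const uint32_t need = (uint32_t)(sizeof(info->header) + sizeof(info->dump));

	if (info->header.id != PV_INFO_DUMP_ID)
		return 0;
	if (info->header.len_written > info->header.len_max)   /* kernel claims more than offered */
		return 0;
	if (info->header.len_written < need)                   /* truncated: dump fields are garbage */
		return 0;
	return 1;
}

/* Step 3: storage-state buffer for mem_len bytes of guest memory, rounded up
 * to whole 1 MiB blocks. Returns 0 for an empty range or on overflow, so a
 * caller that allocates 0 bytes fails loudly instead of dumping into a short buffer. */
static uint64_t pv_dump_mem_state_len(const struct pv_info_dump *d, uint64_t mem_len)
{
	uint64_t blocks = mem_len / MIB + (mem_len % MIB != 0);
	uint64_t per_block = d->dump_config_mem_buffer_per_1m;

	if (blocks == 0 || per_block == 0)
		return 0;
	if (blocks > UINT64_MAX / per_block)
		return 0;
	return blocks * per_block;
}

/* Constructed reply (not from real hardware) with a chosen len_written, so the
 * truncation and over-claim cases can be exercised without the ioctl. */
static struct pv_info sample_reply(uint32_t len_written)
{
	struct pv_info info;

	pv_info_prepare(&info);
	info.header.len_written = len_written;
	info.dump.dump_cpu_buffer_len = 4096;
	info.dump.dump_config_mem_buffer_per_1m = 128;
	info.dump.dump_config_finalize_len = 8192;
	return info;
}

static int sample_reply_usable(uint32_t len_written)
{
	struct pv_info r = sample_reply(len_written);
	return pv_info_dump_usable(&r);
}

static uint64_t sample_mem_state_len(uint64_t mem_len)
{
	struct pv_info r = sample_reply((uint32_t)sizeof(struct pv_info));
	return pv_dump_mem_state_len(&r.dump, mem_len);
}

int main(void)
{
	uint64_t guest_mem = 2048ull * MIB;   /* constructed: a 2 GiB guest */
	struct pv_info r = sample_reply((uint32_t)sizeof(struct pv_info));

	if (!pv_info_dump_usable(&r)) {
		fprintf(stderr, "KVM_PV_INFO reply is truncated or inconsistent\n");
		return 1;
	}
	printf("cpu dump buffer:      %llu bytes\n", (unsigned long long)r.dump.dump_cpu_buffer_len);
	printf("storage state buffer: %llu bytes for %llu MiB\n",
	       (unsigned long long)pv_dump_mem_state_len(&r.dump, guest_mem),
	       (unsigned long long)(guest_mem / MIB));
	printf("finalize buffer:      %llu bytes\n", (unsigned long long)r.dump.dump_config_finalize_len);
	return 0;
}
```

In a real tool the reply comes from ioctl(vm_fd, KVM_S390_PV_COMMAND, &cmd) with cmd.cmd = KVM_PV_INFO and cmd.data pointing at the struct; the checks above belong between that call and any use of the dump fields, and the rc/rrc pair the series documents should be logged on failure.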