KVM: s390: protvirt: Add initial vm and cpu lifecycle handling

	__u8	reserved08[4];		/* 0x0008 */

#define PROG_IN_SIE (1<<0)

	__u32	prog0c;			/* 0x000c */

	union {

		__u8	reserved10[16];		/* 0x0010 */

		struct {

			__u64	pv_handle_cpu;

			__u64	pv_handle_config;

		};

	};

#define PROG_BLOCK_SIE	(1<<0)

#define PROG_REQUEST	(1<<1)

	atomic_t prog20;		/* 0x0020 */

#define ECB3_RI  0x01

	__u8    ecb3;			/* 0x0063 */

	__u32	scaol;			/* 0x0064 */

	__u8	reserved68;		/* 0x0068 */

	__u8	sdf;			/* 0x0068 */

	__u8    epdx;			/* 0x0069 */

	__u8    reserved6a[2];		/* 0x006a */

	__u32	todpr;			/* 0x006c */

	unsigned long last_bp;

};

struct kvm_s390_pv_vcpu {

	u64 handle;

	unsigned long stor_base;

};

struct kvm_vcpu_arch {

	struct kvm_s390_sie_block *sie_block;

	/* if vsie is active, currently executed shadow sie control block */

	__u64 cputm_start;

	bool gs_enabled;

	bool skey_enabled;

	struct kvm_s390_pv_vcpu pv;

};

struct kvm_vm_stat {

	DECLARE_BITMAP(kicked_mask, KVM_MAX_VCPUS);

};

struct kvm_s390_pv {

	u64 handle;

	u64 guest_len;

	unsigned long stor_base;

	void *stor_var;

};

struct kvm_arch{

	void *sca;

	int use_esca;

	DECLARE_BITMAP(cpu_feat, KVM_S390_VM_CPU_FEAT_NR_BITS);

	DECLARE_BITMAP(idle_mask, KVM_MAX_VCPUS);

	struct kvm_s390_gisa_interrupt gisa_int;

	struct kvm_s390_pv pv;

};

#define KVM_HVA_ERR_BAD		(-1UL)

#define UVC_RC_INV_STATE	0x0003

#define UVC_RC_INV_LEN		0x0005

#define UVC_RC_NO_RESUME	0x0007

#define UVC_RC_NEED_DESTROY	0x8000

#define UVC_CMD_QUI			0x0001

#define UVC_CMD_INIT_UV			0x000f

#define UVC_CMD_CREATE_SEC_CONF		0x0100

#define UVC_CMD_DESTROY_SEC_CONF	0x0101

#define UVC_CMD_CREATE_SEC_CPU		0x0120

#define UVC_CMD_DESTROY_SEC_CPU		0x0121

#define UVC_CMD_CONV_TO_SEC_STOR	0x0200

#define UVC_CMD_CONV_FROM_SEC_STOR	0x0201

#define UVC_CMD_SET_SEC_CONF_PARAMS	0x0300

#define UVC_CMD_UNPACK_IMG		0x0301

#define UVC_CMD_VERIFY_IMG		0x0302

#define UVC_CMD_PIN_PAGE_SHARED		0x0341

#define UVC_CMD_UNPIN_PAGE_SHARED	0x0342

#define UVC_CMD_SET_SHARED_ACCESS	0x1000

enum uv_cmds_inst {

	BIT_UVC_CMD_QUI = 0,

	BIT_UVC_CMD_INIT_UV = 1,

	BIT_UVC_CMD_CREATE_SEC_CONF = 2,

	BIT_UVC_CMD_DESTROY_SEC_CONF = 3,

	BIT_UVC_CMD_CREATE_SEC_CPU = 4,

	BIT_UVC_CMD_DESTROY_SEC_CPU = 5,

	BIT_UVC_CMD_CONV_TO_SEC_STOR = 6,

	BIT_UVC_CMD_CONV_FROM_SEC_STOR = 7,

	BIT_UVC_CMD_SET_SHARED_ACCESS = 8,

	BIT_UVC_CMD_REMOVE_SHARED_ACCESS = 9,

	BIT_UVC_CMD_SET_SEC_PARMS = 11,

	BIT_UVC_CMD_UNPACK_IMG = 13,

	BIT_UVC_CMD_VERIFY_IMG = 14,

	BIT_UVC_CMD_PIN_PAGE_SHARED = 21,

	BIT_UVC_CMD_UNPIN_PAGE_SHARED = 22,

};

	u16 rrc;	/* Return Reason Code */

} __packed __aligned(8);

/* Query Ultravisor Information */

struct uv_cb_qui {

	struct uv_cb_header header;

	u64 reserved08;

	u8  reserveda0[200 - 160];

} __packed __aligned(8);

/* Initialize Ultravisor */

struct uv_cb_init {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 reserved28[4];

} __packed __aligned(8);

/* Create Guest Configuration */

struct uv_cb_cgc {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 guest_handle;

	u64 conf_base_stor_origin;

	u64 conf_virt_stor_origin;

	u64 reserved30;

	u64 guest_stor_origin;

	u64 guest_stor_len;

	u64 guest_sca;

	u64 guest_asce;

	u64 reserved58[5];

} __packed __aligned(8);

/* Create Secure CPU */

struct uv_cb_csc {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 cpu_handle;

	u64 guest_handle;

	u64 stor_origin;

	u8  reserved30[6];

	u16 num;

	u64 state_origin;

	u64 reserved40[4];

} __packed __aligned(8);

/* Convert to Secure */

struct uv_cb_cts {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 gaddr;

} __packed __aligned(8);

/* Convert from Secure / Pin Page Shared */

struct uv_cb_cfs {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 paddr;

} __packed __aligned(8);

/* Set Secure Config Parameter */

struct uv_cb_ssc {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 guest_handle;

	u64 sec_header_origin;

	u32 sec_header_len;

	u32 reserved2c;

	u64 reserved30[4];

} __packed __aligned(8);

/* Unpack */

struct uv_cb_unp {

	struct uv_cb_header header;

	u64 reserved08[2];

	u64 guest_handle;

	u64 gaddr;

	u64 tweak[2];

	u64 reserved38[3];

} __packed __aligned(8);

/*

 * A common UV call struct for calls that take no payload

 * Examples:

	u64 reserved20[4];

} __packed __aligned(8);

/* Set Shared Access */

struct uv_cb_share {

	struct uv_cb_header header;

	u64 reserved08[3];

ccflags-y := -Ivirt/kvm -Iarch/s390/kvm

kvm-objs := $(common-objs) kvm-s390.o intercept.o interrupt.o priv.o sigp.o

kvm-objs += diag.o gaccess.o guestdbg.o vsie.o

kvm-objs += diag.o gaccess.o guestdbg.o vsie.o pv.o

obj-$(CONFIG_KVM) += kvm.o

#include <asm/cpacf.h>

#include <asm/timex.h>

#include <asm/ap.h>

#include <asm/uv.h>

#include "kvm-s390.h"

#include "gaccess.h"

	return 0;

}

/* forward declarations */

static void kvm_gmap_notifier(struct gmap *gmap, unsigned long start,

			      unsigned long end);

static int sca_switch_to_extended(struct kvm *kvm);

static void kvm_clock_sync_scb(struct kvm_s390_sie_block *scb, u64 delta)

{

	return r;

}

static int kvm_s390_cpus_from_pv(struct kvm *kvm, u16 *rcp, u16 *rrcp)

{

	struct kvm_vcpu *vcpu;

	u16 rc, rrc;

	int ret = 0;

	int i;

	/*

	 * We ignore failures and try to destroy as many CPUs as possible.

	 * At the same time we must not free the assigned resources when

	 * this fails, as the ultravisor has still access to that memory.

	 * So kvm_s390_pv_destroy_cpu can leave a "wanted" memory leak

	 * behind.

	 * We want to return the first failure rc and rrc, though.

	 */

	kvm_for_each_vcpu(i, vcpu, kvm) {

		mutex_lock(&vcpu->mutex);

		if (kvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc) && !ret) {

			*rcp = rc;

			*rrcp = rrc;

			ret = -EIO;

		}

		mutex_unlock(&vcpu->mutex);

	}

	return ret;

}

static int kvm_s390_cpus_to_pv(struct kvm *kvm, u16 *rc, u16 *rrc)

{

	int i, r = 0;

	u16 dummy;

	struct kvm_vcpu *vcpu;

	kvm_for_each_vcpu(i, vcpu, kvm) {

		mutex_lock(&vcpu->mutex);

		r = kvm_s390_pv_create_cpu(vcpu, rc, rrc);

		mutex_unlock(&vcpu->mutex);

		if (r)

			break;

	}

	if (r)

		kvm_s390_cpus_from_pv(kvm, &dummy, &dummy);

	return r;

}

static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd)

{

	int r = 0;

	u16 dummy;

	void __user *argp = (void __user *)cmd->data;

	switch (cmd->cmd) {

	case KVM_PV_ENABLE: {

		r = -EINVAL;

		if (kvm_s390_pv_is_protected(kvm))

			break;

		/*

		 *  FMT 4 SIE needs esca. As we never switch back to bsca from

		 *  esca, we need no cleanup in the error cases below

		 */

		r = sca_switch_to_extended(kvm);

		if (r)

			break;

		r = kvm_s390_pv_init_vm(kvm, &cmd->rc, &cmd->rrc);

		if (r)

			break;

		r = kvm_s390_cpus_to_pv(kvm, &cmd->rc, &cmd->rrc);

		if (r)

			kvm_s390_pv_deinit_vm(kvm, &dummy, &dummy);

		break;

	}

	case KVM_PV_DISABLE: {

		r = -EINVAL;

		if (!kvm_s390_pv_is_protected(kvm))

			break;

		r = kvm_s390_cpus_from_pv(kvm, &cmd->rc, &cmd->rrc);

		/*

		 * If a CPU could not be destroyed, destroy VM will also fail.

		 * There is no point in trying to destroy it. Instead return

		 * the rc and rrc from the first CPU that failed destroying.

		 */

		if (r)

			break;

		r = kvm_s390_pv_deinit_vm(kvm, &cmd->rc, &cmd->rrc);

		break;

	}

	case KVM_PV_SET_SEC_PARMS: {

		struct kvm_s390_pv_sec_parm parms = {};

		void *hdr;

		r = -EINVAL;

		if (!kvm_s390_pv_is_protected(kvm))

			break;

		r = -EFAULT;

		if (copy_from_user(&parms, argp, sizeof(parms)))

			break;

		/* Currently restricted to 8KB */

		r = -EINVAL;

		if (parms.length > PAGE_SIZE * 2)

			break;

		r = -ENOMEM;

		hdr = vmalloc(parms.length);

		if (!hdr)

			break;

		r = -EFAULT;

		if (!copy_from_user(hdr, (void __user *)parms.origin,

				    parms.length))

			r = kvm_s390_pv_set_sec_parms(kvm, hdr, parms.length,

						      &cmd->rc, &cmd->rrc);

		vfree(hdr);

		break;

	}

	case KVM_PV_UNPACK: {

		struct kvm_s390_pv_unp unp = {};

		r = -EINVAL;

		if (!kvm_s390_pv_is_protected(kvm))

			break;

		r = -EFAULT;

		if (copy_from_user(&unp, argp, sizeof(unp)))

			break;

		r = kvm_s390_pv_unpack(kvm, unp.addr, unp.size, unp.tweak,

				       &cmd->rc, &cmd->rrc);

		break;

	}

	case KVM_PV_VERIFY: {

		r = -EINVAL;

		if (!kvm_s390_pv_is_protected(kvm))

			break;

		r = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),

				  UVC_CMD_VERIFY_IMG, &cmd->rc, &cmd->rrc);

		KVM_UV_EVENT(kvm, 3, "PROTVIRT VERIFY: rc %x rrc %x", cmd->rc,

			     cmd->rrc);

		break;

	}

	default:

		r = -ENOTTY;

	}

	return r;

}

long kvm_arch_vm_ioctl(struct file *filp,

		       unsigned int ioctl, unsigned long arg)

{

		mutex_unlock(&kvm->slots_lock);

		break;

	}

	case KVM_S390_PV_COMMAND: {

		struct kvm_pv_cmd args;

		r = 0;

		if (!is_prot_virt_host()) {

			r = -EINVAL;

			break;

		}

		if (copy_from_user(&args, argp, sizeof(args))) {

			r = -EFAULT;

			break;

		}

		if (args.flags) {

			r = -EINVAL;

			break;

		}

		mutex_lock(&kvm->lock);

		r = kvm_s390_handle_pv(kvm, &args);

		mutex_unlock(&kvm->lock);

		if (copy_to_user(argp, &args, sizeof(args))) {

			r = -EFAULT;

			break;

		}

		break;

	}

	default:

		r = -ENOTTY;

	}

void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)

{

	u16 rc, rrc;

	VCPU_EVENT(vcpu, 3, "%s", "free cpu");

	trace_kvm_s390_destroy_vcpu(vcpu->vcpu_id);

	kvm_s390_clear_local_irqs(vcpu);

	if (vcpu->kvm->arch.use_cmma)

		kvm_s390_vcpu_unsetup_cmma(vcpu);

	/* We can not hold the vcpu mutex here, we are already dying */

	if (kvm_s390_pv_cpu_get_handle(vcpu))

		kvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc);

	free_page((unsigned long)(vcpu->arch.sie_block));

}

void kvm_arch_destroy_vm(struct kvm *kvm)

{

	u16 rc, rrc;

	kvm_free_vcpus(kvm);

	sca_dispose(kvm);

	debug_unregister(kvm->arch.dbf);

	kvm_s390_gisa_destroy(kvm);

	/*

	 * We are already at the end of life and kvm->lock is not taken.

	 * This is ok as the file descriptor is closed by now and nobody

	 * can mess with the pv state. To avoid lockdep_assert_held from

	 * complaining we do not use kvm_s390_pv_is_protected.

	 */

	if (kvm_s390_pv_get_handle(kvm))

		kvm_s390_pv_deinit_vm(kvm, &rc, &rrc);

	debug_unregister(kvm->arch.dbf);

	free_page((unsigned long)kvm->arch.sie_page2);

	if (!kvm_is_ucontrol(kvm))

		gmap_remove(kvm->arch.gmap);

	unsigned int vcpu_idx;

	u32 scaol, scaoh;

	if (kvm->arch.use_esca)

		return 0;

	new_sca = alloc_pages_exact(sizeof(*new_sca), GFP_KERNEL|__GFP_ZERO);

	if (!new_sca)

		return -ENOMEM;

static int kvm_s390_vcpu_setup(struct kvm_vcpu *vcpu)

{

	int rc = 0;

	u16 uvrc, uvrrc;

	atomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH |

						    CPUSTAT_SM |

	kvm_s390_vcpu_crypto_setup(vcpu);

	mutex_lock(&vcpu->kvm->lock);

	if (kvm_s390_pv_is_protected(vcpu->kvm)) {

		rc = kvm_s390_pv_create_cpu(vcpu, &uvrc, &uvrrc);

		if (rc)

			kvm_s390_vcpu_unsetup_cmma(vcpu);

	}

	mutex_unlock(&vcpu->kvm->lock);

	return rc;

}

	if (mem->guest_phys_addr + mem->memory_size > kvm->arch.mem_limit)

		return -EINVAL;

	/* When we are protected, we should not change the memory slots */

	if (kvm_s390_pv_get_handle(kvm))

		return -EINVAL;

	return 0;

}

#include <linux/hrtimer.h>

#include <linux/kvm.h>

#include <linux/kvm_host.h>

#include <linux/lockdep.h>

#include <asm/facility.h>

#include <asm/processor.h>

#include <asm/sclp.h>

	return kvm->arch.user_cpu_state_ctrl != 0;

}

/* implemented in pv.c */

int kvm_s390_pv_destroy_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc);

int kvm_s390_pv_create_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc);

int kvm_s390_pv_deinit_vm(struct kvm *kvm, u16 *rc, u16 *rrc);

int kvm_s390_pv_init_vm(struct kvm *kvm, u16 *rc, u16 *rrc);

int kvm_s390_pv_set_sec_parms(struct kvm *kvm, void *hdr, u64 length, u16 *rc,

			      u16 *rrc);

int kvm_s390_pv_unpack(struct kvm *kvm, unsigned long addr, unsigned long size,

		       unsigned long tweak, u16 *rc, u16 *rrc);

static inline u64 kvm_s390_pv_get_handle(struct kvm *kvm)

{

	return kvm->arch.pv.handle;

}

static inline u64 kvm_s390_pv_cpu_get_handle(struct kvm_vcpu *vcpu)

{

	return vcpu->arch.pv.handle;

}

static inline bool kvm_s390_pv_is_protected(struct kvm *kvm)

{

	lockdep_assert_held(&kvm->lock);

	return !!kvm_s390_pv_get_handle(kvm);

}

static inline bool kvm_s390_pv_cpu_is_protected(struct kvm_vcpu *vcpu)

{

	lockdep_assert_held(&vcpu->mutex);

	return !!kvm_s390_pv_cpu_get_handle(vcpu);

}

/* implemented in interrupt.c */

int kvm_s390_handle_wait(struct kvm_vcpu *vcpu);

void kvm_s390_vcpu_wakeup(struct kvm_vcpu *vcpu);