.. SPDX-License-Identifier: GPL-2.0

======================================
s390 (IBM Z) Boot/IPL of Protected VMs
======================================

Summary
-------
The memory of Protected Virtual Machines (PVMs) is not accessible to
I/O or the hypervisor. In those cases where the hypervisor needs to
access the memory of a PVM, that memory must be made accessible.
Memory made accessible to the hypervisor will be encrypted. See
Documentation/virt/kvm/s390/s390-pv.rst for details.

On IPL (boot) a small plaintext bootloader is started, which provides
information about the encrypted components and the necessary metadata to
KVM to decrypt the protected virtual machine.

Based on this data, KVM will make the protected virtual machine known
to the Ultravisor (UV) and instruct it to secure the memory of the
PVM, decrypt the components and verify the data and address list
hashes, to ensure integrity. Afterwards KVM can run the PVM via the
SIE instruction, which the UV will intercept and execute on KVM's
behalf.

As the guest image is just like an opaque kernel image that does the
switch into PV mode itself, the user can load encrypted guest
executables and data via every available method (network, dasd, scsi,
direct kernel, ...) without the need to change the boot process.


Diag308
-------
This diagnose instruction is the basic mechanism to handle IPL and
related operations for virtual machines. The VM can set and retrieve
IPL information blocks that specify the IPL method/devices, and
request VM memory and subsystem resets, as well as IPLs.

For PVMs this concept has been extended with new subcodes:

* Subcode 8: Set an IPL Information Block of type 5 (information block
  for PVMs)
* Subcode 9: Store the saved block in guest memory
* Subcode 10: Move into Protected Virtualization mode

The new PV load-device-specific-parameters field specifies all data
that is necessary to move into PV mode:

* PV Header origin
* PV Header length
* List of Components composed of

  * AES-XTS Tweak prefix
  * Origin
  * Size

The PV header contains the keys and hashes, which the UV will use to
decrypt and verify the PV, as well as control flags and a start PSW.

The components are for instance an encrypted kernel, kernel parameters
and initrd. The components are decrypted by the UV.

After the initial import of the encrypted data, all defined pages will
contain the guest content. All non-specified pages will start out as
zero pages on first access.


When running in protected virtualization mode, some subcodes will result in
exceptions or return error codes.

Subcodes 4 and 7, which specify operations that do not clear the guest
memory, will result in specification exceptions. This is because the
UV will clear all memory when a secure VM is removed, and therefore
non-clearing IPL subcodes are not allowed.

Subcodes 8, 9 and 10 will result in specification exceptions.
Re-IPL into protected mode is only possible via a detour into
non-protected mode.

Keys
----
Every CEC will have a unique public key to enable tooling to build
encrypted images.
See `s390-tools <https://github.com/ibm-s390-linux/s390-tools/>`_
for the tooling.
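The PV load-device-specific-parameters list from the Diag308 section, modelled as an added example (not kernel or s390-tools code) together with a pre-flight check that image-building tooling could run before the block is handed to subcode 8. The struct and field names, the 4 KiB page size, the rule that the PV header must not overlap a component and the rule that AES-XTS tweak prefixes must be unique across components are assumptions of this example, not architected facts.

```c
/* Added example, not kernel or s390-tools code: a model of the PV
 * load-device-specific-parameters listed above plus a pre-flight checker
 * for tooling. Field names, page size, the header/component overlap rule
 * and the "tweak prefixes must be unique" rule are assumptions here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define PV_PAGE_SIZE 4096ULL

struct pv_comp {               /* one component list entry */
	uint64_t tweak_prefix;     /* AES-XTS tweak prefix */
	uint64_t origin;           /* guest-physical load address */
	uint64_t size;             /* bytes of encrypted data */
};
struct pv_params {
	uint64_t hdr_origin, hdr_len;  /* PV header origin and length */
	size_t num_comp;
	const struct pv_comp *comp;
};
enum pv_check { PV_OK, PV_ERR_ALIGN, PV_ERR_RANGE, PV_ERR_OVERLAP, PV_ERR_TWEAK };

/* [a, a+alen) and [b, b+blen) share at least one byte */
static bool overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
	return a < b + blen && b < a + alen;
}
/* [origin, origin+len) is non-empty and fits below guest_mem; uses a
 * subtraction so the arithmetic cannot wrap around on hostile input */
static bool in_guest(uint64_t origin, uint64_t len, uint64_t guest_mem)
{
	return len != 0 && len <= guest_mem && origin <= guest_mem - len;
}
/* Every range is validated with in_guest() before it reaches overlap(),
 * so the additions inside overlap() cannot wrap. */
enum pv_check pv_params_check(const struct pv_params *p, uint64_t guest_mem)
{
	if (!in_guest(p->hdr_origin, p->hdr_len, guest_mem)) return PV_ERR_RANGE;
	for (size_t i = 0; i < p->num_comp; i++) {
		const struct pv_comp *c = &p->comp[i];
		if (c->origin % PV_PAGE_SIZE) return PV_ERR_ALIGN;
		if (!in_guest(c->origin, c->size, guest_mem)) return PV_ERR_RANGE;
		if (overlap(c->origin, c->size, p->hdr_origin, p->hdr_len)) return PV_ERR_OVERLAP;
		for (size_t j = 0; j < i; j++) {  /* against every earlier entry */
			if (overlap(c->origin, c->size, p->comp[j].origin, p->comp[j].size))
				return PV_ERR_OVERLAP;
			if (c->tweak_prefix == p->comp[j].tweak_prefix)
				return PV_ERR_TWEAK;
		}
	}
	return PV_OK;
}
```

A rejected block never reaches subcode 8, so a malformed or colliding layout is caught in the build tool rather than surfacing as a UV verification failure or an overlapping decryption at IPL time.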