.. SPDX-License-Identifier: GPL-2.0

===========================================
s390 (IBM Z) Protected Virtualization dumps
===========================================

Summary
-------

Dumping a VM is an essential tool for debugging problems inside
it. This is especially true when a protected VM runs into trouble, as
there's no way to access its memory and registers from the outside
while it's running.

However, when dumping a protected VM we need to maintain its
confidentiality until the dump is in the hands of the VM owner, who
should be the only one capable of analysing it.

The confidentiality of the VM dump is ensured by the Ultravisor, which
provides an interface to KVM over which encrypted CPU and memory data
can be requested. The encryption is based on the Customer
Communication Key, which is the key that's used to encrypt VM data in a
way that the customer is able to decrypt.


Dump process
------------

A dump is done in 3 steps:

**Initiation**

This step initializes the dump process, generates cryptographic seeds
and extracts dump keys with which the VM dump data will be encrypted.

**Data gathering**

Currently there are two types of data that can be gathered from a VM:
the memory and the vcpu state.

The vcpu state contains all the important registers of a vcpu: general,
floating point, vector, control and TOD/timers. The vcpu dump can
contain incomplete data if a vcpu is dumped while an instruction is
emulated with the help of the hypervisor. This is indicated by a flag bit
in the dump data. For the same reason it is very important to not only
write out the encrypted vcpu state, but also the unencrypted state
from the hypervisor.

The memory state is further divided into the encrypted memory and its
metadata, comprised of the encryption tweaks and status flags. The
encrypted memory can simply be read once it has been exported. The
time of the export does not matter as no re-encryption is
needed. Memory that has been swapped out and hence was exported can be
read from the swap and written to the dump target without need for any
special actions.

The tweaks / status flags for the exported pages need to be requested
from the Ultravisor.

**Finalization**

The finalization step will provide the data needed to be able to
decrypt the vcpu and memory data and end the dump process. When this
step completes successfully a new dump initiation can be started.
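
The ordering of the three steps, modelled as bookkeeping a dump writer could keep. This is an added example, not code from the kernel or from this document: every name in it is hypothetical, it does not call the KVM or Ultravisor interface, and refusing finalization while data is missing is the example's own policy. The caller is assumed to zero-initialise the session before first use.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical dump-writer bookkeeping; not the KVM or Ultravisor interface. */
enum { MAX_VCPUS = 4, MAX_PAGES = 8 };
enum dump_err { DUMP_OK, DUMP_EORDER, DUMP_ERANGE, DUMP_EINCOMPLETE };
enum dump_item { VCPU_ENCRYPTED, VCPU_HYPERVISOR, PAGE_DATA, PAGE_METADATA };

struct dump_session {             /* must start zero-initialised */
    bool active;                  /* between initiation and finalization */
    size_t count[4];              /* expected entries per dump_item */
    bool have[4][MAX_PAGES];      /* have[item][index]; MAX_PAGES >= MAX_VCPUS */
};

/* Initiation: refused while an earlier dump has not been finalized. */
enum dump_err dump_init(struct dump_session *s, size_t vcpus, size_t pages)
{
    if (s->active)
        return DUMP_EORDER;
    if (vcpus > MAX_VCPUS || pages > MAX_PAGES)
        return DUMP_ERANGE;
    *s = (struct dump_session){ .active = true, .count = { vcpus, vcpus, pages, pages } };
    return DUMP_OK;
}

/* Data gathering: record that one piece of dump data reached the target. */
enum dump_err dump_record(struct dump_session *s, enum dump_item item, size_t idx)
{
    if (!s->active)
        return DUMP_EORDER;
    if ((unsigned)item > PAGE_METADATA || idx >= s->count[item])
        return DUMP_ERANGE;
    s->have[item][idx] = true;
    return DUMP_OK;
}

/* Finalization: every vcpu needs both states, every page data and metadata. */
enum dump_err dump_finalize(struct dump_session *s)
{
    if (!s->active)
        return DUMP_EORDER;
    for (int item = VCPU_ENCRYPTED; item <= PAGE_METADATA; item++)
        for (size_t i = 0; i < s->count[item]; i++)
            if (!s->have[item][i])
                return DUMP_EINCOMPLETE;
    s->active = false;            /* a new initiation may now start */
    return DUMP_OK;
}
```
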