With v2.22.0, s390-tools (aka s390utils on RHEL) gained an important addition that helps with passing crypto domains through to KVM guests: it allows the configuration to be persisted and helps the user avoid invalid configurations. (Thanks to Matthew Rosato for explaining the details to me.)
- Remove the host driver from the device and assign vfio_ap
- Start a mediated device of type vfio_ap-passthrough with assigned adapter, usage domain and optionally control domain
- Attach the mediated device via its UUID and the <hostdev> element to the KVM domain
- Of course, you need the mediated device configuration and the KVM definition to be persisted.
- The passthrough driver needs to be loaded; this might depend on the kernel you are using. On RHEL you can configure the kernel module vfio_ap to be automatically loaded at boot as described here. Otherwise, trying to define a device via the nodedev API might just tell you: "unsupported configuration: invalid parent device 'ap_matrix'"
- Finally, the crypto devices' driver assignments need to be persisted.
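
As an added example (not from the original post and not part of s390-tools), here are the first three list items done at runtime with the kernel's AP bus sysfs masks and virsh, including a check that the queue has really left the host drivers. The UUID, adapter, domain and guest name passed in are assumed sample values, the function names are hypothetical, and nothing here is persisted.

```shell
#!/bin/sh
# Added example, not from the original post. All sample values are constructed.

# ap_mask_bit MASK BIT: true if BIT is set in an AP bus mask as read from
# /sys/bus/ap/apmask or aqmask (hex string; bit 0 is the leftmost bit).
ap_mask_bit() (
    hex=${1#0x}; bit=$(( $2 ))
    digit=$(printf '%s' "$hex" | cut -c "$(( bit / 4 + 1 ))")
    [ $(( (0x${digit:-0} >> (3 - bit % 4)) & 1 )) -eq 1 ]
)

# apqn_free APMASK AQMASK ADAPTER DOMAIN: host default drivers keep a queue
# only when both its adapter bit and its domain bit are set.
apqn_free() { ! { ap_mask_bit "$1" "$3" && ap_mask_bit "$2" "$4"; }; }

# mdev_xml UUID ADAPTER DOMAIN [CONTROL_DOMAIN]: libvirt node device XML.
mdev_xml() {
    printf '<device>\n  <parent>ap_matrix</parent>\n  <capability type="mdev">\n'
    printf '    <type id="vfio_ap-passthrough"/>\n    <uuid>%s</uuid>\n' "$1"
    printf '    <attr name="assign_adapter" value="%s"/>\n' "$2"
    printf '    <attr name="assign_domain" value="%s"/>\n' "$3"
    [ -z "${4:-}" ] || printf '    <attr name="assign_control_domain" value="%s"/>\n' "$4"
    printf '  </capability>\n</device>\n'
}

# hostdev_xml UUID: the <hostdev> element that attaches the mdev to a guest.
hostdev_xml() {
    printf "<hostdev mode='subsystem' type='mdev' managed='no' model='vfio-ap'>\n"
    printf "  <source>\n    <address uuid='%s'/>\n  </source>\n</hostdev>\n" "$1"
}

# passthrough UUID ADAPTER DOMAIN GUEST: runtime only, needs root.
passthrough() {
    # Step 1: clear the adapter bit so the host drivers release its queues.
    printf '%s\n' "-$2" > /sys/bus/ap/apmask || return 1
    apqn_free "$(cat /sys/bus/ap/apmask)" "$(cat /sys/bus/ap/aqmask)" "$2" "$3" \
        || { echo "queue $2/$3 is still owned by host drivers" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    mdev_xml "$1" "$2" "$3" > "$tmp/mdev.xml"
    hostdev_xml "$1" > "$tmp/hostdev.xml"
    # Step 2: create and start a transient mediated device.
    virsh nodedev-create "$tmp/mdev.xml" || return 1
    # Step 3: attach it to the running guest.
    virsh attach-device "$4" "$tmp/hostdev.xml" --live
}
# Usage (constructed values): passthrough "$(uuidgen)" 0x05 0x0004 guest1
```

Clearing the adapter bit takes every domain of that adapter away from the host's own drivers, so run the `apqn_free` check against the live masks before assuming a queue is safe to hand to a guest.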