From 73d2f941dba897e69d8c173299529c9519580858 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Jun 21 2021 09:27:01 +0000 Subject: * Mon Jun 21 2021 Miroslav Rezanina - 6.0.0-6 - kvm-yank-Unregister-function-when-using-TLS-migration.patch [bz#1972462] - kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1957194] - kvm-redhat-Install-the-s390-netboot.img-that-we-ve-built.patch [bz#1957194] - kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch [bz#1957194] - kvm-target-i386-sev-add-support-to-query-the-attestation.patch [bz#1957194] - kvm-spapr-Don-t-hijack-current_machine-boot_order.patch [bz#1957194] - kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch [bz#1957194] - kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch [bz#1957194] - kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch [bz#1957194] - Specfile cleanup [bz#1973029] - Resolves: bz#1972462 (QEMU core dump when doing TLS migration via TCP) - Resolves: bz#1957194 (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta) - Resolves: bz#1973029 (Spec file cleanups) --- diff --git a/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch b/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch new file mode 100644 index 0000000..77db467 --- /dev/null +++ b/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch @@ -0,0 +1,51 @@ +From bd1d37e3536136130df41ac8162ce5bb4f361f87 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 1 Jun 2021 08:52:10 -0400 +Subject: [PATCH 02/21] pc-bios/s390-ccw: don't try to read the next block if + end of chunk is reached +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [1/8] 69a43520a9e7f0ab92bdfdc47281c7606f5159e7 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +From: Marc Hartmayer + +Don't read the block if a null block number is reached, because this means that +the end of chunk is reached. + +Reviewed-by: Collin Walling +Signed-off-by: Marc Hartmayer +Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com> +Signed-off-by: Thomas Huth +(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1) +Signed-off-by: Thomas Huth +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + pc-bios/s390-ccw/bootmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c +index 44df7d16af..b46997c0b7 100644 +--- a/pc-bios/s390-ccw/bootmap.c ++++ b/pc-bios/s390-ccw/bootmap.c +@@ -213,7 +213,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr) + next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs); + } + +- if (next_block_nr) { ++ if (next_block_nr && !is_null_block_number(next_block_nr)) { + read_block(next_block_nr, s2_next_blk, + "Cannot read stage2 boot loader"); + } +-- +2.27.0 + diff --git a/kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch b/kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch new file mode 100644 index 0000000..75d505c --- /dev/null +++ b/kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch @@ -0,0 +1,115 @@ +From 415a6a1ced90cc8b8691eb7ab027bba4611fc236 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Wed, 2 Jun 2021 15:51:02 -0400 +Subject: [PATCH 04/21] sockets: update SOCKET_ADDRESS_TYPE_FD listen(2) + backlog +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [3/8] a8fd97eb477ad51fca75c1cc344185e1de59caf1 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +socket_get_fd() fails with the error "socket_get_fd: too many +connections" if the given listen backlog value is not 1. + +Not all callers set the backlog to 1. For example, commit +582d4210eb2f2ab5baac328fe4b479cd86da1647 ("qemu-nbd: Use SOMAXCONN for +socket listen() backlog") uses SOMAXCONN. This will always fail with in +socket_get_fd(). + +This patch calls listen(2) on the fd to update the backlog value. The +socket may already be in the listen state. I have tested that this works +on Linux 5.10 and macOS Catalina. + +As a bonus this allows us to detect when the fd cannot listen. Now we'll +be able to catch unbound or connected fds in socket_listen(). + +Drop the num argument from socket_get_fd() since this function is also +called by socket_connect() where a listen backlog value does not make +sense. + +Fixes: e5b6353cf25c99c3f08bf51e29933352f7140e8f ("socket: Add backlog parameter to socket_listen") +Reported-by: Richard W.M. Jones +Cc: Juan Quintela +Cc: Eric Blake +Signed-off-by: Stefan Hajnoczi +Message-Id: <20210310173004.420190-1-stefanha@redhat.com> +Tested-by: Richard W.M. Jones +Reviewed-by: Eric Blake +Reviewed-by: Stefano Garzarella +Signed-off-by: Eric Blake +(cherry picked from commit 37179e9ea45d6428b29ae789209c119ac18c1d39) +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + util/qemu-sockets.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c +index 8af0278f15..2463c49773 100644 +--- a/util/qemu-sockets.c ++++ b/util/qemu-sockets.c +@@ -1116,14 +1116,10 @@ fail: + return NULL; + } + +-static int socket_get_fd(const char *fdstr, int num, Error **errp) ++static int socket_get_fd(const char *fdstr, Error **errp) + { + Monitor *cur_mon = monitor_cur(); + int fd; +- if (num != 1) { +- error_setg_errno(errp, EINVAL, "socket_get_fd: too many connections"); +- return -1; +- } + if (cur_mon) { + fd = monitor_get_fd(cur_mon, fdstr, errp); + if (fd < 0) { +@@ -1159,7 +1155,7 @@ int socket_connect(SocketAddress *addr, Error **errp) + break; + + case SOCKET_ADDRESS_TYPE_FD: +- fd = socket_get_fd(addr->u.fd.str, 1, errp); ++ fd = socket_get_fd(addr->u.fd.str, errp); + break; + + case SOCKET_ADDRESS_TYPE_VSOCK: +@@ -1187,7 +1183,26 @@ int socket_listen(SocketAddress *addr, int num, Error **errp) + break; + + case SOCKET_ADDRESS_TYPE_FD: +- fd = socket_get_fd(addr->u.fd.str, num, errp); ++ fd = socket_get_fd(addr->u.fd.str, errp); ++ if (fd < 0) { ++ return -1; ++ } ++ ++ /* ++ * If the socket is not yet in the listen state, then transition it to ++ * the listen state now. ++ * ++ * If it's already listening then this updates the backlog value as ++ * requested. ++ * ++ * If this socket cannot listen because it's already in another state ++ * (e.g. unbound or connected) then we'll catch the error here. ++ */ ++ if (listen(fd, num) != 0) { ++ error_setg_errno(errp, errno, "Failed to listen on fd socket"); ++ closesocket(fd); ++ return -1; ++ } + break; + + case SOCKET_ADDRESS_TYPE_VSOCK: +-- +2.27.0 + diff --git a/kvm-spapr-Don-t-hijack-current_machine-boot_order.patch b/kvm-spapr-Don-t-hijack-current_machine-boot_order.patch new file mode 100644 index 0000000..3cc304d --- /dev/null +++ b/kvm-spapr-Don-t-hijack-current_machine-boot_order.patch @@ -0,0 +1,115 @@ +From b859b919acc83ea12c5c5b2991afac47e9532660 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Thu, 3 Jun 2021 13:29:40 -0400 +Subject: [PATCH 06/21] spapr: Don't hijack current_machine->boot_order +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [5/8] 04822ea86e438f013915cd46e09a33627a640a47 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +From: Greg Kurz + +QEMU 6.0 moved all the -boot variables to the machine. Especially, the +removal of the boot_order static changed the handling of '-boot once' +from: + + if (boot_once) { + qemu_boot_set(boot_once, &error_fatal); + qemu_register_reset(restore_boot_order, g_strdup(boot_order)); + } + +to + + if (current_machine->boot_once) { + qemu_boot_set(current_machine->boot_once, &error_fatal); + qemu_register_reset(restore_boot_order, + g_strdup(current_machine->boot_order)); + } + +This means that we now register as subsequent boot order a copy +of current_machine->boot_once that was just set with the previous +call to qemu_boot_set(), i.e. we never transition away from the +once boot order. + +It is certainly fragile^Wwrong for the spapr code to hijack a +field of the base machine type object like that. The boot order +rework simply turned this software boundary violation into an +actual bug. + +Have the spapr code to handle that with its own field in +SpaprMachineState. Also kfree() the initial boot device +string when "once" was used. + +Fixes: 4b7acd2ac821 ("vl: clean up -boot variables") +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1960119 +Cc: pbonzini@redhat.com +Signed-off-by: Greg Kurz +Message-Id: <20210521160735.1901914-1-groug@kaod.org> +Signed-off-by: David Gibson +(cherry picked from commit 3bf0844f3be77b24cc8f56fc8df9ff199f8324cb) +Signed-off-by: Greg Kurz + +Conflicts: + include/hw/ppc/spapr.h + +Trivial context conflict because downstream has experimental support +for secure guests (f23e4b5090ba). + +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + hw/ppc/spapr.c | 8 +++++--- + include/hw/ppc/spapr.h | 3 +++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c +index 653574ba91..11db32c537 100644 +--- a/hw/ppc/spapr.c ++++ b/hw/ppc/spapr.c +@@ -1006,7 +1006,7 @@ static void spapr_dt_chosen(SpaprMachineState *spapr, void *fdt, bool reset) + _FDT(chosen = fdt_add_subnode(fdt, 0, "chosen")); + + if (reset) { +- const char *boot_device = machine->boot_order; ++ const char *boot_device = spapr->boot_device; + char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus); + size_t cb = 0; + char *bootlist = get_boot_devices_list(&cb); +@@ -2364,8 +2364,10 @@ static SaveVMHandlers savevm_htab_handlers = { + static void spapr_boot_set(void *opaque, const char *boot_device, + Error **errp) + { +- MachineState *machine = MACHINE(opaque); +- machine->boot_order = g_strdup(boot_device); ++ SpaprMachineState *spapr = SPAPR_MACHINE(opaque); ++ ++ g_free(spapr->boot_device); ++ spapr->boot_device = g_strdup(boot_device); + } + + static void spapr_create_lmb_dr_connectors(SpaprMachineState *spapr) +diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h +index 54cdde8980..6d15066bc3 100644 +--- a/include/hw/ppc/spapr.h ++++ b/include/hw/ppc/spapr.h +@@ -227,6 +227,9 @@ struct SpaprMachineState { + /* Secure Guest support via x-svm-allowed */ + bool svm_allowed; + ++ /* Set by -boot */ ++ char *boot_device; ++ + /*< public >*/ + char *kvm_type; + char *host_model; +-- +2.27.0 + diff --git a/kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch b/kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch new file mode 100644 index 0000000..4c7c9a1 --- /dev/null +++ b/kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch @@ -0,0 +1,52 @@ +From 63933b51e447d4acb08d3900ff64d150a3f2bdf8 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Wed, 9 Jun 2021 05:58:34 -0400 +Subject: [PATCH 08/21] spapr: Remove stale comment about power-saving LPCR + bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [7/8] 12872a0193d22915de5d71d8055094f9f15e63b0 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +From: Nicholas Piggin + +Commit 47a9b551547 ("spapr: Clean up handling of LPCR power-saving exit +bits") moved this logic but did not remove the comment from the +previous location. + +Signed-off-by: Nicholas Piggin +Message-Id: <20210526091626.3388262-2-npiggin@gmail.com> +Reviewed-by: Cédric Le Goater +Reviewed-by: Greg Kurz +Signed-off-by: David Gibson +Signed-off-by: Laurent Vivier +(cherry picked from commit 7be3bf6c8429969f97728bb712d9a99997835607) +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + hw/ppc/spapr_rtas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c +index 8a79f9c628..91c71d1c94 100644 +--- a/hw/ppc/spapr_rtas.c ++++ b/hw/ppc/spapr_rtas.c +@@ -164,7 +164,6 @@ static void rtas_start_cpu(PowerPCCPU *callcpu, SpaprMachineState *spapr, + + env->msr = (1ULL << MSR_SF) | (1ULL << MSR_ME); + +- /* Enable Power-saving mode Exit Cause exceptions for the new CPU */ + lpcr = env->spr[SPR_LPCR]; + if (!pcc->interrupts_big_endian(callcpu)) { + lpcr |= LPCR_ILE; +-- +2.27.0 + diff --git a/kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch b/kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch new file mode 100644 index 0000000..c30b63e --- /dev/null +++ b/kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch @@ -0,0 +1,90 @@ +From 8bb294ea3f26a8ce01ad76c19a6de359dce0c113 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Wed, 9 Jun 2021 05:58:35 -0400 +Subject: [PATCH 09/21] spapr: Set LPCR to current AIL mode when starting a new + CPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [8/8] 7a1cb27881f93c245ab9e8b8540cbd06d4f8c14f (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +From: Nicholas Piggin + +TCG does not keep track of AIL mode in a central place, it's based on +the current LPCR[AIL] bits. Synchronize the new CPU's LPCR to the +current LPCR in rtas_start_cpu(), similarly to the way the ILE bit is +synchronized. + +Open-code the ILE setting as well now that the caller's LPCR is +available directly, there is no need for the indirection. + +Without this, under both TCG and KVM, adding a POWER8/9/10 class CPU +with a new core ID after a modern Linux has booted results in the new +CPU's LPCR missing the LPCR[AIL]=0b11 setting that the other CPUs have. +This can cause crashes and unexpected behaviour. + +Signed-off-by: Nicholas Piggin +Message-Id: <20210526091626.3388262-3-npiggin@gmail.com> +Reviewed-by: Cédric Le Goater +Reviewed-by: Greg Kurz +Signed-off-by: David Gibson +Signed-off-by: Laurent Vivier +(cherry picked from commit ac559ecbea2649819e7b3fdd09f4e0243e0128db) +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + hw/ppc/spapr_rtas.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c +index 91c71d1c94..27ab339b0c 100644 +--- a/hw/ppc/spapr_rtas.c ++++ b/hw/ppc/spapr_rtas.c +@@ -133,8 +133,8 @@ static void rtas_start_cpu(PowerPCCPU *callcpu, SpaprMachineState *spapr, + target_ulong id, start, r3; + PowerPCCPU *newcpu; + CPUPPCState *env; +- PowerPCCPUClass *pcc; + target_ulong lpcr; ++ target_ulong caller_lpcr; + + if (nargs != 3 || nret != 1) { + rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR); +@@ -153,7 +153,6 @@ static void rtas_start_cpu(PowerPCCPU *callcpu, SpaprMachineState *spapr, + } + + env = &newcpu->env; +- pcc = POWERPC_CPU_GET_CLASS(newcpu); + + if (!CPU(newcpu)->halted) { + rtas_st(rets, 0, RTAS_OUT_HW_ERROR); +@@ -164,10 +163,15 @@ static void rtas_start_cpu(PowerPCCPU *callcpu, SpaprMachineState *spapr, + + env->msr = (1ULL << MSR_SF) | (1ULL << MSR_ME); + ++ caller_lpcr = callcpu->env.spr[SPR_LPCR]; + lpcr = env->spr[SPR_LPCR]; +- if (!pcc->interrupts_big_endian(callcpu)) { +- lpcr |= LPCR_ILE; +- } ++ ++ /* Set ILE the same way */ ++ lpcr = (lpcr & ~LPCR_ILE) | (caller_lpcr & LPCR_ILE); ++ ++ /* Set AIL the same way */ ++ lpcr = (lpcr & ~LPCR_AIL) | (caller_lpcr & LPCR_AIL); ++ + if (env->mmu_model == POWERPC_MMU_3_00) { + /* + * New cpus are expected to start in the same radix/hash mode +-- +2.27.0 + diff --git a/kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch b/kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch new file mode 100644 index 0000000..bdf810c --- /dev/null +++ b/kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch @@ -0,0 +1,322 @@ +From a7752067b45bc05f1127a62e39c38a3361bb1840 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Thu, 3 Jun 2021 14:04:18 -0400 +Subject: [PATCH 07/21] target/i386: Add CPU model versions supporting 'xsaves' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [6/8] 814973113f19a21d10a90fcbbcd881eef354933d (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +Hyper-V 2016 refuses to boot on Skylake+ CPU models because they lack +'xsaves'/'vmx-xsaves' features and this diverges from real hardware. The +same issue emerges with AMD "EPYC" CPU model prior to version 3 which got +'xsaves' added. EPYC-Rome/EPYC-Milan CPU models have 'xsaves' enabled from +the very beginning so the comment blaming KVM to explain why other CPUs +lack 'xsaves' is likely outdated. + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20210412073952.860944-1-vkuznets@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 7bde6b18575dd79c26ce1616e0c33151e83d9d7e) + +Conflicts: + target/i386/cpu.c (context, skipping c1826ea6a0520) + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + target/i386/cpu.c | 150 +++++++++++++++++++++++++++++----------------- + 1 file changed, 94 insertions(+), 56 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index c30bb2a6b0..da47c3e50e 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -2881,12 +2881,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | + CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | + CPUID_7_0_EBX_SMAP, +- /* Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 4 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -2962,6 +2957,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + } + }, ++ { ++ .version = 4, ++ .note = "IBRS, XSAVES, no TSX", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ } ++ }, + { /* end of list */ } + } + }, +@@ -3001,12 +3005,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT, + .features[FEAT_7_0_ECX] = + CPUID_7_0_ECX_PKU, +- /* Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 5 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3094,6 +3093,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + } + }, ++ { ++ .version = 5, ++ .note = "IBRS, XSAVES, EPT switching, no TSX", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ } ++ }, + { /* end of list */ } + } + }, +@@ -3136,12 +3144,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_ECX_AVX512VNNI, + .features[FEAT_7_0_EDX] = + CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, +- /* Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 5 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3225,6 +3228,14 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + }, + }, ++ { .version = 5, ++ .note = "ARCH_CAPABILITIES, EPT switching, XSAVES, no TSX", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ }, ++ }, + { /* end of list */ } + } + }, +@@ -3274,13 +3285,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + MSR_ARCH_CAP_PSCHANGE_MC_NO | MSR_ARCH_CAP_TAA_NO, + .features[FEAT_7_1_EAX] = + CPUID_7_1_EAX_AVX512_BF16, +- /* +- * Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 2 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3336,6 +3341,18 @@ static X86CPUDefinition builtin_x86_defs[] = { + .features[FEAT_VMX_VMFUNC] = MSR_VMX_VMFUNC_EPT_SWITCHING, + .xlevel = 0x80000008, + .model_id = "Intel Xeon Processor (Cooperlake)", ++ .versions = (X86CPUVersionDefinition[]) { ++ { .version = 1 }, ++ { .version = 2, ++ .note = "XSAVES", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ }, ++ }, ++ { /* end of list */ } ++ } + }, + { + .name = "Icelake-Client", +@@ -3378,12 +3395,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_ECX_AVX512_VPOPCNTDQ, + .features[FEAT_7_0_EDX] = + CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, +- /* Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 3 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3451,6 +3463,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + }, + }, ++ { ++ .version = 3, ++ .note = "no TSX, XSAVES, deprecated", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ }, ++ }, + { /* end of list */ } + }, + .deprecation_note = "use Icelake-Server instead" +@@ -3499,12 +3520,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_ECX_AVX512_VPOPCNTDQ | CPUID_7_0_ECX_LA57, + .features[FEAT_7_0_EDX] = + CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, +- /* Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 5 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3597,6 +3613,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + }, + }, ++ { ++ .version = 5, ++ .note = "XSAVES", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ } ++ }, ++ }, + { /* end of list */ } + } + }, +@@ -3631,13 +3656,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + .features[FEAT_7_0_EDX] = + CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_ARCH_CAPABILITIES | + CPUID_7_0_EDX_SPEC_CTRL_SSBD, +- /* +- * Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is added in version 3 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | CPUID_XSAVE_XGETBV1, + .features[FEAT_6_EAX] = +@@ -3704,6 +3723,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ }, + }, + }, ++ { ++ .version = 3, ++ .note = "XSAVES, no MPX, no MONITOR", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ }, ++ }, ++ }, + { /* end of list */ }, + }, + }, +@@ -3762,13 +3790,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_EDX_CORE_CAPABILITY, + .features[FEAT_CORE_CAPABILITY] = + MSR_CORE_CAP_SPLIT_LOCK_DETECT, +- /* +- * Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component, +- * and the only one defined in Skylake (processor tracing) +- * probably will block migration anyway. +- */ ++ /* XSAVES is is added in version 3 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -3833,6 +3855,15 @@ static X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ }, + }, + }, ++ { ++ .version = 3, ++ .note = "XSAVES, no MPX", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { "vmx-xsaves", "on" }, ++ { /* end of list */ }, ++ }, ++ }, + { /* end of list */ }, + }, + }, +@@ -4114,11 +4145,7 @@ static X86CPUDefinition builtin_x86_defs[] = { + CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_AVX2 | + CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_RDSEED | + CPUID_7_0_EBX_ADX | CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_CLFLUSHOPT, +- /* +- * Missing: XSAVES (not supported by some Linux versions, +- * including v4.1 to v4.12). +- * KVM doesn't yet expose any XSAVES state save component. +- */ ++ /* XSAVES is added in version 2 */ + .features[FEAT_XSAVE] = + CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | + CPUID_XSAVE_XGETBV1, +@@ -4129,6 +4156,17 @@ static X86CPUDefinition builtin_x86_defs[] = { + .xlevel = 0x8000001E, + .model_id = "Hygon Dhyana Processor", + .cache_info = &epyc_cache_info, ++ .versions = (X86CPUVersionDefinition[]) { ++ { .version = 1 }, ++ { .version = 2, ++ .note = "XSAVES", ++ .props = (PropValue[]) { ++ { "xsaves", "on" }, ++ { /* end of list */ } ++ }, ++ }, ++ { /* end of list */ } ++ } + }, + { + .name = "EPYC-Rome", +-- +2.27.0 + diff --git a/kvm-target-i386-sev-add-support-to-query-the-attestation.patch b/kvm-target-i386-sev-add-support-to-query-the-attestation.patch new file mode 100644 index 0000000..fd08786 --- /dev/null +++ b/kvm-target-i386-sev-add-support-to-query-the-attestation.patch @@ -0,0 +1,262 @@ +From ba750c8ed71bc73c79fecefa895192793ef6b7db Mon Sep 17 00:00:00 2001 +From: Connor Kuehl +Date: Wed, 2 Jun 2021 19:39:20 -0400 +Subject: [PATCH 05/21] target/i386/sev: add support to query the attestation + report +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 8: Synchronize with RHEL-AV 8.5 release 19 to RHEL 9 +RH-Commit: [4/8] de6088cb0cd1db779b85a50be87846e967f8c92c (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Greg Kurz +RH-Acked-by: Laurent Vivier +RH-Acked-by: Vitaly Kuznetsov + +From: Brijesh Singh + +The SEV FW >= 0.23 added a new command that can be used to query the +attestation report containing the SHA-256 digest of the guest memory +and VMSA encrypted with the LAUNCH_UPDATE and sign it with the PEK. + +Note, we already have a command (LAUNCH_MEASURE) that can be used to +query the SHA-256 digest of the guest memory encrypted through the +LAUNCH_UPDATE. The main difference between previous and this command +is that the report is signed with the PEK and unlike the LAUNCH_MEASURE +command the ATTESATION_REPORT command can be called while the guest +is running. + +Add a QMP interface "query-sev-attestation-report" that can be used +to get the report encoded in base64. + +Cc: James Bottomley +Cc: Tom Lendacky +Cc: Eric Blake +Cc: Paolo Bonzini +Cc: kvm@vger.kernel.org +Reviewed-by: James Bottomley +Tested-by: James Bottomley +Signed-off-by: Brijesh Singh +Reviewed-by: Connor Kuehl +Message-Id: <20210429170728.24322-1-brijesh.singh@amd.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 3ea1a80243d5b5ba23d8c2b7d3a86034ea0ade22) +Signed-off-by: Connor Kuehl +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + linux-headers/linux/kvm.h | 8 +++++ + qapi/misc-target.json | 38 ++++++++++++++++++++++ + target/i386/monitor.c | 6 ++++ + target/i386/sev-stub.c | 7 ++++ + target/i386/sev.c | 67 +++++++++++++++++++++++++++++++++++++++ + target/i386/sev_i386.h | 2 ++ + target/i386/trace-events | 1 + + 7 files changed, 129 insertions(+) + +diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h +index 020b62a619..897f831374 100644 +--- a/linux-headers/linux/kvm.h ++++ b/linux-headers/linux/kvm.h +@@ -1591,6 +1591,8 @@ enum sev_cmd_id { + KVM_SEV_DBG_ENCRYPT, + /* Guest certificates commands */ + KVM_SEV_CERT_EXPORT, ++ /* Attestation report */ ++ KVM_SEV_GET_ATTESTATION_REPORT, + + KVM_SEV_NR_MAX, + }; +@@ -1643,6 +1645,12 @@ struct kvm_sev_dbg { + __u32 len; + }; + ++struct kvm_sev_attestation_report { ++ __u8 mnonce[16]; ++ __u64 uaddr; ++ __u32 len; ++}; ++ + #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) + #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) + #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2) +diff --git a/qapi/misc-target.json b/qapi/misc-target.json +index 0c7491cd82..4b62f0ac05 100644 +--- a/qapi/misc-target.json ++++ b/qapi/misc-target.json +@@ -285,3 +285,41 @@ + ## + { 'command': 'query-gic-capabilities', 'returns': ['GICCapability'], + 'if': 'defined(TARGET_ARM)' } ++ ++ ++## ++# @SevAttestationReport: ++# ++# The struct describes attestation report for a Secure Encrypted Virtualization ++# feature. ++# ++# @data: guest attestation report (base64 encoded) ++# ++# ++# Since: 6.1 ++## ++{ 'struct': 'SevAttestationReport', ++ 'data': { 'data': 'str'}, ++ 'if': 'defined(TARGET_I386)' } ++ ++## ++# @query-sev-attestation-report: ++# ++# This command is used to get the SEV attestation report, and is supported on AMD ++# X86 platforms only. ++# ++# @mnonce: a random 16 bytes value encoded in base64 (it will be included in report) ++# ++# Returns: SevAttestationReport objects. ++# ++# Since: 6.1 ++# ++# Example: ++# ++# -> { "execute" : "query-sev-attestation-report", "arguments": { "mnonce": "aaaaaaa" } } ++# <- { "return" : { "data": "aaaaaaaabbbddddd"} } ++# ++## ++{ 'command': 'query-sev-attestation-report', 'data': { 'mnonce': 'str' }, ++ 'returns': 'SevAttestationReport', ++ 'if': 'defined(TARGET_I386)' } +diff --git a/target/i386/monitor.c b/target/i386/monitor.c +index 5994408bee..119211f0b0 100644 +--- a/target/i386/monitor.c ++++ b/target/i386/monitor.c +@@ -757,3 +757,9 @@ void qmp_sev_inject_launch_secret(const char *packet_hdr, + + sev_inject_launch_secret(packet_hdr, secret, gpa, errp); + } ++ ++SevAttestationReport * ++qmp_query_sev_attestation_report(const char *mnonce, Error **errp) ++{ ++ return sev_get_attestation_report(mnonce, errp); ++} +diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c +index 0207f1c5aa..0227cb5177 100644 +--- a/target/i386/sev-stub.c ++++ b/target/i386/sev-stub.c +@@ -74,3 +74,10 @@ int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size) + { + abort(); + } ++ ++SevAttestationReport * ++sev_get_attestation_report(const char *mnonce, Error **errp) ++{ ++ error_setg(errp, "SEV is not available in this QEMU"); ++ return NULL; ++} +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 72b9e2ab40..740548f213 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -491,6 +491,73 @@ out: + return cap; + } + ++SevAttestationReport * ++sev_get_attestation_report(const char *mnonce, Error **errp) ++{ ++ struct kvm_sev_attestation_report input = {}; ++ SevAttestationReport *report = NULL; ++ SevGuestState *sev = sev_guest; ++ guchar *data; ++ guchar *buf; ++ gsize len; ++ int err = 0, ret; ++ ++ if (!sev_enabled()) { ++ error_setg(errp, "SEV is not enabled"); ++ return NULL; ++ } ++ ++ /* lets decode the mnonce string */ ++ buf = g_base64_decode(mnonce, &len); ++ if (!buf) { ++ error_setg(errp, "SEV: failed to decode mnonce input"); ++ return NULL; ++ } ++ ++ /* verify the input mnonce length */ ++ if (len != sizeof(input.mnonce)) { ++ error_setg(errp, "SEV: mnonce must be %zu bytes (got %" G_GSIZE_FORMAT ")", ++ sizeof(input.mnonce), len); ++ g_free(buf); ++ return NULL; ++ } ++ ++ /* Query the report length */ ++ ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, ++ &input, &err); ++ if (ret < 0) { ++ if (err != SEV_RET_INVALID_LEN) { ++ error_setg(errp, "failed to query the attestation report length " ++ "ret=%d fw_err=%d (%s)", ret, err, fw_error_to_str(err)); ++ g_free(buf); ++ return NULL; ++ } ++ } ++ ++ data = g_malloc(input.len); ++ input.uaddr = (unsigned long)data; ++ memcpy(input.mnonce, buf, sizeof(input.mnonce)); ++ ++ /* Query the report */ ++ ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, ++ &input, &err); ++ if (ret) { ++ error_setg_errno(errp, errno, "Failed to get attestation report" ++ " ret=%d fw_err=%d (%s)", ret, err, fw_error_to_str(err)); ++ goto e_free_data; ++ } ++ ++ report = g_new0(SevAttestationReport, 1); ++ report->data = g_base64_encode(data, input.len); ++ ++ trace_kvm_sev_attestation_report(mnonce, report->data); ++ ++e_free_data: ++ g_free(data); ++ g_free(buf); ++ return report; ++} ++ + static int + sev_read_file_base64(const char *filename, guchar **data, gsize *len) + { +diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h +index ae221d4c72..ae6d840478 100644 +--- a/target/i386/sev_i386.h ++++ b/target/i386/sev_i386.h +@@ -35,5 +35,7 @@ extern uint32_t sev_get_cbit_position(void); + extern uint32_t sev_get_reduced_phys_bits(void); + extern char *sev_get_launch_measurement(void); + extern SevCapability *sev_get_capabilities(Error **errp); ++extern SevAttestationReport * ++sev_get_attestation_report(const char *mnonce, Error **errp); + + #endif +diff --git a/target/i386/trace-events b/target/i386/trace-events +index a22ab24e21..8d6437404d 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -10,3 +10,4 @@ kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIx64 + kvm_sev_launch_measurement(const char *value) "data %s" + kvm_sev_launch_finish(void) "" + kvm_sev_launch_secret(uint64_t hpa, uint64_t hva, uint64_t secret, int len) "hpa 0x%" PRIx64 " hva 0x%" PRIx64 " data 0x%" PRIx64 " len %d" ++kvm_sev_attestation_report(const char *mnonce, const char *data) "mnonce %s data %s" +-- +2.27.0 + diff --git a/kvm-yank-Unregister-function-when-using-TLS-migration.patch b/kvm-yank-Unregister-function-when-using-TLS-migration.patch new file mode 100644 index 0000000..1691c50 --- /dev/null +++ b/kvm-yank-Unregister-function-when-using-TLS-migration.patch @@ -0,0 +1,146 @@ +From a722ec5614bbaa36992653250add7dabd39b12ad Mon Sep 17 00:00:00 2001 +From: Leonardo Bras +Date: Tue, 1 Jun 2021 02:40:31 -0300 +Subject: [PATCH 01/21] yank: Unregister function when using TLS migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Leonardo Brás +RH-MergeRequest: 10: yank: Unregister function when using TLS migration +RH-Commit: [1/1] b39e19a3a92dc7f881527198824ce7f402aa9289 (LeoBras/centos-qemu-kvm) +RH-Bugzilla: 1972462 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Peter Xu > +RH-Acked-by: Dr. David Alan Gilbert + +After yank feature was introduced in migration, whenever migration +is started using TLS, the following error happens in both source and +destination hosts: + +(qemu) qemu-kvm: ../util/yank.c:107: yank_unregister_instance: +Assertion `QLIST_EMPTY(&entry->yankfns)' failed. + +This happens because of a missing yank_unregister_function() when using +qio-channel-tls. + +Fix this by also allowing TYPE_QIO_CHANNEL_TLS object type to perform +yank_unregister_function() in channel_close() and multifd_load_cleanup(). + +Also, inside migration_channel_connect() and +migration_channel_process_incoming() move yank_register_function() so +it only runs once on a TLS migration. + +Fixes: b5eea99ec2f ("migration: Add yank feature", 2021-01-13) +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1964326 +Signed-off-by: Leonardo Bras +Reviewed-by: Lukas Straub +Reviewed-by: Peter Xu +Message-Id: <20210601054030.1153249-1-leobras.c@gmail.com> + +Signed-off-by: Dr. David Alan Gilbert +(cherry picked from commit 7de2e8565335c13fb3516cddbe2e40e366cce273) +Signed-off-by: Leonardo Bras +Signed-off-by: Miroslav Rezanina +--- + migration/channel.c | 26 ++++++++++++++------------ + migration/multifd.c | 3 ++- + migration/qemu-file-channel.c | 4 +++- + 3 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/migration/channel.c b/migration/channel.c +index c9ee902021..01275a9162 100644 +--- a/migration/channel.c ++++ b/migration/channel.c +@@ -38,18 +38,19 @@ void migration_channel_process_incoming(QIOChannel *ioc) + trace_migration_set_incoming_channel( + ioc, object_get_typename(OBJECT(ioc))); + +- if (object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET)) { +- yank_register_function(MIGRATION_YANK_INSTANCE, +- migration_yank_iochannel, +- QIO_CHANNEL(ioc)); +- } +- + if (s->parameters.tls_creds && + *s->parameters.tls_creds && + !object_dynamic_cast(OBJECT(ioc), + TYPE_QIO_CHANNEL_TLS)) { + migration_tls_channel_process_incoming(s, ioc, &local_err); + } else { ++ if (object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET) || ++ object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_TLS)) { ++ yank_register_function(MIGRATION_YANK_INSTANCE, ++ migration_yank_iochannel, ++ QIO_CHANNEL(ioc)); ++ } ++ + migration_ioc_process_incoming(ioc, &local_err); + } + +@@ -76,12 +77,6 @@ void migration_channel_connect(MigrationState *s, + ioc, object_get_typename(OBJECT(ioc)), hostname, error); + + if (!error) { +- if (object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET)) { +- yank_register_function(MIGRATION_YANK_INSTANCE, +- migration_yank_iochannel, +- QIO_CHANNEL(ioc)); +- } +- + if (s->parameters.tls_creds && + *s->parameters.tls_creds && + !object_dynamic_cast(OBJECT(ioc), +@@ -99,6 +94,13 @@ void migration_channel_connect(MigrationState *s, + } else { + QEMUFile *f = qemu_fopen_channel_output(ioc); + ++ if (object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET) || ++ object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_TLS)) { ++ yank_register_function(MIGRATION_YANK_INSTANCE, ++ migration_yank_iochannel, ++ QIO_CHANNEL(ioc)); ++ } ++ + qemu_mutex_lock(&s->qemu_file_lock); + s->to_dst_file = f; + qemu_mutex_unlock(&s->qemu_file_lock); +diff --git a/migration/multifd.c b/migration/multifd.c +index a6677c45c8..a8dedcf822 100644 +--- a/migration/multifd.c ++++ b/migration/multifd.c +@@ -987,7 +987,8 @@ int multifd_load_cleanup(Error **errp) + for (i = 0; i < migrate_multifd_channels(); i++) { + MultiFDRecvParams *p = &multifd_recv_state->params[i]; + +- if (object_dynamic_cast(OBJECT(p->c), TYPE_QIO_CHANNEL_SOCKET) ++ if ((object_dynamic_cast(OBJECT(p->c), TYPE_QIO_CHANNEL_SOCKET) || ++ object_dynamic_cast(OBJECT(p->c), TYPE_QIO_CHANNEL_TLS)) + && OBJECT(p->c)->ref == 1) { + yank_unregister_function(MIGRATION_YANK_INSTANCE, + migration_yank_iochannel, +diff --git a/migration/qemu-file-channel.c b/migration/qemu-file-channel.c +index 876d05a540..fad340ea7a 100644 +--- a/migration/qemu-file-channel.c ++++ b/migration/qemu-file-channel.c +@@ -26,6 +26,7 @@ + #include "qemu-file-channel.h" + #include "qemu-file.h" + #include "io/channel-socket.h" ++#include "io/channel-tls.h" + #include "qemu/iov.h" + #include "qemu/yank.h" + #include "yank_functions.h" +@@ -106,7 +107,8 @@ static int channel_close(void *opaque, Error **errp) + int ret; + QIOChannel *ioc = QIO_CHANNEL(opaque); + ret = qio_channel_close(ioc, errp); +- if (object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET) ++ if ((object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_SOCKET) || ++ object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_TLS)) + && OBJECT(ioc)->ref == 1) { + yank_unregister_function(MIGRATION_YANK_INSTANCE, + migration_yank_iochannel, +-- +2.27.0 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index ae2bcd2..e812783 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -1,13 +1,27 @@ -%global SLOF_gittagdate 20191022 -%global SLOF_gittagcommit 899d9883 +%global libfdt_version 1.6.0 +%global libseccomp_version 2.4.0 +%global libusbx_version 1.0.23 +%global meson_version 0.55.3-3 +%global usbredir_version 0.7.1 %global have_usbredir 1 %global have_opengl 1 %global have_fdt 0 %global have_kvm_setup 0 %global have_memlock_limits 0 +# have_block_rbd is not relevant for RHEL but makes it +# easier to sync spec dependency list with Fedora +%global have_block_rbd 1 +%global have_pmem 1 +%ifnarch x86_64 + %global have_pmem 0 +%endif +%global have_numactl 1 +%ifarch s390x + %global have_numactl 0 +%endif %ifnarch %{ix86} x86_64 %global have_usbredir 0 @@ -60,13 +74,12 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 6.0.0 -Release: 5%{?rcversion}%{?dist} +Release: 6%{?rcversion}%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch 15 used for RHEL 8 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5) Epoch: 17 License: GPLv2 and GPLv2+ and CC-BY -Group: Development/Tools URL: http://www.qemu.org/ ExclusiveArch: x86_64 %{power64} aarch64 s390x @@ -144,101 +157,83 @@ Patch32: kvm-virtio-scsi-Set-host-notifiers-and-callbacks-separat.patch Patch33: kvm-virtio-scsi-Configure-all-host-notifiers-in-a-single.patch # For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta Patch34: kvm-hw-arm-smmuv3-Another-range-invalidation-fix.patch +# For bz#1972462 - QEMU core dump when doing TLS migration via TCP +Patch35: kvm-yank-Unregister-function-when-using-TLS-migration.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch36: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch37: kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch38: kvm-target-i386-sev-add-support-to-query-the-attestation.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch39: kvm-spapr-Don-t-hijack-current_machine-boot_order.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch40: kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch41: kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch +# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta +Patch42: kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch -BuildRequires: wget -BuildRequires: rpm-build -BuildRequires: ninja-build -BuildRequires: meson >= 0.55.3-3 +# Source-git patches + +BuildRequires: meson >= %{meson_version} BuildRequires: zlib-devel BuildRequires: glib2-devel -BuildRequires: which BuildRequires: gnutls-devel BuildRequires: cyrus-sasl-devel -BuildRequires: libtool BuildRequires: libaio-devel -BuildRequires: rsync BuildRequires: python3-devel -BuildRequires: pciutils-devel BuildRequires: libiscsi-devel -BuildRequires: ncurses-devel BuildRequires: libattr-devel -BuildRequires: libusbx-devel >= 1.0.23 +BuildRequires: libusbx-devel >= %{libusbx_version} %if %{have_usbredir} -BuildRequires: usbredir-devel >= 0.7.1 +BuildRequires: usbredir-devel >= %{usbredir_version} %endif BuildRequires: texinfo BuildRequires: python3-sphinx -BuildRequires: libseccomp-devel >= 2.4.0 +BuildRequires: libseccomp-devel >= %{libseccomp_version} # For network block driver BuildRequires: libcurl-devel BuildRequires: libssh-devel -BuildRequires: librados-devel +%if %{have_block_rbd} BuildRequires: librbd-devel +%endif # We need both because the 'stap' binary is probed for by configure BuildRequires: systemtap BuildRequires: systemtap-sdt-devel # For VNC PNG support BuildRequires: libpng-devel -# For uuid generation -BuildRequires: libuuid-devel -# For Braille device support -BuildRequires: brlapi-devel -# For test suite -BuildRequires: check-devel # For virtiofs BuildRequires: libcap-ng-devel # Hard requirement for version >= 1.3 BuildRequires: pixman-devel -# Documentation requirement -BuildRequires: perl-podlators -BuildRequires: texinfo -BuildRequires: python3-sphinx # For rdma -%if 0%{?have_librdma} +%if %{have_librdma} BuildRequires: rdma-core-devel %endif %if %{have_fdt} -BuildRequires: libfdt-devel >= 1.6.0 -%endif -# iasl and cpp for acpi generation (not a hard requirement as we can use -# pre-compiled files, but it's better to use this) -%ifarch %{ix86} x86_64 -BuildRequires: iasl -BuildRequires: cpp +BuildRequires: libfdt-devel >= %{libfdt_version} %endif # For compressed guest memory dumps BuildRequires: lzo-devel snappy-devel # For NUMA memory binding -%ifnarch s390x +%if %{have_numactl} BuildRequires: numactl-devel %endif BuildRequires: libgcrypt-devel # qemu-pr-helper multipath support (requires libudev too) BuildRequires: device-mapper-multipath-devel BuildRequires: systemd-devel -# used by qemu-bridge-helper and qemu-pr-helper -BuildRequires: libcap-ng-devel - -BuildRequires: diffutils -%ifarch x86_64 +%if %{have_pmem} BuildRequires: libpmem-devel -Requires: libpmem %endif - # qemu-keymap BuildRequires: pkgconfig(xkbcommon) - -# For s390-pgste flag -%ifarch s390x -BuildRequires: binutils >= 2.27-16 -%endif - %if %{have_opengl} BuildRequires: pkgconfig(epoxy) BuildRequires: pkgconfig(libdrm) BuildRequires: pkgconfig(gbm) %endif - BuildRequires: perl-Test-Harness BuildRequires: libslirp-devel @@ -267,19 +262,17 @@ Requires: edk2-ovmf Requires: edk2-aarch64 %endif -Requires: libseccomp >= 2.4.0 -# For compressed guest memory dumps -Requires: lzo snappy +Requires: libseccomp >= %{libseccomp_version} %if %{have_kvm_setup} Requires(post): systemd-units Requires(preun): systemd-units %endif -Requires: libusbx >= 1.0.23 +Requires: libusbx >= %{libusbx_version} %if %{have_usbredir} -Requires: usbredir >= 0.7.1 +Requires: usbredir >= %{usbredir_version} %endif %if %{have_fdt} -Requires: libfdt >= 1.6.0 +Requires: libfdt >= %{libfdt_version} %endif # Since SPICE is removed from RHEL-9, the following Obsoletes: @@ -303,14 +296,12 @@ qemu-kvm-docs provides documentation files regarding qemu-kvm. %package -n qemu-img Summary: QEMU command line tool for manipulating disk images -Group: Development/Tools %description -n qemu-img This package provides a command line tool for manipulating disk images. %package -n qemu-kvm-common Summary: QEMU common files needed by all QEMU targets -Group: Development/Tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/groupadd Requires(post): /usr/sbin/useradd @@ -593,7 +584,7 @@ pushd %{qemu_kvm_build} --enable-curl \ --enable-debug-info \ --enable-docs \ -%if 0%{have_fdt} +%if %{have_fdt} --enable-fdt \ %endif --enable-gcrypt \ @@ -602,7 +593,7 @@ pushd %{qemu_kvm_build} --enable-iconv \ --enable-kvm \ --enable-libiscsi \ -%ifarch x86_64 +%if %{have_pmem} --enable-libpmem \ %endif --enable-libssh \ @@ -613,15 +604,17 @@ pushd %{qemu_kvm_build} --enable-malloc-trim \ --enable-modules \ --enable-mpath \ -%ifnarch s390x +%if %{have_numactl} --enable-numa \ %endif -%if 0%{have_opengl} +%if %{have_opengl} --enable-opengl \ %endif --enable-pie \ +%if %{have_block_rbd} --enable-rbd \ -%if 0%{have_librdma} +%endif +%if %{have_librdma} --enable-rdma \ %endif --enable-seccomp \ @@ -632,7 +625,7 @@ pushd %{qemu_kvm_build} --enable-tools \ --enable-tpm \ --enable-trace-backend=dtrace \ -%if 0%{have_usbredir} +%if %{have_usbredir} --enable-usb-redir \ %endif --enable-virtiofsd \ @@ -687,6 +680,12 @@ make V=1 %{?_smp_mflags} $buildldflags cp -a %{kvm_target}-softmmu/qemu-system-%{kvm_target} qemu-kvm +%ifarch s390x + # Copy the built new images into place for "make check": + cp pc-bios/s390-ccw/s390-ccw.img pc-bios/s390-ccw/s390-netboot.img pc-bios/ +%endif + + gcc %{SOURCE6} $RPM_OPT_FLAGS $RPM_LD_FLAGS -o ksmctl %endif popd @@ -872,6 +871,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/skiboot.lid rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/qboot.rom rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/s390-ccw.img +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/s390-netboot.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/hppa-firmware.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/canyonlands.dtb rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/u-boot-sam460-20100605.bin @@ -894,10 +894,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_libexecdir}/virtfs-proxy-helper rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man1/virtfs-proxy-helper* %ifarch s390x - # Use the s390-ccw.img that we've just built, not the pre-built one + # Use the s390-*.img that we've just built, not the pre-built ones install -m 0644 pc-bios/s390-ccw/s390-ccw.img $RPM_BUILD_ROOT%{_datadir}/%{name}/ + install -m 0644 pc-bios/s390-ccw/s390-netboot.img $RPM_BUILD_ROOT%{_datadir}/%{name}/ %else - rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/s390-netboot.img rm -rf ${RPM_BUILD_ROOT}%{_libdir}/qemu-kvm/hw-s390x-virtio-gpu-ccw.so %endif @@ -962,13 +962,13 @@ rom_link() { rom_link ../sgabios/sgabios.bin sgabios.bin %endif -%if 0%{have_kvm_setup} +%if %{have_kvm_setup} install -D -p -m 755 %{SOURCE21} $RPM_BUILD_ROOT%{_prefix}/lib/systemd/kvm-setup install -D -p -m 644 %{SOURCE22} $RPM_BUILD_ROOT%{_unitdir}/kvm-setup.service install -D -p -m 644 %{SOURCE23} $RPM_BUILD_ROOT%{_presetdir}/85-kvm.preset %endif -%if 0%{have_memlock_limits} +%if %{have_memlock_limits} install -D -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT%{_sysconfdir}/security/limits.d/95-kvm-memlock.conf %endif @@ -1000,7 +1000,7 @@ popd %check pushd %{qemu_kvm_build} echo "Testing qemu-kvm-build" -export DIFF=diff; make check V=1 +make check V=1 popd %post -n qemu-kvm-common @@ -1050,7 +1050,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : # Deliberately empty %files -n qemu-kvm-docs -%defattr(-,root,root) %dir %{qemudocdir} %doc %{qemudocdir}/genindex.html %doc %{qemudocdir}/search.html @@ -1071,7 +1070,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %doc %{qemudocdir}/_static/* %files -n qemu-kvm-common -%defattr(-,root,root) %{_mandir}/man7/qemu-qmp-ref.7* %{_mandir}/man7/qemu-cpu-models.7* %{_bindir}/qemu-keymap @@ -1139,19 +1137,18 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_datadir}/%{name}/linuxboot_dma.bin %{_datadir}/%{name}/dump-guest-memory.py* %{_datadir}/%{name}/trace-events-all -%if 0%{have_kvm_setup} +%if %{have_kvm_setup} %{_prefix}/lib/systemd/kvm-setup %{_unitdir}/kvm-setup.service %{_presetdir}/85-kvm.preset %endif -%if 0%{have_memlock_limits} +%if %{have_memlock_limits} %{_sysconfdir}/security/limits.d/95-kvm-memlock.conf %endif %{_libexecdir}/virtiofsd %{_datadir}/%{name}/vhost-user/50-qemu-virtiofsd.json %files -n qemu-kvm-core -%defattr(-,root,root) %{_libexecdir}/qemu-kvm %{_datadir}/systemtap/tapset/qemu-kvm.stp %{_datadir}/systemtap/tapset/qemu-kvm-log.stp @@ -1171,7 +1168,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %endif %files -n qemu-img -%defattr(-,root,root) %{_bindir}/qemu-img %{_bindir}/qemu-io %{_bindir}/qemu-nbd @@ -1182,7 +1178,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man7/qemu-storage-daemon-qmp-ref.7* %files -n qemu-guest-agent -%defattr(-,root,root,-) %doc COPYING README.rst %{_bindir}/qemu-ga %{_mandir}/man8/qemu-ga.8* @@ -1210,7 +1205,7 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %files block-ssh %{_libdir}/qemu-kvm/block-ssh.so -%if 0%{have_opengl} +%if %{have_opengl} %files ui-opengl %{_libdir}/qemu-kvm/ui-egl-headless.so %{_libdir}/qemu-kvm/ui-opengl.so @@ -1218,6 +1213,24 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %endif %changelog +* Mon Jun 21 2021 Miroslav Rezanina - 6.0.0-6 +- kvm-yank-Unregister-function-when-using-TLS-migration.patch [bz#1972462] +- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1957194] +- kvm-redhat-Install-the-s390-netboot.img-that-we-ve-built.patch [bz#1957194] +- kvm-sockets-update-SOCKET_ADDRESS_TYPE_FD-listen-2-backl.patch [bz#1957194] +- kvm-target-i386-sev-add-support-to-query-the-attestation.patch [bz#1957194] +- kvm-spapr-Don-t-hijack-current_machine-boot_order.patch [bz#1957194] +- kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch [bz#1957194] +- kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch [bz#1957194] +- kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch [bz#1957194] +- Specfile cleanup [bz#1973029] +- Resolves: bz#1972462 + (QEMU core dump when doing TLS migration via TCP) +- Resolves: bz#1957194 + (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta) +- Resolves: bz#1973029 + (Spec file cleanups) + * Tue Jun 08 2021 Miroslav Rezanina - 6.0.0-5 - kvm-arm-virt-Register-highmem-and-gic-version-as-class-p.patch [bz#1952449] - kvm-hw-arm-virt-Add-8.5-and-9.0-machine-types-and-remove.patch [bz#1952449]