[libvirt] [perl PATCH] Only use perl-interpreter & perl-generators on Fedora / future RHEL
by Daniel P. Berrangé
These dependencies were newly introduced when perl core packaging was
changed in recentish Fedora, so aren't available on RHEL-7.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
perl-Sys-Virt.spec.PL | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/perl-Sys-Virt.spec.PL b/perl-Sys-Virt.spec.PL
index 451af27..660890e 100644
--- a/perl-Sys-Virt.spec.PL
+++ b/perl-Sys-Virt.spec.PL
@@ -40,9 +40,11 @@ BuildRequires: findutils
BuildRequires: gcc
BuildRequires: libvirt-devel >= %{version}
BuildRequires: make
-BuildRequires: perl-interpreter
BuildRequires: perl-devel
+%if 0%{?fedora} || 0%{?rhel} > 7
+BuildRequires: perl-interpreter
BuildRequires: perl-generators
+%endif
BuildRequires: perl(ExtUtils::CBuilder)
BuildRequires: perl(Module::Build)
BuildRequires: sed
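Review bot: the condition `%if 0%{?fedora} || 0%{?rhel} > 7` is true for every Fedora release, while the commit message says the packages only appeared in "recentish" Fedora, so a build on an older Fedora would still fail on the missing perl-interpreter / perl-generators; consider a lower bound on `%{?fedora}`, or a spec comment stating which Fedora releases are supported. The hunk also moves the existing `perl-generators` line inside the conditional, which is easy to miss in the diff, so a one-line comment above the `%if` saying why both are guarded would help.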
--
2.17.0
6 years, 4 months
[libvirt] [PATCH 00/13] PCI passthrough support on s390
by Xiao Feng Ren
The PCI representation in QEMU has recently been extended for S390
allowing configuration of zPCI attributes like uid (user-defined
identifier) and fid (PCI function identifier).
The details can be found here:
https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg07262.html
To support the new zPCI feature of the S390 platform, two new XML
attributes, @uid and @fid, are introduced for device addresses of type
'pci', i.e.:
  <hostdev mode='subsystem' type='pci'>
    <driver name='vfio'/>
    <source>
      <address domain='0x0001' bus='0x00' slot='0x00' function='0x0'/>
    </source>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'
             uid='0x0003' fid='0x00000027'/>
  </hostdev>
uid and fid are optional attributes. If they are defined by the user,
unique values within the guest domain must be used. If they are not
specified and the architecture requires them, they are automatically
generated with non-conflicting values.
Current implementation is the most seamless one for the user as it
unites the address specific data of a PCI device on one XML element.
It could accommodate both specifying our special parameters (uid and fid)
and re-using standard statements (domain, bus, slot and function) for
PCI devices. User can still specify bus/slot/function for the virtualized
PCI devices in the XML.
Thus uid/fid act as an extension to the PCI address and are stored in
a new structure 'virZPCIDeviceAddress' which is a member of common PCI
Address structure. Additionally, two hashtables are used for assignment
and reservation of uid/fid.
In support of extending the PCI address, a new PCI address extension flag is
introduced. This extension flag is not only dedicated to the S390
platform but also to other architectures needing certain extensions to PCI
address space.
Yi Min Zhao (13):
conf: Add definitions for 'uid' and 'fid' PCI address attributes
qemu: Introduce zPCI capability
conf: Introduce a new PCI address extension flag
qemu: Enable PCI multi bus for S390 guests
qemu: Auto add pci-root for s390/s390x guests
qemu: Generate and use zPCI device in QEMU command line
qemu: Add hotpluging support for PCI devices on S390 guests
conf: Introduce parser, formatter for uid and fid
conf: Introduce address caching for PCI extensions
conf: Allocate/release 'uid' and 'fid' in PCI address
tests: Add new tests for zPCI
docs: Add 'uid' and 'fid' information
news: Update news for PCI address extension attributes
docs/formatdomain.html.in | 9 +-
docs/news.xml | 11 +
docs/schemas/basictypes.rng | 28 ++
docs/schemas/domaincommon.rng | 1 +
src/conf/device_conf.c | 74 +++++
src/conf/device_conf.h | 1 +
src/conf/domain_addr.c | 346 +++++++++++++++++++++
src/conf/domain_addr.h | 29 ++
src/conf/domain_conf.c | 4 +
src/libvirt_private.syms | 4 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 104 +++++++
src/qemu/qemu_command.h | 4 +
src/qemu/qemu_domain.c | 1 +
src/qemu/qemu_domain_address.c | 183 ++++++++++-
src/qemu/qemu_hotplug.c | 175 ++++++++++-
src/util/virpci.h | 13 +
tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
tests/qemuxml2argvdata/disk-virtio-s390-zpci.args | 27 ++
tests/qemuxml2argvdata/disk-virtio-s390-zpci.xml | 17 +
.../hostdev-vfio-zpci-autogenerate.args | 24 ++
.../hostdev-vfio-zpci-autogenerate.xml | 18 ++
.../hostdev-vfio-zpci-boundaries.args | 27 ++
.../hostdev-vfio-zpci-boundaries.xml | 26 ++
.../hostdev-vfio-zpci-multidomain-many.args | 38 +++
.../hostdev-vfio-zpci-multidomain-many.xml | 67 ++++
tests/qemuxml2argvdata/hostdev-vfio-zpci.args | 24 ++
tests/qemuxml2argvdata/hostdev-vfio-zpci.xml | 19 ++
tests/qemuxml2argvtest.c | 21 ++
tests/qemuxml2xmloutdata/disk-virtio-s390-zpci.xml | 29 ++
tests/qemuxml2xmloutdata/hostdev-vfio-zpci.xml | 30 ++
tests/qemuxml2xmltest.c | 3 +
38 files changed, 1347 insertions(+), 22 deletions(-)
create mode 100644 tests/qemuxml2argvdata/disk-virtio-s390-zpci.args
create mode 100644 tests/qemuxml2argvdata/disk-virtio-s390-zpci.xml
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-autogenerate.args
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-autogenerate.xml
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-boundaries.args
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-boundaries.xml
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-multidomain-many.args
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci-multidomain-many.xml
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci.args
create mode 100644 tests/qemuxml2argvdata/hostdev-vfio-zpci.xml
create mode 100644 tests/qemuxml2xmloutdata/disk-virtio-s390-zpci.xml
create mode 100644 tests/qemuxml2xmloutdata/hostdev-vfio-zpci.xml
--
2.16.3
6 years, 4 months
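The uid/fid rule from the cover letter above (user-supplied values must be unique within the guest, missing ones are generated without conflicts), as an added Python sketch that is not code from the series. It assumes an s390 guest where the attributes are required; the value ranges, the lowest-free allocation policy, the function names and the sample XML are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed value ranges and hex widths (the cover letter only shows one example).
RANGES = {"uid": (0x0001, 0xFFFF), "fid": (0x00000000, 0xFFFFFFFF)}
WIDTH = {"uid": 4, "fid": 8}

# Constructed sample: explicit uid/fid, an address leaving both to be
# generated, and a second hostdev that reuses uid 0x0003 (a conflict).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <hostdev mode='subsystem' type='pci'>
      <source>
        <address domain='0x0001' bus='0x00' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'
               uid='0x0003' fid='0x00000027'/>
    </hostdev>
    <disk type='file' device='disk'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </disk>
    <hostdev mode='subsystem' type='pci'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'
               uid='0x0003'/>
    </hostdev>
  </devices>
</domain>
"""


def guest_pci_addresses(root):
    """Yield guest-side <address type='pci'> elements, skipping host <source> ones."""
    for dev in root.findall("./devices/*"):
        addr = dev.find("./address[@type='pci']")
        if addr is not None:
            yield addr


def assign_zpci_ids(domain_xml):
    """Return (root, errors): reserve explicit uid/fid first, then fill the gaps."""
    root = ET.fromstring(domain_xml)
    used = {"uid": set(), "fid": set()}   # one reservation set per attribute
    errors, pending = [], []

    # Pass 1: reserve what the user wrote; reject malformed, out-of-range, duplicate.
    for addr in guest_pci_addresses(root):
        for key in ("uid", "fid"):
            raw = addr.get(key)
            if raw is None:
                pending.append((addr, key))
                continue
            try:
                value = int(raw, 0)
            except ValueError:
                errors.append(f"{key} {raw} is not a number")
                continue
            lo, hi = RANGES[key]
            if not lo <= value <= hi:
                errors.append(f"{key} {raw} out of range")
            elif value in used[key]:
                errors.append(f"{key} {raw} already in use")
            else:
                used[key].add(value)
    if errors:
        return root, errors               # a conflicting definition is refused as a whole

    # Pass 2: generate the lowest free value for every omitted attribute.
    for addr, key in pending:
        value = RANGES[key][0]
        while value in used[key]:
            value += 1
        if value > RANGES[key][1]:
            errors.append(f"no free {key} left")
            continue
        used[key].add(value)
        addr.set(key, f"0x{value:0{WIDTH[key]}x}")
    return root, errors


def zpci_ids(root):
    """(slot, uid, fid) per guest PCI address, for inspection."""
    return [(a.get("slot"), a.get("uid"), a.get("fid")) for a in guest_pci_addresses(root)]


if __name__ == "__main__":
    tree, problems = assign_zpci_ids(SAMPLE_DOMAIN)
    print(problems or zpci_ids(tree))
```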
[libvirt] [PATCH 00/10] Some CAT cleanups
by Martin Kletzander
Just so we have something before more code gets in, this makes future changes
more straight-forward.
Martin Kletzander (10):
util: Rename resctrl to alloc if it is virResctrlAllocPtr
util: Fix typo in error message %ud -> %u
util: Introduce virFileFlock
util: Avoid needless preprocessor conditionals in virresctrl
util: Use virFileFlock() in virresctrl
util: Reorder parts of virresctrl
util: Initialize virResctrlInfo struct right away
Move virCacheKernel enum implemetation from conf/ to util/
util: Remove cbm_mask from virResctrlInfoPerType
Move host cache handling from conf/ to util/
src/conf/capabilities.c | 403 ++++++-------------
src/conf/capabilities.h | 21 +-
src/libvirt_private.syms | 8 +-
src/qemu/qemu_process.c | 26 +-
src/util/virfile.c | 40 ++
src/util/virfile.h | 2 +
src/util/virresctrl.c | 823 +++++++++++++++++++++++++-------------
src/util/virresctrl.h | 64 +--
src/util/virresctrlpriv.h | 6 +-
tests/virresctrltest.c | 18 +-
10 files changed, 763 insertions(+), 648 deletions(-)
--
2.17.1
6 years, 4 months
[libvirt] [PATCH v2] tests: qemuxml2argv: Make tests based on DO_TEST_CAPS_LATEST stable
by Peter Krempa
To avoid problems with test cases specifying an alias machine type which
would change once capabilities for a newer version are added, strip all
alias machine types for the DO_TEST_CAPS_LATEST based tests.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 17 +++++++++++++++++
src/qemu/qemu_capspriv.h | 3 +++
.../disk-virtio-scsi-reservations.x86_64-latest.args | 2 +-
tests/qemuxml2argvdata/genid-auto.x86_64-latest.args | 2 +-
tests/qemuxml2argvdata/genid.x86_64-latest.args | 2 +-
tests/qemuxml2argvtest.c | 8 +++++---
6 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index b8764eacd8..a4a89cedfd 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5156,3 +5156,20 @@ virQEMUCapsSetMicrocodeVersion(virQEMUCapsPtr qemuCaps,
{
qemuCaps->microcodeVersion = microcodeVersion;
}
+
+
+/**
+ * virQEMUCapsStripMachineAliases:
+ * @qemuCaps: capabilities object to process
+ *
+ * Remove all aliases so that the tests depending on the latest capabilities
+ * file can be stable when new files are added.
+ */
+void
+virQEMUCapsStripMachineAliases(virQEMUCapsPtr qemuCaps)
+{
+ size_t i;
+
+ for (i = 0; i < qemuCaps->nmachineTypes; i++)
+ VIR_FREE(qemuCaps->machineTypes[i].alias);
+}
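Review bot: virQEMUCapsStripMachineAliases() lands in the production qemu_capabilities.c, but its doc comment only hints that the test suite is the caller; say explicitly in the comment that it is a test-only helper (the prototype is in qemu_capspriv.h) so it is never called on capabilities used for a running domain. It would also help to note that after the call every machine type is matched by its canonical name only.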
diff --git a/src/qemu/qemu_capspriv.h b/src/qemu/qemu_capspriv.h
index fea039ef3a..021260de2f 100644
--- a/src/qemu/qemu_capspriv.h
+++ b/src/qemu/qemu_capspriv.h
@@ -97,4 +97,7 @@ virQEMUCapsProbeQMPCPUDefinitions(virQEMUCapsPtr qemuCaps,
void
virQEMUCapsSetMicrocodeVersion(virQEMUCapsPtr qemuCaps,
unsigned int microcodeVersion);
+
+void
+virQEMUCapsStripMachineAliases(virQEMUCapsPtr qemuCaps);
#endif
diff --git a/tests/qemuxml2argvdata/disk-virtio-scsi-reservations.x86_64-latest.args b/tests/qemuxml2argvdata/disk-virtio-scsi-reservations.x86_64-latest.args
index 768bc22f9f..927173fa03 100644
--- a/tests/qemuxml2argvdata/disk-virtio-scsi-reservations.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-virtio-scsi-reservations.x86_64-latest.args
@@ -13,7 +13,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
path=/tmp/lib/domain--1-QEMUGuest1/pr-helper0.sock \
-object pr-manager-helper,id=pr-helper-scsi0-0-0-1,\
path=/path/to/qemu-pr-helper.sock \
--machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \
+-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 214 \
-realtime mlock=off \
-smp 8,sockets=8,cores=1,threads=1 \
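Review bot: the expected `-machine` line now carries the bare alias `pc` instead of `pc-i440fx-2.12`, so the x86_64-latest tests no longer exercise alias-to-canonical resolution at all. That follows from the commit message, but it deserves a sentence there or next to DO_TEST_CAPS_LATEST so a reader of the .args files does not take `pc` in generated output for a regression; the same applies to the genid and genid-auto expectations.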
diff --git a/tests/qemuxml2argvdata/genid-auto.x86_64-latest.args b/tests/qemuxml2argvdata/genid-auto.x86_64-latest.args
index ce163020b9..7412651479 100644
--- a/tests/qemuxml2argvdata/genid-auto.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/genid-auto.x86_64-latest.args
@@ -9,7 +9,7 @@ QEMU_AUDIO_DRV=none \
-S \
-object secret,id=masterKey0,format=raw,\
file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
--machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \
+-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 214 \
-realtime mlock=off \
-smp 1,sockets=1,cores=1,threads=1 \
diff --git a/tests/qemuxml2argvdata/genid.x86_64-latest.args b/tests/qemuxml2argvdata/genid.x86_64-latest.args
index 54e00f4bdb..dbffa7e1d2 100644
--- a/tests/qemuxml2argvdata/genid.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/genid.x86_64-latest.args
@@ -9,7 +9,7 @@ QEMU_AUDIO_DRV=none \
-S \
-object secret,id=masterKey0,format=raw,\
file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
--machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \
+-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 214 \
-realtime mlock=off \
-smp 1,sockets=1,cores=1,threads=1 \
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 61c7ae59aa..693d623c17 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -695,7 +695,7 @@ mymain(void)
* version.
*/
# define DO_TEST_CAPS_INTERNAL(name, suffix, migrateFrom, flags, parseFlags, \
- arch, capsfile) \
+ arch, capsfile, stripmachinealiases) \
do { \
static struct testInfo info = { \
name, "." suffix, NULL, migrateFrom, migrateFrom ? 7 : -1,\
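Review bot: the new `stripmachinealiases` macro argument is not described in the comment block that ends just above DO_TEST_CAPS_INTERNAL (the `* version. */` context lines), and the callers pass a bare `false` / `true` that is opaque at the call site. Document the parameter in that comment and state why only the latest-caps variant strips aliases.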
@@ -705,6 +705,8 @@ mymain(void)
if (!(info.qemuCaps = qemuTestParseCapabilitiesArch(virArchFromString(arch), \
capsfile))) \
return EXIT_FAILURE; \
+ if (stripmachinealiases) \
+ virQEMUCapsStripMachineAliases(info.qemuCaps); \
if (virTestRun("QEMU XML-2-ARGV " name "." suffix, \
testCompareXMLToArgv, &info) < 0) \
ret = -1; \
@@ -716,7 +718,7 @@ mymain(void)
# define DO_TEST_CAPS_ARCH_VER_FULL(name, flags, parseFlags, arch, ver) \
DO_TEST_CAPS_INTERNAL(name, arch "-" ver, NULL, flags, parseFlags, \
- arch, TEST_CAPS_PATH ver "." arch ".xml")
+ arch, TEST_CAPS_PATH ver "." arch ".xml", false)
# define DO_TEST_CAPS_ARCH_VER(name, arch, ver) \
DO_TEST_CAPS_ARCH_VER_FULL(name, 0, 0, arch, ver)
@@ -726,7 +728,7 @@ mymain(void)
# define DO_TEST_CAPS_LATEST(name) \
DO_TEST_CAPS_INTERNAL(name, "x86_64-latest", NULL, 0, 0, "x86_64", \
- capslatest_x86_64)
+ capslatest_x86_64, true)
/**
* The following test macros should be used only in cases when the tests require
--
2.16.2
6 years, 4 months
[libvirt] [PATCH 00/10] qemu: Drop 'allow_disk_format_probing' config option
by Peter Krempa
An upstream discussion resulted in an agreement that this can be
finally deleted.
https://www.redhat.com/archives/libvir-list/2018-June/msg00079.html
This applies on top of my branch collecting all ACKed postings of
recent blockdev-related work. Current version can be fetched by:
git fetch git://pipo.sk/pipo/libvirt.git blockdev-staging
Peter Krempa (10):
tests: Drop tests enabling allowDiskFormatProbing
qemu: conf: Remove 'allow_disk_format_probing' config option
qemu: driver: Remove impossible code path in
qemuDomainSnapshotCreateInactiveExternal
security: Remove VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE
security: aa-helper: Remove the -p parameter
tests: virstoragetest: Add complementary test case for QED format
tests: storage: Absorb ALLOW_PROBE flag into the TEST_CHAIN macro
tests: storage: Drop format probing from tests
tests: storage: Drop duplicate tests with TEST_CHAIN
util: storage: remove 'allow_probe' from virStorageFileGetMetadata
src/qemu/qemu.conf | 12 ---
src/qemu/qemu_conf.c | 8 +-
src/qemu/qemu_conf.h | 1 -
src/qemu/qemu_domain.c | 56 +++--------
src/qemu/qemu_driver.c | 26 +----
src/qemu/test_libvirtd_qemu.aug.in | 1 -
src/security/security_apparmor.c | 6 +-
src/security/security_manager.c | 7 --
src/security/security_manager.h | 5 +-
src/security/virt-aa-helper.c | 15 +--
src/util/virstoragefile.c | 18 ++--
src/util/virstoragefile.h | 1 -
.../qemuxml2argvdata/disk-many-format-probing.args | 32 ------
.../qemuxml2argvdata/disk-many-format-probing.xml | 48 ---------
tests/qemuxml2argvtest.c | 6 --
.../disk-many-format-probing.xml | 52 ----------
tests/qemuxml2xmltest.c | 6 --
tests/virstoragetest.c | 109 ++++++---------------
18 files changed, 70 insertions(+), 339 deletions(-)
delete mode 100644 tests/qemuxml2argvdata/disk-many-format-probing.args
delete mode 100644 tests/qemuxml2argvdata/disk-many-format-probing.xml
delete mode 100644 tests/qemuxml2xmloutdata/disk-many-format-probing.xml
--
2.16.2
6 years, 4 months
[libvirt] [PATCH] Add Virtlyst web application to apps.html
by Daniel Nicoletti
Signed-off-by: Daniel Nicoletti <dantti12(a)gmail.com>
---
docs/apps.html.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/docs/apps.html.in b/docs/apps.html.in
index 863be4ff23..9b67fd5399 100644
--- a/docs/apps.html.in
+++ b/docs/apps.html.in
@@ -466,6 +466,21 @@
minutes. The only requirements for the users are a Web browser and
a lightweight remote viewer.
</dd>
+ <dt><a href="https://github.com/cutelyst/Virtlyst">Virtlyst</a></dt>
+ <dd>
+ Virtlyst is an open source web application built with C++11, Cutelyst and Qt.
+ It features:
+ <ul>
+ <li>Low memory usage (around 5 MiB of RAM)</li>
+ <li>Look and feel easily customized with HTML templates that use the Django syntax</li>
+ <li>VNC/Spice console directly in the browser using websockets on the same HTTP port</li>
+ <li>Host and Domain statistics graphs (CPU, Memory, IO, Network)</li>
+ <li>Connect to multiple libvirtd instances (over local Unix domain socket, SSH, TCP and TLS)</li>
+ <li>Manage Storage Pools, Storage Volumes, Networks, Interfaces, and Secrets</li>
+ <li>Create and launch VMs</li>
+ <li>Configure VMs with easy panels or go pro and edit the VM's XML</li>
+ </ul>
+ </dd>
</dl>
<h2><a id="mobile">Mobile applications</a></h2>
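Review bot: several of the added `<li>` lines (for example the "Connect to multiple libvirtd instances ..." item) run well past 80 columns, and the entry is worded more like product marketing ("go pro and edit the VM's XML", "around 5 MiB of RAM") than the neutral description visible at the end of the preceding entry. Wrap the lines and trim the list to a short factual description that will not go stale.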
--
2.17.0
6 years, 4 months
[libvirt] [PATCH] nwfilter: fix build error when pcap-config is not present
by Brijesh Singh
The compilation fails with the following error when pcap-config
is not present on the host:
nwfilter/nwfilter_learnipaddr.c:824:1: error: conflicting types for 'virNWFilterLearnIPAddress'
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
In file included from nwfilter/nwfilter_learnipaddr.c:57:0:
nwfilter/nwfilter_learnipaddr.h:38:5: note: previous declaration of 'virNWFilterLearnIPAddress' was here
int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
Signed-off-by: Brijesh Singh <brijesh.singh(a)amd.com>
---
src/nwfilter/nwfilter_learnipaddr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
index 52adc37..ce58f66 100644
--- a/src/nwfilter/nwfilter_learnipaddr.c
+++ b/src/nwfilter/nwfilter_learnipaddr.c
@@ -829,7 +829,7 @@ virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
const char *filtername ATTRIBUTE_UNUSED,
virHashTablePtr filterparams ATTRIBUTE_UNUSED,
virNWFilterDriverStatePtr driver ATTRIBUTE_UNUSED,
- enum howDetect howDetect ATTRIBUTE_UNUSED)
+ int howDetect ATTRIBUTE_UNUSED)
{
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("IP parameter must be given since libvirt "
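Review bot: the commit message quotes the conflicting-types error but never says which parameter mismatches or why it only shows up without pcap-config; at `int howDetect ATTRIBUTE_UNUSED` please state that the prototype in nwfilter_learnipaddr.h takes an int here and that this stub is the variant built when pcap is unavailable. Referencing the commit that changed the prototype would also make the fix easier to backport.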
--
2.7.4
6 years, 4 months
[libvirt] [PATCH v8 0/9] x86: Secure Encrypted Virtualization (AMD)
by Brijesh Singh
This patch series provides support for launching an encrypted guest using
AMD's new Secure Encrypted Virtualization (SEV) feature.
SEV is an extension to the AMD-V architecture which supports running
multiple VMs under the control of a hypervisor. When enabled, the SEV feature
allows the memory contents of a virtual machine (VM) to be transparently
encrypted with a key unique to the guest VM.
At a very high level the flow looks like this:
1. mgmt tool calls virConnectGetDomainCapabilities. This returns an XML document
   that includes the following
     <feature>
       ...
       <sev supported='yes'>
         <cbitpos> </cbitpos>
         <reduced-phys-bits> </reduced-phys-bits>
       </sev>
     </feature>
   If <sev> is provided then we indicate that the hypervisor is capable of launching
   an SEV guest. mgmt tool can call virNodeGetSEVCapabilities() to get additional
   information like the PDH and certificate chain etc.
2. (optional) mgmt tool can provide the PDH and Cert-chain to the guest owner in case
   the guest owner wishes to establish a secure connection with the SEV firmware to
   negotiate a key used for validating the measurement.
3. mgmt tool requests to start a guest calling virCreateXML(), passing
   VIR_DOMAIN_START_PAUSED. The xml would include
     <launch-security type='sev'>
       <cbitpos>47</cbitpos>
       <reduced-phys-bits>1</reduced-phys-bits>
       <policy>0x1</policy>
       (optional)
       <dh-cert> </dh-cert> /* Guest owner's Diffie-Hellman key */
       <session> </session> /* Guest owner's Session blob */
     </launch-security>
4. Libvirt generates the QEMU cli args to enable the SEV feature; typical
   args look like this:
     # $QEMU ..
       -machine memory-encryption=sev0 \
       -object sev-guest,id=sev0,dh-cert-file=<file>....
5. Libvirt generates lifecycle VIR_DOMAIN_EVENT_SUSPENDED_PAUSED event
6. mgmt tool gets the VIR_DOMAIN_EVENT_SUSPENDED_PAUSED and calls
   virDomainGetLaunchSecretInfo() to retrieve the measurement of encrypted memory.
7. (optional) mgmt tool can provide the measurement value to the guest owner, who can
   validate the measurement and give a GO/NO-GO answer. If mgmt tool gets GO then
   it resumes the guest, otherwise it calls destroy() to kill the guest.
8. mgmt tool resumes the guest
TODO:
* SEV guests are required to use the DMA APIs for the virtio devices. In order to use the DMA
  APIs the virtio devices must have this tag
    <driver iommu=on ats=on>
  It is a bit unclear to me where these changes need to go. Do we need to
  modify libvirt to automatically add these when SEV is enabled, or
  do we ask the mgmt tool to make sure that it creates XML with the right tag to enable
  the DMA APIs for virtio devices? I am looking for some suggestions.
Using these patches we have successfully booted and tested a guest both with and
without SEV enabled.
without SEV enabled.
SEV Firmware API spec is available at:
https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf
Change since v7:
* rename virNodeSEVCapability() -> virNodeSEVInfo()
* rebase the series
Changes since v6:
* add API to get SEV PDH and Certificate chain data
* drop virsh command changes. We can revisit this later when we have
more visibility on setter.
Change since v5:
* drop the separate test patch and merge the code with other patches.
* rename the xml from sev -> launch-security-sev
* make policy field mandatory
* address multiple feedback from previous reviews.
Changes since v4:
* add /dev/sev in shared device list
Changes since v3:
* rename QEMU_CAPS_SEV -> QEMU_CAPS_SEV_GUEST
* update caps_2.12.0.x86_64.replies to include query-sev-capabilities data
Changes since v2:
* make cbitpos, policy and reduced-phys-bits as unsigned int
* update virDomainGetLaunchSecurityInfo to accept virTypedParameterPtr *params
instead of virTypedParameterPtr params.
Changes since v1:
* rename <sev> -> <launch-security> for domain
* add more information about policy and other fields in domaincaps.html
* split the domain_conf support in two patches
* add virDomainGetLaunchInfo() to retrieve the SEV measurement
* extend virsh command to show the domain's launch security information
* add test cases to validate newly added <launch-security> element
* fix issues reported with 'make check' and 'make syntax-check'
The complete git tree is available at:
https://github.com/codomania/libvirt/tree/v8
Brijesh Singh (11):
qemu: provide support to query the SEV capability
conf: expose SEV feature in domain capabilities
libvirt: add new public API to get SEV Info
remote: implement the remote protocol for virNodeSEVInfo()
qemu: Add support to get the SEV info
conf: introduce launch-security element in domain
qemu/cgroup: add /dev/sev in shared devices list
qemu: add support to launch SEV guest
libvirt: add new public API to get launch security info
remote: implement the remote protocol for launch security
qemu: Add support to launch security info
docs/drvqemu.html.in | 1 +
docs/formatdomain.html.in | 115 +++++++++++++++
docs/formatdomaincaps.html.in | 30 ++++
docs/schemas/domaincaps.rng | 14 ++
docs/schemas/domaincommon.rng | 37 +++++
include/libvirt/libvirt-domain.h | 17 +++
include/libvirt/libvirt-host.h | 42 ++++++
src/conf/domain_capabilities.c | 31 +++-
src/conf/domain_capabilities.h | 17 +++
src/conf/domain_conf.c | 133 +++++++++++++++++
src/conf/domain_conf.h | 27 ++++
src/driver-hypervisor.h | 14 ++
src/libvirt-domain.c | 48 +++++++
src/libvirt-host.c | 47 ++++++
src/libvirt_private.syms | 2 +-
src/libvirt_public.syms | 2 +
src/qemu/qemu.conf | 2 +-
src/qemu/qemu_capabilities.c | 90 +++++++++++-
src/qemu/qemu_capabilities.h | 4 +
src/qemu/qemu_capspriv.h | 4 +
src/qemu/qemu_cgroup.c | 2 +-
src/qemu/qemu_command.c | 41 ++++++
src/qemu/qemu_driver.c | 160 +++++++++++++++++++++
src/qemu/qemu_monitor.c | 18 +++
src/qemu/qemu_monitor.h | 6 +
src/qemu/qemu_monitor_json.c | 121 ++++++++++++++++
src/qemu/qemu_monitor_json.h | 5 +
src/qemu/qemu_process.c | 62 ++++++++
src/qemu/test_libvirtd_qemu.aug.in | 1 +
src/remote/remote_daemon_dispatch.c | 91 ++++++++++++
src/remote/remote_driver.c | 80 +++++++++++
src/remote/remote_protocol.x | 39 ++++-
src/remote_protocol-structs | 24 ++++
tests/genericxml2xmlindata/launch-security-sev.xml | 24 ++++
tests/genericxml2xmltest.c | 2 +
.../caps_2.12.0.x86_64.replies | 10 ++
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 3 +-
tests/qemuxml2argvdata/launch-security-sev.args | 29 ++++
tests/qemuxml2argvdata/launch-security-sev.xml | 37 +++++
tests/qemuxml2argvtest.c | 4 +
40 files changed, 1429 insertions(+), 7 deletions(-)
create mode 100644 tests/genericxml2xmlindata/launch-security-sev.xml
create mode 100644 tests/qemuxml2argvdata/launch-security-sev.args
create mode 100644 tests/qemuxml2argvdata/launch-security-sev.xml
--
2.7.4
6 years, 4 months
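Step 7 of the flow in the message above, seen from the guest owner's side, as an added Python sketch that is not part of this series: it recomputes the launch measurement and returns the GO/NO-GO answer. The measurement layout (HMAC-SHA256 over 0x04, API major/minor, build, policy, launch digest and nonce, keyed with the transport integrity key) follows the LAUNCH_MEASURE description in the SEV API specification linked in the message; the base64 "measurement followed by nonce" encoding handed over by the mgmt tool, the assumption that only the firmware image was measured, the function names and every sample value are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def expected_measurement(tik, api_major, api_minor, build_id, policy,
                         launch_digest, mnonce):
    """HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD || POLICY || LD || MNONCE; TIK)."""
    if len(launch_digest) != 32 or len(mnonce) != 16:
        raise ValueError("launch digest must be 32 bytes and nonce 16 bytes")
    # Three single-byte version fields, then the 32-bit policy, little-endian.
    msg = struct.pack("<BBBBI", 0x04, api_major, api_minor, build_id, policy)
    msg += launch_digest + mnonce
    return hmac.new(tik, msg, hashlib.sha256).digest()


def validate_launch(measurement_b64, tik, api_major, api_minor, build_id,
                    policy, firmware_image):
    """Return True (GO: resume the guest) or False (NO-GO: destroy it)."""
    try:
        blob = base64.b64decode(measurement_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if len(blob) != 48:                    # 32-byte measurement + 16-byte nonce
        return False
    reported, mnonce = blob[:32], blob[32:]
    # The owner hashes the image it expects to be running, not what the host claims.
    launch_digest = hashlib.sha256(firmware_image).digest()
    wanted = expected_measurement(tik, api_major, api_minor, build_id,
                                  policy, launch_digest, mnonce)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(reported, wanted)


# --- Constructed sample data: no real keys, firmware or platform values ---
SAMPLE_TIK = bytes(range(16))              # stand-in transport integrity key
SAMPLE_FIRMWARE = b"constructed guest firmware image"
SAMPLE_POLICY = 0x1                        # <policy>0x1</policy> from step 3
SAMPLE_API = (0, 17, 11)                   # assumed API major, minor, build


def sample_platform_report(firmware_image, policy=SAMPLE_POLICY):
    """Stand-in for the value the mgmt tool would retrieve in step 6."""
    mnonce = bytes(16)                     # constructed nonce
    digest = hashlib.sha256(firmware_image).digest()
    mac = expected_measurement(SAMPLE_TIK, *SAMPLE_API, policy, digest, mnonce)
    return base64.b64encode(mac + mnonce).decode()


if __name__ == "__main__":
    for label, image in (("expected image", SAMPLE_FIRMWARE),
                         ("modified image", SAMPLE_FIRMWARE + b"!")):
        report = sample_platform_report(image)
        ok = validate_launch(report, SAMPLE_TIK, *SAMPLE_API,
                             SAMPLE_POLICY, SAMPLE_FIRMWARE)
        print(label, "->", "GO" if ok else "NO-GO")
```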
[libvirt] [PATCH v9 00/17] Add support for TPM emulator
by Stefan Berger
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows attaching a
TPM 1.2 or 2.0 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process gets. Besides that swtpm is added to the emulator cgroup to
restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2.0 and back to a
TPM 1.2. The device state is not removed during those changes but only
when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am
using the uuid of the VM as part of the path since the name of the VM
can be changed. Logfiles, PID files, and socket names are based on the
name of the VM, though.
Stefan
v8->v9:
- changed TPM 2 to 2.0 and version='2' in XML to version='2.0'
- squashed v8 15/18 patch into v9 10/17.
- Followed Ján Tomko's suggestions
- updated AppArmor related patch
v7->v8:
- Delaying this series for 4.5; adjusted references to 4.4
- Fixed a test case since version='1.2' is now formatted as well
- Appended patches for AppArmor and auditing
- Appended patches that improve / fix existing code
- patch for validating the TPM configuration rather than overwriting it;
a particular case is the CRB interface does not work with a TPM 1.2
- swtpm_setup can be run for a TPM 2 in unprivileged mode as well
v6->v7:
- followed Jan Tomko's suggestion with resulting changes to patch
10/12.
- re-added missing parts related to swtpm_setup and TPM that got lost
in v4
v5->v6:
- Addressed John Ferlan's comments
- rebased on latest tip
- Added patch 12.
v4->v5:
- Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
- rebased on latest tip
v3->v4:
- Addressed John Ferlan's comments
- Fixed bugs I found while testing
- rebased on latest tip
Stefan Berger (17):
conf: Add support for external swtpm TPM emulator to domain XML
qemu: Extend QEMU capabilities with 'tpm-emulator'
util: Implement virFileChownFiles()
security: Add DAC and SELinux security for tpm-emulator
qemu: Extend qemu_conf with tpm-emulator support
qemu: Extend QEMU with external TPM support
qemu: Add support for external swtpm TPM emulator
tests: Add test cases for external swtpm TPM emulator
security: Label the external swtpm with SELinux labels
conf: Add support for choosing emulation of a TPM 2.0
qemu: Add swtpm to emulator cgroup
news: Update news with new TPM emulator feature
security: Add swtpm paths to the domain's AppArmor profile
qemu: Run swtpm_setup in unprivileged mode for a TPM 2.0
conf: Audit TPM emulator device at domain startup
conf: Use resrc=tpm in case of TPM passthrough following docs
conf: Use virDomainChrSourceDefClear() rather than VIR_FREE()
docs/auditlog.html.in | 2 +-
docs/formatdomain.html.in | 47 +-
docs/news.xml | 13 +
docs/schemas/domaincommon.rng | 17 +
examples/apparmor/libvirt-qemu | 3 +
libvirt.spec.in | 2 +
src/conf/domain_audit.c | 20 +-
src/conf/domain_conf.c | 56 +-
src/conf/domain_conf.h | 16 +
src/libvirt_private.syms | 3 +
src/qemu/Makefile.inc.am | 10 +
src/qemu/libvirtd_qemu.aug | 5 +
src/qemu/qemu.conf | 8 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_cgroup.c | 36 +
src/qemu/qemu_cgroup.h | 2 +
src/qemu/qemu_command.c | 34 +-
src/qemu/qemu_conf.c | 43 +
src/qemu/qemu_conf.h | 6 +
src/qemu/qemu_domain.c | 36 +-
src/qemu/qemu_extdevice.c | 180 ++++
src/qemu/qemu_extdevice.h | 59 ++
src/qemu/qemu_process.c | 16 +
src/qemu/qemu_security.c | 69 ++
src/qemu/qemu_security.h | 11 +
src/qemu/qemu_tpm.c | 925 +++++++++++++++++++++
src/qemu/qemu_tpm.h | 56 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
src/security/security_dac.c | 7 +
src/security/security_driver.h | 7 +
src/security/security_manager.c | 36 +
src/security/security_manager.h | 6 +
src/security/security_selinux.c | 172 ++++
src/security/security_stack.c | 40 +
src/security/virt-aa-helper.c | 45 +
src/util/virfile.c | 55 ++
src/util/virfile.h | 3 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
.../tpm-emulator-tpm2.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 +
.../tpm-emulator.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator.xml | 30 +
tests/qemuxml2argvtest.c | 16 +-
tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 +
tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 +
tests/qemuxml2xmltest.c | 1 +
51 files changed, 2251 insertions(+), 19 deletions(-)
create mode 100644 src/qemu/qemu_extdevice.c
create mode 100644 src/qemu/qemu_extdevice.h
create mode 100644 src/qemu/qemu_tpm.c
create mode 100644 src/qemu/qemu_tpm.h
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
--
2.14.3
6 years, 4 months
[libvirt] [PATCH 0/4] travis: Various cleanups
by Andrea Bolognani
Just getting rid of some useless stuff and making the whole
thing simpler and more consistent.
Andrea Bolognani (4):
travis: Skip macOS upgrade
travis: Don't duplicate Docker invocation
travis: Introduce MACOS_CMD
travis: Rename DOCKER_CMD to LINUX_CMD
.travis.yml | 65 ++++++++++++++++++++++++-----------------------------
1 file changed, 29 insertions(+), 36 deletions(-)
--
2.17.1
6 years, 4 months