December 2020 - Devel - libvirt List Archives

Release of libvirt-6.5.0
by Daniel Veillard 04 Jan '21

04 Jan '21

Half a day late, but I pushed the 6.5.0 release out, it is as usual available as a signed tarball and source rpms from the server: https://libvirt.org/sources/ I also tagged and pushed the 6.5.0 python bindings that one can find at https://libvirt.org/sources/python/ This release includes a number of new features and some improvement, as well as a crash which had made its way in 6.4.0. It will also be my last release of libvirt after close to 15 years, so expect new releases to be signed by Jiri Denemark from now on. * New Features: - Allow firmware blobs configuration QEMU offers a way to tweak how firmware configures itself and/or provide new configuration blobs. New ``<sysinfo/>`` type is introduced that will hold these new blobs. It's possible to either specify new value as a string or provide a filename which contents then serve as the value. - nodedev: Add ability to create mediated devices Mediated devices can now be created with ``virNodeDeviceCreateXML()``. This functionality requires the ``mdevctl`` utility to be installed. The XML schema for node devices was expanded to support attributes for mediated devices. - QEMU: add TPM Proxy device support libvirt can now create guests using a new device type called "TPM Proxy". The TPM Proxy connects to a TPM Resource Manager present in the host, enabling the guest to run in secure virtual machine mode with the help of an Ultravisor. Adding a TPM Proxy to a pSeries guest brings no security benefits unless the guest is running on a PPC64 host that has Ultravisor and TPM Resource Manager support. Only one TPM Proxy is allowed per guest. A guest using a TPM Proxy device can instantiate another TPM device at the same time. This device is supported only for pSeries guests via the new 'spapr-tpm-proxy' model of the TPM 'passthrough' backend. - virhook: Support hooks placed in several files Running all scripts from directory /etc/libvirt/hooks/<driver>.d in alphabetical order. Hook script in old place will be executed as first for backward compatibility. - qemu: Add support for migratable host-passthrough CPU QEMU 2.12 made it possible for guests to use a migration-friendly version of the host-passthrough CPU. This feature is now exposed by libvirt. * Improvements: - network: Support NAT with IPv6 It's now possible to use ``<nat ipv6="yes"/>`` in a libvirt network. - qemu: Auto-fill NUMA information for incomplete topologies If the NUMA topology is not fully described in the guest XML, libvirt will complete it by putting all unspecified CPUs in the first NUMA node. This is only done in the QEMU binary itself supports disjointed CPU ranges for NUMA nodes. - qemu: Assign hostdev-backed interfaces to PCIe slots All SR-IOV capable devices are PCIe, so when their VFs are assigned to guests they should end up in PCIe slots rather than conventional PCI ones. * Bug fixes: - qemu: fixed crash in ``qemuDomainBlockCommit`` This release fixes a regression which was introduced in libvirt v6.4.0 where libvirtd always crashes when a block commit of a disk is requested. - qemu: fixed zPCI address auto generation on s390 Removes the correlation between the zPCI address attributes uid and fid. Fixes the validation and autogeneration of zPCI address attributes. - qemu: Skip pre-creation of NVMe disks during migration libvirt has no way to create NVMe devices on the target host, so it now just makes sure they exist and let the migration proceed in that case. Thanks everybody for the help on putting this release out, and the gazillion ones before :-) Enjoy and stay safe ! Daniel -- Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/ veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | virtualization library http://libvirt.org/

5 6

live migration is not using secondary interface
by Olaf Hering 04 Jan '21

04 Jan '21

A naive 'virsh migrate --live domU xen+tcp://cross-over-ip' uses the ordinary uplink instead of the requested IP address. According to the documentation an additional option has to be specified to really use the other network interface. However, neither 'tcp://cross-over-ip' nor 'xenmigr:cross-over-ip/' works, the migration does not start. 'xenmigr' was removed with 1dac5fbbbb06a0341e8087dc33af75c8352d77a4 and 7ed598438687feaddaf0a653d7cbb8a1c1ad4933, but the docs were not updated. This leaves 'tcp://ip'. What change needs to be done in the driver to support a secondary interface? Olaf

3 4

[RFC PATCH 0/3] Fix "virsh domfsinfo" on s390x (again)
by Thomas Huth 04 Jan '21

04 Jan '21

My previous attempts to fix "virsh domfsinfo" on s390x were unfortunately wrong due to some misunderstandings on my side. To correctly list the "Target" device in the output of "virsh domfsinfo", we need to search through the available devices using their CCW address on s390x. For this the QEMU guest agent will be enhanced to also send the CCW address of devices in the guest (see the following URL for details: https://lore.kernel.org/qemu-devel/20201125105417.380317-1-thuth@redhat.com/ ... but it has just been posted and will take some time to get merged, since QEMU is still in hard freeze, that's why I've labed this libvirt series here as RFC only). Using this CCW address, we then can look up the correct target devices on the libvirt side, too. See also https://bugzilla.redhat.com/show_bug.cgi?id=1858771 for some more information. Thomas Huth (3): qemu: agent: Store CCW address in qemuAgentDiskInfo if provided by the guest domain_conf: Allow to look up virtio-block devices by their CCW address domain_conf: Allow to look up scsi disks when controller uses a CCW address src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++++++++- src/conf/domain_conf.h | 4 ++++ src/qemu/qemu_agent.c | 11 +++++++++++ src/qemu/qemu_agent.h | 2 ++ src/qemu/qemu_driver.c | 8 +++++--- 5 files changed, 54 insertions(+), 4 deletions(-) -- 2.18.4

3 12

[PATCH] virt-aa-helper: disallow graphics socket read permissions
by Simon Arlott 02 Jan '21

02 Jan '21

The VM does not need read permission for its own sockets to create(), bind(), accept() connections or to recv(), send(), etc. on connections. This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665 (virt-aa-helper: disallow VNC socket read permissions), but then b6465e1aa49397367a9cd0f27110b9c2280a7385 (graphics: introduce new listen type 'socket') and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2 (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it. Unless the read permission is omitted, VMs can connect to each other's VNC/graphics sockets. Signed-off-by: Simon Arlott <libvirt(a)octiron.net> --- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6e6dd1b1db..fddbdafc41 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1053,7 +1053,7 @@ get_files(vahControl * ctl) if (listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET && listenObj.socket && - vah_add_file(&buf, listenObj.socket, "rw")) + vah_add_file(&buf, listenObj.socket, "w")) goto cleanup; } } -- 2.17.1 -- Simon Arlott

3 6

[PATCH] Deprecate pmem=on with non-DAX capable backend file
by Igor Mammedov 29 Dec '20

29 Dec '20

It is not safe to pretend that emulated NVDIMM supports persistence while backend actually failed to enable it and used non-persistent mapping as fall back. Instead of falling-back, QEMU should be more strict and error out with clear message that it's not supported. So if user asks for persistence (pmem=on), they should store backing file on NVDIMM. Signed-off-by: Igor Mammedov <imammedo(a)redhat.com> --- docs/system/deprecated.rst | 14 ++++++++++++++ util/mmap-alloc.c | 3 +++ 2 files changed, 17 insertions(+) diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst index bacd76d7a5..ba4f6ed2fe 100644 --- a/docs/system/deprecated.rst +++ b/docs/system/deprecated.rst @@ -327,6 +327,20 @@ The Raspberry Pi machines come in various models (A, A+, B, B+). To be able to distinguish which model QEMU is implementing, the ``raspi2`` and ``raspi3`` machines have been renamed ``raspi2b`` and ``raspi3b``. +Backend options +--------------- + +Using non-persistent backing file with pmem=on (since 6.0) +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +This option is used when ``memory-backend-file`` is consumed by emulated NVDIMM +device. However enabling ``memory-backend-file.pmem`` option, when backing file +is not DAX capable or not on a filesystem that support direct mapping of persistent +memory, is not safe and may lead to data loss or corruption in case of host crash. +Using pmem=on option with such file will return error, instead of a warning. +Options are to move backing file to NVDIMM storage or modify VM configuration +to set ``pmem=off`` to continue using fake NVDIMM without persistence guaranties. + Device options -------------- diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c index 27dcccd8ec..d226273a98 100644 --- a/util/mmap-alloc.c +++ b/util/mmap-alloc.c @@ -20,6 +20,7 @@ #include "qemu/osdep.h" #include "qemu/mmap-alloc.h" #include "qemu/host-utils.h" +#include "qemu/error-report.h" #define HUGETLBFS_MAGIC 0x958458f6 @@ -166,6 +167,8 @@ void *qemu_ram_mmap(int fd, "crash.\n", file_name); g_free(proc_link); g_free(file_name); + warn_report("Deprecated using non DAX backing file with" + " pmem=on option"); } /* * if map failed with MAP_SHARED_VALIDATE | MAP_SYNC, -- 2.27.0

2 2

RFC PATCH: Issue 90 (Test Clarification)
by Ryan Gahagan 29 Dec '20

29 Dec '20

We addressed the feedback from our previous RFC patch for the most part. Under src/util/virstoragefile.c, we left a cast to an integer pointer that Peter mentioned because we were unable to provide a better solution. We've written some tests for our code but our testing environment is not working locally (meson doesn't even recognize the project as a meson build project) and so we can't regenerate output or test our tests. It's probably bad practice but the only solution we could think of that would allow us to check our tests was just to email you what we've got. Sorry if it's not up to standard, but please let us know if there's a better way to do it or if you spot any problems in these tests. Under tests/qemuxml2xmltest.c: DO_TEST_CAPS_LATEST("disk-network-nfs"); The same line would be in tests/qemuxml2argvtest.c We created the file tests/qemuxml2argvdata/disk-network-nfs.xml: <domain type='qemu'> <name>QEMUGuest1</name> <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219136</memory> <currentMemory unit='KiB'>219136</currentMemory> <vcpu placement='static'>1</vcpu> <os> <type arch='i686' machine='pc'>hvm</type> <boot dev='hd'/> </os> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source protocol='nfs' name='/foo/bar/baz'> <host name='example.com' port='2049'/> <nfs user='nfs-user' group='nfs-group'/> </source> <target dev='vda' bus='virtio'/> <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </disk> <controller type='usb' index='0'/> <controller type='pci' index='0' model='pci-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <memballoon model='none'/> </devices> </domain> We have under tests/qemublocktest.c: TEST_JSON_FORMAT_NET(“<source protocol=’nfs’ name=’/foo/bar/baz’>\n” “ <host name=’example.com’ port=’2049’/>\n” “ <nfs user=’USER’ group=’GROUP’/>\n” "</source>\n”); and TEST_IMAGE_CREATE(“network-nfs-qcow2”, NULL); And finally under tests/virstoragetest.c: TEST_BACKING_PARSE(“json:{\”file\”:{\”driver\”:\”nfs\”,” “\”user\”:\”USER\”,” “\”group\”:\”GROUP\”,” “\”server\”: { \”host\”:\”example.com\”,” “\”port\”:\”2049\”” ”}” “}” “}”, “<source protocol=’nfs’ name=’/foo/bar/baz’>\n” “ <host name=’example.com’ port=’2049’/>\n” “ <nfs user=’USER’ group=’GROUP’/>\n” “</source>\n”); Again, sorry if this looks awful. Please let us know if there's a more practical way to do this because submitting a commit with these tests would guarantee that the tests fail and the commit wouldn't be mergeable due to our environment issues, or if you see anything wrong with these tests.

3 18

Re: [RFC PATCH] conf: Add support for keeping TPM emulator state
by Stefan Berger 27 Dec '20

27 Dec '20

On 12/22/20 7:12 PM, Eiichi Tsukata wrote: > Currently, swtpm TPM state file is removed when the transient domain is > powered off or the domain is undefined. When we store TPM state on a > shared storage such as NFS and use transient domain, TPM states should > be kept as it is. > > Add per-TPM emulator option `persistent_sate` for keeping TPM state. > This option only works for the emulator type backend and looks as follows: > > <tpm model='tpm-tis'> > <backend type='emulator' persistent_state='yes'/> > </tpm> > > Signed-off-by: Eiichi Tsukata <eiichi.tsukata(a)nutanix.com> > --- > docs/formatdomain.rst | 7 ++++ > docs/schemas/domaincommon.rng | 12 ++++++ > src/conf/domain_conf.c | 21 ++++++++++ > src/conf/domain_conf.h | 1 + > src/qemu/qemu_tpm.c | 3 +- > ...pm-emulator-tpm2-pstate.x86_64-latest.args | 38 +++++++++++++++++++ > .../tpm-emulator-tpm2-pstate.xml | 30 +++++++++++++++ > tests/qemuxml2argvtest.c | 1 + > ...tpm-emulator-tpm2-pstate.x86_64-latest.xml | 37 ++++++++++++++++++ > tests/qemuxml2xmltest.c | 1 + > 10 files changed, 150 insertions(+), 1 deletion(-) > create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args > create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml > create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml > > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst > index 512939679b..9e5f6340fb 100644 > --- a/docs/formatdomain.rst > +++ b/docs/formatdomain.rst > @@ -6986,6 +6986,13 @@ Example: usage of the TPM Emulator > - '1.2' : creates a TPM 1.2 > - '2.0' : creates a TPM 2.0 > > +``persistent_state`` > + The ``persistent_state`` attribute indicates whether 'swtpm' TPM state is > + kept or not when the transient domain is powered off or undefined. This Nit: the transient domain -> a transient domain > + option can be used for storing TPM state on shared storage. By default the Nit: storing -> preserving But this is not only related to shared storage, is it? Can we remove 'on shared storage'? > + value is ``no``. This attribute only works with the ``emulator`` backend. > + The accepted values are ``yes`` and ``no``. > + > ``encryption`` > The ``encryption`` element allows the state of a TPM emulator to be > encrypted. The ``secret`` must reference a secret object that holds the > diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng > index 795b654feb..d7cedc014c 100644 > --- a/docs/schemas/domaincommon.rng > +++ b/docs/schemas/domaincommon.rng > @@ -4780,6 +4780,18 @@ > </optional> > </group> > </choice> > + <choice> > + <group> > + <optional> > + <attribute name="persistent_state"> > + <choice> > + <value>yes</value> > + <value>no</value> > + </choice> > + </attribute> > + </optional> > + </group> > + </choice> > </element> > </define> > > diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c > index 23415b323c..82c3a68347 100644 > --- a/src/conf/domain_conf.c > +++ b/src/conf/domain_conf.c > @@ -13178,6 +13178,12 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, > * <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/> > * </backend> > * </tpm> > + * > + * Emulator persistent_state is supported with the following: > + * > + * <tpm model='tpm-tis'> > + * <backend type='emulator' version='2.0' persistent_state='yes'> > + * </tpm> > */ > static virDomainTPMDefPtr > virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, > @@ -13193,6 +13199,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, > g_autofree char *backend = NULL; > g_autofree char *version = NULL; > g_autofree char *secretuuid = NULL; > + g_autofree char *persistent_state = NULL; > g_autofree xmlNodePtr *backends = NULL; > > def = g_new0(virDomainTPMDef, 1); > @@ -13265,6 +13272,18 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, > } > def->data.emulator.hassecretuuid = true; > } > + > + persistent_state = virXMLPropString(backends[0], "persistent_state"); > + if (persistent_state) { > + if (virStringParseYesNo(persistent_state, > + &def->data.emulator.persistent_state) < 0) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", > + _("Invalid persistent_state value, either 'yes' or 'no'")); > + goto error; > + } > + } else { > + def->data.emulator.persistent_state = false; > + } > break; > case VIR_DOMAIN_TPM_TYPE_LAST: > goto error; > @@ -26952,6 +26971,8 @@ virDomainTPMDefFormat(virBufferPtr buf, > case VIR_DOMAIN_TPM_TYPE_EMULATOR: > virBufferAsprintf(buf, " version='%s'", > virDomainTPMVersionTypeToString(def->version)); > + if (def->data.emulator.persistent_state) > + virBufferAddLit(buf, " persistent_state='yes'"); > if (def->data.emulator.hassecretuuid) { > char uuidstr[VIR_UUID_STRING_BUFLEN]; > virBufferAddLit(buf, ">\n"); > diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h > index 72771c46b9..109625828a 100644 > --- a/src/conf/domain_conf.h > +++ b/src/conf/domain_conf.h > @@ -1362,6 +1362,7 @@ struct _virDomainTPMDef { > char *logfile; > unsigned char secretuuid[VIR_UUID_BUFLEN]; > bool hassecretuuid; > + bool persistent_state; > } emulator; > } data; > }; > diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c > index 872be16570..532e0912bd 100644 > --- a/src/qemu/qemu_tpm.c > +++ b/src/qemu/qemu_tpm.c > @@ -729,7 +729,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def) > if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR) > continue; > > - qemuTPMDeleteEmulatorStorage(def->tpms[i]); > + if (!def->tpms[i]->data.emulator.persistent_state) > + qemuTPMDeleteEmulatorStorage(def->tpms[i]); > } > } > > diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args > new file mode 100644 > index 0000000000..90505c7a76 > --- /dev/null > +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args > @@ -0,0 +1,38 @@ > +LC_ALL=C \ > +PATH=/bin \ > +HOME=/tmp/lib/domain--1-TPM-VM \ > +USER=test \ > +LOGNAME=test \ > +XDG_DATA_HOME=/tmp/lib/domain--1-TPM-VM/.local/share \ > +XDG_CACHE_HOME=/tmp/lib/domain--1-TPM-VM/.cache \ > +XDG_CONFIG_HOME=/tmp/lib/domain--1-TPM-VM/.config \ > +QEMU_AUDIO_DRV=none \ > +/usr/bin/qemu-system-x86_64 \ > +-name guest=TPM-VM,debug-threads=on \ > +-S \ > +-object secret,id=masterKey0,format=raw,\ > +file=/tmp/lib/domain--1-TPM-VM/master-key.aes \ > +-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off,\ > +memory-backend=pc.ram \ > +-cpu qemu64 \ > +-m 2048 \ > +-object memory-backend-ram,id=pc.ram,size=2147483648 \ > +-overcommit mem-lock=off \ > +-smp 1,sockets=1,cores=1,threads=1 \ > +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \ > +-display none \ > +-no-user-config \ > +-nodefaults \ > +-chardev socket,id=charmonitor,fd=1729,server,nowait \ > +-mon chardev=charmonitor,id=monitor,mode=control \ > +-rtc base=utc \ > +-no-shutdown \ > +-boot menu=on,strict=on \ > +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ > +-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \ > +-chardev socket,id=chrtpm,path=/dev/test \ > +-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \ > +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \ > +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ > +resourcecontrol=deny \ > +-msg timestamp=on > diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml > new file mode 100644 > index 0000000000..45fc4c0e1a > --- /dev/null > +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml > @@ -0,0 +1,30 @@ > +<domain type='qemu'> > + <name>TPM-VM</name> > + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> > + <memory unit='KiB'>2097152</memory> > + <currentMemory unit='KiB'>512288</currentMemory> > + <vcpu placement='static'>1</vcpu> > + <os> > + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> > + <boot dev='hd'/> > + <bootmenu enable='yes'/> > + </os> > + <features> > + <acpi/> > + </features> > + <clock offset='utc'/> > + <on_poweroff>destroy</on_poweroff> > + <on_reboot>restart</on_reboot> > + <on_crash>destroy</on_crash> > + <devices> > + <emulator>/usr/bin/qemu-system-x86_64</emulator> > + <controller type='usb' index='0'/> > + <controller type='pci' index='0' model='pci-root'/> > + <input type='mouse' bus='ps2'/> > + <input type='keyboard' bus='ps2'/> > + <tpm model='tpm-tis'> > + <backend type='emulator' version='2.0' persistent_state='yes'/> > + </tpm> > + <memballoon model='virtio'/> > + </devices> > +</domain> > diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c > index 9b853c6d59..e96a51d18b 100644 > --- a/tests/qemuxml2argvtest.c > +++ b/tests/qemuxml2argvtest.c > @@ -2460,6 +2460,7 @@ mymain(void) > DO_TEST_CAPS_LATEST("tpm-emulator"); > DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); > DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc"); > + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate"); > DO_TEST_CAPS_LATEST_PPC64("tpm-emulator-spapr"); > > DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); > diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml > new file mode 100644 > index 0000000000..08bc8d690c > --- /dev/null > +++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml > @@ -0,0 +1,37 @@ > +<domain type='qemu'> > + <name>TPM-VM</name> > + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> > + <memory unit='KiB'>2097152</memory> > + <currentMemory unit='KiB'>512288</currentMemory> > + <vcpu placement='static'>1</vcpu> > + <os> > + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> > + <boot dev='hd'/> > + <bootmenu enable='yes'/> > + </os> > + <features> > + <acpi/> > + </features> > + <cpu mode='custom' match='exact' check='none'> > + <model fallback='forbid'>qemu64</model> > + </cpu> > + <clock offset='utc'/> > + <on_poweroff>destroy</on_poweroff> > + <on_reboot>restart</on_reboot> > + <on_crash>destroy</on_crash> > + <devices> > + <emulator>/usr/bin/qemu-system-x86_64</emulator> > + <controller type='usb' index='0' model='piix3-uhci'> > + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> > + </controller> > + <controller type='pci' index='0' model='pci-root'/> > + <input type='mouse' bus='ps2'/> > + <input type='keyboard' bus='ps2'/> > + <tpm model='tpm-tis'> > + <backend type='emulator' version='2.0' persistent_state='yes'/> > + </tpm> > + <memballoon model='virtio'> > + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> > + </memballoon> > + </devices> > +</domain> > diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c > index 1968be6782..f8bca9f559 100644 > --- a/tests/qemuxml2xmltest.c > +++ b/tests/qemuxml2xmltest.c > @@ -761,6 +761,7 @@ mymain(void) > DO_TEST_CAPS_LATEST("tpm-emulator"); > DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); > DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc"); > + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate"); > > DO_TEST("metadata", NONE); > DO_TEST("metadata-duplicate", NONE); Otherwise looks good to me. Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com>

2 1

Re: libvirt-lxc: Permission issue of /proc/net
by John Hurnett 24 Dec '20

24 Dec '20

Hi Daniel, My XML has an <interface> section. According to documentation https://libvirt.org/drvlxc.html#securenetworking I have also tried with and without <privnet/> parameter, but still files under /proc/net is owned by user: nobody. As might be expected there is no such problem in privileged containers, as root user is same as on host and files in /proc/net is then owned by root, but to follow best practices I would like to use unprivileged containers. I've used Fedora 33 as host and container. Could you check if this is reproducible on your setup? BR, John On Thu, Dec 24, 2020 at 12:21 PM Daniel P. Berrange <dan(a)berrange.com> wrote: > On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett wrote: > > Hi, > > I've encountered a problem that some of /proc/net/ files can't be > accessed > > in unprivileged containers, because it is owned by nobody:nogroup (-1:-1) > > and have 440 permissions. > > This exact issue was solved in LXC project by unsharing netns: > > > https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7 > > . Maybe it could be similarly fixed on libvirt-lxc? > > We already unshare netns when there is an <interface> in your XML > config for the container. Is that still leaving the permissions > issues ? If so maybe its an ordering issue for the unshare. > > Regards, > Daniel > -- > |: https://berrange.com -o- > https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- > https://www.instagram.com/dberrange :| > >

1 0

[PATCH] docs/formatstorageencryption.html.in: support qcow2 format in luks encryption volume
by Meina Li 24 Dec '20

24 Dec '20

Signed-off-by: Meina Li <meili(a)redhat.com> --- docs/formatstorageencryption.html.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index ea80a87cfb..7215c307d7 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -128,7 +128,9 @@ <p> Here is an example specifying use of the <code>luks</code> format for - a specific cipher algorithm for volume creation: + a specific cipher algorithm for volume creation. + <span class="since">Since 6.10.0,</span> the <code>target</code> format + can also support <code>qcow2</code> type with <code>luks</code> encryption. </p> <pre> <volume> -- 2.27.0

2 1

[RFC 3/5] pci: introduce apci-index property for PCI device
by Igor Mammedov 23 Dec '20

23 Dec '20

In x86/ACPI world, since systemd v197, linux distros are using predictable network interface naming since systemd v197. Which on QEMU based VMs results into path based naming scheme, that names network interfaces based on PCI topology. With this one has to plug NIC in exacly the same bus/slot, which was used when disk image was first provisioned/configured or one risks to loose network configuration due to NIC being renamed to actually used topology. That also restricts freedom reshape PCI configuration of VM without need to reconfigure used guest image. systemd also offers "onboard" naming scheme which is preffered over PCI slot/topology one, provided that firmware implements: " PCI Firmware Specification 3.1 4.6.7. DSM for Naming a PCI or PCI Express Device Under Operating Systems " that allows to assign user defined index to PCI device, which systemd will use to name NIC. For example, using -device e1000,acpi-index=100 guest will rename NIC to 'eno100', where 'eno' is default prefix for "onboard" naming scheme. This doesn't reqiure any advance configuration on guest side. Hope is that 'acpi-index' will be easier to consume by mangment layer, compared to forcing specic PCI topology and/or having several disk image templates for different topologies and will help to simplify process of spawning VM from the same template without need to reconfigure guest network configuration. this patch adds, 'acpi-index'* property and wires up (abuses) unused pci hotplug registers to pass index value to AML code at runtime. Following patch will add corresponding _DSM code and wire it up to PCI devices described in ACPI. *) name comes from linux kernel terminology Signed-off-by: Igor Mammedov <imammedo(a)redhat.com> --- CC: libvir-list(a)redhat.com include/hw/acpi/pcihp.h | 7 ++++++- include/hw/pci/pci.h | 1 + hw/acpi/pci.c | 6 ++++++ hw/acpi/pcihp.c | 25 ++++++++++++++++++++++++- hw/i386/acpi-build.c | 10 ++++++++++ hw/pci/pci.c | 1 + 6 files changed, 48 insertions(+), 2 deletions(-) diff --git a/include/hw/acpi/pcihp.h b/include/hw/acpi/pcihp.h index dfd375820f..72d1773ca1 100644 --- a/include/hw/acpi/pcihp.h +++ b/include/hw/acpi/pcihp.h @@ -46,6 +46,7 @@ typedef struct AcpiPciHpPciStatus { typedef struct AcpiPciHpState { AcpiPciHpPciStatus acpi_pcihp_pci_status[ACPI_PCIHP_MAX_HOTPLUG_BUS]; uint32_t hotplug_select; + uint32_t acpi_index; PCIBus *root; MemoryRegion io; bool legacy_piix; @@ -71,6 +72,8 @@ void acpi_pcihp_reset(AcpiPciHpState *s, bool acpihp_root_off); extern const VMStateDescription vmstate_acpi_pcihp_pci_status; +bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id); + #define VMSTATE_PCI_HOTPLUG(pcihp, state, test_pcihp) \ VMSTATE_UINT32_TEST(pcihp.hotplug_select, state, \ test_pcihp), \ @@ -78,6 +81,8 @@ extern const VMStateDescription vmstate_acpi_pcihp_pci_status; ACPI_PCIHP_MAX_HOTPLUG_BUS, \ test_pcihp, 1, \ vmstate_acpi_pcihp_pci_status, \ - AcpiPciHpPciStatus) + AcpiPciHpPciStatus), \ + VMSTATE_UINT32_TEST(pcihp.acpi_index, state, \ + vmstate_acpi_pcihp_use_acpi_index) #endif diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h index 259f9c992d..e592532558 100644 --- a/include/hw/pci/pci.h +++ b/include/hw/pci/pci.h @@ -357,6 +357,7 @@ struct PCIDevice { /* ID of standby device in net_failover pair */ char *failover_pair_id; + uint32_t acpi_index; }; void pci_register_bar(PCIDevice *pci_dev, int region_num, diff --git a/hw/acpi/pci.c b/hw/acpi/pci.c index 9510597a19..07d5101d83 100644 --- a/hw/acpi/pci.c +++ b/hw/acpi/pci.c @@ -27,6 +27,7 @@ #include "hw/acpi/aml-build.h" #include "hw/acpi/pci.h" #include "hw/pci/pcie_host.h" +#include "hw/acpi/pcihp.h" void build_mcfg(GArray *table_data, BIOSLinker *linker, AcpiMcfgInfo *info) { @@ -59,3 +60,8 @@ void build_mcfg(GArray *table_data, BIOSLinker *linker, AcpiMcfgInfo *info) "MCFG", table_data->len - mcfg_start, 1, NULL, NULL); } +bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id) +{ + AcpiPciHpState *s = opaque; + return s->acpi_index; +} diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index 9dc4d3e2db..9634567e3a 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -347,7 +347,8 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) trace_acpi_pci_down_read(val); break; case PCI_EJ_BASE: - /* No feature defined yet */ + val = s->acpi_index; + s->acpi_index = 0; trace_acpi_pci_features_read(val); break; case PCI_RMV_BASE: @@ -367,8 +368,30 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) static void pci_write(void *opaque, hwaddr addr, uint64_t data, unsigned int size) { + int slot; + PCIBus *bus; + BusChild *kid, *next; AcpiPciHpState *s = opaque; + + s->acpi_index = 0; switch (addr) { + case PCI_UP_BASE: + slot = ctz32(data); + + if (s->hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS) { + break; + } + + bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); + QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { + Object *o = OBJECT(kid->child); + PCIDevice *dev = PCI_DEVICE(o); + if (PCI_SLOT(dev->devfn) == slot) { + s->acpi_index = object_property_get_uint(o, "acpi-index", NULL); + break; + } + } + break; case PCI_EJ_BASE: if (s->hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS) { break; diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index f18b71dea9..27d2958e25 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -1132,6 +1132,16 @@ static void build_piix4_pci_hotplug(Aml *table) aml_append(method, aml_return(aml_int(0))); aml_append(scope, method); + method = aml_method("AIDX", 2, AML_NOTSERIALIZED); + aml_append(method, aml_acquire(aml_name("BLCK"), 0xFFFF)); + aml_append(method, aml_store(aml_arg(0), aml_name("BNUM"))); + aml_append(method, + aml_store(aml_shiftleft(aml_int(1), aml_arg(1)), aml_name("PCIU"))); + aml_append(method, aml_store(aml_name("B0EJ"), aml_local(0))); + aml_append(method, aml_release(aml_name("BLCK"))); + aml_append(method, aml_return(aml_local(0))); + aml_append(scope, method); + aml_append(table, scope); } diff --git a/hw/pci/pci.c b/hw/pci/pci.c index d4349ea577..617f48ff3b 100644 --- a/hw/pci/pci.c +++ b/hw/pci/pci.c @@ -76,6 +76,7 @@ static Property pci_props[] = { QEMU_PCIE_EXTCAP_INIT_BITNR, true), DEFINE_PROP_STRING("failover_pair_id", PCIDevice, failover_pair_id), + DEFINE_PROP_UINT32("acpi-index", PCIDevice, acpi_index, -1), DEFINE_PROP_END_OF_LIST() }; -- 2.27.0

1 0