October 2017 - Devel - libvirt List Archives

[libvirt] libvirt/QEMU/SEV interaction
by Brijesh Singh 20 Oct '17

20 Oct '17

Hi All, (sorry for the long message) CPUs from AMD EPYC family supports Secure Encrypted Virtualization (SEV) feature - the feature allows running encrypted VMs. To enable the feature, I have been submitting patches to Linux kernel [1], Qemu [2] and OVMF [3]. We have been making some good progress in getting patches accepted upstream in Linux and OVMF trees. SEV builds upon SME (Secure Memory Encryption) feature -- SME support just got pulled into 4.14 merge window. The base SEV patches are accepted in OVMF tree -- now we have SEV aware guest BIOS. I am getting ready to take off "RFC" tag from remaining patches to get them reviewed and accepted. The boot flow for launching an SEV guest is a bit different from a typical guest launch. In order to launch SEV guest from virt-manager or other high-level VM management tools, we need to design and implement new interface between libvirt and qemu, and probably add new APIs in libvirt to be used by VM management tools. I am new to the libvirt and need some expert advice while designing this interface. A pictorial representation for a SEV guest launch flow is available in SEV Spec Appendix A [4]. A typical flow looks like this: 1. Guest owner (GO) asks the cloud provider to launch SEV guest. 2. VM tool asks libvirt to provide its Platform Diffie-Hellman (PDH) key. 3. libvirt opens /dev/sev device to get its PDH and return the blob to the caller. 4. VM tool gives its PDH to GO. 5. GO provides its DH key, session-info and guest policy. 6. VM tool somehow communicates the GO provided information to libvirt. 7. libvirt adds "sev-guest" object in its xml file with all the information obtained from #5 (currently my xml file looks like this) <qemu:arg value='-object'> <qemu:arg value='sev-guest,id=sev0,policy=<GO_policy>,dh-key-file=<filename>,session-file=<filename>/> <qemu:arg value='-machine'/> <qemu:arg value='memory-encryption=sev0'/> 8. libvirt launches the guest with "-S" 9. While creating the SEV guest qemu does the following i) create encryption context using GO's DH, session-info and guest policy (LAUNCH_START) ii) encrypts the guest bios (LAUNCH_UPDATE_DATA) iii) calls LAUNCH_MEASUREMENT to get the encrypted bios measurement 10. By some interface we must propagate the measurement all the way to GO before libvirt starts the guest. 11. GO verifies the measurement and if measurement matches then it may give a secret blob -- which must be injected into the guest before libvirt starts the VM. If verification failed, GO will request cloud provider to destroy the VM. 12. After secret blob is injected into guest, we call LAUNCH_FINISH to destory the encryption context. 13. libvirt issues "continue" command to resume the guest boot. Please note that the measurement value is protected with transport encryption key (TIK) and it changes on each run. Similarly the secret blob provided by GO does not need to be protected using libvirt/qemu APIs. The secret is protected by TIK. From qemu and libvirt point of view these are blobs and must be passed as-is to the SEV FW. Questions: a) Do we need to add a new set of APIs in libvirt to return the PDH from libvirt and VM tool ? Or can we use some pre-existing APIs to pass the opaque blobs ? (this is mainly for step 3 and 6) b) do we need to define a new xml tag to for memory-encryption ? or just use the qemu:args tag ? (step 6) c) what existing communicate interface can be used between libvirt and qemu to get the measurement ? can we add a new qemu monitor command 'get_sev_measurement' to get the measurement ? (step 10) d) how to pass the secret blob from libvirt to qemu ? should we consider adding a new object (sev-guest-secret) -- libvirt can add the object through qemu monitor. [1] https://marc.info/?l=kvm&m=150092661105069&w=2 [2] https://marc.info/?l=qemu-devel&m=148901186615642&w=2 [3] https://lists.01.org/pipermail/edk2-devel/2017-July/012220.html [4] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Thanks Brijesh

8 35

[libvirt] [perl PATCH 0/2] Add missing bindings
by Pavel Hrdina 20 Oct '17

20 Oct '17

Pavel Hrdina (2): Add VIR_DOMAIN_JOB_MEMORY_PAGE_SIZE constant Add set_lifecycle_action Changes | 3 ++- Virt.xs | 24 ++++++++++++++++++++ lib/Sys/Virt/Domain.pm | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+), 1 deletion(-) -- 2.13.6

2 3

[libvirt] [PATCH] util: Missing 'removeTimeoutImpl' check variable inside virEventRegisterImpl() function.
by Julio Faracco 20 Oct '17

20 Oct '17

The function virEventRegisterImpl() checks the attempt to replace the registered events. But there is a duplicate variable inside the IF statement. The variable 'removeHandleImpl' was wrongly repeated. One of them needs to be replaced by 'removeTimeoutImpl'. Signed-off-by: Julio Faracco <jcfaracco(a)gmail.com> --- src/util/virevent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/virevent.c b/src/util/virevent.c index 51d8714..87069e3 100644 --- a/src/util/virevent.c +++ b/src/util/virevent.c @@ -241,7 +241,7 @@ void virEventRegisterImpl(virEventAddHandleFunc addHandle, addTimeout, updateTimeout, removeTimeout); if (addHandleImpl || updateHandleImpl || removeHandleImpl || - addTimeoutImpl || updateTimeoutImpl || removeHandleImpl) { + addTimeoutImpl || updateTimeoutImpl || removeTimeoutImpl) { VIR_WARN("Ignoring attempt to replace registered event loop"); return; } -- 2.7.4

3 2

[libvirt] [PATCH 0/7] Preparation for new QEMU migration states
by Jiri Denemark 20 Oct '17

20 Oct '17

Mostly refactoring of the horrible mess in qemuMigrationRun. Jiri Denemark (7): qemu: Use switch in qemuMigrationCompleted qemu: Refactor qemuMigrationRun a bit qemu: Split cleanup and error code in qemuMigrationRun qemu: Unite error handling in qemuMigrationRun qemu: Don't misuse "ret" in qemuMigrationRun qemu: Consistently use exit_monitor in qemuMigrationRun qemu: Set correct job status when qemuMigrationRun fails src/qemu/qemu_migration.c | 196 +++++++++++++++++++++++++--------------------- 1 file changed, 105 insertions(+), 91 deletions(-) -- 2.14.2

3 12

[libvirt] [jenkins-ci PATCH 0/2] guests: Minor fixes and tweaks
by Andrea Bolognani 20 Oct '17

20 Oct '17

1/2 is a bug fix, 2/2 a small improvement. Andrea Bolognani (2): guests: Reorder configuration steps for root authentication guests: Don't warn when bootstrapping package manager guests/tasks/base.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) -- 2.13.6

2 3

[libvirt] [go PATCH 0/2] Add missing bindings
by Pavel Hrdina 20 Oct '17

20 Oct '17

Pavel Hrdina (2): Add VIR_DOMAIN_JOB_MEMORY_PAGE_SIZE constant Add virDomainSetLifecycleAction API support domain.go | 39 +++++++++++++++++++++++++++++++++++++++ domain_compat.go | 12 ++++++++++++ domain_compat.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+) -- 2.13.6

2 3

[libvirt] [PATCH v1 00/14] Never ending story of user supplied aliases
by Michal Privoznik 20 Oct '17

20 Oct '17

As discussed earlier [1], we should allow users to set device aliases at the define time. While the discussed approach calls for generating missing aliases too, I'm saving that for another patch set. There are couple of reasons for that: a) I don't think it's really necessary (if users are interested in a device they can just set the alias). b) This patch set is already big enough as is. c) Generating aliases is going to have its own problems. Therefore, for now I'm only proposing parsing user supplied aliases. The idea is that it's not enabled by default for all drivers. Any driver that want to/can provide this feature has to set VIR_DOMAIN_DEF_FEATURE_USER_ALIAS. Note that we have some drivers that don't have notion of device aliases. But the code is generic enough so that it should be easy to use in the drivers that do know what aliases are. 1: https://www.redhat.com/archives/libvir-list/2017-October/msg00201.html Michal Privoznik (14): conf: Fix virDomainDeviceGetInfo const correctness virDomainObjGetOneDefState: Fix error message qemuAssignDeviceAliases: Use qemuAssignDeviceRNGAlias for assigning RNG aliases qemu: Move device alias assignment to separate functions qemu: Be tolerant to preexisting aliases conf: Pass xmlopt down to virDomainDeviceInfoParseXML conf: Parse user supplied aliases conf: Validate user supplied aliases virDomainDeviceInfoCheckABIStability: Check for alias too qemuxml2argvdata: Drop device aliases qemuhotplugtest: Load active XML conf: Format alias even for inactive XMLs docs: Document user aliases qemu: Parse alias from inactive XMLs docs/formatdomain.html.in | 23 ++ src/conf/domain_conf.c | 353 ++++++++++++++++----- src/conf/domain_conf.h | 8 +- src/libvirt_private.syms | 1 + src/qemu/qemu_alias.c | 139 +++++++- src/qemu/qemu_domain.c | 3 +- src/qemu/qemu_driver.c | 3 + src/qemu/qemu_hotplug.c | 6 +- tests/qemuhotplugtest.c | 3 +- .../qemuxml2argv-disk-cdrom-network-ftp.xml | 1 - .../qemuxml2argv-disk-cdrom-network-ftps.xml | 1 - .../qemuxml2argv-disk-cdrom-network-http.xml | 1 - .../qemuxml2argv-disk-cdrom-network-https.xml | 1 - .../qemuxml2argv-disk-cdrom-network-tftp.xml | 1 - .../qemuxml2argv-usb-redir-filter.xml | 1 - 15 files changed, 444 insertions(+), 101 deletions(-) -- 2.13.6

4 26

[libvirt] [PATCH 0/5] qemu: Improve the way we handle migration capabilities
by Jiri Denemark 20 Oct '17

20 Oct '17

Jiri Denemark (5): qemu: Create a wrapper around qemuMonitorSetCapabilities qemu: Store supported migration capabilities in a bitmap qemu: Use bitmap with migration capabilities qemu: Drop qemuMonitorGetMigrationCapability qemu: Enhance debug message in qemuMonitorSetMigrationCapability src/qemu/qemu_domain.c | 75 ++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.h | 9 ++++++ src/qemu/qemu_driver.c | 32 ++++++++----------- src/qemu/qemu_migration.c | 45 +++++++++++++++----------- src/qemu/qemu_migration.h | 4 +++ src/qemu/qemu_monitor.c | 22 ++----------- src/qemu/qemu_monitor.h | 2 -- src/qemu/qemu_monitor_json.c | 18 ----------- src/qemu/qemu_monitor_json.h | 2 -- src/qemu/qemu_process.c | 43 ++++++++++++++----------- tests/qemumonitorjsontest.c | 16 ++++++---- 11 files changed, 163 insertions(+), 105 deletions(-) -- 2.14.2

2 13

[libvirt] [PATCH 0/6] vbox: Improve handling of storage devices.
by Dawid Zamirski 19 Oct '17

19 Oct '17

Hello, This patch series reworks the VirtualBox storage device handling code, brief summary: * Extend libvirt schema to specify IDE controller model as VBox supports changing IDE model to PIIX3, PIIX4 or ICH6 and there are known cases of legacy guest OSes being very sensitive to that. * Make the driver recognize <controller> element at define time which allows to specify controller model. Previously the driver was completely ignoring that element. * Allow to create vbox SAS controllers via <controller type="scsi" model="lsisas1068" /> * Handle removable devices - define and dump devices without media. * Make sure media is closed when undefining VMs. Leaving media unclosed may cause errors when defining VMs pointing at the same local path. Dawid Zamirski (6): vbox: Close media when undefining domains. domain: Allow 'model' attribute for ide controller. docs: Add info about ide model attribute. vbox: Add more IStorageController API mappings. vbox: Process controller definitions from xml. vbox: Update XML dump of storage devices. docs/formatdomain.html.in | 3 + docs/schemas/domaincommon.rng | 18 +- src/conf/domain_conf.c | 9 + src/conf/domain_conf.h | 9 + src/libvirt_private.syms | 2 + src/vbox/vbox_common.c | 1212 +++++++++++++++++++++++------------------ src/vbox/vbox_common.h | 21 + src/vbox/vbox_tmpl.c | 87 +-- src/vbox/vbox_uniformed_api.h | 3 + 9 files changed, 790 insertions(+), 574 deletions(-) -- 2.14.2

3 18

[libvirt] [PATCH v5 00/16] Use secret objects to pass iSCSI passwords
by John Ferlan 19 Oct '17

19 Oct '17

v4: https://www.redhat.com/archives/libvir-list/2017-September/msg00944.html Changes since v4 are minor - mostly to change from 3.8.0 to 3.9.0... Update the news.xml once <auth> is allowed for <source>. Add a news.xml to describe the bug fix. Beyond that - merge changes up to git commit '5d7659027'. I ran the changes through my Coverity checker too. Repeated from the cover of v4: v3: https://www.redhat.com/archives/libvir-list/2017-September/msg00881.html Difference with v3: Add patch 3 to perform virStorageSourceCopy for qemu and storage source private data. Adjust the move encinfo from private disk to private disk src to handle the Copy for the @encinfo too Repeated from cover of v3 (although perhaps just too much information for the eyes to consume): v2: https://www.redhat.com/archives/libvir-list/2017-September/msg00466.html Changes since v2: * Former Patch 1 & 2 were pushed * New Patch 1 is former Patches 3 and parts of 4 combined appropriately -> Allow <auth> under <disk> or <source> - keep track of where it was found so that format prints in the right place -> Cleaned up the tests and new xml/args files * Patch 2 is part of the former patch 6 - just the new _virStorageSource * Patch 3 is new - to introduced an allocator for domain_conf to create a _virStorageSource * Patch 4 is new - as stated found that the @diskPriv->encinfo wasn't cleaned up properly * Patch 5 is the rest of the former patch 6 * Patch 6 is the former patch 7 with some minor adjustments to allow <encryption> to follow <auth> and be both child of <disk> and <source> * Patch 7 is the former patch 10 with minor change to perform free of encinfo properly (e.g. from patch 4) * Patch 8 is former patch 5 and 9 combined * Patch 9 is new - to use the virStorageSource for iscsisrc instead of just three fields we wanted * Patch 10 is new to alter the existing hostdevPriv to use diskSrcPriv * Patch 11 is new to remove the hostdevPriv as it's no longer necesary * Patch 12 is new to split up a change in qemuBuildSCSIiSCSIHostdevDrvStr from the last patch * Patch 13 is the former patch 13 * Patch 14 is altered to accomodate the hostdev usage if virStorageSource for iscsisrc->src instead of that hack that was there before. John Ferlan (16): conf: Add/Allow parsing the auth in the disk source qemu: Introduce privateData for _virStorageSource qemu: Introduce qemuDomainStorageSourceCopy conf: Introduce virDomainDiskStorageSourceNew qemu: Add missing encinfo cleanup qemu: Relocate qemuDomainSecretInfoPtr from disk private conf: Add/Allow parsing the encryption in the disk source qemu: Move encinfo from private disk to private disk src docs: Add news article regarding auth/encryption placement conf,qemu: Replace iscsisrc fields with virStorageSourcePtr qemu: Use private disksrc for iscsi instead of private hostdev qemu: Remove private hostdev qemu: Refactor qemuBuildSCSIiSCSIHostdevDrvStr slightly qemu: Get capabilities to use iscsi password-secret argument qemu: Use secret objects to pass iSCSI passwords docs: Add news article to describe iSCSI usage of secret object docs/formatdomain.html.in | 82 ++++--- docs/news.xml | 23 ++ docs/schemas/domaincommon.rng | 48 +++- src/conf/domain_conf.c | 255 ++++++++++++++++----- src/conf/domain_conf.h | 10 +- src/lxc/lxc_native.c | 2 +- src/qemu/qemu_block.c | 64 +++++- src/qemu/qemu_blockjob.c | 2 +- src/qemu/qemu_capabilities.c | 2 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 84 +++++-- src/qemu/qemu_command.h | 3 +- src/qemu/qemu_domain.c | 162 +++++++++---- src/qemu/qemu_domain.h | 37 ++- src/qemu/qemu_driver.c | 8 +- src/qemu/qemu_hotplug.c | 71 +++++- src/qemu/qemu_parse_command.c | 4 +- src/util/virstoragefile.c | 2 + src/util/virstoragefile.h | 5 + src/vbox/vbox_common.c | 2 +- src/xenconfig/xen_common.c | 2 +- src/xenconfig/xen_sxpr.c | 2 +- src/xenconfig/xen_xl.c | 2 +- .../qemuargv2xml-disk-drive-network-rbd-auth.xml | 6 +- tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + ...xml2argv-disk-drive-network-iscsi-auth-AES.args | 41 ++++ ...uxml2argv-disk-drive-network-iscsi-auth-AES.xml | 43 ++++ ...ml2argv-disk-drive-network-source-auth-both.xml | 51 +++++ ...emuxml2argv-disk-drive-network-source-auth.args | 32 +++ ...qemuxml2argv-disk-drive-network-source-auth.xml | 45 ++++ ...ml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args | 45 ++++ ...xml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml | 48 ++++ .../qemuxml2argv-luks-disks-source-both.xml | 40 ++++ .../qemuxml2argv-luks-disks-source.args | 62 +++++ .../qemuxml2argv-luks-disks-source.xml | 81 +++++++ tests/qemuxml2argvtest.c | 14 ++ ...muxml2xmlout-disk-drive-network-source-auth.xml | 49 ++++ .../qemuxml2xmlout-luks-disks-source.xml | 84 +++++++ .../qemuxml2xmlout-luks-disks.xml | 46 +++- tests/qemuxml2xmltest.c | 2 + tests/virhostdevtest.c | 2 +- tests/virstoragetest.c | 6 + 46 files changed, 1356 insertions(+), 219 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth-both.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-source-auth.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml -- 2.13.6

2 19