July 2025 - Devel - libvirt List Archives

[PATCH 0/5] Cleanup of callers of virDomainDefGetVcpu
by Peter Krempa 12 Aug '25

12 Aug '25

Fix few issues with how virDomainDefGetVcpu is called and in related code. Peter Krempa (5): Unexport virCHProcessSetupVcpu virDomainVcpuDefPostParse: Remove impossible check qemu: domain: Remove unused qemuDomainGetVcpuHalted virCHDomainRefreshThreadInfo: Don't trust vcpu ID returned by hypervisor virCHDomainRefreshThreadInfo: Remove illusion that caller cares about return value src/ch/ch_domain.c | 17 ++++++++++------- src/ch/ch_domain.h | 2 +- src/ch/ch_process.c | 2 +- src/ch/ch_process.h | 3 --- src/conf/domain_postparse.c | 4 ---- src/qemu/qemu_domain.c | 15 --------------- src/qemu/qemu_domain.h | 1 - 7 files changed, 12 insertions(+), 32 deletions(-) -- 2.50.1

2 7

[RFC] x86 Host CPU features detection by MSRs
by Hector Cao 12 Aug '25

12 Aug '25

Hello, This mail is a Request for Comment. On recent Intel CPUs, some of the CPU features (mostly vmx-* subfeatures) are listed and controlled via the MSRs (Model Specific Registers) instead of the traditional CPUID instruction method. Right now, libvirt reads the MSR's values via /dev/cpu/*/cpu populated by the msr kernel module. src/cpu/cpu_x86.c: ... /* This is best effort since there might be no way to read the MSR * when we are not running as root. */ for (i = 0; i < nmsrs; i++) { if (virHostCPUGetMSR(msrs[i], &msr) == 0) { virCPUx86DataItem item = { .type = VIR_CPU_X86_DATA_MSR, .data.msr = { ... There are 2 potential issues: 1) As stated in the source code comment above, MSR values read might fail when libvirt is not run as root. 2) MSR values read might fail if the MSR kernel module is not loaded, this is still the case in some of the Linux distros. The issue 2) has been brought up in Ubuntu/Debian : https://salsa.debian.org/libvirt-team/libvirt/-/merge_requests/271 but the feedback was to try to fix the issue in the libvirt source code itself. Indeed, libvirt already loads some kernel modules it depends on. For example the NBD kernel module in src/util/virtfile.c ... static bool virFileNBDLoadDriver(void) { if (virKModIsProhibited(NBD_DRIVER)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to load nbd module: administratively prohibited")); return false; } else { g_autofree char *errbuf = NULL; if ((errbuf = virKModLoad(NBD_DRIVER))) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to load nbd module")); ... Andrea Bolognani's proposal of an approach that could work: 1. try using the unprivileged KVM API is available (or maybe the necessary information is exposed via QMP too?) like how QEMU does; 2. if that fails, try using the privileged /dev API; 3. if that fails too, load the msr module and try again; I would like to have some feedback from the libvirt community about if that is worth tackling these issues and the right way to do that. If we can end up with an agreement in this mail thread, I can work on the solution implementation and send it in a separate submission. Best regards, Hector

3 15

[PATCH v2 0/2] Introduce hardware UUID (hwuuid) element
by Mark Cave-Ayland 04 Aug '25

04 Aug '25

Following on from the discussions at [1] and more recently [2], this series introduces a new hardware UUID (hwuuid) element that allows an external UUID to be provided to the guest, as opposed to the libvirt domain UUID. The use case for this feature is to allow a domain to cloned and then restarted without changing its guest-visible UUID e.g. via dmidecode. Patch 1 introduces the new hardware UUID (hwuuid) element along with an implementation for the QEMU driver, whilst patch 2 adds additional tests to ensure the hwuuid functionality is working as expected. Note that from reading the source it doesn't appear as if all virtualisation platforms will support this feature: I've included the relevant changes for the QEMU driver since that is what we use here at Nutanix. Signed-off-by: Mark Cave-Ayland <mark.caveayland(a)nutanix.com> [1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/YXN2… [2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HGFT… v2: - Rebase onto master - Rework if() logic in virSysinfoSystemParseXML() in patch 1 as suggested by Daniel - Add R-B tag from Daniel to patch 2 Mark Cave-Ayland (2): conf: introduce hardware UUID (hwuuid) element qemuxmlconftest: add tests for new hardware UUID (hwuuid) element docs/formatdomain.rst | 7 +++ src/conf/domain_conf.c | 43 ++++++++++++++++--- src/conf/domain_conf.h | 1 + src/conf/schemas/domaincommon.rng | 5 +++ src/qemu/qemu_command.c | 6 ++- ...hwuuid-smbios-uuid-match.x86_64-latest.err | 1 + .../hwuuid-smbios-uuid-match.xml | 36 ++++++++++++++++ .../qemuxmlconfdata/hwuuid.x86_64-latest.args | 35 +++++++++++++++ .../qemuxmlconfdata/hwuuid.x86_64-latest.xml | 41 ++++++++++++++++++ tests/qemuxmlconfdata/hwuuid.xml | 30 +++++++++++++ tests/qemuxmlconftest.c | 3 ++ 11 files changed, 202 insertions(+), 6 deletions(-) create mode 100644 tests/qemuxmlconfdata/hwuuid-smbios-uuid-match.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/hwuuid-smbios-uuid-match.xml create mode 100644 tests/qemuxmlconfdata/hwuuid.x86_64-latest.args create mode 100644 tests/qemuxmlconfdata/hwuuid.x86_64-latest.xml create mode 100644 tests/qemuxmlconfdata/hwuuid.xml -- 2.43.0

2 5

[PATCH] conf: add support for 'edid' attribute to video model
by Mark Cave-Ayland 01 Aug '25

01 Aug '25

Add the ability to enable/disable exposing the EDID information to the guest. This allows migration from legacy machine types that have EDID disabled to a newer machine type without any change becoming visible to the guest. The edid attribute can specified in the domain XML as below: <video> <model type='virtio' edid='off'/> </video> If the edid attribute is unspecified, it is not generated so that the virtualisation platform will continue to use its default. The edid attribute is only valid for the vga, boch and virtio display models and is currently only implemented for the QEMU driver. Signed-off-by: Mark Cave-Ayland <mark.caveayland(a)nutanix.com> --- docs/formatdomain.rst | 8 ++++++++ src/conf/domain_conf.c | 5 +++++ src/conf/domain_conf.h | 1 + src/conf/domain_validate.c | 11 +++++++++++ src/conf/schemas/domaincommon.rng | 5 +++++ src/qemu/qemu_command.c | 7 +++++++ 6 files changed, 37 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 976746e292..7fe8b03a56 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -7103,6 +7103,14 @@ A video device. sub-element is valid for model types "vga", "qxl", "bochs", "gop", and "virtio". + :since:`Since 11.7.0` (QEMU driver only), the ``model`` element may have an + optional ``edid`` attribute that can be set to "on" or "off". If the ``edid`` + attribute is not specified then the device will use its default value. + Otherwise setting ``edid`` to "on" will expose the device EDID blob to the + guest, whilst setting it to "off" will hide the device EDID blob from the + guest. The ``edid`` attribute is only valid for model types "vga", "bochs", + and "virtio". + ``acceleration`` Configure if video acceleration should be enabled. diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 59958c2f08..10cc6d7432 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -13535,6 +13535,9 @@ virDomainVideoModelDefParseXML(virDomainVideoDef *def, if (virXMLPropTristateSwitch(node, "blob", VIR_XML_PROP_NONE, &def->blob) < 0) return -1; + if (virXMLPropTristateSwitch(node, "edid", VIR_XML_PROP_NONE, &def->edid) < 0) + return -1; + return 0; } @@ -26629,6 +26632,8 @@ virDomainVideoDefFormat(virBuffer *buf, virBufferAddLit(buf, " primary='yes'"); if (def->blob != VIR_TRISTATE_SWITCH_ABSENT) virBufferAsprintf(buf, " blob='%s'", virTristateSwitchTypeToString(def->blob)); + if (def->edid != VIR_TRISTATE_SWITCH_ABSENT) + virBufferAsprintf(buf, " edid='%s'", virTristateSwitchTypeToString(def->edid)); if (def->accel || def->res) { virBufferAddLit(buf, ">\n"); virBufferAdjustIndent(buf, 2); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 596d138973..425ccfa97c 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1895,6 +1895,7 @@ struct _virDomainVideoDef { virDomainDeviceInfo info; virDomainVirtioOptions *virtio; virDomainVideoBackendType backend; + virTristateSwitch edid; }; /* graphics console modes */ diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 40edecef83..60a2e46b7e 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -231,6 +231,17 @@ virDomainVideoDefValidate(const virDomainVideoDef *video, } } + if ((video->type != VIR_DOMAIN_VIDEO_TYPE_BOCHS) && + (video->type != VIR_DOMAIN_VIDEO_TYPE_VGA) && + (video->type != VIR_DOMAIN_VIDEO_TYPE_VIRTIO)) { + if (video->edid != VIR_TRISTATE_SWITCH_ABSENT) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("video type '%1$s' does not support edid"), + virDomainVideoTypeToString(video->type)); + return -1; + } + } + return 0; } diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng index a714c3fcc5..d84f20637c 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -4807,6 +4807,11 @@ <ref name="virOnOff"/> </attribute> </optional> + <optional> + <attribute name="edid"> + <ref name="virOnOff"/> + </attribute> + </optional> <optional> <element name="acceleration"> <optional> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 457dee7029..db00f9b173 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -4739,6 +4739,13 @@ qemuBuildDeviceVideoCmd(virCommand *cmd, return -1; } + if ((video->type == VIR_DOMAIN_VIDEO_TYPE_BOCHS) || + (video->type == VIR_DOMAIN_VIDEO_TYPE_VGA) || + (video->type == VIR_DOMAIN_VIDEO_TYPE_VIRTIO)) { + if (virJSONValueObjectAdd(&props, "T:edid", video->edid, NULL) < 0) + return -1; + } + if (video->res) { if (virJSONValueObjectAdd(&props, "p:xres", video->res->x, -- 2.43.0

3 6

[PATCH] NEWS: Mention RBD namespaces, and auto-shutdown/key encipherment fixes
by Peter Krempa 31 Jul '25

31 Jul '25

From: Peter Krempa <pkrempa(a)redhat.com> Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- NEWS.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 5a320b7f33..6db9c998d9 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -51,6 +51,10 @@ v11.6.0 (unreleased) Additionally, number of supported consoles increased to 4. + * qemu: Add support for RBD namespaces + + Allow specifying the 'namespace' within a RBD image pool. + * **Improvements** * qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V @@ -83,6 +87,13 @@ v11.6.0 (unreleased) ``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special meaning to its value. + * rpc: Removed requirement for TLS certificates to support 'key encipherment' + + With TLS 1.3, key encipherment is not required even for RSA keys. Other key + types didn't even support it so they were wrongly refused even in cases when + they would work with libvirt. The TLS certificate validation now no longer + requires 'key encipherment' to be enabled. + * **Bug fixes** * bhyve: Fix resetting of the autostart flag of the domain on destroy. @@ -96,6 +107,14 @@ v11.6.0 (unreleased) ebtables, creating the base chains only if they did not already exist. + * Fix systemd unit ordering for auto-shutdown of domains via the daemon + + The ordering of systemd units created by libvirt for individual machines + needed to be adapted when the shutdown of VMs on host shutdown is done + via the virt daemon itself (rather than ``libvirt-guests.service``) to + ensure that the VMs are not terminated before the virt daemon can deal with + them. + v11.5.0 (2025-07-01) ==================== -- 2.50.1

2 1

Question about SEV* guests and automatic firmware selection
by Jim Fehlig 31 Jul '25

31 Jul '25

Hi All, While investigating an internal bug report, we noticed that a minimal firmware auto-selection configuration along with SEV* fails to find a match. E.g. the following config <domain type="kvm"> <os firmware="efi"> <type arch="x86_64" machine="q35">hvm</type> <boot dev="hd"/> </os> <launchSecurity type="sev"> <policy>0x07</policy> </launchSecurity> ... </domain> Fails with "Unable to find 'efi' firmware that is compatible with the current configuration". A firmware that should match has the following json description { "description": "UEFI firmware for x86_64, with AMD SEV", "interface-types": [ "uefi" ], "mapping": { "device": "flash", "mode": "stateless", "executable": { "filename": "/usr/share/qemu/ovmf-x86_64-sev.bin", "format": "raw" } }, "targets": [ { "architecture": "x86_64", "machines": [ "pc-q35-*" ] } ], "features": [ "acpi-s4", "amd-sev", "amd-sev-es", "amd-sev-snp", "verbose-dynamic" ], "tags": [ ] } Auto-selection works fine if I specify a 'stateless' firmware, e.g. amend the above config with <os firmware="efi"> <type arch="x86_64" machine="q35">hvm</type> <loader stateless="yes"/> <boot dev="hd"/> </os> Being unfamiliar with the firmware auto-selection code, I tried the below naive hack, which only led to test failures and the subsequent runtime error "unable to find any master var store for loader: /usr/share/qemu/ovmf-x86_64-sev.bin". Should auto-selection work with the minimal config, or is it expected that user also specify a stateless firmware? Regards, Jim diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 2d0ec0b4fa..660b74141a 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c @@ -1293,15 +1293,17 @@ qemuFirmwareMatchDomain(const virDomainDef *def, return false; } - if (loader && loader->stateless == VIR_TRISTATE_BOOL_YES) { - if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_STATELESS) { - VIR_DEBUG("Discarding loader without stateless flash"); - return false; - } - } else { - if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_SPLIT) { - VIR_DEBUG("Discarding loader without split flash"); - return false; + if (loader) { + if (loader->stateless == VIR_TRISTATE_BOOL_YES) { + if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_STATELESS) { + VIR_DEBUG("Discarding loader without stateless flash"); + return false; + } + } else if (loader->stateless == VIR_TRISTATE_BOOL_NO) { + if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_SPLIT) { + VIR_DEBUG("Discarding loader without split flash"); + return false; + } } }

3 6

[PATCH v4 00/23] LIBVIRT: X86: TDX support
by Zhenzhong Duan 31 Jul '25

31 Jul '25

Hi, This series brings libvirt the x86 TDX support. * What's TDX? TDX stands for Trust Domain Extensions which isolates VMs from the virtual-machine manager (VMM)/hypervisor and any other software on the platform. This patchset extends libvirt to support TDX, with which one can start a TDX guest from high level rather than running qemu directly. * Misc As QEMU use a software emulated way to reset guest which isn't supported by TDX guest for security reason. We simulate reboot for TDX guest by kill and create a new one in FakeReboot framework. Complete code can be found at [1]. * Test Tested with upstream qemu v10.0.0-1724-gf9a3def17b shutdown/reboot/reset with virsh shutdown/reboot trigger in guest shutdown with on_poweroff=destroy/restart reboot with on_reboot=destroy/restart GUEST_PANICKED event processing auto firmware matching * Patch organization - patch 1-4: Some preparing work - patch 5-6: Support query of TDX capabilities - patch 7-15: Add TDX type to launchsecurity framework - patch 16-21: Add reboot/reset support to TDX guest - patch 22: Add conf test dump/cases for '+inteltdx' variant - patch 23: Add docs TODO: - add reconnect logic in virsh command [1] https://github.com/intel/libvirt-tdx/commits/tdx_for_upstream_v4 Thanks Zhenzhong Changelog: v4: - add QGS config to qemuxmlconftest (Daniel) - use 0x10000000 policy value in test as debug isn't supported yet (Daniel) - s/mrowner/mrOwner/ s/mrownerconfig/mrOwnerConfig/ (Daniel) - s/quoteGenerationSocket/quoteGenerationService/ (Daniel) - handle "GUEST_PANICKED" event of type tdx (Daniel) - add automatic firmware matching (Daniel) v3: - fix a hiden failure in qemuBuildTDXQGSCommandLine() (Peter Krempa) - avoid the use of the ternary operator (Peter Krempa) - add capability test dump before capability introduced (Peter Krempa) - change tests version number from 11.0.0 to 10.1.0 (Peter Krempa) v2: - add capability and xmlconf test (Peter Krempa) v1: - s/virQEMUCapsKVMSupportsSecureGuestINTEL/virQEMUCapsKVMSupportsSecureGuestTDX (Daniel) - make policy element optional and expose to QEMU directly (Daniel) - s/qemuProcessSecFakeReboot/qemuProcessFakeRebootViaRecreate (Daniel) - simplify QGS element schema by supporting only UNIX socket (Daniel) - add new events VIR_DOMAIN_EVENT_[STOPPED|STARTED] for control plane (Daniel) - s/quoteGenerationService/quoteGenerationSocket as QEMU - add virsh reset support rfcv4: - add a check to tools/virt-host-validate-qemu.c (Daniel) - remove check of q35 (Daniel) - model 'SocktetAddress' QAPI in xml schema (Daniel) - s/Quote-Generation-Service/quoteGenerationService/ (Daniel) - define bits in tdx->policy and add validating logic (Daniel) - presume QEMU choose split kernel irqchip for TDX guest by default (Daniel) - utilize existing FakeReboot framework to do reboot for TDX guest (Daniel) - drop patch11 'conf: Add support to keep same domid for hard reboot' (Daniel) - add test in tests/ to validate parsing and formatting logic (Daniel) - add doc in docs/formatdomain.rst (Daniel) - add R-B rfcv3: - Change to generate qemu cmdline with -bios - drop firmware auto match as -bios is used - add a hard reboot method to reboot TDX guest rfcv3: https://www.mail-archive.com/devel@lists.libvirt.org/msg00385.html rfcv2: - give up using qmp cmd and check TDX directly on host for TDX capabilities. - use launchsecurity framework to support TDX - use <os>.<loader> for general loader - add auto firmware match feature for TDX A example TDVF fimware description file 70-edk2-x86_64-tdx.json: { "description": "UEFI firmware for x86_64, supporting Intel TDX", "interface-types": [ "uefi" ], "mapping": { "device": "generic", "filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd" }, "targets": [ { "architecture": "x86_64", "machines": [ "pc-q35-*" ] } ], "features": [ "intel-tdx", "verbose-dynamic" ], "tags": [ ] } rfcv2: https://www.mail-archive.com/libvir-list@redhat.com/msg219378.html Zhenzhong Duan (23): tools: Secure guest check for Intel in virt-host-validate qemu: Check if INTEL Trust Domain Extention support is enabled qemucapabilitiesdata: Document '+inteltdx' variant qemucapabilitiestest: Add data for the qemu-10.1.0 dev cycle on x86_64 for the '+inteltdx' variant qemu: Add QEMU_CAPS_TDX_GUEST capability conf: Expose TDX feature in domain capabilities conf: Add tdx as launch security type conf: Validate TDX launchSecurity element mrConfigId/mrOwner/mrOwnerConfig qemu: Add command line and validation for TDX type conf: Expose TDX type in domain launch security capability qemu: Force special parameters enabled for TDX guest qemu: log the crash information for TDX qemu_firmware: Pick the right firmware for TDX guests conf: Add Intel TDX Quote Generation Service(QGS) support qemu: Add command line for TDX Quote Generation Service(QGS) qemu: Add FakeReboot support for TDX guest qemu: Support reboot command in guest qemu: Avoid duplicate FakeReboot for secure guest qemu: Send event VIR_DOMAIN_EVENT_[STOPPED|STARTED] during recreation qemu: Bypass sending VIR_DOMAIN_EVENT_RESUMED event when TD VM reboot qemu: Support domain reset command for TDX guest qemuxmlconftest: Add latest version of 'launch-security-tdx*' test data docs: domain: Add documentation for Intel TDX guest docs/formatdomain.rst | 63 + docs/formatdomaincaps.rst | 1 + examples/c/misc/event-test.c | 6 + include/libvirt/libvirt-domain.h | 2 + src/conf/domain_capabilities.c | 1 + src/conf/domain_capabilities.h | 1 + src/conf/domain_conf.c | 82 + src/conf/domain_conf.h | 21 + src/conf/domain_validate.c | 11 + src/conf/schemas/domaincaps.rng | 9 + src/conf/schemas/domaincommon.rng | 41 + src/conf/virconftypes.h | 2 + src/qemu/qemu_capabilities.c | 38 +- src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 1 + src/qemu/qemu_command.c | 43 + src/qemu/qemu_domain.h | 1 + src/qemu/qemu_driver.c | 11 +- src/qemu/qemu_firmware.c | 20 + src/qemu/qemu_monitor.c | 50 +- src/qemu/qemu_monitor.h | 13 +- src/qemu/qemu_monitor_json.c | 38 +- src/qemu/qemu_namespace.c | 1 + src/qemu/qemu_process.c | 104 +- src/qemu/qemu_process.h | 2 + src/qemu/qemu_validate.c | 45 + src/security/security_dac.c | 2 + .../qemu_10.1.0-q35.x86_64+inteltdx.xml | 783 + .../domaincapsdata/qemu_10.1.0-q35.x86_64.xml | 7 +- .../qemu_10.1.0-tcg.x86_64+inteltdx.xml | 1830 + .../domaincapsdata/qemu_10.1.0-tcg.x86_64.xml | 6 +- .../qemu_10.1.0.x86_64+inteltdx.xml | 783 + tests/domaincapsdata/qemu_10.1.0.x86_64.xml | 7 +- tests/domaincapsmock.c | 3 +- tests/qemucapabilitiesdata/README.rst | 5 + .../caps_10.1.0_x86_64+inteltdx.replies | 44552 ++++++++++++++++ .../caps_10.1.0_x86_64+inteltdx.xml | 3585 ++ .../caps_10.1.0_x86_64.xml | 1 + .../caps.x86_64+inteltdx.xml | 29 + .../firmware/60-edk2-ovmf-x64-inteltdx.json | 1 + ...h-security-tdx.x86_64-latest+inteltdx.args | 44 + ...ch-security-tdx.x86_64-latest+inteltdx.xml | 75 + tests/qemuxmlconfdata/launch-security-tdx.xml | 28 + tests/qemuxmlconftest.c | 3 + tools/virsh-domain-event.c | 6 +- tools/virt-host-validate-common.c | 31 +- tools/virt-host-validate-common.h | 1 + 47 files changed, 52372 insertions(+), 18 deletions(-) create mode 100644 tests/domaincapsdata/qemu_10.1.0-q35.x86_64+inteltdx.xml create mode 100644 tests/domaincapsdata/qemu_10.1.0-tcg.x86_64+inteltdx.xml create mode 100644 tests/domaincapsdata/qemu_10.1.0.x86_64+inteltdx.xml create mode 100644 tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.replies create mode 100644 tests/qemucapabilitiesdata/caps_10.1.0_x86_64+inteltdx.xml create mode 100644 tests/qemucaps2xmloutdata/caps.x86_64+inteltdx.xml create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest+inteltdx.args create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.x86_64-latest+inteltdx.xml create mode 100644 tests/qemuxmlconfdata/launch-security-tdx.xml -- 2.47.1

4 37

[PATCH] news: document fixed nwfilter driver base chain creation
by Daniel P. Berrangé 30 Jul '25

30 Jul '25

From: Daniel P. Berrangé <berrange(a)redhat.com> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- NEWS.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index e5e8626729..c7bfac1db4 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -48,6 +48,14 @@ v11.6.0 (unreleased) * **Bug fixes** + * The nwfilter driver no longer recreates the base iptable/ip6tables chains + + The nwfilter driver had a impl mistake causing it to recreate the + base chains for iptables/ip6tables every time a VM was started. + This allowed a small window where traffic might not be fully + filtered. It now handles iptables/ip6tables the same way as + ebtables, creating the base chains only if they did not already + exist. v11.5.0 (2025-07-01) ==================== -- 2.50.1

2 1

[PATCH] NEWS: Document features/improvements/bug fixes I've participated in
by Michal Privoznik 30 Jul '25

30 Jul '25

From: Michal Privoznik <mprivozn(a)redhat.com> There are some features/improvements/bug fixes I've either contributed or reviewed/merged. Document them for upcoming release. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- NEWS.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 7f08e45537..d6919bdf4c 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -59,6 +59,12 @@ v11.6.0 (unreleased) This can be used to tell some guest operating systems (notably Windows) to not trim the disk. + * nss: Improve debugging + + Debugging printings from NSS modules can be now enabled by setting the + ``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special + meaning to its value. + * **Bug fixes** -- 2.49.1

2 1

[PATCH] NEWS: document bhyve changes for the release
by Roman Bogorodskiy 30 Jul '25

30 Jul '25

Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com> --- NEWS.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 6cc8f23225..447259d66e 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -40,6 +40,17 @@ v11.6.0 (unreleased) be modified by setting the ``default_cpu_deprecated_features`` option in the qemu.conf file. + * bhyve: Add TCP console support + + TCP serial devices can now be configured with ``<serial type='tcp'>``:: + + <serial type='tcp'> + <source mode='bind' host='127.0.0.1' service='12345'/> + <target type='serial' port='0'/> + </serial> + + Additionally, number of supported consoles increased to 4. + * **Improvements** * qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V @@ -54,8 +65,16 @@ v11.6.0 (unreleased) supposed to be called on one of the hosts represented in the input CPU definitions. Otherwise the API will give unexpected results. + * bhyve: Add timeout handling for bhyveload + + It is now possible to run ``bhyveload`` with the ``timeout`` tool, which + can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached. + Timeout values are set using the ``bhyveload_timeout`` and + ``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``. + * **Bug fixes** + * bhyve: Fix resetting of the autostart flag of the domain on destroy. v11.5.0 (2025-07-01) ==================== -- 2.49.0

2 2