* Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7

- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
- kvm-x86-Add-x86-rhel8.5-machine-types.patch [bz#1957194]
- kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch [bz#1957194]
- kvm-block-backend-add-drained_poll.patch [bz#1957194]
- kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch [bz#1957194]
- kvm-disable-CONFIG_USB_STORAGE_BOT.patch [bz#1957194]
- kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch [bz#1957194]
- kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch [bz#1957194]
- kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch [bz#1957194]
- kvm-qga-drop-StandardError-syslog.patch [bz#1947977]
- kvm-Remove-iscsi-support.patch [bz#1967133]
- Resolves: bz#1967502
  ([aarch64] [qemu] Compile the PCIe expander bridge)
- Resolves: bz#1974795
  ([RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR)
- Resolves: bz#1957194
  (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta)
- Resolves: bz#1947977
  (remove StandardError=syslog from qemu-guest-agent.service)
- Resolves: bz#1967133
  (QEMU: disable libiscsi in RHEL-9)
This commit is contained in:
Miroslav Rezanina 2021-06-28 03:28:59 -04:00
parent 73d2f941db
commit 0253757df8
12 changed files with 1179 additions and 18 deletions


@ -0,0 +1,37 @@
From d05ba1e2208cb17b8cf7dac050d95137a67dd988 Mon Sep 17 00:00:00 2001
From: Eric Auger <eric.auger@redhat.com>
Date: Thu, 24 Jun 2021 10:32:08 +0200
Subject: [PATCH 01/12] aarch64-rh-devices: add CONFIG_PXB
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Eric Auger <eric.auger@redhat.com>
RH-MergeRequest: 14: aarch64-rh-devices: add CONFIG_PXB
RH-Commit: [1/1] 6a9e6a96ea6ba1bee220a60e5a691a174a0a044b (eauger1/centos-qemu-kvm)
RH-Bugzilla: 1967502
RH-Acked-by: Gavin Shan <gshan@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
RH-Acked-by: Andrew Jones <drjones@redhat.com>
We want to enable the PCIe expander bridge on aarch64. So let's
set CONFIG_PXB.
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
default-configs/devices/aarch64-rh-devices.mak | 1 +
1 file changed, 1 insertion(+)
diff --git a/default-configs/devices/aarch64-rh-devices.mak b/default-configs/devices/aarch64-rh-devices.mak
index 4220469178..d8ce902720 100644
--- a/default-configs/devices/aarch64-rh-devices.mak
+++ b/default-configs/devices/aarch64-rh-devices.mak
@@ -27,3 +27,4 @@ CONFIG_TPM_TIS_SYSBUS=y
CONFIG_PTIMER=y
CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
CONFIG_PVPANIC_PCI=y
+CONFIG_PXB=y
--
2.27.0


@ -0,0 +1,74 @@
From e23a2be8c57666e091d9192e113a30ea06cd83ef Mon Sep 17 00:00:00 2001
From: Sergio Lopez Pascual <slp@redhat.com>
Date: Thu, 17 Jun 2021 09:13:20 -0400
Subject: [PATCH 05/12] block-backend: add drained_poll
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [3/8] 4ad1f536b00a762a1b094d76383b74826228892a (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Allow block backends to poll their devices/users to check if they have
been quiesced when entering a drained section.
This will be used in the next patch to wait for the NBD server to be
completely quiesced.
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Sergio Lopez <slp@redhat.com>
Message-Id: <20210602060552.17433-2-slp@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 095cc4d0f62513d75e9bc1da37f08d9e97f267c4)
Signed-off-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
block/block-backend.c | 7 ++++++-
include/sysemu/block-backend.h | 4 ++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/block/block-backend.c b/block/block-backend.c
index 413af51f3b..05d8e5fb5d 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -2378,8 +2378,13 @@ static void blk_root_drained_begin(BdrvChild *child)
static bool blk_root_drained_poll(BdrvChild *child)
{
BlockBackend *blk = child->opaque;
+ bool busy = false;
assert(blk->quiesce_counter);
- return !!blk->in_flight;
+
+ if (blk->dev_ops && blk->dev_ops->drained_poll) {
+ busy = blk->dev_ops->drained_poll(blk->dev_opaque);
+ }
+ return busy || !!blk->in_flight;
}
static void blk_root_drained_end(BdrvChild *child, int *drained_end_counter)
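Review bot: In blk_root_drained_poll the new dev_ops->drained_poll callback is evaluated on every iteration of the drain polling loop and OR-ed with in_flight, so a callback with side effects (the NBD user in the follow-up patch kicks coroutines from it) runs repeatedly for as long as the drain waits; the callback contract should say that it may be called many times per drain and must neither block nor yield, because it is called from inside bdrv_drain's polling rather than from a coroutine.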
diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
index 880e903293..5423e3d9c6 100644
--- a/include/sysemu/block-backend.h
+++ b/include/sysemu/block-backend.h
@@ -66,6 +66,10 @@ typedef struct BlockDevOps {
* Runs when the backend's last drain request ends.
*/
void (*drained_end)(void *opaque);
+ /*
+ * Is the device still busy?
+ */
+ bool (*drained_poll)(void *opaque);
} BlockDevOps;
/* This struct is embedded in (the private) BlockBackend struct and contains
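Review bot: The comment "Is the device still busy?" on the new drained_poll member states neither the return semantics nor the calling constraints; suggest expanding it to say that returning true keeps the drained section waiting, that the callback is only invoked while blk->quiesce_counter is non-zero (i.e. after drained_begin and before drained_end, as the assert in blk_root_drained_poll enforces), and that it must not issue new requests on the backend while answering.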
--
2.27.0


@ -0,0 +1,49 @@
From 64ec0505fccf6f277430f3be1829a9e44cd00dbb Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 18 Jun 2021 12:04:24 -0400
Subject: [PATCH 07/12] disable CONFIG_USB_STORAGE_BOT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [5/8] 73d3ee0a17590c8cddf6bd812e6a758951c36ea4 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
default-configs/devices/ppc64-rh-devices.mak | 1 -
default-configs/devices/x86_64-rh-devices.mak | 1 -
2 files changed, 2 deletions(-)
diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak
index 5b01b7fac0..3ec5603ace 100644
--- a/default-configs/devices/ppc64-rh-devices.mak
+++ b/default-configs/devices/ppc64-rh-devices.mak
@@ -15,7 +15,6 @@ CONFIG_USB=y
CONFIG_USB_OHCI=y
CONFIG_USB_OHCI_PCI=y
CONFIG_USB_SMARTCARD=y
-CONFIG_USB_STORAGE_BOT=y
CONFIG_USB_STORAGE_CORE=y
CONFIG_USB_STORAGE_CLASSIC=y
CONFIG_USB_XHCI=y
diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak
index d09c138fc6..81bda09f4c 100644
--- a/default-configs/devices/x86_64-rh-devices.mak
+++ b/default-configs/devices/x86_64-rh-devices.mak
@@ -74,7 +74,6 @@ CONFIG_USB=y
CONFIG_USB_EHCI=y
CONFIG_USB_EHCI_PCI=y
CONFIG_USB_SMARTCARD=y
-CONFIG_USB_STORAGE_BOT=y
CONFIG_USB_STORAGE_CORE=y
CONFIG_USB_STORAGE_CLASSIC=y
CONFIG_USB_UHCI=y
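Review bot: The commit message has no body, so the reason for dropping CONFIG_USB_STORAGE_BOT (the usb-bot device) from the ppc64 and x86_64 device lists is recorded nowhere but the bug number; please add a sentence on why the device is disabled and whether an existing guest configuration that names this device type will now fail to start, since removing a device from the build is a user-visible change that downstream users may hit only at boot time.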
--
2.27.0


@ -0,0 +1,151 @@
From 17c1559139d6a58794944901f84dd4e8cd1f5335 Mon Sep 17 00:00:00 2001
From: Connor Kuehl <ckuehl@redhat.com>
Date: Tue, 22 Jun 2021 20:00:20 -0400
Subject: [PATCH 08/12] doc: Fix some mistakes in the SEV documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [6/8] ce828f81de1320a1833241700cb13dfdcf7d82e7 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
file. No new information added.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
Message-Id: <a7c5ee6c056d840f46028f4a817c16a9862bdd9e.1619208498.git.thomas.lendacky@amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit f538adeccf4554e6402fe661a0a51bcc8d6bd227)
Signed-off-by: Connor Kuehl <ckuehl@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
docs/amd-memory-encryption.txt | 59 +++++++++++++++++-----------------
1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 145896aec7..ed85159ea7 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -1,38 +1,38 @@
Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
SEV is an extension to the AMD-V architecture which supports running encrypted
-virtual machine (VMs) under the control of KVM. Encrypted VMs have their pages
+virtual machines (VMs) under the control of KVM. Encrypted VMs have their pages
(code and data) secured such that only the guest itself has access to the
unencrypted version. Each encrypted VM is associated with a unique encryption
-key; if its data is accessed to a different entity using a different key the
+key; if its data is accessed by a different entity using a different key the
encrypted guests data will be incorrectly decrypted, leading to unintelligible
data.
-The key management of this feature is handled by separate processor known as
-AMD secure processor (AMD-SP) which is present in AMD SOCs. Firmware running
-inside the AMD-SP provide commands to support common VM lifecycle. This
+Key management for this feature is handled by a separate processor known as the
+AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running
+inside the AMD-SP provides commands to support a common VM lifecycle. This
includes commands for launching, snapshotting, migrating and debugging the
-encrypted guest. Those SEV command can be issued via KVM_MEMORY_ENCRYPT_OP
+encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP
ioctls.
Launching
---------
-Boot images (such as bios) must be encrypted before guest can be booted.
-MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images :LAUNCH_START,
+Boot images (such as bios) must be encrypted before a guest can be booted. The
+MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images: LAUNCH_START,
LAUNCH_UPDATE_DATA, LAUNCH_MEASURE and LAUNCH_FINISH. These four commands
together generate a fresh memory encryption key for the VM, encrypt the boot
-images and provide a measurement than can be used as an attestation of the
+images and provide a measurement than can be used as an attestation of a
successful launch.
LAUNCH_START is called first to create a cryptographic launch context within
-the firmware. To create this context, guest owner must provides guest policy,
+the firmware. To create this context, guest owner must provide a guest policy,
its public Diffie-Hellman key (PDH) and session parameters. These inputs
-should be treated as binary blob and must be passed as-is to the SEV firmware.
+should be treated as a binary blob and must be passed as-is to the SEV firmware.
-The guest policy is passed as plaintext and hypervisor may able to read it
+The guest policy is passed as plaintext. A hypervisor may choose to read it,
but should not modify it (any modification of the policy bits will result
in bad measurement). The guest policy is a 4-byte data structure containing
-several flags that restricts what can be done on running SEV guest.
+several flags that restricts what can be done on a running SEV guest.
See KM Spec section 3 and 6.2 for more details.
The guest policy can be provided via the 'policy' property (see below)
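Review bot: The line "+images and provide a measurement than can be used as an attestation of a" fixes the article but keeps the typo "than" for "that"; since this patch is purely a wording cleanup, that should be corrected in the same hunk. Two more in this hunk: "To create this context, guest owner must provide a guest policy" wants "the guest owner", and "several flags that restricts what can be done" should read "restrict".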
@@ -40,31 +40,30 @@ The guest policy can be provided via the 'policy' property (see below)
# ${QEMU} \
sev-guest,id=sev0,policy=0x1...\
-Guest owners provided DH certificate and session parameters will be used to
+The guest owner provided DH certificate and session parameters will be used to
establish a cryptographic session with the guest owner to negotiate keys used
for the attestation.
-The DH certificate and session blob can be provided via 'dh-cert-file' and
-'session-file' property (see below
+The DH certificate and session blob can be provided via the 'dh-cert-file' and
+'session-file' properties (see below)
# ${QEMU} \
sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context
-created via LAUNCH_START command. If required, this command can be called
+created via the LAUNCH_START command. If required, this command can be called
multiple times to encrypt different memory regions. The command also calculates
the measurement of the memory contents as it encrypts.
-LAUNCH_MEASURE command can be used to retrieve the measurement of encrypted
-memory. This measurement is a signature of the memory contents that can be
-sent to the guest owner as an attestation that the memory was encrypted
-correctly by the firmware. The guest owner may wait to provide the guest
-confidential information until it can verify the attestation measurement.
-Since the guest owner knows the initial contents of the guest at boot, the
-attestation measurement can be verified by comparing it to what the guest owner
-expects.
+LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory.
+This measurement is a signature of the memory contents that can be sent to the
+guest owner as an attestation that the memory was encrypted correctly by the
+firmware. The guest owner may wait to provide the guest confidential information
+until it can verify the attestation measurement. Since the guest owner knows the
+initial contents of the guest at boot, the attestation measurement can be
+verified by comparing it to what the guest owner expects.
-LAUNCH_FINISH command finalizes the guest launch and destroy's the cryptographic
+LAUNCH_FINISH finalizes the guest launch and destroys the cryptographic
context.
See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the
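Review bot: "The guest owner provided DH certificate and session parameters" is ambiguous without hyphenation; either "The guest-owner-provided DH certificate" or, clearer, "The DH certificate and session parameters provided by the guest owner will be used to establish a cryptographic session". The rest of the hunk reads well and correctly keeps the point that the measurement, not the hypervisor, is what the guest owner trusts before releasing secrets.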
@@ -78,10 +77,10 @@ To launch a SEV guest
Debugging
-----------
-Since memory contents of SEV guest is encrypted hence hypervisor access to the
-guest memory will get a cipher text. If guest policy allows debugging, then
-hypervisor can use DEBUG_DECRYPT and DEBUG_ENCRYPT commands access the guest
-memory region for debug purposes. This is not supported in QEMU yet.
+Since the memory contents of a SEV guest are encrypted, hypervisor access to
+the guest memory will return cipher text. If the guest policy allows debugging,
+then a hypervisor can use the DEBUG_DECRYPT and DEBUG_ENCRYPT commands to access
+the guest memory region for debug purposes. This is not supported in QEMU yet.
Snapshot/Restore
-----------------
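Review bot: "cipher text" in the Debugging paragraph should be "ciphertext" (one word). Otherwise the reworded paragraph keeps the important point intact: DEBUG_DECRYPT and DEBUG_ENCRYPT are usable only when the guest policy permits debugging, and that policy is fixed by the guest owner at LAUNCH_START and covered by the measurement, so a hypervisor cannot quietly turn debugging on afterwards.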
--
2.27.0


@ -0,0 +1,141 @@
From 1bd5660666d2a1f704ebabeed8a2bbfa02410f41 Mon Sep 17 00:00:00 2001
From: Connor Kuehl <ckuehl@redhat.com>
Date: Tue, 22 Jun 2021 20:00:21 -0400
Subject: [PATCH 09/12] docs: Add SEV-ES documentation to
amd-memory-encryption.txt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [7/8] 36e49577484813866132b90c64cf99779326db74 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
Message-Id: <fa1825a5eb0290eac4712cde75ba4c6829946eac.1619208498.git.thomas.lendacky@amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 61b7d7098cd53dd386939610d534f8bd79240881)
Signed-off-by: Connor Kuehl <ckuehl@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
docs/amd-memory-encryption.txt | 54 +++++++++++++++++++++++++++++-----
1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index ed85159ea7..ffca382b5f 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -15,6 +15,13 @@ includes commands for launching, snapshotting, migrating and debugging the
encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP
ioctls.
+Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV
+support to additionally protect the guest register state. In order to allow a
+hypervisor to perform functions on behalf of a guest, there is architectural
+support for notifying a guest's operating system when certain types of VMEXITs
+are about to occur. This allows the guest to selectively share information with
+the hypervisor to satisfy the requested function.
+
Launching
---------
Boot images (such as bios) must be encrypted before a guest can be booted. The
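Review bot: The new SEV-ES paragraph describes "architectural support for notifying a guest's operating system when certain types of VMEXITs are about to occur" without naming the mechanism; a short pointer such as "(see the SEV-ES section of the AMD64 APM referenced at the end of this document)" would let readers find the exception and guest/hypervisor communication block details, since this patch adds that APM section reference further down in the same file.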
@@ -24,6 +31,9 @@ together generate a fresh memory encryption key for the VM, encrypt the boot
images and provide a measurement than can be used as an attestation of a
successful launch.
+For a SEV-ES guest, the LAUNCH_UPDATE_VMSA command is also used to encrypt the
+guest register state, or VM save area (VMSA), for all of the guest vCPUs.
+
LAUNCH_START is called first to create a cryptographic launch context within
the firmware. To create this context, guest owner must provide a guest policy,
its public Diffie-Hellman key (PDH) and session parameters. These inputs
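Review bot: The context line "images and provide a measurement than can be used as an attestation of a" still carries the than/that typo that the preceding doc patch missed; since this hunk edits the adjacent lines, fix it here. The added LAUNCH_UPDATE_VMSA sentence would also benefit from saying where in the launch sequence it is issued; the order of the paragraphs later in the file suggests after the LAUNCH_UPDATE_DATA calls and before LAUNCH_MEASURE, and stating that explicitly avoids readers guessing.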
@@ -40,6 +50,12 @@ The guest policy can be provided via the 'policy' property (see below)
# ${QEMU} \
sev-guest,id=sev0,policy=0x1...\
+Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a
+SEV-ES guest (see below)
+
+# ${QEMU} \
+ sev-guest,id=sev0,policy=0x5...\
+
The guest owner provided DH certificate and session parameters will be used to
establish a cryptographic session with the guest owner to negotiate keys used
for the attestation.
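Review bot: The example `policy=0x5` sets bit 0 as well as the "SEV-ES required" bit 2 that the sentence before it describes, so it is not the minimal SEV-ES policy (that would be 0x4); bit 0 is the policy flag that disallows debugging of the guest. Either use 0x4 in the example or say that 0x5 additionally disables debugging, so readers do not copy 0x5 believing it only enables SEV-ES, or copy 0x4 believing it also forbids debugging.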
@@ -55,13 +71,19 @@ created via the LAUNCH_START command. If required, this command can be called
multiple times to encrypt different memory regions. The command also calculates
the measurement of the memory contents as it encrypts.
-LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory.
-This measurement is a signature of the memory contents that can be sent to the
-guest owner as an attestation that the memory was encrypted correctly by the
-firmware. The guest owner may wait to provide the guest confidential information
-until it can verify the attestation measurement. Since the guest owner knows the
-initial contents of the guest at boot, the attestation measurement can be
-verified by comparing it to what the guest owner expects.
+LAUNCH_UPDATE_VMSA encrypts all the vCPU VMSAs for a SEV-ES guest using the
+cryptographic context created via the LAUNCH_START command. The command also
+calculates the measurement of the VMSAs as it encrypts them.
+
+LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory and,
+for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the
+memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent
+to the guest owner as an attestation that the memory and VMSAs were encrypted
+correctly by the firmware. The guest owner may wait to provide the guest
+confidential information until it can verify the attestation measurement.
+Since the guest owner knows the initial contents of the guest at boot, the
+attestation measurement can be verified by comparing it to what the guest owner
+expects.
LAUNCH_FINISH finalizes the guest launch and destroys the cryptographic
context.
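Review bot: The rewritten LAUNCH_MEASURE paragraph says the measurement covers "the VMSA contents" for SEV-ES, but then keeps "Since the guest owner knows the initial contents of the guest at boot" unchanged; for SEV-ES the guest owner must also know and be able to reproduce the initial register state of every vCPU (the VMSA encrypted by LAUNCH_UPDATE_VMSA), not only the firmware image, to verify the measurement. Suggest adding "and, for a SEV-ES guest, the initial vCPU register state" to that sentence so the verification requirement is stated rather than implied.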
@@ -75,6 +97,22 @@ To launch a SEV guest
-machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
+To launch a SEV-ES guest
+
+# ${QEMU} \
+ -machine ...,confidential-guest-support=sev0 \
+ -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5
+
+An SEV-ES guest has some restrictions as compared to a SEV guest. Because the
+guest register state is encrypted and cannot be updated by the VMM/hypervisor,
+a SEV-ES guest:
+ - Does not support SMM - SMM support requires updating the guest register
+ state.
+ - Does not support reboot - a system reset requires updating the guest register
+ state.
+ - Requires in-kernel irqchip - the burden is placed on the hypervisor to
+ manage booting APs.
+
Debugging
-----------
Since the memory contents of a SEV guest are encrypted, hypervisor access to
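Review bot: Inconsistent article in the new restrictions paragraph: "An SEV-ES guest has some restrictions as compared to a SEV guest" is followed by "a SEV-ES guest:" two lines later; pick one form for the whole file (the rest of the document uses "a SEV"). The three restrictions are otherwise useful and each gives its reason, which is good for readers deciding whether SEV-ES fits their deployment.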
@@ -101,8 +139,10 @@ Secure Encrypted Virtualization Key Management:
KVM Forum slides:
http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
+https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thomas-Lendacky-AMD.pdf
AMD64 Architecture Programmer's Manual:
http://support.amd.com/TechDocs/24593.pdf
SME is section 7.10
SEV is section 15.34
+ SEV-ES is section 15.35
--
2.27.0


@ -0,0 +1,110 @@
From e408203bab17e32f8d42ae9ad61e94a73bfaec67 Mon Sep 17 00:00:00 2001
From: Connor Kuehl <ckuehl@redhat.com>
Date: Tue, 22 Jun 2021 20:00:22 -0400
Subject: [PATCH 10/12] docs/interop/firmware.json: Add SEV-ES support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [8/8] b49ebbaf40b56d95c67475a0373d6906a3e4f0e3 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
Create an enum definition, '@amd-sev-es', for SEV-ES and add documention
for the new enum. Add an example that shows some of the requirements for
SEV-ES, including not having SMM support and the requirement for an
X64-only build.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
Message-Id: <b941a7ee105dfeb67607cf2d24dafcb82658b212.1619208498.git.thomas.lendacky@amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit d44df1d73ce04d7f4b8f94cba5f715e2dadc998b)
Signed-off-by: Connor Kuehl <ckuehl@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
docs/interop/firmware.json | 47 +++++++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/docs/interop/firmware.json b/docs/interop/firmware.json
index 9d94ccafa9..8d8b0be030 100644
--- a/docs/interop/firmware.json
+++ b/docs/interop/firmware.json
@@ -115,6 +115,12 @@
# this feature are documented in
# "docs/amd-memory-encryption.txt".
#
+# @amd-sev-es: The firmware supports running under AMD Secure Encrypted
+# Virtualization - Encrypted State, as specified in the AMD64
+# Architecture Programmer's Manual. QEMU command line options
+# related to this feature are documented in
+# "docs/amd-memory-encryption.txt".
+#
# @enrolled-keys: The variable store (NVRAM) template associated with
# the firmware binary has the UEFI Secure Boot
# operational mode turned on, with certificates
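Review bot: The @amd-sev-es description only points readers to docs/amd-memory-encryption.txt, while the commit message says the key requirements are no SMM support and an X64-only build; state in the enum documentation that a firmware descriptor advertising @amd-sev-es must not also advertise @requires-smm, so that tools consuming firmware.json can validate descriptors instead of inferring the rule from the example added further down.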
@@ -179,7 +185,7 @@
# Since: 3.0
##
{ 'enum' : 'FirmwareFeature',
- 'data' : [ 'acpi-s3', 'acpi-s4', 'amd-sev', 'enrolled-keys',
+ 'data' : [ 'acpi-s3', 'acpi-s4', 'amd-sev', 'amd-sev-es', 'enrolled-keys',
'requires-smm', 'secure-boot', 'verbose-dynamic',
'verbose-static' ] }
@@ -504,6 +510,45 @@
# }
#
# {
+# "description": "OVMF with SEV-ES support",
+# "interface-types": [
+# "uefi"
+# ],
+# "mapping": {
+# "device": "flash",
+# "executable": {
+# "filename": "/usr/share/OVMF/OVMF_CODE.fd",
+# "format": "raw"
+# },
+# "nvram-template": {
+# "filename": "/usr/share/OVMF/OVMF_VARS.fd",
+# "format": "raw"
+# }
+# },
+# "targets": [
+# {
+# "architecture": "x86_64",
+# "machines": [
+# "pc-q35-*"
+# ]
+# }
+# ],
+# "features": [
+# "acpi-s3",
+# "amd-sev",
+# "amd-sev-es",
+# "verbose-dynamic"
+# ],
+# "tags": [
+# "-a X64",
+# "-p OvmfPkg/OvmfPkgX64.dsc",
+# "-t GCC48",
+# "-b DEBUG",
+# "-D FD_SIZE_4MB"
+# ]
+# }
+#
+# {
# "description": "UEFI firmware for ARM64 virtual machines",
# "interface-types": [
# "uefi"
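Review bot: The example advertises "acpi-s3" on the SEV-ES firmware while the companion doc patch states a SEV-ES guest cannot reboot because the guest register state cannot be updated by the hypervisor; S3 resume likewise restores CPU state, so please confirm that S3 is actually supported for SEV-ES guests with this firmware, and if not drop "acpi-s3" from the example or document the limitation, otherwise management tools will offer a feature that cannot work. The omission of "requires-smm" and the "-a X64" / "OvmfPkgX64.dsc" tags correctly match the restrictions in the commit message.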
--
2.27.0


@ -0,0 +1,191 @@
From 9182af6a819e60a079349fd6d8b28a28adea90b1 Mon Sep 17 00:00:00 2001
From: Sergio Lopez Pascual <slp@redhat.com>
Date: Thu, 17 Jun 2021 09:13:21 -0400
Subject: [PATCH 06/12] nbd/server: Use drained block ops to quiesce the server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [4/8] ca32c99563254a8a31104948e41fa691453d0399 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Before switching between AioContexts we need to make sure that we're
fully quiesced ("nb_requests == 0" for every client) when entering the
drained section.
To do this, we set "quiescing = true" for every client on
".drained_begin" to prevent new coroutines from being created, and
check if "nb_requests == 0" on ".drained_poll". Finally, once we're
exiting the drained section, on ".drained_end" we set "quiescing =
false" and call "nbd_client_receive_next_request()" to resume the
processing of new requests.
With these changes, "blk_aio_attach()" and "blk_aio_detach()" can be
reverted to be as simple as they were before f148ae7d36.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1960137
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Sergio Lopez <slp@redhat.com>
Message-Id: <20210602060552.17433-3-slp@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit fd6afc501a019682d1b8468b562355a2887087bd)
Signed-off-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
nbd/server.c | 82 ++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 61 insertions(+), 21 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index 86a44a9b41..b60ebc3ab6 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1513,6 +1513,11 @@ static void nbd_request_put(NBDRequestData *req)
g_free(req);
client->nb_requests--;
+
+ if (client->quiescing && client->nb_requests == 0) {
+ aio_wait_kick();
+ }
+
nbd_client_receive_next_request(client);
nbd_client_put(client);
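Review bot: After the new aio_wait_kick() in nbd_request_put, the unchanged call to nbd_client_receive_next_request(client) still runs; the commit message says quiescing "prevents new coroutines from being created", so that function must check client->quiescing before spawning a receive coroutine, otherwise the kick is immediately undone by a new request coroutine while the drained section is being entered. The check is not visible in this hunk; a one-line comment here pointing at it (or an explicit `if (!client->quiescing)` guard) would make the invariant obvious to the next reader.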
@@ -1530,49 +1535,68 @@ static void blk_aio_attached(AioContext *ctx, void *opaque)
QTAILQ_FOREACH(client, &exp->clients, next) {
qio_channel_attach_aio_context(client->ioc, ctx);
+ assert(client->nb_requests == 0);
assert(client->recv_coroutine == NULL);
assert(client->send_coroutine == NULL);
-
- if (client->quiescing) {
- client->quiescing = false;
- nbd_client_receive_next_request(client);
- }
}
}
-static void nbd_aio_detach_bh(void *opaque)
+static void blk_aio_detach(void *opaque)
{
NBDExport *exp = opaque;
NBDClient *client;
+ trace_nbd_blk_aio_detach(exp->name, exp->common.ctx);
+
QTAILQ_FOREACH(client, &exp->clients, next) {
qio_channel_detach_aio_context(client->ioc);
+ }
+
+ exp->common.ctx = NULL;
+}
+
+static void nbd_drained_begin(void *opaque)
+{
+ NBDExport *exp = opaque;
+ NBDClient *client;
+
+ QTAILQ_FOREACH(client, &exp->clients, next) {
client->quiescing = true;
+ }
+}
- if (client->recv_coroutine) {
- if (client->read_yielding) {
- qemu_aio_coroutine_enter(exp->common.ctx,
- client->recv_coroutine);
- } else {
- AIO_WAIT_WHILE(exp->common.ctx, client->recv_coroutine != NULL);
- }
- }
+static void nbd_drained_end(void *opaque)
+{
+ NBDExport *exp = opaque;
+ NBDClient *client;
- if (client->send_coroutine) {
- AIO_WAIT_WHILE(exp->common.ctx, client->send_coroutine != NULL);
- }
+ QTAILQ_FOREACH(client, &exp->clients, next) {
+ client->quiescing = false;
+ nbd_client_receive_next_request(client);
}
}
-static void blk_aio_detach(void *opaque)
+static bool nbd_drained_poll(void *opaque)
{
NBDExport *exp = opaque;
+ NBDClient *client;
- trace_nbd_blk_aio_detach(exp->name, exp->common.ctx);
+ QTAILQ_FOREACH(client, &exp->clients, next) {
+ if (client->nb_requests != 0) {
+ /*
+ * If there's a coroutine waiting for a request on nbd_read_eof()
+ * enter it here so we don't depend on the client to wake it up.
+ */
+ if (client->recv_coroutine != NULL && client->read_yielding) {
+ qemu_aio_coroutine_enter(exp->common.ctx,
+ client->recv_coroutine);
+ }
- aio_wait_bh_oneshot(exp->common.ctx, nbd_aio_detach_bh, exp);
+ return true;
+ }
+ }
- exp->common.ctx = NULL;
+ return false;
}
static void nbd_eject_notifier(Notifier *n, void *data)
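Review bot: nbd_drained_poll returns true as soon as it finds the first client with nb_requests != 0, so the recv_coroutine kick for any later busy client only happens on a subsequent poll iteration; that is correct since the drain loop keeps polling, but a comment saying so avoids a reader "fixing" the early return. The same kick is repeated on every poll while the client stays busy, which is harmless only because entering a coroutine that is not yielding in nbd_read_eof is skipped by the read_yielding check; the comment above the kick should state that, as the condition is what makes repeated entry safe. Also, the new assert(client->nb_requests == 0) in blk_aio_attached encodes the assumption that attach always happens inside a drained section; worth a short comment next to the assert.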
@@ -1594,6 +1618,12 @@ void nbd_export_set_on_eject_blk(BlockExport *exp, BlockBackend *blk)
blk_add_remove_bs_notifier(blk, &nbd_exp->eject_notifier);
}
+static const BlockDevOps nbd_block_ops = {
+ .drained_begin = nbd_drained_begin,
+ .drained_end = nbd_drained_end,
+ .drained_poll = nbd_drained_poll,
+};
+
static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args,
Error **errp)
{
@@ -1715,8 +1745,17 @@ static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args,
exp->allocation_depth = arg->allocation_depth;
+ /*
+ * We need to inhibit request queuing in the block layer to ensure we can
+ * be properly quiesced when entering a drained section, as our coroutines
+ * servicing pending requests might enter blk_pread().
+ */
+ blk_set_disable_request_queuing(blk, true);
+
blk_add_aio_context_notifier(blk, blk_aio_attached, blk_aio_detach, exp);
+ blk_set_dev_ops(blk, &nbd_block_ops, exp);
+
QTAILQ_INSERT_TAIL(&exports, exp, next);
return 0;
@@ -1788,6 +1827,7 @@ static void nbd_export_delete(BlockExport *blk_exp)
}
blk_remove_aio_context_notifier(exp->common.blk, blk_aio_attached,
blk_aio_detach, exp);
+ blk_set_disable_request_queuing(exp->common.blk, false);
}
for (i = 0; i < exp->nr_export_bitmaps; i++) {
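Review bot: nbd_export_delete restores request queuing with blk_set_disable_request_queuing(exp->common.blk, false) but does not clear the dev_ops installed by blk_set_dev_ops(blk, &nbd_block_ops, exp) in nbd_export_create; if the BlockBackend can outlive the NBDExport, a later drain would call nbd_drained_poll with a dangling exp pointer. Suggest adding blk_set_dev_ops(exp->common.blk, NULL, NULL) alongside the request-queuing reset in this hunk, or a comment explaining why the blk is guaranteed to be freed with the export.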
--
2.27.0


@ -0,0 +1,49 @@
From a9546384e1fe8b4dad9ab00c52f45dac3a8fbc00 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Tue, 8 Jun 2021 10:29:07 -0400
Subject: [PATCH 04/12] redhat: x86: Enable 'kvm-asyncpf-int' by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [2/8] 2ea940445291df74dfed2d2f9f2b1f88a3eca31b (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
'kvm-asyncpf-int' feature is supported by KVM starting with RHEL-8.4
kernel, enable the feature by default starting with RHEL-8.5 machine
type.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/pc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 0a374dec39..cdbfa84d2e 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -366,12 +366,15 @@ GlobalProperty pc_rhel_compat[] = {
{ TYPE_X86_CPU, "vmx-exit-load-perf-global-ctrl", "off" },
/* bz 1508330 */
{ "vfio-pci", "x-no-geforce-quirks", "on" },
+ /* bz 1941397 */
+ { TYPE_X86_CPU, "kvm-asyncpf-int", "on" },
};
const size_t pc_rhel_compat_len = G_N_ELEMENTS(pc_rhel_compat);
GlobalProperty pc_rhel_8_4_compat[] = {
/* pc_rhel_8_4_compat from pc_compat_5_2 */
{ "ICH9-LPC", "x-smi-cpu-hotunplug", "off" },
+ { TYPE_X86_CPU, "kvm-asyncpf-int", "off" },
};
const size_t pc_rhel_8_4_compat_len = G_N_ELEMENTS(pc_rhel_8_4_compat);
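Review bot: the override relies on array order. pc_rhel_compat turns `kvm-asyncpf-int` on for every RHEL machine type and the new pc_rhel_8_4_compat entry turns it off again for 8.4 and older; that only works because the 8.4 array is appended after pc_rhel_compat (in the machine-type patch on this page, pc_q35_machine_rhel840_options calls pc_q35_machine_rhel850_options first and then `compat_props_add(m->compat_props, pc_rhel_8_4_compat, ...)`). A one-line comment next to the `off` entry saying it must stay in an array applied after pc_rhel_compat would protect that ordering from a future reshuffle. Since the commit message ties the feature to a RHEL-8.4 kernel, it would also help to state what an 8.5 machine type does on an older host (feature filtered with a warning versus start-up failure).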
--
2.27.0


@ -0,0 +1,201 @@
From cdc537ada9528e09f8c70219f5a9a1ce8a4efa7e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 6 May 2021 11:10:01 +0200
Subject: [PATCH 02/12] virtio-gpu: handle partial maps properly
RH-Author: Eric Auger <eric.auger@redhat.com>
RH-MergeRequest: 15: virtio-gpu: handle partial maps properly
RH-Commit: [1/1] f2b0fd9758251d1f3a5ff9563911c8bdb4b191f0 (eauger1/centos-qemu-kvm)
RH-Bugzilla: 1974795
RH-Acked-by: Gavin Shan <gshan@redhat.com>
RH-Acked-by: Andrew Jones <drjones@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
dma_memory_map() may map only a part of the request. Happens if the
request can't be mapped in one go, for example due to an iommu creating
a linear dma mapping for scattered physical pages. Should that be the
case virtio-gpu must call dma_memory_map() again with the remaining
range instead of simply throwing an error.
Note that this change implies the number of iov entries may differ from
the number of mapping entries sent by the guest. Therefore the iov_len
bookkeeping needs some updates too, we have to explicitly pass around
the iov length now.
Reported-by: Auger Eric <eric.auger@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20210506091001.1301250-1-kraxel@redhat.com
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-Id: <20210506091001.1301250-1-kraxel@redhat.com>
(cherry picked from commit 9049f8bc445d50c0b5fe5500c0ec51fcc821c2ef)
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/display/virtio-gpu-3d.c | 7 ++--
hw/display/virtio-gpu.c | 76 ++++++++++++++++++++--------------
include/hw/virtio/virtio-gpu.h | 3 +-
3 files changed, 52 insertions(+), 34 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index d98964858e..72c14d9132 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -283,22 +283,23 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
{
struct virtio_gpu_resource_attach_backing att_rb;
struct iovec *res_iovs;
+ uint32_t res_niov;
int ret;
VIRTIO_GPU_FILL_CMD(att_rb);
trace_virtio_gpu_cmd_res_back_attach(att_rb.resource_id);
- ret = virtio_gpu_create_mapping_iov(g, &att_rb, cmd, NULL, &res_iovs);
+ ret = virtio_gpu_create_mapping_iov(g, &att_rb, cmd, NULL, &res_iovs, &res_niov);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
return;
}
ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
+ res_iovs, res_niov);
if (ret != 0)
- virtio_gpu_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries);
+ virtio_gpu_cleanup_mapping_iov(g, res_iovs, res_niov);
}
static void virgl_resource_detach_backing(VirtIOGPU *g,
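Review bot: the new call line `ret = virtio_gpu_create_mapping_iov(g, &att_rb, cmd, NULL, &res_iovs, &res_niov);` runs past QEMU's 80-column limit and checkpatch will warn; wrap the argument list the way the virtio-gpu.c caller in this series does (`&res->iov, &res->iov_cnt` on a continuation line). The logic is right: res_niov is only read after a zero return, which is the only path on which the callee writes it.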
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index c9f5e36fd0..6f3791deb3 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -608,11 +608,12 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
struct virtio_gpu_resource_attach_backing *ab,
struct virtio_gpu_ctrl_command *cmd,
- uint64_t **addr, struct iovec **iov)
+ uint64_t **addr, struct iovec **iov,
+ uint32_t *niov)
{
struct virtio_gpu_mem_entry *ents;
size_t esize, s;
- int i;
+ int e, v;
if (ab->nr_entries > 16384) {
qemu_log_mask(LOG_GUEST_ERROR,
@@ -633,37 +634,53 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
return -1;
}
- *iov = g_malloc0(sizeof(struct iovec) * ab->nr_entries);
+ *iov = NULL;
if (addr) {
- *addr = g_malloc0(sizeof(uint64_t) * ab->nr_entries);
+ *addr = NULL;
}
- for (i = 0; i < ab->nr_entries; i++) {
- uint64_t a = le64_to_cpu(ents[i].addr);
- uint32_t l = le32_to_cpu(ents[i].length);
- hwaddr len = l;
- (*iov)[i].iov_base = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
- a, &len, DMA_DIRECTION_TO_DEVICE);
- (*iov)[i].iov_len = len;
- if (addr) {
- (*addr)[i] = a;
- }
- if (!(*iov)[i].iov_base || len != l) {
- qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
- " resource %d element %d\n",
- __func__, ab->resource_id, i);
- if ((*iov)[i].iov_base) {
- i++; /* cleanup the 'i'th map */
+ for (e = 0, v = 0; e < ab->nr_entries; e++) {
+ uint64_t a = le64_to_cpu(ents[e].addr);
+ uint32_t l = le32_to_cpu(ents[e].length);
+ hwaddr len;
+ void *map;
+
+ do {
+ len = l;
+ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
+ a, &len, DMA_DIRECTION_TO_DEVICE);
+ if (!map) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
+ " resource %d element %d\n",
+ __func__, ab->resource_id, e);
+ virtio_gpu_cleanup_mapping_iov(g, *iov, v);
+ g_free(ents);
+ *iov = NULL;
+ if (addr) {
+ g_free(*addr);
+ *addr = NULL;
+ }
+ return -1;
+ }
+
+ if (!(v % 16)) {
+ *iov = g_realloc(*iov, sizeof(struct iovec) * (v + 16));
+ if (addr) {
+ *addr = g_realloc(*addr, sizeof(uint64_t) * (v + 16));
+ }
}
- virtio_gpu_cleanup_mapping_iov(g, *iov, i);
- g_free(ents);
- *iov = NULL;
+ (*iov)[v].iov_base = map;
+ (*iov)[v].iov_len = len;
if (addr) {
- g_free(*addr);
- *addr = NULL;
+ (*addr)[v] = a;
}
- return -1;
- }
+
+ a += len;
+ l -= len;
+ v += 1;
+ } while (l > 0);
}
+ *niov = v;
+
g_free(ents);
return 0;
}
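Review bot: the `ab->nr_entries > 16384` check above still bounds the guest-supplied entry count, but after this change it no longer bounds the number of iov entries: each entry can now produce as many iovs as dma_memory_map splits it into, and `*iov` / `*addr` grow 16 at a time with no upper limit. Consider a cap on `v` (with the same LOG_GUEST_ERROR and cleanup path as the `!map` branch) so that a mapping table made of many small fragments cannot drive unbounded host allocation. A second defensive point: if dma_memory_map ever returned a non-NULL map with `len == 0`, `l -= len;` would make no progress and the do/while would not terminate; treating `len == 0` like the `!map` failure closes that.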
@@ -717,13 +734,12 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
return;
}
- ret = virtio_gpu_create_mapping_iov(g, &ab, cmd, &res->addrs, &res->iov);
+ ret = virtio_gpu_create_mapping_iov(g, &ab, cmd, &res->addrs,
+ &res->iov, &res->iov_cnt);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
return;
}
-
- res->iov_cnt = ab.nr_entries;
}
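Review bot: with `res->iov_cnt = ab.nr_entries;` dropped, iov_cnt is written by the callee only on success, so after an error res->iov is NULL and iov_cnt keeps whatever it held before (0 for a newly created resource). That is consistent with the cleanup helpers taking (iov, count), but a short comment at the call site recording that iov_cnt now counts mappings rather than guest entries would help anyone still using ab.nr_entries elsewhere.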
static void
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
index fae149235c..0d15af41d9 100644
--- a/include/hw/virtio/virtio-gpu.h
+++ b/include/hw/virtio/virtio-gpu.h
@@ -209,7 +209,8 @@ void virtio_gpu_get_edid(VirtIOGPU *g,
int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
struct virtio_gpu_resource_attach_backing *ab,
struct virtio_gpu_ctrl_command *cmd,
- uint64_t **addr, struct iovec **iov);
+ uint64_t **addr, struct iovec **iov,
+ uint32_t *niov);
void virtio_gpu_cleanup_mapping_iov(VirtIOGPU *g,
struct iovec *iov, uint32_t count);
void virtio_gpu_process_cmdq(VirtIOGPU *g);
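Review bot: the new `uint32_t *niov` out-parameter has the contract "written only on success" (`*niov = v;` sits after the loop in virtio-gpu.c, while every failure path returns -1 before it), and this public declaration carries no comment saying so. Since one caller passes a field that persists in the resource (res->iov_cnt), a one-line comment on the parameter here would stop a future caller from reading it after a -1 return.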
--
2.27.0


@ -0,0 +1,130 @@
From 1497b5d371a63dd20d3b14ca2f8cce99845a1c2c Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Wed, 19 May 2021 15:46:27 -0400
Subject: [PATCH 03/12] x86: Add x86 rhel8.5 machine types
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
RH-Commit: [1/8] db81806d99b545abe4dcba576fb33c02ec283dd7 (mrezanin/centos-src-qemu-kvm)
RH-Bugzilla: 1957194
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Add the 8.5 machine type and the compat entries.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/pc.c | 6 ++++++
hw/i386/pc_piix.c | 2 ++
hw/i386/pc_q35.c | 24 ++++++++++++++++++++++--
include/hw/i386/pc.h | 3 +++
4 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index edc02a68ca..0a374dec39 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -369,6 +369,12 @@ GlobalProperty pc_rhel_compat[] = {
};
const size_t pc_rhel_compat_len = G_N_ELEMENTS(pc_rhel_compat);
+GlobalProperty pc_rhel_8_4_compat[] = {
+ /* pc_rhel_8_4_compat from pc_compat_5_2 */
+ { "ICH9-LPC", "x-smi-cpu-hotunplug", "off" },
+};
+const size_t pc_rhel_8_4_compat_len = G_N_ELEMENTS(pc_rhel_8_4_compat);
+
GlobalProperty pc_rhel_8_3_compat[] = {
/* pc_rhel_8_3_compat from pc_compat_5_1 */
{ "ICH9-LPC", "x-smi-cpu-hotplug", "off" },
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index d9c5df16d8..5d61c9b833 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -971,6 +971,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
pcmc->pci_root_uid = 1;
compat_props_add(m->compat_props, hw_compat_rhel_8_4,
hw_compat_rhel_8_4_len);
+ compat_props_add(m->compat_props, pc_rhel_8_4_compat,
+ pc_rhel_8_4_compat_len);
compat_props_add(m->compat_props, hw_compat_rhel_8_3,
hw_compat_rhel_8_3_len);
compat_props_add(m->compat_props, pc_rhel_8_3_compat,
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 44109e4876..01ff3e0544 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -607,6 +607,24 @@ static void pc_q35_machine_rhel_options(MachineClass *m)
compat_props_add(m->compat_props, pc_rhel_compat, pc_rhel_compat_len);
}
+static void pc_q35_init_rhel850(MachineState *machine)
+{
+ pc_q35_init(machine);
+}
+
+static void pc_q35_machine_rhel850_options(MachineClass *m)
+{
+ PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
+ pc_q35_machine_rhel_options(m);
+ m->desc = "RHEL-8.5.0 PC (Q35 + ICH9, 2009)";
+ pcmc->smbios_stream_product = "RHEL-AV";
+ pcmc->smbios_stream_version = "8.5.0";
+}
+
+DEFINE_PC_MACHINE(q35_rhel850, "pc-q35-rhel8.5.0", pc_q35_init_rhel850,
+ pc_q35_machine_rhel850_options);
+
+
static void pc_q35_init_rhel840(MachineState *machine)
{
pc_q35_init(machine);
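Review bot: two consecutive blank lines are added after the `DEFINE_PC_MACHINE(q35_rhel850, ...)` block (the two empty `+` lines before `static void pc_q35_init_rhel840`); checkpatch flags multiple blank lines, so drop one. Also note that pc_q35_machine_rhel850_options does not touch m->alias while the 8.4 hunk below adds `m->alias = NULL;`; that is the intended pattern (the alias set in pc_q35_machine_rhel_options stays only on the newest machine type), but a brief comment on the alias move would save the next version bump from rediscovering it.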
@@ -615,12 +633,15 @@ static void pc_q35_init_rhel840(MachineState *machine)
static void pc_q35_machine_rhel840_options(MachineClass *m)
{
PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
- pc_q35_machine_rhel_options(m);
+ pc_q35_machine_rhel850_options(m);
m->desc = "RHEL-8.4.0 PC (Q35 + ICH9, 2009)";
+ m->alias = NULL;
pcmc->smbios_stream_product = "RHEL-AV";
pcmc->smbios_stream_version = "8.4.0";
compat_props_add(m->compat_props, hw_compat_rhel_8_4,
hw_compat_rhel_8_4_len);
+ compat_props_add(m->compat_props, pc_rhel_8_4_compat,
+ pc_rhel_8_4_compat_len);
}
DEFINE_PC_MACHINE(q35_rhel840, "pc-q35-rhel8.4.0", pc_q35_init_rhel840,
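Review bot: chaining pc_q35_machine_rhel840_options through pc_q35_machine_rhel850_options means the 8.5 desc and smbios_stream_version are set and immediately overwritten on the following lines, which is the established pattern in this file and fine. The ordering that matters is that `compat_props_add(m->compat_props, pc_rhel_8_4_compat, ...)` runs after pc_rhel_compat has already been added by pc_q35_machine_rhel_options, so a later entry for the same property overrides the earlier one (the kvm-asyncpf-int patch on this page depends on exactly that); worth a comment so the order is not changed casually.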
@@ -637,7 +658,6 @@ static void pc_q35_machine_rhel830_options(MachineClass *m)
PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
pc_q35_machine_rhel840_options(m);
m->desc = "RHEL-8.3.0 PC (Q35 + ICH9, 2009)";
- m->alias = NULL;
pcmc->smbios_stream_product = "RHEL-AV";
pcmc->smbios_stream_version = "8.3.0";
compat_props_add(m->compat_props, hw_compat_rhel_8_3,
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 79a7803a2f..1980c93f41 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -281,6 +281,9 @@ extern const size_t pc_compat_1_4_len;
extern GlobalProperty pc_rhel_compat[];
extern const size_t pc_rhel_compat_len;
+extern GlobalProperty pc_rhel_8_4_compat[];
+extern const size_t pc_rhel_8_4_compat_len;
+
extern GlobalProperty pc_rhel_8_3_compat[];
extern const size_t pc_rhel_8_3_compat_len;
--
2.27.0


@ -12,7 +12,6 @@ ExecStart=/usr/bin/qemu-ga \
--path=/dev/virtio-ports/org.qemu.guest_agent.0 \
--blacklist=${BLACKLIST_RPC} \
-F${FSFREEZE_HOOK_PATHNAME}
StandardError=syslog
Restart=always
RestartSec=0
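Review bot: dropping StandardError=syslog leaves the unit with systemd's default (StandardError inherits from StandardOutput, whose default is the journal), which is also what systemd 246 and later already do for the `syslog` value while printing a deprecation warning; guest-agent error output therefore still reaches journald. Stating that in the commit message would pre-empt the "did we lose agent logs" question.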


@ -67,14 +67,13 @@
Requires: %{name}-ui-opengl = %{epoch}:%{version}-%{release} \
%endif \
Requires: %{name}-block-curl = %{epoch}:%{version}-%{release} \
Requires: %{name}-block-iscsi = %{epoch}:%{version}-%{release} \
Requires: %{name}-block-rbd = %{epoch}:%{version}-%{release} \
Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 6.0.0
Release: 6%{?rcversion}%{?dist}
Release: 7%{?rcversion}%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
# Epoch 15 used for RHEL 8
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -173,6 +172,26 @@ Patch40: kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch
Patch41: kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch42: kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch
# For bz#1967502 - [aarch64] [qemu] Compile the PCIe expander bridge
Patch43: kvm-aarch64-rh-devices-add-CONFIG_PXB.patch
# For bz#1974795 - [RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR
Patch44: kvm-virtio-gpu-handle-partial-maps-properly.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch45: kvm-x86-Add-x86-rhel8.5-machine-types.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch46: kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch47: kvm-block-backend-add-drained_poll.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch48: kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch49: kvm-disable-CONFIG_USB_STORAGE_BOT.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch
# Source-git patches
@ -183,7 +202,6 @@ BuildRequires: gnutls-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: libaio-devel
BuildRequires: python3-devel
BuildRequires: libiscsi-devel
BuildRequires: libattr-devel
BuildRequires: libusbx-devel >= %{libusbx_version}
%if %{have_usbredir}
@ -281,6 +299,7 @@ Requires: libfdt >= %{libfdt_version}
# other words RHEL-9 rebases are done together/before RHEL-8 ones)
Obsoletes: qemu-kvm-ui-spice <= %{version}
Obsoletes: qemu-kvm-block-gluster <= %{version}
Obsoletes: %{name}-block-iscsi <= %{version}
%description -n qemu-kvm-core
qemu-kvm is an open source virtualizer that provides hardware
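Review bot: `Obsoletes: %{name}-block-iscsi <= %{version}` uses the %{name} macro while the two neighbouring Obsoletes lines spell out `qemu-kvm-`; either form works, but mixing them in one block is a style nit, so match the neighbours. The epoch-less `<= %{version}` comparison is the same form the existing lines use, so behaviour is at least consistent across the three.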
@ -363,16 +382,6 @@ Install this package if you want to access remote disks over
http, https, ftp and other transports provided by the CURL library.
%package block-iscsi
Summary: QEMU iSCSI block driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
%description block-iscsi
This package provides the additional iSCSI block driver for QEMU.
Install this package if you want to access iSCSI volumes.
%package block-rbd
Summary: QEMU Ceph/RBD block driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@ -592,7 +601,6 @@ pushd %{qemu_kvm_build}
--enable-guest-agent \
--enable-iconv \
--enable-kvm \
--enable-libiscsi \
%if %{have_pmem}
--enable-libpmem \
%endif
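Review bot: removing `--enable-libiscsi \` lets configure fall back to autodetection; with libiscsi-devel also gone from BuildRequires the build will not find it today, but an explicit `--disable-libiscsi \` in this list would make the removal deterministic if the library ever appears in the buildroot (for example pulled in transitively) and would keep the driver from being silently re-enabled.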
@ -1196,9 +1204,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%files block-curl
%{_libdir}/qemu-kvm/block-curl.so
%files block-iscsi
%{_libdir}/qemu-kvm/block-iscsi.so
%files block-rbd
%{_libdir}/qemu-kvm/block-rbd.so
@ -1213,6 +1218,30 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%endif
%changelog
* Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7
- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
- kvm-x86-Add-x86-rhel8.5-machine-types.patch [bz#1957194]
- kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch [bz#1957194]
- kvm-block-backend-add-drained_poll.patch [bz#1957194]
- kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch [bz#1957194]
- kvm-disable-CONFIG_USB_STORAGE_BOT.patch [bz#1957194]
- kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch [bz#1957194]
- kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch [bz#1957194]
- kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch [bz#1957194]
- kvm-qga-drop-StandardError-syslog.patch [bz#1947977]
- kvm-Remove-iscsi-support.patch [bz#1967133]
- Resolves: bz#1967502
([aarch64] [qemu] Compile the PCIe expander bridge)
- Resolves: bz#1974795
([RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR)
- Resolves: bz#1957194
(Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta)
- Resolves: bz#1947977
(remove StandardError=syslog from qemu-guest-agent.service)
- Resolves: bz#1967133
(QEMU: disable libiscsi in RHEL-9)
* Mon Jun 21 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-6
- kvm-yank-Unregister-function-when-using-TLS-migration.patch [bz#1972462]
- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1957194]
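Review bot: the 6.0.0-7 changelog entry names `kvm-qga-drop-StandardError-syslog.patch` and `kvm-Remove-iscsi-support.patch`, but the Patch list hunk above adds only Patch43 to Patch52 and neither of those files is among them; both changes are applied directly to the spec and the service file in this commit. Either drop the two patch names from the entry or describe those changes as spec and unit-file edits so the changelog matches what ships.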