From 0253757df89621ab32fff3c84616f062b278a66b Mon Sep 17 00:00:00 2001 
From: Miroslav Rezanina Date: Mon, 28 Jun 2021 03:28:59 -0400 Subject: [PATCH] * Mon Jun 28 2021 Miroslav Rezanina - 6.0.0-7 - kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502] - kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795] - kvm-x86-Add-x86-rhel8.5-machine-types.patch [bz#1957194] - kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch [bz#1957194] - kvm-block-backend-add-drained_poll.patch [bz#1957194] - kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch [bz#1957194] - kvm-disable-CONFIG_USB_STORAGE_BOT.patch [bz#1957194] - kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch [bz#1957194] - kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch [bz#1957194] - kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch [bz#1957194] - kvm-qga-drop-StandardError-syslog.patch [bz#1947977] - kvm-Remove-iscsi-support.patch [bz#1967133] - Resolves: bz#1967502 ([aarch64] [qemu] Compile the PCIe expander bridge) - Resolves: bz#1974795 ([RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR) - Resolves: bz#1957194 (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta) - Resolves: bz#1947977 (remove StandardError=syslog from qemu-guest-agent.service) - Resolves: bz#1967133 (QEMU: disable libiscsi in RHEL-9) --- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch | 37 ++++ kvm-block-backend-add-drained_poll.patch | 74 +++++++ kvm-disable-CONFIG_USB_STORAGE_BOT.patch | 49 +++++ ...me-mistakes-in-the-SEV-documentation.patch | 151 +++++++++++++ ...documentation-to-amd-memory-encrypti.patch | 141 ++++++++++++ ...rop-firmware.json-Add-SEV-ES-support.patch | 110 ++++++++++ ...rained-block-ops-to-quiesce-the-serv.patch | 191 +++++++++++++++++ ...86-Enable-kvm-asyncpf-int-by-default.patch | 49 +++++ ...tio-gpu-handle-partial-maps-properly.patch | 201 ++++++++++++++++++ kvm-x86-Add-x86-rhel8.5-machine-types.patch | 130 +++++++++++ qemu-guest-agent.service | 1 - qemu-kvm.spec | 63 
++++-- 12 files changed, 1179 insertions(+), 18 deletions(-) create mode 100644 kvm-aarch64-rh-devices-add-CONFIG_PXB.patch create mode 100644 kvm-block-backend-add-drained_poll.patch create mode 100644 kvm-disable-CONFIG_USB_STORAGE_BOT.patch create mode 100644 kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch create mode 100644 kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch create mode 100644 kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch create mode 100644 kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch create mode 100644 kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch create mode 100644 kvm-virtio-gpu-handle-partial-maps-properly.patch create mode 100644 kvm-x86-Add-x86-rhel8.5-machine-types.patch diff --git a/kvm-aarch64-rh-devices-add-CONFIG_PXB.patch b/kvm-aarch64-rh-devices-add-CONFIG_PXB.patch new file mode 100644 index 0000000..37b85fb --- /dev/null +++ b/kvm-aarch64-rh-devices-add-CONFIG_PXB.patch 
@@ -0,0 +1,37 @@ +From d05ba1e2208cb17b8cf7dac050d95137a67dd988 Mon Sep 17 00:00:00 2001 +From: Eric Auger +Date: Thu, 24 Jun 2021 10:32:08 +0200 +Subject: [PATCH 01/12] aarch64-rh-devices: add CONFIG_PXB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eric Auger +RH-MergeRequest: 14: aarch64-rh-devices: add CONFIG_PXB +RH-Commit: [1/1] 6a9e6a96ea6ba1bee220a60e5a691a174a0a044b (eauger1/centos-qemu-kvm) +RH-Bugzilla: 1967502 +RH-Acked-by: Gavin Shan +RH-Acked-by: Daniel P. Berrangé +RH-Acked-by: Andrew Jones + +We want to enable the PCIe expander bridge on aarch64. So let's +set CONFIG_PXB. + +Signed-off-by: Eric Auger +Signed-off-by: Miroslav Rezanina +--- + default-configs/devices/aarch64-rh-devices.mak | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/default-configs/devices/aarch64-rh-devices.mak b/default-configs/devices/aarch64-rh-devices.mak +index 4220469178..d8ce902720 100644 +--- a/default-configs/devices/aarch64-rh-devices.mak ++++ b/default-configs/devices/aarch64-rh-devices.mak +@@ -27,3 +27,4 @@ CONFIG_TPM_TIS_SYSBUS=y + CONFIG_PTIMER=y + CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y + CONFIG_PVPANIC_PCI=y ++CONFIG_PXB=y +-- +2.27.0 + diff --git a/kvm-block-backend-add-drained_poll.patch b/kvm-block-backend-add-drained_poll.patch new file mode 100644 index 0000000..b3cbc54 --- /dev/null +++ b/kvm-block-backend-add-drained_poll.patch 
@@ -0,0 +1,74 @@ +From e23a2be8c57666e091d9192e113a30ea06cd83ef Mon Sep 17 00:00:00 2001 +From: Sergio Lopez Pascual +Date: Thu, 17 Jun 2021 09:13:20 -0400 +Subject: [PATCH 05/12] block-backend: add drained_poll +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [3/8] 4ad1f536b00a762a1b094d76383b74826228892a (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +Allow block backends to poll their devices/users to check if they have +been quiesced when entering a drained section. + +This will be used in the next patch to wait for the NBD server to be +completely quiesced. + +Suggested-by: Kevin Wolf +Reviewed-by: Kevin Wolf +Reviewed-by: Eric Blake +Signed-off-by: Sergio Lopez +Message-Id: <20210602060552.17433-2-slp@redhat.com> +Reviewed-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: Kevin Wolf +(cherry picked from commit 095cc4d0f62513d75e9bc1da37f08d9e97f267c4) +Signed-off-by: Sergio Lopez +Signed-off-by: Danilo C. L. 
de Paula +Signed-off-by: Miroslav Rezanina +--- + block/block-backend.c | 7 ++++++- + include/sysemu/block-backend.h | 4 ++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/block/block-backend.c b/block/block-backend.c +index 413af51f3b..05d8e5fb5d 100644 +--- a/block/block-backend.c ++++ b/block/block-backend.c +@@ -2378,8 +2378,13 @@ static void blk_root_drained_begin(BdrvChild *child) + static bool blk_root_drained_poll(BdrvChild *child) + { + BlockBackend *blk = child->opaque; ++ bool busy = false; + assert(blk->quiesce_counter); +- return !!blk->in_flight; ++ ++ if (blk->dev_ops && blk->dev_ops->drained_poll) { ++ busy = blk->dev_ops->drained_poll(blk->dev_opaque); ++ } ++ return busy || !!blk->in_flight; + } + + static void blk_root_drained_end(BdrvChild *child, int *drained_end_counter) +diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h +index 880e903293..5423e3d9c6 100644 +--- a/include/sysemu/block-backend.h ++++ b/include/sysemu/block-backend.h +@@ -66,6 +66,10 @@ typedef struct BlockDevOps { + * Runs when the backend's last drain request ends. + */ + void (*drained_end)(void *opaque); ++ /* ++ * Is the device still busy? ++ */ ++ bool (*drained_poll)(void *opaque); + } BlockDevOps; + + /* This struct is embedded in (the private) BlockBackend struct and contains +-- +2.27.0 + diff --git a/kvm-disable-CONFIG_USB_STORAGE_BOT.patch b/kvm-disable-CONFIG_USB_STORAGE_BOT.patch new file mode 100644 index 0000000..017b5ae --- /dev/null +++ b/kvm-disable-CONFIG_USB_STORAGE_BOT.patch 
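Review bot: The new BlockDevOps.drained_poll callback in include/sysemu/block-backend.h is documented only as `Is the device still busy?`, which tells an implementer neither when it runs nor what returning true means; blk_root_drained_poll shows it is called with blk->quiesce_counter asserted non-zero and its result is OR-ed with blk->in_flight to keep the drain waiting. Suggest expanding the comment to: `Called repeatedly while the backend is drained (after drained_begin); return true while the device still has work outstanding that must complete before the drained section can proceed. Should not block.` The "should not block" part is inferred from its polling use in blk_root_drained_poll and is worth confirming against the drain loop that calls it, which is outside this hunk.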
@@ -0,0 +1,49 @@ +From 64ec0505fccf6f277430f3be1829a9e44cd00dbb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 18 Jun 2021 12:04:24 -0400 +Subject: [PATCH 07/12] disable CONFIG_USB_STORAGE_BOT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [5/8] 73d3ee0a17590c8cddf6bd812e6a758951c36ea4 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + default-configs/devices/ppc64-rh-devices.mak | 1 - + default-configs/devices/x86_64-rh-devices.mak | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak +index 5b01b7fac0..3ec5603ace 100644 +--- a/default-configs/devices/ppc64-rh-devices.mak ++++ b/default-configs/devices/ppc64-rh-devices.mak +@@ -15,7 +15,6 @@ CONFIG_USB=y + CONFIG_USB_OHCI=y + CONFIG_USB_OHCI_PCI=y + CONFIG_USB_SMARTCARD=y +-CONFIG_USB_STORAGE_BOT=y + CONFIG_USB_STORAGE_CORE=y + CONFIG_USB_STORAGE_CLASSIC=y + CONFIG_USB_XHCI=y +diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak +index d09c138fc6..81bda09f4c 100644 +--- a/default-configs/devices/x86_64-rh-devices.mak ++++ b/default-configs/devices/x86_64-rh-devices.mak +@@ -74,7 +74,6 @@ CONFIG_USB=y + CONFIG_USB_EHCI=y + CONFIG_USB_EHCI_PCI=y + CONFIG_USB_SMARTCARD=y +-CONFIG_USB_STORAGE_BOT=y + CONFIG_USB_STORAGE_CORE=y + CONFIG_USB_STORAGE_CLASSIC=y + CONFIG_USB_UHCI=y +-- +2.27.0 + diff --git a/kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch b/kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch new file mode 100644 index 0000000..7439afd --- /dev/null +++ b/kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch 
@@ -0,0 +1,151 @@ +From 17c1559139d6a58794944901f84dd4e8cd1f5335 Mon Sep 17 00:00:00 2001 +From: Connor Kuehl +Date: Tue, 22 Jun 2021 20:00:20 -0400 +Subject: [PATCH 08/12] doc: Fix some mistakes in the SEV documentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [6/8] ce828f81de1320a1833241700cb13dfdcf7d82e7 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +From: Tom Lendacky + +Fix some spelling and grammar mistakes in the amd-memory-encryption.txt +file. No new information added. + +Signed-off-by: Tom Lendacky +Reviewed-by: Laszlo Ersek +Reviewed-by: Connor Kuehl +Message-Id: +Signed-off-by: Eduardo Habkost +(cherry picked from commit f538adeccf4554e6402fe661a0a51bcc8d6bd227) +Signed-off-by: Connor Kuehl +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + docs/amd-memory-encryption.txt | 59 +++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 30 deletions(-) + +diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt +index 145896aec7..ed85159ea7 100644 +--- a/docs/amd-memory-encryption.txt ++++ b/docs/amd-memory-encryption.txt +@@ -1,38 +1,38 @@ + Secure Encrypted Virtualization (SEV) is a feature found on AMD processors. + + SEV is an extension to the AMD-V architecture which supports running encrypted +-virtual machine (VMs) under the control of KVM. Encrypted VMs have their pages ++virtual machines (VMs) under the control of KVM. Encrypted VMs have their pages + (code and data) secured such that only the guest itself has access to the + unencrypted version. 
Each encrypted VM is associated with a unique encryption +-key; if its data is accessed to a different entity using a different key the ++key; if its data is accessed by a different entity using a different key the + encrypted guests data will be incorrectly decrypted, leading to unintelligible + data. + +-The key management of this feature is handled by separate processor known as +-AMD secure processor (AMD-SP) which is present in AMD SOCs. Firmware running +-inside the AMD-SP provide commands to support common VM lifecycle. This ++Key management for this feature is handled by a separate processor known as the ++AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running ++inside the AMD-SP provides commands to support a common VM lifecycle. This + includes commands for launching, snapshotting, migrating and debugging the +-encrypted guest. Those SEV command can be issued via KVM_MEMORY_ENCRYPT_OP ++encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP + ioctls. + + Launching + --------- +-Boot images (such as bios) must be encrypted before guest can be booted. +-MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images :LAUNCH_START, ++Boot images (such as bios) must be encrypted before a guest can be booted. The ++MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images: LAUNCH_START, + LAUNCH_UPDATE_DATA, LAUNCH_MEASURE and LAUNCH_FINISH. These four commands + together generate a fresh memory encryption key for the VM, encrypt the boot +-images and provide a measurement than can be used as an attestation of the ++images and provide a measurement than can be used as an attestation of a + successful launch. + + LAUNCH_START is called first to create a cryptographic launch context within +-the firmware. To create this context, guest owner must provides guest policy, ++the firmware. To create this context, guest owner must provide a guest policy, + its public Diffie-Hellman key (PDH) and session parameters. 
These inputs +-should be treated as binary blob and must be passed as-is to the SEV firmware. ++should be treated as a binary blob and must be passed as-is to the SEV firmware. + +-The guest policy is passed as plaintext and hypervisor may able to read it ++The guest policy is passed as plaintext. A hypervisor may choose to read it, + but should not modify it (any modification of the policy bits will result + in bad measurement). The guest policy is a 4-byte data structure containing +-several flags that restricts what can be done on running SEV guest. ++several flags that restricts what can be done on a running SEV guest. + See KM Spec section 3 and 6.2 for more details. + + The guest policy can be provided via the 'policy' property (see below) +@@ -40,31 +40,30 @@ The guest policy can be provided via the 'policy' property (see below) + # ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + +-Guest owners provided DH certificate and session parameters will be used to ++The guest owner provided DH certificate and session parameters will be used to + establish a cryptographic session with the guest owner to negotiate keys used + for the attestation. + +-The DH certificate and session blob can be provided via 'dh-cert-file' and +-'session-file' property (see below ++The DH certificate and session blob can be provided via the 'dh-cert-file' and ++'session-file' properties (see below) + + # ${QEMU} \ + sev-guest,id=sev0,dh-cert-file=,session-file= + + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context +-created via LAUNCH_START command. If required, this command can be called ++created via the LAUNCH_START command. If required, this command can be called + multiple times to encrypt different memory regions. The command also calculates + the measurement of the memory contents as it encrypts. + +-LAUNCH_MEASURE command can be used to retrieve the measurement of encrypted +-memory. 
This measurement is a signature of the memory contents that can be +-sent to the guest owner as an attestation that the memory was encrypted +-correctly by the firmware. The guest owner may wait to provide the guest +-confidential information until it can verify the attestation measurement. +-Since the guest owner knows the initial contents of the guest at boot, the +-attestation measurement can be verified by comparing it to what the guest owner +-expects. ++LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory. ++This measurement is a signature of the memory contents that can be sent to the ++guest owner as an attestation that the memory was encrypted correctly by the ++firmware. The guest owner may wait to provide the guest confidential information ++until it can verify the attestation measurement. Since the guest owner knows the ++initial contents of the guest at boot, the attestation measurement can be ++verified by comparing it to what the guest owner expects. + +-LAUNCH_FINISH command finalizes the guest launch and destroy's the cryptographic ++LAUNCH_FINISH finalizes the guest launch and destroys the cryptographic + context. + + See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the +@@ -78,10 +77,10 @@ To launch a SEV guest + + Debugging + ----------- +-Since memory contents of SEV guest is encrypted hence hypervisor access to the +-guest memory will get a cipher text. If guest policy allows debugging, then +-hypervisor can use DEBUG_DECRYPT and DEBUG_ENCRYPT commands access the guest +-memory region for debug purposes. This is not supported in QEMU yet. ++Since the memory contents of a SEV guest are encrypted, hypervisor access to ++the guest memory will return cipher text. If the guest policy allows debugging, ++then a hypervisor can use the DEBUG_DECRYPT and DEBUG_ENCRYPT commands to access ++the guest memory region for debug purposes. This is not supported in QEMU yet. 
+ + Snapshot/Restore + ----------------- +-- +2.27.0 + diff --git a/kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch b/kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch new file mode 100644 index 0000000..2aabcbd --- /dev/null +++ b/kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch 
@@ -0,0 +1,141 @@ +From 1bd5660666d2a1f704ebabeed8a2bbfa02410f41 Mon Sep 17 00:00:00 2001 +From: Connor Kuehl +Date: Tue, 22 Jun 2021 20:00:21 -0400 +Subject: [PATCH 09/12] docs: Add SEV-ES documentation to + amd-memory-encryption.txt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [7/8] 36e49577484813866132b90c64cf99779326db74 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +From: Tom Lendacky + +Update the amd-memory-encryption.txt file with information about SEV-ES, +including how to launch an SEV-ES guest and some of the differences +between SEV and SEV-ES guests in regards to launching and measuring the +guest. + +Signed-off-by: Tom Lendacky +Acked-by: Laszlo Ersek +Reviewed-by: Connor Kuehl +Message-Id: +Signed-off-by: Eduardo Habkost +(cherry picked from commit 61b7d7098cd53dd386939610d534f8bd79240881) +Signed-off-by: Connor Kuehl +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + docs/amd-memory-encryption.txt | 54 +++++++++++++++++++++++++++++----- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt +index ed85159ea7..ffca382b5f 100644 +--- a/docs/amd-memory-encryption.txt ++++ b/docs/amd-memory-encryption.txt +@@ -15,6 +15,13 @@ includes commands for launching, snapshotting, migrating and debugging the + encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP + ioctls. + ++Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV ++support to additionally protect the guest register state. 
In order to allow a ++hypervisor to perform functions on behalf of a guest, there is architectural ++support for notifying a guest's operating system when certain types of VMEXITs ++are about to occur. This allows the guest to selectively share information with ++the hypervisor to satisfy the requested function. ++ + Launching + --------- + Boot images (such as bios) must be encrypted before a guest can be booted. The +@@ -24,6 +31,9 @@ together generate a fresh memory encryption key for the VM, encrypt the boot + images and provide a measurement than can be used as an attestation of a + successful launch. + ++For a SEV-ES guest, the LAUNCH_UPDATE_VMSA command is also used to encrypt the ++guest register state, or VM save area (VMSA), for all of the guest vCPUs. ++ + LAUNCH_START is called first to create a cryptographic launch context within + the firmware. To create this context, guest owner must provide a guest policy, + its public Diffie-Hellman key (PDH) and session parameters. These inputs +@@ -40,6 +50,12 @@ The guest policy can be provided via the 'policy' property (see below) + # ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + ++Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a ++SEV-ES guest (see below) ++ ++# ${QEMU} \ ++ sev-guest,id=sev0,policy=0x5...\ ++ + The guest owner provided DH certificate and session parameters will be used to + establish a cryptographic session with the guest owner to negotiate keys used + for the attestation. +@@ -55,13 +71,19 @@ created via the LAUNCH_START command. If required, this command can be called + multiple times to encrypt different memory regions. The command also calculates + the measurement of the memory contents as it encrypts. + +-LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory. +-This measurement is a signature of the memory contents that can be sent to the +-guest owner as an attestation that the memory was encrypted correctly by the +-firmware. 
The guest owner may wait to provide the guest confidential information +-until it can verify the attestation measurement. Since the guest owner knows the +-initial contents of the guest at boot, the attestation measurement can be +-verified by comparing it to what the guest owner expects. ++LAUNCH_UPDATE_VMSA encrypts all the vCPU VMSAs for a SEV-ES guest using the ++cryptographic context created via the LAUNCH_START command. The command also ++calculates the measurement of the VMSAs as it encrypts them. ++ ++LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory and, ++for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the ++memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent ++to the guest owner as an attestation that the memory and VMSAs were encrypted ++correctly by the firmware. The guest owner may wait to provide the guest ++confidential information until it can verify the attestation measurement. ++Since the guest owner knows the initial contents of the guest at boot, the ++attestation measurement can be verified by comparing it to what the guest owner ++expects. + + LAUNCH_FINISH finalizes the guest launch and destroys the cryptographic + context. +@@ -75,6 +97,22 @@ To launch a SEV guest + -machine ...,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 + ++To launch a SEV-ES guest ++ ++# ${QEMU} \ ++ -machine ...,confidential-guest-support=sev0 \ ++ -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5 ++ ++An SEV-ES guest has some restrictions as compared to a SEV guest. Because the ++guest register state is encrypted and cannot be updated by the VMM/hypervisor, ++a SEV-ES guest: ++ - Does not support SMM - SMM support requires updating the guest register ++ state. ++ - Does not support reboot - a system reset requires updating the guest register ++ state. 
++ - Requires in-kernel irqchip - the burden is placed on the hypervisor to ++ manage booting APs. ++ + Debugging + ----------- + Since the memory contents of a SEV guest are encrypted, hypervisor access to +@@ -101,8 +139,10 @@ Secure Encrypted Virtualization Key Management: + + KVM Forum slides: + http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf ++https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thomas-Lendacky-AMD.pdf + + AMD64 Architecture Programmer's Manual: + http://support.amd.com/TechDocs/24593.pdf + SME is section 7.10 + SEV is section 15.34 ++ SEV-ES is section 15.35 +-- +2.27.0 + diff --git a/kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch b/kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch new file mode 100644 index 0000000..e900ba7 --- /dev/null +++ b/kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch 
@@ -0,0 +1,110 @@ +From e408203bab17e32f8d42ae9ad61e94a73bfaec67 Mon Sep 17 00:00:00 2001 +From: Connor Kuehl +Date: Tue, 22 Jun 2021 20:00:22 -0400 +Subject: [PATCH 10/12] docs/interop/firmware.json: Add SEV-ES support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [8/8] b49ebbaf40b56d95c67475a0373d6906a3e4f0e3 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +From: Tom Lendacky + +Create an enum definition, '@amd-sev-es', for SEV-ES and add documention +for the new enum. Add an example that shows some of the requirements for +SEV-ES, including not having SMM support and the requirement for an +X64-only build. + +Signed-off-by: Tom Lendacky +Reviewed-by: Laszlo Ersek +Reviewed-by: Connor Kuehl +Message-Id: +Signed-off-by: Eduardo Habkost +(cherry picked from commit d44df1d73ce04d7f4b8f94cba5f715e2dadc998b) +Signed-off-by: Connor Kuehl +Signed-off-by: Danilo C. L. de Paula +Signed-off-by: Miroslav Rezanina +--- + docs/interop/firmware.json | 47 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) + +diff --git a/docs/interop/firmware.json b/docs/interop/firmware.json +index 9d94ccafa9..8d8b0be030 100644 +--- a/docs/interop/firmware.json ++++ b/docs/interop/firmware.json +@@ -115,6 +115,12 @@ + # this feature are documented in + # "docs/amd-memory-encryption.txt". + # ++# @amd-sev-es: The firmware supports running under AMD Secure Encrypted ++# Virtualization - Encrypted State, as specified in the AMD64 ++# Architecture Programmer's Manual. QEMU command line options ++# related to this feature are documented in ++# "docs/amd-memory-encryption.txt". 
++# + # @enrolled-keys: The variable store (NVRAM) template associated with + # the firmware binary has the UEFI Secure Boot + # operational mode turned on, with certificates +@@ -179,7 +185,7 @@ + # Since: 3.0 + ## + { 'enum' : 'FirmwareFeature', +- 'data' : [ 'acpi-s3', 'acpi-s4', 'amd-sev', 'enrolled-keys', ++ 'data' : [ 'acpi-s3', 'acpi-s4', 'amd-sev', 'amd-sev-es', 'enrolled-keys', + 'requires-smm', 'secure-boot', 'verbose-dynamic', + 'verbose-static' ] } + +@@ -504,6 +510,45 @@ + # } + # + # { ++# "description": "OVMF with SEV-ES support", ++# "interface-types": [ ++# "uefi" ++# ], ++# "mapping": { ++# "device": "flash", ++# "executable": { ++# "filename": "/usr/share/OVMF/OVMF_CODE.fd", ++# "format": "raw" ++# }, ++# "nvram-template": { ++# "filename": "/usr/share/OVMF/OVMF_VARS.fd", ++# "format": "raw" ++# } ++# }, ++# "targets": [ ++# { ++# "architecture": "x86_64", ++# "machines": [ ++# "pc-q35-*" ++# ] ++# } ++# ], ++# "features": [ ++# "acpi-s3", ++# "amd-sev", ++# "amd-sev-es", ++# "verbose-dynamic" ++# ], ++# "tags": [ ++# "-a X64", ++# "-p OvmfPkg/OvmfPkgX64.dsc", ++# "-t GCC48", ++# "-b DEBUG", ++# "-D FD_SIZE_4MB" ++# ] ++# } ++# ++# { + # "description": "UEFI firmware for ARM64 virtual machines", + # "interface-types": [ + # "uefi" +-- +2.27.0 + diff --git a/kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch b/kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch new file mode 100644 index 0000000..af8a82c --- /dev/null +++ b/kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch 
@@ -0,0 +1,191 @@ +From 9182af6a819e60a079349fd6d8b28a28adea90b1 Mon Sep 17 00:00:00 2001 +From: Sergio Lopez Pascual +Date: Thu, 17 Jun 2021 09:13:21 -0400 +Subject: [PATCH 06/12] nbd/server: Use drained block ops to quiesce the server +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9 +RH-Commit: [4/8] ca32c99563254a8a31104948e41fa691453d0399 (mrezanin/centos-src-qemu-kvm) +RH-Bugzilla: 1957194 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Daniel P. Berrangé + +Before switching between AioContexts we need to make sure that we're +fully quiesced ("nb_requests == 0" for every client) when entering the +drained section. + +To do this, we set "quiescing = true" for every client on +".drained_begin" to prevent new coroutines from being created, and +check if "nb_requests == 0" on ".drained_poll". Finally, once we're +exiting the drained section, on ".drained_end" we set "quiescing = +false" and call "nbd_client_receive_next_request()" to resume the +processing of new requests. + +With these changes, "blk_aio_attach()" and "blk_aio_detach()" can be +reverted to be as simple as they were before f148ae7d36. + +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1960137 +Suggested-by: Kevin Wolf +Signed-off-by: Sergio Lopez +Message-Id: <20210602060552.17433-3-slp@redhat.com> +Reviewed-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: Kevin Wolf +(cherry picked from commit fd6afc501a019682d1b8468b562355a2887087bd) +Signed-off-by: Sergio Lopez +Signed-off-by: Danilo C. L. 
de Paula +Signed-off-by: Miroslav Rezanina +--- + nbd/server.c | 82 ++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 61 insertions(+), 21 deletions(-) + +diff --git a/nbd/server.c b/nbd/server.c +index 86a44a9b41..b60ebc3ab6 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -1513,6 +1513,11 @@ static void nbd_request_put(NBDRequestData *req) + g_free(req); + + client->nb_requests--; ++ ++ if (client->quiescing && client->nb_requests == 0) { ++ aio_wait_kick(); ++ } ++ + nbd_client_receive_next_request(client); + + nbd_client_put(client); +@@ -1530,49 +1535,68 @@ static void blk_aio_attached(AioContext *ctx, void *opaque) + QTAILQ_FOREACH(client, &exp->clients, next) { + qio_channel_attach_aio_context(client->ioc, ctx); + ++ assert(client->nb_requests == 0); + assert(client->recv_coroutine == NULL); + assert(client->send_coroutine == NULL); +- +- if (client->quiescing) { +- client->quiescing = false; +- nbd_client_receive_next_request(client); +- } + } + } + +-static void nbd_aio_detach_bh(void *opaque) ++static void blk_aio_detach(void *opaque) + { + NBDExport *exp = opaque; + NBDClient *client; + ++ trace_nbd_blk_aio_detach(exp->name, exp->common.ctx); ++ + QTAILQ_FOREACH(client, &exp->clients, next) { + qio_channel_detach_aio_context(client->ioc); ++ } ++ ++ exp->common.ctx = NULL; ++} ++ ++static void nbd_drained_begin(void *opaque) ++{ ++ NBDExport *exp = opaque; ++ NBDClient *client; ++ ++ QTAILQ_FOREACH(client, &exp->clients, next) { + client->quiescing = true; ++ } ++} + +- if (client->recv_coroutine) { +- if (client->read_yielding) { +- qemu_aio_coroutine_enter(exp->common.ctx, +- client->recv_coroutine); +- } else { +- AIO_WAIT_WHILE(exp->common.ctx, client->recv_coroutine != NULL); +- } +- } ++static void nbd_drained_end(void *opaque) ++{ ++ NBDExport *exp = opaque; ++ NBDClient *client; + +- if (client->send_coroutine) { +- AIO_WAIT_WHILE(exp->common.ctx, client->send_coroutine != NULL); +- } ++ QTAILQ_FOREACH(client, 
&exp->clients, next) { ++ client->quiescing = false; ++ nbd_client_receive_next_request(client); + } + } + +-static void blk_aio_detach(void *opaque) ++static bool nbd_drained_poll(void *opaque) + { + NBDExport *exp = opaque; ++ NBDClient *client; + +- trace_nbd_blk_aio_detach(exp->name, exp->common.ctx); ++ QTAILQ_FOREACH(client, &exp->clients, next) { ++ if (client->nb_requests != 0) { ++ /* ++ * If there's a coroutine waiting for a request on nbd_read_eof() ++ * enter it here so we don't depend on the client to wake it up. ++ */ ++ if (client->recv_coroutine != NULL && client->read_yielding) { ++ qemu_aio_coroutine_enter(exp->common.ctx, ++ client->recv_coroutine); ++ } + +- aio_wait_bh_oneshot(exp->common.ctx, nbd_aio_detach_bh, exp); ++ return true; ++ } ++ } + +- exp->common.ctx = NULL; ++ return false; + } + + static void nbd_eject_notifier(Notifier *n, void *data) +@@ -1594,6 +1618,12 @@ void nbd_export_set_on_eject_blk(BlockExport *exp, BlockBackend *blk) + blk_add_remove_bs_notifier(blk, &nbd_exp->eject_notifier); + } + ++static const BlockDevOps nbd_block_ops = { ++ .drained_begin = nbd_drained_begin, ++ .drained_end = nbd_drained_end, ++ .drained_poll = nbd_drained_poll, ++}; ++ + static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args, + Error **errp) + { +@@ -1715,8 +1745,17 @@ static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args, + + exp->allocation_depth = arg->allocation_depth; + ++ /* ++ * We need to inhibit request queuing in the block layer to ensure we can ++ * be properly quiesced when entering a drained section, as our coroutines ++ * servicing pending requests might enter blk_pread(). 
++ */ ++ blk_set_disable_request_queuing(blk, true); ++ + blk_add_aio_context_notifier(blk, blk_aio_attached, blk_aio_detach, exp); + ++ blk_set_dev_ops(blk, &nbd_block_ops, exp); ++ + QTAILQ_INSERT_TAIL(&exports, exp, next); + + return 0; +@@ -1788,6 +1827,7 @@ static void nbd_export_delete(BlockExport *blk_exp) + } + blk_remove_aio_context_notifier(exp->common.blk, blk_aio_attached, + blk_aio_detach, exp); ++ blk_set_disable_request_queuing(exp->common.blk, false); + } + + for (i = 0; i < exp->nr_export_bitmaps; i++) { +-- +2.27.0 + diff --git a/kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch b/kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch new file mode 100644 index 0000000..7fd2a56 --- /dev/null +++ b/kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch 
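Review bot: nbd_export_delete undoes blk_set_disable_request_queuing but leaves the device ops installed by `blk_set_dev_ops(blk, &nbd_block_ops, exp)` in nbd_export_create, so the BlockBackend keeps drained_begin/drained_end/drained_poll callbacks whose opaque is the NBDExport being torn down. If the backend can outlive the export, a later drain would call nbd_drained_poll on freed memory; if the backend is owned by and released together with the export (not visible in this hunk) the asymmetry is harmless but still worth closing. Pair the new line with `blk_set_dev_ops(exp->common.blk, NULL, NULL);` so teardown mirrors setup. nbd_export_create and nbd_export_delete both start and end outside the hunk.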
@@ -0,0 +1,49 @@
+From a9546384e1fe8b4dad9ab00c52f45dac3a8fbc00 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Tue, 8 Jun 2021 10:29:07 -0400
+Subject: [PATCH 04/12] redhat: x86: Enable 'kvm-asyncpf-int' by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina
+RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
+RH-Commit: [2/8] 2ea940445291df74dfed2d2f9f2b1f88a3eca31b (mrezanin/centos-src-qemu-kvm)
+RH-Bugzilla: 1957194
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Daniel P. Berrangé
+
+'kvm-asyncpf-int' feature is supported by KVM starting with RHEL-8.4
+kernel, enable the feature by default starting with RHEL-8.5 machine
+type.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Danilo C. L. de Paula
+Signed-off-by: Miroslav Rezanina
+---
+ hw/i386/pc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index 0a374dec39..cdbfa84d2e 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -366,12 +366,15 @@ GlobalProperty pc_rhel_compat[] = {
+ { TYPE_X86_CPU, "vmx-exit-load-perf-global-ctrl", "off" },
+ /* bz 1508330 */
+ { "vfio-pci", "x-no-geforce-quirks", "on" },
++ /* bz 1941397 */
++ { TYPE_X86_CPU, "kvm-asyncpf-int", "on" },
+ };
+ const size_t pc_rhel_compat_len = G_N_ELEMENTS(pc_rhel_compat);
+
+ GlobalProperty pc_rhel_8_4_compat[] = {
+ /* pc_rhel_8_4_compat from pc_compat_5_2 */
+ { "ICH9-LPC", "x-smi-cpu-hotunplug", "off" },
++ { TYPE_X86_CPU, "kvm-asyncpf-int", "off" },
+ };
+ const size_t pc_rhel_8_4_compat_len = G_N_ELEMENTS(pc_rhel_8_4_compat);
+
+--
+2.27.0
+
diff --git a/kvm-virtio-gpu-handle-partial-maps-properly.patch b/kvm-virtio-gpu-handle-partial-maps-properly.patch
new file mode 100644
index 0000000..4028f08
--- /dev/null
+++ b/kvm-virtio-gpu-handle-partial-maps-properly.patch
@@ -0,0 +1,201 @@
+From cdc537ada9528e09f8c70219f5a9a1ce8a4efa7e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Thu, 6 May 2021 11:10:01 +0200
+Subject: [PATCH 02/12] virtio-gpu: handle partial maps properly
+
+RH-Author: Eric Auger
+RH-MergeRequest: 15: virtio-gpu: handle partial maps properly
+RH-Commit: [1/1] f2b0fd9758251d1f3a5ff9563911c8bdb4b191f0 (eauger1/centos-qemu-kvm)
+RH-Bugzilla: 1974795
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Andrew Jones
+RH-Acked-by: Peter Xu
+
+dma_memory_map() may map only a part of the request. Happens if the
+request can't be mapped in one go, for example due to a iommu creating
+a linear dma mapping for scattered physical pages. Should that be the
+case virtio-gpu must call dma_memory_map() again with the remaining
+range instead of simply throwing an error.
+
+Note that this change implies the number of iov entries may differ from
+the number of mapping entries sent by the guest. Therefore the iov_len
+bookkeeping needs some updates too, we have to explicitly pass around
+the iov length now.
+
+Reported-by: Auger Eric
+Signed-off-by: Gerd Hoffmann
+Message-id: 20210506091001.1301250-1-kraxel@redhat.com
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Message-Id: <20210506091001.1301250-1-kraxel@redhat.com>
+(cherry picked from commit 9049f8bc445d50c0b5fe5500c0ec51fcc821c2ef)
+Signed-off-by: Eric Auger
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/virtio-gpu-3d.c | 7 ++--
+ hw/display/virtio-gpu.c | 76 ++++++++++++++++++++--------------
+ include/hw/virtio/virtio-gpu.h | 3 +-
+ 3 files changed, 52 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index d98964858e..72c14d9132 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -283,22 +283,23 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+ {
+ struct virtio_gpu_resource_attach_backing att_rb;
+ struct iovec *res_iovs;
++ uint32_t res_niov;
+ int ret;
+
+ VIRTIO_GPU_FILL_CMD(att_rb);
+ trace_virtio_gpu_cmd_res_back_attach(att_rb.resource_id);
+
+- ret = virtio_gpu_create_mapping_iov(g, &att_rb, cmd, NULL, &res_iovs);
++ ret = virtio_gpu_create_mapping_iov(g, &att_rb, cmd, NULL, &res_iovs, &res_niov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+ return;
+ }
+
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+- res_iovs, att_rb.nr_entries);
++ res_iovs, res_niov);
+
+ if (ret != 0)
+- virtio_gpu_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries);
++ virtio_gpu_cleanup_mapping_iov(g, res_iovs, res_niov);
+ }
+
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index c9f5e36fd0..6f3791deb3 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -608,11 +608,12 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
+ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
+ struct virtio_gpu_resource_attach_backing *ab,
+ struct virtio_gpu_ctrl_command *cmd,
+- uint64_t **addr, struct iovec **iov)
++
uint64_t **addr, struct iovec **iov,
++ uint32_t *niov)
+ {
+ struct virtio_gpu_mem_entry *ents;
+ size_t esize, s;
+- int i;
++ int e, v;
+
+ if (ab->nr_entries > 16384) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+@@ -633,37 +634,53 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
+ return -1;
+ }
+
+- *iov = g_malloc0(sizeof(struct iovec) * ab->nr_entries);
++ *iov = NULL;
+ if (addr) {
+- *addr = g_malloc0(sizeof(uint64_t) * ab->nr_entries);
++ *addr = NULL;
+ }
+- for (i = 0; i < ab->nr_entries; i++) {
+- uint64_t a = le64_to_cpu(ents[i].addr);
+- uint32_t l = le32_to_cpu(ents[i].length);
+- hwaddr len = l;
+- (*iov)[i].iov_base = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
+- a, &len, DMA_DIRECTION_TO_DEVICE);
+- (*iov)[i].iov_len = len;
+- if (addr) {
+- (*addr)[i] = a;
+- }
+- if (!(*iov)[i].iov_base || len != l) {
+- qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
+- " resource %d element %d\n",
+- __func__, ab->resource_id, i);
+- if ((*iov)[i].iov_base) {
+- i++; /* cleanup the 'i'th map */
++ for (e = 0, v = 0; e < ab->nr_entries; e++) {
++ uint64_t a = le64_to_cpu(ents[e].addr);
++ uint32_t l = le32_to_cpu(ents[e].length);
++ hwaddr len;
++ void *map;
++
++ do {
++ len = l;
++ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
++ a, &len, DMA_DIRECTION_TO_DEVICE);
++ if (!map) {
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
++ " resource %d element %d\n",
++ __func__, ab->resource_id, e);
++ virtio_gpu_cleanup_mapping_iov(g, *iov, v);
++ g_free(ents);
++ *iov = NULL;
++ if (addr) {
++ g_free(*addr);
++ *addr = NULL;
++ }
++ return -1;
++ }
++
++ if (!(v % 16)) {
++ *iov = g_realloc(*iov, sizeof(struct iovec) * (v + 16));
++ if (addr) {
++ *addr = g_realloc(*addr, sizeof(uint64_t) * (v + 16));
++ }
+ }
+- virtio_gpu_cleanup_mapping_iov(g, *iov, i);
+- g_free(ents);
+- *iov = NULL;
++ (*iov)[v].iov_base = map;
++ (*iov)[v].iov_len = len;
+ if (addr) {
+- g_free(*addr);
+- *addr = NULL;
++ (*addr)[v] = a;
+ }
+- return -1;
+-
}
++
++ a += len;
++ l -= len;
++ v += 1;
++ } while (l > 0);
+ }
++ *niov = v;
++
+ g_free(ents);
+ return 0;
+ }
+@@ -717,13 +734,12 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
+- ret = virtio_gpu_create_mapping_iov(g, &ab, cmd, &res->addrs, &res->iov);
++ ret = virtio_gpu_create_mapping_iov(g, &ab, cmd, &res->addrs,
++ &res->iov, &res->iov_cnt);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+ return;
+ }
+-
+- res->iov_cnt = ab.nr_entries;
+ }
+
+ static void
+diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
+index fae149235c..0d15af41d9 100644
+--- a/include/hw/virtio/virtio-gpu.h
++++ b/include/hw/virtio/virtio-gpu.h
+@@ -209,7 +209,8 @@ void virtio_gpu_get_edid(VirtIOGPU *g,
+ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
+ struct virtio_gpu_resource_attach_backing *ab,
+ struct virtio_gpu_ctrl_command *cmd,
+- uint64_t **addr, struct iovec **iov);
++ uint64_t **addr, struct iovec **iov,
++ uint32_t *niov);
+ void virtio_gpu_cleanup_mapping_iov(VirtIOGPU *g,
+ struct iovec *iov, uint32_t count);
+ void virtio_gpu_process_cmdq(VirtIOGPU *g);
+--
+2.27.0
+
diff --git a/kvm-x86-Add-x86-rhel8.5-machine-types.patch b/kvm-x86-Add-x86-rhel8.5-machine-types.patch
new file mode 100644
index 0000000..9100f47
--- /dev/null
+++ b/kvm-x86-Add-x86-rhel8.5-machine-types.patch
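Review bot: In virtio_gpu_create_mapping_iov the new out-parameter is written only on the success path (`*niov = v;`), so every `return -1` leaves it untouched, and the caller in virtio_gpu_resource_attach_backing now hands in `&res->iov_cnt` directly; after a failed attach a previous count may therefore sit next to a NULL `res->iov`, which looks like the same gap the old code had but is cheap to close by initialising the out-parameter at function entry, `*niov = 0;`. The `do { ... } while (l > 0)` loop advances only by `len`, so it relies on dma_memory_map() never returning a non-NULL mapping with `len == 0`; if the DMA layer does not guarantee that, `if (!map || len == 0) {` turns a possible spin into the existing error path instead of a hang driven by guest-supplied lengths. The prototype change in include/hw/virtio/virtio-gpu.h would also benefit from a one-line comment stating that `*niov` receives the number of iovec entries actually produced, which may exceed `ab->nr_entries` when a mapping is split. The stretch of the function between the two inner hunks of hw/display/virtio-gpu.c is not shown here.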
@@ -0,0 +1,130 @@
+From 1497b5d371a63dd20d3b14ca2f8cce99845a1c2c Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert"
+Date: Wed, 19 May 2021 15:46:27 -0400
+Subject: [PATCH 03/12] x86: Add x86 rhel8.5 machine types
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina
+RH-MergeRequest: 16: Synchronize with RHEL-AV 8.5 release 21 to RHEL 9
+RH-Commit: [1/8] db81806d99b545abe4dcba576fb33c02ec283dd7 (mrezanin/centos-src-qemu-kvm)
+RH-Bugzilla: 1957194
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Daniel P. Berrangé
+
+From: "Dr. David Alan Gilbert"
+
+Add the 8.5 machine type and the compat entries.
+
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Danilo C. L. de Paula
+Signed-off-by: Miroslav Rezanina
+---
+ hw/i386/pc.c | 6 ++++++
+ hw/i386/pc_piix.c | 2 ++
+ hw/i386/pc_q35.c | 24 ++++++++++++++++++++++--
+ include/hw/i386/pc.h | 3 +++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index edc02a68ca..0a374dec39 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -369,6 +369,12 @@ GlobalProperty pc_rhel_compat[] = {
+ };
+ const size_t pc_rhel_compat_len = G_N_ELEMENTS(pc_rhel_compat);
+
++GlobalProperty pc_rhel_8_4_compat[] = {
++ /* pc_rhel_8_4_compat from pc_compat_5_2 */
++ { "ICH9-LPC", "x-smi-cpu-hotunplug", "off" },
++};
++const size_t pc_rhel_8_4_compat_len = G_N_ELEMENTS(pc_rhel_8_4_compat);
++
+ GlobalProperty pc_rhel_8_3_compat[] = {
+ /* pc_rhel_8_3_compat from pc_compat_5_1 */
+ { "ICH9-LPC", "x-smi-cpu-hotplug", "off" },
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index d9c5df16d8..5d61c9b833 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -971,6 +971,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
+ pcmc->pci_root_uid = 1;
+ compat_props_add(m->compat_props, hw_compat_rhel_8_4,
+ hw_compat_rhel_8_4_len);
++ compat_props_add(m->compat_props, pc_rhel_8_4_compat,
++ pc_rhel_8_4_compat_len);
+
compat_props_add(m->compat_props, hw_compat_rhel_8_3,
+ hw_compat_rhel_8_3_len);
+ compat_props_add(m->compat_props, pc_rhel_8_3_compat,
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index 44109e4876..01ff3e0544 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -607,6 +607,24 @@ static void pc_q35_machine_rhel_options(MachineClass *m)
+ compat_props_add(m->compat_props, pc_rhel_compat, pc_rhel_compat_len);
+ }
+
++static void pc_q35_init_rhel850(MachineState *machine)
++{
++ pc_q35_init(machine);
++}
++
++static void pc_q35_machine_rhel850_options(MachineClass *m)
++{
++ PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
++ pc_q35_machine_rhel_options(m);
++ m->desc = "RHEL-8.5.0 PC (Q35 + ICH9, 2009)";
++ pcmc->smbios_stream_product = "RHEL-AV";
++ pcmc->smbios_stream_version = "8.5.0";
++}
++
++DEFINE_PC_MACHINE(q35_rhel850, "pc-q35-rhel8.5.0", pc_q35_init_rhel850,
++ pc_q35_machine_rhel850_options);
++
++
+ static void pc_q35_init_rhel840(MachineState *machine)
+ {
+ pc_q35_init(machine);
+@@ -615,12 +633,15 @@ static void pc_q35_init_rhel840(MachineState *machine)
+ static void pc_q35_machine_rhel840_options(MachineClass *m)
+ {
+ PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
+- pc_q35_machine_rhel_options(m);
++ pc_q35_machine_rhel850_options(m);
+ m->desc = "RHEL-8.4.0 PC (Q35 + ICH9, 2009)";
++ m->alias = NULL;
+ pcmc->smbios_stream_product = "RHEL-AV";
+ pcmc->smbios_stream_version = "8.4.0";
+ compat_props_add(m->compat_props, hw_compat_rhel_8_4,
+ hw_compat_rhel_8_4_len);
++ compat_props_add(m->compat_props, pc_rhel_8_4_compat,
++ pc_rhel_8_4_compat_len);
+ }
+
+ DEFINE_PC_MACHINE(q35_rhel840, "pc-q35-rhel8.4.0", pc_q35_init_rhel840,
+@@ -637,7 +658,6 @@ static void pc_q35_machine_rhel830_options(MachineClass *m)
+ PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
+ pc_q35_machine_rhel840_options(m);
+ m->desc = "RHEL-8.3.0 PC (Q35 + ICH9, 2009)";
+- m->alias = NULL;
+ pcmc->smbios_stream_product = "RHEL-AV";
+ pcmc->smbios_stream_version = "8.3.0";
+
compat_props_add(m->compat_props, hw_compat_rhel_8_3,
+diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
+index 79a7803a2f..1980c93f41 100644
+--- a/include/hw/i386/pc.h
++++ b/include/hw/i386/pc.h
+@@ -281,6 +281,9 @@ extern const size_t pc_compat_1_4_len;
+ extern GlobalProperty pc_rhel_compat[];
+ extern const size_t pc_rhel_compat_len;
+
++extern GlobalProperty pc_rhel_8_4_compat[];
++extern const size_t pc_rhel_8_4_compat_len;
++
+ extern GlobalProperty pc_rhel_8_3_compat[];
+ extern const size_t pc_rhel_8_3_compat_len;
+
+--
+2.27.0
+
diff --git a/qemu-guest-agent.service b/qemu-guest-agent.service
index b33e951..b3157d5 100644
--- a/qemu-guest-agent.service
+++ b/qemu-guest-agent.service
@@ -12,7 +12,6 @@ ExecStart=/usr/bin/qemu-ga \
 --path=/dev/virtio-ports/org.qemu.guest_agent.0 \
 --blacklist=${BLACKLIST_RPC} \
 -F${FSFREEZE_HOOK_PATHNAME}
-StandardError=syslog
 Restart=always
 RestartSec=0

diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index e812783..65b0566 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -67,14 +67,13 @@ Requires: %{name}-ui-opengl = %{epoch}:%{version}-%{release} \
 %endif \
 Requires: %{name}-block-curl = %{epoch}:%{version}-%{release} \
-Requires: %{name}-block-iscsi = %{epoch}:%{version}-%{release} \
 Requires: %{name}-block-rbd = %{epoch}:%{version}-%{release} \
 Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}

 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.0.0
-Release: 6%{?rcversion}%{?dist}
+Release: 7%{?rcversion}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -173,6 +172,26 @@ Patch40: kvm-target-i386-Add-CPU-model-versions-supporting-xsaves.patch
 Patch41: kvm-spapr-Remove-stale-comment-about-power-saving-LPCR-b.patch
 # For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
 Patch42: kvm-spapr-Set-LPCR-to-current-AIL-mode-when-starting-a-n.patch
+# For bz#1967502 - [aarch64] [qemu] Compile the PCIe expander bridge
+Patch43: kvm-aarch64-rh-devices-add-CONFIG_PXB.patch
+# For bz#1974795 - [RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR
+Patch44: kvm-virtio-gpu-handle-partial-maps-properly.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch45: kvm-x86-Add-x86-rhel8.5-machine-types.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch46: kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch47: kvm-block-backend-add-drained_poll.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch48: kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch49: kvm-disable-CONFIG_USB_STORAGE_BOT.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
+# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
+Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch

 # Source-git patches
@@ -183,7 +202,6 @@ BuildRequires: gnutls-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: libaio-devel
 BuildRequires: python3-devel
-BuildRequires: libiscsi-devel
 BuildRequires: libattr-devel
 BuildRequires: libusbx-devel >= %{libusbx_version}
 %if %{have_usbredir}
@@ -281,6 +299,7 @@ Requires: libfdt >= %{libfdt_version}
 # other words RHEL-9 rebases are done together/before RHEL-8 ones)
 Obsoletes: qemu-kvm-ui-spice <= %{version}
 Obsoletes: qemu-kvm-block-gluster <= %{version}
+Obsoletes: %{name}-block-iscsi <= %{version}

 %description -n qemu-kvm-core
 qemu-kvm is an open source virtualizer that provides hardware
@@ -363,16 +382,6 @@ Install this package if you want to access remote disks over http, https,
 ftp and other transports provided by the CURL library.


-%package block-iscsi
-Summary: QEMU iSCSI block driver
-Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description block-iscsi
-This package provides the additional iSCSI block driver for QEMU.
-
-Install this package if you want to access iSCSI volumes.
-
-
 %package block-rbd
 Summary: QEMU Ceph/RBD block driver
 Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@@ -592,7 +601,6 @@ pushd %{qemu_kvm_build}
 --enable-guest-agent \
 --enable-iconv \
 --enable-kvm \
- --enable-libiscsi \
 %if %{have_pmem}
 --enable-libpmem \
 %endif
@@ -1196,9 +1204,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %files block-curl
 %{_libdir}/qemu-kvm/block-curl.so

-%files block-iscsi
-%{_libdir}/qemu-kvm/block-iscsi.so
-
 %files block-rbd
 %{_libdir}/qemu-kvm/block-rbd.so
@@ -1213,6 +1218,30 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %endif

 %changelog
+* Mon Jun 28 2021 Miroslav Rezanina - 6.0.0-7
+- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
+- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
+- kvm-x86-Add-x86-rhel8.5-machine-types.patch [bz#1957194]
+- kvm-redhat-x86-Enable-kvm-asyncpf-int-by-default.patch [bz#1957194]
+- kvm-block-backend-add-drained_poll.patch [bz#1957194]
+- kvm-nbd-server-Use-drained-block-ops-to-quiesce-the-serv.patch [bz#1957194]
+- kvm-disable-CONFIG_USB_STORAGE_BOT.patch [bz#1957194]
+- kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch [bz#1957194]
+- kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch [bz#1957194]
+- kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch [bz#1957194]
+- kvm-qga-drop-StandardError-syslog.patch [bz#1947977]
+- kvm-Remove-iscsi-support.patch [bz#1967133]
+- Resolves: bz#1967502
+ ([aarch64] [qemu] Compile the PCIe expander bridge)
+- Resolves: bz#1974795
+ ([RHEL9-beta] [aarch64] Launch guest with virtio-gpu-pci and virtual smmu causes "virtio_gpu_dequeue_ctrl_func" ERROR)
+- Resolves: bz#1957194
+ (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta)
+- Resolves: bz#1947977
+ (remove StandardError=syslog from qemu-guest-agent.service)
+- Resolves: bz#1967133
+ (QEMU: disable libiscsi in RHEL-9)
+
 * Mon Jun 21 2021 Miroslav Rezanina - 6.0.0-6
 - kvm-yank-Unregister-function-when-using-TLS-migration.patch [bz#1972462]
 - kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1957194]