* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8

- kvm-Disable-TPM-passthrough.patch [bz#1978911] - kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837] - Resolves: bz#1978911 (Remove TPM Passthrough option from RHEL 9) - Resolves: bz#1978837 (Remove/replace kvm-setup.service)
2021-07-12 03:27:57 -04:00 · 2021-07-12 03:27:57 -04:00 · 0cede3b3b7
commit 0cede3b3b7
parent 0253757df8
6 changed files with 73 additions and 100 deletions
--- a/85-kvm.preset
+++ b/85-kvm.preset
@ -1,5 +0,0 @@
-# Enable kvm-setup by default.  This can have odd side effects on
-# PowerNV systems that aren't intended as KVM hosts, but at present we
-# only support RHEL on PowerNV for the purpose of being a RHEV host.
-
-enable kvm-setup.service
--- a/kvm-Disable-TPM-passthrough.patch
+++ b/kvm-Disable-TPM-passthrough.patch
@ -0,0 +1,44 @@
+From 651798d03827dda7eb8dc33fb3482f872ec81d16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 5 Jul 2021 15:23:48 +0400
+Subject: [PATCH 1/2] Disable TPM passthrough
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <None>
+RH-MergeRequest: 17: Disable TPM passthrough
+RH-Commit: [1/1] 735b79065149b968350b3f14d763030d5ef66457
+RH-Bugzilla: 1978911
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Eric Auger <eric.auger@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ default-configs/devices/ppc64-rh-devices.mak  | 1 -
+ default-configs/devices/x86_64-rh-devices.mak | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak
+index 3ec5603ace..d6e424540e 100644
+--- a/default-configs/devices/ppc64-rh-devices.mak
+++ b/default-configs/devices/ppc64-rh-devices.mak
+@@ -32,4 +32,3 @@ CONFIG_XICS=y
+ CONFIG_XIVE=y
+ CONFIG_TPM_SPAPR=y
+ CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak
+index 81bda09f4c..c2dd112f81 100644
+--- a/default-configs/devices/x86_64-rh-devices.mak
+++ b/default-configs/devices/x86_64-rh-devices.mak
+@@ -98,4 +98,3 @@ CONFIG_XIO3130=y
+ CONFIG_TPM_CRB=y
+ CONFIG_TPM_TIS_ISA=y
+ CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+-- 
+2.27.0
+
--- a/49
+++ b/49
@ -1,49 +0,0 @@
-#! /bin/bash
-
-kvm_setup_powerpc () {
-    if grep '^platform[[:space:]]*:[[:space:]]*PowerNV' /proc/cpuinfo > /dev/null; then
-	# PowerNV platform, which is KVM HV capable
-
-	if [ -z "$SUBCORES" ]; then
-	    SUBCORES=1
-	fi
-
-	# Step 1. Load the KVM HVmodule
-	if ! modprobe -b kvm_hv; then
-	    return
-	fi
-
-	# On POWER8 a host core can only run threads of a single
-	# guest, meaning that SMT must be disabled on the host in
-	# order to run KVM guests. (Also applieds to POWER7, but we
-	# don't support that).
-	#
-	# POWER9 doesn't have this limitation (though it will for hash
-	# guests on radix host when that's implemented).  So, only set
-	# up subcores and disable SMT for POWER*.
-	if grep '^cpu[[:space:]]*:[[:space:]]*POWER8' /proc/cpuinfo > /dev/null; then
-	    # Step 2. Configure subcore mode
-	    /usr/sbin/ppc64_cpu --subcores-per-core=$SUBCORES
-
-	    # Step 3. Disable SMT (multithreading)
-	    /usr/sbin/ppc64_cpu --smt=off
-	fi
-    fi
-}
-
-kvm_setup_s390x () {
-    if grep -q "^features.*sie" /proc/cpuinfo; then
-        modprobe kvm
-    fi
-}
-
-case $(uname -m) in
-    ppc64|ppc64le)
-	kvm_setup_powerpc
-	;;
-    s390x)
-	kvm_setup_s390x
-	;;
-esac
-
-exit 0
--- a/kvm-setup.service
+++ b/kvm-setup.service
@ -1,14 +0,0 @@
-[Unit]
-Description=Perform system configuration to prepare system to run KVM guests
-# Offlining CPUs can cause irqbalance to throw warnings if it's running
-Before=irqbalance.service
-# libvirtd reads CPU topology at startup, so change it before
-Before=libvirtd.service
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/sysconfig/kvm
-ExecStart=/usr/lib/systemd/kvm-setup
-
-[Install]
-WantedBy=multi-user.target
--- a/modules-load.conf
+++ b/modules-load.conf
@ -0,0 +1,4 @@
+# When using SELinux in libvirt, automatic loading of the kvm.ko kernel
+# module might not work when qemu-kvm tries to access /dev/kvm - thus we
+# simply always load this module during the boot process already.
+kvm
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -7,7 +7,7 @@
 %global have_usbredir 1
 %global have_opengl   1
 %global have_fdt      0
-%global have_kvm_setup 0
+%global have_modules_load 0
 %global have_memlock_limits 0
 # have_block_rbd is not relevant for RHEL but makes it
 # easier to sync spec dependency list with Fedora
@ -44,12 +44,11 @@
 %ifarch %{power64}
    %global kvm_target    ppc64
    %global have_fdt     1
-    %global have_kvm_setup 1
    %global have_memlock_limits 1
 %endif
 %ifarch s390x
    %global kvm_target    s390x
-    %global have_kvm_setup 1
+    %global have_modules_load 1
 %endif
 %ifarch ppc
    %global kvm_target    ppc
@ -73,7 +72,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.0.0
-Release: 7%{?rcversion}%{?dist}
+Release: 8%{?rcversion}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -96,9 +95,7 @@ Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
 Source12: bridge.conf
 Source13: qemu-ga.sysconfig
-Source21: kvm-setup
-Source22: kvm-setup.service
-Source23: 85-kvm.preset
+Source21: modules-load.conf
 Source26: vhost.conf
 Source27: kvm.conf
 Source28: 95-kvm-memlock.conf
@ -192,6 +189,8 @@ Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch
 Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
 # For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
 Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch
+# For bz#1978911 - Remove TPM Passthrough option from RHEL 9
+Patch53: kvm-Disable-TPM-passthrough.patch

 # Source-git patches

@ -281,10 +280,6 @@ Requires: edk2-aarch64
 %endif

 Requires: libseccomp >= %{libseccomp_version}
-%if %{have_kvm_setup}
-Requires(post): systemd-units
-Requires(preun): systemd-units
-%endif
 Requires: libusbx >= %{libusbx_version}
 %if %{have_usbredir}
 Requires: usbredir >= %{usbredir_version}
@ -970,10 +965,8 @@ rom_link() {
  rom_link ../sgabios/sgabios.bin sgabios.bin
 %endif

-%if %{have_kvm_setup}
-    install -D -p -m 755 %{SOURCE21} $RPM_BUILD_ROOT%{_prefix}/lib/systemd/kvm-setup
-    install -D -p -m 644 %{SOURCE22} $RPM_BUILD_ROOT%{_unitdir}/kvm-setup.service
-    install -D -p -m 644 %{SOURCE23} $RPM_BUILD_ROOT%{_presetdir}/85-kvm.preset
+%if %{have_modules_load}
+    install -D -p -m 644 %{SOURCE21} $RPM_BUILD_ROOT%{_sysconfdir}/modules-load.d/kvm.conf
 %endif

 %if %{have_memlock_limits}
@ -1021,25 +1014,19 @@ getent passwd qemu >/dev/null || \
 useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
  -c "qemu user" qemu

-# load kvm modules now, so we can make sure no reboot is needed.
-# If there's already a kvm module installed, we don't mess with it
-%udev_rules_update
-sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
-    udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || :
-%if %{have_kvm_setup}
-    systemctl daemon-reload # Make sure it sees the new presets and unitfile
-    %systemd_post kvm-setup.service
-    if systemctl is-enabled kvm-setup.service > /dev/null; then
-        systemctl start kvm-setup.service
+# If this is a new installation, then load kvm modules now, so we can make
+# sure that the user gets a system where KVM is ready to use. In case of
+# an upgrade, don't try to modprobe again in case the user unloaded the
+# kvm module on purpose.
+%if %{have_modules_load}
+    if [ "$1" = "1" ]; then
+        modprobe -b kvm  &> /dev/null || :
    fi
 %endif

 %preun -n qemu-kvm-common
 %systemd_preun ksm.service
 %systemd_preun ksmtuned.service
-%if %{have_kvm_setup}
-%systemd_preun kvm-setup.service
-%endif

 %postun -n qemu-kvm-common
 %systemd_postun_with_restart ksm.service
@ -1145,10 +1132,8 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_datadir}/%{name}/linuxboot_dma.bin
 %{_datadir}/%{name}/dump-guest-memory.py*
 %{_datadir}/%{name}/trace-events-all
-%if %{have_kvm_setup}
-    %{_prefix}/lib/systemd/kvm-setup
-    %{_unitdir}/kvm-setup.service
-    %{_presetdir}/85-kvm.preset
+%if %{have_modules_load}
+    %{_sysconfdir}/modules-load.d/kvm.conf
 %endif
 %if %{have_memlock_limits}
    %{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
@ -1218,6 +1203,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %endif

 %changelog
+* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8
+- kvm-Disable-TPM-passthrough.patch [bz#1978911]
+- kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837]
+- Resolves: bz#1978911
+  (Remove TPM Passthrough option from RHEL 9)
+- Resolves: bz#1978837
+  (Remove/replace kvm-setup.service)
+
 * Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7
 - kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
 - kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]