From 0cede3b3b7196d0fcc95e638d7e5c74a39619e46 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Mon, 12 Jul 2021 03:27:57 -0400
Subject: [PATCH] * Mon Jul 12 2021 Miroslav Rezanina - 6.0.0-8 - kvm-Disable-TPM-passthrough.patch [bz#1978911] - kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837] - Resolves: bz#1978911 (Remove TPM Passthrough option from RHEL 9) - Resolves: bz#1978837 (Remove/replace kvm-setup.service)
---
 85-kvm.preset | 5 ---
 kvm-Disable-TPM-passthrough.patch | 44 ++++++++++++++++++++++++
 kvm-setup | 49 --------------------------
 kvm-setup.service | 14 --------
 modules-load.conf | 4 +++
 qemu-kvm.spec | 57 ++++++++++++++-----------------
 6 files changed, 73 insertions(+), 100 deletions(-)
 delete mode 100644 85-kvm.preset
 create mode 100644 kvm-Disable-TPM-passthrough.patch
 delete mode 100644 kvm-setup
 delete mode 100644 kvm-setup.service
 create mode 100644 modules-load.conf
diff --git a/85-kvm.preset b/85-kvm.preset
deleted file mode 100644
index 8024052..0000000
--- a/85-kvm.preset
+++ /dev/null
@@ -1,5 +0,0 @@
-# Enable kvm-setup by default. This can have odd side effects on
-# PowerNV systems that aren't intended as KVM hosts, but at present we
-# only support RHEL on PowerNV for the purpose of being a RHEV host.
-
-enable kvm-setup.service
diff --git a/kvm-Disable-TPM-passthrough.patch b/kvm-Disable-TPM-passthrough.patch
new file mode 100644
index 0000000..b0cc0b7
--- /dev/null
+++ b/kvm-Disable-TPM-passthrough.patch
@@ -0,0 +1,44 @@
+From 651798d03827dda7eb8dc33fb3482f872ec81d16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Mon, 5 Jul 2021 15:23:48 +0400
+Subject: [PATCH 1/2] Disable TPM passthrough
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau
+RH-MergeRequest: 17: Disable TPM passthrough
+RH-Commit: [1/1] 735b79065149b968350b3f14d763030d5ef66457
+RH-Bugzilla: 1978911
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Eric Auger
+RH-Acked-by: Daniel P. Berrangé
+
+Signed-off-by: Marc-André Lureau
+Signed-off-by: Miroslav Rezanina
+---
+ default-configs/devices/ppc64-rh-devices.mak | 1 -
+ default-configs/devices/x86_64-rh-devices.mak | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak
+index 3ec5603ace..d6e424540e 100644
+--- a/default-configs/devices/ppc64-rh-devices.mak
++++ b/default-configs/devices/ppc64-rh-devices.mak
+@@ -32,4 +32,3 @@ CONFIG_XICS=y
+ CONFIG_XIVE=y
+ CONFIG_TPM_SPAPR=y
+ CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak
+index 81bda09f4c..c2dd112f81 100644
+--- a/default-configs/devices/x86_64-rh-devices.mak
++++ b/default-configs/devices/x86_64-rh-devices.mak
+@@ -98,4 +98,3 @@ CONFIG_XIO3130=y
+ CONFIG_TPM_CRB=y
+ CONFIG_TPM_TIS_ISA=y
+ CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+--
+2.27.0
+
diff --git a/kvm-setup b/kvm-setup
deleted file mode 100644
index 3bfedf6..0000000
--- a/kvm-setup
+++ /dev/null
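Review bot: The embedded patch has no description between its Subject and the RH-/Signed-off-by trailers, so the reason for dropping `CONFIG_TPM_PASSTHROUGH=y` can only be found through Bugzilla 1978911. A one-line body such as `TPM passthrough is not offered in RHEL 9; the emulator backend (CONFIG_TPM_EMULATOR) stays enabled.` would make the reduced device surface auditable from the source RPM alone. Its diffstat touches only the ppc64 and x86_64 rh-devices files; the device configs of the other architectures are not visible here, so it is worth confirming that none of them still sets the option.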
@@ -1,49 +0,0 @@
-#! /bin/bash
-
-kvm_setup_powerpc () {
- if grep '^platform[[:space:]]*:[[:space:]]*PowerNV' /proc/cpuinfo > /dev/null; then
- # PowerNV platform, which is KVM HV capable
-
- if [ -z "$SUBCORES" ]; then
- SUBCORES=1
- fi
-
- # Step 1. Load the KVM HVmodule
- if ! modprobe -b kvm_hv; then
- return
- fi
-
- # On POWER8 a host core can only run threads of a single
- # guest, meaning that SMT must be disabled on the host in
- # order to run KVM guests. (Also applieds to POWER7, but we
- # don't support that).
- #
- # POWER9 doesn't have this limitation (though it will for hash
- # guests on radix host when that's implemented). So, only set
- # up subcores and disable SMT for POWER*.
- if grep '^cpu[[:space:]]*:[[:space:]]*POWER8' /proc/cpuinfo > /dev/null; then
- # Step 2. Configure subcore mode
- /usr/sbin/ppc64_cpu --subcores-per-core=$SUBCORES
-
- # Step 3. Disable SMT (multithreading)
- /usr/sbin/ppc64_cpu --smt=off
- fi
- fi
-}
-
-kvm_setup_s390x () {
- if grep -q "^features.*sie" /proc/cpuinfo; then
- modprobe kvm
- fi
-}
-
-case $(uname -m) in
- ppc64|ppc64le)
- kvm_setup_powerpc
- ;;
- s390x)
- kvm_setup_s390x
- ;;
-esac
-
-exit 0
diff --git a/kvm-setup.service b/kvm-setup.service
deleted file mode 100644
index 9c4bf97..0000000
--- a/kvm-setup.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Perform system configuration to prepare system to run KVM guests
-# Offlining CPUs can cause irqbalance to throw warnings if it's running
-Before=irqbalance.service
-# libvirtd reads CPU topology at startup, so change it before
-Before=libvirtd.service
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/sysconfig/kvm
-ExecStart=/usr/lib/systemd/kvm-setup
-
-[Install]
-WantedBy=multi-user.target
diff --git a/modules-load.conf b/modules-load.conf
new file mode 100644
index 0000000..45b477d
--- /dev/null
+++ b/modules-load.conf
@@ -0,0 +1,4 @@
+# When using SELinux in libvirt, automatic loading of the kvm.ko kernel
+# module might not work when qemu-kvm tries to access /dev/kvm - thus we
+# simply always load this module during the boot process already.
+kvm
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 65b0566..f43a170 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -7,7 +7,7 @@
 %global have_usbredir 1
 %global have_opengl 1
 %global have_fdt 0
-%global have_kvm_setup 0
+%global have_modules_load 0
 %global have_memlock_limits 0
 # have_block_rbd is not relevant for RHEL but makes it
 # easier to sync spec dependency list with Fedora
@@ -44,12 +44,11 @@
 %ifarch %{power64}
 %global kvm_target ppc64
 %global have_fdt 1
- %global have_kvm_setup 1
 %global have_memlock_limits 1
 %endif
 %ifarch s390x
 %global kvm_target s390x
- %global have_kvm_setup 1
+ %global have_modules_load 1
 %endif
 %ifarch ppc
 %global kvm_target ppc
@@ -73,7 +72,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.0.0
-Release: 7%{?rcversion}%{?dist}
+Release: 8%{?rcversion}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -96,9 +95,7 @@ Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
 Source12: bridge.conf
 Source13: qemu-ga.sysconfig
-Source21: kvm-setup
-Source22: kvm-setup.service
-Source23: 85-kvm.preset
+Source21: modules-load.conf
 Source26: vhost.conf
 Source27: kvm.conf
 Source28: 95-kvm-memlock.conf
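Review bot: In the `%ifarch %{power64}` block of the -44,12 hunk, `have_kvm_setup 1` is removed and `have_modules_load 1` is not put in its place, so only s390x receives the new modules-load.d file. The deleted kvm-setup script loaded `kvm_hv` on PowerNV and, on POWER8, configured subcores and disabled SMT; nothing in this commit replaces that for ppc64, and the changelog entry does not say the drop is deliberate. If it is, a comment in that block would record it, e.g. `# No KVM module preload on POWER; kvm-setup removed, see bz#1978837`. The `%ifarch ppc` block at the end of the hunk continues outside it.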
@@ -192,6 +189,8 @@ Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch # For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch +# For bz#1978911 - Remove TPM Passthrough option from RHEL 9 +Patch53: kvm-Disable-TPM-passthrough.patch # Source-git patches @@ -281,10 +280,6 @@ Requires: edk2-aarch64 %endif Requires: libseccomp >= %{libseccomp_version} -%if %{have_kvm_setup} -Requires(post): systemd-units -Requires(preun): systemd-units -%endif Requires: libusbx >= %{libusbx_version} %if %{have_usbredir} Requires: usbredir >= %{usbredir_version} @@ -970,10 +965,8 @@ rom_link() { rom_link ../sgabios/sgabios.bin sgabios.bin %endif -%if %{have_kvm_setup} - install -D -p -m 755 %{SOURCE21} $RPM_BUILD_ROOT%{_prefix}/lib/systemd/kvm-setup - install -D -p -m 644 %{SOURCE22} $RPM_BUILD_ROOT%{_unitdir}/kvm-setup.service - install -D -p -m 644 %{SOURCE23} $RPM_BUILD_ROOT%{_presetdir}/85-kvm.preset +%if %{have_modules_load} + install -D -p -m 644 %{SOURCE21} $RPM_BUILD_ROOT%{_sysconfdir}/modules-load.d/kvm.conf %endif %if %{have_memlock_limits} 
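Review bot: The -970,10 hunk installs the new file under `%{_sysconfdir}/modules-load.d/kvm.conf`, but the matching %files entry (hunk at -1145,10) lists it without a `%config` marker, so an administrator's edit to that file under /etc is overwritten on every package update. That works against the %post comment about respecting a user who unloaded kvm on purpose. Either list it as `%config(noreplace) %{_sysconfdir}/modules-load.d/kvm.conf`, or ship the vendor default in /usr/lib/modules-load.d (`%{_modulesloaddir}` where systemd's RPM macros are available) and leave /etc for local overrides. The surrounding install section starts and ends outside the hunk.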
@@ -1021,25 +1014,19 @@ getent passwd qemu >/dev/null || \ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ -c "qemu user" qemu -# load kvm modules now, so we can make sure no reboot is needed. -# If there's already a kvm module installed, we don't mess with it -%udev_rules_update -sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : - udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || : -%if %{have_kvm_setup} - systemctl daemon-reload # Make sure it sees the new presets and unitfile - %systemd_post kvm-setup.service - if systemctl is-enabled kvm-setup.service > /dev/null; then - systemctl start kvm-setup.service +# If this is a new installation, then load kvm modules now, so we can make +# sure that the user gets a system where KVM is ready to use. In case of +# an upgrade, don't try to modprobe again in case the user unloaded the +# kvm module on purpose. +%if %{have_modules_load} + if [ "$1" = "1" ]; then + modprobe -b kvm &> /dev/null || : fi %endif %preun -n qemu-kvm-common %systemd_preun ksm.service %systemd_preun ksmtuned.service -%if %{have_kvm_setup} -%systemd_preun kvm-setup.service -%endif %postun -n qemu-kvm-common %systemd_postun_with_restart ksm.service @@ -1145,10 +1132,8 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_datadir}/%{name}/linuxboot_dma.bin %{_datadir}/%{name}/dump-guest-memory.py* %{_datadir}/%{name}/trace-events-all -%if %{have_kvm_setup} - %{_prefix}/lib/systemd/kvm-setup - %{_unitdir}/kvm-setup.service - %{_presetdir}/85-kvm.preset +%if %{have_modules_load} + %{_sysconfdir}/modules-load.d/kvm.conf %endif %if %{have_memlock_limits} %{_sysconfdir}/security/limits.d/95-kvm-memlock.conf 
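Review bot: The rewritten scriptlet in the -1021,25 hunk removes `%udev_rules_update` and the `udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add` call for every architecture, while the replacement `modprobe -b kvm` runs only where `have_modules_load` is set. If this package still ships a udev rule governing the group or mode of /dev/kvm (not visible in this diff), a first install on a host with the module already loaded would leave the device node with its previous permissions until the next reboot or manual trigger; that is worth confirming before these calls go. The scriptlet begins above the hunk, so whether anything earlier covers this cannot be seen here. As a smaller point, `modprobe -b kvm >/dev/null 2>&1 || :` avoids the bash-only `&>` redirection.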
@@ -1218,6 +1203,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %endif %changelog +* Mon Jul 12 2021 Miroslav Rezanina - 6.0.0-8 +- kvm-Disable-TPM-passthrough.patch [bz#1978911] +- kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837] +- Resolves: bz#1978911 + (Remove TPM Passthrough option from RHEL 9) +- Resolves: bz#1978837 + (Remove/replace kvm-setup.service) + * Mon Jun 28 2021 Miroslav Rezanina - 6.0.0-7 - kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502] - kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]