* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8

- kvm-Disable-TPM-passthrough.patch [bz#1978911]
- kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837]
- Resolves: bz#1978911
  (Remove TPM Passthrough option from RHEL 9)
- Resolves: bz#1978837
  (Remove/replace kvm-setup.service)
Miroslav Rezanina 2021-07-12 03:27:57 -04:00
parent 0253757df8
commit 0cede3b3b7
6 changed files with 73 additions and 100 deletions


@ -1,5 +0,0 @@
# Enable kvm-setup by default. This can have odd side effects on
# PowerNV systems that aren't intended as KVM hosts, but at present we
# only support RHEL on PowerNV for the purpose of being a RHEV host.
enable kvm-setup.service


@ -0,0 +1,44 @@
From 651798d03827dda7eb8dc33fb3482f872ec81d16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 5 Jul 2021 15:23:48 +0400
Subject: [PATCH 1/2] Disable TPM passthrough
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <None>
RH-MergeRequest: 17: Disable TPM passthrough
RH-Commit: [1/1] 735b79065149b968350b3f14d763030d5ef66457
RH-Bugzilla: 1978911
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Eric Auger <eric.auger@redhat.com>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
default-configs/devices/ppc64-rh-devices.mak | 1 -
default-configs/devices/x86_64-rh-devices.mak | 1 -
2 files changed, 2 deletions(-)
diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak
index 3ec5603ace..d6e424540e 100644
--- a/default-configs/devices/ppc64-rh-devices.mak
+++ b/default-configs/devices/ppc64-rh-devices.mak
@@ -32,4 +32,3 @@ CONFIG_XICS=y
CONFIG_XIVE=y
CONFIG_TPM_SPAPR=y
CONFIG_TPM_EMULATOR=y
-CONFIG_TPM_PASSTHROUGH=y
diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak
index 81bda09f4c..c2dd112f81 100644
--- a/default-configs/devices/x86_64-rh-devices.mak
+++ b/default-configs/devices/x86_64-rh-devices.mak
@@ -98,4 +98,3 @@ CONFIG_XIO3130=y
CONFIG_TPM_CRB=y
CONFIG_TPM_TIS_ISA=y
CONFIG_TPM_EMULATOR=y
-CONFIG_TPM_PASSTHROUGH=y
--
2.27.0
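Review bot: Only the ppc64 and x86_64 device configs are touched, while the spec in this same commit also builds for s390x and references aarch64; please confirm `CONFIG_TPM_PASSTHROUGH` is not set in those configs (they are not visible here), otherwise the passthrough backend stays available on those builds. The patch also has no message body. A sentence saying why the backend is dropped, and that `CONFIG_TPM_EMULATOR=y` remains as the available backend, would help anyone whose guest definition still references passthrough and stops starting after the update.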


@ -1,49 +0,0 @@
#! /bin/bash
kvm_setup_powerpc () {
if grep '^platform[[:space:]]*:[[:space:]]*PowerNV' /proc/cpuinfo > /dev/null; then
# PowerNV platform, which is KVM HV capable
if [ -z "$SUBCORES" ]; then
SUBCORES=1
fi
# Step 1. Load the KVM HVmodule
if ! modprobe -b kvm_hv; then
return
fi
# On POWER8 a host core can only run threads of a single
# guest, meaning that SMT must be disabled on the host in
# order to run KVM guests. (Also applieds to POWER7, but we
# don't support that).
#
# POWER9 doesn't have this limitation (though it will for hash
# guests on radix host when that's implemented). So, only set
# up subcores and disable SMT for POWER*.
if grep '^cpu[[:space:]]*:[[:space:]]*POWER8' /proc/cpuinfo > /dev/null; then
# Step 2. Configure subcore mode
/usr/sbin/ppc64_cpu --subcores-per-core=$SUBCORES
# Step 3. Disable SMT (multithreading)
/usr/sbin/ppc64_cpu --smt=off
fi
fi
}
kvm_setup_s390x () {
if grep -q "^features.*sie" /proc/cpuinfo; then
modprobe kvm
fi
}
case $(uname -m) in
ppc64|ppc64le)
kvm_setup_powerpc
;;
s390x)
kvm_setup_s390x
;;
esac
exit 0


@ -1,14 +0,0 @@
[Unit]
Description=Perform system configuration to prepare system to run KVM guests
# Offlining CPUs can cause irqbalance to throw warnings if it's running
Before=irqbalance.service
# libvirtd reads CPU topology at startup, so change it before
Before=libvirtd.service
[Service]
Type=oneshot
EnvironmentFile=-/etc/sysconfig/kvm
ExecStart=/usr/lib/systemd/kvm-setup
[Install]
WantedBy=multi-user.target

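--- /dev/null
+++ b/modules-load.conf
@@ -0,0 +1,4 @@
+# When using SELinux in libvirt, automatic loading of the kvm.ko kernel
+# module might not work when qemu-kvm tries to access /dev/kvm - thus we
+# simply always load this module during the boot process already.
+kvm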
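Review bot: The comment says the module is always loaded at boot, but not that the spec installs this file only where `have_modules_load` is 1 (s390x in this commit), nor that the `sie` feature check from the removed `kvm_setup_s390x` is gone. On a machine whose /proc/cpuinfo lacks that feature, the load would presumably now be attempted and fail at every boot instead of being skipped; worth confirming that is acceptable. I would add a line such as `# Installed on s390x only; loaded unconditionally (no SIE feature check).` so the scope is visible from the file itself.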


@ -7,7 +7,7 @@
%global have_usbredir 1 %global have_usbredir 1
%global have_opengl 1 %global have_opengl 1
%global have_fdt 0 %global have_fdt 0
%global have_kvm_setup 0 %global have_modules_load 0
%global have_memlock_limits 0 %global have_memlock_limits 0
# have_block_rbd is not relevant for RHEL but makes it # have_block_rbd is not relevant for RHEL but makes it
# easier to sync spec dependency list with Fedora # easier to sync spec dependency list with Fedora
@ -44,12 +44,11 @@
%ifarch %{power64} %ifarch %{power64}
%global kvm_target ppc64 %global kvm_target ppc64
%global have_fdt 1 %global have_fdt 1
%global have_kvm_setup 1
%global have_memlock_limits 1 %global have_memlock_limits 1
%endif %endif
%ifarch s390x %ifarch s390x
%global kvm_target s390x %global kvm_target s390x
%global have_kvm_setup 1 %global have_modules_load 1
%endif %endif
%ifarch ppc %ifarch ppc
%global kvm_target ppc %global kvm_target ppc
@ -73,7 +72,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm Name: qemu-kvm
Version: 6.0.0 Version: 6.0.0
Release: 7%{?rcversion}%{?dist} Release: 8%{?rcversion}%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
# Epoch 15 used for RHEL 8 # Epoch 15 used for RHEL 8
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5) # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -96,9 +95,7 @@ Source10: qemu-guest-agent.service
Source11: 99-qemu-guest-agent.rules Source11: 99-qemu-guest-agent.rules
Source12: bridge.conf Source12: bridge.conf
Source13: qemu-ga.sysconfig Source13: qemu-ga.sysconfig
Source21: kvm-setup Source21: modules-load.conf
Source22: kvm-setup.service
Source23: 85-kvm.preset
Source26: vhost.conf Source26: vhost.conf
Source27: kvm.conf Source27: kvm.conf
Source28: 95-kvm-memlock.conf Source28: 95-kvm-memlock.conf
@ -192,6 +189,8 @@ Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch
Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta # For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch
# For bz#1978911 - Remove TPM Passthrough option from RHEL 9
Patch53: kvm-Disable-TPM-passthrough.patch
# Source-git patches # Source-git patches
@ -281,10 +280,6 @@ Requires: edk2-aarch64
%endif %endif
Requires: libseccomp >= %{libseccomp_version} Requires: libseccomp >= %{libseccomp_version}
%if %{have_kvm_setup}
Requires(post): systemd-units
Requires(preun): systemd-units
%endif
Requires: libusbx >= %{libusbx_version} Requires: libusbx >= %{libusbx_version}
%if %{have_usbredir} %if %{have_usbredir}
Requires: usbredir >= %{usbredir_version} Requires: usbredir >= %{usbredir_version}
@ -970,10 +965,8 @@ rom_link() {
rom_link ../sgabios/sgabios.bin sgabios.bin rom_link ../sgabios/sgabios.bin sgabios.bin
%endif %endif
%if %{have_kvm_setup} %if %{have_modules_load}
install -D -p -m 755 %{SOURCE21} $RPM_BUILD_ROOT%{_prefix}/lib/systemd/kvm-setup install -D -p -m 644 %{SOURCE21} $RPM_BUILD_ROOT%{_sysconfdir}/modules-load.d/kvm.conf
install -D -p -m 644 %{SOURCE22} $RPM_BUILD_ROOT%{_unitdir}/kvm-setup.service
install -D -p -m 644 %{SOURCE23} $RPM_BUILD_ROOT%{_presetdir}/85-kvm.preset
%endif %endif
%if %{have_memlock_limits} %if %{have_memlock_limits}
@ -1021,25 +1014,19 @@ getent passwd qemu >/dev/null || \
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-c "qemu user" qemu -c "qemu user" qemu
# load kvm modules now, so we can make sure no reboot is needed. # If this is a new installation, then load kvm modules now, so we can make
# If there's already a kvm module installed, we don't mess with it # sure that the user gets a system where KVM is ready to use. In case of
%udev_rules_update # an upgrade, don't try to modprobe again in case the user unloaded the
sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : # kvm module on purpose.
udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || : %if %{have_modules_load}
%if %{have_kvm_setup} if [ "$1" = "1" ]; then
systemctl daemon-reload # Make sure it sees the new presets and unitfile modprobe -b kvm &> /dev/null || :
%systemd_post kvm-setup.service
if systemctl is-enabled kvm-setup.service > /dev/null; then
systemctl start kvm-setup.service
fi fi
%endif %endif
%preun -n qemu-kvm-common %preun -n qemu-kvm-common
%systemd_preun ksm.service %systemd_preun ksm.service
%systemd_preun ksmtuned.service %systemd_preun ksmtuned.service
%if %{have_kvm_setup}
%systemd_preun kvm-setup.service
%endif
%postun -n qemu-kvm-common %postun -n qemu-kvm-common
%systemd_postun_with_restart ksm.service %systemd_postun_with_restart ksm.service
@ -1145,10 +1132,8 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_datadir}/%{name}/linuxboot_dma.bin %{_datadir}/%{name}/linuxboot_dma.bin
%{_datadir}/%{name}/dump-guest-memory.py* %{_datadir}/%{name}/dump-guest-memory.py*
%{_datadir}/%{name}/trace-events-all %{_datadir}/%{name}/trace-events-all
%if %{have_kvm_setup} %if %{have_modules_load}
%{_prefix}/lib/systemd/kvm-setup %{_sysconfdir}/modules-load.d/kvm.conf
%{_unitdir}/kvm-setup.service
%{_presetdir}/85-kvm.preset
%endif %endif
%if %{have_memlock_limits} %if %{have_memlock_limits}
%{_sysconfdir}/security/limits.d/95-kvm-memlock.conf %{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
@ -1218,6 +1203,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%endif %endif
%changelog %changelog
* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8
- kvm-Disable-TPM-passthrough.patch [bz#1978911]
- kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837]
- Resolves: bz#1978911
(Remove TPM Passthrough option from RHEL 9)
- Resolves: bz#1978837
(Remove/replace kvm-setup.service)
* Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7 * Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7
- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502] - kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795] - kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
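Review bot: The new boot-time config is installed as `%{_sysconfdir}/modules-load.d/kvm.conf` and listed in `%files` without a `%config` marker, so an administrator who edits or removes it to keep kvm unloaded on a host not meant to run guests gets it put back on the next package update. That is at odds with the new `%post` comment, which skips modprobe on upgrade "in case the user unloaded the kvm module on purpose". Either list it as `%config(noreplace) %{_sysconfdir}/modules-load.d/kvm.conf`, or ship the vendor default under `%{_prefix}/lib/modules-load.d/` and leave `/etc` to the administrator. Separately, `%ifarch %{power64}` loses `have_kvm_setup` without gaining `have_modules_load`; a one-line spec comment saying this is intentional would help the next maintainer.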