* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8
- kvm-Disable-TPM-passthrough.patch [bz#1978911] - kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837] - Resolves: bz#1978911 (Remove TPM Passthrough option from RHEL 9) - Resolves: bz#1978837 (Remove/replace kvm-setup.service)
parent
0253757df8
commit
0cede3b3b7
@ -1,5 +0,0 @@
|
|||||||
# Enable kvm-setup by default. This can have odd side effects on
|
|
||||||
# PowerNV systems that aren't intended as KVM hosts, but at present we
|
|
||||||
# only support RHEL on PowerNV for the purpose of being a RHEV host.
|
|
||||||
|
|
||||||
enable kvm-setup.service
|
|
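--- a/kvm-Disable-TPM-passthrough.patch
+++ b/kvm-Disable-TPM-passthrough.patch
@@ -0,0 +1,44 @@
+From 651798d03827dda7eb8dc33fb3482f872ec81d16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 5 Jul 2021 15:23:48 +0400
+Subject: [PATCH 1/2] Disable TPM passthrough
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <None>
+RH-MergeRequest: 17: Disable TPM passthrough
+RH-Commit: [1/1] 735b79065149b968350b3f14d763030d5ef66457
+RH-Bugzilla: 1978911
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Eric Auger <eric.auger@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+default-configs/devices/ppc64-rh-devices.mak | 1 -
+default-configs/devices/x86_64-rh-devices.mak | 1 -
+2 files changed, 2 deletions(-)
+
+diff --git a/default-configs/devices/ppc64-rh-devices.mak b/default-configs/devices/ppc64-rh-devices.mak
+index 3ec5603ace..d6e424540e 100644
+--- a/default-configs/devices/ppc64-rh-devices.mak
++++ b/default-configs/devices/ppc64-rh-devices.mak
+@@ -32,4 +32,3 @@ CONFIG_XICS=y
+CONFIG_XIVE=y
+CONFIG_TPM_SPAPR=y
+CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+diff --git a/default-configs/devices/x86_64-rh-devices.mak b/default-configs/devices/x86_64-rh-devices.mak
+index 81bda09f4c..c2dd112f81 100644
+--- a/default-configs/devices/x86_64-rh-devices.mak
++++ b/default-configs/devices/x86_64-rh-devices.mak
+@@ -98,4 +98,3 @@ CONFIG_XIO3130=y
+CONFIG_TPM_CRB=y
+CONFIG_TPM_TIS_ISA=y
+CONFIG_TPM_EMULATOR=y
+-CONFIG_TPM_PASSTHROUGH=y
+--
+2.27.0
+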
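Review bot: The patch message has no body beyond the RH- trailers, so the reason for dropping `CONFIG_TPM_PASSTHROUGH=y` is not recorded in the file that carries the change. A one-sentence rationale above the trailers would help anyone auditing which TPM backends the build exposes; as it stands, only the spec comment `Remove TPM Passthrough option from RHEL 9` hints at it. The patch touches the ppc64 and x86_64 device lists only. Presumably the other architectures' lists never enabled the backend, but that is worth confirming. A guest already configured with a passthrough TPM will presumably fail to start once the backend is compiled out, which deserves a release note.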
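--- a/kvm-setup
+++ b/kvm-setup
@@ -1,49 +0,0 @@
-#! /bin/bash
-
-kvm_setup_powerpc () {
-if grep '^platform[[:space:]]*:[[:space:]]*PowerNV' /proc/cpuinfo > /dev/null; then
-# PowerNV platform, which is KVM HV capable
-
-if [ -z "$SUBCORES" ]; then
-SUBCORES=1
-fi
-
-# Step 1. Load the KVM HVmodule
-if ! modprobe -b kvm_hv; then
-return
-fi
-
-# On POWER8 a host core can only run threads of a single
-# guest, meaning that SMT must be disabled on the host in
-# order to run KVM guests. (Also applieds to POWER7, but we
-# don't support that).
-#
-# POWER9 doesn't have this limitation (though it will for hash
-# guests on radix host when that's implemented). So, only set
-# up subcores and disable SMT for POWER*.
-if grep '^cpu[[:space:]]*:[[:space:]]*POWER8' /proc/cpuinfo > /dev/null; then
-# Step 2. Configure subcore mode
-/usr/sbin/ppc64_cpu --subcores-per-core=$SUBCORES
-
-# Step 3. Disable SMT (multithreading)
-/usr/sbin/ppc64_cpu --smt=off
-fi
-fi
-}
-
-kvm_setup_s390x () {
-if grep -q "^features.*sie" /proc/cpuinfo; then
-modprobe kvm
-fi
-}
-
-case $(uname -m) in
-ppc64|ppc64le)
-kvm_setup_powerpc
-;;
-s390x)
-kvm_setup_s390x
-;;
-esac
-
-exit 0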
@ -1,14 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=Perform system configuration to prepare system to run KVM guests
|
|
||||||
# Offlining CPUs can cause irqbalance to throw warnings if it's running
|
|
||||||
Before=irqbalance.service
|
|
||||||
# libvirtd reads CPU topology at startup, so change it before
|
|
||||||
Before=libvirtd.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
EnvironmentFile=-/etc/sysconfig/kvm
|
|
||||||
ExecStart=/usr/lib/systemd/kvm-setup
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
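--- a/modules-load.conf
+++ b/modules-load.conf
@@ -0,0 +1,4 @@
+# When using SELinux in libvirt, automatic loading of the kvm.ko kernel
+# module might not work when qemu-kvm tries to access /dev/kvm - thus we
+# simply always load this module during the boot process already.
+kvm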
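Review bot: Listing `kvm` here makes the load unconditional at every boot, whereas the kvm-setup script removed by this commit only ran `modprobe kvm` after `grep -q "^features.*sie" /proc/cpuinfo` matched. On an s390x host without SIE the module load presumably fails, which would surface as a failed systemd-modules-load unit on each boot. On hosts that carry the package but never run guests, the KVM code is now always resident in the kernel. The header comment should record that this trade-off is intended, for example `# Loaded unconditionally; the old SIE check from kvm-setup is intentionally dropped.`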
@ -7,7 +7,7 @@
|
|||||||
%global have_usbredir 1
|
%global have_usbredir 1
|
||||||
%global have_opengl 1
|
%global have_opengl 1
|
||||||
%global have_fdt 0
|
%global have_fdt 0
|
||||||
%global have_kvm_setup 0
|
%global have_modules_load 0
|
||||||
%global have_memlock_limits 0
|
%global have_memlock_limits 0
|
||||||
# have_block_rbd is not relevant for RHEL but makes it
|
# have_block_rbd is not relevant for RHEL but makes it
|
||||||
# easier to sync spec dependency list with Fedora
|
# easier to sync spec dependency list with Fedora
|
||||||
@ -44,12 +44,11 @@
|
|||||||
%ifarch %{power64}
|
%ifarch %{power64}
|
||||||
%global kvm_target ppc64
|
%global kvm_target ppc64
|
||||||
%global have_fdt 1
|
%global have_fdt 1
|
||||||
%global have_kvm_setup 1
|
|
||||||
%global have_memlock_limits 1
|
%global have_memlock_limits 1
|
||||||
%endif
|
%endif
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
%global kvm_target s390x
|
%global kvm_target s390x
|
||||||
%global have_kvm_setup 1
|
%global have_modules_load 1
|
||||||
%endif
|
%endif
|
||||||
%ifarch ppc
|
%ifarch ppc
|
||||||
%global kvm_target ppc
|
%global kvm_target ppc
|
||||||
@ -73,7 +72,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
|
|||||||
Summary: QEMU is a machine emulator and virtualizer
|
Summary: QEMU is a machine emulator and virtualizer
|
||||||
Name: qemu-kvm
|
Name: qemu-kvm
|
||||||
Version: 6.0.0
|
Version: 6.0.0
|
||||||
Release: 7%{?rcversion}%{?dist}
|
Release: 8%{?rcversion}%{?dist}
|
||||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||||
# Epoch 15 used for RHEL 8
|
# Epoch 15 used for RHEL 8
|
||||||
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
|
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
|
||||||
@ -96,9 +95,7 @@ Source10: qemu-guest-agent.service
|
|||||||
Source11: 99-qemu-guest-agent.rules
|
Source11: 99-qemu-guest-agent.rules
|
||||||
Source12: bridge.conf
|
Source12: bridge.conf
|
||||||
Source13: qemu-ga.sysconfig
|
Source13: qemu-ga.sysconfig
|
||||||
Source21: kvm-setup
|
Source21: modules-load.conf
|
||||||
Source22: kvm-setup.service
|
|
||||||
Source23: 85-kvm.preset
|
|
||||||
Source26: vhost.conf
|
Source26: vhost.conf
|
||||||
Source27: kvm.conf
|
Source27: kvm.conf
|
||||||
Source28: 95-kvm-memlock.conf
|
Source28: 95-kvm-memlock.conf
|
||||||
@ -192,6 +189,8 @@ Patch50: kvm-doc-Fix-some-mistakes-in-the-SEV-documentation.patch
|
|||||||
Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
|
Patch51: kvm-docs-Add-SEV-ES-documentation-to-amd-memory-encrypti.patch
|
||||||
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
|
# For bz#1957194 - Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta
|
||||||
Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch
|
Patch52: kvm-docs-interop-firmware.json-Add-SEV-ES-support.patch
|
||||||
|
# For bz#1978911 - Remove TPM Passthrough option from RHEL 9
|
||||||
|
Patch53: kvm-Disable-TPM-passthrough.patch
|
||||||
|
|
||||||
# Source-git patches
|
# Source-git patches
|
||||||
|
|
||||||
@ -281,10 +280,6 @@ Requires: edk2-aarch64
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Requires: libseccomp >= %{libseccomp_version}
|
Requires: libseccomp >= %{libseccomp_version}
|
||||||
%if %{have_kvm_setup}
|
|
||||||
Requires(post): systemd-units
|
|
||||||
Requires(preun): systemd-units
|
|
||||||
%endif
|
|
||||||
Requires: libusbx >= %{libusbx_version}
|
Requires: libusbx >= %{libusbx_version}
|
||||||
%if %{have_usbredir}
|
%if %{have_usbredir}
|
||||||
Requires: usbredir >= %{usbredir_version}
|
Requires: usbredir >= %{usbredir_version}
|
||||||
@ -970,10 +965,8 @@ rom_link() {
|
|||||||
rom_link ../sgabios/sgabios.bin sgabios.bin
|
rom_link ../sgabios/sgabios.bin sgabios.bin
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{have_kvm_setup}
|
%if %{have_modules_load}
|
||||||
install -D -p -m 755 %{SOURCE21} $RPM_BUILD_ROOT%{_prefix}/lib/systemd/kvm-setup
|
install -D -p -m 644 %{SOURCE21} $RPM_BUILD_ROOT%{_sysconfdir}/modules-load.d/kvm.conf
|
||||||
install -D -p -m 644 %{SOURCE22} $RPM_BUILD_ROOT%{_unitdir}/kvm-setup.service
|
|
||||||
install -D -p -m 644 %{SOURCE23} $RPM_BUILD_ROOT%{_presetdir}/85-kvm.preset
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{have_memlock_limits}
|
%if %{have_memlock_limits}
|
||||||
@ -1021,25 +1014,19 @@ getent passwd qemu >/dev/null || \
|
|||||||
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
||||||
-c "qemu user" qemu
|
-c "qemu user" qemu
|
||||||
|
|
||||||
# load kvm modules now, so we can make sure no reboot is needed.
|
# If this is a new installation, then load kvm modules now, so we can make
|
||||||
# If there's already a kvm module installed, we don't mess with it
|
# sure that the user gets a system where KVM is ready to use. In case of
|
||||||
%udev_rules_update
|
# an upgrade, don't try to modprobe again in case the user unloaded the
|
||||||
sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
|
# kvm module on purpose.
|
||||||
udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || :
|
%if %{have_modules_load}
|
||||||
%if %{have_kvm_setup}
|
if [ "$1" = "1" ]; then
|
||||||
systemctl daemon-reload # Make sure it sees the new presets and unitfile
|
modprobe -b kvm &> /dev/null || :
|
||||||
%systemd_post kvm-setup.service
|
|
||||||
if systemctl is-enabled kvm-setup.service > /dev/null; then
|
|
||||||
systemctl start kvm-setup.service
|
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%preun -n qemu-kvm-common
|
%preun -n qemu-kvm-common
|
||||||
%systemd_preun ksm.service
|
%systemd_preun ksm.service
|
||||||
%systemd_preun ksmtuned.service
|
%systemd_preun ksmtuned.service
|
||||||
%if %{have_kvm_setup}
|
|
||||||
%systemd_preun kvm-setup.service
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%postun -n qemu-kvm-common
|
%postun -n qemu-kvm-common
|
||||||
%systemd_postun_with_restart ksm.service
|
%systemd_postun_with_restart ksm.service
|
||||||
@ -1145,10 +1132,8 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
|
|||||||
%{_datadir}/%{name}/linuxboot_dma.bin
|
%{_datadir}/%{name}/linuxboot_dma.bin
|
||||||
%{_datadir}/%{name}/dump-guest-memory.py*
|
%{_datadir}/%{name}/dump-guest-memory.py*
|
||||||
%{_datadir}/%{name}/trace-events-all
|
%{_datadir}/%{name}/trace-events-all
|
||||||
%if %{have_kvm_setup}
|
%if %{have_modules_load}
|
||||||
%{_prefix}/lib/systemd/kvm-setup
|
%{_sysconfdir}/modules-load.d/kvm.conf
|
||||||
%{_unitdir}/kvm-setup.service
|
|
||||||
%{_presetdir}/85-kvm.preset
|
|
||||||
%endif
|
%endif
|
||||||
%if %{have_memlock_limits}
|
%if %{have_memlock_limits}
|
||||||
%{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
|
%{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
|
||||||
@ -1218,6 +1203,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-8
|
||||||
|
- kvm-Disable-TPM-passthrough.patch [bz#1978911]
|
||||||
|
- kvm-redhat-Replace-the-kvm-setup.service-with-a-etc-modu.patch [bz#1978837]
|
||||||
|
- Resolves: bz#1978911
|
||||||
|
(Remove TPM Passthrough option from RHEL 9)
|
||||||
|
- Resolves: bz#1978837
|
||||||
|
(Remove/replace kvm-setup.service)
|
||||||
|
|
||||||
* Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7
|
* Mon Jun 28 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-7
|
||||||
- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
|
- kvm-aarch64-rh-devices-add-CONFIG_PXB.patch [bz#1967502]
|
||||||
- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
|
- kvm-virtio-gpu-handle-partial-maps-properly.patch [bz#1974795]
|
||||||
|
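Review bot: The new `install` line and the matching `%files` entry place the package's default at `%{_sysconfdir}/modules-load.d/kvm.conf` without marking it `%config(noreplace)`, so an administrator's edit to that file under /etc would be overwritten on the next update. Package-supplied module lists normally go in `%{_modulesloaddir}`, which leaves /etc free for a local override or mask; `install -D -p -m 644 %{SOURCE21} $RPM_BUILD_ROOT%{_modulesloaddir}/kvm.conf` with the corresponding `%files` line would do that. Separately, the `%ifarch %{power64}` block loses `%global have_kvm_setup 1` and gains no `have_modules_load 1`, so this package no longer loads any KVM module on ppc64; if that is intended, the changelog should say so. On an upgrade from 6.0.0-7 nothing disables the previously enabled kvm-setup.service, so a stale enablement symlink is presumably left behind.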