diff --git a/kvm-s390x-pv-Implement-a-CGS-check-helper.patch b/kvm-s390x-pv-Implement-a-CGS-check-helper.patch new file mode 100644 index 0000000..b952448 --- /dev/null +++ b/kvm-s390x-pv-Implement-a-CGS-check-helper.patch @@ -0,0 +1,109 @@ +From 2fc8489b70445a3db0a2e72c1f1edb4d61d404d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Mon, 16 Jan 2023 18:46:05 +0100 +Subject: [PATCH] s390x/pv: Implement a CGS check helper +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Cédric Le Goater +RH-MergeRequest: 271: Secure guest can't boot with maximal number of vcpus (248) +RH-Bugzilla: 2187159 +RH-Acked-by: Thomas Huth +RH-Acked-by: Cornelia Huck +RH-Acked-by: Jon Maloy +RH-Commit: [1/1] c870d525c48ab6d0df964b5abe48efe2528c9883 + +When a protected VM is started with the maximum number of CPUs (248), +the service call providing information on the CPUs requires more +buffer space than allocated and QEMU disgracefully aborts : + + LOADPARM=[........] + Using virtio-blk. + Using SCSI scheme. + ................................................................................... + qemu-system-s390x: KVM_S390_MEM_OP failed: Argument list too long + +When protected virtualization is initialized, compute the maximum +number of vCPUs supported by the machine and return useful information +to the user before the machine starts in case of error. + +Suggested-by: Thomas Huth +Reviewed-by: Thomas Huth +Signed-off-by: Cédric Le Goater +Message-Id: <20230116174607.2459498-2-clg@kaod.org> +Signed-off-by: Thomas Huth +(cherry picked from commit 75d7150c636569f6687f7e70a33be893be43eb5f) +Signed-off-by: Cédric Le Goater +--- + hw/s390x/pv.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c +index 728ba24547..749e5db1ce 100644 +--- a/hw/s390x/pv.c ++++ b/hw/s390x/pv.c +@@ -20,6 +20,7 @@ + #include "exec/confidential-guest-support.h" + #include "hw/s390x/ipl.h" + #include "hw/s390x/pv.h" ++#include "hw/s390x/sclp.h" + #include "target/s390x/kvm/kvm_s390x.h" + + static bool info_valid; +@@ -249,6 +250,41 @@ struct S390PVGuestClass { + ConfidentialGuestSupportClass parent_class; + }; + ++/* ++ * If protected virtualization is enabled, the amount of data that the ++ * Read SCP Info Service Call can use is limited to one page. The ++ * available space also depends on the Extended-Length SCCB (ELS) ++ * feature which can take more buffer space to store feature ++ * information. This impacts the maximum number of CPUs supported in ++ * the machine. ++ */ ++static uint32_t s390_pv_get_max_cpus(void) ++{ ++ int offset_cpu = s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB) ? ++ offsetof(ReadInfo, entries) : SCLP_READ_SCP_INFO_FIXED_CPU_OFFSET; ++ ++ return (TARGET_PAGE_SIZE - offset_cpu) / sizeof(CPUEntry); ++} ++ ++static bool s390_pv_check_cpus(Error **errp) ++{ ++ MachineState *ms = MACHINE(qdev_get_machine()); ++ uint32_t pv_max_cpus = s390_pv_get_max_cpus(); ++ ++ if (ms->smp.max_cpus > pv_max_cpus) { ++ error_setg(errp, "Protected VMs support a maximum of %d CPUs", ++ pv_max_cpus); ++ return false; ++ } ++ ++ return true; ++} ++ ++static bool s390_pv_guest_check(ConfidentialGuestSupport *cgs, Error **errp) ++{ ++ return s390_pv_check_cpus(errp); ++} ++ + int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) + { + if (!object_dynamic_cast(OBJECT(cgs), TYPE_S390_PV_GUEST)) { +@@ -261,6 +297,10 @@ int s390_pv_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) + return -1; + } + ++ if (!s390_pv_guest_check(cgs, errp)) { ++ return -1; ++ } ++ + cgs->ready = true; + + return 0; +-- +2.39.1 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index b2f9cff..75e3f75 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 6.2.0 -Release: 32%{?rcrel}%{?dist} +Release: 33%{?rcrel}%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -652,6 +652,8 @@ Patch255: kvm-scsi-protect-req-aiocb-with-AioContext-lock.patch Patch256: kvm-dma-helpers-prevent-dma_blk_cb-vs-dma_aio_cancel-rac.patch # For bz#2090990 - qemu crash with error scsi_req_unref(SCSIRequest *): Assertion `req->refcount > 0' failed or scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL' failed [8.7.0] Patch257: kvm-virtio-scsi-reset-SCSI-devices-from-main-loop-thread.patch +# For bz#2187159 - RHEL8.8 - KVM - Secure Guest crashed during booting with 248 vcpus +Patch258: kvm-s390x-pv-Implement-a-CGS-check-helper.patch BuildRequires: wget BuildRequires: rpm-build @@ -1821,6 +1823,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %changelog +* Tue Apr 25 2023 Miroslav Rezanina - 6.2.0-33 +- kvm-s390x-pv-Implement-a-CGS-check-helper.patch [bz#2187159] +- Resolves: bz#2187159 + (RHEL8.8 - KVM - Secure Guest crashed during booting with 248 vcpus) + * Mon Mar 13 2023 Jon Maloy - 6.2.0-32.el8_8 - kvm-aio_wait_kick-add-missing-memory-barrier.patch [bz#2168472] - kvm-qatomic-add-smp_mb__before-after_rmw.patch [bz#2168472]