import virt-manager-2.0.0-5.1.el8_0
parent
b005b2e064
commit
42d2793fa4
@ -0,0 +1,61 @@
|
||||
From 6ba190915ed0be80b67423003dfdf183c47a2fb8 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <6ba190915ed0be80b67423003dfdf183c47a2fb8@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:55 +0200
|
||||
Subject: [PATCH] DomainCpu: check CPU model name only if model exists
|
||||
|
||||
For CPU modes other then "custom" there is no model so we should not
|
||||
check the suffix of model name.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
||||
(cherry picked from commit c1ebd6730cb25b57124fad6c4030345356703320)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
tests/xmlparse.py | 4 ++++
|
||||
virtinst/domain/cpu.py | 9 +++++----
|
||||
2 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tests/xmlparse.py b/tests/xmlparse.py
|
||||
index c9828fc8..58d3c1a6 100644
|
||||
--- a/tests/xmlparse.py
|
||||
+++ b/tests/xmlparse.py
|
||||
@@ -335,8 +335,12 @@ class XMLParseTest(unittest.TestCase):
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("mode", "host-passthrough", "custom")
|
||||
check("mode", "custom", "host-model")
|
||||
+ guest.cpu.check_security_features(guest)
|
||||
+ check("secure", False)
|
||||
guest.cpu.set_model(guest, "qemu64")
|
||||
check("model", "qemu64")
|
||||
+ guest.cpu.check_security_features(guest)
|
||||
+ check("secure", False)
|
||||
|
||||
self._alter_compare(guest.get_xml(), outfile)
|
||||
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index 1d468468..66fa649b 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -136,10 +136,11 @@ class DomainCpu(XMLBuilder):
|
||||
return
|
||||
|
||||
guestFeatures = [f.name for f in self.features if f.policy == "require"]
|
||||
- if self.model.endswith("IBRS"):
|
||||
- guestFeatures.append("spec-ctrl")
|
||||
- if self.model.endswith("IBPB"):
|
||||
- guestFeatures.append("ibpb")
|
||||
+ if self.model:
|
||||
+ if self.model.endswith("IBRS"):
|
||||
+ guestFeatures.append("spec-ctrl")
|
||||
+ if self.model.endswith("IBPB"):
|
||||
+ guestFeatures.append("ibpb")
|
||||
|
||||
self.secure = set(features) <= set(guestFeatures)
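Review bot: With the new `if self.model:` guard, a guest whose mode is not "custom" (model unset, as after `check("mode", "custom", "host-model")` in the tests/xmlparse.py hunk) is scored only on features explicitly listed with policy require, so an inactive host-model guest is reported as `secure = False` even though the commit message notes that libvirt expands host-model with the host's mitigations once the VM starts. That reading is only meaningful for a custom model or an already-expanded definition, and nothing in the code says so; I would add above the guard: `# Suffix matching only applies to an explicit model; with host-model/host-passthrough the model is unset, so only explicit "require" features count and an unexpanded definition reads as not secure`. The enclosing method starts before this hunk (the `return` at its top is the tail of an earlier early exit).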
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 703abe06db1ecfadb7e5a5f877f86d41f367300d Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <703abe06db1ecfadb7e5a5f877f86d41f367300d@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:54 +0200
|
||||
Subject: [PATCH] DomainCpu: fix detection of CPU security features
|
||||
|
||||
VM configured with mode="host-model" will have the CPU definition
|
||||
expanded once the VM is started. Libvirt will try to use the closest
|
||||
CPU model with some features enabled/disabled.
|
||||
|
||||
The issue is that there are some models that include spec-ctrl or ibpb
|
||||
features and they will not appear in the explicit list of features and
|
||||
virt-manager will not correctly detect if all security features are
|
||||
enabled or not. As a workaround we can check the suffix of CPU model to
|
||||
figure out which security features are enabled by the model itself.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
(cherry picked from commit 291f2ef21486cb54aadd40f07052aedfebef3792)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
virtinst/domain/cpu.py | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index c6a411bb..1d468468 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -135,15 +135,13 @@ class DomainCpu(XMLBuilder):
|
||||
self.secure = False
|
||||
return
|
||||
|
||||
- for feature in features:
|
||||
- exists = False
|
||||
- for f in self.features:
|
||||
- if f.name == feature and f.policy == "require":
|
||||
- exists = True
|
||||
- break
|
||||
- if not exists:
|
||||
- self.secure = False
|
||||
- return
|
||||
+ guestFeatures = [f.name for f in self.features if f.policy == "require"]
|
||||
+ if self.model.endswith("IBRS"):
|
||||
+ guestFeatures.append("spec-ctrl")
|
||||
+ if self.model.endswith("IBPB"):
|
||||
+ guestFeatures.append("ibpb")
|
||||
+
|
||||
+ self.secure = set(features) <= set(guestFeatures)
|
||||
|
||||
def _remove_security_features(self, guest):
|
||||
domcaps = guest.lookup_domcaps()
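Review bot: `guestFeatures` (the new list comprehension) counts only features with `policy == "require"`, so a mitigation the user pinned with policy force — a policy this tree does use, e.g. `<feature policy="force" name="x2apic"/>` in the test XML further down the page — is not counted and the guest is reported insecure. In libvirt both require and force expose the feature to the guest; if that is the intended meaning of secure here, the filter should read `if f.policy in ("require", "force")`. The method's signature and the `features` argument it compares against are outside this hunk, so I cannot tell whether the early return above already covers an empty host list (an empty set is a subset of anything, which would otherwise yield `secure = True`).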
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,45 @@
|
||||
From 8f09b85515f78b8e73e71abcd8f0a61cbab7d7ff Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <8f09b85515f78b8e73e71abcd8f0a61cbab7d7ff@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 08:06:09 -0400
|
||||
Subject: [PATCH] cli: Fix pool=default when path belongs to another pool (bz
|
||||
1692489)
|
||||
|
||||
From: Cole Robinson <crobinso@redhat.com>
|
||||
|
||||
Using 'virt-install --disk size=X' implicitly uses pool=default. If
|
||||
a pool named 'default' exists we use that; if not, and a pool using
|
||||
the default path exists under a different name, we attempt to use
|
||||
that as well, and if that doesn't exist, we create pool=default
|
||||
|
||||
The second case is broken, so if there's no pool=default and eg.
|
||||
pool=FOO points to /var/lib/libvirt/images, we still attempt to
|
||||
look up pool=default which understandably fails
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1692489
|
||||
(cherry picked from commit a0ca387aad0fde19683aa8b5b5636add6455b8b4)
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1714752
|
||||
---
|
||||
virtinst/cli.py | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/virtinst/cli.py b/virtinst/cli.py
|
||||
index 21467a4d..63acb642 100644
|
||||
--- a/virtinst/cli.py
|
||||
+++ b/virtinst/cli.py
|
||||
@@ -2029,7 +2029,9 @@ class ParserDisk(VirtCLIParser):
|
||||
poolobj = None
|
||||
if poolname:
|
||||
if poolname == "default":
|
||||
- StoragePool.build_default_pool(self.guest.conn)
|
||||
+ poolxml = StoragePool.build_default_pool(self.guest.conn)
|
||||
+ if poolxml:
|
||||
+ poolname = poolxml.name
|
||||
poolobj = self.guest.conn.storagePoolLookupByName(poolname)
|
||||
|
||||
if volname:
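Review bot: If `StoragePool.build_default_pool()` returns a falsy value, `poolname` is still "default" and `storagePoolLookupByName(poolname)` on the following line fails with the same opaque libvirt error this commit sets out to fix; the helper is not in this hunk, so I cannot tell whether it can return None, but the fallthrough deserves either a comment stating that it cannot or an explicit check such as `if not poolxml: raise RuntimeError("could not find or create the 'default' storage pool")`. The variable also holds an object whose `.name` is read, so a name like `defpool` would be clearer than `poolxml`. The ParserDisk method continues on both sides of this hunk.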
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,40 @@
|
||||
From dc5ec3458d325c3824c62517d72d802b2c3caee2 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <dc5ec3458d325c3824c62517d72d802b2c3caee2@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 22 May 2019 18:08:31 +0200
|
||||
Subject: [PATCH] cli: fix cpu secure option to actually work
|
||||
|
||||
The 'secure' option is processed after the model is already set.
|
||||
CPU security options are resolved while setting CPU model so we need
|
||||
to know the 'secure' option value before we set the CPU model.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
(cherry picked from commit 06c2f873972fd4c60a57c8b8f07fe3cec4ddfcf4)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
virtinst/cli.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/virtinst/cli.py b/virtinst/cli.py
|
||||
index 0bfa3b94..139be8f9 100644
|
||||
--- a/virtinst/cli.py
|
||||
+++ b/virtinst/cli.py
|
||||
@@ -1493,11 +1493,11 @@ class ParserCPU(VirtCLIParser):
|
||||
|
||||
|
||||
_register_virt_parser(ParserCPU)
|
||||
+ParserCPU.add_arg("secure", "secure", is_onoff=True)
|
||||
ParserCPU.add_arg(None, "model", cb=ParserCPU.set_model_cb)
|
||||
ParserCPU.add_arg("mode", "mode")
|
||||
ParserCPU.add_arg("match", "match")
|
||||
ParserCPU.add_arg("vendor", "vendor")
|
||||
-ParserCPU.add_arg("secure", "secure", is_onoff=True)
|
||||
|
||||
ParserCPU.add_arg(None, "force", is_list=True, cb=ParserCPU.set_feature_cb)
|
||||
ParserCPU.add_arg(None, "require", is_list=True, cb=ParserCPU.set_feature_cb)
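Review bot: Correctness of the secure option now rests purely on the relative order of two `add_arg` registrations (`secure` moved above `model`), and nothing in the source records that constraint, so a later reordering or an alphabetical tidy-up silently reintroduces the bug. I would put a comment on the moved line: `# Must be registered before "model": set_model_cb resolves the security features when the model is set, so inst.secure has to be known first` — assuming, as the commit message implies, that arguments are applied in registration order rather than in the order given on the command line. The registration block continues outside this hunk.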
|
||||
--
|
||||
2.21.0
|
||||
|
202
SOURCES/virt-manager-cli-introduce-CPU-secure-parameter.patch
Normal file
@ -0,0 +1,202 @@
|
||||
From 55e2f03d72ecab6bd0e42a31a07b4d3f2471fd7e Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <55e2f03d72ecab6bd0e42a31a07b4d3f2471fd7e@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:51 +0200
|
||||
Subject: [PATCH] cli: introduce CPU secure parameter
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This will allow users to override the default behavior of virt-install
|
||||
which copies CPU security features available on the host to the guest
|
||||
XML if specific CPU model is configured.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 22342ef7ee526f8a5b5a65266363c33c70c8be43)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
man/virt-install.pod | 11 ++-
|
||||
.../compare/virt-install-cpu-disable-sec.xml | 93 +++++++++++++++++++
|
||||
tests/clitest.py | 1 +
|
||||
virtinst/cli.py | 1 +
|
||||
virtinst/domain/cpu.py | 7 +-
|
||||
5 files changed, 111 insertions(+), 2 deletions(-)
|
||||
create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
|
||||
|
||||
diff --git a/man/virt-install.pod b/man/virt-install.pod
|
||||
index 5b7a784c..1cd31fa2 100644
|
||||
--- a/man/virt-install.pod
|
||||
+++ b/man/virt-install.pod
|
||||
@@ -216,7 +216,16 @@ required value is MODEL, which is a valid CPU model as known to libvirt.
|
||||
|
||||
Libvirt's feature policy values force, require, optional, disable, or forbid,
|
||||
or with the shorthand '+feature' and '-feature', which equal 'force=feature'
|
||||
-and 'disable=feature' respectively
|
||||
+and 'disable=feature' respectively.
|
||||
+
|
||||
+If exact CPU model is specified virt-install will automatically copy CPU
|
||||
+features available on the host to mitigate recent CPU speculative execution
|
||||
+side channel security vulnerabilities. This however will have some impact
|
||||
+on performance and will break migration to hosts without security patches.
|
||||
+In order to control this behavior there is a B<secure> parameter. Possible
|
||||
+values are I<on> and I<off>, with I<on> as the default. It is highly
|
||||
+recommended to leave this enabled and ensure all virtualization hosts have
|
||||
+fully up to date microcode, kernel & virtualization software installed.
|
||||
|
||||
Some examples:
|
||||
|
||||
diff --git a/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
|
||||
new file mode 100644
|
||||
index 00000000..a86d6926
|
||||
--- /dev/null
|
||||
+++ b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
|
||||
@@ -0,0 +1,93 @@
|
||||
+<domain type="kvm">
|
||||
+ <name>foobar</name>
|
||||
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
|
||||
+ <memory>65536</memory>
|
||||
+ <currentMemory>65536</currentMemory>
|
||||
+ <vcpu>1</vcpu>
|
||||
+ <os>
|
||||
+ <type arch="x86_64" machine="pc">hvm</type>
|
||||
+ <boot dev="network"/>
|
||||
+ </os>
|
||||
+ <features>
|
||||
+ <acpi/>
|
||||
+ <apic/>
|
||||
+ </features>
|
||||
+ <cpu mode="custom" match="exact">
|
||||
+ <model>qemu64</model>
|
||||
+ </cpu>
|
||||
+ <clock offset="utc">
|
||||
+ <timer name="rtc" tickpolicy="catchup"/>
|
||||
+ <timer name="pit" tickpolicy="delay"/>
|
||||
+ <timer name="hpet" present="no"/>
|
||||
+ </clock>
|
||||
+ <on_reboot>destroy</on_reboot>
|
||||
+ <pm>
|
||||
+ <suspend-to-mem enabled="no"/>
|
||||
+ <suspend-to-disk enabled="no"/>
|
||||
+ </pm>
|
||||
+ <devices>
|
||||
+ <emulator>/usr/bin/qemu-kvm</emulator>
|
||||
+ <controller type="usb" index="0" model="ich9-ehci1"/>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci1">
|
||||
+ <master startport="0"/>
|
||||
+ </controller>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci2">
|
||||
+ <master startport="2"/>
|
||||
+ </controller>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci3">
|
||||
+ <master startport="4"/>
|
||||
+ </controller>
|
||||
+ <interface type="bridge">
|
||||
+ <source bridge="eth0"/>
|
||||
+ <mac address="00:11:22:33:44:55"/>
|
||||
+ <model type="e1000"/>
|
||||
+ </interface>
|
||||
+ <console type="pty"/>
|
||||
+ </devices>
|
||||
+</domain>
|
||||
+<domain type="kvm">
|
||||
+ <name>foobar</name>
|
||||
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
|
||||
+ <memory>65536</memory>
|
||||
+ <currentMemory>65536</currentMemory>
|
||||
+ <vcpu>1</vcpu>
|
||||
+ <os>
|
||||
+ <type arch="x86_64" machine="pc">hvm</type>
|
||||
+ <boot dev="network"/>
|
||||
+ </os>
|
||||
+ <features>
|
||||
+ <acpi/>
|
||||
+ <apic/>
|
||||
+ </features>
|
||||
+ <cpu mode="custom" match="exact">
|
||||
+ <model>qemu64</model>
|
||||
+ </cpu>
|
||||
+ <clock offset="utc">
|
||||
+ <timer name="rtc" tickpolicy="catchup"/>
|
||||
+ <timer name="pit" tickpolicy="delay"/>
|
||||
+ <timer name="hpet" present="no"/>
|
||||
+ </clock>
|
||||
+ <pm>
|
||||
+ <suspend-to-mem enabled="no"/>
|
||||
+ <suspend-to-disk enabled="no"/>
|
||||
+ </pm>
|
||||
+ <devices>
|
||||
+ <emulator>/usr/bin/qemu-kvm</emulator>
|
||||
+ <controller type="usb" index="0" model="ich9-ehci1"/>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci1">
|
||||
+ <master startport="0"/>
|
||||
+ </controller>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci2">
|
||||
+ <master startport="2"/>
|
||||
+ </controller>
|
||||
+ <controller type="usb" index="0" model="ich9-uhci3">
|
||||
+ <master startport="4"/>
|
||||
+ </controller>
|
||||
+ <interface type="bridge">
|
||||
+ <source bridge="eth0"/>
|
||||
+ <mac address="00:11:22:33:44:55"/>
|
||||
+ <model type="e1000"/>
|
||||
+ </interface>
|
||||
+ <console type="pty"/>
|
||||
+ </devices>
|
||||
+</domain>
|
||||
diff --git a/tests/clitest.py b/tests/clitest.py
|
||||
index ecdf3731..32ce66e6 100644
|
||||
--- a/tests/clitest.py
|
||||
+++ b/tests/clitest.py
|
||||
@@ -568,6 +568,7 @@ c.add_invalid("--clock foo_tickpolicy=merge") # Unknown timer
|
||||
c.add_invalid("--security foobar") # Busted --security
|
||||
c.add_compare("--cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto actually works
|
||||
c.add_compare("--memory 1024,hotplugmemorymax=2048,hotplugmemoryslots=2 --cpu cell0.cpus=0,cell0.memory=1048576 --memdev dimm,access=private,target_size=512,target_node=0,source_pagesize=4,source_nodemask=1-2 --memdev nvdimm,source_path=/path/to/nvdimm,target_size=512,target_node=0,target_label_size=128", "memory-hotplug")
|
||||
+c.add_compare("--connect " + utils.URIs.kvm_q35 + " --cpu qemu64,secure=off", "cpu-disable-sec") # disable security features that are added by default
|
||||
|
||||
|
||||
|
||||
diff --git a/virtinst/cli.py b/virtinst/cli.py
|
||||
index b10c22aa..0bfa3b94 100644
|
||||
--- a/virtinst/cli.py
|
||||
+++ b/virtinst/cli.py
|
||||
@@ -1497,6 +1497,7 @@ ParserCPU.add_arg(None, "model", cb=ParserCPU.set_model_cb)
|
||||
ParserCPU.add_arg("mode", "mode")
|
||||
ParserCPU.add_arg("match", "match")
|
||||
ParserCPU.add_arg("vendor", "vendor")
|
||||
+ParserCPU.add_arg("secure", "secure", is_onoff=True)
|
||||
|
||||
ParserCPU.add_arg(None, "force", is_list=True, cb=ParserCPU.set_feature_cb)
|
||||
ParserCPU.add_arg(None, "require", is_list=True, cb=ParserCPU.set_feature_cb)
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index e3992cf4..ab40f788 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -65,6 +65,8 @@ class DomainCpu(XMLBuilder):
|
||||
_XML_PROP_ORDER = ["mode", "match", "model", "vendor",
|
||||
"sockets", "cores", "threads", "features"]
|
||||
|
||||
+ secure = True
|
||||
+
|
||||
special_mode_was_set = False
|
||||
# These values are exposed on the command line, so are stable API
|
||||
SPECIAL_MODE_HOST_MODEL_ONLY = "host-model-only"
|
||||
@@ -127,7 +129,10 @@ class DomainCpu(XMLBuilder):
|
||||
self.mode = "custom"
|
||||
if not self.match:
|
||||
self.match = "exact"
|
||||
- self._add_security_features(guest)
|
||||
+ if self.secure:
|
||||
+ self._add_security_features(guest)
|
||||
+ else:
|
||||
+ self._remove_security_features(guest)
|
||||
self.model = val
|
||||
|
||||
def add_feature(self, name, policy="require"):
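Review bot: `secure` is introduced as a plain class attribute (`secure = True` in the earlier hunk of this file), not an `XMLProperty`, so it is never serialized or parsed back from the domain XML, and `secure=off` does not merely skip the auto-add but calls `_remove_security_features()` on the new else branch; neither fact is visible to a reader of the attribute. I would document it where it is declared: `# CLI-only knob, not part of the <cpu> XML: when False, set_model() strips the host mitigation features instead of adding them`. Whether `_remove_security_features()` also drops features the user explicitly requested cannot be seen from this patch; if it does, that is worth a guard or at least a sentence in the man page text.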
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,180 @@
|
||||
From 9080810abab3d5679d20b3b8874d2fce2c28d522 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <9080810abab3d5679d20b3b8874d2fce2c28d522@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:48 +0200
|
||||
Subject: [PATCH] domain: cpu: automatically add CPU security features for
|
||||
"custom" mode
|
||||
|
||||
If user selects specific CPU model to be configured for guest we will
|
||||
automatically add CPU security features to make sure that the guest is
|
||||
not vulnerable to these CPU HW bugs.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
||||
(cherry picked from commit fb5136a6a9457894ff1e24a1f9d5f0af0a8e8bd1)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
.../compare/virt-install-qemu-plain.xml | 2 ++
|
||||
.../virt-install-singleton-config-2.xml | 4 ++++
|
||||
tests/xmlparse.py | 6 +++---
|
||||
virtManager/domain.py | 2 +-
|
||||
virtinst/cli.py | 2 +-
|
||||
virtinst/domain/cpu.py | 20 +++++++++++++++----
|
||||
6 files changed, 27 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
index d00e0cf4..eb1542c3 100644
|
||||
--- a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
+++ b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
@@ -20,6 +20,8 @@
|
||||
</features>
|
||||
<cpu mode="custom" match="exact">
|
||||
<model>Penryn</model>
|
||||
+ <feature policy="require" name="pcid"/>
|
||||
+ <feature policy="require" name="pdpe1gb"/>
|
||||
</cpu>
|
||||
<clock offset="utc">
|
||||
<timer name="rtc" tickpolicy="catchup"/>
|
||||
diff --git a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
index 621639e1..0861f62a 100644
|
||||
--- a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
+++ b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
@@ -93,6 +93,8 @@
|
||||
<model>foobar</model>
|
||||
<vendor>meee</vendor>
|
||||
<topology sockets="2" cores="2" threads="2"/>
|
||||
+ <feature policy="require" name="pcid"/>
|
||||
+ <feature policy="require" name="pdpe1gb"/>
|
||||
<feature policy="force" name="x2apic"/>
|
||||
<feature policy="force" name="x2apicagain"/>
|
||||
<feature policy="require" name="reqtest"/>
|
||||
@@ -282,6 +284,8 @@
|
||||
<model>foobar</model>
|
||||
<vendor>meee</vendor>
|
||||
<topology sockets="2" cores="2" threads="2"/>
|
||||
+ <feature policy="require" name="pcid"/>
|
||||
+ <feature policy="require" name="pdpe1gb"/>
|
||||
<feature policy="force" name="x2apic"/>
|
||||
<feature policy="force" name="x2apicagain"/>
|
||||
<feature policy="require" name="reqtest"/>
|
||||
diff --git a/tests/xmlparse.py b/tests/xmlparse.py
|
||||
index 61552720..c9828fc8 100644
|
||||
--- a/tests/xmlparse.py
|
||||
+++ b/tests/xmlparse.py
|
||||
@@ -176,7 +176,7 @@ class XMLParseTest(unittest.TestCase):
|
||||
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("match", "exact", "strict")
|
||||
- guest.cpu.set_model("qemu64")
|
||||
+ guest.cpu.set_model(guest, "qemu64")
|
||||
check("model", "qemu64")
|
||||
check("vendor", "Intel", "qemuvendor")
|
||||
check("threads", 2, 1)
|
||||
@@ -269,7 +269,7 @@ class XMLParseTest(unittest.TestCase):
|
||||
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("model", None)
|
||||
- guest.cpu.set_model("foobar")
|
||||
+ guest.cpu.set_model(guest, "foobar")
|
||||
check("model", "foobar")
|
||||
check("model_fallback", None, "allow")
|
||||
check("cores", None, 4)
|
||||
@@ -335,7 +335,7 @@ class XMLParseTest(unittest.TestCase):
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("mode", "host-passthrough", "custom")
|
||||
check("mode", "custom", "host-model")
|
||||
- guest.cpu.set_model("qemu64")
|
||||
+ guest.cpu.set_model(guest, "qemu64")
|
||||
check("model", "qemu64")
|
||||
|
||||
self._alter_compare(guest.get_xml(), outfile)
|
||||
diff --git a/virtManager/domain.py b/virtManager/domain.py
|
||||
index 96469969..5b3f1e44 100644
|
||||
--- a/virtManager/domain.py
|
||||
+++ b/virtManager/domain.py
|
||||
@@ -513,7 +513,7 @@ class vmmDomain(vmmLibvirtObject):
|
||||
if model in guest.cpu.SPECIAL_MODES:
|
||||
guest.cpu.set_special_mode(guest, model)
|
||||
else:
|
||||
- guest.cpu.set_model(model)
|
||||
+ guest.cpu.set_model(guest, model)
|
||||
self._redefine_xmlobj(guest)
|
||||
|
||||
def define_memory(self, memory=_SENTINEL, maxmem=_SENTINEL):
|
||||
diff --git a/virtinst/cli.py b/virtinst/cli.py
|
||||
index e384b03a..b10c22aa 100644
|
||||
--- a/virtinst/cli.py
|
||||
+++ b/virtinst/cli.py
|
||||
@@ -1442,7 +1442,7 @@ class ParserCPU(VirtCLIParser):
|
||||
if val in inst.SPECIAL_MODES:
|
||||
inst.set_special_mode(self.guest, val)
|
||||
else:
|
||||
- inst.set_model(val)
|
||||
+ inst.set_model(self.guest, val)
|
||||
|
||||
def set_feature_cb(self, inst, val, virtarg):
|
||||
policy = virtarg.cliname
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index 0673324c..e3992cf4 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -103,19 +103,31 @@ class DomainCpu(XMLBuilder):
|
||||
elif val == self.SPECIAL_MODE_HOST_MODEL_ONLY:
|
||||
if self.conn.caps.host.cpu.model:
|
||||
self.clear()
|
||||
- self.set_model(self.conn.caps.host.cpu.model)
|
||||
+ self.set_model(guest, self.conn.caps.host.cpu.model)
|
||||
else:
|
||||
raise RuntimeError("programming error: unknown "
|
||||
"special cpu mode '%s'" % val)
|
||||
|
||||
self.special_mode_was_set = True
|
||||
|
||||
- def set_model(self, val):
|
||||
+ def _add_security_features(self, guest):
|
||||
+ domcaps = guest.lookup_domcaps()
|
||||
+ for feature in domcaps.get_cpu_security_features():
|
||||
+ exists = False
|
||||
+ for f in self.features:
|
||||
+ if f.name == feature:
|
||||
+ exists = True
|
||||
+ break
|
||||
+ if not exists:
|
||||
+ self.add_feature(feature)
|
||||
+
|
||||
+ def set_model(self, guest, val):
|
||||
logging.debug("setting cpu model %s", val)
|
||||
if val:
|
||||
self.mode = "custom"
|
||||
if not self.match:
|
||||
self.match = "exact"
|
||||
+ self._add_security_features(guest)
|
||||
self.model = val
|
||||
|
||||
def add_feature(self, name, policy="require"):
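Review bot: `_add_security_features()` skips a feature whenever an entry with that name already exists, regardless of its policy, so a user's explicit `disable`/`forbid` entry wins over the auto-add; that is the right behaviour, but it is the only thing keeping the defaults from overriding an opt-out, and it deserves a comment. The flag-and-break loop also reads more directly as `if any(f.name == feature for f in self.features): continue  # keep the user's explicit policy, incl. disable/forbid` followed by `self.add_feature(feature)`. Note too that `set_model()` now calls `guest.lookup_domcaps()` for every non-empty model, including the `set_special_mode` path in this hunk and the `cortex-a57` default in a later one, so a cheap or cached lookup matters there. `set_special_mode` begins before this hunk.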
|
||||
@@ -147,7 +159,7 @@ class DomainCpu(XMLBuilder):
|
||||
|
||||
self.mode = "custom"
|
||||
self.match = "exact"
|
||||
- self.set_model(model)
|
||||
+ self.set_model(guest, model)
|
||||
if fallback:
|
||||
self.model_fallback = fallback
|
||||
self.vendor = cpu.vendor
|
||||
@@ -271,7 +283,7 @@ class DomainCpu(XMLBuilder):
|
||||
|
||||
elif guest.os.is_arm64() and guest.os.is_arm_machvirt():
|
||||
# -M virt defaults to a 32bit CPU, even if using aarch64
|
||||
- self.set_model("cortex-a57")
|
||||
+ self.set_model(guest, "cortex-a57")
|
||||
|
||||
elif guest.os.is_x86() and guest.type == "kvm":
|
||||
self._set_cpu_x86_kvm_default(guest)
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,161 @@
|
||||
From 220390ebd48b33d1d1fae747dc41f1aedd7646e0 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <220390ebd48b33d1d1fae747dc41f1aedd7646e0@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:47 +0200
|
||||
Subject: [PATCH] domain: cpu: introduce set_model function
|
||||
|
||||
We will need to pass another variable into the setter so we cannot use
|
||||
the property setter.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
||||
(cherry picked from commit 6423f653fd2d895d5addf37a6d504dbc9a4a0d6f)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
tests/xmlparse.py | 11 +++++++----
|
||||
virtManager/domain.py | 2 +-
|
||||
virtinst/cli.py | 2 +-
|
||||
virtinst/domain/cpu.py | 28 +++++++++++++---------------
|
||||
4 files changed, 22 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/tests/xmlparse.py b/tests/xmlparse.py
|
||||
index 709bc48f..61552720 100644
|
||||
--- a/tests/xmlparse.py
|
||||
+++ b/tests/xmlparse.py
|
||||
@@ -176,7 +176,8 @@ class XMLParseTest(unittest.TestCase):
|
||||
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("match", "exact", "strict")
|
||||
- check("model", "footest", "qemu64")
|
||||
+ guest.cpu.set_model("qemu64")
|
||||
+ check("model", "qemu64")
|
||||
check("vendor", "Intel", "qemuvendor")
|
||||
check("threads", 2, 1)
|
||||
check("cores", 5, 3)
|
||||
@@ -267,7 +268,9 @@ class XMLParseTest(unittest.TestCase):
|
||||
guest.seclabels[0].get_xml().startswith("<seclabel"))
|
||||
|
||||
check = self._make_checker(guest.cpu)
|
||||
- check("model", None, "foobar")
|
||||
+ check("model", None)
|
||||
+ guest.cpu.set_model("foobar")
|
||||
+ check("model", "foobar")
|
||||
check("model_fallback", None, "allow")
|
||||
check("cores", None, 4)
|
||||
guest.cpu.add_feature("x2apic", "forbid")
|
||||
@@ -332,8 +335,8 @@ class XMLParseTest(unittest.TestCase):
|
||||
check = self._make_checker(guest.cpu)
|
||||
check("mode", "host-passthrough", "custom")
|
||||
check("mode", "custom", "host-model")
|
||||
- # mode will be "custom"
|
||||
- check("model", None, "qemu64")
|
||||
+ guest.cpu.set_model("qemu64")
|
||||
+ check("model", "qemu64")
|
||||
|
||||
self._alter_compare(guest.get_xml(), outfile)
|
||||
|
||||
diff --git a/virtManager/domain.py b/virtManager/domain.py
|
||||
index 4fcc716e..96469969 100644
|
||||
--- a/virtManager/domain.py
|
||||
+++ b/virtManager/domain.py
|
||||
@@ -513,7 +513,7 @@ class vmmDomain(vmmLibvirtObject):
|
||||
if model in guest.cpu.SPECIAL_MODES:
|
||||
guest.cpu.set_special_mode(guest, model)
|
||||
else:
|
||||
- guest.cpu.model = model
|
||||
+ guest.cpu.set_model(model)
|
||||
self._redefine_xmlobj(guest)
|
||||
|
||||
def define_memory(self, memory=_SENTINEL, maxmem=_SENTINEL):
|
||||
diff --git a/virtinst/cli.py b/virtinst/cli.py
|
||||
index 63acb642..e384b03a 100644
|
||||
--- a/virtinst/cli.py
|
||||
+++ b/virtinst/cli.py
|
||||
@@ -1442,7 +1442,7 @@ class ParserCPU(VirtCLIParser):
|
||||
if val in inst.SPECIAL_MODES:
|
||||
inst.set_special_mode(self.guest, val)
|
||||
else:
|
||||
- inst.model = val
|
||||
+ inst.set_model(val)
|
||||
|
||||
def set_feature_cb(self, inst, val, virtarg):
|
||||
policy = virtarg.cliname
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index d66704c1..0673324c 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -62,7 +62,7 @@ class DomainCpu(XMLBuilder):
|
||||
Class for generating <cpu> XML
|
||||
"""
|
||||
XML_NAME = "cpu"
|
||||
- _XML_PROP_ORDER = ["mode", "match", "_model", "vendor",
|
||||
+ _XML_PROP_ORDER = ["mode", "match", "model", "vendor",
|
||||
"sockets", "cores", "threads", "features"]
|
||||
|
||||
special_mode_was_set = False
|
||||
@@ -103,13 +103,21 @@ class DomainCpu(XMLBuilder):
|
||||
elif val == self.SPECIAL_MODE_HOST_MODEL_ONLY:
|
||||
if self.conn.caps.host.cpu.model:
|
||||
self.clear()
|
||||
- self.model = self.conn.caps.host.cpu.model
|
||||
+ self.set_model(self.conn.caps.host.cpu.model)
|
||||
else:
|
||||
raise RuntimeError("programming error: unknown "
|
||||
"special cpu mode '%s'" % val)
|
||||
|
||||
self.special_mode_was_set = True
|
||||
|
||||
+ def set_model(self, val):
|
||||
+ logging.debug("setting cpu model %s", val)
|
||||
+ if val:
|
||||
+ self.mode = "custom"
|
||||
+ if not self.match:
|
||||
+ self.match = "exact"
|
||||
+ self.model = val
|
||||
+
|
||||
def add_feature(self, name, policy="require"):
|
||||
feature = self.features.add_new()
|
||||
feature.name = name
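Review bot: `set_model()` has no docstring, yet it is now the only place the mode/match invariant lives: the later hunk turns `model` into a bare `XMLProperty`, so a direct `cpu.model = x` assignment anywhere else no longer forces `mode = "custom"` and `match = "exact"` the way the removed property setter did. I would add a short docstring, e.g. `"""Set the CPU model; use this rather than assigning .model directly, since a non-empty model switches mode to "custom" and defaults match to "exact"."""`, so the next caller does not reintroduce the bypass this series is removing. A falsy `val` is still written to `self.model` without touching mode/match, which matches the old setter's behaviour.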
|
||||
@@ -139,7 +147,7 @@ class DomainCpu(XMLBuilder):
|
||||
|
||||
self.mode = "custom"
|
||||
self.match = "exact"
|
||||
- self.model = model
|
||||
+ self.set_model(model)
|
||||
if fallback:
|
||||
self.model_fallback = fallback
|
||||
self.vendor = cpu.vendor
|
||||
@@ -201,17 +209,7 @@ class DomainCpu(XMLBuilder):
|
||||
# XML properties #
|
||||
##################
|
||||
|
||||
- def _set_model(self, val):
|
||||
- if val:
|
||||
- self.mode = "custom"
|
||||
- if not self.match:
|
||||
- self.match = "exact"
|
||||
- self._model = val
|
||||
- def _get_model(self):
|
||||
- return self._model
|
||||
- _model = XMLProperty("./model")
|
||||
- model = property(_get_model, _set_model)
|
||||
-
|
||||
+ model = XMLProperty("./model")
|
||||
model_fallback = XMLProperty("./model/@fallback")
|
||||
|
||||
match = XMLProperty("./@match")
|
||||
@@ -273,7 +271,7 @@ class DomainCpu(XMLBuilder):
|
||||
|
||||
elif guest.os.is_arm64() and guest.os.is_arm_machvirt():
|
||||
# -M virt defaults to a 32bit CPU, even if using aarch64
|
||||
- self.model = "cortex-a57"
|
||||
+ self.set_model("cortex-a57")
|
||||
|
||||
elif guest.os.is_x86() and guest.type == "kvm":
|
||||
self._set_cpu_x86_kvm_default(guest)
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,64 @@
|
||||
From 0424ece6003d2a06f41f4277bb258d6f753c70c6 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <0424ece6003d2a06f41f4277bb258d6f753c70c6@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:52 +0200
|
||||
Subject: [PATCH] domcapabilities: add caching of CPU security features
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We will call this function multiple times so it makes sense to cache the
|
||||
result so we don't have to call libvirt APIs every time we will check
|
||||
what security features are available on the host.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 00f8dea370ae0874dc655d3718978a6a8e397a34)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
virtinst/domcapabilities.py | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
||||
index 2905aa9e..6636addf 100644
|
||||
--- a/virtinst/domcapabilities.py
|
||||
+++ b/virtinst/domcapabilities.py
|
||||
@@ -260,6 +260,8 @@ class DomainCapabilities(XMLBuilder):
|
||||
|
||||
return DomainCpu(self.conn, expandedXML)
|
||||
|
||||
+ _features = None
|
||||
+
|
||||
def get_cpu_security_features(self):
|
||||
sec_features = [
|
||||
'spec-ctrl',
|
||||
@@ -267,7 +269,10 @@ class DomainCapabilities(XMLBuilder):
|
||||
'ibpb',
|
||||
'virt-ssbd']
|
||||
|
||||
- features = []
|
||||
+ if self._features:
|
||||
+ return self._features
|
||||
+
|
||||
+ self._features = []
|
||||
|
||||
for m in self.cpu.modes:
|
||||
if m.name != "host-model" or not m.supported:
|
||||
@@ -281,9 +286,9 @@ class DomainCapabilities(XMLBuilder):
|
||||
|
||||
for feature in cpu.features:
|
||||
if feature.name in sec_features:
|
||||
- features.append(feature.name)
|
||||
+ self._features.append(feature.name)
|
||||
|
||||
- return features
|
||||
+ return self._features
|
||||
|
||||
|
||||
XML_NAME = "domainCapabilities"
|
||||
--
|
||||
2.21.0
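Review bot: The cache test `if self._features:` at the top of get_cpu_security_features treats an empty list as a miss, so on a host where no mitigation feature is found (or where the baseline query failed and the loop broke out) the libvirt baseline APIs are still called on every invocation, which is the repeated cost the description says this change removes. Checking `if self._features is not None: return self._features` lets the empty result be cached too. That would also cache a failed `_get_expanded_cpu` call as "no features" for the lifetime of the object; if that is not intended, reset `self._features = None` in the `except libvirt.libvirtError` branch before its `break` (that branch lies between the hunks, outside this view). The method body is split across the hunks shown here.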
|
||||
|
@ -0,0 +1,61 @@
|
||||
From 961ffb1709e7af8c394093aca94f64b4c5ffda36 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <961ffb1709e7af8c394093aca94f64b4c5ffda36@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:56 +0200
|
||||
Subject: [PATCH] domcapabilities: detect MDS new vulnerability
|
||||
|
||||
There is a new security feature 'md-clear' that mitigates recent CPU
|
||||
Microarchitectural Store Buffer Data vulnerability.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
(cherry picked from commit c11d6ba4d7024eaac83b6e2d6ae88172f4c01e98)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
man/virt-install.pod | 13 +++++++------
|
||||
virtinst/domcapabilities.py | 3 ++-
|
||||
2 files changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/man/virt-install.pod b/man/virt-install.pod
|
||||
index 1cd31fa2..f845ccb3 100644
|
||||
--- a/man/virt-install.pod
|
||||
+++ b/man/virt-install.pod
|
||||
@@ -220,12 +220,13 @@ and 'disable=feature' respectively.
|
||||
|
||||
If exact CPU model is specified virt-install will automatically copy CPU
|
||||
features available on the host to mitigate recent CPU speculative execution
|
||||
-side channel security vulnerabilities. This however will have some impact
|
||||
-on performance and will break migration to hosts without security patches.
|
||||
-In order to control this behavior there is a B<secure> parameter. Possible
|
||||
-values are I<on> and I<off>, with I<on> as the default. It is highly
|
||||
-recommended to leave this enabled and ensure all virtualization hosts have
|
||||
-fully up to date microcode, kernel & virtualization software installed.
|
||||
+side channel and Microarchitectural Store Buffer Data security vulnerabilities.
|
||||
+This however will have some impact on performance and will break migration
|
||||
+to hosts without security patches. In order to control this behavior there
|
||||
+is a B<secure> parameter. Possible values are I<on> and I<off>, with I<on>
|
||||
+as the default. It is highly recommended to leave this enabled and ensure all
|
||||
+virtualization hosts have fully up to date microcode, kernel & virtualization
|
||||
+software installed.
|
||||
|
||||
Some examples:
|
||||
|
||||
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
||||
index 6636addf..74e5c842 100644
|
||||
--- a/virtinst/domcapabilities.py
|
||||
+++ b/virtinst/domcapabilities.py
|
||||
@@ -267,7 +267,8 @@ class DomainCapabilities(XMLBuilder):
|
||||
'spec-ctrl',
|
||||
'ssbd',
|
||||
'ibpb',
|
||||
- 'virt-ssbd']
|
||||
+ 'virt-ssbd',
|
||||
+ 'md-clear']
|
||||
|
||||
if self._features:
|
||||
return self._features
|
||||
--
|
||||
2.21.0
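Review bot: `sec_features` in get_cpu_security_features is a hand-maintained allow-list that this patch grows (md-clear) and an earlier patch on this page prunes (pcid, pdpe1gb, amd-ssbd, amd-no-ssb), yet nothing next to the list records what qualifies an entry, and this patch had to edit man/virt-install.pod by hand to keep the two in step. A comment above the list would carry the rule that currently lives only in commit messages, e.g. `# CPU flags that are genuine mitigations for speculative-execution / MDS flaws; perf hints such as pcid do not belong here. Keep man/virt-install.pod in sync.`. The same comment belongs on the list where it is introduced in the get_cpu_security_features patch further down this page.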
|
||||
|
@ -0,0 +1,45 @@
|
||||
From 7c3db309efe09e0bdf8834842525c5aa91a80387 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <7c3db309efe09e0bdf8834842525c5aa91a80387@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:50 +0200
|
||||
Subject: [PATCH] domcapabilities: fix typo in function name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit b711b28b1af6998f57d5610139439518545663f0)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
virtinst/domcapabilities.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
||||
index 42a18f1e..2905aa9e 100644
|
||||
--- a/virtinst/domcapabilities.py
|
||||
+++ b/virtinst/domcapabilities.py
|
||||
@@ -244,7 +244,7 @@ class DomainCapabilities(XMLBuilder):
|
||||
arch.text = self.arch
|
||||
return ET.tostring(root, encoding="unicode")
|
||||
|
||||
- def _get_expandned_cpu(self, mode):
|
||||
+ def _get_expanded_cpu(self, mode):
|
||||
cpuXML = self._convert_mode_to_cpu(mode.get_xml())
|
||||
logging.debug("CPU XML for security flag baseline: %s", cpuXML)
|
||||
|
||||
@@ -274,7 +274,7 @@ class DomainCapabilities(XMLBuilder):
|
||||
continue
|
||||
|
||||
try:
|
||||
- cpu = self._get_expandned_cpu(m)
|
||||
+ cpu = self._get_expanded_cpu(m)
|
||||
except libvirt.libvirtError as e:
|
||||
logging.warning(_("Failed to get expanded CPU XML: %s"), e)
|
||||
break
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,108 @@
|
||||
From 6088fe594a3a5d383e345029473e2dd933dc8220 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <6088fe594a3a5d383e345029473e2dd933dc8220@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:46 +0200
|
||||
Subject: [PATCH] domcapabilities: introduce get_cpu_security_features
|
||||
|
||||
Get all CPU security features that we should enable for guests.
|
||||
|
||||
In order to do that we need to get CPU definition from domain
|
||||
capabilities and modify the XML so it is in required format for
|
||||
libvirt CPU baseline APIs. We will prefer the baselineHypervisorCPU
|
||||
API because that considers what QEMU actually supports and we will
|
||||
fallback to baselineCPU API if the better one is not supported by
|
||||
libvirt.
|
||||
|
||||
This way we can figure out which of the security features are actually
|
||||
available on that specific host for that specific QEMU binary.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
||||
(cherry picked from commit 4a8b6363c0891e37d9532213a046c5c57aedfd8b)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
virtinst/domcapabilities.py | 57 +++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 57 insertions(+)
|
||||
|
||||
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
||||
index 4cbb7f20..28ed8630 100644
|
||||
--- a/virtinst/domcapabilities.py
|
||||
+++ b/virtinst/domcapabilities.py
|
||||
@@ -8,7 +8,11 @@
|
||||
|
||||
import logging
|
||||
import re
|
||||
+import xml.etree.ElementTree as ET
|
||||
|
||||
+import libvirt
|
||||
+
|
||||
+from .domain import DomainCpu
|
||||
from .xmlbuilder import XMLBuilder, XMLChildProperty, XMLProperty
|
||||
|
||||
|
||||
@@ -232,6 +236,59 @@ class DomainCapabilities(XMLBuilder):
|
||||
return [(m.name == "host-model" and m.supported)
|
||||
for m in self.cpu.modes]
|
||||
|
||||
+ def _convert_mode_to_cpu(self, xml):
|
||||
+ root = ET.fromstring(xml)
|
||||
+ root.tag = "cpu"
|
||||
+ root.attrib = None
|
||||
+ arch = ET.SubElement(root, "arch")
|
||||
+ arch.text = self.arch
|
||||
+ return ET.tostring(root, encoding="unicode")
|
||||
+
|
||||
+ def _get_expandned_cpu(self, mode):
|
||||
+ cpuXML = self._convert_mode_to_cpu(mode.get_xml())
|
||||
+ logging.debug("CPU XML for security flag baseline: %s", cpuXML)
|
||||
+
|
||||
+ try:
|
||||
+ expandedXML = self.conn.baselineHypervisorCPU(
|
||||
+ self.path, self.arch, self.machine, self.domain, [cpuXML],
|
||||
+ libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
|
||||
+ except libvirt.libvirtError:
|
||||
+ expandedXML = self.conn.baselineCPU([cpuXML],
|
||||
+ libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
|
||||
+
|
||||
+ logging.debug("Expanded CPU XML: %s", expandedXML)
|
||||
+
|
||||
+ return DomainCpu(self.conn, expandedXML)
|
||||
+
|
||||
+ def get_cpu_security_features(self):
|
||||
+ sec_features = [
|
||||
+ 'pcid',
|
||||
+ 'spec-ctrl',
|
||||
+ 'ssbd',
|
||||
+ 'pdpe1gb',
|
||||
+ 'ibpb',
|
||||
+ 'virt-ssbd',
|
||||
+ 'amd-ssbd',
|
||||
+ 'amd-no-ssb']
|
||||
+
|
||||
+ features = []
|
||||
+
|
||||
+ for m in self.cpu.modes:
|
||||
+ if m.name != "host-model" or not m.supported:
|
||||
+ continue
|
||||
+
|
||||
+ try:
|
||||
+ cpu = self._get_expandned_cpu(m)
|
||||
+ except libvirt.libvirtError as e:
|
||||
+ logging.warning(_("Failed to get expanded CPU XML: %s"), e)
|
||||
+ break
|
||||
+
|
||||
+ for feature in cpu.features:
|
||||
+ if feature.name in sec_features:
|
||||
+ features.append(feature.name)
|
||||
+
|
||||
+ return features
|
||||
+
|
||||
|
||||
XML_NAME = "domainCapabilities"
|
||||
os = XMLChildProperty(_OS, is_single=True)
|
||||
--
|
||||
2.21.0
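Review bot: `root.attrib = None` in `_convert_mode_to_cpu` leans on an implementation detail of the C-accelerated xml.etree, which uses None internally for "no attributes"; the pure-Python Element.items() does `self.attrib.items()`, so serialising this element with the fallback implementation raises on None. `root.attrib.clear()` strips the mode element's attributes on every implementation. Separately, the `except libvirt.libvirtError` branch in get_cpu_security_features logs a warning and breaks, so a failed baseline query returns the same empty list as a host with no mitigations to offer, and callers elsewhere on this page treat an empty result as "nothing to copy"; a transient libvirt error therefore yields a guest without mitigations and only a log line. Consider re-raising, or returning None so callers can tell "unknown" from "none", and stating that contract in a docstring on the method, which currently has none.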
|
||||
|
@ -0,0 +1,99 @@
|
||||
From 1e605c106819be56f16e6e057015d7a42600c0ba Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <1e605c106819be56f16e6e057015d7a42600c0ba@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:49 +0200
|
||||
Subject: [PATCH] domcapabilities: remove recommended CPU features from
|
||||
security features
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
These features are only recommended to be enabled since they improve
|
||||
performance of the VMs if security features are enabled.
|
||||
|
||||
pcid is a very useful perf feature, but missing in some silicon
|
||||
so not portable.
|
||||
|
||||
pdpe1gb lets the guest use 1 GB pages which is good for perf
|
||||
but again not all silicon can do it.
|
||||
|
||||
amd-ssbd is a security feature which fixes the same SSBD flaws as the
|
||||
virt-ssbd feature does. virt-ssbd is usable across all CPU models
|
||||
affected by SSBD, while amd-ssbd is only available in very new silicon.
|
||||
So virt-ssbd is the bette rchoice.
|
||||
|
||||
amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
|
||||
critical to expose. I expect a future named CPU model will include that
|
||||
where appropriate.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 29f815fbd23082dff79d2d716e32a644b5a15d4a)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
tests/cli-test-xml/compare/virt-install-qemu-plain.xml | 2 --
|
||||
.../compare/virt-install-singleton-config-2.xml | 4 ----
|
||||
virtinst/domcapabilities.py | 6 +-----
|
||||
3 files changed, 1 insertion(+), 11 deletions(-)
|
||||
|
||||
diff --git a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
index eb1542c3..d00e0cf4 100644
|
||||
--- a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
+++ b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
||||
@@ -20,8 +20,6 @@
|
||||
</features>
|
||||
<cpu mode="custom" match="exact">
|
||||
<model>Penryn</model>
|
||||
- <feature policy="require" name="pcid"/>
|
||||
- <feature policy="require" name="pdpe1gb"/>
|
||||
</cpu>
|
||||
<clock offset="utc">
|
||||
<timer name="rtc" tickpolicy="catchup"/>
|
||||
diff --git a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
index 0861f62a..621639e1 100644
|
||||
--- a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
+++ b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
||||
@@ -93,8 +93,6 @@
|
||||
<model>foobar</model>
|
||||
<vendor>meee</vendor>
|
||||
<topology sockets="2" cores="2" threads="2"/>
|
||||
- <feature policy="require" name="pcid"/>
|
||||
- <feature policy="require" name="pdpe1gb"/>
|
||||
<feature policy="force" name="x2apic"/>
|
||||
<feature policy="force" name="x2apicagain"/>
|
||||
<feature policy="require" name="reqtest"/>
|
||||
@@ -284,8 +282,6 @@
|
||||
<model>foobar</model>
|
||||
<vendor>meee</vendor>
|
||||
<topology sockets="2" cores="2" threads="2"/>
|
||||
- <feature policy="require" name="pcid"/>
|
||||
- <feature policy="require" name="pdpe1gb"/>
|
||||
<feature policy="force" name="x2apic"/>
|
||||
<feature policy="force" name="x2apicagain"/>
|
||||
<feature policy="require" name="reqtest"/>
|
||||
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
||||
index 28ed8630..42a18f1e 100644
|
||||
--- a/virtinst/domcapabilities.py
|
||||
+++ b/virtinst/domcapabilities.py
|
||||
@@ -262,14 +262,10 @@ class DomainCapabilities(XMLBuilder):
|
||||
|
||||
def get_cpu_security_features(self):
|
||||
sec_features = [
|
||||
- 'pcid',
|
||||
'spec-ctrl',
|
||||
'ssbd',
|
||||
- 'pdpe1gb',
|
||||
'ibpb',
|
||||
- 'virt-ssbd',
|
||||
- 'amd-ssbd',
|
||||
- 'amd-no-ssb']
|
||||
+ 'virt-ssbd']
|
||||
|
||||
features = []
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,102 @@
|
||||
From c4ce5e02fededc9121c181a7b20ea0e6ebd1c1de Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <c4ce5e02fededc9121c181a7b20ea0e6ebd1c1de@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 08:06:10 -0400
|
||||
Subject: [PATCH] tests: clitest: Add a test case for the last commit
|
||||
|
||||
From: Cole Robinson <crobinso@redhat.com>
|
||||
|
||||
We need a custom test driver input to reproduce the pool collision
|
||||
|
||||
(cherry picked from commit fcabcb7a95c9dd81fb7c1335c3c181bb08a31ad0)
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1714752
|
||||
---
|
||||
.../testdriver-defaultpool-collision.xml | 47 +++++++++++++++++++
|
||||
tests/clitest.py | 1 +
|
||||
tests/utils.py | 2 +
|
||||
3 files changed, 50 insertions(+)
|
||||
create mode 100644 tests/cli-test-xml/testdriver-defaultpool-collision.xml
|
||||
|
||||
diff --git a/tests/cli-test-xml/testdriver-defaultpool-collision.xml b/tests/cli-test-xml/testdriver-defaultpool-collision.xml
|
||||
new file mode 100644
|
||||
index 00000000..1343f812
|
||||
--- /dev/null
|
||||
+++ b/tests/cli-test-xml/testdriver-defaultpool-collision.xml
|
||||
@@ -0,0 +1,47 @@
|
||||
+<node>
|
||||
+
|
||||
+ <cpu>
|
||||
+ <nodes>1</nodes>
|
||||
+ <sockets>4</sockets>
|
||||
+ <cores>4</cores>
|
||||
+ <threads>1</threads>
|
||||
+ <active>4</active>
|
||||
+ <mhz>4000</mhz>
|
||||
+ <model>i686</model>
|
||||
+ </cpu>
|
||||
+ <memory>10000000</memory>
|
||||
+
|
||||
+
|
||||
+<network>
|
||||
+ <name>default</name>
|
||||
+ <uuid>715666b7-dbd4-6c78-fa55-94863da09f2d</uuid>
|
||||
+ <forward mode='nat'/>
|
||||
+ <bridge name='virbr0' stp='on' forwardDelay='0' />
|
||||
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
|
||||
+ <dhcp>
|
||||
+ <range start='192.168.122.2' end='192.168.122.254' />
|
||||
+ </dhcp>
|
||||
+ </ip>
|
||||
+</network>
|
||||
+
|
||||
+
|
||||
+
|
||||
+<pool type='dir'>
|
||||
+ <name>default-pool-path-collision</name>
|
||||
+ <uuid>35bb2ad9-388a-cdfe-461a-b8907f6e53fe</uuid>
|
||||
+ <capacity>107374182400</capacity>
|
||||
+ <allocation>0</allocation>
|
||||
+ <available>107374182400</available>
|
||||
+ <source>
|
||||
+ </source>
|
||||
+ <target>
|
||||
+ <path>/var/lib/libvirt/images</path>
|
||||
+ <permissions>
|
||||
+ <mode>0700</mode>
|
||||
+ <owner>10736</owner>
|
||||
+ <group>10736</group>
|
||||
+ </permissions>
|
||||
+ </target>
|
||||
+</pool>
|
||||
+
|
||||
+</node>
|
||||
diff --git a/tests/clitest.py b/tests/clitest.py
|
||||
index 824293e4..ecdf3731 100644
|
||||
--- a/tests/clitest.py
|
||||
+++ b/tests/clitest.py
|
||||
@@ -684,6 +684,7 @@ c.add_valid("--nodisks --pxe", grep="VM performance may suffer") # os variant w
|
||||
c.add_invalid("--hvm --nodisks --pxe foobar") # Positional arguments error
|
||||
c.add_invalid("--nodisks --pxe --name test") # Colliding name
|
||||
c.add_compare("--cdrom %(EXISTIMG1)s --disk size=1 --disk %(EXISTIMG2)s,device=cdrom", "cdrom-double") # ensure --disk device=cdrom is ordered after --cdrom, this is important for virtio-win installs with a driver ISO
|
||||
+c.add_valid("--connect %s --pxe --disk size=1" % utils.URIs.test_defaultpool_collision) # testdriver already has a pool using the 'default' path, make sure we don't error
|
||||
|
||||
|
||||
|
||||
diff --git a/tests/utils.py b/tests/utils.py
|
||||
index d22933d3..ef7c613a 100644
|
||||
--- a/tests/utils.py
|
||||
+++ b/tests/utils.py
|
||||
@@ -56,6 +56,8 @@ class _URIs(object):
|
||||
self.test_full = _testtmpl % (os.getcwd() + "/tests/testdriver.xml")
|
||||
self.test_suite = _testtmpl % (os.getcwd() + "/tests/testsuite.xml")
|
||||
self.test_remote = self.test_full + ",remote"
|
||||
+ self.test_defaultpool_collision = (_testtmpl % (os.getcwd() +
|
||||
+ "/tests/cli-test-xml/testdriver-defaultpool-collision.xml"))
|
||||
|
||||
self.xen = self.test_full + _caps("xen-rhel5.4.xml") + ",xen"
|
||||
self.lxc = self.test_full + _caps("lxc.xml") + ",lxc"
|
||||
--
|
||||
2.21.0
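Review bot: The new `c.add_valid("--connect %s --pxe --disk size=1" % utils.URIs.test_defaultpool_collision)` in tests/clitest.py only asserts that virt-install exits cleanly against the colliding-pool driver, so a regression in how the volume's pool is resolved would still pass as long as no error is raised. If the harness allows it for this connection, an `add_compare` against an expected XML, as the neighbouring cdrom-double case does, would pin where the disk actually lands. The test definitions this hunk extends start outside the hunk.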
|
||||
|
@ -0,0 +1,186 @@
|
||||
From c05e60de1acb174bb40257d3481267e35dc62960 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <c05e60de1acb174bb40257d3481267e35dc62960@dist-git>
|
||||
From: Pavel Hrdina <phrdina@redhat.com>
|
||||
Date: Wed, 15 May 2019 10:37:53 +0200
|
||||
Subject: [PATCH] virt-manager: add new checkbox to control CPU security
|
||||
features
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
By default we copy CPU security features to the guest if specific CPU
|
||||
model is selected. However, this may break migration and will affect
|
||||
performance of the guest. This adds an option to disable this default
|
||||
behavior.
|
||||
|
||||
The checkbox is clickable only on x86 and only on host where we can
|
||||
detect any CPU security features, otherwise a tooltip is set to notify
|
||||
users that there is nothing to copy.
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 8720637cff7b0766d9e27a60b0f81740176d70c8)
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
|
||||
|
||||
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
||||
---
|
||||
ui/details.ui | 15 +++++++++++++++
|
||||
virtManager/details.py | 21 +++++++++++++++++++++
|
||||
virtManager/domain.py | 5 +++--
|
||||
virtinst/domain/cpu.py | 30 ++++++++++++++++++++++++++++++
|
||||
4 files changed, 69 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ui/details.ui b/ui/details.ui
|
||||
index c18070c8..1e1be759 100644
|
||||
--- a/ui/details.ui
|
||||
+++ b/ui/details.ui
|
||||
@@ -2122,6 +2122,21 @@
|
||||
<property name="top_attach">1</property>
|
||||
</packing>
|
||||
</child>
|
||||
+ <child>
|
||||
+ <object class="GtkCheckButton" id="cpu-secure">
|
||||
+ <property name="label" translatable="yes">Enable available CPU security flaw mitigations</property>
|
||||
+ <property name="visible">True</property>
|
||||
+ <property name="can_focus">True</property>
|
||||
+ <property name="receives_default">False</property>
|
||||
+ <property name="draw_indicator">True</property>
|
||||
+ <signal name="toggled" handler="on_cpu_secure_toggled" swapped="no"/>
|
||||
+ </object>
|
||||
+ <packing>
|
||||
+ <property name="left_attach">0</property>
|
||||
+ <property name="top_attach">2</property>
|
||||
+ <property name="width">2</property>
|
||||
+ </packing>
|
||||
+ </child>
|
||||
</object>
|
||||
</child>
|
||||
</object>
|
||||
diff --git a/virtManager/details.py b/virtManager/details.py
|
||||
index b7e7fc14..b8899d77 100644
|
||||
--- a/virtManager/details.py
|
||||
+++ b/virtManager/details.py
|
||||
@@ -523,6 +523,7 @@ class vmmDetails(vmmGObjectUI):
|
||||
"on_cpu_maxvcpus_changed": self.config_maxvcpus_changed,
|
||||
"on_cpu_model_changed": lambda *x: self.config_cpu_model_changed(x),
|
||||
"on_cpu_copy_host_clicked": self.on_cpu_copy_host_clicked,
|
||||
+ "on_cpu_secure_toggled": self.on_cpu_secure_toggled,
|
||||
"on_cpu_cores_changed": self.config_cpu_topology_changed,
|
||||
"on_cpu_sockets_changed": self.config_cpu_topology_changed,
|
||||
"on_cpu_threads_changed": self.config_cpu_topology_changed,
|
||||
@@ -1716,6 +1717,11 @@ class vmmDetails(vmmGObjectUI):
|
||||
def on_cpu_copy_host_clicked(self, src):
|
||||
uiutil.set_grid_row_visible(
|
||||
self.widget("cpu-model"), not src.get_active())
|
||||
+ uiutil.set_grid_row_visible(
|
||||
+ self.widget("cpu-secure"), not src.get_active())
|
||||
+ self.enable_apply(EDIT_CPU)
|
||||
+
|
||||
+ def on_cpu_secure_toggled(self, ignore):
|
||||
self.enable_apply(EDIT_CPU)
|
||||
|
||||
def config_cpu_model_changed(self, ignore):
|
||||
@@ -2014,6 +2020,7 @@ class vmmDetails(vmmGObjectUI):
|
||||
|
||||
if self.edited(EDIT_CPU):
|
||||
kwargs["model"] = self.get_config_cpu_model()
|
||||
+ kwargs["secure"] = self.widget("cpu-secure").get_active()
|
||||
|
||||
if self.edited(EDIT_TOPOLOGY):
|
||||
do_top = self.widget("cpu-topology-enable").get_active()
|
||||
@@ -2574,6 +2581,11 @@ class vmmDetails(vmmGObjectUI):
|
||||
n1, n2 = self.vm.network_traffic_vectors()
|
||||
self.network_traffic_graph.set_property("data_array", n1 + n2)
|
||||
|
||||
+ def _cpu_secure_is_available(self):
|
||||
+ domcaps = self.vm.get_domain_capabilities()
|
||||
+ features = domcaps.get_cpu_security_features()
|
||||
+ return self.vm.get_xmlobj().os.is_x86() and len(features) > 0
|
||||
+
|
||||
def refresh_config_cpu(self):
|
||||
# Set topology first, because it impacts maxvcpus values
|
||||
cpu = self.vm.get_cpu_config()
|
||||
@@ -2627,6 +2639,15 @@ class vmmDetails(vmmGObjectUI):
|
||||
self.widget("cpu-copy-host").set_active(bool(is_host))
|
||||
self.on_cpu_copy_host_clicked(self.widget("cpu-copy-host"))
|
||||
|
||||
+ if not self._cpu_secure_is_available():
|
||||
+ self.widget("cpu-secure").set_sensitive(False)
|
||||
+ self.widget("cpu-secure").set_tooltip_text(
|
||||
+ "No security features to copy, the host is missing "
|
||||
+ "security patches or the host CPU is not vulnerable.")
|
||||
+
|
||||
+ cpu.check_security_features(self.vm.get_xmlobj())
|
||||
+ self.widget("cpu-secure").set_active(cpu.secure)
|
||||
+
|
||||
def refresh_config_memory(self):
|
||||
host_mem_widget = self.widget("state-host-memory")
|
||||
host_mem = self.vm.conn.host_memory_size() // 1024
|
||||
diff --git a/virtManager/domain.py b/virtManager/domain.py
|
||||
index 5b3f1e44..c8f4e822 100644
|
||||
--- a/virtManager/domain.py
|
||||
+++ b/virtManager/domain.py
|
||||
@@ -495,7 +495,7 @@ class vmmDomain(vmmLibvirtObject):
|
||||
self._redefine_xmlobj(xmlobj)
|
||||
|
||||
def define_cpu(self, vcpus=_SENTINEL, maxvcpus=_SENTINEL,
|
||||
- model=_SENTINEL, sockets=_SENTINEL,
|
||||
+ model=_SENTINEL, secure=_SENTINEL, sockets=_SENTINEL,
|
||||
cores=_SENTINEL, threads=_SENTINEL):
|
||||
guest = self._make_xmlobj_to_define()
|
||||
|
||||
@@ -509,7 +509,8 @@ class vmmDomain(vmmLibvirtObject):
|
||||
guest.cpu.cores = cores
|
||||
guest.cpu.threads = threads
|
||||
|
||||
- if model != _SENTINEL:
|
||||
+ if secure != _SENTINEL or model != _SENTINEL:
|
||||
+ guest.cpu.secure = secure
|
||||
if model in guest.cpu.SPECIAL_MODES:
|
||||
guest.cpu.set_special_mode(guest, model)
|
||||
else:
|
||||
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
|
||||
index ab40f788..c6a411bb 100644
|
||||
--- a/virtinst/domain/cpu.py
|
||||
+++ b/virtinst/domain/cpu.py
|
||||
@@ -123,6 +123,36 @@ class DomainCpu(XMLBuilder):
|
||||
if not exists:
|
||||
self.add_feature(feature)
|
||||
|
||||
+ def check_security_features(self, guest):
|
||||
+ """
|
||||
+ Since 'secure' property is not exported into the domain XML
|
||||
+ we might need to refresh its state.
|
||||
+ """
|
||||
+ domcaps = guest.lookup_domcaps()
|
||||
+ features = domcaps.get_cpu_security_features()
|
||||
+
|
||||
+ if len(features) == 0:
|
||||
+ self.secure = False
|
||||
+ return
|
||||
+
|
||||
+ for feature in features:
|
||||
+ exists = False
|
||||
+ for f in self.features:
|
||||
+ if f.name == feature and f.policy == "require":
|
||||
+ exists = True
|
||||
+ break
|
||||
+ if not exists:
|
||||
+ self.secure = False
|
||||
+ return
|
||||
+
|
||||
+ def _remove_security_features(self, guest):
|
||||
+ domcaps = guest.lookup_domcaps()
|
||||
+ for feature in domcaps.get_cpu_security_features():
|
||||
+ for f in self.features:
|
||||
+ if f.name == feature and f.policy == "require":
|
||||
+ self.remove_child(f)
|
||||
+ break
|
||||
+
|
||||
def set_model(self, guest, val):
|
||||
logging.debug("setting cpu model %s", val)
|
||||
if val:
|
||||
--
|
||||
2.21.0
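Review bot: In vmmDomain.define_cpu the widened condition `if secure != _SENTINEL or model != _SENTINEL:` is followed unconditionally by `guest.cpu.secure = secure`, so a caller that passes only `model`, which the signature still allows, stores the `_SENTINEL` object into `guest.cpu.secure`. Guard the assignment on its own inside the widened branch: `if secure != _SENTINEL:` / `    guest.cpu.secure = secure`. The details.py caller on this page always passes both keywords, which is presumably why the UI does not show the problem. In details.py the tooltip `"No security features to copy, …"` is a plain literal while the matching checkbox label in ui/details.ui is marked translatable; wrapping it in `_()` keeps the two consistent.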
|
||||
|
@ -13,7 +13,7 @@
|
||||
|
||||
Name: virt-manager
|
||||
Version: 2.0.0
|
||||
Release: 5%{?dist}%{?extra_release}
|
||||
Release: 5.1%{?dist}%{?extra_release}
|
||||
%global verrel %{version}-%{release}
|
||||
|
||||
Summary: Desktop tool for managing virtual machines via libvirt
|
||||
@ -32,6 +32,20 @@ Patch6: virt-manager-cli-s390x-graphics-specified-use-video-virtio-bz-1654994.pa
|
||||
Patch7: virt-manager-diskbackend-Fix-backtrace-cloning-with-block-storage-bz-1661986.patch
|
||||
Patch8: virt-manager-inspection-fix-check-of-null-icon.patch
|
||||
Patch9: virt-manager-urldetect-Check-also-for-treeinfo-bz-1689252.patch
|
||||
Patch10: virt-manager-cli-Fix-pool-default-when-path-belongs-to-another-pool-bz-1692489.patch
|
||||
Patch11: virt-manager-tests-clitest-Add-a-test-case-for-the-last-commit.patch
|
||||
Patch12: virt-manager-domcapabilities-introduce-get_cpu_security_features.patch
|
||||
Patch13: virt-manager-domain-cpu-introduce-set_model-function.patch
|
||||
Patch14: virt-manager-domain-cpu-automatically-add-CPU-security-features-for-custom-mode.patch
|
||||
Patch15: virt-manager-domcapabilities-remove-recommended-CPU-features-from-security-features.patch
|
||||
Patch16: virt-manager-domcapabilities-fix-typo-in-function-name.patch
|
||||
Patch17: virt-manager-cli-introduce-CPU-secure-parameter.patch
|
||||
Patch18: virt-manager-domcapabilities-add-caching-of-CPU-security-features.patch
|
||||
Patch19: virt-manager-virt-manager-add-new-checkbox-to-control-CPU-security-features.patch
|
||||
Patch20: virt-manager-DomainCpu-fix-detection-of-CPU-security-features.patch
|
||||
Patch21: virt-manager-DomainCpu-check-CPU-model-name-only-if-model-exists.patch
|
||||
Patch22: virt-manager-domcapabilities-detect-MDS-new-vulnerability.patch
|
||||
Patch23: virt-manager-cli-fix-cpu-secure-option-to-actually-work.patch
|
||||
|
||||
|
||||
Requires: virt-manager-common = %{verrel}
|
||||
@ -217,6 +231,22 @@ done
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jun 3 2019 Pavel Hrdina <phrdina@redhat.com> - 2.0.0-5.1.el8
|
||||
- cli: Fix pool=default when path belongs to another pool (bz 1692489) (rhbz#1714752)
|
||||
- tests: clitest: Add a test case for the last commit (rhbz#1714752)
|
||||
- domcapabilities: introduce get_cpu_security_features (rhbz#1716402)
|
||||
- domain: cpu: introduce set_model function (rhbz#1716402)
|
||||
- domain: cpu: automatically add CPU security features for "custom" mode (rhbz#1716402)
|
||||
- domcapabilities: remove recommended CPU features from security features (rhbz#1716402)
|
||||
- domcapabilities: fix typo in function name (rhbz#1716402)
|
||||
- cli: introduce CPU secure parameter (rhbz#1716402)
|
||||
- domcapabilities: add caching of CPU security features (rhbz#1716402)
|
||||
- virt-manager: add new checkbox to control CPU security features (rhbz#1716402)
|
||||
- DomainCpu: fix detection of CPU security features (rhbz#1716402)
|
||||
- DomainCpu: check CPU model name only if model exists (rhbz#1716402)
|
||||
- domcapabilities: detect MDS new vulnerability (rhbz#1716402)
|
||||
- cli: fix cpu secure option to actually work (rhbz#1716402)
|
||||
|
||||
* Thu Mar 21 2019 Pavel Hrdina <phrdina@redhat.com> - 2.0.0-5
|
||||
- urldetect: Check also for 'treeinfo' (bz 1689252) (rhbz#1689252)
|
||||
|
||||
|