Bug 1671791
| Summary: | Libvirt reports SEV feature as unsupported even though the platform provides the feature | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | Erik Skultety <eskultet> |
| Component: | libvirt | Assignee: | Erik Skultety <eskultet> |
| Status: | CLOSED ERRATA | QA Contact: | Luyao Huang <lhuang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.0 | CC: | jdenemar, rbalakri, xuzhang |
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-5.0.0-2.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1665400 | Environment: | |
| Last Closed: | 2019-05-29 16:05:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1665400, 1665469, 1672188 | ||
| Bug Blocks: | 1501607, 1654309 | ||
Description
Erik Skultety
2019-02-01 16:39:05 UTC
Test with upstream libvirt build on RHEL8:
1. libvirt can probe the SEV supported status without changing the /dev/sev file permissions:
# virsh domcapabilities
<sev supported='yes'>
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
# ll -Z /dev/sev
crw-------. 1 root root system_u:object_r:device_t:s0 10, 58 Feb 1 03:13 /dev/sev
2. still requires the user to manually change the /dev/sev SELinux label before starting the guest:
# virsh start ovmf.rhel7.sev.q35
error: Failed to start domain ovmf.rhel7.sev.q35
error: internal error: process exited while connecting to monitor: 2019-02-02T07:28:18.990508Z qemu-kvm: sev_guest_init: Failed to open /dev/sev 'Permission denied'
2019-02-02T07:28:18.993993Z qemu-kvm: failed to initialize KVM: Operation not permitted
AVC error:
type=AVC msg=audit(1549079965.416:866): avc: denied { read write } for pid=39969 comm="qemu-kvm" name="sev" dev="tmpfs" ino=302314 scontext=system_u:system_r:svirt_t:s0:c227,c466 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
3. /dev/sev DAC label only changed in the guest namespace:
# nsenter --target 46747 -m ls -lZ /dev/sev
crw-------. 1 qemu qemu system_u:object_r:device_t:s0 10, 58 Feb 2 02:32 /dev/sev
# ll -Z /dev/sev
crw-------. 1 root root system_u:object_r:device_t:s0 10, 58 Feb 1 03:13 /dev/sev
4. libvirt won't relabel /dev/sev if libvirt is forbidden to run qemu in a mount namespace (set namespaces = [ ] in qemu.conf)
(In reply to Luyao Huang from comment #4)
> Test with upstream libvirt build on RHEL8:
>
> 1. libvirt can probe the SEV supported status without changing the /dev/sev file permissions:
>
> # virsh domcapabilities
> <sev supported='yes'>
> <cbitpos>47</cbitpos>
> <reducedPhysBits>1</reducedPhysBits>
> </sev>
>
> # ll -Z /dev/sev
> crw-------. 1 root root system_u:object_r:device_t:s0 10, 58 Feb 1 03:13 /dev/sev
>
> 2. still requires the user to manually change the /dev/sev SELinux label before starting the guest:
>
> # virsh start ovmf.rhel7.sev.q35
> error: Failed to start domain ovmf.rhel7.sev.q35
> error: internal error: process exited while connecting to monitor: 2019-02-02T07:28:18.990508Z qemu-kvm: sev_guest_init: Failed to open /dev/sev 'Permission denied'
> 2019-02-02T07:28:18.993993Z qemu-kvm: failed to initialize KVM: Operation not permitted
>
> AVC error:
>
> type=AVC msg=audit(1549079965.416:866): avc: denied { read write } for pid=39969 comm="qemu-kvm" name="sev" dev="tmpfs" ino=302314 scontext=system_u:system_r:svirt_t:s0:c227,c466 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0

This is not libvirt's fault, I'm planning on filing a BZ on selinux-policy to add a rule for /dev/sev, so that svirt_t can access it

> 3. /dev/sev DAC label only changed in the guest namespace:
>
> # nsenter --target 46747 -m ls -lZ /dev/sev
> crw-------. 1 qemu qemu system_u:object_r:device_t:s0 10, 58 Feb 2 02:32 /dev/sev
>
> # ll -Z /dev/sev
> crw-------. 1 root root system_u:object_r:device_t:s0 10, 58 Feb 1 03:13 /dev/sev
>
> 4. libvirt won't relabel /dev/sev if libvirt is forbidden to run qemu in a mount namespace (set namespaces = [ ] in qemu.conf)

^This is by design, we don't want to expose /dev/sev to all qemu processes, only to those that need SEV and since libvirt runs QEMU in a namespace by default, I explicitly forbade relabeling without namespaces, leaving the decision to the platform admin.
(In reply to Erik Skultety from comment #5)
> (In reply to Luyao Huang from comment #4)
> > Test with upstream libvirt build on RHEL8:
> >
>
> This is not libvirt's fault, I'm planning on filing a BZ on selinux-policy to add a rule for /dev/sev, so that svirt_t can access it
>
> > 3. /dev/sev DAC label only changed in the guest namespace:
> >
> > # nsenter --target 46747 -m ls -lZ /dev/sev
> > crw-------. 1 qemu qemu system_u:object_r:device_t:s0 10, 58 Feb 2 02:32 /dev/sev
> >
> > # ll -Z /dev/sev
> > crw-------. 1 root root system_u:object_r:device_t:s0 10, 58 Feb 1 03:13 /dev/sev
> >
> > 4. libvirt won't relabel /dev/sev if libvirt is forbidden to run qemu in a mount namespace (set namespaces = [ ] in qemu.conf)
>
> ^This is by design, we don't want to expose /dev/sev to all qemu processes, only to those that need SEV and since libvirt runs QEMU in a namespace by default, I explicitly forbade relabeling without namespaces, leaving the decision to the platform admin.

I see, thanks a lot for your clear explanation!

Verify this bug with libvirt-5.0.0-2.module+el8+2779+3106feb7.x86_64:
1. check /dev/sev device permission:
# ll -Z /dev/sev
crw-------. 1 root root system_u:object_r:sev_device_t:s0 10, 58 Feb 9 13:14 /dev/sev
2. install libvirt and check domcapabilities output:
# virsh domcapabilities
<sev supported='yes'>
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
3. start a guest with sev launchSecurity:
# virsh dumpxml sev-q35
<launchSecurity type='sev'>
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
<policy>0x0001</policy>
</launchSecurity>
# virsh start sev-q35
Domain sev-q35 started
4. check /dev/sev device label:
# ll -Z /dev/sev
crw-------. 1 root root system_u:object_r:sev_device_t:s0 10, 58 Feb 9 13:14 /dev/sev
5. set namespaces = [ ] in qemu.conf to disable the guest mount namespace
6. restart libvirtd and start sev guest:
# virsh start sev-q35
error: Failed to start domain sev-q35
error: internal error: process exited while connecting to monitor: 2019-02-11T03:17:25.192428Z qemu-kvm: sev_guest_init: Failed to open /dev/sev 'Permission denied'
2019-02-11T03:17:25.196308Z qemu-kvm: failed to initialize KVM: Operation not permitted
7. check /dev/sev device label:
# ll -Z /dev/sev
crw-------. 1 root root system_u:object_r:sev_device_t:s0 10, 58 Feb 9 13:14 /dev/sev
8. check domcapabilities output as a non-root user:
$ virsh domcapabilities
<sev supported='no'/>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1293
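The checks the thread performs by hand (reading the SEV values from `virsh domcapabilities`, comparing them with a domain's `<launchSecurity type='sev'>`, and recognising the AVC denial against /dev/sev) can be automated for host readiness triage. The following is an added example, not code from libvirt or from this bug report; the sample inputs are excerpts constructed from the output quoted above, and the expected label `sev_device_t` is taken from the verified build's `ls -Z` output.

```python
import re
import xml.etree.ElementTree as ET

# Sample inputs constructed from the output quoted in this bug (excerpts, not full documents).
DOMCAPS_SEV_OK = ("<sev supported='yes'><cbitpos>47</cbitpos>"
                  "<reducedPhysBits>1</reducedPhysBits></sev>")
DOMCAPS_SEV_NO = "<sev supported='no'/>"
DOMAIN_LAUNCH_SEC = ("<launchSecurity type='sev'><cbitpos>47</cbitpos>"
                     "<reducedPhysBits>1</reducedPhysBits><policy>0x0001</policy></launchSecurity>")
AVC_SEV_DENIAL = ('type=AVC msg=audit(1549079965.416:866): avc: denied { read write } for pid=39969 '
                  'comm="qemu-kvm" name="sev" dev="tmpfs" ino=302314 '
                  'scontext=system_u:system_r:svirt_t:s0:c227,c466 '
                  'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0')
EXPECTED_SEV_LABEL = "sev_device_t"  # SELinux type seen on /dev/sev with the fixed policy

def parse_sev_caps(xml_text):
    """Read the <sev> element of `virsh domcapabilities` (or a full document containing it)."""
    root = ET.fromstring(xml_text)
    sev = root if root.tag == "sev" else root.find(".//sev")
    if sev is None or sev.get("supported") != "yes":
        return {"supported": False, "cbitpos": None, "reducedPhysBits": None}
    return {"supported": True, "cbitpos": int(sev.findtext("cbitpos")),
            "reducedPhysBits": int(sev.findtext("reducedPhysBits"))}

def check_launch_security(domain_xml, caps):
    """Return the reasons a domain's <launchSecurity type='sev'> is inconsistent with the
    host caps; an empty list means the SEV values match."""
    root = ET.fromstring(domain_xml)
    ls = root if root.tag == "launchSecurity" else root.find(".//launchSecurity")
    if ls is None or ls.get("type") != "sev":
        return []  # nothing SEV-specific to check
    if not caps["supported"]:
        return ["host reports <sev supported='no'/> (e.g. probed as a non-root user)"]
    problems = []
    for tag in ("cbitpos", "reducedPhysBits"):
        if int(ls.findtext(tag)) != caps[tag]:
            problems.append(f"{tag}={ls.findtext(tag)} differs from host value {caps[tag]}")
    return problems

def classify_sev_avc(line):
    """Detect an AVC denial of the /dev/sev chr_file against a confined QEMU process and
    flag whether the device still carries the wrong type. Returns None for other lines."""
    if "avc: denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if fields.get("name") != "sev" or fields.get("tclass") != "chr_file":
        return None
    target_type = fields["tcontext"].split(":")[2]
    perms = re.search(r"denied\s+\{([^}]*)\}", line).group(1).split()
    return {"comm": fields.get("comm"), "perms": perms,
            "source_type": fields["scontext"].split(":")[2], "target_type": target_type,
            "mislabelled": target_type != EXPECTED_SEV_LABEL}
```

On a live host, feed `parse_sev_caps` the full `virsh domcapabilities` document and `classify_sev_avc` each line of `ausearch -m AVC` output; a `mislabelled` hit with `source_type` `svirt_t` is the pre-fix state described in comment #4.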