Bug 1672188
| Field | Value |
|---|---|
| Summary | AMD SEV: Add new managed file /dev/sev for svirt_t |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Erik Skultety <eskultet> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | high |
| Version | 8.0 |
| CC | eskultet, lvrabec, mmalik, mthacker, plautrba, ssekidde, zpytela |
| Target Milestone | rc |
| Target Release | 8.0 |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2019-06-14 01:12:50 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1654309, 1665400, 1671791 |
Description
Erik Skultety
2019-02-04 08:14:56 UTC
> Steps to Reproduce:
> 1. remove cached libvirt capabilities
>
>     # rm -f /var/cache/libvirt/qemu/capabilities/*
>
> 2. restart libvirtd
>
>     # systemctl restart libvirtd
>
> 3. check domain capabilities
>
>     # virsh domcapabilities
>     ...
>     <features>
>     ...
>     <sev supported='no'/>
>     ...
>     </features>
>     ...

Please ignore ^these steps which are wrong and were caused by some left-over settings on the testing machine, follow these steps instead:

Prerequisite: whatever version of libvirt that fixed https://bugzilla.redhat.com/show_bug.cgi?id=1665400

1) enable the SEV feature in a VM XML:

//Set memory hard_limit setting, 256MiB and more of what the currentMemory value says should do

```xml
...
<memory unit='KiB'>4194304</memory>
<currentMemory unit='KiB'>4194304</currentMemory>
<memtune>
  <hard_limit unit='KiB'>4456448</hard_limit>
</memtune>
...
```

//All virtio devices need to add a <driver iommu='on'/> element

```xml
...
<devices>
  ...
  <controller type='virtio-serial' index='0'>
    <driver iommu='on'/>
  </controller>
  ...
  <controller type='scsi' index='0' model='virtio-scsi'>
    <driver iommu='on'/>
  </controller>
  ...
  <memballoon model='virtio'>
    <driver iommu='on'/>
  </memballoon>
  ...
  <rng model='virtio'>
    ...
    <driver iommu='on'/>
  </rng>
  ...
</devices>
```

//Add the launchSecurity element to enable SEV

```xml
...
</devices>
<launchSecurity type='sev'>
  <cbitpos>47</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
  <policy>0x0001</policy>
</launchSecurity>
...
```

2) upon successful edit of the XML, start the VM:

```
# virsh start <my_domain>
error: Failed to start domain <my_domain>
error: internal error: process exited while connecting to monitor: 2019-02-04T14:17:55.700481Z qemu-kvm: sev_guest_init: Failed to open /dev/sev 'Permission denied'
2019-02-04T14:17:55.701107Z qemu-kvm: failed to initialize KVM: Operation not permitted
```

Actual results:
QEMU fails to start a SEV VM because it fails to open /dev/sev device.

Expected results:
QEMU can start a SEV VM successfully.
Additional info:
The current SELinux context of /dev/sev is as follows: system_u:object_r:device_t:s0; qemu-kvm, which runs as svirt_t, is denied access to device_t:

```
type=AVC msg=audit(1549289875.700:1137): avc: denied { read write } for pid=92694 comm="qemu-kvm" name="sev" dev="tmpfs" ino=455238 scontext=system_u:system_r:svirt_t:s0:c691,c888 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
```
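The AVC record above is the whole diagnosis: the target is the generic `device_t` label, which is what a device node gets when no file-context entry in the loaded policy matches it, so the right fix is a dedicated type for /dev/sev plus an allow rule for svirt_t on that type, not a rule on `device_t`. The triage helper below is an added example, not code from the bug or from selinux-policy; the audit lines it parses are constructed (the second, against `kvm_device_t`, is a control case) and the classification heuristic is mine.

```python
import re

# Constructed sample audit lines (not from a real system): the first has the shape of the
# /dev/sev denial in the report, the second targets a node that already has a dedicated type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549289875.700:1137): avc:  denied  { read write } for  pid=92694 comm="qemu-kvm" name="sev" dev="tmpfs" ino=455238 scontext=system_u:system_r:svirt_t:s0:c691,c888 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1549289876.100:1138): avc:  denied  { write } for  pid=92700 comm="qemu-kvm" name="kvm" dev="devtmpfs" ino=120 scontext=system_u:system_r:svirt_t:s0:c691,c888 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1549289875.700:1137): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Fallback label a device node carries when no file-context entry in the loaded policy matches it.
GENERIC_DEVICE_TYPES = {"device_t"}

def parse_avc(line):
    """Fields of one AVC denial record, or None for other audit record types."""
    m = AVC_RE.search(line)
    return dict(m.groupdict(), perms=m.group("perms").split()) if m else None

def context_type(ctx):
    """Type field of an SELinux context string (user:role:type[:range])."""
    return ctx.split(":")[2]

def triage(rec):
    """A generic device label means the node is unlabelled by policy: the fix is a dedicated
    type plus an allow rule on that type, never an allow rule on device_t itself."""
    stype, ttype = context_type(rec["scontext"]), context_type(rec["tcontext"])
    if rec["tclass"] in ("chr_file", "blk_file") and ttype in GENERIC_DEVICE_TYPES:
        return "unlabelled-device", (f"node '{rec['name']}' is labelled {ttype}: add a file-context "
                                     f"entry with a dedicated type and allow {stype} on that type")
    return "policy-denied", (f"{ttype} is a dedicated type: the denial is policy intent, review "
                             f"the rule or boolean before granting {stype} {' '.join(rec['perms'])}")

def triage_log(text):
    """Triage every AVC denial in an audit log excerpt as (name, verdict, advice) tuples."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            verdict, advice = triage(rec)
            out.append((rec["name"], verdict, advice))
    return out

if __name__ == "__main__":
    for name, verdict, advice in triage_log(SAMPLE_AUDIT_LOG):
        print(f"{name}: {verdict}: {advice}")
```

On a live host the same function can be fed `ausearch -m AVC -ts recent` output; the `permissive=0` field shows the denial was enforced, as it was here.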