Bug 1732642

Summary: enable the virtio-net frontend to work with the vhost-net backend in SEV guests
Product: Red Hat Enterprise Linux 8 Reporter: Laszlo Ersek <lersek>
Component: qemu-kvm Assignee: Laszlo Ersek <lersek>
Status: CLOSED ERRATA QA Contact: Quan Wenli <wquan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1 CC: areis, chayang, ddepaula, jinzhao, juzhang, knoel, pezhang, rbalakri, virt-maint, zhguo
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-2.12.0-83.module+el8.1.0+3852+0ba8aef0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 20:51:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Laszlo Ersek 2019-07-24 00:22:37 UTC
* Description of problem:
In order to use virtio-net-pci in SEV guests, vhost-net has to be
disabled, and the QEMU-internal device model has to be forced.

* Version-Release number of selected component (if applicable):
2.12.0-81.module+el8.1.0+3619+dfe1ae01

* How reproducible:
always

* Steps to Reproduce:

1. define a SEV domain; refer to e.g.
   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c49 [QEMU cmd]

2. enable vhost:

    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01'
       function='0x4'/>
    </controller>

    <interface type='network'>
      <mac address='52:54:00:e9:f0:cf'/>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
                    ^^^^^
      <rom enabled='no'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00'
       function='0x0'/>
    </interface>

   (equivalently, on the QEMU command line, set the "vhost=on" property
   for "-netdev tap")

3. boot OVMF

4. enter the UEFI setup TUI by pressing ESC

5. launch the UEFI shell by booting UefiShell.iso explicitly from the
   boot manager submenu

6. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l           /* repeat until you get an IP address */
   ping 8.8.8.8

* Actual results:
Step 4 hangs.

* Expected results:
Step 6 is reached and it succeeds.

* Additional info:

- The issue can be worked around by setting

      <driver name='qemu' iommu='on'/>
                    ^^^^

in the domain XML, or (equivalently) by setting "vhost=off" for "-netdev
tap".

(The default is vhost=on, from simply omitting the "name" attribute:

      <driver iommu='on'/>
)

- The fix is to backport
<https://github.com/qemu/qemu/commit/d542800d1edc62f63f8a29cfa6bdd1a9536ae11c>,
which I have already built & tested (Brew taskid=22757028). It's a
simple cherry-pick.

- The backport has been identified (and the original patch was written)
by Brijesh Singh @ AMD.

- The upstream patch was backported to v2.12.1 stable (2f2b18923502),
but we still lack it downstream. The original upstream commit is part
of v3.0.0 (hence no RHEL-AV backport should be necessary).
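
Added example (not part of the original report, and not Red Hat or QEMU code): an audit of a libvirt domain XML that reports, for each virtio NIC, the effective backend under the defaulting rule described above and whether the vhost=off workaround still applies to an SEV guest on a qemu-kvm build without the backport. The sample XML is constructed, the function and field names are hypothetical, and SEV is detected through libvirt's <launchSecurity type='sev'> element, which does not appear on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bug report): an SEV domain with three
# virtio NICs, one for each <driver> spelling discussed in the description.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <launchSecurity type='sev'><cbitpos>47</cbitpos></launchSecurity>
  <devices>
    <interface type='network'><mac address='52:54:00:00:00:01'/>
      <model type='virtio'/><driver name='vhost' iommu='on'/></interface>
    <interface type='network'><mac address='52:54:00:00:00:02'/>
      <model type='virtio'/><driver iommu='on'/></interface>
    <interface type='network'><mac address='52:54:00:00:00:03'/>
      <model type='virtio'/><driver name='qemu' iommu='on'/></interface>
  </devices>
</domain>"""


def audit_sev_nics(domain_xml):
    """Return one dict per virtio NIC with its effective backend and whether
    the name='qemu' workaround is needed on a build lacking the backport."""
    root = ET.fromstring(domain_xml)
    launch = root.find("launchSecurity")
    is_sev = launch is not None and launch.get("type") == "sev"
    findings = []
    for nic in root.iterfind("./devices/interface"):
        model = nic.find("model")
        if model is None or model.get("type") != "virtio":
            continue  # only the virtio-net frontend is affected
        driver = nic.find("driver")
        mac = nic.find("mac")
        name = driver.get("name") if driver is not None else None
        # Per the report: omitting the "name" attribute means vhost=on.
        backend = name or "vhost"
        findings.append({
            "mac": mac.get("address") if mac is not None else None,
            "backend": backend,
            "explicit": name is not None,
            "iommu": driver is not None and driver.get("iommu") == "on",
            "needs_workaround": is_sev and backend == "vhost",
        })
    return findings


if __name__ == "__main__":
    for f in audit_sev_nics(SAMPLE_DOMAIN):
        print(f)
```

A NIC flagged with needs_workaround only matters on qemu-kvm builds older than the "Fixed In Version" listed in this bug.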

Comment 16 Quan Wenli 2019-08-20 09:25:54 UTC
Reproduced it with qemu-kvm-2.12.0-82.module+el8.1.0+3738+0d8c0249

steps:
1. using sev domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
2. check the qemu command line like:
-netdev tap,fd=31,id=hostnet0,vhost=on,vhostfd=32 
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on


Verified with qemu-kvm-2.12.0-83.module+el8.1.0+3852+0ba8aef0
steps:
1. using sev domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
2. check the qemu command line, there is no vhostfd passed.
-netdev tap,fd=31,id=hostnet0 
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on 

3. boot sev guest like:
/usr/libexec/qemu-kvm \
        -name guest=rhel8 \
        -drive if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/sev/OVMF_CODE.secboot.fd,readonly \
        -drive if=pflash,format=raw,unit=1,file=/usr/share/edk2/ovmf/sev/OVMF_VARS.fd \
        -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
        -serial unix:/tmp/console,server,nowait \
        -machine pc-q35-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off,memory-encryption=sev0 \
        -cpu EPYC-IBPB \
        -m 8192 \
        -realtime mlock=off \
        -smp 2,sockets=1,cores=1,threads=2 \
        -uuid 33d3c713-b645-4e93-95d0-25a7952571ac \
        -no-user-config \
        -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
        -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
        -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
        -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
        -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 \
        -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 \
        -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 \
        -device pcie-root-port,port=0x17,chassis=8,id=pci.8,bus=pcie.0,addr=0x2.0x7 \
        -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.3,addr=0x0 \
        -device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x0,disable-legacy=on,iommu_platform=true \
        -device virtio-serial-pci,id=virtio-serial0,bus=pci.4,addr=0x0,disable-legacy=on,iommu_platform=true \
        -drive file=/home/vm-images/ovmf.rhel8.sev.q35.img,format=qcow2,if=none,id=drive-scsi0-0-0-0,werror=enospc,cache=writeback,discard=unmap \
        -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1,write-cache=on \
        -drive file=/home/kvm_autotest_root/iso/linux/RHEL-8.1.0-20190806.2-x86_64-dvd1.iso,format=raw,if=none,id=drive-scsi0-0-0-1,readonly=on,cache=writeback \
        -device scsi-cd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,share-rw=on,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,bootindex=2,write-cache=on \
        -netdev tap,id=hostnet0,vhost=on \
        -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:97:13:cd,bus=pci.1,addr=0x0,disable-legacy=on,iommu_platform=true,romfile='' \
        -device virtserialport,bus=virtio-serial0.0,name=org.qemu.guest_agent.0 \
        -device usb-tablet,id=input0,bus=usb.0,port=1 \
        -vnc 0.0.0.0:0 \
        -device qxl-vga,max_outputs=1,bus=pcie.0,addr=0x1 \
        -device virtio-tablet-pci,disable-legacy=on,iommu_platform=true,bus=pci.6 \
        -device virtio-balloon-pci,disable-legacy=on,iommu_platform=true,bus=pci.7 \
        -device virtio-rng-pci,disable-legacy=on,iommu_platform=true,bus=pci.8 \
        -monitor stdio \
        -boot menu=on,splash-time=20000,strict=on \
        -drive id=drive_cd1,if=none,snapshot=off,cache=none,media=cdrom,file=/usr/share/edk2/ovmf/UefiShell.iso \
        -device scsi-cd,id=cd1,drive=drive_cd1
4. boot OVMF
5. enter the UEFI setup TUI by pressing ESC
6. launch the UEFI shell by booting UefiShell.iso explicitly from the
   boot manager submenu
7. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l           /* repeat until you get an IP address */
   ping 10.73.8.2        /* network reached and it succeeds. */


Based on the above, set it to verified.

Comment 18 errata-xmlrpc 2019-11-05 20:51:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3345