Bug 1953389
| Summary: | libvirt qemu capabilities cache not invalidated after TSX enable/disable. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Germano Veit Michel <gveitmic> |
| Component: | libvirt | Assignee: | Tim Wiederhake <twiederh> |
| Status: | CLOSED ERRATA | QA Contact: | Luyao Huang <lhuang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.0 | CC: | jdenemar, jsuchane, kchamart, klaas, lhuang, lmen, mkalinin, virt-maint, xuzhang |
| Target Milestone: | pre-dev-freeze | Keywords: | AutomationTriaged, Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-10 13:18:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 7.10.0 |
| Embargoed: | |||
Bulk update - Move RHEL-AV bugs to RHEL merged upstream: https://gitlab.com/libvirt/libvirt/-/commit/3bc6f46d305ed82f7314ffc4c2a66847b831a6bd Verify this bug with libvirt-daemon-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64:
1. prepare a Cascadelake system
2. Check if TSX is disabled
# cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: TSX disabled
3. virsh domcapabilities output, hle and rtm have been disabled
# virsh domcapabilities
<mode name='host-model' supported='yes'>
<model fallback='forbid'>Cascadelake-Server</model>
<vendor>Intel</vendor>
<feature policy='require' name='ss'/>
<feature policy='require' name='vmx'/>
<feature policy='require' name='pdcm'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='umip'/>
<feature policy='require' name='pku'/>
<feature policy='require' name='md-clear'/>
<feature policy='require' name='stibp'/>
<feature policy='require' name='arch-capabilities'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='ibpb'/>
<feature policy='require' name='ibrs'/>
<feature policy='require' name='amd-stibp'/>
<feature policy='require' name='amd-ssbd'/>
<feature policy='require' name='rdctl-no'/>
<feature policy='require' name='ibrs-all'/>
<feature policy='require' name='skip-l1dfl-vmentry'/>
<feature policy='require' name='mds-no'/>
<feature policy='require' name='pschange-mc-no'/>
<feature policy='require' name='tsx-ctrl'/>
<feature policy='disable' name='hle'/>
<feature policy='disable' name='rtm'/>
</mode>
4. add tsx=on in kernel commandline and reboot
# cat /boot/grub2/grubenv
... console=ttyS0,115200 tsx=on
# reboot
5. recheck virsh domcapabilities output, hle and rtm have been enabled(notice that hle and rtm is part of Cascadelake-Server model's features)
# virsh domcapabilities
<mode name='host-model' supported='yes'>
<model fallback='forbid'>Cascadelake-Server</model>
<vendor>Intel</vendor>
<feature policy='require' name='ss'/>
<feature policy='require' name='vmx'/>
<feature policy='require' name='pdcm'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='umip'/>
<feature policy='require' name='pku'/>
<feature policy='require' name='md-clear'/>
<feature policy='require' name='stibp'/>
<feature policy='require' name='arch-capabilities'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='ibpb'/>
<feature policy='require' name='ibrs'/>
<feature policy='require' name='amd-stibp'/>
<feature policy='require' name='amd-ssbd'/>
<feature policy='require' name='rdctl-no'/>
<feature policy='require' name='ibrs-all'/>
<feature policy='require' name='skip-l1dfl-vmentry'/>
<feature policy='require' name='mds-no'/>
<feature policy='require' name='pschange-mc-no'/>
<feature policy='require' name='tsx-ctrl'/>
</mode>
6. check libvirtd debug log and can find debug log like this:
2021-12-07 09:09:27.842+0000: 953: debug : virQEMUCapsIsValid:4950 : Outdated capabilities for '/usr/libexec/qemu-kvm': host cpuid changed
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:1759 |
Description of problem: virsh domcapabilities does not change after reboot when enabling/disabling tsx on the kernel command line, is re-using cache from previous tsx state. Version-Release number of selected component (if applicable): libvirt-daemon-6.6.0-13.2.module+el8.3.1+10483+85317cf0.x86_64 qemu-kvm-5.1.0-21.module+el8.3.1+10464+8ad18d1a.x86_64 kernel-4.18.0-240.22.1.el8_3.x86_64 How reproducible: Always Steps to Reproduce: 1. Install 8.3.1 AV 2. Check if TSX is disabled $ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort Mitigation: TSX disabled 3. virsh domcapabilities, note down if rtm/hle is disabled <feature policy='disable' name='hle'/> <feature policy='disable' name='rtm'/> 4. Enable tsx and reboot $ grubby --update-kernel=ALL --args="tsx=on" 5. virsh domcapabilities, still disabled <feature policy='disable' name='hle'/> <feature policy='disable' name='rtm'/> 6. Delete cache and restart libvirtd $ rm /var/cache/libvirt/qemu/capabilities/*.xml $ systemctl restart libvirtd 7. virsh domcapabilities now shows TSX <feature policy='require' name='hle'/> <feature policy='require' name='rtm'/> NOTE: the bug works both ways, from enable to disable and from disable to enable. Actual results: - domcapabilities reporting outdated info Expected results: - domcapabilities to report current info