Bug 1953389

Summary:	libvirt qemu capabilities cache not invalidated after TSX enable/disable.
Product:	Red Hat Enterprise Linux 8	Reporter:	Germano Veit Michel <gveitmic>
Component:	libvirt	Assignee:	Tim Wiederhake <twiederh>
Status:	CLOSED ERRATA	QA Contact:	Luyao Huang <lhuang>
Severity:	high	Docs Contact:
Priority:	high
Version:	8.0	CC:	jdenemar, jsuchane, kchamart, klaas, lhuang, lmen, mkalinin, virt-maint, xuzhang
Target Milestone:	pre-dev-freeze	Keywords:	AutomationTriaged, Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-05-10 13:18:42 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:	7.10.0
Embargoed:

Description Germano Veit Michel 2021-04-26 00:33:03 UTC

Description of problem:

virsh domcapabilities does not change after reboot when enabling/disabling tsx on the kernel command line, is re-using cache from previous tsx state.

Version-Release number of selected component (if applicable):
libvirt-daemon-6.6.0-13.2.module+el8.3.1+10483+85317cf0.x86_64
qemu-kvm-5.1.0-21.module+el8.3.1+10464+8ad18d1a.x86_64
kernel-4.18.0-240.22.1.el8_3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install 8.3.1 AV

2. Check if TSX is disabled 
   $ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
   Mitigation: TSX disabled

3. virsh domcapabilities, note down if rtm/hle is disabled
      <feature policy='disable' name='hle'/>
      <feature policy='disable' name='rtm'/>
4. Enable tsx and reboot
   $ grubby --update-kernel=ALL --args="tsx=on"

5. virsh domcapabilities, still disabled
      <feature policy='disable' name='hle'/>
      <feature policy='disable' name='rtm'/>

6. Delete cache and restart libvirtd
   $ rm /var/cache/libvirt/qemu/capabilities/*.xml
   $ systemctl restart libvirtd

7. virsh domcapabilities now shows TSX
      <feature policy='require' name='hle'/>
      <feature policy='require' name='rtm'/>

NOTE: the bug works both ways, from enable to disable and from disable to enable.

Actual results:
- domcapabilities reporting outdated info

Expected results:
- domcapabilities to report current info

Comment 4 John Ferlan 2021-09-08 13:19:35 UTC

Bulk update - Move RHEL-AV bugs to RHEL

Comment 5 Tim Wiederhake 2021-11-08 08:27:13 UTC

merged upstream:
https://gitlab.com/libvirt/libvirt/-/commit/3bc6f46d305ed82f7314ffc4c2a66847b831a6bd

Comment 9 Luyao Huang 2021-12-07 09:20:08 UTC

Verify this bug with libvirt-daemon-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64:

1. prepare a Cascadelake system

2. Check if TSX is disabled
# cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: TSX disabled

3. virsh domcapabilities output, hle and rtm have been disabled
# virsh domcapabilities
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>Cascadelake-Server</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='ss'/>
      <feature policy='require' name='vmx'/>
      <feature policy='require' name='pdcm'/>
      <feature policy='require' name='hypervisor'/>
      <feature policy='require' name='tsc_adjust'/>
      <feature policy='require' name='umip'/>
      <feature policy='require' name='pku'/>
      <feature policy='require' name='md-clear'/>
      <feature policy='require' name='stibp'/>
      <feature policy='require' name='arch-capabilities'/>
      <feature policy='require' name='xsaves'/>
      <feature policy='require' name='ibpb'/>
      <feature policy='require' name='ibrs'/>
      <feature policy='require' name='amd-stibp'/>
      <feature policy='require' name='amd-ssbd'/>
      <feature policy='require' name='rdctl-no'/>
      <feature policy='require' name='ibrs-all'/>
      <feature policy='require' name='skip-l1dfl-vmentry'/>
      <feature policy='require' name='mds-no'/>
      <feature policy='require' name='pschange-mc-no'/>
      <feature policy='require' name='tsx-ctrl'/>
      <feature policy='disable' name='hle'/>
      <feature policy='disable' name='rtm'/>
    </mode>

4. add tsx=on in kernel commandline and reboot

# cat /boot/grub2/grubenv 
... console=ttyS0,115200 tsx=on

# reboot

5. recheck virsh domcapabilities output, hle and rtm have been enabled(notice that hle and rtm is part of Cascadelake-Server model's features)
# virsh domcapabilities
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>Cascadelake-Server</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='ss'/>
      <feature policy='require' name='vmx'/>
      <feature policy='require' name='pdcm'/>
      <feature policy='require' name='hypervisor'/>
      <feature policy='require' name='tsc_adjust'/>
      <feature policy='require' name='umip'/>
      <feature policy='require' name='pku'/>
      <feature policy='require' name='md-clear'/>
      <feature policy='require' name='stibp'/>
      <feature policy='require' name='arch-capabilities'/>
      <feature policy='require' name='xsaves'/>
      <feature policy='require' name='ibpb'/>
      <feature policy='require' name='ibrs'/>
      <feature policy='require' name='amd-stibp'/>
      <feature policy='require' name='amd-ssbd'/>
      <feature policy='require' name='rdctl-no'/>
      <feature policy='require' name='ibrs-all'/>
      <feature policy='require' name='skip-l1dfl-vmentry'/>
      <feature policy='require' name='mds-no'/>
      <feature policy='require' name='pschange-mc-no'/>
      <feature policy='require' name='tsx-ctrl'/>
    </mode>

6. check libvirtd debug log and can find debug log like this:
2021-12-07 09:09:27.842+0000: 953: debug : virQEMUCapsIsValid:4950 : Outdated capabilities for '/usr/libexec/qemu-kvm': host cpuid changed

Comment 11 errata-xmlrpc 2022-05-10 13:18:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759