Bug 1961032

Summary: Update libvirt to use qemu's new confidential-guest-support syntax
Product: Red Hat Enterprise Linux Advanced Virtualization
Reporter: David Gibson <dgibson>
Component: libvirt
Assignee: Pavel Hrdina <phrdina>
Status: CLOSED ERRATA
QA Contact: Luyao Huang <lhuang>
Severity: medium
Priority: unspecified
Version: ---
CC: abologna, dbarboza, dzheng, iranna.ankad, jdenemar, lmen, ngu, phrdina, qzhang, virt-maint, xuzhang, zixchen
Target Milestone: rc
Keywords: Triaged
Target Release: 8.5
Hardware: All
OS: Unspecified
Fixed In Version: libvirt-7.5.0-1.el8
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-11-16 07:53:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Target Upstream Version: 7.5.0

Description David Gibson 2021-05-17 05:29:58 UTC
Description of problem:

For qemu-6.0, qemu has introduced a new, more general way of configuring Confidential Computing systems like AMD SEV, Intel's TDX or POWER's PEF. libvirt continues to support SEV, but uses the older memory-encryption= option to do so.

How reproducible:

100%

Steps to Reproduce:
1. Create libvirt domain XML with AMD SEV enabled
2. Run a guest using the XML
3. Examine generated qemu command line

Actual results:

libvirt generates a command line with the memory-encryption= machine option to enable SEV support.

Expected results:

libvirt generates a command line using the confidential-guest-support= machine option on qemu versions which support it.

Comment 1 Pavel Hrdina 2021-06-15 09:44:35 UTC
Upstream commits:

a323c5e8b7 tests: add launch-security-sev test with latest capabilities
dbdc6d52ff tests: use newer machine in qemuxml2argv launch-security-sev
0b0a633d1a tests: add AMD SEV bits into qemu-6.0.0 replies
241969d465 qemu_command: use confidential-guest-support if available
b560d1c876 qemu_capabilities: detect if confidential-guest-support is available
af5828bc91 qemu_capabilities: introduce confidential-guest-support capability

Comment 2 zixchen 2021-07-09 10:43:50 UTC
Since it relates to SEV, SEV QE tested it from the SEV perspective; no issue found.

Version:
qemu-kvm-6.0.0-23.module+el8.5.0+11740+35571f13.x86_64
libvirt-7.5.0-1.module+el8.5.0+11664+59f87560.x86_64
kernel-4.18.0-320.el8.x86_64
 
Steps:
1. Install a SEV-ES guest without adding driver,iommu=on:
virt-install --name rhel85_sev --mac 52:56:00:00:00:0b \
  --location http://link*** \
  --cpu host-model --memory 4096 --memtune hard_limit=4718592 \
  --vcpus=4,sockets=1,cores=4,threads=1 \
  --boot loader=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd,loader_ro=yes,loader_type=pflash,nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd \
  --disk path=/home/rhel83_sev.qcow2,size=40,cache=none,bus=scsi,format=qcow2 \
  --controller type=scsi,model=virtio-scsi \
  --os-variant rhel8.3 --os-type=linux \
  --graphics spice,listen=0.0.0.0 --video virtio \
  --controller type=virtio-serial --rng type=/dev/random \
  --launchSecurity sev,policy=0x07 --debug \
  --network bridge:br1,model=virtio \
  --serial file,path=/mnt/tests/distribution/virt/install/guests/rhel83_sev/logs/rhel83_sev_console.log \
  --serial pty --console pty \
  --extra-args "ksdevice=eth0 ks=http://beaker.engineering.redhat.com/kickstart/8432459 serial console=tty0 console=ttyS0,115200 net.ifnames=0 biosdevname=0 swiotlb=262144" \
  --noreboot


Actual/Expected result:
1. Guest installed successfully and SEV enabled in the guest.
# journalctl | grep -i sev
Jul 08 22:17:10 localhost.localdomain kernel: AMD Memory Encryption Features active: SEV SEV-ES
2. Check the qemu command line; it includes -machine confidential-guest-support=sev0

Comment 5 Luyao Huang 2021-07-21 02:10:41 UTC
Verify this bug with libvirt-daemon-7.5.0-1.module+el8.5.0+11664+59f87560.x86_64:

1. enable sev and sev-es
# rmmod kvm_amd
# modprobe kvm_amd sev=1 sev-es=1

2. prepare a guest which has memtune, sev and ovmf settings:
# virsh dumpxml vm1

  <memtune>
    <hard_limit unit='KiB'>5242880</hard_limit>
  </memtune>
...
  <os>
    <type arch='x86_64' machine='pc-q35-rhel8.5.0'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.cc.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/vm1_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
...
  <launchSecurity type='sev'>
    <cbitpos>51</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0007</policy>
  </launchSecurity>

3. start guest
# virsh start vm1
Domain 'vm1' started

4. check the qemu command line and make sure libvirt uses confidential-guest-support:
# ps aux | grep qemu
...-machine pc-q35-rhel8.5.0,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=sev0...

5. login guest and check dmesg:

# dmesg | grep -in sev
191:[    0.001000] AMD Memory Encryption Features active: SEV SEV-ES

Comment 6 Luyao Huang 2021-10-12 09:12:35 UTC
In libvirt-daemon-7.6.0-4.module+el8.5.0+12786+c4633d9a.x86_64, the qemu command line has changed:

In step 4:

# ps aux | grep qemu
...-machine pc-q35-rhel8.5.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,confidential-guest-support=lsec0
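
The checks in comments 5 and 6 eyeball `ps` output for `confidential-guest-support=`. The script below is an added example, not code from this bug report, libvirt or qemu: it classifies a qemu command line as using the old `memory-encryption=` form, the new `confidential-guest-support=` form, or neither, and then confirms that the object id the machine option names (sev0 in comment 5, lsec0 in comment 6) is actually backed by a `sev-guest` object, in either the comma-separated or the JSON `-object` form. The function names are hypothetical, and the sample command lines are constructed from the fragments quoted in the comments, not copied from a real host.

```shell
#!/bin/sh
# Added example (not part of the bug report, libvirt or qemu).
# Classify how a qemu command line enables SEV and check that the
# machine option points at a sev-guest object that really exists.

# Print the value of the first -machine argument on the command line.
qemu_machine_opts() {
    printf '%s\n' "$1" | sed -n 's/.*-machine \([^ ]*\).*/\1/p' | head -n 1
}

# Print which SEV-enabling machine option is present:
# "confidential-guest-support" (qemu >= 6.0 form), "memory-encryption"
# (older form this bug replaces) or "none".
sev_syntax() {
    opts=$(qemu_machine_opts "$1")
    case ",$opts," in
        *,confidential-guest-support=*) echo confidential-guest-support ;;
        *,memory-encryption=*)          echo memory-encryption ;;
        *)                              echo none ;;
    esac
}

# Print the object id the SEV machine option refers to (e.g. sev0 or lsec0).
sev_object_id() {
    qemu_machine_opts "$1" | tr ',' '\n' \
        | grep -E '^(confidential-guest-support|memory-encryption)=' \
        | head -n 1 | sed 's/^[^=]*=//'
}

# Return 0 if a sev-guest object with that id is defined, accepting both the
# "-object sev-guest,id=X,..." form and the JSON {"qom-type":"sev-guest","id":"X",...} form.
sev_object_defined() {
    id=$(sev_object_id "$1")
    [ -n "$id" ] || return 1
    printf '%s\n' "$1" | grep -Eq -- "-object sev-guest,id=$id(,|$| )|\"qom-type\":\"sev-guest\",\"id\":\"$id\""
}

# Verdict for one command line: "<syntax> ok", "<syntax> missing-object" or "none".
# Returns non-zero for anything other than "<syntax> ok".
sev_check() {
    syntax=$(sev_syntax "$1")
    if [ "$syntax" = none ]; then
        echo none
        return 1
    fi
    if sev_object_defined "$1"; then
        echo "$syntax ok"
    else
        echo "$syntax missing-object"
        return 1
    fi
}

# Run the verdict over every running qemu process. Assumes procps 'ps' and a
# binary name containing "qemu"; the pattern anchors on the first argv token so
# the grep itself is not matched.
sev_check_running() {
    ps -eo args= | grep -E '^[^ ]*qemu[^ ]* .*-machine ' | while IFS= read -r line; do
        printf '%s: %s\n' "${line%% *}" "$(sev_check "$line" || true)"
    done
}

# Constructed sample command lines (modelled on the fragments quoted above).
OLD_CMDLINE='/usr/libexec/qemu-kvm -name guest=vm1 -machine pc-q35-rhel8.2.0,accel=kvm,usb=off,dump-guest-core=off,memory-encryption=sev0 -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,policy=0x7'
NEW_CMDLINE='/usr/libexec/qemu-kvm -name guest=vm1 -machine pc-q35-rhel8.5.0,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=sev0 -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,policy=0x7'
NEWJSON_CMDLINE='/usr/libexec/qemu-kvm -name guest=vm1 -machine pc-q35-rhel8.5.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,confidential-guest-support=lsec0 -object {"qom-type":"sev-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":7}'
BROKEN_CMDLINE='/usr/libexec/qemu-kvm -name guest=vm1 -machine pc-q35-rhel8.5.0,accel=kvm,confidential-guest-support=sev0'
PLAIN_CMDLINE='/usr/libexec/qemu-kvm -name guest=vm1 -machine pc-q35-rhel8.5.0,accel=kvm,usb=off'

for c in "$OLD_CMDLINE" "$NEW_CMDLINE" "$NEWJSON_CMDLINE" "$BROKEN_CMDLINE" "$PLAIN_CMDLINE"; do
    sev_check "$c" || true
done
```

On a host, `sev_check_running` replaces the `ps aux | grep qemu` step and reports one line per guest; a "missing-object" result means the machine option names an id no `-object` defines, which is the kind of inconsistency to look for when a libvirt upgrade renames the object (sev0 to lsec0, as comment 6 shows). The "none" case is expected for guests without `<launchSecurity>`. Whether libvirt chooses the new syntax depends on the capability introduced by commit af5828bc91; the script only inspects the resulting command line and does not query that capability.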

Comment 8 errata-xmlrpc 2021-11-16 07:53:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4684