Bug 2122534

Summary: Misleading error message when missing kernel parameter for SE
Product: Red Hat Enterprise Linux 9 Reporter: smitterl
Component: libvirtAssignee: Peter Krempa <pkrempa>
libvirt sub component: CLI & API QA Contact: smitterl
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: bfu, jdenemar, lmen, pkrempa, thuth, tstaudt, virt-maint, yalzhang
Version: 9.1Keywords: Triaged
Target Milestone: rc   
Target Release: ---   
Hardware: s390x   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-8.8.0-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 07:27:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version: 8.8.0
Embargoed:
Bug Depends On:    
Bug Blocks: 2066305    

Description smitterl 2022-08-30 09:03:18 UTC 
Description of problem:
For SE, the host kernel has to be run with prot_virt=1. If this is not the case, libvirt will show an error message pointing to the QEMU binary to be the issue which it isn't. After setting the kernel parameter correctly the SE guest can start successfully.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Set up an SE with //launchSecurity@type=s390-pv and confirm it runs successfully.
2. Remove "prot_virt=1" from BLS entry, run 'zipl' and reboot.
3. Start SE from 1. via 'virsh start vm'

Actual results:
The VM doesn't start.
error: unsupported configuration: S390 PV launch security is not supported with this QEMU binary


Expected results:
The error message points to the SE being disabled in the kernel, e.g. (from virt-host-validate) "IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments"

Additional info:
Under conditions of 3. the virt-host-validate will show a warning
"""
QEMU: Checking for secure guest support                                    : WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)
"""
Comment 1 Peter Krempa 2022-08-30 11:49:39 UTC 
https://listman.redhat.com/archives/libvir-list/2022-August/234020.html
Comment 2 Peter Krempa 2022-09-01 11:25:59 UTC 
Fixed upstream:

commit f2f5090ef1158af5928aab32d210f0c9c13318aa
Author: Peter Krempa <pkrempa>
Date:   Tue Aug 30 13:46:06 2022 +0200

    qemuValidateDomainDef: Clarify error message when S390 PV launch security is unsupported by the kernel
    
    Split up the condition and report a different error message when the
    host or host config results in S390 PV launch security being
    unavailable.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2122534
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Marc Hartmayer <mhartmay.com>

v8.7.0-39-gf2f5090ef1
Comment 3 IBM Bug Proxy 2022-09-14 12:41:13 UTC 
------- Comment From tstaudt.com 2022-09-14 08:32 EDT-------
from Boris Fiuczynski 2022-09-12 08:12:14 CDT
...
Patch looks good.
Comment 4 smitterl 2022-10-11 12:06:10 UTC 
Manually confirmed. Automated regression test out of scope.

# rpm -q libvirt
libvirt-8.8.0-1.el9.s390x
# virt-host-validate 
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : PASS
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for device assignment IOMMU support                         : PASS
  QEMU: Checking if IOMMU is enabled by kernel                               : PASS
  QEMU: Checking for secure guest support                                    : PASS
# grubby --remove-args="prot_virt=1" --update-kernel=ALL
# reboot
# virt-host-validate 
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : PASS
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for device assignment IOMMU support                         : PASS
  QEMU: Checking if IOMMU is enabled by kernel                               : PASS
  QEMU: Checking for secure guest support                                    : WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)
# virsh edit avocado-vt-vm1 
error: unsupported configuration: S390 PV launch security is not supported by this host or kernel
 # virsh define vm.xml 
error: Failed to define domain from vm.xml
error: unsupported configuration: S390 PV launch security is not supported by this host or kernel
Comment 9 errata-xmlrpc 2023-05-09 07:27:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2171