Bug 1118834 (vmgenid) - [RFE] VM-Generation-ID - Detection of cloned environment using a unique, inmutable, intelligent identifier programmically accessible [NEEDINFO]
Summary: [RFE] VM-Generation-ID - Detection of cloned environment using a unique, inmu...
Keywords:
Status: CLOSED ERRATA
Alias: vmgenid
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Michael S. Tsirkin
QA Contact: Guo, Zhiyi
Jiri Herrmann
URL:
Whiteboard:
: 1139005 (view as bug list)
Depends On:
Blocks: 1159983 1598348 1118825 vmgenid-libvirt 1159981 1288337 1598350
TreeView+ depends on / blocked
 
Reported: 2014-07-11 16:01 UTC by Karen Noel
Modified: 2018-11-14 08:38 UTC (History)
24 users (show)

Fixed In Version: qemu-kvm-rhev-2.12.0-1.el7
Doc Type: Technology Preview
Doc Text:
As a Technology Preview, qemu-kvm-rhev introduces the Virtual Machine Generation ID feature, which enables the VM BIOS to expose ID integers that help prevent the corruption of virtual file systems during higher-risk operations, such as restoring a snapshot or loading a configuration backup. This feature is available on VMs that use the following guest operating systems: - Windows 8 or later - Windows Server 2012 or later Note that it is currently only possible to access this feature using arbitrary QEMU commands. However, virtual machines modified by such commands cannot be supported by Red Hat.
Clone Of: 1118825
: vmgenid-libvirt 1159983 (view as bug list)
Environment:
Last Closed: 2018-11-01 11:01:10 UTC
yisun: needinfo? (mst)


Attachments (Terms of Use)
win2012result (88.13 KB, image/png)
2018-06-05 05:30 UTC, jingzhao
no flags Details

Description Karen Noel 2014-07-11 16:01:25 UTC
+++ This bug was initially created as a clone of Bug #1118825 +++

Description of problem:
Making copies of VMs is great - until it isn't. The typical window's example: some clones a VM that is running active directory - and now - there are two sources of truth of authentication/authorization- a bad thing.

Microsoft has established a standard identifier-using the ACPI driver to identify when a clone has been creating in a "bad way." This standard is now supported by VMware, Xen Server and, of course, HyperV. See http://go.microsoft.com/fwlink/?LinkId=260709 for more information.

Flexera Software takes advantage of this standard to detect when a user has incorrectly cloned a license server (where a user then has 2 license servers running licenses-same as having 2 active directory). We then enable the producers to implement policies such as "render the license server inoperable" or "give user time to fix this." We have data to show that this particular scenario happens to roughly 20% of all global software licenses (and often by accident).

Our ask is that Red Hat/the linux community also establish something of the same flavor so that software producers can help customers stay compliant with their software licenses.


Version-Release number of selected component (if applicable): All


How reproducible: N/A


Steps to Reproduce: 
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Ronen Hod 2014-10-05 08:42:26 UTC
Closing bug#1139005 as duplicate.
There it says:
This functionality is new to Hyper-V in Windows Server 2012 or Windows 8 and is designed to differentiate (security-wise) between instances of a VM that were generated using the exact same disk image / snapshot.
The implementation is based on a new hypervisor's device, that returns a 128-bit, cryptographically random integer value identifier that will be different every time the virtual machine executes from a different configuration file—such as executing from a recovered snapshot, or executing after restoring from backup.

Comment 2 Ronen Hod 2014-10-05 08:44:02 UTC
*** Bug 1139005 has been marked as a duplicate of this bug. ***

Comment 3 Gal Hammer 2014-12-07 14:33:42 UTC
A patch was posted and is expected to be applied after qemu's 2.2 release.

Comment 4 Miroslav Rezanina 2015-06-18 07:27:29 UTC
Hi Gal,
is patch in 2.2/2.3 upstream release? In case it is, please move the bz to modified state and fill fixed in field with proper version.

Comment 5 Gal Hammer 2015-06-18 07:34:39 UTC
(In reply to Miroslav Rezanina from comment #4)
> Hi Gal,
> is patch in 2.2/2.3 upstream release? In case it is, please move the bz to
> modified state and fill fixed in field with proper version.

The patch was not accepted it.

Comment 6 juzhang 2015-09-07 02:44:56 UTC
(In reply to Gal Hammer from comment #5)
> (In reply to Miroslav Rezanina from comment #4)
> > Hi Gal,
> > is patch in 2.2/2.3 upstream release? In case it is, please move the bz to
> > modified state and fill fixed in field with proper version.
> 
> The patch was not accepted it.

Hi mrezanin,

According to comment5, seems we need to update the bz status from post to assigned status?

Best Regards,
Junyi

Comment 13 Laszlo Ersek 2016-01-19 14:14:20 UTC
Igor posted:
[PATCH v17 0/9] Virtual Machine Generation ID
http://thread.gmane.org/gmane.comp.emulators.qemu/387810

Comment 21 Laszlo Ersek 2017-06-02 13:36:43 UTC
Upstream testing:
http://mid.mail-archive.com/c052d05e-71a5-1a6a-f34f-17d14167c2f6@redhat.com

Comment 24 Michael S. Tsirkin 2018-03-12 14:53:29 UTC
Note for qe:
Verifying functionality in a Windows guest is tricky, but in Linux
you can build and load this (old and badly written) device driver:

https://github.com/ben-skyportsystems/vmgenid-test

You should see the 'notices' number increment after restoring a snapshot.

Comment 25 Michael S. Tsirkin 2018-03-12 14:54:54 UTC
notes on testing with windows guests:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg430714.html

Comment 33 jingzhao 2018-06-05 05:30:09 UTC
Test against with qemu-kvm-rhev-2.12.0-2.el7.x86_64

1. RHEL guest:

a) Boot up guest with "-device vmgenid,id=testvgid,guid=auto"

b) Check the vmgenid in the guest
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/guid
90231d05-db32-1345-bbbe-3cf3a49ab372
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/notices
0

c) Do the migration in hmp
(qemu) stop
(qemu) info status
VM status: paused
(qemu) migrate -d "exec: gzip -c >/home/test.gz"

d) Then boot up snapshot with "-incoming "exec: gzip -c -d /home/test.gz" "

e) check vmgenid in the guest again
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/guid
6c934afe-384e-274b-b4ac-5dbada48940b
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/notices
1

2. Windows server 2012 guest:

test it with above steps, and can see the different vmgenid, please check the attachment(win2012result)

Hi Michael

Could you double check it? is it enough?

Thanks
Jing

Comment 34 jingzhao 2018-06-05 05:30:58 UTC
Created attachment 1447709 [details]
win2012result

Comment 36 Michael S. Tsirkin 2018-08-07 16:38:25 UTC
Looks good to me.

Comment 39 errata-xmlrpc 2018-11-01 11:01:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3443

Comment 40 yisun 2018-11-14 08:38:45 UTC
(In reply to Michael S. Tsirkin from comment #24)
> Note for qe:
> Verifying functionality in a Windows guest is tricky, but in Linux
> you can build and load this (old and badly written) device driver:
> 
> https://github.com/ben-skyportsystems/vmgenid-test
> 
> You should see the 'notices' number increment after restoring a snapshot.

Hi Micheal,
with the tool in this github repo, I found following issue, not sure if it's a data sequence problem.

steps:
1. start a vm with genid=29aba8fd-899f-4f0e-baca-b4d28262918a
# ps -ef | grep genid
qemu     19733     1  0 03:29 ?        00:00:02 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on ...-device vmgenid,guid=29aba8fd-899f-4f0e-baca-b4d28262918a

2. login vm and use the tool you provided to print the guid
[root@localhost vmgenid]# cat /sys/firmware/acpi/vmgenid/guid 
fda8ab29-9f89-0e4f-baca-b4d28262918a

problem:
the guid in step 1&2 are different, seems big/little endian mixed... is this a problem?


Note You need to log in before you can comment on or make changes to this bug.