RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1118834 (vmgenid) - [RFE] VM-Generation-ID - Detection of cloned environment using a unique, inmutable, intelligent identifier programmically accessible
Summary: [RFE] VM-Generation-ID - Detection of cloned environment using a unique, inmu...
Keywords:
Status: CLOSED ERRATA
Alias: vmgenid
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Michael S. Tsirkin
QA Contact: Guo, Zhiyi
Jiri Herrmann
URL:
Whiteboard:
: 1139005 (view as bug list)
Depends On:
Blocks: 1118825 vmgenid-libvirt 1159981 1159983 1288337 1598348 1598350 2000506
TreeView+ depends on / blocked
 
Reported: 2014-07-11 16:01 UTC by Karen Noel
Modified: 2023-09-14 23:57 UTC (History)
24 users (show)

Fixed In Version: qemu-kvm-rhev-2.12.0-1.el7
Doc Type: Technology Preview
Doc Text:
As a Technology Preview, qemu-kvm-rhev introduces the Virtual Machine Generation ID feature, which enables the VM BIOS to expose ID integers that help prevent the corruption of virtual file systems during higher-risk operations, such as restoring a snapshot or loading a configuration backup. This feature is available on VMs that use the following guest operating systems: - Windows 8 or later - Windows Server 2012 or later Note that it is currently only possible to access this feature using arbitrary QEMU commands. However, virtual machines modified by such commands cannot be supported by Red Hat.
Clone Of: 1118825
: vmgenid-libvirt 1159983 (view as bug list)
Environment:
Last Closed: 2018-11-01 11:01:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
win2012result (88.13 KB, image/png)
2018-06-05 05:30 UTC, jingzhao 		no flags Details
View All

Description Karen Noel 2014-07-11 16:01:25 UTC 
+++ This bug was initially created as a clone of Bug #1118825 +++

Description of problem:
Making copies of VMs is great - until it isn't. The typical window's example: some clones a VM that is running active directory - and now - there are two sources of truth of authentication/authorization- a bad thing.

Microsoft has established a standard identifier-using the ACPI driver to identify when a clone has been creating in a "bad way." This standard is now supported by VMware, Xen Server and, of course, HyperV. See http://go.microsoft.com/fwlink/?LinkId=260709 for more information.

Flexera Software takes advantage of this standard to detect when a user has incorrectly cloned a license server (where a user then has 2 license servers running licenses-same as having 2 active directory). We then enable the producers to implement policies such as "render the license server inoperable" or "give user time to fix this." We have data to show that this particular scenario happens to roughly 20% of all global software licenses (and often by accident).

Our ask is that Red Hat/the linux community also establish something of the same flavor so that software producers can help customers stay compliant with their software licenses.


Version-Release number of selected component (if applicable): All


How reproducible: N/A


Steps to Reproduce: 
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Ronen Hod 2014-10-05 08:42:26 UTC 
Closing bug#1139005 as duplicate.
There it says:
This functionality is new to Hyper-V in Windows Server 2012 or Windows 8 and is designed to differentiate (security-wise) between instances of a VM that were generated using the exact same disk image / snapshot.
The implementation is based on a new hypervisor's device, that returns a 128-bit, cryptographically random integer value identifier that will be different every time the virtual machine executes from a different configuration file—such as executing from a recovered snapshot, or executing after restoring from backup.
Comment 2 Ronen Hod 2014-10-05 08:44:02 UTC 
*** Bug 1139005 has been marked as a duplicate of this bug. ***
Comment 3 Gal Hammer 2014-12-07 14:33:42 UTC 
A patch was posted and is expected to be applied after qemu's 2.2 release.
Comment 4 Miroslav Rezanina 2015-06-18 07:27:29 UTC 
Hi Gal,
is patch in 2.2/2.3 upstream release? In case it is, please move the bz to modified state and fill fixed in field with proper version.
Comment 5 Gal Hammer 2015-06-18 07:34:39 UTC 
(In reply to Miroslav Rezanina from comment #4)
> Hi Gal,
> is patch in 2.2/2.3 upstream release? In case it is, please move the bz to
> modified state and fill fixed in field with proper version.

The patch was not accepted it.
Comment 6 juzhang 2015-09-07 02:44:56 UTC 
(In reply to Gal Hammer from comment #5)
> (In reply to Miroslav Rezanina from comment #4)
> > Hi Gal,
> > is patch in 2.2/2.3 upstream release? In case it is, please move the bz to
> > modified state and fill fixed in field with proper version.
> 
> The patch was not accepted it.

Hi mrezanin,

According to comment5, seems we need to update the bz status from post to assigned status?

Best Regards,
Junyi
Comment 13 Laszlo Ersek 2016-01-19 14:14:20 UTC 
Igor posted:
[PATCH v17 0/9] Virtual Machine Generation ID
http://thread.gmane.org/gmane.comp.emulators.qemu/387810
Comment 21 Laszlo Ersek 2017-06-02 13:36:43 UTC 
Upstream testing:
http://mid.mail-archive.com/c052d05e-71a5-1a6a-f34f-17d14167c2f6@redhat.com
Comment 24 Michael S. Tsirkin 2018-03-12 14:53:29 UTC 
Note for qe:
Verifying functionality in a Windows guest is tricky, but in Linux
you can build and load this (old and badly written) device driver:

https://github.com/ben-skyportsystems/vmgenid-test

You should see the 'notices' number increment after restoring a snapshot.
Comment 25 Michael S. Tsirkin 2018-03-12 14:54:54 UTC 
notes on testing with windows guests:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg430714.html
Comment 33 jingzhao 2018-06-05 05:30:09 UTC 
Test against with qemu-kvm-rhev-2.12.0-2.el7.x86_64

1. RHEL guest:

a) Boot up guest with "-device vmgenid,id=testvgid,guid=auto"

b) Check the vmgenid in the guest
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/guid
90231d05-db32-1345-bbbe-3cf3a49ab372
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/notices
0

c) Do the migration in hmp
(qemu) stop
(qemu) info status
VM status: paused
(qemu) migrate -d "exec: gzip -c >/home/test.gz"

d) Then boot up snapshot with "-incoming "exec: gzip -c -d /home/test.gz" "

e) check vmgenid in the guest again
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/guid
6c934afe-384e-274b-b4ac-5dbada48940b
[root@dhcp-8-106 vmgenid-test]# cat /sys/firmware/acpi/vmgenid/notices
1

2. Windows server 2012 guest:

test it with above steps, and can see the different vmgenid, please check the attachment(win2012result)

Hi Michael

Could you double check it? is it enough?

Thanks
Jing
Comment 34 jingzhao 2018-06-05 05:30:58 UTC 
Created attachment 1447709 [details]
win2012result
Comment 36 Michael S. Tsirkin 2018-08-07 16:38:25 UTC 
Looks good to me.
Comment 39 errata-xmlrpc 2018-11-01 11:01:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3443
Comment 40 yisun 2018-11-14 08:38:45 UTC 
(In reply to Michael S. Tsirkin from comment #24)
> Note for qe:
> Verifying functionality in a Windows guest is tricky, but in Linux
> you can build and load this (old and badly written) device driver:
> 
> https://github.com/ben-skyportsystems/vmgenid-test
> 
> You should see the 'notices' number increment after restoring a snapshot.

Hi Micheal,
with the tool in this github repo, I found following issue, not sure if it's a data sequence problem.

steps:
1. start a vm with genid=29aba8fd-899f-4f0e-baca-b4d28262918a
# ps -ef | grep genid
qemu     19733     1  0 03:29 ?        00:00:02 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on ...-device vmgenid,guid=29aba8fd-899f-4f0e-baca-b4d28262918a

2. login vm and use the tool you provided to print the guid
[root@localhost vmgenid]# cat /sys/firmware/acpi/vmgenid/guid 
fda8ab29-9f89-0e4f-baca-b4d28262918a

problem:
the guid in step 1&2 are different, seems big/little endian mixed... is this a problem?
Comment 41 Red Hat Bugzilla 2023-09-14 23:57:45 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.