Bug 1672188 - AMD SEV: Add new managed file /dev/sev for svirt_t
Summary: AMD SEV: Add new managed file /dev/sev for svirt_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: Unspecified
OS: Linux
high
high
Target Milestone: rc
: 8.0
Assignee: Lukas Vrabec 🐦
QA Contact: Milos Malik ♈🏡🍅
URL:
Whiteboard:
Depends On:
Blocks: 1654309 1665400 1671791
TreeView+ depends on / blocked
 
Reported: 2019-02-04 08:14 UTC by Erik Skultety
Modified: 2019-06-14 01:12 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:12:50 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description Erik Skultety 2019-02-04 08:14:56 UTC
Description of problem:
By default, /dev/sev device has file context device_t which will trigger an AVC for svirt_t. We need a new label for the device, e.g. sev_device_t (using kvm_device_t as precedent) and a rule to allow svirt_t access. 

Version-Release number of selected component (if applicable):
3.14.1-51.el8

How reproducible:


Steps to Reproduce:
1. remove cached libvirt capabilities

# rm -f /var/cache/libvirt/qemu/capabilities/*

2. restart libvirtd

# systemctl restart libvirtd

3. check domain capabilities

# virsh domcapabilities

...
<features>
  ...
  <sev supported='no'/>
  ...
</features>
...

Actual results:
QEMU reports that SEV feature is unavailable on the platform because it gets EPERM when it tries to open the device during probing.

Expected results:

...
<sev supported='yes'>
  <cbitpos>47</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
</sev>
...

Additional info:

Comment 4 Erik Skultety 2019-02-04 14:41:49 UTC
> Steps to Reproduce:
> 1. remove cached libvirt capabilities
> 
> # rm -f /var/cache/libvirt/qemu/capabilities/*
> 
> 2. restart libvirtd
> 
> # systemctl restart libvirtd
> 
> 3. check domain capabilities
> 
> # virsh domcapabilities
> 
> ...
> <features>
>   ...
>   <sev supported='no'/>
>   ...
> </features>
> ...

Please ignore ^these steps which are wrong and were caused by some left-over settings on the testing machine, follow these steps instead:

Prerequisite: whatever version of libvirt that fixed https://bugzilla.redhat.com/show_bug.cgi?id=1665400

1) enable the SEV feature in a VM XML:

//Set memory hard_limit setting, 256MiB and more of what the currentMemory value says should do
...
 <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <memtune>
    <hard_limit unit='KiB'>4456448</hard_limit>
  </memtune>
...

//All virtio devices need to add a <driver iommu='on'/> element
...
  <devices>
  ...
    <controller type='virtio-serial' index='0'>
      <driver iommu='on'/>
    </controller>
    ...
    <controller type='scsi' index='0' model='virtio-scsi'>
      <driver iommu='on'/>
    </controller>
    ...
    <memballoon model='virtio'>
      <driver iommu='on'/>
    </memballoon>
    ...
    <rng model='virtio'>
      ...
      <driver iommu='on'/>
    </rng>
  ...
  </devices>

//Add the launchSecurity element to enable SEV
...
  </devices>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0001</policy>
  </launchSecurity>
...

2) upon successful edit of the XML, start the VM:

# virsh start <my_domain>
error: Failed to start domain <my_domain>
error: internal error: process exited while connecting to monitor: 2019-02-04T14:17:55.700481Z qemu-kvm: sev_guest_init: Failed to open /dev/sev 'Permission denied'         
2019-02-04T14:17:55.701107Z qemu-kvm: failed to initialize KVM: Operation not permitted       

Actual results:
QEMU fails to start a SEV VM because it fails to open /dev/sev device.

Expected results:
QEMU can start a SEV VM successfully.

Additional info:
The current SELinux context of /dev/sev is as follows: system_u:object_r:device_t:s0, qemu-kvm which runs as svirt_t is denied access to device_t:

type=AVC msg=audit(1549289875.700:1137): avc:  denied  { read write } for  pid=92694 comm="qemu-kvm" name="sev" dev="tmpfs" ino=455238 scontext=system_u:system_r:svirt_t:s0:c691,c888 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


Note You need to log in before you can comment on or make changes to this bug.