* Description of problem:

In order to use virtio-net-pci in SEV guests, vhost-net has to be disabled, and the QEMU-internal device model has to be forced.

* Version-Release number of selected component (if applicable):

2.12.0-81.module+el8.1.0+3619+dfe1ae01

* How reproducible:

always

* Steps to Reproduce:

1. define a SEV domain; refer to e.g.

   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c49 [QEMU cmd]

2. enable vhost:

    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:e9:f0:cf'/>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
                    ^^^^^
      <rom enabled='no'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </interface>

   (equivalently, on the QEMU command line, set the "vhost=on" property for "-netdev tap")

3. boot OVMF

4. enter the UEFI setup TUI by pressing ESC

5. launch the UEFI shell by booting UefiShell.iso explicitly from the boot manager submenu

6. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l             /* repeat until you get an IP address */
   ping 8.8.8.8

* Actual results:

Step 4 hangs.

* Expected results:

Step 6 is reached and it succeeds.

* Additional info:

- The issue can be worked around by setting

      <driver name='qemu' iommu='on'/>
                    ^^^^

  in the domain XML, or (equivalently) by setting "vhost=off" for "-netdev tap". (The default is vhost=on, from simply omitting the "name" attribute:

      <driver iommu='on'/>

  )

- The fix is to backport <https://github.com/qemu/qemu/commit/d542800d1edc62f63f8a29cfa6bdd1a9536ae11c>, which I have already built & tested, (Brew taskid=22757028). It's a simple cherry-pick.

- The backport has been identified (and the original patch was written) by Brijesh Singh @ AMD.

- The upstream patch was backported to v2.12.1 stable (2f2b18923502), but we still lack it down-stream. The original upstream commit is part of v3.0.0 (hence no RHEL-AV backport should be necessary).
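
The workaround described above can be checked mechanically on hosts still running a build without the backport. The following is an added example, not part of the bug report or of libvirt/QEMU: a hypothetical helper, vhost_findings, that parses a domain XML and lists virtio interfaces of a SEV guest whose <driver> element would select vhost, either explicitly or by omitting the "name" attribute. The sample domain is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not the one attached to the referenced bug).
SAMPLE_DOMAIN = """<domain type='kvm'>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:02'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:03'/>
      <model type='virtio'/>
      <driver name='qemu' iommu='on'/>
    </interface>
  </devices>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
  </launchSecurity>
</domain>"""


def vhost_findings(domain_xml):
    """Return (mac, reason) for virtio NICs of a SEV domain that would use vhost."""
    root = ET.fromstring(domain_xml)
    sec = root.find("launchSecurity")
    if sec is None or sec.get("type") != "sev":
        return []  # not a SEV guest, the workaround does not apply
    findings = []
    for nic in root.iterfind("./devices/interface"):
        model = nic.find("model")
        if model is None or not model.get("type", "").startswith("virtio"):
            continue
        mac = nic.find("mac")
        mac_addr = mac.get("address") if mac is not None else "(no mac)"
        driver = nic.find("driver")
        name = driver.get("name") if driver is not None else None
        if name == "qemu":
            continue  # QEMU-internal device model forced, as in the workaround
        reason = "driver name='vhost'" if name == "vhost" else "driver name omitted (defaults to vhost)"
        findings.append((mac_addr, reason))
    return findings
```
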
Reproduce it with qemu-kvm-2.12.0-82.module+el8.1.0+3738+0d8c0249

steps:

1. using sev domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]

2. check the qemu command line like:

   -netdev tap,fd=31,id=hostnet0,vhost=on,vhostfd=32
   -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on

Verified with qemu-kvm-2.12.0-83.module+el8.1.0+3852+0ba8aef0

steps:

1. using sev domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]

2. check the qemu command line, there is no vhostfd passed.

   -netdev tap,fd=31,id=hostnet0
   -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on

3. boot sev guest like:

/usr/libexec/qemu-kvm \
    -name guest=rhel8 \
    -drive if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/sev/OVMF_CODE.secboot.fd,readonly \
    -drive if=pflash,format=raw,unit=1,file=/usr/share/edk2/ovmf/sev/OVMF_VARS.fd \
    -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
    -serial unix:/tmp/console,server,nowait \
    -machine pc-q35-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off,memory-encryption=sev0 \
    -cpu EPYC-IBPB \
    -m 8192 \
    -realtime mlock=off \
    -smp 2,sockets=1,cores=1,threads=2 \
    -uuid 33d3c713-b645-4e93-95d0-25a7952571ac \
    -no-user-config \
    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
    -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
    -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
    -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
    -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 \
    -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 \
    -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 \
    -device pcie-root-port,port=0x17,chassis=8,id=pci.8,bus=pcie.0,addr=0x2.0x7 \
    -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.3,addr=0x0 \
    -device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x0,disable-legacy=on,iommu_platform=true \
    -device virtio-serial-pci,id=virtio-serial0,bus=pci.4,addr=0x0,disable-legacy=on,iommu_platform=true \
    -drive file=/home/vm-images/ovmf.rhel8.sev.q35.img,format=qcow2,if=none,id=drive-scsi0-0-0-0,werror=enospc,cache=writeback,discard=unmap \
    -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1,write-cache=on \
    -drive file=/home/kvm_autotest_root/iso/linux/RHEL-8.1.0-20190806.2-x86_64-dvd1.iso,format=raw,if=none,id=drive-scsi0-0-0-1,readonly=on,cache=writeback \
    -device scsi-cd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,share-rw=on,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,bootindex=2,write-cache=on \
    -netdev tap,id=hostnet0,vhost=on \
    -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:97:13:cd,bus=pci.1,addr=0x0,disable-legacy=on,iommu_platform=true,romfile='' \
    -device virtserialport,bus=virtio-serial0.0,name=org.qemu.guest_agent.0 \
    -device usb-tablet,id=input0,bus=usb.0,port=1 \
    -vnc 0.0.0.0:0 \
    -device qxl-vga,max_outputs=1,bus=pcie.0,addr=0x1 \
    -device virtio-tablet-pci,disable-legacy=on,iommu_platform=true,bus=pci.6 \
    -device virtio-balloon-pci,disable-legacy=on,iommu_platform=true,bus=pci.7 \
    -device virtio-rng-pci,disable-legacy=on,iommu_platform=true,bus=pci.8 \
    -monitor stdio \
    -boot menu=on,splash-time=20000,strict=on \
    -drive id=drive_cd1,if=none,snapshot=off,cache=none,media=cdrom,file=/usr/share/edk2/ovmf/UefiShell.iso \
    -device scsi-cd,id=cd1,drive=drive_cd1

4. boot OVMF

5. enter the UEFI setup TUI by pressing ESC

6. launch the UEFI shell by booting UefiShell.iso explicitly from the boot manager submenu

7. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l             /* repeat until you get an IP address */
   ping 10.73.8.2          /* network reached and it succeeds. */

Based on the above, set it to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3345