Bug 1732642 - enable the virtio-net frontend to work with the vhost-net backend in SEV guests
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Laszlo Ersek
QA Contact: Quan Wenli
Reported: 2019-07-24 00:22 UTC by Laszlo Ersek
Modified: 2020-01-20 03:55 UTC (History)

Fixed In Version: qemu-kvm-2.12.0-83.module+el8.1.0+3852+0ba8aef0
Last Closed: 2019-11-05 20:51:02 UTC
Type: Bug

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3345 None None None 2019-11-05 20:51:32 UTC

Description Laszlo Ersek 2019-07-24 00:22:37 UTC
* Description of problem:
In order to use virtio-net-pci in SEV guests, vhost-net has to be
disabled, and the QEMU-internal device model has to be forced.

* Version-Release number of selected component (if applicable):
2.12.0-81.module+el8.1.0+3619+dfe1ae01

* How reproducible:
always

* Steps to Reproduce:

1. define a SEV domain; refer to e.g.
   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
   https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c49 [QEMU cmd]

2. enable vhost:

    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01'
       function='0x4'/>
    </controller>

    <interface type='network'>
      <mac address='52:54:00:e9:f0:cf'/>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
                    ^^^^^
      <rom enabled='no'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00'
       function='0x0'/>
    </interface>

   (equivalently, on the QEMU command line, set the "vhost=on" property
   for "-netdev tap")

3. boot OVMF

4. enter the UEFI setup TUI by pressing ESC

5. launch the UEFI shell by booting UefiShell.iso explicitly from the
   boot manager submenu

6. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l           /* repeat until you get an IP address */
   ping 8.8.8.8

* Actual results:
Step 4 hangs.

* Expected results:
Step 6 is reached and it succeeds.

* Additional info:

- The issue can be worked around by setting

      <driver name='qemu' iommu='on'/>
                    ^^^^

in the domain XML, or (equivalently) by setting "vhost=off" for "-netdev
tap".

(The default is vhost=on, from simply omitting the "name" attribute:

      <driver iommu='on'/>
)

- The fix is to backport
<https://github.com/qemu/qemu/commit/d542800d1edc62f63f8a29cfa6bdd1a9536ae11c>,
which I have already built & tested (Brew taskid=22757028). It's a
simple cherry-pick.

- The backport has been identified (and the original patch was written)
by Brijesh Singh @ AMD.

- The upstream patch was backported to v2.12.1 stable (2f2b18923502),
but we still lack it down-stream. The original upstream commit is part
of v3.0.0 (hence no RHEL-AV backport should be necessary).
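
An added example (not part of the original report, and not Red Hat or QEMU code): a check over a libvirt domain XML that flags the virtio NICs of a SEV guest that select the vhost backend, which per the description above hangs on qemu-kvm builds lacking the backport. The function name, the finding labels, the sample XML, and the use of libvirt's `<launchSecurity type='sev'>` element to recognise a SEV domain are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bug report): a SEV domain with three virtio NICs.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <launchSecurity type='sev'/>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:02'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:03'/>
      <model type='virtio'/>
      <driver name='qemu' iommu='on'/>
    </interface>
  </devices>
</domain>
"""

def audit_sev_virtio_net(domain_xml):
    """Return [(mac, backend, finding)] for each virtio NIC of a SEV domain."""
    root = ET.fromstring(domain_xml)
    sec = root.find("launchSecurity")
    if sec is None or sec.get("type") != "sev":
        return []  # not a SEV guest, so this bug does not apply
    results = []
    for nic in root.findall("./devices/interface"):
        model, mac, drv = nic.find("model"), nic.find("mac"), nic.find("driver")
        if model is None or model.get("type") != "virtio":
            continue
        attrs = drv.attrib if drv is not None else {}
        # Omitting "name" selects vhost, as the report notes.
        backend = attrs.get("name", "vhost")
        if attrs.get("iommu") != "on":
            finding = "iommu-off"          # SEV virtio devices need iommu='on'
        elif backend == "vhost":
            finding = "needs-fixed-qemu"   # hangs on builds without the backport
        else:
            finding = "ok"                 # QEMU-internal device model (workaround)
        results.append((mac.get("address") if mac is not None else "?", backend, finding))
    return results
```

A "needs-fixed-qemu" finding means the host must run a build with the fix (the "Fixed In Version" field above) or the interface must be switched to `name='qemu'`.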

Comment 16 Quan Wenli 2019-08-20 09:25:54 UTC
Reproduced with qemu-kvm-2.12.0-82.module+el8.1.0+3738+0d8c0249

steps:
1. using the SEV domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
2. check the QEMU command line, like:
-netdev tap,fd=31,id=hostnet0,vhost=on,vhostfd=32 
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on


Verified with qemu-kvm-2.12.0-83.module+el8.1.0+3852+0ba8aef0
steps:
1. using the SEV domain from https://bugzilla.redhat.com/show_bug.cgi?id=1531543#c48 [domain XML]
2. check the QEMU command line; there is no vhostfd passed.
-netdev tap,fd=31,id=hostnet0 
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:51:4b:77,bus=pci.4,addr=0x0,romfile=,iommu_platform=on 

3. boot the SEV guest like:
/usr/libexec/qemu-kvm \
        -name guest=rhel8 \
        -drive if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/sev/OVMF_CODE.secboot.fd,readonly \
        -drive if=pflash,format=raw,unit=1,file=/usr/share/edk2/ovmf/sev/OVMF_VARS.fd \
        -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
        -serial unix:/tmp/console,server,nowait \
        -machine pc-q35-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off,memory-encryption=sev0 \
        -cpu EPYC-IBPB \
        -m 8192 \
        -realtime mlock=off \
        -smp 2,sockets=1,cores=1,threads=2 \
        -uuid 33d3c713-b645-4e93-95d0-25a7952571ac \
        -no-user-config \
        -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
        -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
        -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
        -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
        -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 \
        -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 \
        -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 \
        -device pcie-root-port,port=0x17,chassis=8,id=pci.8,bus=pcie.0,addr=0x2.0x7 \
        -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.3,addr=0x0 \
        -device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x0,disable-legacy=on,iommu_platform=true \
        -device virtio-serial-pci,id=virtio-serial0,bus=pci.4,addr=0x0,disable-legacy=on,iommu_platform=true \
        -drive file=/home/vm-images/ovmf.rhel8.sev.q35.img,format=qcow2,if=none,id=drive-scsi0-0-0-0,werror=enospc,cache=writeback,discard=unmap \
        -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1,write-cache=on \
        -drive file=/home/kvm_autotest_root/iso/linux/RHEL-8.1.0-20190806.2-x86_64-dvd1.iso,format=raw,if=none,id=drive-scsi0-0-0-1,readonly=on,cache=writeback \
        -device scsi-cd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,share-rw=on,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,bootindex=2,write-cache=on \
        -netdev tap,id=hostnet0,vhost=on \
        -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:97:13:cd,bus=pci.1,addr=0x0,disable-legacy=on,iommu_platform=true,romfile='' \
        -device virtserialport,bus=virtio-serial0.0,name=org.qemu.guest_agent.0 \
        -device usb-tablet,id=input0,bus=usb.0,port=1 \
        -vnc 0.0.0.0:0 \
        -device qxl-vga,max_outputs=1,bus=pcie.0,addr=0x1 \
        -device virtio-tablet-pci,disable-legacy=on,iommu_platform=true,bus=pci.6 \
        -device virtio-balloon-pci,disable-legacy=on,iommu_platform=true,bus=pci.7 \
        -device virtio-rng-pci,disable-legacy=on,iommu_platform=true,bus=pci.8 \
        -monitor stdio \
        -boot menu=on,splash-time=20000,strict=on \
        -drive id=drive_cd1,if=none,snapshot=off,cache=none,media=cdrom,file=/usr/share/edk2/ovmf/UefiShell.iso \
        -device scsi-cd,id=cd1,drive=drive_cd1
4. boot OVMF
5. enter the UEFI setup TUI by pressing ESC
6. launch the UEFI shell by booting UefiShell.iso explicitly from the
   boot manager submenu
7. In the UEFI shell, run

   ifconfig -s eth0 dhcp
   ifconfig -l           /* repeat until you get an IP address */
   ping 10.73.8.2        /* network reached and it succeeds */


Based on the above, set it to verified.

Comment 18 errata-xmlrpc 2019-11-05 20:51:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3345

