1839999 – cpu fea-ture policy do not work as expected with cpu mode=passthrough

Bug 1839999 - cpu fea-ture policy do not work as expected with cpu mode=passthrough

Summary: cpu fea-ture policy do not work as expected with cpu mode=passthrough

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Advanced Virtualization
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.2
Assignee:	Jiri Denemark
QA Contact:	Jing Qi
Docs Contact:
URL:
Whiteboard:
Depends On:	1515677
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-26 08:24 UTC by Jiri Denemark
Modified:	2020-07-28 07:14 UTC (History)
CC List:	6 users (show)
Fixed In Version:	libvirt-6.0.0-21.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1515677
Environment:
Last Closed:	2020-07-28 07:13:31 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:3172	0	None	None	None	2020-07-28 07:14:27 UTC

Description Jiri Denemark 2020-05-26 08:24:38 UTC

+++ This bug was initially created as a clone of Bug #1515677 +++

Description of problem:
cpu feature policy do not work as expected with cpu mode=passthrough

Version-Release number of selected component (if applicable):
libvirt-3.9.0-2.el7.x86_64
qemu-kvm-rhev-2.9.0-16.el7_4.12.x86_64

How reproducible:
100%

Steps to Reproduce:

forbid
1. On host support avx
2. Edit the vm's xml  with below section
# virsh edit rhel7
  <cpu mode='host-passthrough' check='full'>
    <feature policy='forbid' name='avx'/>
  </cpu>

3. vm can start successfully
# virsh start rhel7
Domain rhel7 started

# ps aux | grep rhel7
...-machine pc-i440fx-rhel7.4.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu host,avx=off...


require
1. on intel host do not support cr8legacy
# cat /proc/cpuinfo | grep cr8legacy ===> no output

2. # virsh dumpxml rhel7 | grep /cpu -B2
  <cpu mode='host-passthrough' check='full'>
    <feature policy='require' name='cr8legacy'/>
  </cpu>

3. # virsh start rhel7
Domain rhel7 started

# ps aux | grep rhel7 
...-cpu host,cr8legacy=on...


Actual results:
For forbid, the guest can start but it support avx.
For require, the guest can start but it do not support cr8legacy.

Expected results:
For forbid, the guest should not start as it support avx.
For require, the guest should not start as it do not support cr8legacy.
Or for host-passthrough do not support require and forbid? better to document somewhere.

Additional info:

Fixed upstream by

commit ac36a824641862dcac057c6403b27ab1e91874f5
Refs: v6.1.0-175-gac36a82464
Author:     Jiri Denemark <jdenemar>
AuthorDate: Mon Mar 9 14:14:04 2020 +0100
Commit:     Jiri Denemark <jdenemar>
CommitDate: Tue Mar 17 22:53:53 2020 +0100

    cpu: Honor check='full' for host-passthrough CPUs

    The check attribute was completely ignored for host-passthrough CPUs
    even if they explicitly requested some features to be enabled. For
    example, a domain with the following CPU definition

      <cpu mode='host-passthrough' check='full'>
       	<feature policy='require' name='svm'/>
      </cpu>

    would happily start even when 'svm' cannot be enabled.

    Let's call virCPUArchUpdateLive for host-passthrough CPUs with
    VIR_CPU_CHECK_FULL to make sure the architecture specific code can
    validate the provided virtual CPU against the desired definition.

    https://bugzilla.redhat.com/show_bug.cgi?id=1515677

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Ján Tomko <jtomko>

Comment 4 Jing Qi 2020-06-01 10:33:48 UTC

verified with version: 
libvirt-6.0.0-22.module+el8.2.1+6815+1c792dc8.x86_64
qemu-kvm-4.2.0-22.module+el8.2.1+6758+cb8d64c2.x86_64

A host without cr8legacy supported:
#cat /proc/cpuinfo |grep cr8legacy
No output.

1. Start a VM with below cpu xml:
  <cpu mode='host-passthrough' check='full'>
    <feature policy='require' name='cr8legacy'/>
  </cpu>


# virsh start avocado-vt-vm1
error: Failed to start domain avocado-vt-vm1
error: operation failed: guest CPU doesn't match specification: missing features: cr8legacy

2. In host,vmx is supported-
# cat /proc/cpuinfo |grep vmx
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single intel_ppin ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts pku ospke avx512_vnni md_clear

Start a VM with below cpu xml:

<cpu mode='host-passthrough' check='full'>
    <feature policy='disable' name='vmx'/>
  </cpu>

# virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started

Check in the vm:

#cat /proc/cpuinfo |grep vmx

No output.

Comment 6 errata-xmlrpc 2020-07-28 07:13:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3172

Note You need to log in before you can comment on or make changes to this bug.