Description of problem:
For qemu-6.0, qemu has introduced a new, more general way of configuring Confidential Computing systems like AMD SEV, Intel's TDX or POWER's PEF. libvirt continues to support SEV, but uses the older memory-encryption= options to do so.

How reproducible: 100%

Steps to Reproduce:
1. Create libvirt domain XML with AMD SEV enabled
2. Run a guest using the XML
3. Examine generated qemu command line

Actual results:
libvirt generates a command line with the memory-encryption= machine option to enable SEV support.

Expected results:
libvirt generates a command line using the confidential-guest-support= machine option on qemu versions which support it.
Upstream commits:
a323c5e8b7 tests: add launch-security-sev test with latest capabilities
dbdc6d52ff tests: use newer machine in qemuxml2argv launch-security-sev
0b0a633d1a tests: add AMD SEV bits into qemu-6.0.0 replies
241969d465 qemu_command: use confidential-guest-support if available
b560d1c876 qemu_capabilities: detect if confidential-guest-support is available
af5828bc91 qemu_capabilities: introduce confidential-guest-support capability
Since it relates to SEV, SEV QE tests it from the SEV perspective; no issue found.

Version:
qemu-kvm-6.0.0-23.module+el8.5.0+11740+35571f13.x86_64
libvirt-7.5.0-1.module+el8.5.0+11664+59f87560.x86_64
kernel-4.18.0-320.el8.x86_64

Steps:
1. Install a SEV-ES guest without adding driver,iommu=on:
virt-install --name rhel85_sev --mac 52:56:00:00:00:0b --location http://link*** --cpu host-model --memory 4096 --memtune hard_limit=4718592 --vcpus=4,sockets=1,cores=4,threads=1 --boot loader=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd,loader_ro=yes,loader_type=pflash,nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd --disk path=/home/rhel83_sev.qcow2,size=40,cache=none,bus=scsi,format=qcow2 --controller type=scsi,model=virtio-scsi --os-variant rhel8.3 --os-type=linux --graphics spice,listen=0.0.0.0 --video virtio --controller type=virtio-serial --rng type=/dev/random --launchSecurity sev,policy=0x07 --debug --network bridge:br1,model=virtio --serial file,path=/mnt/tests/distribution/virt/install/guests/rhel83_sev/logs/rhel83_sev_console.log --serial pty --console pty --extra-args "ksdevice=eth0 ks=http://beaker.engineering.redhat.com/kickstart/8432459 serial console=tty0 console=ttyS0,115200 net.ifnames=0 biosdevname=0 swiotlb=262144" --noreboot

Actual/Expected result:
1. Guest installed successfully and SEV enabled in the guest.
# journalctl | grep -i sev
Jul 08 22:17:10 localhost.localdomain kernel: AMD Memory Encryption Features active: SEV SEV-ES
2. Check qemu command line; it includes -machine confidential-guest-support=sev0
Verify this bug with libvirt-daemon-7.5.0-1.module+el8.5.0+11664+59f87560.x86_64:

1. Enable sev and sev-es:
# rmmod kvm_amd
# modprobe kvm_amd sev=1 sev-es=1

2. Prepare a guest which has memtune, sev and ovmf settings:
# virsh dumpxml vm1
<memtune>
  <hard_limit unit='KiB'>5242880</hard_limit>
</memtune>
...
<os>
  <type arch='x86_64' machine='pc-q35-rhel8.5.0'>hvm</type>
  <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.cc.fd</loader>
  <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/vm1_VARS.fd</nvram>
  <boot dev='hd'/>
</os>
...
<launchSecurity type='sev'>
  <cbitpos>51</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
  <policy>0x0007</policy>
</launchSecurity>

3. Start the guest:
# virsh start vm1
Domain 'vm1' started

4. Check the qemu command line and make sure libvirt uses confidential-guest-support:
# ps aux | grep qemu
...-machine pc-q35-rhel8.5.0,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=sev0...

5. Log in to the guest and check dmesg:
# dmesg | grep -in sev
191:[    0.001000] AMD Memory Encryption Features active: SEV SEV-ES
In libvirt-daemon-7.6.0-4.module+el8.5.0+12786+c4633d9a.x86_64, the qemu command line has been changed. In step 4:
# ps aux | grep qemu
...-machine pc-q35-rhel8.5.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,confidential-guest-support=lsec0
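The verification comments above check the running qemu command line by eye for confidential-guest-support=. The following is an added example, not part of the bug report or of libvirt, that automates that check for a defender auditing a host: it parses qemu's -machine and -object properties, reports whether SEV was wired up through the newer confidential-guest-support= option or the legacy memory-encryption= option, confirms the referenced id is really a sev-guest object, and decodes the SEV policy bits so that a guest launched with policy=0x7 is visibly an SEV-ES guest. The sample command lines are constructed; the -machine fragment follows the one quoted above, while the -object sev-guest line (with the property names qemu documents for that object) is an assumption about what libvirt emits for the XML shown, not text from the page.

```python
"""Audit how a qemu command line enables AMD SEV (added example)."""
import shlex

# AMD SEV guest policy bits, as defined in the SEV API specification.
POLICY_BITS = {
    0x01: "NODBG",   # debugging of the guest is disallowed
    0x02: "NOKS",    # sharing keys with other guests is disallowed
    0x04: "ES",      # SEV-ES (encrypted register state) is required
    0x08: "NOSEND",  # guest may not be migrated to another machine
    0x10: "DOMAIN",  # guest may not be migrated outside the domain
    0x20: "SEV",     # guest may only be migrated to another SEV platform
}


def parse_props(spec):
    """Split a qemu 'a=b,c=d' property string into a dict.

    A leading bare word (machine type or object type) is kept as 'type'.
    """
    props = {}
    for i, part in enumerate(spec.split(",")):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key] = value
        elif i == 0:
            props["type"] = part
    return props


def inspect_sev(argv):
    """Describe the SEV configuration found in a qemu argv list."""
    machine, objects = {}, {}
    i = 0
    while i < len(argv):
        if argv[i] == "-machine" and i + 1 < len(argv):
            machine.update(parse_props(argv[i + 1]))
            i += 2
        elif argv[i] == "-object" and i + 1 < len(argv):
            obj = parse_props(argv[i + 1])
            if "id" in obj:
                objects[obj["id"]] = obj
            i += 2
        else:
            i += 1

    if "confidential-guest-support" in machine:
        mechanism = "confidential-guest-support"
    elif "memory-encryption" in machine:
        mechanism = "memory-encryption"
    else:
        return {"mechanism": None, "sev": False}

    ref = machine[mechanism]
    obj = objects.get(ref)
    if obj is None or obj.get("type") != "sev-guest":
        # The machine option names an id that is missing or not an SEV object.
        return {"mechanism": mechanism, "object_id": ref, "sev": False}

    policy = int(obj.get("policy", "0"), 0)  # accepts 0x7 as well as 7
    return {
        "mechanism": mechanism,
        "object_id": ref,
        "sev": True,
        "cbitpos": int(obj.get("cbitpos", "0")),
        "policy": policy,
        "policy_flags": [name for bit, name in POLICY_BITS.items() if policy & bit],
    }


def inspect_cmdline(cmdline):
    """Same check for a command line captured as one string (e.g. from ps)."""
    return inspect_sev(shlex.split(cmdline))


# Constructed samples: the -machine part mirrors the fragment quoted in the
# bug report; the -object sev-guest part is an assumption, not page text.
SAMPLE_NEW = (
    "/usr/libexec/qemu-kvm -name guest=vm1 "
    "-machine pc-q35-rhel8.5.0,accel=kvm,usb=off,dump-guest-core=off,"
    "confidential-guest-support=lsec0 "
    "-object sev-guest,id=lsec0,cbitpos=51,reduced-phys-bits=1,policy=0x7 "
    "-m 4096"
)
SAMPLE_LEGACY = (
    "/usr/libexec/qemu-kvm -machine q35,accel=kvm,memory-encryption=sev0 "
    "-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3"
)

if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_LEGACY):
        print(inspect_cmdline(sample))
```

On a real host, feed it the argv of each qemu process (for example the contents of /proc/PID/cmdline split on NUL) rather than the constructed samples; a result with sev False but a non-empty mechanism flags a machine option that points at a missing or non-SEV object, which is the kind of misconfiguration a command-line grep for the option name alone would miss.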
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4684