.VMs with 3rd generation AMD EPYC processors support memory protection keys
RHEL 8.6 introduces support for memory protection keys in virtual machines (VMs) that use the 3rd generation AMD EPYC processors, also known as EPYC Milan. As a result, VMs with the `EPYC-Milan` CPU can be secured with a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains.
Description Terry Bowman (AMD)
2021-07-29 18:38:21 UTC
+++ This bug was initially created as a clone of Bug #1972419 +++
Description of problem:
Subject: [RFC PATCH 0/7] Support protection keys in an AMD EPYC-Milan VM
Date: Thu, 20 May 2021 15:56:40 +0100
Message-ID: <20210520145647.3483809-1-david.edmondson>
AMD EPYC-Milan CPUs introduced support for protection keys, previously
available only with Intel CPUs.
AMD chose to place the XSAVE state component for the protection keys
at a different offset in the XSAVE state area than that chosen by
Intel.
To accommodate this, modify QEMU to behave appropriately on AMD
systems, allowing a VM to properly take advantage of the new feature.
Further, avoid manipulating XSAVE state components that are not
present on AMD systems.
The code in patch 6 that changes the CPUID 0x0d leaf is mostly dumped
somewhere that seemed to work - I'm not sure where it really belongs.
David Edmondson (7):
target/i386: Declare constants for XSAVE offsets
target/i386: Use constants for XSAVE offsets
target/i386: Clarify the padding requirements of X86XSaveArea
target/i386: Prepare for per-vendor X86XSaveArea layout
target/i386: Introduce AMD X86XSaveArea sub-union
target/i386: Adjust AMD XSAVE PKRU area offset in CPUID leaf 0xd
target/i386: Manipulate only AMD XSAVE state on AMD
target/i386/cpu.c | 19 +++++----
target/i386/cpu.h | 80 ++++++++++++++++++++++++++++--------
target/i386/kvm/kvm.c | 57 +++++++++----------------
target/i386/tcg/fpu_helper.c | 20 ++++++---
target/i386/xsave_helper.c | 70 +++++++++++++++++++------------
5 files changed, 152 insertions(+), 94 deletions(-)
Additional info:
Patchset is [RFC] at https://lore.kernel.org/qemu-devel/20210520145647.3483809-1-david.edmondson@oracle.com/
--- Additional comment from John Ferlan on 2021-07-07 18:50:10 UTC ---
Assigned to Amnon for initial triage per bz process and age of bug created or assigned to virt-maint without triage.
Dave, assigning to you since you own the cloned from bug 1972419
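The cover letter quoted in the description says AMD places the protection-key XSAVE component at a different offset than Intel does. As an added example (not code from the QEMU patch set), the C code below shows what that means for anything that parses a saved XSAVE image: take the PKRU offset from CPUID leaf 0xD, sub-leaf 9, instead of hard-coding it. The names `xsave_comp` and `xsave_read_pkru` are hypothetical, and the standard (non-compacted) XSAVE format is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define XSAVE_HDR_OFFSET 512  /* XSAVE header follows the 512-byte legacy area */
#define XSAVE_EXT_OFFSET 576  /* extended components start after the 64-byte header */
#define XSTATE_PKRU_BIT  9    /* PKRU is state component 9 (XCR0 bit 9) */

/* One state component as enumerated by CPUID leaf 0xD, sub-leaf i:
 * EAX = size in bytes, EBX = offset in the standard-format XSAVE area. */
struct xsave_comp { uint32_t size; uint32_t offset; };

/* Read PKRU from a standard-format XSAVE image using the enumerated layout.
 * Returns 0 on success, -1 if the layout does not fit the buffer. */
int xsave_read_pkru(const uint8_t *buf, size_t len,
                    struct xsave_comp pkru, uint32_t *out)
{
    uint64_t xstate_bv;

    if (len < XSAVE_EXT_OFFSET || pkru.size < sizeof(*out))
        return -1;
    if (pkru.offset < XSAVE_EXT_OFFSET || pkru.offset > len ||
        len - pkru.offset < pkru.size)
        return -1;
    memcpy(&xstate_bv, buf + XSAVE_HDR_OFFSET, sizeof(xstate_bv));
    if (!(xstate_bv & (1ULL << XSTATE_PKRU_BIT))) {
        *out = 0;  /* component not saved: PKRU is in its initial state (0) */
        return 0;
    }
    memcpy(out, buf + pkru.offset, sizeof(*out));
    return 0;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;

    /* Ask the running CPU (host or guest) where it keeps PKRU. */
    if (__get_cpuid_count(0xD, XSTATE_PKRU_BIT, &a, &b, &c, &d) && a)
        printf("PKRU component: size %u, offset 0x%x\n", a, b);
    else
        puts("PKRU XSAVE component not enumerated");
#endif
    return 0;
}
```

Run inside a guest, `main` reports the layout the virtual CPU advertises; a parser that assumes one fixed offset reads an unrelated field on a CPU that enumerates a different one.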
Comment 2 Dr. David Alan Gilbert
2022-02-10 13:21:06 UTC
I believe this is already in 8.6 since it uses qemu 6.2 that has this set of patches.
Marking on QA;
Terry: Can you check this on 8.6 please?
(I've been backporting these patches to earlier versions as well, because Milan is hitting crashes even for guests not using protection keys)
Hi,
Would you please help to set the ITR? Thanks.
Best regards
Liu Nana
Comment 5 Nitesh Narayan Lal
2022-02-23 13:57:59 UTC
Wei, can you please help by answering Dave's question in comment#2?
Thanks
Comment 6 Terry Bowman (AMD)
2022-03-02 18:07:36 UTC
Created attachment 1863870
pkeys-test-results.txt
Results from running tools/testing/selftests/vm/protection_keys_64
Comment 7 Terry Bowman (AMD)
2022-03-02 18:08:36 UTC
(In reply to Dr. David Alan Gilbert from comment #2)
> I believe this is already in 8.6 since it uses qemu 6.2 that has this set of
> patches.
> Marking on QA;
> Terry: Can you check this on 8.6 please?
>
> (I've been backporting these patches to earlier versions as well, because
> Milan is hitting crashes even for guests not using protection keys)
Hi David,
Sorry for the late response. In addition to visually checking, I wanted to also test. I attached the results in pkeys-test-results. These are the results from running tools/testing/selftests/vm/protection_keys_64.
Everything passed.
Regards,
Terry
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:1759