RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2122534 - Misleading error message when missing kernel parameter for SE
Summary: Misleading error message when missing kernel parameter for SE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.1
Hardware: s390x
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Peter Krempa
QA Contact: smitterl
URL:
Whiteboard:
Depends On:
Blocks: 2066305
TreeView+ depends on / blocked
 
Reported: 2022-08-30 09:03 UTC by smitterl
Modified: 2023-05-09 08:08 UTC (History)
8 users (show)

Fixed In Version: libvirt-8.8.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 07:27:05 UTC
Type: Bug
Target Upstream Version: 8.8.0
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 199852 0 None None None 2022-09-01 06:45:55 UTC
Red Hat Issue Tracker RHELPLAN-132677 0 None None None 2022-08-30 09:05:27 UTC
Red Hat Product Errata RHBA-2023:2171 0 None None None 2023-05-09 07:27:29 UTC

Description smitterl 2022-08-30 09:03:18 UTC 
Description of problem:
For SE, the host kernel has to be run with prot_virt=1. If this is not the case, libvirt will show an error message pointing to the QEMU binary to be the issue which it isn't. After setting the kernel parameter correctly the SE guest can start successfully.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Set up an SE with //launchSecurity@type=s390-pv and confirm it runs successfully.
2. Remove "prot_virt=1" from BLS entry, run 'zipl' and reboot.
3. Start SE from 1. via 'virsh start vm'

Actual results:
The VM doesn't start.
error: unsupported configuration: S390 PV launch security is not supported with this QEMU binary


Expected results:
The error message points to the SE being disabled in the kernel, e.g. (from virt-host-validate) "IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments"

Additional info:
Under conditions of 3. the virt-host-validate will show a warning
"""
QEMU: Checking for secure guest support                                    : WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)
"""
Comment 1 Peter Krempa 2022-08-30 11:49:39 UTC 
https://listman.redhat.com/archives/libvir-list/2022-August/234020.html
Comment 2 Peter Krempa 2022-09-01 11:25:59 UTC 
Fixed upstream:

commit f2f5090ef1158af5928aab32d210f0c9c13318aa
Author: Peter Krempa <pkrempa>
Date:   Tue Aug 30 13:46:06 2022 +0200

    qemuValidateDomainDef: Clarify error message when S390 PV launch security is unsupported by the kernel
    
    Split up the condition and report a different error message when the
    host or host config results in S390 PV launch security being
    unavailable.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2122534
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Marc Hartmayer <mhartmay.com>

v8.7.0-39-gf2f5090ef1
Comment 3 IBM Bug Proxy 2022-09-14 12:41:13 UTC 
------- Comment From tstaudt.com 2022-09-14 08:32 EDT-------
from Boris Fiuczynski 2022-09-12 08:12:14 CDT
...
Patch looks good.
Comment 4 smitterl 2022-10-11 12:06:10 UTC 
Manually confirmed. Automated regression test out of scope.

# rpm -q libvirt
libvirt-8.8.0-1.el9.s390x
# virt-host-validate 
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : PASS
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for device assignment IOMMU support                         : PASS
  QEMU: Checking if IOMMU is enabled by kernel                               : PASS
  QEMU: Checking for secure guest support                                    : PASS
# grubby --remove-args="prot_virt=1" --update-kernel=ALL
# reboot
# virt-host-validate 
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : PASS
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for device assignment IOMMU support                         : PASS
  QEMU: Checking if IOMMU is enabled by kernel                               : PASS
  QEMU: Checking for secure guest support                                    : WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)
# virsh edit avocado-vt-vm1 
error: unsupported configuration: S390 PV launch security is not supported by this host or kernel
 # virsh define vm.xml 
error: Failed to define domain from vm.xml
error: unsupported configuration: S390 PV launch security is not supported by this host or kernel
Comment 9 errata-xmlrpc 2023-05-09 07:27:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2171
Note You need to log in before you can comment on or make changes to this bug.