[UBUNTU 20.04] Vsock can't be used with Secure Execution, required argument not supported
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Medium | Skipper Bug Screeners |
libvirt (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* Support for secure execution environments was in Focal since release,
but a few more use-cases were found that don't work well in those
conditions. This is one of them and fixing it shall further complete
the capabilities in SE as part of the "SRU for HW exploitation".
* Qemu already has the code needed, but libvirt needs to be able to pass
the right options which hereby is implemented.
[Test Case]
* Get a KVM/Qemu guest on s390x
* Edit the guest definition and add a vsock device like
<vsock model='virtio'>
<cid auto='no' address='3'/>
<driver iommu='on'/>
</vsock>
* Starting the guest should
a) in any environment now render iommu_platform=on into the qemu
commandline
b) in a Secure Execution environment allow the guest to start (due to
that extra argument that now is configurable)
[Where problems could occur]
* The code it changes is mostly specific around vsock and to some extent
on a more generic level around qemu command validation. Therefore the
places to look out for (of the many very different qemu/kvm/libvirt use
cases) are a) vsock usage and b) commandline generation
[Other Info]
* n/a
---
Problem:
vsock can't be used with Secure Execution
---uname output---
Linux se1 5.4.0-62-generic #70-Ubuntu SMP Tue Jan 12 16:27:38 UTC 2021 s390x s390x s390x GNU/Linux
Machine Type = z15 8562
---Debugger---
A debugger is not configured
---Steps to Reproduce---
In a Secure Execution environment the Qemu driver vhost-vsock-ccw driver requires the argument "iommu_
E.g. "qemu-system-s390x -device vhost-vsock-
Currently Libvirt does not support this argument. Therefore Vsock can't be defined in XML correctly. Libvirt Version is 6.0.0-0ubuntu8.5.
Userspace tool common name: virsh
The userspace tool has the following bit modes: 64
Userspace rpm: libvirt-clients
Userspace tool obtained from project website: na
Please apply this update to 21.04, 20.10 and 20.04 !
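The two checks from the test case above, as an added example that is not part of the bug report or of libvirt: one function flags vsock devices in a domain XML that lack `<driver iommu='on'/>`, the other flags `vhost-vsock` devices on a QEMU command line that lack `iommu_platform=on`. The sample XML and command lines are constructed, and the function names and the `id`/`guest-cid` properties in the samples are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from a real guest). The vsock element
# is the one from the test case; the second sample drops the driver element.
GUEST_WITH_IOMMU = """
<domain type='kvm'>
  <name>se-guest</name>
  <devices>
    <vsock model='virtio'>
      <cid auto='no' address='3'/>
      <driver iommu='on'/>
    </vsock>
  </devices>
</domain>
"""
GUEST_WITHOUT_IOMMU = GUEST_WITH_IOMMU.replace("<driver iommu='on'/>", "")

# Constructed QEMU command lines, as they might be copied from a guest log.
CMDLINE_FIXED = ("qemu-system-s390x -device "
                 "vhost-vsock-ccw,id=vsock0,guest-cid=3,iommu_platform=on")
CMDLINE_OLD = "qemu-system-s390x -device vhost-vsock-ccw,id=vsock0,guest-cid=3"


def vsock_without_iommu(domain_xml):
    """Return the CIDs of vsock devices that do not set <driver iommu='on'/>."""
    root = ET.fromstring(domain_xml)
    missing = []
    for vsock in root.iterfind("./devices/vsock"):
        driver = vsock.find("driver")
        if driver is None or driver.get("iommu") != "on":
            cid = vsock.find("cid")
            missing.append(cid.get("address") if cid is not None else None)
    return missing


def vsock_devices_missing_iommu_platform(cmdline):
    """Return -device values for vhost-vsock devices lacking iommu_platform=on."""
    args = shlex.split(cmdline)
    bad = []
    for flag, value in zip(args, args[1:]):
        if flag != "-device":
            continue
        model, *props = value.split(",")
        if model.startswith("vhost-vsock") and "iommu_platform=on" not in props:
            bad.append(value)
    return bad
```
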
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 375 lines (+353/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1913266-qemu-Add-virtio-related-options-to-vsock.patch (+345/-0)
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 352 lines (+330/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1913266-qemu-Add-virtio-related-options-to-vsock.patch (+322/-0)
- Frank Heimes (community): Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
Diff: 10260 lines (+9247/-87), 39 files modified
debian/changelog (+7336/-23)
debian/control (+33/-24)
debian/libvirt-clients.install (+1/-0)
debian/libvirt-clients.lintian-overrides (+1/-0)
debian/libvirt-daemon-system.dirs (+2/-0)
debian/libvirt-daemon-system.install (+1/-1)
debian/libvirt-daemon-system.postinst (+113/-0)
debian/libvirt-daemon-system.postrm (+24/-1)
debian/libvirt-daemon.README.Debian (+82/-22)
debian/libvirt-daemon.apport (+22/-0)
debian/libvirt-daemon.dnsmasq (+2/-0)
debian/libvirt-daemon.install (+1/-0)
debian/libvirt-uri.sh (+27/-0)
debian/patches/series (+23/-1)
debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch (+37/-0)
debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch (+34/-0)
debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch (+43/-0)
debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch (+34/-0)
debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch (+41/-0)
debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch (+33/-0)
debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch (+57/-0)
debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch (+50/-0)
debian/patches/ubuntu/daemon-augeas-fix-expected.patch (+21/-0)
debian/patches/ubuntu/dnsmasq-as-priv-user (+290/-0)
debian/patches/ubuntu/lp-1861125-ubuntu-models.patch (+21/-0)
debian/patches/ubuntu/lp-1913266-conf-Drop-empty-virDomainNetDefPostParse.patch (+62/-0)
debian/patches/ubuntu/lp-1913266-conf-Improve-virDomainVirtioOptionsCheckABIStability.patch (+135/-0)
debian/patches/ubuntu/lp-1913266-conf-Move-virDomainCheckVirtioOptions-into-domain_va.patch (+178/-0)
debian/patches/ubuntu/lp-1913266-qemu-Add-virtio-related-options-to-vsock.patch (+318/-0)
debian/patches/ubuntu/ovmf_paths.patch (+60/-0)
debian/patches/ubuntu/parallel-shutdown.patch (+25/-0)
debian/patches/ubuntu/set-default-machine-to-ubuntu.patch (+45/-0)
debian/patches/ubuntu/ubuntu_machine_type.patch (+14/-0)
debian/patches/ubuntu/wait-for-qemu-kvm.patch (+23/-0)
debian/rules (+18/-7)
debian/tests/control (+3/-2)
debian/tests/smoke-lxc (+30/-4)
debian/tests/smoke-qemu-session (+5/-0)
debian/tests/smoke-qemu-session.xml (+2/-2)
tags: added: architecture-s39064 bugnameltc-191018 severity-medium targetmilestone-inin2104
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Changed in qemu (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in qemu (Ubuntu Groovy):
importance: Undecided → Medium
Changed in qemu (Ubuntu Focal):
importance: Undecided → Medium
Changed in qemu (Ubuntu Hirsute):
assignee: nobody → Canonical Server Team (canonical-server)
tags: added: qemu-21.04 server-next
Changed in libvirt (Ubuntu Hirsute):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Changed in libvirt (Ubuntu Focal):
status: New → Incomplete
Changed in libvirt (Ubuntu Groovy):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Please add a reference (or references) to the upstream fix(es).