From 672f70aa3d2c3223f150ec67347694d9de40fdbae6fd2329d079262ec6362790 Mon Sep 17 00:00:00 2001 
From: Bruce Rogers
Date: Thu, 22 Feb 2018 22:01:24 +0000
Subject: [PATCH] Accepting request 579209 from home:bfrogers:branches:Virtualization
Update to 2.11.1, plus a few other fixes.
OBS-URL: https://build.opensuse.org/request/show/579209
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=392
---
 0001-XXX-dont-dump-core-on-sigabort.patch | 4 +-
 ...-qemu-binfmt-conf-Modify-default-pat.patch | 2 +-
 0003-qemu-cvs-gettimeofday.patch | 2 +-
 0004-qemu-cvs-ioctl_debug.patch | 2 +-
 0005-qemu-cvs-ioctl_nodirection.patch | 2 +-
 ...-linux-user-add-binfmt-wrapper-for-a.patch | 2 +-
 0007-PPC-KVM-Disable-mmu-notifier-check.patch | 2 +-
 0008-linux-user-fix-segfault-deadlock.patch | 2 +-
 ...-linux-user-binfmt-support-host-bina.patch | 2 +-
 0010-linux-user-Fake-proc-cpuinfo.patch | 2 +-
 0011-linux-user-XXX-disable-fiemap.patch | 2 +-
 0012-linux-user-use-target_ulong.patch | 2 +-
 ...-Make-char-muxer-more-robust-wrt-sma.patch | 2 +-
 ...-linux-user-lseek-explicitly-cast-no.patch | 2 +-
 ...-AIO-Reduce-number-of-threads-for-32.patch | 2 +-
 ...-xen_disk-Add-suse-specific-flush-di.patch | 2 +-
 ...-qemu-bridge-helper-reduce-security-.patch | 2 +-
 ...-qemu-binfmt-conf-use-qemu-ARCH-binf.patch | 2 +-
 ...-linux-user-properly-test-for-infini.patch | 2 +-
 ...-roms-Makefile-pass-a-packaging-time.patch | 2 +-
 ...-Raise-soft-address-space-limit-to-h.patch | 2 +-
 ...-increase-x86_64-physical-bits-to-42.patch | 6 +-
 ...-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch | 2 +-
 0024-i8254-Fix-migration-from-SLE11-SP2.patch | 2 +-
 ...-acpi_piix4-Fix-migration-from-SLE11.patch | 2 +-
 0026-Fix-tigervnc-long-press-issue.patch | 6 +-
 ...-string-input-visitor-Fix-uint64-par.patch | 2 +-
 ...-test-string-input-visitor-Add-int-t.patch | 2 +-
 ...-test-string-input-visitor-Add-uint6.patch | 2 +-
 0030-tests-Add-QOM-property-unit-tests.patch | 2 +-
 0031-tests-Add-scsi-disk-test.patch | 2 +-
 ...-Switch-order-of-libraries-for-mpath.patch | 2 +-
 ...-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch | 160 --------
 0033-memfd-fix-configure-test.patch | 55 +++
 ...-qapi-use-items-values-intead-of-ite.patch | 2 +-
 ...-qapi-Use-OrderedDict-from-standard-.patch | 2 +-
 ...-qapi-adapt-to-moved-location-of-Str.patch | 2 +-
 ...-qapi-Adapt-to-moved-location-of-mak.patch | 2 +-
 ...-qapi-remove-q-arg-to-diff-when-comp.patch | 2 +-
 ...-qapi-ensure-stable-sort-ordering-wh.patch | 2 +-
 ...-qapi-force-a-UTF-8-locale-for-runni.patch | 2 +-
 ...-scripts-ensure-signrom-treats-data-.patch | 2 +-
 0042-configure-allow-use-of-python-3.patch | 4 +-
 ...-input-add-missing-JIS-keys-to-virti.patch | 2 +-
 ...-Make-installed-scripts-explicitly-p.patch | 2 +-
 ...-pc-fail-memory-hot-plug-unplug-with.patch | 2 +-
 0046-memattrs-add-debug-attribute.patch | 8 +-
 0047-exec-add-ram_debug_ops-support.patch | 104 ++---
 ...-exec-add-debug-version-of-physical-.patch | 23 +-
 ...-monitor-i386-use-debug-APIs-when-ac.patch | 16 +-
 ...-machine-add-memory-encryption-prope.patch | 6 +-
 ...-target-i386-add-memory-encryption-f.patch | 137 -------
 ...-kvm-update-kvm.h-to-include-memory-.patch | 8 +-
 ...-docs-add-AMD-Secure-Encrypted-Virtu.patch | 4 +-
 ...-target-i386-add-Secure-Encrypted-Vi.patch | 368 ++++++++++--------
 ...ch => 0054-qmp-add-query-sev-command.patch | 55 +--
 ...-sev-i386-add-command-to-initialize-.patch | 304 +++++++++------
 ...-qmp-populate-SevInfo-fields-with-SE.patch | 43 ++
 ...-sev-i386-register-the-guest-memory-.patch | 40 +-
 ...-kvm-introduce-memory-encryption-API.patch | 10 +-
 0059-hmp-add-info-sev-command.patch | 9 +-
 ...-sev-i386-add-command-to-create-laun.patch | 102 ++---
 ...-sev-i386-add-command-to-encrypt-gue.patch | 87 +++--
 0062-target-i386-encrypt-bios-rom.patch | 4 +-
 ...-sev-i386-add-support-to-LAUNCH_MEAS.patch | 127 +++--
 ...-sev-i386-finalize-the-SEV-guest-lau.patch | 35 +-
 ...-hw-i386-set-ram_debug_ops-when-memo.patch | 6 +-
 ...-sev-i386-add-debug-encrypt-and-decr.patch | 88 +++--
 ...-target-i386-clear-C-bit-when-walkin.patch | 4 +-
 0068-include-add-psp-sev.h-header-file.patch | 7 +-
 ...-sev-i386-add-support-to-query-PLATF.patch | 23 +-
 ...-sev-i386-add-support-to-KVM_SEV_GUE.patch | 27 +-
 ...-qmp-add-query-sev-launch-measure-co.patch | 34 +-
 0072-sev-Fix-build-for-non-x86-hosts.patch | 45 ---
 ...-tests-qmp-test-blacklist-query-sev-.patch | 36 ++
 0073-sev-i386-add-migration-blocker.patch | 60 +++
 ...-cpu-i386-populate-CPUID-0x8000_001F.patch | 60 +++
 ...-migration-warn-about-inconsistent-s.patch | 75 ++++
 ...-i386-Compensate-for-KVM-SPEC_CTRL-f.patch | 37 ++
 qemu-2.11.0.tar.xz | 3 -
 qemu-2.11.0.tar.xz.sig | Bin 287 -> 0 bytes
 qemu-2.11.1.tar.xz | 3 +
 qemu-2.11.1.tar.xz.sig | Bin 0 -> 287 bytes
 qemu-linux-user.changes | 48 +++
 qemu-linux-user.spec | 50 ++-
 qemu-linux-user.spec.in | 4 +-
 qemu-testsuite.changes | 82 ++++
 qemu-testsuite.spec | 55 +-
 qemu.changes | 82 ++++
 qemu.spec | 55 +-
 qemu.spec.in | 9 +-
 update_git.sh | 2 +-
 92 files changed, 1520 insertions(+), 1180 deletions(-)
 delete mode 100644 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
 create mode 100644 0033-memfd-fix-configure-test.patch
 rename 0051-machine-add-memory-encryption-prope.patch => 0050-machine-add-memory-encryption-prope.patch (95%)
 delete mode 100644 0050-target-i386-add-memory-encryption-f.patch
 rename 0052-kvm-update-kvm.h-to-include-memory-.patch => 0051-kvm-update-kvm.h-to-include-memory-.patch (93%)
 rename 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch => 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch (97%)
 rename 0054-accel-add-Secure-Encrypted-Virtuliz.patch => 0053-target-i386-add-Secure-Encrypted-Vi.patch (83%)
 rename 0058-qmp-add-query-sev-command.patch => 0054-qmp-add-query-sev-command.patch (63%)
 rename 0055-sev-add-command-to-initialize-the-m.patch => 0055-sev-i386-add-command-to-initialize-.patch (62%)
 create mode 100644 0056-qmp-populate-SevInfo-fields-with-SE.patch
 rename 0056-sev-register-the-guest-memory-range.patch => 0057-sev-i386-register-the-guest-memory-.patch (71%)
 rename 0057-kvm-introduce-memory-encryption-API.patch => 0058-kvm-introduce-memory-encryption-API.patch (93%)
 rename 0060-sev-add-command-to-create-launch-me.patch => 0060-sev-i386-add-command-to-create-laun.patch (60%)
 rename 0061-sev-add-command-to-encrypt-guest-me.patch => 0061-sev-i386-add-command-to-encrypt-gue.patch (62%)
 rename 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch => 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch (65%)
 rename 0064-sev-Finalize-the-SEV-guest-launch-f.patch => 0064-sev-i386-finalize-the-SEV-guest-lau.patch (65%)
 rename 0066-sev-add-debug-encrypt-and-decrypt-c.patch => 0066-sev-i386-add-debug-encrypt-and-decr.patch (69%)
 rename 0069-sev-add-support-to-query-PLATFORM_S.patch => 0069-sev-i386-add-support-to-query-PLATF.patch (72%)
 rename 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch => 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch (56%)
 delete mode 100644 0072-sev-Fix-build-for-non-x86-hosts.patch
 create mode 100644 0072-tests-qmp-test-blacklist-query-sev-.patch
 create mode 100644 0073-sev-i386-add-migration-blocker.patch
 create mode 100644 0074-cpu-i386-populate-CPUID-0x8000_001F.patch
 create mode 100644 0075-migration-warn-about-inconsistent-s.patch
 create mode 100644 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
 delete mode 100644 qemu-2.11.0.tar.xz
 delete mode 100644 qemu-2.11.0.tar.xz.sig
 create mode 100644 qemu-2.11.1.tar.xz
 create mode 100644 qemu-2.11.1.tar.xz.sig
diff --git a/0001-XXX-dont-dump-core-on-sigabort.patch b/0001-XXX-dont-dump-core-on-sigabort.patch
index a234b5e..1fa502c 100644
--- a/0001-XXX-dont-dump-core-on-sigabort.patch
+++ b/0001-XXX-dont-dump-core-on-sigabort.patch
@@ -1,4 +1,4 @@
-From caaf3654f521627c6c669667a34b022d7aaf6d98 Mon Sep 17 00:00:00 2001
+From 1a51a6b423402ce1cf03188d5b47d47c07854349 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 21 Nov 2011 23:50:36 +0100
 Subject: [PATCH] XXX dont dump core on sigabort
@@ -8,7 +8,7 @@ Subject: [PATCH] XXX dont dump core on sigabort
 1 file changed, 6 insertions(+)
 diff --git a/linux-user/signal.c b/linux-user/signal.c
-index cf35473671..9fd0155498 100644
+index b858f1b0f1..752e814bc4 100644
 --- a/linux-user/signal.c
 +++ b/linux-user/signal.c
 @@ -560,6 +560,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
diff --git a/0002-qemu-binfmt-conf-Modify-default-pat.patch b/0002-qemu-binfmt-conf-Modify-default-pat.patch
index ae995d6..c1c2d30 100644
--- a/0002-qemu-binfmt-conf-Modify-default-pat.patch
+++ b/0002-qemu-binfmt-conf-Modify-default-pat.patch
@@ -1,4 +1,4 @@
-From b34188124a7c7d2a59fcf25f69fde293dd46e639 Mon Sep 17 00:00:00 2001
+From 4f39ca8b4bfa8077b05faf7cfe5e15f326e7b5c4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Wed, 10 Aug 2016 19:00:24 +0200
 Subject: [PATCH] qemu-binfmt-conf: Modify default path
diff --git a/0003-qemu-cvs-gettimeofday.patch b/0003-qemu-cvs-gettimeofday.patch
index 2dd3d49..7b13ee6 100644
--- a/0003-qemu-cvs-gettimeofday.patch
+++ b/0003-qemu-cvs-gettimeofday.patch
@@ -1,4 +1,4 @@
-From dc56d2a61411efc8ba57905117e2adc126a8e5c7 Mon Sep 17 00:00:00 2001
+From 1fcc7fdc072463a0954e7c0c934080058a8fb0d4 Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht
 Date: Tue, 14 Apr 2009 16:25:41 +0200
 Subject: [PATCH] qemu-cvs-gettimeofday
diff --git a/0004-qemu-cvs-ioctl_debug.patch b/0004-qemu-cvs-ioctl_debug.patch
index c4f9388..353222d 100644
--- a/0004-qemu-cvs-ioctl_debug.patch
+++ b/0004-qemu-cvs-ioctl_debug.patch
@@ -1,4 +1,4 @@
-From 28b90ae8573a1b760f80ba928157d6df563d6c8b Mon Sep 17 00:00:00 2001
+From 22461f1aeea83aecb71dfeaf8b90ffb74216fa6a Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:26:33 +0200
 Subject: [PATCH] qemu-cvs-ioctl_debug
diff --git a/0005-qemu-cvs-ioctl_nodirection.patch b/0005-qemu-cvs-ioctl_nodirection.patch
index 3e4fd06..d5c6f7b 100644
--- a/0005-qemu-cvs-ioctl_nodirection.patch
+++ b/0005-qemu-cvs-ioctl_nodirection.patch
@@ -1,4 +1,4 @@
-From ef7b5a6e1179b26e10461ffcc619e405f6e5adef Mon Sep 17 00:00:00 2001
+From 66779c72be83467bd5053d40f6c189c5238fc97a Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:27:36 +0200
 Subject: [PATCH] qemu-cvs-ioctl_nodirection
diff --git a/0006-linux-user-add-binfmt-wrapper-for-a.patch b/0006-linux-user-add-binfmt-wrapper-for-a.patch
index ca4b879..b087b8b 100644
--- a/0006-linux-user-add-binfmt-wrapper-for-a.patch
+++ b/0006-linux-user-add-binfmt-wrapper-for-a.patch
@@ -1,4 +1,4 @@
-From b9c2beb358233531af35e2583fec914dc11545f8 Mon Sep 17 00:00:00 2001
+From 66515950d58fda6057d0d17dbea2490d60f5bd0b Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 30 Sep 2011 19:40:36 +0200
 Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling
diff --git a/0007-PPC-KVM-Disable-mmu-notifier-check.patch b/0007-PPC-KVM-Disable-mmu-notifier-check.patch
index 8320644..f372f75 100644
--- a/0007-PPC-KVM-Disable-mmu-notifier-check.patch
+++ b/0007-PPC-KVM-Disable-mmu-notifier-check.patch
@@ -1,4 +1,4 @@
-From 7b5988dd911b6af4745d34e0c8cfc1e95518d80a Mon Sep 17 00:00:00 2001
+From 954d17d5ccae3340de3893872bc306542c2ad492 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 6 Jan 2012 01:05:55 +0100
 Subject: [PATCH] PPC: KVM: Disable mmu notifier check
diff --git a/0008-linux-user-fix-segfault-deadlock.patch b/0008-linux-user-fix-segfault-deadlock.patch
index e3e1aa7..8e69591 100644
--- a/0008-linux-user-fix-segfault-deadlock.patch
+++ b/0008-linux-user-fix-segfault-deadlock.patch
@@ -1,4 +1,4 @@
-From d7114fd9a14209b60ba65f1990034dc8e9670d32 Mon Sep 17 00:00:00 2001
+From e61d37b1ec17800a82e06a9231a4708f232da4ea Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 13 Jan 2012 17:05:41 +0100
 Subject: [PATCH] linux-user: fix segfault deadlock
diff --git a/0009-linux-user-binfmt-support-host-bina.patch b/0009-linux-user-binfmt-support-host-bina.patch
index c12748f..94f42ac 100644
--- a/0009-linux-user-binfmt-support-host-bina.patch
+++ b/0009-linux-user-binfmt-support-host-bina.patch
@@ -1,4 +1,4 @@
-From 61aab3ec914ad269f11f6c2a34f738b839b3e495 Mon Sep 17 00:00:00 2001
+From 9ae09852f058ac34d118cdde08082cbd37f86c2b Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 2 Feb 2012 18:02:33 +0100
 Subject: [PATCH] linux-user: binfmt: support host binaries
diff --git a/0010-linux-user-Fake-proc-cpuinfo.patch b/0010-linux-user-Fake-proc-cpuinfo.patch
index 291c6e7..7bb4768 100644
--- a/0010-linux-user-Fake-proc-cpuinfo.patch
+++ b/0010-linux-user-Fake-proc-cpuinfo.patch
@@ -1,4 +1,4 @@
-From c323c1f97f0fe389da384e64a35c9307735a1cd5 Mon Sep 17 00:00:00 2001
+From 09f0630a44d60be34c6fae2a875e57ac72e4d276 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 23 Jul 2012 10:24:14 +0200
 Subject: [PATCH] linux-user: Fake /proc/cpuinfo
diff --git a/0011-linux-user-XXX-disable-fiemap.patch b/0011-linux-user-XXX-disable-fiemap.patch
index ad990aa..9cce019 100644
--- a/0011-linux-user-XXX-disable-fiemap.patch
+++ b/0011-linux-user-XXX-disable-fiemap.patch
@@ -1,4 +1,4 @@
-From 22681343ff83b0ab4664fd741145cb098398c366 Mon Sep 17 00:00:00 2001
+From 5cd617b2b651852a98f5e3c4f3631fd461349410 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 21 Aug 2012 14:20:40 +0200
 Subject: [PATCH] linux-user: XXX disable fiemap
diff --git a/0012-linux-user-use-target_ulong.patch b/0012-linux-user-use-target_ulong.patch
index 091f74a..9e2bc7d 100644
--- a/0012-linux-user-use-target_ulong.patch
+++ b/0012-linux-user-use-target_ulong.patch
@@ -1,4 +1,4 @@
-From 48f19b6362b58c5fef53965b5b7a136f42fe78a9 Mon Sep 17 00:00:00 2001
+From 9a7bc05f85db8f058793c5d5709b453ad0d0542b Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 9 Oct 2012 09:06:49 +0200
 Subject: [PATCH] linux-user: use target_ulong
diff --git a/0013-Make-char-muxer-more-robust-wrt-sma.patch b/0013-Make-char-muxer-more-robust-wrt-sma.patch
index 4f64c39..988f3c5 100644
--- a/0013-Make-char-muxer-more-robust-wrt-sma.patch
+++ b/0013-Make-char-muxer-more-robust-wrt-sma.patch
@@ -1,4 +1,4 @@
-From 0bfbec0356fcf27a378144048a5dbc5bc97b6d94 Mon Sep 17 00:00:00 2001
+From 87982f31e45440ef105d24afffbfd3023ce80331 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 1 Apr 2010 17:36:23 +0200
 Subject: [PATCH] Make char muxer more robust wrt small FIFOs
diff --git a/0014-linux-user-lseek-explicitly-cast-no.patch b/0014-linux-user-lseek-explicitly-cast-no.patch
index 567128f..42e321a 100644
--- a/0014-linux-user-lseek-explicitly-cast-no.patch
+++ b/0014-linux-user-lseek-explicitly-cast-no.patch
@@ -1,4 +1,4 @@
-From 261a9b540c31dc0812158924bbae63e5ce50baf3 Mon Sep 17 00:00:00 2001
+From 5e10b103a7060771d8314aa50f809a5097a7288c Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 13 Dec 2012 14:29:22 +0100
 Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
diff --git a/0015-AIO-Reduce-number-of-threads-for-32.patch b/0015-AIO-Reduce-number-of-threads-for-32.patch
index 1fe9ff0..2bfeb39 100644
--- a/0015-AIO-Reduce-number-of-threads-for-32.patch
+++ b/0015-AIO-Reduce-number-of-threads-for-32.patch
@@ -1,4 +1,4 @@
-From dd9661d5900c9eb71a17be2d8b31078dac418296 Mon Sep 17 00:00:00 2001
+From 0fc340f81a8d6ef82e99d1767103a1e775400ed1 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 14 Jan 2015 01:32:11 +0100
 Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts
diff --git a/0016-xen_disk-Add-suse-specific-flush-di.patch b/0016-xen_disk-Add-suse-specific-flush-di.patch
index 14d8938..3ecefd8 100644
--- a/0016-xen_disk-Add-suse-specific-flush-di.patch
+++ b/0016-xen_disk-Add-suse-specific-flush-di.patch
@@ -1,4 +1,4 @@
-From 6474f499d5e3b489aab3ef145d4b35c0ba298a45 Mon Sep 17 00:00:00 2001
+From 45783db0ed8628cb9cdb4d3ebbf7471f2f88db9b Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Wed, 9 Mar 2016 15:18:11 -0700
 Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to
diff --git a/0017-qemu-bridge-helper-reduce-security-.patch b/0017-qemu-bridge-helper-reduce-security-.patch
index 4936240..f292dec 100644
--- a/0017-qemu-bridge-helper-reduce-security-.patch
+++ b/0017-qemu-bridge-helper-reduce-security-.patch
@@ -1,4 +1,4 @@
-From f60bc92930645ca449a5711300fac7ef22f37127 Mon Sep 17 00:00:00 2001
+From 7d8219b4427779376c0d6405c169fb950ea1f43b Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Tue, 2 Aug 2016 11:36:02 -0600
 Subject: [PATCH] qemu-bridge-helper: reduce security profile
diff --git a/0018-qemu-binfmt-conf-use-qemu-ARCH-binf.patch b/0018-qemu-binfmt-conf-use-qemu-ARCH-binf.patch
index cbcb36e..af0ddbe 100644
--- a/0018-qemu-binfmt-conf-use-qemu-ARCH-binf.patch
+++ b/0018-qemu-binfmt-conf-use-qemu-ARCH-binf.patch
@@ -1,4 +1,4 @@
-From d688c4968074f983fde5be296487bb540e9a3396 Mon Sep 17 00:00:00 2001
+From 467907dc59bb7b955d78f37a190958cbb4cc837d Mon Sep 17 00:00:00 2001
 From: Andreas Schwab
 Date: Fri, 12 Aug 2016 18:20:49 +0200
 Subject: [PATCH] qemu-binfmt-conf: use qemu-ARCH-binfmt
diff --git a/0019-linux-user-properly-test-for-infini.patch b/0019-linux-user-properly-test-for-infini.patch
index d0ac008..5812fad 100644
--- a/0019-linux-user-properly-test-for-infini.patch
+++ b/0019-linux-user-properly-test-for-infini.patch
@@ -1,4 +1,4 @@
-From 182bbee4da8555984ca47867e035e62a943d6ed8 Mon Sep 17 00:00:00 2001
+From f885b1a3afadad00b6a28af2ce25ecebe4cc32cb Mon Sep 17 00:00:00 2001
 From: Andreas Schwab
 Date: Thu, 8 Sep 2016 11:21:05 +0200
 Subject: [PATCH] linux-user: properly test for infinite timeout in poll (#8)
diff --git a/0020-roms-Makefile-pass-a-packaging-time.patch b/0020-roms-Makefile-pass-a-packaging-time.patch
index 92fc7ac..c840a66 100644
--- a/0020-roms-Makefile-pass-a-packaging-time.patch
+++ b/0020-roms-Makefile-pass-a-packaging-time.patch
@@ -1,4 +1,4 @@
-From d9fe5283089876e70d7d5d37bc37c772d991fbee Mon Sep 17 00:00:00 2001
+From 6d5775e5a6a2ef48703c545772c6f0a0ab9ed887 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Sat, 19 Nov 2016 08:06:30 -0700
 Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with
diff --git a/0021-Raise-soft-address-space-limit-to-h.patch b/0021-Raise-soft-address-space-limit-to-h.patch
index 0e24e48..21633e5 100644
--- a/0021-Raise-soft-address-space-limit-to-h.patch
+++ b/0021-Raise-soft-address-space-limit-to-h.patch
@@ -1,4 +1,4 @@
-From 7c7cdde1614864ef3304fd5f28a6e2a7b3de9ae4 Mon Sep 17 00:00:00 2001
+From 34dc5aecd47ac65b43fda0d85c17ea33f333b9ce Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Sun, 15 Jan 2012 19:53:49 +0100
 Subject: [PATCH] Raise soft address space limit to hard limit
diff --git a/0022-increase-x86_64-physical-bits-to-42.patch b/0022-increase-x86_64-physical-bits-to-42.patch
index 80d2800..10b4421 100644
--- a/0022-increase-x86_64-physical-bits-to-42.patch
+++ b/0022-increase-x86_64-physical-bits-to-42.patch
@@ -1,4 +1,4 @@
-From e4e996c7352a5563dae701ee9880ed48a132f696 Mon Sep 17 00:00:00 2001
+From 43638ed256283e67877d0c18f38f0b8b2a132116 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Fri, 17 May 2013 16:49:58 -0600
 Subject: [PATCH] increase x86_64 physical bits to 42
@@ -19,10 +19,10 @@ Signed-off-by: Andreas Färber
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index b086b1528b..cbdd631e2e 100644
+index f3d0ebb673..4e66a0404e 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
-@@ -1501,7 +1501,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+@@ -1508,7 +1508,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
 /* XXX: This value should match the one returned by CPUID
 * and in exec.c */
 # if defined(TARGET_X86_64)
diff --git a/0023-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch b/0023-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch
index 579ee59..f13312d 100644
--- a/0023-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch
+++ b/0023-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch
@@ -1,4 +1,4 @@
-From ec1a9384505f5e372b3d5225fcada36ea35ac045 Mon Sep 17 00:00:00 2001
+From 46f00361392e6b37f7784759fa0bafaba4f53ccc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Wed, 12 Jun 2013 19:26:37 +0200
 Subject: [PATCH] vga: Raise VRAM to 16 MiB for pc-0.15 and below
diff --git a/0024-i8254-Fix-migration-from-SLE11-SP2.patch b/0024-i8254-Fix-migration-from-SLE11-SP2.patch
index 0574c36..88d432e 100644
--- a/0024-i8254-Fix-migration-from-SLE11-SP2.patch
+++ b/0024-i8254-Fix-migration-from-SLE11-SP2.patch
@@ -1,4 +1,4 @@
-From 745af73eab8459b7b8d6889850943afba3aeb6fd Mon Sep 17 00:00:00 2001
+From cb942fa994767ed596877a74d12c07469941e4a3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Wed, 31 Jul 2013 17:05:29 +0200
 Subject: [PATCH] i8254: Fix migration from SLE11 SP2
diff --git a/0025-acpi_piix4-Fix-migration-from-SLE11.patch b/0025-acpi_piix4-Fix-migration-from-SLE11.patch
index 18737c2..29fc814 100644
--- a/0025-acpi_piix4-Fix-migration-from-SLE11.patch
+++ b/0025-acpi_piix4-Fix-migration-from-SLE11.patch
@@ -1,4 +1,4 @@
-From cc5b2a3c40b43326c1f555e8f46f61bb10812cd3 Mon Sep 17 00:00:00 2001
+From b95747d42aadcc6555a98eb2c5db15cae291b0b0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Wed, 31 Jul 2013 17:32:35 +0200
 Subject: [PATCH] acpi_piix4: Fix migration from SLE11 SP2
diff --git a/0026-Fix-tigervnc-long-press-issue.patch b/0026-Fix-tigervnc-long-press-issue.patch
index 98fe939..edfc434 100644
--- a/0026-Fix-tigervnc-long-press-issue.patch
+++ b/0026-Fix-tigervnc-long-press-issue.patch
@@ -1,4 +1,4 @@
-From ea79d0cc0c448c2d04bba7cdcf686ea18aa3a0ae Mon Sep 17 00:00:00 2001
+From 14812344beb127d20d9fc58d9283d78946b432e6 Mon Sep 17 00:00:00 2001
 From: Chunyan Liu
 Date: Thu, 3 Mar 2016 16:48:17 +0800
 Subject: [PATCH] Fix tigervnc long press issue
@@ -24,10 +24,10 @@ Signed-off-by: Chunyan Liu
 1 file changed, 19 insertions(+)
 diff --git a/ui/vnc.c b/ui/vnc.c
-index 9f8d5a1b1f..5bf1130486 100644
+index 06abe7360e..cb425f0aed 100644
 --- a/ui/vnc.c
 +++ b/ui/vnc.c
-@@ -1662,6 +1662,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+@@ -1802,6 +1802,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
 if (down)
 vs->modifiers_state[keycode] ^= 1;
 break;
diff --git a/0027-string-input-visitor-Fix-uint64-par.patch b/0027-string-input-visitor-Fix-uint64-par.patch
index f9f7f55..aff5cc8 100644
--- a/0027-string-input-visitor-Fix-uint64-par.patch
+++ b/0027-string-input-visitor-Fix-uint64-par.patch
@@ -1,4 +1,4 @@
-From 594154fd98941c5740ce595a252834040f6ae655 Mon Sep 17 00:00:00 2001
+From 467310d802cf7790129dbd2f0559da13c08c4718 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Thu, 24 Sep 2015 19:21:11 +0200
 Subject: [PATCH] string-input-visitor: Fix uint64 parsing
diff --git a/0028-test-string-input-visitor-Add-int-t.patch b/0028-test-string-input-visitor-Add-int-t.patch
index 3e5466b..44ad30a 100644
--- a/0028-test-string-input-visitor-Add-int-t.patch
+++ b/0028-test-string-input-visitor-Add-int-t.patch
@@ -1,4 +1,4 @@
-From d98ad37e0fa5c3d254a016b5a2de2bc5a36ac603 Mon Sep 17 00:00:00 2001
+From 33c5e0f025d380144fcd310fc67d69cf57e2100f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Thu, 24 Sep 2015 19:23:50 +0200
 Subject: [PATCH] test-string-input-visitor: Add int test case
diff --git a/0029-test-string-input-visitor-Add-uint6.patch b/0029-test-string-input-visitor-Add-uint6.patch
index c0344f7..529ce8f 100644
--- a/0029-test-string-input-visitor-Add-uint6.patch
+++ b/0029-test-string-input-visitor-Add-uint6.patch
@@ -1,4 +1,4 @@
-From 7b6711a0a89635a57773ed8dff4e8543b199b161 Mon Sep 17 00:00:00 2001
+From 5f820fc473f23dc626d0314082072a8fccdb43f6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Thu, 24 Sep 2015 19:24:23 +0200
 Subject: [PATCH] test-string-input-visitor: Add uint64 test
diff --git a/0030-tests-Add-QOM-property-unit-tests.patch b/0030-tests-Add-QOM-property-unit-tests.patch
index 9f680d4..14f513f 100644
--- a/0030-tests-Add-QOM-property-unit-tests.patch
+++ b/0030-tests-Add-QOM-property-unit-tests.patch
@@ -1,4 +1,4 @@
-From b7f197720e170281c479d2b892c45e598f428a27 Mon Sep 17 00:00:00 2001
+From 466bf8436ac9720529c5a9baae4a901f4988da0b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Sun, 6 Sep 2015 20:12:42 +0200
 Subject: [PATCH] tests: Add QOM property unit tests
diff --git a/0031-tests-Add-scsi-disk-test.patch b/0031-tests-Add-scsi-disk-test.patch
index 9bc2ab7..6a9718a 100644
--- a/0031-tests-Add-scsi-disk-test.patch
+++ b/0031-tests-Add-scsi-disk-test.patch
@@ -1,4 +1,4 @@
-From a3cb893add9ad07fd3c971aed8e38f11496f9b9c Mon Sep 17 00:00:00 2001
+From e500d6e4a2f964c2718686731113336da7c013c6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?=
 Date: Fri, 25 Sep 2015 12:31:11 +0200
 Subject: [PATCH] tests: Add scsi-disk test
diff --git a/0032-Switch-order-of-libraries-for-mpath.patch b/0032-Switch-order-of-libraries-for-mpath.patch
index 6551edb..0ce0e56 100644
--- a/0032-Switch-order-of-libraries-for-mpath.patch
+++ b/0032-Switch-order-of-libraries-for-mpath.patch
@@ -1,4 +1,4 @@
-From da5c27969ecbaf94d9615a2bff11447e479382a7 Mon Sep 17 00:00:00 2001
+From df14b8456cc69b8948786a8008840418d5008fa5 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Fri, 3 Nov 2017 11:12:40 -0600
 Subject: [PATCH] Switch order of libraries for mpath support
diff --git a/0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch b/0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
deleted file mode 100644
index de15833..0000000
--- a/0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 386bbf8992317f3106d45dbfdb4b577029e9091f Mon Sep 17 00:00:00 2001
-From: Wei Wang
-Date: Tue, 7 Nov 2017 16:39:49 +0800
-Subject: [PATCH] i386/kvm: MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD
-
-CPUID(EAX=0X7,ECX=0).EDX[26]/[27] indicates the support of
-MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD. Expose the CPUID
-to the guest. Also add the support of transferring the MSRs during live
-migration.
-
-Signed-off-by: Wei Wang
-[BR: BSC#1068032 CVE-2017-5715]
-Signed-off-by: Bruce Rogers
----
- target/i386/cpu.c | 3 ++-
- target/i386/cpu.h | 4 ++++
- target/i386/kvm.c | 14 +++++++++++++-
- target/i386/machine.c | 20 ++++++++++++++++++++
- 4 files changed, 39 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 045d66191f..4a403b1e7b 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -2880,13 +2880,14 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
- case 7:
- /* Structured Extended Feature Flags Enumeration Leaf */
- if (count == 0) {
-+ host_cpuid(index, 0, eax, ebx, ecx, edx);
- *eax = 0; /* Maximum ECX value for sub-leaves */
- *ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */
- *ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */
- if ((*ecx & CPUID_7_0_ECX_PKU) && env->cr[4] & CR4_PKE_MASK) {
- *ecx |= CPUID_7_0_ECX_OSPKE;
- }
-- *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */
-+ *edx = env->features[FEAT_7_0_EDX] | *edx;
- } else {
- *eax = 0;
- *ebx = 0;
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index cbdd631e2e..d9ecf7a368 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -335,6 +335,7 @@
- #define MSR_IA32_APICBASE_BASE (0xfffffU<<12)
- #define MSR_IA32_FEATURE_CONTROL 0x0000003a
- #define MSR_TSC_ADJUST 0x0000003b
-+#define MSR_IA32_SPEC_CTRL 0x00000048
- #define MSR_IA32_TSCDEADLINE 0x6e0
- 
- #define FEATURE_CONTROL_LOCKED (1<<0)
-@@ -641,6 +642,8 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
- 
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
-+#define CPUID_7_0_EDX_PRED_CMD (1U << 27)
- 
- #define CPUID_XSAVE_XSAVEOPT (1U << 0)
- #define CPUID_XSAVE_XSAVEC (1U << 1)
-@@ -1183,6 +1186,7 @@ typedef struct CPUX86State {
- 
- uint64_t xss;
- 
-+ uint64_t spec_ctrl;
- TPRAccess tpr_access_type;
- } CPUX86State;
- 
-diff --git a/target/i386/kvm.c b/target/i386/kvm.c
-index b1e32e95d3..d0041e6285 100644
---- a/target/i386/kvm.c
-+++ b/target/i386/kvm.c
-@@ -76,6 +76,7 @@ static bool has_msr_star;
- static bool has_msr_hsave_pa;
- static bool has_msr_tsc_aux;
- static bool has_msr_tsc_adjust;
-+static bool has_msr_spec_ctrl;
- static bool has_msr_tsc_deadline;
- static bool has_msr_feature_control;
- static bool has_msr_misc_enable;
-@@ -1108,6 +1109,9 @@ static int kvm_get_supported_msrs(KVMState *s)
- case MSR_TSC_ADJUST:
- has_msr_tsc_adjust = true;
- break;
-+ case MSR_IA32_SPEC_CTRL:
-+ has_msr_spec_ctrl = true;
-+ break;
- case MSR_IA32_TSCDEADLINE:
- has_msr_tsc_deadline = true;
- break;
-@@ -1626,6 +1630,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
- if (has_msr_xss) {
- kvm_msr_entry_add(cpu, MSR_IA32_XSS, env->xss);
- }
-+ if (has_msr_spec_ctrl) {
-+ kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl);
-+ }
- #ifdef TARGET_X86_64
- if (lm_capable_kernel) {
- kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
-@@ -1998,7 +2005,9 @@ static int kvm_get_msrs(X86CPU *cpu)
- if (has_msr_xss) {
- kvm_msr_entry_add(cpu, MSR_IA32_XSS, 0);
- }
--
-+ if (has_msr_spec_ctrl) {
-+ kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0);
-+ }
- 
- if (!env->tsc_valid) {
- kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0);
-@@ -2220,6 +2229,9 @@ static int kvm_get_msrs(X86CPU *cpu)
- case MSR_IA32_XSS:
- env->xss = msrs[i].data;
- break;
-+ case MSR_IA32_SPEC_CTRL:
-+ env->spec_ctrl = msrs[i].data;
-+ break;
- default:
- if (msrs[i].index >= MSR_MC0_CTL &&
- msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
-diff --git a/target/i386/machine.c b/target/i386/machine.c
-index df5ec359eb..d561a65153 100644
---- a/target/i386/machine.c
-+++ b/target/i386/machine.c
-@@ -759,6 +759,25 @@ static const VMStateDescription vmstate_xss = {
- }
- };
- 
-+static bool spec_ctrl_needed(void *opaque)
-+{
-+ X86CPU *cpu = opaque;
-+ CPUX86State *env = &cpu->env;
-+
-+ return env->spec_ctrl != 0;
-+}
-+
-+static const VMStateDescription vmstate_spec_ctrl = {
-+ .name = "cpu/spec_ctrl",
-+ .version_id = 1,
-+ .minimum_version_id = 1,
-+ .needed = spec_ctrl_needed,
-+ .fields = (VMStateField[]) {
-+ VMSTATE_UINT64(env.spec_ctrl, X86CPU),
-+ VMSTATE_END_OF_LIST()
-+ }
-+};
-+
- #ifdef TARGET_X86_64
- static bool pkru_needed(void *opaque)
- {
-@@ -932,6 +951,7 @@ VMStateDescription vmstate_x86_cpu = {
- &vmstate_msr_hyperv_stimer,
- &vmstate_avx512,
- &vmstate_xss,
-+ &vmstate_spec_ctrl,
- &vmstate_tsc_khz,
- #ifdef TARGET_X86_64
- &vmstate_pkru,
diff --git a/0033-memfd-fix-configure-test.patch b/0033-memfd-fix-configure-test.patch
new file mode 100644
index 0000000..66db164
--- /dev/null
+++ b/0033-memfd-fix-configure-test.patch
@@ -0,0 +1,55 @@ +From 7c2613d2ed9d35c8634248204acdffcf96e1e6b2 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 28 Nov 2017 11:51:27 +0100 +Subject: [PATCH] memfd: fix configure test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent glibc added memfd_create in sys/mman.h. This conflicts with +the definition in util/memfd.c: + + /builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration + +Fix the configure test, and remove the sys/memfd.h inclusion since the +file actually does not exist---it is a typo in the memfd_create(2) man +page. + +Cc: Marc-André Lureau +Signed-off-by: Paolo Bonzini +(cherry picked from commit 75e5b70e6b5dcc4f2219992d7cffa462aa406af0) +[BR: BOO#1081154] +Signed-off-by: Bruce Rogers +--- + configure | 2 +- + util/memfd.c | 4 +--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/configure b/configure +index 01e1d15fa4..71b8b473fc 100755 +--- a/configure ++++ b/configure +@@ -3920,7 +3920,7 @@ fi + # check if memfd is supported + memfd=no + cat > $TMPC << EOF +-#include ++#include + + int main(void) + { +diff --git a/util/memfd.c b/util/memfd.c +index 4571d1aba8..412e94a405 100644 +--- a/util/memfd.c ++++ b/util/memfd.c +@@ -31,9 +31,7 @@ + + #include "qemu/memfd.h" + +-#ifdef CONFIG_MEMFD +-#include +-#elif defined CONFIG_LINUX ++#if defined CONFIG_LINUX && !defined CONFIG_MEMFD + #include + #include + diff --git a/0034-qapi-use-items-values-intead-of-ite.patch b/0034-qapi-use-items-values-intead-of-ite.patch index 8e58ad1..3b5bc7a 100644 --- a/0034-qapi-use-items-values-intead-of-ite.patch +++ b/0034-qapi-use-items-values-intead-of-ite.patch @@ -1,4 +1,4 @@ -From 3d847a60ddc9b6310b08c4264d1cbdbee4cfb0ef Mon Sep 17 00:00:00 2001 +From b644653df5e25a922d5bb7d9fb9c86bfe9dda86c Mon Sep 17 00:00:00 2001 
From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:05 +0000 Subject: [PATCH] qapi: use items()/values() intead of iteritems()/itervalues() diff --git a/0035-qapi-Use-OrderedDict-from-standard-.patch b/0035-qapi-Use-OrderedDict-from-standard-.patch index b79bf38..8d9732d 100644 --- a/0035-qapi-Use-OrderedDict-from-standard-.patch +++ b/0035-qapi-Use-OrderedDict-from-standard-.patch @@ -1,4 +1,4 @@ -From f38441aecb1a927d05b3fc47c34852169eb9c8c6 Mon Sep 17 00:00:00 2001 +From a1cd35be6c021ebea74d43da4ebb3b92b7064b72 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:06 +0000 Subject: [PATCH] qapi: Use OrderedDict from standard library if available diff --git a/0036-qapi-adapt-to-moved-location-of-Str.patch b/0036-qapi-adapt-to-moved-location-of-Str.patch index 236b837..5483c79 100644 --- a/0036-qapi-adapt-to-moved-location-of-Str.patch +++ b/0036-qapi-adapt-to-moved-location-of-Str.patch @@ -1,4 +1,4 @@ -From 16d6ac6a4239900f57ce871bd447c7371c3e07ca Mon Sep 17 00:00:00 2001 +From 474475499831d76f92dcdde71ff2d0a29205f2ff Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:07 +0000 Subject: [PATCH] qapi: adapt to moved location of StringIO module in py3 diff --git a/0037-qapi-Adapt-to-moved-location-of-mak.patch b/0037-qapi-Adapt-to-moved-location-of-mak.patch index baa1eb7..42134da 100644 --- a/0037-qapi-Adapt-to-moved-location-of-mak.patch +++ b/0037-qapi-Adapt-to-moved-location-of-mak.patch @@ -1,4 +1,4 @@ -From d4df07ca6bc5fb2ff8faa2d74c854be921b1f5bf Mon Sep 17 00:00:00 2001 +From 038a061ce8a984ae6de48ceb247033e7799a72fb Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:08 +0000 Subject: [PATCH] qapi: Adapt to moved location of 'maketrans' function in py3 diff --git a/0038-qapi-remove-q-arg-to-diff-when-comp.patch b/0038-qapi-remove-q-arg-to-diff-when-comp.patch index 1365a19..49a68f3 100644 --- a/0038-qapi-remove-q-arg-to-diff-when-comp.patch 
+++ b/0038-qapi-remove-q-arg-to-diff-when-comp.patch @@ -1,4 +1,4 @@ -From 0b18b7d8af17cb10779ca45efd40d791595d7cf5 Mon Sep 17 00:00:00 2001 +From c3577e33fd92f1d5d3632620f0b74f38b3b23ed8 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:09 +0000 Subject: [PATCH] qapi: remove '-q' arg to diff when comparing QAPI output diff --git a/0039-qapi-ensure-stable-sort-ordering-wh.patch b/0039-qapi-ensure-stable-sort-ordering-wh.patch index 22da18d..ec9bc55 100644 --- a/0039-qapi-ensure-stable-sort-ordering-wh.patch +++ b/0039-qapi-ensure-stable-sort-ordering-wh.patch @@ -1,4 +1,4 @@ -From a16a7259aace92ff5cf815b31e1201310fc344a0 Mon Sep 17 00:00:00 2001 +From 23ef1eee49f51e6fcae2c1676e9b71b0a9d1436b Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:10 +0000 Subject: [PATCH] qapi: ensure stable sort ordering when checking QAPI entities diff --git a/0040-qapi-force-a-UTF-8-locale-for-runni.patch b/0040-qapi-force-a-UTF-8-locale-for-runni.patch index 04b55e7..e54f365 100644 --- a/0040-qapi-force-a-UTF-8-locale-for-runni.patch +++ b/0040-qapi-force-a-UTF-8-locale-for-runni.patch @@ -1,4 +1,4 @@ -From 125a29fae71588b8857f1a513bf03ec6ef52f713 Mon Sep 17 00:00:00 2001 +From 178826a44b2d08e69dc7128cb3f47cea32912e37 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:11 +0000 Subject: [PATCH] qapi: force a UTF-8 locale for running Python diff --git a/0041-scripts-ensure-signrom-treats-data-.patch b/0041-scripts-ensure-signrom-treats-data-.patch index a05e904..d745773 100644 --- a/0041-scripts-ensure-signrom-treats-data-.patch +++ b/0041-scripts-ensure-signrom-treats-data-.patch @@ -1,4 +1,4 @@ -From 680774bf1e3bfd349b503e375f01244a04ca975b Mon Sep 17 00:00:00 2001 +From 93a3811284417987034a0c72387db589760fcaaa Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:12 +0000 Subject: [PATCH] scripts: ensure signrom treats data as bytes 
diff --git a/0042-configure-allow-use-of-python-3.patch b/0042-configure-allow-use-of-python-3.patch index 614ac0b..5bc9202 100644 --- a/0042-configure-allow-use-of-python-3.patch +++ b/0042-configure-allow-use-of-python-3.patch @@ -1,4 +1,4 @@ -From bb4e9dd3678fe461b85345736cb296641be01413 Mon Sep 17 00:00:00 2001 +From 9ef8e6f7a53e7790187a810495e428a7556ead6e Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 13:42:13 +0000 Subject: [PATCH] configure: allow use of python 3 @@ -15,7 +15,7 @@ Signed-off-by: Bruce Rogers 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/configure b/configure -index 01e1d15fa4..46e2853ee3 100755 +index 71b8b473fc..62d66a6819 100755 --- a/configure +++ b/configure @@ -1573,9 +1573,8 @@ fi diff --git a/0043-input-add-missing-JIS-keys-to-virti.patch b/0043-input-add-missing-JIS-keys-to-virti.patch index f3d3b94..b6e0949 100644 --- a/0043-input-add-missing-JIS-keys-to-virti.patch +++ b/0043-input-add-missing-JIS-keys-to-virti.patch @@ -1,4 +1,4 @@ -From 88c1526efb8132cc1ea6d4dcb8ef84daa08a1d9d Mon Sep 17 00:00:00 2001 +From 47dfdc212f68d2ab3d06db162bff907c4922e67d Mon Sep 17 00:00:00 2001 From: Miika S Date: Tue, 16 Jan 2018 13:42:14 +0000 Subject: [PATCH] input: add missing JIS keys to virtio input diff --git a/0044-Make-installed-scripts-explicitly-p.patch b/0044-Make-installed-scripts-explicitly-p.patch index 6e67250..5cc4a9f 100644 --- a/0044-Make-installed-scripts-explicitly-p.patch +++ b/0044-Make-installed-scripts-explicitly-p.patch @@ -1,4 +1,4 @@ -From 8bcfb45ee625f82a7324491c2640c5dfb60465a9 Mon Sep 17 00:00:00 2001 +From 8635ebbf94af8dbcd20da8f52e8081f1be8c977c Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 25 Jan 2018 14:16:10 -0700 Subject: [PATCH] Make installed scripts explicitly python2 diff --git a/0045-pc-fail-memory-hot-plug-unplug-with.patch b/0045-pc-fail-memory-hot-plug-unplug-with.patch index 60d7def..29c6e49 100644 --- a/0045-pc-fail-memory-hot-plug-unplug-with.patch 
+++ b/0045-pc-fail-memory-hot-plug-unplug-with.patch @@ -1,4 +1,4 @@ -From c97089489583ab5e1b748a5731915bc3727931b4 Mon Sep 17 00:00:00 2001 +From 097f317248eb261968efb30755e3c91fd9311cea Mon Sep 17 00:00:00 2001 From: Haozhong Zhang Date: Fri, 22 Dec 2017 09:51:20 +0800 Subject: [PATCH] pc: fail memory hot-plug/unplug with -no-acpi and Q35 machine diff --git a/0046-memattrs-add-debug-attribute.patch b/0046-memattrs-add-debug-attribute.patch index 676afc9..ea600ed 100644 --- a/0046-memattrs-add-debug-attribute.patch +++ b/0046-memattrs-add-debug-attribute.patch @@ -1,6 +1,6 @@ -From 8e76b032dc33ce4330da6ec73c10113cdc172b25 Mon Sep 17 00:00:00 2001 +From 631811d80a534654f23009e86cf9b9b942d53a48 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:07 -0600 +Date: Thu, 15 Feb 2018 09:03:19 -0600 Subject: [PATCH] memattrs: add debug attribute Extend the MemTxAttrs to include 'debug' flag. The flag can be used as @@ -13,10 +13,10 @@ will need to use encryption APIs to access the guest memory. Cc: Alistair Francis Cc: Peter Maydell -Cc: Edgar E. Iglesias" +Cc: "Edgar E. Iglesias" Cc: Richard Henderson Cc: Paolo Bonzini -Reviewed-by: Edgar E. Iglesias" +Reviewed-by: "Edgar E. Iglesias" Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers diff --git a/0047-exec-add-ram_debug_ops-support.patch b/0047-exec-add-ram_debug_ops-support.patch index efe343a..846e752 100644 --- a/0047-exec-add-ram_debug_ops-support.patch +++ b/0047-exec-add-ram_debug_ops-support.patch @@ -1,6 +1,6 @@ -From faf4862946a9e236e8e4fb956adad2dc11577fe0 Mon Sep 17 00:00:00 2001 +From a8955ac9aa33e2d3edb4ea948d74cf52fc9771a2 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:07 -0600 +Date: Thu, 15 Feb 2018 09:03:19 -0600 Subject: [PATCH] exec: add ram_debug_ops support Currently, the guest memory access for the debug purpose is performed @@ -30,12 +30,12 @@ Signed-off-by: Brijesh Singh [BR: FATE#322124] 
Signed-off-by: Bruce Rogers --- - exec.c | 66 ++++++++++++++++++++++++++++++++++++++------------- - include/exec/memory.h | 28 ++++++++++++++++++++++ - 2 files changed, 78 insertions(+), 16 deletions(-) + exec.c | 43 ++++++++++++++++++++++++++++++++----------- + include/exec/memory.h | 30 +++++++++++++++++++++++++++++- + 2 files changed, 61 insertions(+), 12 deletions(-) diff --git a/exec.c b/exec.c -index 1ca0f9e0ab..5da6a782e1 100644 +index 1ca0f9e0ab..fe49807f58 100644 --- a/exec.c +++ b/exec.c @@ -2983,7 +2983,11 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, 
@@ -64,47 +64,19 @@ index 1ca0f9e0ab..5da6a782e1 100644 } if (release_lock) { -@@ -3151,11 +3159,13 @@ void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, - - enum write_rom_type { - WRITE_DATA, -+ READ_DATA, - FLUSH_CACHE, +@@ -3155,7 +3163,8 @@ enum write_rom_type { }; --static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, + static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, - hwaddr addr, const uint8_t *buf, int len, enum write_rom_type type) -+static inline void cpu_physical_memory_rw_internal(AddressSpace *as, -+ hwaddr addr, uint8_t *buf, int len, MemTxAttrs attrs, ++ hwaddr addr, const uint8_t *buf, int len, MemTxAttrs attrs, + enum write_rom_type type) { hwaddr l; uint8_t *ptr; -@@ -3170,12 +3180,33 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, - if (!(memory_region_is_ram(mr) || - memory_region_is_romd(mr))) { - l = memory_access_size(mr, l, addr1); -+ /* Pass MMIO down to address address_space_rw */ -+ switch (type) { -+ case READ_DATA: -+ case WRITE_DATA: -+ address_space_rw(as, addr1, attrs, buf, l, -+ type == WRITE_DATA); -+ break; -+ case FLUSH_CACHE: -+ break; -+ } - } else { - /* ROM/RAM case */ +@@ -3175,7 +3184,11 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, ptr = qemu_map_ram_ptr(mr->ram_block, addr1); switch (type) { -+ case READ_DATA: -+ if (mr->ram_debug_ops) { -+ mr->ram_debug_ops->read(buf, ptr, l, attrs); -+ } else { -+ memcpy(buf, ptr, l); -+ } -+ break; case WRITE_DATA: - memcpy(ptr, buf, l); + if (mr->ram_debug_ops) { 
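Review bot: On the new side the non-RAM/ROMD branch of cpu_physical_memory_write_rom_internal is no longer touched by the patch (the inner hunk that forwarded MMIO to address_space_rw is dropped and the new inner hunk `@@ -3175,7 +3184,11 @@` starts at the switch), so as far as this page shows a debug write that lands on an MMIO region is quietly skipped after `l = memory_access_size(mr, l, addr1);`. That is upstream write_rom behaviour, but since cpu_memory_rw_debug now routes every write through this function (hunk `@@ -157,26 +121,27 @@` below) the debugger gets no error for such a write, and the change from the previous revision deserves a line in the patch description or a comment at that branch: `/* non-RAM/ROMD (MMIO) targets are skipped here; debug writes only reach RAM via ram_debug_ops or memcpy */`. The WRITE_DATA arm's new `if (mr->ram_debug_ops) {` body and the rest of the function lie outside this hunk.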
@@ -115,38 +87,30 @@ index 1ca0f9e0ab..5da6a782e1 100644 invalidate_and_set_dirty(mr, addr1, l); break; case FLUSH_CACHE: -@@ -3194,7 +3225,8 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, +@@ -3194,7 +3207,9 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as, void cpu_physical_memory_write_rom(AddressSpace *as, hwaddr addr, const uint8_t *buf, int len) { - cpu_physical_memory_write_rom_internal(as, addr, buf, len, WRITE_DATA); -+ cpu_physical_memory_rw_internal(as, addr, (uint8_t *)buf, len, -+ MEMTXATTRS_UNSPECIFIED, WRITE_DATA); ++ cpu_physical_memory_write_rom_internal(as, addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED, ++ WRITE_DATA); } void cpu_flush_icache_range(hwaddr start, int len) -@@ -3209,8 +3241,10 @@ void cpu_flush_icache_range(hwaddr start, int len) +@@ -3209,8 +3224,9 @@ void cpu_flush_icache_range(hwaddr start, int len) return; } - cpu_physical_memory_write_rom_internal(&address_space_memory, - start, NULL, len, FLUSH_CACHE); -+ cpu_physical_memory_rw_internal(&address_space_memory, -+ start, NULL, len, -+ MEMTXATTRS_UNSPECIFIED, -+ FLUSH_CACHE); ++ cpu_physical_memory_write_rom_internal(&address_space_memory, start, NULL, ++ len, MEMTXATTRS_UNSPECIFIED, ++ FLUSH_CACHE); } typedef struct { -@@ -3516,6 +3550,7 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - int l; - hwaddr phys_addr; - target_ulong page; -+ int type = is_write ? WRITE_DATA : READ_DATA; - - cpu_synchronize_state(cpu); - while (len > 0) { -@@ -3525,6 +3560,10 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, +@@ -3525,6 +3541,10 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, page = addr & TARGET_PAGE_MASK; phys_addr = cpu_get_phys_page_attrs_debug(cpu, page, &attrs); asidx = cpu_asidx_from_attrs(cpu, attrs); 
@@ -157,26 +121,27 @@ index 1ca0f9e0ab..5da6a782e1 100644 /* if no physical page mapped, return an error */ if (phys_addr == -1) return -1; -@@ -3532,14 +3571,9 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - if (l > len) +@@ -3533,13 +3553,14 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, l = len; phys_addr += (addr & ~TARGET_PAGE_MASK); -- if (is_write) { + if (is_write) { - cpu_physical_memory_write_rom(cpu->cpu_ases[asidx].as, - phys_addr, buf, l); -- } else { -- address_space_rw(cpu->cpu_ases[asidx].as, phys_addr, ++ cpu_physical_memory_write_rom_internal(cpu->cpu_ases[asidx].as, ++ phys_addr, buf, l, attrs, ++ WRITE_DATA); + } else { + address_space_rw(cpu->cpu_ases[asidx].as, phys_addr, - MEMTXATTRS_UNSPECIFIED, - buf, l, 0); -- } -+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as, -+ phys_addr, buf, l, attrs, -+ type); ++ attrs, buf, l, 0); + } ++ len -= l; buf += l; addr += l; diff --git a/include/exec/memory.h b/include/exec/memory.h -index 5ed4042f87..557f75c7ae 100644 +index 5ed4042f87..8d3b99cba8 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -215,6 +215,18 @@ typedef struct IOMMUMemoryRegionClass { @@ -228,3 +193,12 @@ index 5ed4042f87..557f75c7ae 100644 /** * memory_region_init_reservation: Initialize a memory region that reserves * I/O space. +@@ -1928,7 +1956,7 @@ MemTxResult flatview_read(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + void *ptr; + MemoryRegion *mr; + +- if (__builtin_constant_p(len)) { ++ if (__builtin_constant_p(len) && !attrs.debug) { + if (len) { + rcu_read_lock(); + l = len; diff --git a/0048-exec-add-debug-version-of-physical-.patch b/0048-exec-add-debug-version-of-physical-.patch index 935a42b..8131372 100644 --- a/0048-exec-add-debug-version-of-physical-.patch +++ b/0048-exec-add-debug-version-of-physical-.patch @@ -1,6 +1,6 @@ -From 8c55cf176a4b6d6411e8b1e6385ff6a78b0e55f2 Mon Sep 17 00:00:00 2001 +From bb5805ddc9a5bfbf78d4ce81b6395452c783ca77 Mon Sep 17 00:00:00 2001 
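Review bot: The read path now hands the page's `attrs` from cpu_get_phys_page_attrs_debug to `address_space_rw(cpu->cpu_ases[asidx].as, phys_addr, attrs, buf, l, 0);` and the write path passes the same `attrs` to cpu_physical_memory_write_rom_internal, but nothing in this hunk sets `attrs.debug`. The four lines the inner hunk `@@ -3525,6 +3541,10 @@` adds after `asidx = cpu_asidx_from_attrs(cpu, attrs);` fall outside the outer hunk, so whether the debug flag is set before these calls cannot be confirmed here; if it is not, reads through this function would presumably take the ordinary path instead of the ram_debug_ops one the series introduces. A one-line comment at the `if (is_write) {` would make the contract explicit, e.g. `/* attrs.debug is set above so both directions take the debug-ops path */`. The new side also inserts an empty line between the closing `}` and `len -= l;`, which looks like an accidental whitespace change (hedged, since the lines are collapsed on this page). cpu_memory_rw_debug begins and ends outside the hunk.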
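Review bot: The new `if (__builtin_constant_p(len) && !attrs.debug) {` in include/exec/memory.h keeps debug-attributed reads off the inline fast path, but the header says nothing about why, and the property it relies on — that the out-of-line read path consults `ram_debug_ops` — is established in exec.c, outside this hunk. A comment on that line would spare the next reader the cross-reference: `/* debug accesses must take the slow path so ram_debug_ops are honored */`. The inline function containing this line starts and ends outside the hunk.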
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:07 -0600 +Date: Thu, 15 Feb 2018 09:03:20 -0600 Subject: [PATCH] exec: add debug version of physical memory read and write API Adds the following new APIs @@ -18,15 +18,15 @@ Reviewed-by: Paolo Bonzini [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - exec.c | 41 +++++++++++++++++++++++++++++++++++++++++ + exec.c | 40 ++++++++++++++++++++++++++++++++++++++++ include/exec/cpu-common.h | 15 +++++++++++++++ - 2 files changed, 56 insertions(+) + 2 files changed, 55 insertions(+) diff --git a/exec.c b/exec.c -index 5da6a782e1..561e4290dc 100644 +index fe49807f58..2a297de819 100644 --- a/exec.c +++ b/exec.c -@@ -3543,6 +3543,47 @@ void address_space_cache_destroy(MemoryRegionCache *cache) +@@ -3525,6 +3525,46 @@ void address_space_cache_destroy(MemoryRegionCache *cache) #define RCU_READ_UNLOCK() rcu_read_unlock() #include "memory_ldst.inc.c" @@ -39,9 +39,9 @@ index 5da6a782e1..561e4290dc 100644 + /* set debug attrs to indicate memory access is from the debugger */ + attrs.debug = 1; + -+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as, -+ addr, (void *) &val, -+ 4, attrs, READ_DATA); ++ address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs, ++ (void *) &val, 4, 0); ++ + return tswap32(val); +} + @@ -54,9 +54,8 @@ index 5da6a782e1..561e4290dc 100644 + /* set debug attrs to indicate memory access is from the debugger */ + attrs.debug = 1; + -+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as, -+ addr, (void *) &val, -+ 8, attrs, READ_DATA); ++ address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs, ++ (void *) &val, 8, 0); + return val; +} + diff --git a/0049-monitor-i386-use-debug-APIs-when-ac.patch b/0049-monitor-i386-use-debug-APIs-when-ac.patch index cf8d367..4a42c3b 100644 --- a/0049-monitor-i386-use-debug-APIs-when-ac.patch +++ b/0049-monitor-i386-use-debug-APIs-when-ac.patch 
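Review bot: The MemTxResult from the new `address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs, (void *) &val, 4, 0);` is discarded, so a failed or unmapped access returns whatever `val` held, and if `val` is not initialised at its declaration (outside this hunk) the caller receives stack garbage with no indication. The 8-byte variant in the following hunk `@@ -54,9 +54,8 @@` has the same gap. Checking the status and returning a defined value, e.g. `if (address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs, (void *) &val, 4, 0) != MEMTX_OK) { val = 0; }`, or zero-initialising `val` and documenting that failures read as zero, would close it. The enclosing function starts outside the hunk.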
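Review bot: The 8-byte helper ends with `return val;` while the 4-byte helper in the preceding hunk ends with `return tswap32(val);`; unless a byte-order conversion happens elsewhere, the two cannot both be right for a target whose endianness differs from the host. If the swap is intended, `return tswap64(val);` makes the pair consistent; if the value is already in host order, the `tswap32` in the 4-byte helper should go instead. The enclosing function starts outside the hunk.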
@@ -1,6 +1,6 @@ -From 5a0c3e3ff1a772c572b810851e04e0deb2930367 Mon Sep 17 00:00:00 2001 +From 6dd6cff79148e79a45da6277fd7f9b5de4f41d20 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:07 -0600 +Date: Thu, 15 Feb 2018 09:03:20 -0600 Subject: [PATCH] monitor/i386: use debug APIs when accessing guest memory Updates HMP commands to use the debug version of APIs when accessing the @@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers --- cpus.c | 2 +- disas.c | 2 +- - monitor.c | 8 ++++--- + monitor.c | 6 +++--- target/i386/helper.c | 14 ++++++------ target/i386/monitor.c | 60 +++++++++++++++++++++++++++------------------------ - 5 files changed, 46 insertions(+), 40 deletions(-) + 5 files changed, 44 insertions(+), 40 deletions(-) diff --git a/cpus.c b/cpus.c index 114c29b6a0..d1e7e28993 100644 @@ -50,7 +50,7 @@ index d4ad1089ef..fcedbf2633 100644 } diff --git a/monitor.c b/monitor.c -index e36fb5308d..3b456fc6c5 100644 +index e36fb5308d..6b484e3e0d 100644 --- a/monitor.c +++ b/monitor.c @@ -1359,7 +1359,7 @@ static void memory_dump(Monitor *mon, int count, int format, int wsize, @@ -62,16 +62,14 @@ index e36fb5308d..3b456fc6c5 100644 } else { if (cpu_memory_rw_debug(cs, addr, buf, l, 0) < 0) { monitor_printf(mon, " Cannot access memory\n"); -@@ -1565,8 +1565,10 @@ static void hmp_sum(Monitor *mon, const QDict *qdict) +@@ -1565,8 +1565,8 @@ static void hmp_sum(Monitor *mon, const QDict *qdict) sum = 0; for(addr = start; addr < (start + size); addr++) { - uint8_t val = address_space_ldub(&address_space_memory, addr, - MEMTXATTRS_UNSPECIFIED, NULL); -+ uint8_t buf[0]; + uint8_t val; -+ cpu_physical_memory_read_debug(addr, buf, 1); -+ val = ldub_p(buf); ++ cpu_physical_memory_read_debug(addr, &val, 1); /* BSD sum algorithm ('sum' Unix command) */ sum = (sum >> 1) | (sum << 15); sum += val; 
diff --git a/0051-machine-add-memory-encryption-prope.patch b/0050-machine-add-memory-encryption-prope.patch similarity index 95% rename from 0051-machine-add-memory-encryption-prope.patch rename to 0050-machine-add-memory-encryption-prope.patch index ec7ad76..0ff81bb 100644 --- a/0051-machine-add-memory-encryption-prope.patch +++ b/0050-machine-add-memory-encryption-prope.patch @@ -1,6 +1,6 @@ -From 80b31eed583af21eee2e2f152d2c24e6aa13b2b7 Mon Sep 17 00:00:00 2001 +From 969964dd7f15ac507887f58fccbb2623110bd8f6 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:08 -0600 +Date: Thu, 15 Feb 2018 09:03:20 -0600 Subject: [PATCH] machine: add -memory-encryption property When CPU supports memory encryption feature, the property can be used to @@ -72,7 +72,7 @@ index 156b16f7a6..41fa577955 100644 ram_addr_t ram_size; ram_addr_t maxram_size; diff --git a/qemu-options.hx b/qemu-options.hx -index f11c4ac960..5385832707 100644 +index 57f2c6a75f..617e5d5c20 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -104,6 +104,8 @@ code to send configuration section even if the machine-type sets the diff --git a/0050-target-i386-add-memory-encryption-f.patch b/0050-target-i386-add-memory-encryption-f.patch deleted file mode 100644 index 2e3e0a5..0000000 --- a/0050-target-i386-add-memory-encryption-f.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From 7fee871608f1ab458151d03712fb0b89cf5c5668 Mon Sep 17 00:00:00 2001 -From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:07 -0600 -Subject: [PATCH] target/i386: add memory encryption feature cpuid support - -AMD EPYC processors support memory encryption feature. The feature -is reported through CPUID 8000_001F[EAX]. - -Fn8000_001F [EAX]: - Bit 0 Secure Memory Encryption (SME) supported - Bit 1 Secure Encrypted Virtualization (SEV) supported - Bit 2 Page flush MSR supported - Bit 3 Ecrypted State (SEV-ES) support - -when memory encryption feature is reported, CPUID 8000_001F[EBX] should -provide additional information regarding the feature (such as which page -table bit is used to mark pages as encrypted etc). The information in EBX -and ECX may vary from one family to another hence we use the host cpuid -to populate the EBX information. - -The details for memory encryption CPUID is available in AMD APM -(https://support.amd.com/TechDocs/24594.pdf) Section E.4.17 - -Cc: Paolo Bonzini -Cc: Richard Henderson -Cc: Eduardo Habkost -Signed-off-by: Brijesh Singh -[BR: FATE#322124] -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.c | 36 ++++++++++++++++++++++++++++++++++++ - target/i386/cpu.h | 6 ++++++ - 2 files changed, 42 insertions(+) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 4a403b1e7b..98cd293c4f 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -233,6 +233,7 @@ static void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1, - #define TCG_EXT4_FEATURES 0 - #define TCG_SVM_FEATURES 0 - #define TCG_KVM_FEATURES 0 -+#define TCG_MEM_ENCRYPT_FEATURES 0 - #define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \ - CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX | \ - CPUID_7_0_EBX_PCOMMIT | CPUID_7_0_EBX_CLFLUSHOPT | \ -@@ -528,6 +529,20 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .cpuid_reg = R_EDX, - .tcg_features = ~0U, - }, -+ [FEAT_MEM_ENCRYPT] = { -+ .feat_names = { 
-+ "sme", "sev", "page-flush-msr", "sev-es", -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ }, -+ .cpuid_eax = 0x8000001F, .cpuid_reg = R_EAX, -+ .tcg_features = TCG_MEM_ENCRYPT_FEATURES, -+ } - }; - - typedef struct X86RegisterInfo32 { -@@ -1562,6 +1577,9 @@ static X86CPUDefinition builtin_x86_defs[] = { - CPUID_XSAVE_XGETBV1, - .features[FEAT_6_EAX] = - CPUID_6_EAX_ARAT, -+ /* Missing: SEV_ES */ -+ .features[FEAT_MEM_ENCRYPT] = -+ CPUID_8000_001F_EAX_SME | CPUID_8000_001F_EAX_SEV, - .xlevel = 0x8000000A, - .model_id = "AMD EPYC Processor", - }, -@@ -3111,6 +3129,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, - *edx = 0; - } - break; -+ case 0x8000001F: -+ if (env->features[FEAT_MEM_ENCRYPT] & CPUID_8000_001F_EAX_SEV) { -+ *eax = env->features[FEAT_MEM_ENCRYPT]; -+ host_cpuid(0x8000001F, 0, NULL, ebx, NULL, NULL); -+ *ecx = 0; -+ *edx = 0; -+ } else { -+ *eax = 0; -+ *ebx = 0; -+ *ecx = 0; -+ *edx = 0; -+ } -+ break; - case 0xC0000000: - *eax = env->cpuid_xlevel2; - *ebx = 0; -@@ -3550,10 +3581,15 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error **errp) - x86_cpu_adjust_feat_level(cpu, FEAT_C000_0001_EDX); - x86_cpu_adjust_feat_level(cpu, FEAT_SVM); - x86_cpu_adjust_feat_level(cpu, FEAT_XSAVE); -+ x86_cpu_adjust_feat_level(cpu, FEAT_MEM_ENCRYPT); - /* SVM requires CPUID[0x8000000A] */ - if (env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM) { - x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000000A); - } -+ /* SEV requires CPUID[0x8000001F] */ -+ if ((env->features[FEAT_MEM_ENCRYPT] & CPUID_8000_001F_EAX_SEV)) { -+ x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000001F); -+ } - } - - /* Set cpuid_*level* based on cpuid_min_*level, if not explicitly set */ -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index d9ecf7a368..224ac5413f 100644 ---- a/target/i386/cpu.h -+++ 
b/target/i386/cpu.h -@@ -464,6 +464,7 @@ typedef enum FeatureWord { - FEAT_6_EAX, /* CPUID[6].EAX */ - FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */ - FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */ -+ FEAT_MEM_ENCRYPT, /* CPUID[8000_001F].EAX */ - FEATURE_WORDS, - } FeatureWord; - -@@ -652,6 +653,11 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; - - #define CPUID_6_EAX_ARAT (1U << 2) - -+#define CPUID_8000_001F_EAX_SME (1U << 0) /* SME */ -+#define CPUID_8000_001F_EAX_SEV (1U << 1) /* SEV */ -+#define CPUID_8000_001F_EAX_PAGE_FLUSH_MSR (1U << 2) /* Page flush MSR */ -+#define CPUID_8000_001F_EAX_SEV_ES (1U << 3) /* SEV-ES */ -+ - /* CPUID[0x80000007].EDX flags: */ - #define CPUID_APM_INVTSC (1U << 8) - diff --git a/0052-kvm-update-kvm.h-to-include-memory-.patch b/0051-kvm-update-kvm.h-to-include-memory-.patch similarity index 93% rename from 0052-kvm-update-kvm.h-to-include-memory-.patch rename to 0051-kvm-update-kvm.h-to-include-memory-.patch index 108dbc7..566c843 100644 --- a/0052-kvm-update-kvm.h-to-include-memory-.patch +++ b/0051-kvm-update-kvm.h-to-include-memory-.patch @@ -1,6 +1,6 @@ -From fd981d8bae5ef3b9056845add32a0830356b3b7f Mon Sep 17 00:00:00 2001 +From f62e734e8cbb2b31f23b9c0e8cb69ae1500a200b Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:08 -0600 +Date: Thu, 15 Feb 2018 09:03:20 -0600 Subject: [PATCH] kvm: update kvm.h to include memory encryption ioctls Updates kmv.h to include memory encryption ioctls and SEV commands. @@ -16,10 +16,10 @@ Signed-off-by: Bruce Rogers 1 file changed, 90 insertions(+) diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index dd8a91801e..04b5801d03 100644 +index d92c9b2f0e..aed2230995 100644 --- a/linux-headers/linux/kvm.h 
+++ b/linux-headers/linux/kvm.h -@@ -1356,6 +1356,96 @@ struct kvm_s390_ucas_mapping { +@@ -1362,6 +1362,96 @@ struct kvm_s390_ucas_mapping { /* Available with KVM_CAP_S390_CMMA_MIGRATION */ #define KVM_S390_GET_CMMA_BITS _IOWR(KVMIO, 0xb8, struct kvm_s390_cmma_log) #define KVM_S390_SET_CMMA_BITS _IOW(KVMIO, 0xb9, struct kvm_s390_cmma_log) diff --git a/0053-docs-add-AMD-Secure-Encrypted-Virtu.patch b/0052-docs-add-AMD-Secure-Encrypted-Virtu.patch similarity index 97% rename from 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch rename to 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch index 12bf04c..5fc11fe 100644 --- a/0053-docs-add-AMD-Secure-Encrypted-Virtu.patch +++ b/0052-docs-add-AMD-Secure-Encrypted-Virtu.patch @@ -1,6 +1,6 @@ -From e31dff17694578d6f14f94fce81f446827502318 Mon Sep 17 00:00:00 2001 +From 23745abd0c79cea6c85622263a46a33c3a96fefb Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:08 -0600 +Date: Thu, 15 Feb 2018 09:03:20 -0600 Subject: [PATCH] docs: add AMD Secure Encrypted Virtualization (SEV) Create a documentation entry to describe the AMD Secure Encrypted diff --git a/0054-accel-add-Secure-Encrypted-Virtuliz.patch b/0053-target-i386-add-Secure-Encrypted-Vi.patch similarity index 83% rename from 0054-accel-add-Secure-Encrypted-Virtuliz.patch rename to 0053-target-i386-add-Secure-Encrypted-Vi.patch index aedc426..1b9aec2 100644 --- a/0054-accel-add-Secure-Encrypted-Virtuliz.patch +++ b/0053-target-i386-add-Secure-Encrypted-Vi.patch @@ -1,7 +1,7 @@ -From 725b55269e39ee0c64daf556b019d1eb70940b21 Mon Sep 17 00:00:00 2001 +From 3ab22b287a2ea323cb0b4d6daf9fc2177b6dec1c Mon Sep 17 00:00:00 2001 
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:08 -0600 -Subject: [PATCH] accel: add Secure Encrypted Virtulization (SEV) object +Date: Thu, 15 Feb 2018 09:03:21 -0600 +Subject: [PATCH] target/i386: add Secure Encrypted Virtulization (SEV) object Add a new memory encryption object 'sev-guest'. The object will be used to create enrypted VMs on AMD EPYC CPU. The object provides the properties @@ -15,32 +15,186 @@ e.g to launch SEV guest -machine ....,memory-encryption=sev0 Cc: Paolo Bonzini +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] 
Signed-off-by: Bruce Rogers --- - accel/kvm/Makefile.objs | 2 +- - accel/kvm/sev.c | 214 +++++++++++++++++++++++++++++++++++++++++ - docs/amd-memory-encryption.txt | 17 ++++ - include/sysemu/sev.h | 54 +++++++++++ + docs/amd-memory-encryption.txt | 17 +++ + include/sysemu/sev.h | 54 ++++++++++ qemu-options.hx | 36 +++++++ - 5 files changed, 322 insertions(+), 1 deletion(-) - create mode 100644 accel/kvm/sev.c + target/i386/Makefile.objs | 2 +- + target/i386/sev.c | 228 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 336 insertions(+), 1 deletion(-) create mode 100644 include/sysemu/sev.h + create mode 100644 target/i386/sev.c -diff --git a/accel/kvm/Makefile.objs b/accel/kvm/Makefile.objs -index 85351e7de7..666ceef3da 100644 ---- a/accel/kvm/Makefile.objs -+++ b/accel/kvm/Makefile.objs -@@ -1 +1 @@ --obj-$(CONFIG_KVM) += kvm-all.o -+obj-$(CONFIG_KVM) += kvm-all.o sev.o -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c +diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt +index 72a92b6c63..1527f603ea 100644 +--- a/docs/amd-memory-encryption.txt ++++ b/docs/amd-memory-encryption.txt +@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing + several flags that restricts what can be done on running SEV guest. + See KM Spec section 3 and 6.2 for more details. + ++The guest policy can be provided via the 'policy' property (see below) ++ ++# ${QEMU} \ ++ sev-guest,id=sev0,policy=0x1...\ ++ + Guest owners provided DH certificate and session parameters will be used to + establish a cryptographic session with the guest owner to negotiate keys used + for the attestation. + ++The DH certificate and session blob can be provided via 'dh-cert-file' and ++'session-file' property (see below ++ ++# ${QEMU} \ ++ sev-guest,id=sev0,dh-cert-file=,session-file= ++ + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context + created via LAUNCH_START command. 
If required, this command can be called + multiple times to encrypt different memory regions. The command also calculates +@@ -59,6 +70,12 @@ context. + See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the + complete flow chart. + ++To launch a SEV guest ++ ++# ${QEMU} \ ++ -machine ...,memory-encryption=sev0 \ ++ -object sev-guest,id=sev0 ++ + Debugging + ----------- + Since memory contents of SEV guest is encrypted hence hypervisor access to the +diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h new file mode 100644 -index 0000000000..57e092a0bd +index 0000000000..a1936a7a79 
--- /dev/null -+++ b/accel/kvm/sev.c -@@ -0,0 +1,214 @@ ++++ b/include/sysemu/sev.h +@@ -0,0 +1,54 @@ ++/* ++ * QEMU Secure Encrypted Virutualization (SEV) support ++ * ++ * Copyright: Advanced Micro Devices, 2016-2018 ++ * ++ * Authors: ++ * Brijesh Singh ++ * ++ * This work is licensed under the terms of the GNU GPL, version 2 or later. ++ * See the COPYING file in the top-level directory. ++ * ++ */ ++ ++#ifndef QEMU_SEV_H ++#define QEMU_SEV_H ++ ++#include "qom/object.h" ++#include "qapi/error.h" ++#include "sysemu/kvm.h" ++#include "qemu/error-report.h" ++ ++#define TYPE_QSEV_GUEST_INFO "sev-guest" ++#define QSEV_GUEST_INFO(obj) \ ++ OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) ++ ++typedef struct QSevGuestInfo QSevGuestInfo; ++typedef struct QSevGuestInfoClass QSevGuestInfoClass; ++ ++/** ++ * QSevGuestInfo: ++ * ++ * The QSevGuestInfo object is used for creating a SEV guest. ++ * ++ * # $QEMU \ ++ * -object sev-guest,id=sev0 \ ++ * -machine ...,memory-encryption=sev0 ++ */ ++struct QSevGuestInfo { ++ Object parent_obj; ++ ++ char *sev_device; ++ uint32_t policy; ++ uint32_t handle; ++ char *dh_cert_file; ++ char *session_file; ++ uint32_t cbitpos; ++ uint32_t reduced_phys_bits; ++}; ++ ++struct QSevGuestInfoClass { ++ ObjectClass parent_class; ++}; ++ ++#endif +diff --git a/qemu-options.hx b/qemu-options.hx +index 617e5d5c20..ab8d089f29 100644 +--- a/qemu-options.hx ++++ b/qemu-options.hx +@@ -4471,6 +4471,42 @@ contents of @code{iv.b64} to the second secret + data=$SECRET,iv=$(reduced_phys_bits = value; ++} ++ ++static void +qsev_guest_get_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ 
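Review bot: The new include/sysemu/sev.h header comment misspells the feature name: `QEMU Secure Encrypted Virutualization (SEV) support` should read `Virtualization`, and the `QSevGuestInfo` fields (`sev_device`, `policy`, `handle`, `dh_cert_file`, `session_file`, `cbitpos`, `reduced_phys_bits`) carry no comments saying which are user-supplied properties and which are filled in at launch. In the docs/amd-memory-encryption.txt part, `'session-file' property (see below` is missing its closing parenthesis. The qemu-options.hx portion of this hunk is truncated on this page (the text between `iv=$(` and `reduced_phys_bits = value;` is missing), so the new option documentation and the first half of target/i386/sev.c could not be reviewed here.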
@@ -207,14 +372,15 @@ index 0000000000..57e092a0bd + visit_type_uint32(v, name, &value, errp); +} + -+static uint32_t -+sev_get_host_cbitpos(void) ++static void ++qsev_guest_get_reduced_phys_bits(Object *obj, Visitor *v, const char *name, ++ void *opaque, Error **errp) +{ -+ uint32_t ebx; ++ uint32_t value; ++ QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + -+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); -+ -+ return ebx & 0x3f; ++ value = sev->reduced_phys_bits; ++ visit_type_uint32(v, name, &value, errp); +} + +static void @@ -224,13 +390,15 @@ index 0000000000..57e092a0bd + + sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); + sev->policy = DEFAULT_GUEST_POLICY; -+ sev->cbitpos = sev_get_host_cbitpos(); + object_property_add(obj, "policy", "uint32", qsev_guest_get_policy, + qsev_guest_set_policy, NULL, NULL, NULL); + object_property_add(obj, "handle", "uint32", qsev_guest_get_handle, + qsev_guest_set_handle, NULL, NULL, NULL); + object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos, + qsev_guest_set_cbitpos, NULL, NULL, NULL); ++ object_property_add(obj, "reduced-phys-bits", "uint32", ++ qsev_guest_get_reduced_phys_bits, ++ qsev_guest_set_reduced_phys_bits, NULL, NULL, NULL); +} + +/* sev guest info */ 
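Review bot: Dropping `sev->cbitpos = sev_get_host_cbitpos();` from `qsev_guest_init` means `cbitpos` and the new `reduced-phys-bits` property now default to 0, and nothing in this hunk tells the user that both values are mandatory and must match the host (the later `sev_guest_init` rejects any mismatch outright). Add a comment next to the `object_property_add` calls, e.g. `/* No host-derived defaults: management must supply cbitpos and reduced-phys-bits (CPUID 0x8000001F EBX[5:0] and EBX[11:6]); sev_guest_init rejects a mismatch with the host. */`, and the `-object sev-guest,id=sev0` examples in the docs and qemu-options hunks should carry `cbitpos=...,reduced-phys-bits=...` so that copying them does not fail at startup. `qsev_guest_init` continues outside the hunk.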
@@ -255,149 +423,3 @@ index 0000000000..57e092a0bd +} + +type_init(sev_register_types); -diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt -index 72a92b6c63..1527f603ea 100644 ---- a/docs/amd-memory-encryption.txt -+++ b/docs/amd-memory-encryption.txt -@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing - several flags that restricts what can be done on running SEV guest. - See KM Spec section 3 and 6.2 for more details. - -+The guest policy can be provided via the 'policy' property (see below) -+ -+# ${QEMU} \ -+ sev-guest,id=sev0,policy=0x1...\ -+ - Guest owners provided DH certificate and session parameters will be used to - establish a cryptographic session with the guest owner to negotiate keys used - for the attestation. - -+The DH certificate and session blob can be provided via 'dh-cert-file' and -+'session-file' property (see below -+ -+# ${QEMU} \ -+ sev-guest,id=sev0,dh-cert-file=,session-file= -+ - LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context - created via LAUNCH_START command. If required, this command can be called - multiple times to encrypt different memory regions. The command also calculates -@@ -59,6 +70,12 @@ context. - See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the - complete flow chart. - -+To launch a SEV guest -+ -+# ${QEMU} \ -+ -machine ...,memory-encryption=sev0 \ -+ -object sev-guest,id=sev0 -+ - Debugging - ----------- - Since memory contents of SEV guest is encrypted hence hypervisor access to the -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -new file mode 100644 -index 0000000000..eed679653d ---- /dev/null -+++ b/include/sysemu/sev.h -@@ -0,0 +1,54 @@ -+/* -+ * QEMU Secure Encrypted Virutualization (SEV) support -+ * -+ * Copyright: Advanced Micro Devices, 2016-2018 -+ * -+ * Authors: -+ * Brijesh Singh -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or later. 
-+ * See the COPYING file in the top-level directory. -+ * -+ */ -+ -+#ifndef QEMU_SEV_H -+#define QEMU_SEV_H -+ -+#include "qom/object.h" -+#include "qapi/error.h" -+#include "sysemu/kvm.h" -+#include "qemu/error-report.h" -+ -+#define TYPE_QSEV_GUEST_INFO "sev-guest" -+#define QSEV_GUEST_INFO(obj) \ -+ OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) -+ -+typedef struct QSevGuestInfo QSevGuestInfo; -+typedef struct QSevGuestInfoClass QSevGuestInfoClass; -+ -+/** -+ * QSevGuestInfo: -+ * -+ * The QSevGuestInfo object is used for creating a SEV guest. -+ * -+ * # $QEMU \ -+ * -object sev-guest,id=sev0 \ -+ * -machine ...,memory-encryption=sev0 -+ */ -+struct QSevGuestInfo { -+ Object parent_obj; -+ -+ char *sev_device; -+ uint32_t policy; -+ uint32_t handle; -+ char *dh_cert_file; -+ char *session_file; -+ uint32_t cbitpos; -+}; -+ -+struct QSevGuestInfoClass { -+ ObjectClass parent_class; -+}; -+ -+#endif -+ -diff --git a/qemu-options.hx b/qemu-options.hx -index 5385832707..5acf180991 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -4470,6 +4470,42 @@ contents of @code{iv.b64} to the second secret - data=$SECRET,iv=$( -Date: Tue, 6 Feb 2018 19:08:09 -0600 +Date: Thu, 15 Feb 2018 09:03:21 -0600 Subject: [PATCH] qmp: add query-sev command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -9,6 +9,7 @@ Content-Transfer-Encoding: 8bit The QMP query command can used to retrieve the SEV information when memory encryption is enabled on AMD platform. +Cc: Eric Blake Cc: "Daniel P. Berrangé" Cc: "Dr. David Alan Gilbert" Cc: Markus Armbruster @@ -16,31 +17,41 @@ Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - qapi-schema.json | 47 +++++++++++++++++++++++++++++++++++++++++++++++ - qmp.c | 16 ++++++++++++++++ + qapi-schema.json | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + qmp.c | 6 ++++++ 2 files changed, 63 insertions(+) 
diff --git a/qapi-schema.json b/qapi-schema.json -index 18457954a8..40c2de3026 100644 +index 18457954a8..91a8a74f81 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -3200,3 +3200,50 @@ +@@ -3200,3 +3200,60 @@ # Since: 2.11 ## { 'command': 'watchdog-set-action', 'data' : {'action': 'WatchdogAction'} } + +## ++# @SevState: ++# ++# An enumeration of SEV state information used during @query-sev. ++# ++# Since: 2.12 ++## ++{ 'enum': 'SevState', ++ 'data': ['uninit', 'lupdate', 'lsecret', 'running', 'supdate', 'rupdate' ] } ++ ++## +# @SevInfo: +# -+# Information about SEV support ++# Information about Secure Encrypted Virtualization (SEV) support +# +# @enabled: true if SEV is active +# -+# @api_major: SEV API major version ++# @api-major: SEV API major version +# -+# @api_minor: SEV API minor version ++# @api-minor: SEV API minor version +# -+# @build_id: SEV FW build id ++# @build-id: SEV FW build id +# +# @policy: SEV policy value +# @@ -50,11 +61,11 @@ index 18457954a8..40c2de3026 100644 +## +{ 'struct': 'SevInfo', + 'data': { 'enabled': 'bool', -+ 'api_major': 'uint8', -+ 'api_minor' : 'uint8', -+ 'build_id' : 'uint8', ++ 'api-major': 'uint8', ++ 'api-minor' : 'uint8', ++ 'build-id' : 'uint8', + 'policy' : 'uint32', -+ 'state' : 'str' ++ 'state' : 'SevState' + } +} + @@ -76,7 +87,7 @@ index 18457954a8..40c2de3026 100644 +## +{ 'command': 'query-sev', 'returns': 'SevInfo' } diff --git a/qmp.c b/qmp.c -index e8c303116a..4cd01ea666 100644 +index e8c303116a..75b5a349b0 100644 --- a/qmp.c +++ b/qmp.c @@ -37,6 +37,7 @@ 
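Review bot: The `SevState` enum added to qapi-schema.json documents none of its members, so a QMP consumer cannot tell which guest state `lupdate`, `lsecret`, `supdate` or `rupdate` denotes; they look like abbreviations of the SEV KM API guest states but the schema should say so. Add a per-member line to the doc comment, e.g. `# @lupdate: guest is being populated via LAUNCH_UPDATE_DATA (launch in progress)`, for each of the six values. The `policy` member's doc (`SEV policy value`) should also state that it is the 4-byte guest policy bit field given via the sev-guest `policy` property, since tools will compare it against the policy they expect.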
@@ -87,22 +98,12 @@ index e8c303116a..4cd01ea666 100644 NameInfo *qmp_query_name(Error **errp) { -@@ -722,3 +723,18 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp) +@@ -722,3 +723,8 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp) return mem_info; } + +SevInfo *qmp_query_sev(Error **errp) +{ -+ SevInfo *info = g_malloc0(sizeof(*info)); -+ -+ info->enabled = sev_enabled(); -+ if (info->enabled) { -+ sev_get_fw_version(&info->api_major, -+ &info->api_minor, &info->build_id); -+ sev_get_policy(&info->policy); -+ sev_get_current_state(&info->state); -+ } -+ -+ return info; ++ return NULL; +} diff --git a/0055-sev-add-command-to-initialize-the-m.patch b/0055-sev-i386-add-command-to-initialize-.patch similarity index 62% rename from 0055-sev-add-command-to-initialize-the-m.patch rename to 0055-sev-i386-add-command-to-initialize-.patch index cec0976..e7cd839 100644 --- a/0055-sev-add-command-to-initialize-the-m.patch +++ b/0055-sev-i386-add-command-to-initialize-.patch @@ -1,7 +1,8 @@ -From 8ed2f96e975993d82495273bca7be2e6a8eb81ed Mon Sep 17 00:00:00 2001 +From dcba83a5b2ba19c6b143734ac392e678e8e710c2 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:08 -0600 -Subject: [PATCH] sev: add command to initialize the memory encryption context +Date: Thu, 15 Feb 2018 09:03:21 -0600 +Subject: [PATCH] sev/i386: add command to initialize the memory encryption + context When memory encryption is enabled, KVM_SEV_INIT command is used to initialize the platform. The command loads the SEV related persistent @@ -10,16 +11,20 @@ This command should be first issued before invoking any other guest commands provided by the SEV firmware. Cc: Paolo Bonzini +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] 
Signed-off-by: Bruce Rogers --- - accel/kvm/kvm-all.c | 15 +++++ - accel/kvm/sev.c | 161 +++++++++++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 2 + - accel/stubs/kvm-stub.c | 28 +++++++++ - include/sysemu/sev.h | 16 +++++ - 5 files changed, 222 insertions(+) + accel/kvm/kvm-all.c | 15 ++++ + include/sysemu/sev.h | 19 +++++ + stubs/Makefile.objs | 1 + + stubs/sev.c | 54 ++++++++++++++ + target/i386/sev.c | 191 +++++++++++++++++++++++++++++++++++++++++++++++ + target/i386/trace-events | 3 + + 6 files changed, 283 insertions(+) + create mode 100644 stubs/sev.c diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index f290f487a5..6e5f3fd650 100644 
@@ -61,11 +66,124 @@ index f290f487a5..6e5f3fd650 100644 ret = kvm_arch_init(ms, s); if (ret < 0) { goto err; -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 57e092a0bd..d5fd975792 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -18,10 +18,74 @@ +diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h +index a1936a7a79..5c8c549b68 100644 +--- a/include/sysemu/sev.h ++++ b/include/sysemu/sev.h +@@ -14,15 +14,26 @@ + #ifndef QEMU_SEV_H + #define QEMU_SEV_H + ++#include ++ + #include "qom/object.h" + #include "qapi/error.h" + #include "sysemu/kvm.h" + #include "qemu/error-report.h" ++#include "qapi-types.h" + + #define TYPE_QSEV_GUEST_INFO "sev-guest" + #define QSEV_GUEST_INFO(obj) \ + OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) + ++extern bool sev_enabled(void); ++extern uint64_t sev_get_me_mask(void); ++extern SevState sev_get_current_state(void); ++extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build); ++extern void sev_get_policy(uint32_t *policy); ++extern uint32_t sev_get_cbit_position(void); ++extern uint32_t sev_get_reduced_phys_bits(void); ++ + typedef struct QSevGuestInfo QSevGuestInfo; + typedef struct QSevGuestInfoClass QSevGuestInfoClass; + +@@ -51,4 +62,12 @@ struct QSevGuestInfoClass { + ObjectClass parent_class; + }; + ++struct SEVState { ++ QSevGuestInfo *sev_info; ++}; ++ ++typedef struct SEVState SEVState; ++ ++void *sev_guest_init(const char *id); ++ + #endif +diff --git a/stubs/Makefile.objs b/stubs/Makefile.objs +index 8cfe34328a..b3bbbe62c0 100644 +--- a/stubs/Makefile.objs ++++ b/stubs/Makefile.objs +@@ -42,3 +42,4 @@ stub-obj-y += vmgenid.o + stub-obj-y += xen-common.o + stub-obj-y += xen-hvm.o + stub-obj-y += pci-host-piix.o ++stub-obj-y += sev.o +diff --git a/stubs/sev.c b/stubs/sev.c +new file mode 100644 +index 0000000000..24c7b0c3e0 +--- /dev/null ++++ b/stubs/sev.c +@@ -0,0 +1,54 @@ ++/* ++ * QEMU SEV stub ++ * ++ * Copyright Advanced Micro Devices 2018 ++ * ++ * Authors: ++ * 
Brijesh Singh ++ * ++ * This work is licensed under the terms of the GNU GPL, version 2 or later. ++ * See the COPYING file in the top-level directory. ++ * ++ */ ++ ++#include "qemu/osdep.h" ++#include "qemu-common.h" ++#include "sysemu/sev.h" ++ ++SevState sev_get_current_state(void) ++{ ++ return SEV_STATE_UNINIT; ++} ++ ++bool sev_enabled(void) ++{ ++ return false; ++} ++ ++void *sev_guest_init(const char *id) ++{ ++ return NULL; ++} ++ ++uint64_t sev_get_me_mask(void) ++{ ++ return ~0UL; ++} ++ ++uint32_t sev_get_cbit_position(void) ++{ ++ return 0; ++} ++ ++uint32_t sev_get_reduced_phys_bits(void) ++{ ++ return 0; ++} ++ ++void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) ++{ ++} ++ ++void sev_get_policy(uint32_t *policy) ++{ ++} +diff --git a/target/i386/sev.c b/target/i386/sev.c +index f07c646577..f9a8748d19 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -18,10 +18,76 @@ #include "sysemu/kvm.h" #include "sysemu/sev.h" #include "sysemu/sysemu.h" @@ -77,8 +195,8 @@ index 57e092a0bd..d5fd975792 100644 +static uint64_t me_mask; +static bool sev_active; +static int sev_fd; -+ -+#define SEV_FW_MAX_ERROR 0x17 ++static uint32_t x86_cbitpos; ++static uint32_t x86_reduced_phys_bits; + +static const char *const sev_fw_errlist[] = { + "", @@ -106,6 +224,8 @@ index 57e092a0bd..d5fd975792 100644 + "Invalid parameter" +}; + ++#define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist) ++ +static int +sev_ioctl(int cmd, void *data, int *error) +{ @@ -140,7 +260,7 @@ index 57e092a0bd..d5fd975792 100644 static void qsev_guest_finalize(Object *obj) { -@@ -205,6 +269,103 @@ static const TypeInfo qsev_guest_info = { +@@ -219,6 +285,131 @@ static const TypeInfo qsev_guest_info = { } }; 
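Review bot: In the new stubs/sev.c, `sev_get_me_mask` returns `~0UL` through a `uint64_t` return type; stubs are built for every host, and on a 32-bit host `unsigned long` is 32 bits, so the stub yields 0x00000000ffffffff and a caller that masks a guest address with it would clear the upper half instead of getting a no-op mask. Use `return ~0ULL;` (or `UINT64_MAX`). A one-line comment on the stub, `/* identity mask: no memory encryption bit when SEV is compiled out */`, would also make the intent obvious.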
@@ -170,9 +290,22 @@ index 57e092a0bd..d5fd975792 100644 + return ~me_mask; +} + -+void -+sev_get_current_state(char **state) ++uint32_t ++sev_get_cbit_position(void) +{ ++ return x86_cbitpos; ++} ++ ++uint32_t ++sev_get_reduced_phys_bits(void) ++{ ++ return x86_reduced_phys_bits; ++} ++ ++SevState ++sev_get_current_state(void) ++{ ++ return SEV_STATE_UNINIT; +} + +bool @@ -197,7 +330,9 @@ index 57e092a0bd..d5fd975792 100644 + SEVState *s; + char *devname; + int ret, fw_error; ++ uint32_t ebx; + uint32_t host_cbitpos, cbitpos; ++ uint32_t host_reduced_phys_bits, reduced_phys_bits; + + s = g_new0(SEVState, 1); + s->sev_info = lookup_sev_guest_info(id); @@ -207,15 +342,25 @@ index 57e092a0bd..d5fd975792 100644 + goto err; + } + -+ host_cbitpos = sev_get_host_cbitpos(); ++ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); ++ host_cbitpos = ebx & 0x3f; ++ host_reduced_phys_bits = (ebx >> 6) & 0x3f; ++ + cbitpos = object_property_get_int(OBJECT(s->sev_info), "cbitpos", NULL); + if (host_cbitpos != cbitpos) { -+ error_report("%s: cbitpos check failed, host '%d' request '%d'", ++ error_report("%s: cbitpos check failed, host '%d' requested '%d'", + __func__, host_cbitpos, cbitpos); + goto err; + } + -+ me_mask = (1UL << cbitpos); ++ reduced_phys_bits = object_property_get_int(OBJECT(s->sev_info), ++ "reduced-phys-bits", NULL); ++ if (host_reduced_phys_bits != reduced_phys_bits) { ++ error_report("%s: reduced_phys_bits check failed," ++ "host '%d' requested '%d'", __func__, ++ host_reduced_phys_bits, reduced_phys_bits); ++ goto err; ++ } + + devname = object_property_get_str(OBJECT(s->sev_info), "sev-device", NULL); + sev_fd = open(devname, O_RDWR); @@ -234,6 +379,9 @@ index 57e092a0bd..d5fd975792 100644 + goto err; + } + ++ me_mask = (1UL << cbitpos); ++ x86_reduced_phys_bits = reduced_phys_bits; ++ x86_cbitpos = cbitpos; + sev_active = true; + return s; +err: 
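Review bot: `sev_guest_init` derives `host_cbitpos` and `host_reduced_phys_bits` from CPUID 0x8000001F EBX via `host_cpuid` without first checking that the leaf exists (max extended leaf from 0x80000000) or that SEV is advertised (0x8000001F EAX bit 1); on a host without the leaf EBX may hold unrelated data, so a correctly configured guest fails with the misleading `cbitpos check failed, host 'N' requested 'M'` message instead of "SEV not supported". Add a guard before the comparisons, e.g. `host_cpuid(0x8000001F, 0, &eax, &ebx, NULL, NULL); if (!(eax & 0x2)) { error_report("%s: host does not support SEV", __func__); goto err; }`. Separately, after `sev_fd = open(devname, O_RDWR)` the later `goto err` appears to only free `s`, so `devname` and the open `sev_fd` may leak on that path; worth confirming against the rest of the function, which continues outside the hunk.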
@@ -244,106 +392,14 @@ index 57e092a0bd..d5fd975792 100644 static void sev_register_types(void) { -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index f89ba5578d..ea487e5a59 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -13,3 +13,5 @@ kvm_irqchip_add_msi_route(char *name, int vector, int virq) "dev %s vector %d vi - kvm_irqchip_update_msi_route(int virq) "Updating MSI route virq=%d" - kvm_irqchip_release_virq(int virq) "virq %d" - -+# sev.c +diff --git a/target/i386/trace-events b/target/i386/trace-events +index 3153fd4454..797b716751 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -5,3 +5,6 @@ kvm_x86_fixup_msi_error(uint32_t gsi) "VT-d failed to remap interrupt for GSI %" + kvm_x86_add_msi_route(int virq) "Adding route entry for virq %d" + kvm_x86_remove_msi_route(int virq) "Removing route entry for virq %d" + kvm_x86_update_msi_routes(int num) "Updated %d MSI routes" ++ ++# target/i386/sev.c +kvm_sev_init(void) "" -diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c -index c964af3e1c..bb78a1f1b9 100644 ---- a/accel/stubs/kvm-stub.c -+++ b/accel/stubs/kvm-stub.c -@@ -14,6 +14,7 @@ - #include "qemu-common.h" - #include "cpu.h" - #include "sysemu/kvm.h" -+#include "sysemu/sev.h" - - #ifndef CONFIG_USER_ONLY - #include "hw/pci/msi.h" -@@ -33,6 +34,11 @@ bool kvm_readonly_mem_allowed; - bool kvm_ioeventfd_any_length_allowed; - bool kvm_msi_use_devid; - -+bool sev_allowed; -+uint8_t sev_fw_major; -+uint8_t sev_fw_minor; -+uint8_t sev_fw_build; -+ - int kvm_destroy_vcpu(CPUState *cpu) - { - return -ENOSYS; -@@ -105,6 +111,28 @@ int kvm_on_sigbus(int code, void *addr) - return 1; - } - -+void sev_get_current_state(char **state) -+{ -+} -+ -+bool sev_enabled(void) -+{ -+ return false; -+} -+ -+uint64_t sev_get_me_mask(void) -+{ -+ return ~0UL; -+} -+ -+void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) -+{ -+} -+ -+void sev_get_policy(uint32_t *policy) -+{ -+} -+ - #ifndef 
CONFIG_USER_ONLY - int kvm_irqchip_add_msi_route(KVMState *s, int vector, PCIDevice *dev) - { -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -index eed679653d..121e7e4aa4 100644 ---- a/include/sysemu/sev.h -+++ b/include/sysemu/sev.h -@@ -14,6 +14,8 @@ - #ifndef QEMU_SEV_H - #define QEMU_SEV_H - -+#include -+ - #include "qom/object.h" - #include "qapi/error.h" - #include "sysemu/kvm.h" -@@ -23,6 +25,12 @@ - #define QSEV_GUEST_INFO(obj) \ - OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) - -+extern bool sev_enabled(void); -+extern uint64_t sev_get_me_mask(void); -+extern void sev_get_current_state(char **state); -+extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build); -+extern void sev_get_policy(uint32_t *policy); -+ - typedef struct QSevGuestInfo QSevGuestInfo; - typedef struct QSevGuestInfoClass QSevGuestInfoClass; - -@@ -50,5 +58,13 @@ struct QSevGuestInfoClass { - ObjectClass parent_class; - }; - -+struct SEVState { -+ QSevGuestInfo *sev_info; -+}; -+ -+typedef struct SEVState SEVState; -+ -+void *sev_guest_init(const char *id); -+ - #endif - diff --git a/0056-qmp-populate-SevInfo-fields-with-SE.patch b/0056-qmp-populate-SevInfo-fields-with-SE.patch new file mode 100644 index 0000000..27ede4c --- /dev/null +++ b/0056-qmp-populate-SevInfo-fields-with-SE.patch 
@@ -0,0 +1,43 @@
+From 0b770bea4deaa363b1eff696402057d55d9721b6 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh
+Date: Thu, 15 Feb 2018 09:03:21 -0600
+Subject: [PATCH] qmp: populate SevInfo fields with SEV guest information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+query-sev command is used to get the SEV guest information, fill the
+SevInfo fields with SEV guest information.
+
+Cc: Eric Blake
+Cc: "Daniel P. Berrangé"
+Cc: "Dr. David Alan Gilbert"
+Cc: Markus Armbruster
+Signed-off-by: Brijesh Singh
+[BR: FATE#322124]
+Signed-off-by: Bruce Rogers
+---
+ qmp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/qmp.c b/qmp.c
+index 75b5a349b0..3c2d573384 100644
+--- a/qmp.c
++++ b/qmp.c
+@@ -726,5 +726,15 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
+
+ SevInfo *qmp_query_sev(Error **errp)
+ {
+- return NULL;
++ SevInfo *info = g_malloc0(sizeof(*info));
++
++ info->enabled = sev_enabled();
++ if (info->enabled) {
++ sev_get_fw_version(&info->api_major,
++ &info->api_minor, &info->build_id);
++ sev_get_policy(&info->policy);
++ info->state = sev_get_current_state();
++ }
++
++ return info;
+ }
diff --git a/0056-sev-register-the-guest-memory-range.patch b/0057-sev-i386-register-the-guest-memory-.patch
similarity index 71%
rename from 0056-sev-register-the-guest-memory-range.patch
rename to 0057-sev-i386-register-the-guest-memory-.patch
index 29b9323..134673d 100644
--- a/0056-sev-register-the-guest-memory-range.patch
+++ b/0057-sev-i386-register-the-guest-memory-.patch
@@ -1,7 +1,7 @@
-From 127890da09ac0ebb4945f52b0e23e582d93fc698 Mon Sep 17 00:00:00 2001
+From c6101a4c186abcc2d3b78972a534cbe1907bea57 Mon Sep 17 00:00:00 2001
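Review bot: `qmp_query_sev` fills `info->policy` through `sev_get_policy(&info->policy)`, but at this point in the series `sev_get_policy` in target/i386/sev.c appears to be an empty function (it shows as `{ }` context in the 0060 hunk further down), so `query-sev` would report `policy: 0` whatever the sev-guest `policy` property holds; a management tool that checks the policy (for instance the no-debug bit) before releasing a disk secret would be misled. Either fill it here from the configured object, e.g. `info->policy = object_property_get_int(OBJECT(sev_info), "policy", NULL);`, or make `sev_get_policy` return the value passed at launch. `sev_get_fw_version` deserves the same check; its body is not visible here.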
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:09 -0600 -Subject: [PATCH] sev: register the guest memory range which may contain +Date: Thu, 15 Feb 2018 09:03:21 -0600 +Subject: [PATCH] sev/i386: register the guest memory range which may contain encrypted data When SEV is enabled, the hardware encryption engine uses a tweak such @@ -15,19 +15,21 @@ encrypted data. KVM driver will internally handle the relocating physical backing pages of registered memory regions. Cc: Paolo Bonzini +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 41 +++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 2 ++ + target/i386/sev.c | 41 +++++++++++++++++++++++++++++++++++++++++ + target/i386/trace-events | 2 ++ 2 files changed, 43 insertions(+) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index d5fd975792..2c4bbba3c3 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -86,6 +86,45 @@ fw_error_to_str(int code) +diff --git a/target/i386/sev.c b/target/i386/sev.c +index f9a8748d19..de5c8d4675 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -88,6 +88,45 @@ fw_error_to_str(int code) return sev_fw_errlist[code]; } 
@@ -73,22 +75,22 @@ index d5fd975792..2c4bbba3c3 100644 static void qsev_guest_finalize(Object *obj) { -@@ -360,6 +399,8 @@ sev_guest_init(const char *id) - } - +@@ -404,6 +443,8 @@ sev_guest_init(const char *id) + x86_reduced_phys_bits = reduced_phys_bits; + x86_cbitpos = cbitpos; sev_active = true; + ram_block_notifier_add(&sev_ram_notifier); + return s; err: g_free(s); -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index ea487e5a59..364c84bd7a 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -15,3 +15,5 @@ kvm_irqchip_release_virq(int virq) "virq %d" +diff --git a/target/i386/trace-events b/target/i386/trace-events +index 797b716751..ffa3d22504 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -8,3 +8,5 @@ kvm_x86_update_msi_routes(int num) "Updated %d MSI routes" - # sev.c + # target/i386/sev.c kvm_sev_init(void) "" +kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu" +kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" diff --git a/0057-kvm-introduce-memory-encryption-API.patch b/0058-kvm-introduce-memory-encryption-API.patch similarity index 93% rename from 0057-kvm-introduce-memory-encryption-API.patch rename to 0058-kvm-introduce-memory-encryption-API.patch index 901d6b8..cc4aca0 100644 --- a/0057-kvm-introduce-memory-encryption-API.patch +++ b/0058-kvm-introduce-memory-encryption-API.patch @@ -1,6 +1,6 @@ -From f2a1359c865cf33fc5960e1b9e6912827075f567 Mon Sep 17 00:00:00 2001 +From da8eb76eb09a056b7107bc27f790c715fba088d7 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:09 -0600 +Date: Thu, 15 Feb 2018 09:03:22 -0600 Subject: [PATCH] kvm: introduce memory encryption APIs Inorder to integerate the Secure Encryption Virtualization (SEV) support @@ -67,11 +67,11 @@ index 6e5f3fd650..f1fb826f06 100644 { KVMState *s = kvm_state; 
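Review bot: The trace format strings moved into target/i386/trace-events, `kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu"` and its unregister twin, print a decimal number behind a `0x` prefix and pass a `size_t` to `%lu`, so the trace output misreads as hex and the conversion is mismatched where `size_t` is not `unsigned long`. Change both to `"addr %p len 0x%zx"`. The sev.c part of the hunk only moves `ram_block_notifier_add` after the new cbitpos assignments and looks correct.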
diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c -index bb78a1f1b9..e7d579e3e5 100644 +index c964af3e1c..5739712a67 100644 --- a/accel/stubs/kvm-stub.c +++ b/accel/stubs/kvm-stub.c -@@ -133,6 +133,20 @@ void sev_get_policy(uint32_t *policy) - { +@@ -105,6 +105,20 @@ int kvm_on_sigbus(int code, void *addr) + return 1; } +bool kvm_memcrypt_enabled(void) diff --git a/0059-hmp-add-info-sev-command.patch b/0059-hmp-add-info-sev-command.patch index 9d94716..6442dc3 100644 --- a/0059-hmp-add-info-sev-command.patch +++ b/0059-hmp-add-info-sev-command.patch @@ -1,6 +1,6 @@ -From d363eb37dad9acacbcd688f8275c16334ca69fbe Mon Sep 17 00:00:00 2001 +From ae854a2255006d807366a2b2529311b1dcaaed17 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:09 -0600 +Date: Thu, 15 Feb 2018 09:03:22 -0600 Subject: [PATCH] hmp: add 'info sev' command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -9,6 +9,7 @@ Content-Transfer-Encoding: 8bit The command can be used to show the SEV information when memory encryption is enabled on AMD platform. +Cc: Eric Blake Cc: "Daniel P. Berrangé" Cc: "Dr. David Alan Gilbert" Cc: Markus Armbruster @@ -47,7 +48,7 @@ index 54c3e5eac6..83491f84f6 100644 STEXI diff --git a/hmp.c b/hmp.c -index 35a7041824..7214a904dd 100644 +index 35a7041824..f3898347b8 100644 --- a/hmp.c +++ b/hmp.c @@ -2918,3 +2918,22 @@ void hmp_info_memory_size_summary(Monitor *mon, const QDict *qdict) @@ -64,7 +65,7 @@ index 35a7041824..7214a904dd 100644 + monitor_printf(mon, "%s\n", info->enabled ? "enabled" : "disabled"); + + if (info->enabled) { -+ monitor_printf(mon, "state: %s\n", info->state); ++ monitor_printf(mon, "state: %s\n", SevState_str(info->state)); + monitor_printf(mon, "policy: 0x%x\n", info->policy); + monitor_printf(mon, "build id: %u\n", info->build_id); + monitor_printf(mon, "api version: %u.%u\n", 
diff --git a/0060-sev-add-command-to-create-launch-me.patch b/0060-sev-i386-add-command-to-create-laun.patch similarity index 60% rename from 0060-sev-add-command-to-create-launch-me.patch rename to 0060-sev-i386-add-command-to-create-laun.patch index 04f59d7..297fab8 100644 --- a/0060-sev-add-command-to-create-launch-me.patch +++ b/0060-sev-i386-add-command-to-create-laun.patch @@ -1,71 +1,64 @@ -From 5abfa90f247fb546167b2f3a8d201f10707cca30 Mon Sep 17 00:00:00 2001 +From 0c5346f2b8f38e938f277c9df91068cbcad12ad2 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:09 -0600 -Subject: [PATCH] sev: add command to create launch memory encryption context +Date: Thu, 15 Feb 2018 09:03:22 -0600 +Subject: [PATCH] sev/i386: add command to create launch memory encryption + context The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK). The encryption key created with the command will be used for encrypting the bootstrap images (such as guest bios). Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] 
Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 2 + - include/sysemu/sev.h | 10 +++++ - 3 files changed, 111 insertions(+) + target/i386/sev.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++- + target/i386/trace-events | 2 ++ + 2 files changed, 92 insertions(+), 1 deletion(-) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 2c4bbba3c3..2ecc6a1d1a 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -29,6 +29,17 @@ static int sev_fd; +diff --git a/target/i386/sev.c b/target/i386/sev.c +index de5c8d4675..6f767084fd 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -29,6 +29,8 @@ static int sev_fd; + static uint32_t x86_cbitpos; + static uint32_t x86_reduced_phys_bits; - #define SEV_FW_MAX_ERROR 0x17 - -+static SevGuestState current_sev_guest_state = SEV_STATE_UNINIT; -+ -+static const char *const sev_state_str[] = { -+ "uninit", -+ "lupdate", -+ "secret", -+ "running", -+ "supdate", -+ "rupdate", -+}; ++static SevState current_sev_guest_state = SEV_STATE_UNINIT; + static const char *const sev_fw_errlist[] = { "", "Platform state is invalid", -@@ -86,6 +97,16 @@ fw_error_to_str(int code) +@@ -88,6 +90,16 @@ fw_error_to_str(int code) return sev_fw_errlist[code]; } +static void -+sev_set_guest_state(SevGuestState new_state) ++sev_set_guest_state(SevState new_state) +{ -+ assert(new_state < SEV_STATE_MAX); ++ assert(new_state < SEV_STATE__MAX); + -+ trace_kvm_sev_change_state(sev_state_str[current_sev_guest_state], -+ sev_state_str[new_state]); ++ trace_kvm_sev_change_state(SevState_str(current_sev_guest_state), ++ SevState_str(new_state)); + current_sev_guest_state = new_state; +} + static void sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size) { -@@ -337,6 +358,7 @@ sev_get_me_mask(void) - void - sev_get_current_state(char **state) +@@ -365,7 +377,7 @@ sev_get_reduced_phys_bits(void) + SevState + sev_get_current_state(void) { -+ *state = 
g_strdup(sev_state_str[current_sev_guest_state]); +- return SEV_STATE_UNINIT; ++ return current_sev_guest_state; } bool -@@ -355,6 +377,76 @@ sev_get_policy(uint32_t *policy) +@@ -384,6 +396,76 @@ sev_get_policy(uint32_t *policy) { } @@ -142,7 +135,7 @@ index 2c4bbba3c3..2ecc6a1d1a 100644 void * sev_guest_init(const char *id) { -@@ -398,6 +490,13 @@ sev_guest_init(const char *id) +@@ -439,6 +521,13 @@ sev_guest_init(const char *id) goto err; } @@ -153,37 +146,16 @@ index 2c4bbba3c3..2ecc6a1d1a 100644 + } + + - sev_active = true; - ram_block_notifier_add(&sev_ram_notifier); - -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index 364c84bd7a..5d993ca08e 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -17,3 +17,5 @@ kvm_irqchip_release_virq(int virq) "virq %d" + me_mask = (1UL << cbitpos); + x86_reduced_phys_bits = reduced_phys_bits; + x86_cbitpos = cbitpos; +diff --git a/target/i386/trace-events b/target/i386/trace-events +index ffa3d22504..9402251e99 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -10,3 +10,5 @@ kvm_x86_update_msi_routes(int num) "Updated %d MSI routes" kvm_sev_init(void) "" kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu" kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" +kvm_sev_change_state(const char *old, const char *new) "%s -> %s" +kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -index 121e7e4aa4..08014a9c94 100644 ---- a/include/sysemu/sev.h -+++ b/include/sysemu/sev.h -@@ -58,6 +58,16 @@ struct QSevGuestInfoClass { - ObjectClass parent_class; - }; - -+typedef enum { -+ SEV_STATE_UNINIT = 0, -+ SEV_STATE_LUPDATE, -+ SEV_STATE_SECRET, -+ SEV_STATE_RUNNING, -+ SEV_STATE_SUPDATE, -+ SEV_STATE_RUPDATE, -+ SEV_STATE_MAX -+} SevGuestState; -+ - struct SEVState { - QSevGuestInfo *sev_info; - }; 
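Review bot: The new trace point `kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p"` declares `policy` as `int` while the sev-guest object stores it as `uint32_t` and the QMP schema exposes it as `uint32`; declare it `uint32_t policy` so the `%x` conversion matches the type handed in. `sev_set_guest_state` is otherwise fine: it now uses the QAPI-generated `SevState_str` and `SEV_STATE__MAX`, which keeps the HMP/QMP state names and the trace names from drifting apart.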
diff --git a/0061-sev-add-command-to-encrypt-guest-me.patch b/0061-sev-i386-add-command-to-encrypt-gue.patch similarity index 62% rename from 0061-sev-add-command-to-encrypt-guest-me.patch rename to 0061-sev-i386-add-command-to-encrypt-gue.patch index d855f98..ff25f3f 100644 --- a/0061-sev-add-command-to-encrypt-guest-me.patch +++ b/0061-sev-i386-add-command-to-encrypt-gue.patch @@ -1,20 +1,24 @@ -From bcbe925e0f93234b0f0f6ecf4e5b8d400a46a691 Mon Sep 17 00:00:00 2001 +From b7326c19d0504bb913c80075648a71c9830cda10 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:10 -0600 -Subject: [PATCH] sev: add command to encrypt guest memory region +Date: Thu, 15 Feb 2018 09:03:22 -0600 +Subject: [PATCH] sev/i386: add command to encrypt guest memory region The KVM_SEV_LAUNCH_UPDATE_DATA command is used to encrypt a guest memory region using the VM Encryption Key created using LAUNCH_START. +Cc: Paolo Bonzini +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/kvm-all.c | 2 ++ - accel/kvm/sev.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 1 + - include/sysemu/sev.h | 1 + - 4 files changed, 53 insertions(+) + accel/kvm/kvm-all.c | 2 ++ + include/sysemu/sev.h | 1 + + stubs/sev.c | 5 +++++ + target/i386/sev.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++ + target/i386/trace-events | 1 + + 5 files changed, 58 insertions(+) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index f1fb826f06..37f7c442dc 100644 
@@ -29,24 +33,51 @@ index f1fb826f06..37f7c442dc 100644 } ret = kvm_arch_init(ms, s); -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 2ecc6a1d1a..4414bda255 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -97,6 +97,12 @@ fw_error_to_str(int code) +diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h +index 5c8c549b68..c16102b05e 100644 +--- a/include/sysemu/sev.h ++++ b/include/sysemu/sev.h +@@ -69,5 +69,6 @@ struct SEVState { + typedef struct SEVState SEVState; + + void *sev_guest_init(const char *id); ++int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len); + + #endif +diff --git a/stubs/sev.c b/stubs/sev.c +index 24c7b0c3e0..74182bb545 100644 +--- a/stubs/sev.c ++++ b/stubs/sev.c +@@ -15,6 +15,11 @@ + #include "qemu-common.h" + #include "sysemu/sev.h" + ++int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) ++{ ++ return 1; ++} ++ + SevState sev_get_current_state(void) + { + return SEV_STATE_UNINIT; +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 6f767084fd..04a64b5bc6 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -90,6 +90,12 @@ fw_error_to_str(int code) return sev_fw_errlist[code]; } +static bool -+sev_check_state(SevGuestState state) ++sev_check_state(SevState state) +{ + return current_sev_guest_state == state ? true : false; +} + static void - sev_set_guest_state(SevGuestState new_state) + sev_set_guest_state(SevState new_state) { -@@ -447,6 +453,36 @@ sev_launch_start(SEVState *s) +@@ -466,6 +472,36 @@ sev_launch_start(SEVState *s) return 0; } @@ -83,7 +114,7 @@ index 2ecc6a1d1a..4414bda255 100644 void * sev_guest_init(const char *id) { -@@ -506,6 +542,19 @@ err: +@@ -540,6 +576,19 @@ err: return NULL; } 
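Review bot: `sev_check_state` returns `current_sev_guest_state == state ? true : false;`, where the ternary adds nothing over the comparison; write `return current_sev_guest_state == state;`. The new `sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)` prototype in sysemu/sev.h and its stub returning `1` leave the return convention undocumented; add above the declaration `/* Encrypt [ptr, ptr+len) with the guest's VEK via LAUNCH_UPDATE_DATA; returns 0 on success, non-zero on failure (the stub always fails). */`, hedged to whatever the real implementation (whose body is outside this hunk) actually returns.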
@@ -103,24 +134,12 @@ index 2ecc6a1d1a..4414bda255 100644 static void sev_register_types(void) { -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index 5d993ca08e..bd92f868b7 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -19,3 +19,4 @@ kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu" +diff --git a/target/i386/trace-events b/target/i386/trace-events +index 9402251e99..c0cd8e9321 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -12,3 +12,4 @@ kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu" kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" kvm_sev_change_state(const char *old, const char *new) "%s -> %s" kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" +kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64 -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -index 08014a9c94..f7af1a00c5 100644 ---- a/include/sysemu/sev.h -+++ b/include/sysemu/sev.h -@@ -75,6 +75,7 @@ struct SEVState { - typedef struct SEVState SEVState; - - void *sev_guest_init(const char *id); -+int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len); - - #endif - diff --git a/0062-target-i386-encrypt-bios-rom.patch b/0062-target-i386-encrypt-bios-rom.patch index b71c877..84d40b2 100644 --- a/0062-target-i386-encrypt-bios-rom.patch +++ b/0062-target-i386-encrypt-bios-rom.patch @@ -1,6 +1,6 @@ -From 6301b846ebcf3ff2afb0cefbb480447383dc2814 Mon Sep 17 00:00:00 2001 +From e6990d56a3b6d4702cec1c3d35c037e906eb39c0 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:10 -0600 +Date: Thu, 15 Feb 2018 09:03:22 -0600 Subject: [PATCH] target/i386: encrypt bios rom SEV requires that guest bios must be encrypted before booting the guest. 
diff --git a/0063-sev-add-support-to-LAUNCH_MEASURE-c.patch b/0063-sev-i386-add-support-to-LAUNCH_MEAS.patch similarity index 65% rename from 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch rename to 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch index 8909fc8..80237c7 100644 --- a/0063-sev-add-support-to-LAUNCH_MEASURE-c.patch +++ b/0063-sev-i386-add-support-to-LAUNCH_MEAS.patch @@ -1,7 +1,7 @@ -From 8593c38925a2c54bceb27e16f1ad9f02789afbf4 Mon Sep 17 00:00:00 2001 +From 0bc4fd78361c340ad4ee0c77bfde2d487fb580f5 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:10 -0600 -Subject: [PATCH] sev: add support to LAUNCH_MEASURE command +Date: Thu, 15 Feb 2018 09:03:23 -0600 +Subject: [PATCH] sev/i386: add support to LAUNCH_MEASURE command During machine creation we encrypted the guest bios image, the LAUNCH_MEASURE command can be used to retrieve the measurement of @@ -9,24 +9,58 @@ the encrypted memory region. This measurement is a signature of the memory contents that can be sent to the guest owner as an attestation that the memory was encrypted correctly by the firmware. VM management tools like libvirt can query the measurement using -query-launch-measure QMP command. +query-sev-launch-measure QMP command. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] 
Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 1 + - accel/stubs/kvm-stub.c | 5 ++++ - include/sysemu/sev.h | 2 ++ - 4 files changed, 75 insertions(+) + include/sysemu/sev.h | 2 ++ + stubs/sev.c | 5 ++++ + target/i386/sev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++ + target/i386/trace-events | 1 + + 4 files changed, 76 insertions(+) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 4414bda255..8d99c6cda4 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c +diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h +index c16102b05e..ad4a1f1338 100644 +--- a/include/sysemu/sev.h ++++ b/include/sysemu/sev.h +@@ -33,6 +33,7 @@ extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build); + extern void sev_get_policy(uint32_t *policy); + extern uint32_t sev_get_cbit_position(void); + extern uint32_t sev_get_reduced_phys_bits(void); ++extern char *sev_get_launch_measurement(void); + + typedef struct QSevGuestInfo QSevGuestInfo; + typedef struct QSevGuestInfoClass QSevGuestInfoClass; +@@ -64,6 +65,7 @@ struct QSevGuestInfoClass { + + struct SEVState { + QSevGuestInfo *sev_info; ++ gchar *measurement; + }; + + typedef struct SEVState SEVState; +diff --git a/stubs/sev.c b/stubs/sev.c +index 74182bb545..5420ada7fd 100644 +--- a/stubs/sev.c ++++ b/stubs/sev.c +@@ -57,3 +57,8 @@ void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) + void sev_get_policy(uint32_t *policy) + { + } ++ ++char *sev_get_launch_measurement(void) ++{ ++ return NULL; ++} +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 04a64b5bc6..401b2a33d7 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c @@ -19,6 +19,7 @@ #include "sysemu/sev.h" #include "sysemu/sysemu.h" 
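Review bot: The new `extern char *sev_get_launch_measurement(void);` in include/sysemu/sev.h does not say who owns the returned string; the implementation added later in this same patch returns a `g_strdup()` copy or NULL, so every caller must `g_free()` it. A comment on the prototype, `/* Returns a newly allocated copy of the launch measurement, or NULL if none is available; the caller frees it with g_free(). */`, would prevent leaks or double frees at call sites such as the QMP handler. The stubs/sev.c version returning NULL is consistent with that contract and could carry the same comment.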
@@ -35,15 +69,15 @@ index 4414bda255..8d99c6cda4 100644 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" -@@ -26,6 +27,7 @@ - static uint64_t me_mask; - static bool sev_active; +@@ -28,6 +29,7 @@ static bool sev_active; static int sev_fd; + static uint32_t x86_cbitpos; + static uint32_t x86_reduced_phys_bits; +static SEVState *sev_state; - #define SEV_FW_MAX_ERROR 0x17 + static SevState current_sev_guest_state = SEV_STATE_UNINIT; -@@ -483,6 +485,68 @@ err: +@@ -502,6 +504,69 @@ err: return ret; } @@ -87,7 +121,7 @@ index 4414bda255..8d99c6cda4 100644 + goto free_data; + } + -+ sev_set_guest_state(SEV_STATE_SECRET); ++ sev_set_guest_state(SEV_STATE_LSECRET); + + /* encode the measurement value and emit the event */ + s->measurement = g_base64_encode(data, measurement->len); @@ -102,7 +136,8 @@ index 4414bda255..8d99c6cda4 100644 +char * +sev_get_launch_measurement(void) +{ -+ return g_strdup(sev_state->measurement); ++ return current_sev_guest_state >= SEV_STATE_LSECRET ? ++ g_strdup(sev_state->measurement) : NULL; +} + +static Notifier sev_machine_done_notify = { @@ -112,8 +147,8 @@ index 4414bda255..8d99c6cda4 100644 void * sev_guest_init(const char *id) { -@@ -535,6 +599,9 @@ sev_guest_init(const char *id) - +@@ -569,6 +634,9 @@ sev_guest_init(const char *id) + x86_cbitpos = cbitpos; sev_active = true; ram_block_notifier_add(&sev_ram_notifier); + qemu_add_machine_init_done_notifier(&sev_machine_done_notify); 
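Review bot: The guard `current_sev_guest_state >= SEV_STATE_LSECRET` in `sev_get_launch_measurement` relies on the numeric order of the SevState enum (LSECRET sorting before RUNNING and any later state), which is not visible here and is easy to break when a value is inserted; a comment stating the assumption, `/* a measurement exists once the launch has reached LSECRET or any later state */`, or an explicit test against the states that carry a measurement, would make the intent checkable. The same expression dereferences `sev_state`, which appears safe only because the state cannot leave UNINIT before `sev_guest_init` assigns `sev_state = s;` (a context line in a later hunk); that dependency is worth a word in the same comment. `sev_launch_get_measure`, whose tail is also in this hunk, starts outside it.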
@@ -122,48 +157,12 @@ index 4414bda255..8d99c6cda4 100644 return s; err: -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index bd92f868b7..19742bf9dd 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -20,3 +20,4 @@ kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" +diff --git a/target/i386/trace-events b/target/i386/trace-events +index c0cd8e9321..f7a1a1e6b8 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -13,3 +13,4 @@ kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" kvm_sev_change_state(const char *old, const char *new) "%s -> %s" kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64 +kvm_sev_launch_measurement(const char *value) "data %s" -diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c -index e7d579e3e5..d0f1aa6d6f 100644 ---- a/accel/stubs/kvm-stub.c -+++ b/accel/stubs/kvm-stub.c -@@ -133,6 +133,11 @@ void sev_get_policy(uint32_t *policy) - { - } - -+char *sev_get_launch_measurement(void) -+{ -+ return NULL; -+} -+ - bool kvm_memcrypt_enabled(void) - { - return false; -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -index f7af1a00c5..c173ad33f8 100644 ---- a/include/sysemu/sev.h -+++ b/include/sysemu/sev.h -@@ -30,6 +30,7 @@ extern uint64_t sev_get_me_mask(void); - extern void sev_get_current_state(char **state); - extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build); - extern void sev_get_policy(uint32_t *policy); -+extern char *sev_get_launch_measurement(void); - - typedef struct QSevGuestInfo QSevGuestInfo; - typedef struct QSevGuestInfoClass QSevGuestInfoClass; -@@ -70,6 +71,7 @@ typedef enum { - - struct SEVState { - QSevGuestInfo *sev_info; -+ gchar *measurement; - }; - - typedef struct SEVState SEVState; 
diff --git a/0064-sev-Finalize-the-SEV-guest-launch-f.patch b/0064-sev-i386-finalize-the-SEV-guest-lau.patch similarity index 65% rename from 0064-sev-Finalize-the-SEV-guest-launch-f.patch rename to 0064-sev-i386-finalize-the-SEV-guest-lau.patch index f731f7a..69d2bc6 100644 --- a/0064-sev-Finalize-the-SEV-guest-launch-f.patch +++ b/0064-sev-i386-finalize-the-SEV-guest-lau.patch @@ -1,26 +1,27 @@ -From 5f926f58bd02e7c42d7840a653cc33d83c90a5af Mon Sep 17 00:00:00 2001 +From 15ba1a246b2e68d9dbb6d8db3e065f26b33062cc Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:10 -0600 -Subject: [PATCH] sev: Finalize the SEV guest launch flow +Date: Thu, 15 Feb 2018 09:03:23 -0600 +Subject: [PATCH] sev/i386: finalize the SEV guest launch flow SEV launch flow requires us to issue LAUNCH_FINISH command before guest is ready to run. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 29 +++++++++++++++++++++++++++++ - accel/kvm/trace-events | 1 + + target/i386/sev.c | 29 +++++++++++++++++++++++++++++ + target/i386/trace-events | 1 + 2 files changed, 30 insertions(+) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 8d99c6cda4..e422f43caa 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -547,6 +547,34 @@ static Notifier sev_machine_done_notify = { +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 401b2a33d7..305ef65191 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -567,6 +567,34 @@ static Notifier sev_machine_done_notify = { .notify = sev_launch_get_measure, }; @@ -55,7 +56,7 @@ index 8d99c6cda4..e422f43caa 100644 void * sev_guest_init(const char *id) { -@@ -600,6 +628,7 @@ sev_guest_init(const char *id) +@@ -635,6 +663,7 @@ sev_guest_init(const char *id) sev_active = true; ram_block_notifier_add(&sev_ram_notifier); qemu_add_machine_init_done_notifier(&sev_machine_done_notify); 
@@ -63,11 +64,11 @@ index 8d99c6cda4..e422f43caa 100644 sev_state = s; -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index 19742bf9dd..e810d75ea1 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -21,3 +21,4 @@ kvm_sev_change_state(const char *old, const char *new) "%s -> %s" +diff --git a/target/i386/trace-events b/target/i386/trace-events +index f7a1a1e6b8..b1fbde6e40 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -14,3 +14,4 @@ kvm_sev_change_state(const char *old, const char *new) "%s -> %s" kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64 kvm_sev_launch_measurement(const char *value) "data %s" diff --git a/0065-hw-i386-set-ram_debug_ops-when-memo.patch b/0065-hw-i386-set-ram_debug_ops-when-memo.patch index 6fc43e2..20cac4f 100644 --- a/0065-hw-i386-set-ram_debug_ops-when-memo.patch +++ b/0065-hw-i386-set-ram_debug_ops-when-memo.patch @@ -1,7 +1,7 @@ -From 730e2bc55583c1ae7ba0aff4b26975f51c2442cd Mon Sep 17 00:00:00 2001 +From 6d17c0a5da11a757f26db7763823fcb53a79d445 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:10 -0600 -Subject: [PATCH] hw: i386: set ram_debug_ops when memory encryption is enabled +Date: Thu, 15 Feb 2018 09:03:23 -0600 +Subject: [PATCH] hw/i386: set ram_debug_ops when memory encryption is enabled When memory encryption is enabled, the guest RAM and boot flash ROM will contain the encrypted data. By setting the debug ops allow us to invoke diff --git a/0066-sev-add-debug-encrypt-and-decrypt-c.patch b/0066-sev-i386-add-debug-encrypt-and-decr.patch similarity index 69% rename from 0066-sev-add-debug-encrypt-and-decrypt-c.patch rename to 0066-sev-i386-add-debug-encrypt-and-decr.patch index 246aed0..2101feb 100644 --- a/0066-sev-add-debug-encrypt-and-decrypt-c.patch +++ b/0066-sev-i386-add-debug-encrypt-and-decr.patch 
@@ -1,23 +1,25 @@ -From ed8f2531e1b008cedfaca01980641c2432693fb3 Mon Sep 17 00:00:00 2001 +From 42f8013adf0a5f8ca17212ee54a8009471d6c8f3 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 -Subject: [PATCH] sev: add debug encrypt and decrypt commands +Date: Thu, 15 Feb 2018 09:03:23 -0600 +Subject: [PATCH] sev/i386: add debug encrypt and decrypt commands KVM_SEV_DBG_DECRYPT and KVM_SEV_DBG_ENCRYPT commands are used for decrypting and encrypting guest memory region. The command works only if the guest policy allows the debugging. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/kvm-all.c | 1 + - accel/kvm/sev.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++ - accel/kvm/trace-events | 1 + - include/sysemu/sev.h | 1 + - 4 files changed, 75 insertions(+) + accel/kvm/kvm-all.c | 1 + + include/sysemu/sev.h | 1 + + stubs/sev.c | 4 +++ + target/i386/sev.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ + target/i386/trace-events | 1 + + 5 files changed, 79 insertions(+) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 37f7c442dc..7d3b7b4107 100644 
@@ -31,11 +33,37 @@ index 37f7c442dc..7d3b7b4107 100644 } ret = kvm_arch_init(ms, s); -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index e422f43caa..7b57575e2f 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -23,11 +23,13 @@ +diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h +index ad4a1f1338..ac70c7a00b 100644 +--- a/include/sysemu/sev.h ++++ b/include/sysemu/sev.h +@@ -72,5 +72,6 @@ typedef struct SEVState SEVState; + + void *sev_guest_init(const char *id); + int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len); ++void sev_set_debug_ops(void *handle, MemoryRegion *mr); + + #endif +diff --git a/stubs/sev.c b/stubs/sev.c +index 5420ada7fd..8ea167031e 100644 +--- a/stubs/sev.c ++++ b/stubs/sev.c +@@ -15,6 +15,10 @@ + #include "qemu-common.h" + #include "sysemu/sev.h" + ++void sev_set_debug_ops(void *handle, MemoryRegion *mr) ++{ ++} ++ + int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) + { + return 1; +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 305ef65191..1fbc3beb16 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -23,6 +23,7 @@ #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" @@ -43,13 +71,15 @@ index e422f43caa..7b57575e2f 100644 static uint64_t me_mask; static bool sev_active; - static int sev_fd; +@@ -30,6 +31,7 @@ static int sev_fd; + static uint32_t x86_cbitpos; + static uint32_t x86_reduced_phys_bits; static SEVState *sev_state; +static MemoryRegionRAMReadWriteOps sev_ops; - #define SEV_FW_MAX_ERROR 0x17 + static SevState current_sev_guest_state = SEV_STATE_UNINIT; -@@ -575,6 +577,51 @@ sev_vm_state_change(void *opaque, int running, RunState state) +@@ -595,6 +597,51 @@ sev_vm_state_change(void *opaque, int running, RunState state) } } 
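Review bot: The new `void sev_set_debug_ops(void *handle, MemoryRegion *mr);` prototype and its empty stub carry no documentation, and the commit message's statement that the debug encrypt/decrypt commands only work when the guest policy allows debugging is not reflected anywhere a user of the header can see. If the policy check lives inside the target/i386 implementation (its body is not visible in this hunk), a comment on the prototype such as `/* Install debug read/write ops on mr; the underlying KVM_SEV_DBG_* commands succeed only when the guest policy permits debugging. */` would document that; if no such check exists, callers should be told that reads through these ops fail for non-debug guests. The `static MemoryRegionRAMReadWriteOps sev_ops;` global would also benefit from a one-line comment naming its purpose.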
@@ -101,7 +131,7 @@ index e422f43caa..7b57575e2f 100644 void * sev_guest_init(const char *id) { -@@ -651,6 +698,31 @@ sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) +@@ -686,6 +733,31 @@ sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) return 0; } @@ -133,24 +163,12 @@ index e422f43caa..7b57575e2f 100644 static void sev_register_types(void) { -diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events -index e810d75ea1..de6a12c51e 100644 ---- a/accel/kvm/trace-events -+++ b/accel/kvm/trace-events -@@ -22,3 +22,4 @@ kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session +diff --git a/target/i386/trace-events b/target/i386/trace-events +index b1fbde6e40..00aa6e98d8 100644 +--- a/target/i386/trace-events ++++ b/target/i386/trace-events +@@ -15,3 +15,4 @@ kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64 kvm_sev_launch_measurement(const char *value) "data %s" kvm_sev_launch_finish(void) "" +kvm_sev_debug(const char *op, const uint8_t *src, uint8_t *dst, int len) "(%s) src %p dst %p len %d" -diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h -index c173ad33f8..186ebca0f9 100644 ---- a/include/sysemu/sev.h -+++ b/include/sysemu/sev.h -@@ -78,6 +78,7 @@ typedef struct SEVState SEVState; - - void *sev_guest_init(const char *id); - int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len); -+void sev_set_debug_ops(void *handle, MemoryRegion *mr); - - #endif - diff --git a/0067-target-i386-clear-C-bit-when-walkin.patch b/0067-target-i386-clear-C-bit-when-walkin.patch index 336cb92..8d966ec 100644 --- a/0067-target-i386-clear-C-bit-when-walkin.patch +++ b/0067-target-i386-clear-C-bit-when-walkin.patch @@ -1,6 +1,6 @@ -From 5be49d786b9d9a39cd2bae56032a6f92a59de93a Mon Sep 17 00:00:00 2001 +From a8962df0b33d17e6af91ec6c3d0f2bf0e866c84e Mon Sep 17 00:00:00 2001 
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 +Date: Thu, 15 Feb 2018 09:03:23 -0600 Subject: [PATCH] target/i386: clear C-bit when walking SEV guest page table In SEV-enabled guest the pte entry will have C-bit set, we need to diff --git a/0068-include-add-psp-sev.h-header-file.patch b/0068-include-add-psp-sev.h-header-file.patch index fdf5007..15e7659 100644 --- a/0068-include-add-psp-sev.h-header-file.patch +++ b/0068-include-add-psp-sev.h-header-file.patch @@ -1,13 +1,14 @@ -From 94e76aa9e24ad99ae746fa717ab4c721160128c1 Mon Sep 17 00:00:00 2001 +From 8ff5e32ef7eb6d2a9a34dbdf78003a6e1cb9fa42 Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 +Date: Thu, 15 Feb 2018 09:03:23 -0600 Subject: [PATCH] include: add psp-sev.h header file The header file provide the ioctl command and structure to communicate with /dev/sev device. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers diff --git a/0069-sev-add-support-to-query-PLATFORM_S.patch b/0069-sev-i386-add-support-to-query-PLATF.patch similarity index 72% rename from 0069-sev-add-support-to-query-PLATFORM_S.patch rename to 0069-sev-i386-add-support-to-query-PLATF.patch index a0e1f14..e3d3f24 100644 --- a/0069-sev-add-support-to-query-PLATFORM_S.patch +++ b/0069-sev-i386-add-support-to-query-PLATF.patch @@ -1,23 +1,24 @@ -From 8798ba8f4a4ba43cf7a34960ed70b32cbe69a4f6 Mon Sep 17 00:00:00 2001 +From fea1c51414bedfc61e5ee31b15e58d638acee4fe Mon Sep 17 00:00:00 2001 From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 -Subject: [PATCH] sev: add support to query PLATFORM_STATUS command +Date: Thu, 15 Feb 2018 09:03:24 -0600 +Subject: [PATCH] sev/i386: add support to query PLATFORM_STATUS command The command is used to query the SEV API version and build id. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost 
Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 33 +++++++++++++++++++++++++++++++++ + target/i386/sev.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 7b57575e2f..186834364e 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c +diff --git a/target/i386/sev.c b/target/i386/sev.c +index 1fbc3beb16..e3236f5bb7 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c @@ -21,6 +21,9 @@ #include "trace.h" #include "qapi-event.h" @@ -28,7 +29,7 @@ index 7b57575e2f..186834364e 100644 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" #define GUEST_POLICY_DBG_BIT 0x1 -@@ -91,6 +94,22 @@ sev_ioctl(int cmd, void *data, int *error) +@@ -84,6 +87,22 @@ sev_ioctl(int cmd, void *data, int *error) return r; } @@ -51,7 +52,7 @@ index 7b57575e2f..186834364e 100644 static const char * fw_error_to_str(int code) { -@@ -380,6 +399,20 @@ sev_enabled(void) +@@ -399,6 +418,20 @@ sev_enabled(void) void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) { diff --git a/0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch b/0070-sev-i386-add-support-to-KVM_SEV_GUE.patch similarity index 56% rename from 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch rename to 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch index cf4624a..b94762e 100644 --- a/0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch +++ b/0070-sev-i386-add-support-to-KVM_SEV_GUE.patch @@ -1,31 +1,36 @@ -From 0139a4366095226b25d4f3f819fc0b0c260ce46b Mon Sep 17 00:00:00 2001 +From b4998b726af3a1da2dc346cac8796ca8fd6b88cd Mon Sep 17 00:00:00 2001 
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 -Subject: [PATCH] sev: add support to KVM_SEV_GUEST_STATUS +Date: Thu, 15 Feb 2018 09:03:24 -0600 +Subject: [PATCH] sev/i386: add support to KVM_SEV_GUEST_STATUS The command is used to query the current SEV guest status. We use this command to query the guest policy for QMP query-sev command. Cc: Paolo Bonzini -Cc: kvm@vger.kernel.org +Cc: Richard Henderson +Cc: Eduardo Habkost Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - accel/kvm/sev.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) + target/i386/sev.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) -diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c -index 186834364e..b149f4ae64 100644 ---- a/accel/kvm/sev.c -+++ b/accel/kvm/sev.c -@@ -418,6 +418,18 @@ sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) +diff --git a/target/i386/sev.c b/target/i386/sev.c +index e3236f5bb7..559881084d 100644 +--- a/target/i386/sev.c ++++ b/target/i386/sev.c +@@ -437,6 +437,22 @@ sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build) void sev_get_policy(uint32_t *policy) { + struct kvm_sev_guest_status status = {}; + int r, err; + ++ if (current_sev_guest_state == SEV_STATE_UNINIT) { ++ return; ++ } ++ + r = sev_ioctl(KVM_SEV_GUEST_STATUS, &status, &err); + if (r) { + error_report("%s: failed to get platform status ret=%d " diff --git a/0071-qmp-add-query-sev-launch-measure-co.patch b/0071-qmp-add-query-sev-launch-measure-co.patch index 76c4e6c..57a0505 100644 --- a/0071-qmp-add-query-sev-launch-measure-co.patch +++ b/0071-qmp-add-query-sev-launch-measure-co.patch @@ -1,6 +1,6 @@ -From 49a869039c960dbc02e6bbee9d0f0d0ce39003d5 Mon Sep 17 00:00:00 2001 +From 53ad8885ec786df6820288255a312e802839ecc4 Mon Sep 17 00:00:00 2001 
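Review bot: The early return added to `sev_get_policy` leaves `*policy` untouched when the guest state is UNINIT, so a caller that does not pre-initialise its variable reads an indeterminate value; either document this on the prototype (`/* *policy is left unchanged unless a SEV guest has been launched */`) or write `*policy = 0;` before the `return;`. The error message on the failure path names the wrong command: it says `failed to get platform status` while the ioctl issued is `KVM_SEV_GUEST_STATUS`, so `error_report("%s: failed to get guest status ret=%d "` would match what actually failed. The rest of the function body is outside the hunk.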
From: Brijesh Singh -Date: Tue, 6 Feb 2018 19:08:11 -0600 +Date: Thu, 15 Feb 2018 09:03:24 -0600 Subject: [PATCH] qmp: add query-sev-launch-measure command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -17,15 +17,15 @@ Signed-off-by: Brijesh Singh [BR: FATE#322124] Signed-off-by: Bruce Rogers --- - qapi-schema.json | 30 ++++++++++++++++++++++++++++++ - qmp.c | 14 ++++++++++++++ - 2 files changed, 44 insertions(+) + qapi-schema.json | 29 +++++++++++++++++++++++++++++ + qmp.c | 17 +++++++++++++++++ + 2 files changed, 46 insertions(+) diff --git a/qapi-schema.json b/qapi-schema.json -index 40c2de3026..8ab8e74956 100644 +index 91a8a74f81..215681fbd7 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -3247,3 +3247,33 @@ +@@ -3257,3 +3257,32 @@ # ## { 'command': 'query-sev', 'returns': 'SevInfo' } @@ -39,7 +39,6 @@ index 40c2de3026..8ab8e74956 100644 +# +# Since: 2.12 +# -+# Notes: If measurement is not available then a null measurement is returned. +## +{ 'struct': 'SevLaunchMeasureInfo', 'data': {'data': 'str'} } + @@ -60,24 +59,27 @@ index 40c2de3026..8ab8e74956 100644 +## +{ 'command': 'query-sev-launch-measure', 'returns': 'SevLaunchMeasureInfo' } diff --git a/qmp.c b/qmp.c -index 4cd01ea666..d9ec4bf18e 100644 +index 3c2d573384..445c668428 100644 --- a/qmp.c +++ b/qmp.c -@@ -738,3 +738,17 @@ SevInfo *qmp_query_sev(Error **errp) +@@ -738,3 +738,20 @@ SevInfo *qmp_query_sev(Error **errp) return info; } + +SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp) +{ -+ SevLaunchMeasureInfo *info = NULL; ++ char *data; ++ SevLaunchMeasureInfo *info; + -+ if (sev_enabled()) { -+ info = g_malloc0(sizeof(*info)); -+ info->data = sev_get_launch_measurement(); -+ } else { -+ error_setg(errp, "SEV is not enabled"); ++ data = sev_get_launch_measurement(); ++ if (!data) { ++ error_setg(errp, "Measurement is not available"); ++ return NULL; + } + ++ info = g_malloc0(sizeof(*info)); ++ info->data = data; ++ + return info; +} 
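Review bot: The hunk deletes the `Notes: If measurement is not available then a null measurement is returned.` line from the `SevLaunchMeasureInfo` documentation in qapi-schema.json, but the new `qmp_query_sev_launch_measure` now fails with `Measurement is not available` instead, and nothing in the schema doc says so; the `query-sev-launch-measure` command doc should gain a line such as `# Returns: an error if SEV is not enabled or the launch measurement has not been taken yet`. Dropping the `sev_enabled()` check also folds the "SEV not enabled" case into the same error string, which is acceptable but worth stating in that doc line so management tools do not probe for a distinct error. The middle of the qapi-schema.json command documentation is not visible in this hunk.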
diff --git a/0072-sev-Fix-build-for-non-x86-hosts.patch b/0072-sev-Fix-build-for-non-x86-hosts.patch
deleted file mode 100644
index 2ac8e4e..0000000
--- a/0072-sev-Fix-build-for-non-x86-hosts.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 5c1a357744cfd2917705907bc3d50efd1184b7d9 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers
-Date: Wed, 7 Feb 2018 14:01:55 -0700
-Subject: [PATCH] sev: Fix build for non-x86 hosts
-
-I imagine the upstream code will still change in a way to not
-require this work around, but for now this works.
-Also bypass the test for query-sev-launch-measure qmp command test,
-since it causes the qemu-testsuite package to fail to build.
-
-[BR: FATE#322124]
-Signed-off-by: Bruce Rogers
----
- accel/kvm/sev.c | 4 ++++
- tests/qmp-test.c | 1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
-index b149f4ae64..0e48d1f249 100644
---- a/accel/kvm/sev.c
-+++ b/accel/kvm/sev.c
-@@ -322,7 +322,11 @@ sev_get_host_cbitpos(void)
- {
- uint32_t ebx;
-
-+#ifdef TARGET_X86_64
- host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
-+#else
- ebx = 0;
-+#endif
-
- return ebx & 0x3f;
- }
-diff --git a/tests/qmp-test.c b/tests/qmp-test.c
-index c5a5c10b41..2b2d9b2a4a 100644
---- a/tests/qmp-test.c
-+++ b/tests/qmp-test.c
-@@ -200,6 +200,7 @@ static bool query_is_blacklisted(const char *cmd)
- "query-gic-capabilities", /* arm */
- /* Success depends on target-specific build configuration: */
- "query-pci", /* CONFIG_PCI */
-+ "query-sev-launch-measure", /* not fully cooked yet */
- NULL
- };
- int i;
diff --git a/0072-tests-qmp-test-blacklist-query-sev-.patch b/0072-tests-qmp-test-blacklist-query-sev-.patch
new file mode 100644
index 0000000..a71ba14
--- /dev/null
+++ b/0072-tests-qmp-test-blacklist-query-sev-.patch
@@ -0,0 +1,36 @@
+From 00751496fa11ed34f0849cb969d794ac1a0b1391 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh
+Date: Thu, 15 Feb 2018 09:03:24 -0600
+Subject: [PATCH] tests/qmp-test: blacklist query-sev-launch-measure command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The query-sev-launch-measure command returns a measurement of encrypted
+memory when SEV is enabled otherwise it returns an error. Blacklist the
+command in qmp-test to fix the 'make check' failure.
+
+Cc: "Daniel P. Berrangé"
+Cc: "Dr. David Alan Gilbert"
+Cc: Markus Armbruster
+Reviewed-by: "Dr. David Alan Gilbert"
+Signed-off-by: Brijesh Singh
+[BR: FATE#322124]
+Signed-off-by: Bruce Rogers
+---
+ tests/qmp-test.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/qmp-test.c b/tests/qmp-test.c
+index c5a5c10b41..06fe0b6f7a 100644
+--- a/tests/qmp-test.c
++++ b/tests/qmp-test.c
+@@ -200,6 +200,8 @@ static bool query_is_blacklisted(const char *cmd)
+ "query-gic-capabilities", /* arm */
+ /* Success depends on target-specific build configuration: */
+ "query-pci", /* CONFIG_PCI */
++ /* Success depends on launching SEV guest */
++ "query-sev-launch-measure",
+ NULL
+ };
+ int i;
diff --git a/0073-sev-i386-add-migration-blocker.patch b/0073-sev-i386-add-migration-blocker.patch
new file mode 100644
index 0000000..bbe2266
--- /dev/null
+++ b/0073-sev-i386-add-migration-blocker.patch
@@ -0,0 +1,60 @@
+From 2957d1d9d2494b2a8582f778e342fb7430fc1406 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh
+Date: Thu, 15 Feb 2018 09:03:24 -0600
+Subject: [PATCH] sev/i386: add migration blocker
+
+SEV guest migration is not implemented yet.
+
+Signed-off-by: Brijesh Singh
+Reviewed-by: Dr. David Alan Gilbert
+[BR: FATE#322124]
+Signed-off-by: Bruce Rogers
+---
+ target/i386/sev.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/target/i386/sev.c b/target/i386/sev.c
+index 559881084d..a4f5a87e9b 100644
+--- a/target/i386/sev.c
++++ b/target/i386/sev.c
+@@ -20,6 +20,7 @@
+ #include "sysemu/sysemu.h"
+ #include "trace.h"
+ #include "qapi-event.h"
++#include "migration/blocker.h"
+
+ #include
+ #include
+@@ -35,6 +36,7 @@ static uint32_t x86_cbitpos;
+ static uint32_t x86_reduced_phys_bits;
+ static SEVState *sev_state;
+ static MemoryRegionRAMReadWriteOps sev_ops;
++static Error *sev_mig_blocker;
+
+ static SevState current_sev_guest_state = SEV_STATE_UNINIT;
+
+@@ -622,6 +624,7 @@ static void
+ sev_launch_finish(SEVState *s)
+ {
+ int ret, error;
++ Error *local_err = NULL;
+
+ trace_kvm_sev_launch_finish();
+ ret = sev_ioctl(KVM_SEV_LAUNCH_FINISH, 0, &error);
+@@ -632,6 +635,16 @@ sev_launch_finish(SEVState *s)
+ }
+
+ sev_set_guest_state(SEV_STATE_RUNNING);
++
++ /* add migration blocker */
++ error_setg(&sev_mig_blocker,
++ "SEV: Migration is not implemented");
++ ret = migrate_add_blocker(sev_mig_blocker, &local_err);
++ if (local_err) {
++ error_report_err(local_err);
++ error_free(sev_mig_blocker);
++ exit(1);
++ }
+ }
+
+ static void
diff --git a/0074-cpu-i386-populate-CPUID-0x8000_001F.patch b/0074-cpu-i386-populate-CPUID-0x8000_001F.patch
new file mode 100644
index 0000000..c5adc63
--- /dev/null
+++ b/0074-cpu-i386-populate-CPUID-0x8000_001F.patch
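Review bot: In the new tail of `sev_launch_finish`, `ret = migrate_add_blocker(sev_mig_blocker, &local_err);` stores a status that is never read because the code tests `local_err` instead; either drop the assignment (`migrate_add_blocker(sev_mig_blocker, &local_err);`) or check `ret`, but not half of each. The blocker is registered only once LAUNCH_FINISH has moved the guest to RUNNING; if migration cannot be initiated before the machine-init-done notifier has run, a comment saying so would justify why the earlier launch states need no blocker, otherwise registering it in `sev_guest_init` would close that window. Calling `exit(1)` from inside a notifier follows what some existing blocker registrations do but deserves a one-line comment as well. The error path of `sev_launch_finish` between the two inner hunks is not visible here.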
@@ -0,0 +1,60 @@
+From 28839121aa98b7e126a7770200041203acd077bb Mon Sep 17 00:00:00 2001
+From: Brijesh Singh
+Date: Thu, 15 Feb 2018 09:03:25 -0600
+Subject: [PATCH] cpu/i386: populate CPUID 0x8000_001F when SEV is active
+
+When SEV is enabled, CPUID 0x8000_001F should provide additional
+information regarding the feature (such as which page table bit is used
+to mark the pages as encrypted etc).
+
+The details for memory encryption CPUID is available in AMD APM
+(https://support.amd.com/TechDocs/24594.pdf) Section E.4.17
+
+Cc: Paolo Bonzini
+Cc: Richard Henderson
+Cc: Eduardo Habkost
+Signed-off-by: Brijesh Singh
+[BR: FATE#322124]
+Signed-off-by: Bruce Rogers
+---
+ target/i386/cpu.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 70c8ae82d5..a7e27f3bbf 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -23,6 +23,7 @@
+ #include "exec/exec-all.h"
+ #include "sysemu/kvm.h"
+ #include "sysemu/cpus.h"
++#include "sysemu/sev.h"
+ #include "kvm_i386.h"
+
+ #include "qemu/error-report.h"
+@@ -3578,6 +3579,13 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ *ecx = 0;
+ *edx = 0;
+ break;
++ case 0x8000001F:
++ *eax = sev_enabled() ? 0x2 : 0;
++ *ebx = sev_get_cbit_position();
++ *ebx |= sev_get_reduced_phys_bits() << 6;
++ *ecx = 0;
++ *edx = 0;
++ break;
+ default:
+ /* reserved values: zero */
+ *eax = 0;
+@@ -4000,6 +4008,11 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
+ if (env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM) {
+ x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000000A);
+ }
++
++ /* SEV requires CPUID[0x8000001F] */
++ if (sev_enabled()) {
++ x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000001F);
++ }
+ }
+
+ /* Set cpuid_*level* based on cpuid_min_*level, if not explicitly set */
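Review bot: The new `case 0x8000001F:` packs `*ebx` from `sev_get_cbit_position()` and `sev_get_reduced_phys_bits() << 6` with no comment on the field layout, and the `0x2` in `*eax = sev_enabled() ? 0x2 : 0;` is a bare magic number; since the commit message already points at APM Section E.4.17, a comment such as `/* EAX bit 1: SEV supported; EBX[5:0]: C-bit position; EBX[11:6]: reduced physical address bits */` would let a reader verify the packing without the manual. When `sev_enabled()` is false, `*ebx` is still filled from the SEV getters rather than zeroed like the other registers, so the leaf's contents then depend on those getters returning 0 for an inactive guest; if that is guaranteed, say so in the comment, otherwise `*ebx = sev_enabled() ? sev_get_cbit_position() | (sev_get_reduced_phys_bits() << 6) : 0;` makes the leaf all-zero when SEV is off. The `x86_cpu_expand_features` hunk is consistent with the new leaf and needs nothing further.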
diff --git a/0075-migration-warn-about-inconsistent-s.patch b/0075-migration-warn-about-inconsistent-s.patch
new file mode 100644
index 0000000..e9e98c7
--- /dev/null
+++ b/0075-migration-warn-about-inconsistent-s.patch
@@ -0,0 +1,75 @@
+From 2b3e17db667199d2df374f2537f0ef60c86add2f Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Wed, 21 Feb 2018 14:00:52 -0700
+Subject: [PATCH] migration: warn about inconsistent spec_ctrl state
+
+As an attempt to help the user do the right thing, warn if we
+detect spec_ctrl data in the migration stream, but where the
+cpu defined doesn't have the feature. This would indicate the
+migration is from the quick and dirty qemu produced in January
+2018 to handle Spectre v2. That qemu version exposed the IBRS
+cpu feature to all vcpu types, which helped in the short term
+but wasn't a well designed approach.
+Warn the user that the now migrated guest needs to be restarted
+as soon as possible, using the spec_ctrl cpu feature flag or a
+*-IBRS vcpu model specified as appropriate.
+
+Signed-off-by: Bruce Rogers
+---
+ cpus.c | 12 ++++++++++++
+ include/qemu/thread.h | 1 +
+ migration/migration.c | 8 ++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/cpus.c b/cpus.c
+index d1e7e28993..238570badc 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -2039,6 +2039,18 @@ exit:
+ fclose(f);
+ }
+
++bool spec_ctrl_is_inconsistent(void)
++{
++#if defined(TARGET_I386)
++ X86CPU *x86_cpu = X86_CPU(current_cpu);
++ CPUX86State *env = &x86_cpu->env;
++ if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_SPEC_CTRL) &&
++ env->spec_ctrl)
++ return true;
++#endif
++ return false;
++}
++
+ void qmp_inject_nmi(Error **errp)
+ {
+ nmi_monitor_handle(monitor_get_cpu_index(), errp);
+diff --git a/include/qemu/thread.h b/include/qemu/thread.h
+index 9910f49b3a..c5803bfacc 100644
+--- a/include/qemu/thread.h
++++ b/include/qemu/thread.h
+@@ -210,4 +210,5 @@ void qemu_lockcnt_inc_and_unlock(QemuLockCnt *lockcnt);
+ */
+ unsigned qemu_lockcnt_count(QemuLockCnt *lockcnt);
+
++bool spec_ctrl_is_inconsistent(void);
+ #endif
+diff --git a/migration/migration.c b/migration/migration.c
+index d780601f0c..d39c43c6b7 100644
+--- a/migration/migration.c
++++ b/migration/migration.c
+@@ -2121,6 +2121,14 @@ static void migration_completion(MigrationState *s, int current_active_state,
+ migrate_set_state(&s->state, current_active_state,
+ MIGRATION_STATUS_COMPLETED);
+ }
++ if (spec_ctrl_is_inconsistent()) {
++ fprintf(stderr, "WARNING! Migration from qemu with rudimentary "
++ "Spectre v2 support to newer qemu\ndetected! To "
++ "maintain proper protection, restart the guest as "
++ "soon as possible\nusing the spec_ctrl cpu feature "
++ "flag or a *-IBRS vcpu model specified\nas appropriate."
++ "\n");
++ }
+
+ return;
+
diff --git a/0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch b/0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
new file mode 100644
index 0000000..cd88f26
--- /dev/null
+++ b/0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
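Review bot: `spec_ctrl_is_inconsistent()` casts `current_cpu`, but its only caller, `migration_completion()`, runs on the migration thread rather than a vCPU thread, where `current_cpu` is as far as I can tell unset; `&x86_cpu->env` is then formed from a NULL object and the `env->features[...]` read dereferences it, so the warning path can crash the migration it is meant to annotate. It also inspects a single vCPU although `spec_ctrl` and `features[]` are per-CPU state; walking every CPU with `CPU_FOREACH`, as below, addresses both points. Since `migration_completion()` is the source-side completion path, please also confirm the check runs on the receiving qemu that the commit message targets — a `post_load` hook in the x86 cpu vmstate would run there. Style-wise, the braceless `if`, `fprintf(stderr, ...)` instead of `warn_report()`, and a prototype placed in `include/qemu/thread.h` rather than a cpu header will draw checkpatch and reviewer comments.
```c
bool spec_ctrl_is_inconsistent(void)
{
#if defined(TARGET_I386)
    CPUState *cs;

    /* Walk every vCPU: current_cpu is a vCPU-thread variable and is not
     * set on the migration thread that calls us. */
    CPU_FOREACH(cs) {
        CPUX86State *env = &X86_CPU(cs)->env;

        if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_SPEC_CTRL) &&
            env->spec_ctrl) {
            return true;
        }
    }
#endif
    return false;
}
/* … unchanged: thread.h prototype and the migration_completion() warning … */
```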
@@ -0,0 +1,37 @@
+From d3e377d2c0d2ab163482f3eaccdfc4c7e291ac7e Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Thu, 22 Feb 2018 04:48:07 -0700
+Subject: [PATCH] i386: Compensate for KVM SPEC_CTRL feature availability bug
+
+As we move away from the quick and dirty qemu solution for
+Spectre v2, it was found that KVM wasn't reporting the SPEC_CTRL
+feature when it in fact was present due to microcode update.
+This patch compensates for that bug by checking for the feature
+in QEMU code (like the quick and dirty solution did), instead of
+simply relying on KVM for that information.
+[BR: BSC#1082276]
+
+Signed-off-by: Bruce Rogers
+---
+ target/i386/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index a7e27f3bbf..5c34175f3f 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -2824,6 +2824,14 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid_eax,
+ wi->cpuid_ecx,
+ wi->cpuid_reg);
++ // BUG!!! We need to compensate for a KVM bug where it doesn't
++ // correctly report support for IBRS (bsc#1082276)
++ if (w == FEAT_7_0_EDX) {
++ uint32_t edx;
++ host_cpuid(7, 0, NULL, NULL, NULL, &edx);
++#define CPUID_7_0_EDX_PRED_CMD (1U << 27)
++ r |= edx & (CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_PRED_CMD);
++ }
+ } else if (tcg_enabled()) {
+ r = wi->tcg_features;
+ } else {
diff --git a/qemu-2.11.0.tar.xz b/qemu-2.11.0.tar.xz
deleted file mode 100644
index a43a511..0000000
--- a/qemu-2.11.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c9d34a79024eae080ce3853aa9afe503824520eefb440190383003081ce7f437
-size 28984736
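Review bot: `CPUID_7_0_EDX_PRED_CMD (1U << 27)` is mislabelled — in CPUID.(7,0):EDX, bit 26 (already `CPUID_7_0_EDX_SPEC_CTRL`) covers both IBRS and IBPB/PRED_CMD while bit 27 is STIBP — and a `#define` dropped into the middle of a function body will not pass checkpatch; move it next to `CPUID_7_0_EDX_SPEC_CTRL` in cpu.h as `#define CPUID_7_0_EDX_STIBP (1U << 27)`. More importantly, OR-ing raw host CPUID bits into `r` bypasses KVM's answer for this feature word, so on a host with the microcode but a KVM that cannot actually handle MSR_IA32_SPEC_CTRL the guest is told the feature exists and its MSR writes may fault — a guest crash or a false sense of mitigation rather than a warning; if the KVM-side knowledge of whether the MSR is in KVM's MSR index list (the `has_msr_spec_ctrl` state in target/i386/kvm.c, if I recall the 2.11.1 tree right) can be exposed, gating the OR on it keeps the workaround scoped to the reported bug. The `//` comments should be `/* */` in this code base, and a `TODO` naming the KVM fix to revert against would help whoever removes the kludge. `x86_cpu_get_supported_feature_word` extends outside the hunk.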
diff --git a/qemu-2.11.0.tar.xz.sig b/qemu-2.11.0.tar.xz.sig deleted file mode 100644 index b4fcdab4801da405acaf824a3d0db46d6c380fe1b2e90de825d9277ce43a72aa..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 287 zcmV+)0pR|L0UQJX0SEvF1p-7w%3 zsroF~5j6Ij`-yA`(3JSvzeo9E*3p|jF))Wy>+)HrSeiNG?` l{kk_1QJ3eFS|4K=oo75XjClVmB1%AUfW>adMrgn&98xsSfGGd~ diff --git a/qemu-2.11.1.tar.xz b/qemu-2.11.1.tar.xz new file mode 100644 index 0000000..096cb62 --- /dev/null +++ b/qemu-2.11.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8a5145d1f8bd2eadc6776f3e13c68cd28d01349e30639bdbcb26ac588d668686 +size 28992188 
diff --git a/qemu-2.11.1.tar.xz.sig b/qemu-2.11.1.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..5079b8c960bfc6a6891df446a9d381ba0d9865f730c5174e7e40ae97e017f353 GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-=xx>^7V2@o?=$ 0050-machine-add-memory-encryption-prope.patch + 0052-kvm-update-kvm.h-to-include-memory-.patch + -> 0051-kvm-update-kvm.h-to-include-memory-.patch + 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch + -> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch + 0056-sev-register-the-guest-memory-range.patch + -> 0057-sev-i386-register-the-guest-memory-.patch + 0057-kvm-introduce-memory-encryption-API.patch + -> 0058-kvm-introduce-memory-encryption-API.patch + 0058-qmp-add-query-sev-command.patch + -> 0054-qmp-add-query-sev-command.patch + 0060-sev-add-command-to-create-launch-me.patch + -> 0060-sev-i386-add-command-to-create-laun.patch + 0061-sev-add-command-to-encrypt-guest-me.patch + -> 0061-sev-i386-add-command-to-encrypt-gue.patch + 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch + -> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch + 0064-sev-Finalize-the-SEV-guest-launch-f.patch + -> 0064-sev-i386-finalize-the-SEV-guest-lau.patch + 0066-sev-add-debug-encrypt-and-decrypt-c.patch + -> 0066-sev-i386-add-debug-encrypt-and-decr.patch + 0069-sev-add-support-to-query-PLATFORM_S.patch + -> 0069-sev-i386-add-support-to-query-PLATF.patch + 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch + -> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 + ------------------------------------------------------------------- Thu Feb 8 18:30:53 UTC 2018 - brogers@suse.com diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 168e0ea..a0bb48d 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec 
@@ -21,9 +21,9 @@ Url: http://www.qemu.org/
 Summary: CPU emulator for user space
 License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
 Group: System/Emulators/PC
-Version: 2.11.0
+Version: 2.11.1
 Release: 0
-Source: qemu-2.11.0.tar.xz
+Source: qemu-2.11.1.tar.xz
 # Upstream First -- http://wiki.qemu-project.org/Contribute/SubmitAPatch
 # This patch queue is auto-generated from https://github.com/openSUSE/qemu
 Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch
@@ -58,7 +58,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
 Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
 Patch0031: 0031-tests-Add-scsi-disk-test.patch
 Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
-Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
+Patch0033: 0033-memfd-fix-configure-test.patch
 Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
 Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
 Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@@ -75,29 +75,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch Patch0047: 0047-exec-add-ram_debug_ops-support.patch Patch0048: 0048-exec-add-debug-version-of-physical-.patch Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch -Patch0050: 0050-target-i386-add-memory-encryption-f.patch -Patch0051: 0051-machine-add-memory-encryption-prope.patch -Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch -Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch -Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch -Patch0055: 0055-sev-add-command-to-initialize-the-m.patch -Patch0056: 0056-sev-register-the-guest-memory-range.patch -Patch0057: 0057-kvm-introduce-memory-encryption-API.patch -Patch0058: 0058-qmp-add-query-sev-command.patch +Patch0050: 0050-machine-add-memory-encryption-prope.patch +Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch +Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch +Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch +Patch0054: 0054-qmp-add-query-sev-command.patch +Patch0055: 0055-sev-i386-add-command-to-initialize-.patch +Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch +Patch0057: 0057-sev-i386-register-the-guest-memory-.patch +Patch0058: 0058-kvm-introduce-memory-encryption-API.patch Patch0059: 0059-hmp-add-info-sev-command.patch -Patch0060: 0060-sev-add-command-to-create-launch-me.patch -Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch +Patch0060: 0060-sev-i386-add-command-to-create-laun.patch +Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch Patch0062: 0062-target-i386-encrypt-bios-rom.patch -Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch -Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch +Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch +Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch -Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch +Patch0066: 
0066-sev-i386-add-debug-encrypt-and-decr.patch Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch Patch0068: 0068-include-add-psp-sev.h-header-file.patch -Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch -Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch +Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch +Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch -Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch +Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch +Patch0073: 0073-sev-i386-add-migration-blocker.patch +Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch +Patch0075: 0075-migration-warn-about-inconsistent-s.patch +Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -126,7 +130,7 @@ architecture. The syscall interface is intercepted and execution below the syscall layer occurs on the native hardware and operating system. %prep -%setup -q -n qemu-2.11.0 +%setup -q -n qemu-2.11.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -199,6 +203,10 @@ syscall layer occurs on the native hardware and operating system. %patch0070 -p1 %patch0071 -p1 %patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %build ./configure \ diff --git a/qemu-linux-user.spec.in b/qemu-linux-user.spec.in index eb00c1e..25406d7 100644 --- a/qemu-linux-user.spec.in +++ b/qemu-linux-user.spec.in @@ -23,7 +23,7 @@ License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT Group: System/Emulators/PC QEMU_VERSION Release: 0 -Source: qemu-2.11.0.tar.xz +Source: qemu-2.11.1.tar.xz # Upstream First -- http://wiki.qemu-project.org/Contribute/SubmitAPatch # This patch queue is auto-generated from https://github.com/openSUSE/qemu PATCH_FILES 
@@ -55,7 +55,7 @@ architecture. The syscall interface is intercepted and execution below the
 syscall layer occurs on the native hardware and operating system.
 
 %prep
-%setup -q -n qemu-2.11.0
+%setup -q -n qemu-2.11.1
 PATCH_EXEC
 
 %build
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index 2d90e62..8355312 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,85 @@ +------------------------------------------------------------------- +Thu Feb 22 12:01:21 UTC 2018 - brogers@suse.com + +- Update to v2.11.1, a stable, (mostly) bug-fix-only release + In addition to bug fixes, of necessity fixes are needed to + address the Spectre v2 vulnerability by passing along to the + guest new hardware features introduced by host microcode updates. + A January 2018 release of qemu initially addressed this issue + by exposing the feature for all x86 vcpu types, which was the + quick and dirty approach, but not the proper solution. We remove + that initial patch and now rely on the upstream solution. This + update instead defines spec_ctrl and ibpb cpu feature flags as + well as new cpu models which are clones of existing models with + either -IBRS or -IBPB added to the end of the model name. These + new vcpu models explicitly include the new feature(s), whereas + the feature flags can be added to the cpu parameter as with other + features. In short, for continued Spectre v2 protection, ensure + that either the appropriate cpu feature flag is added to the QEMU + command-line, or one of the new cpu models is used. Although + migration from older versions is supported, the new cpu features + won't be properly exposed to the guest until it is restarted with + the cpu features explicitly added. A reboot is insufficient. + A warning patch is added which attempts to detect a migration + from a qemu version which had the quick and dirty fix (it only + detects certain cases, but hopefully is helpful.) + s390x guest vulnerability to Spectre v2 is also addressed in this + update by including support for bpb and ppa/stfle.81 features. 
+ (CVE-2017-5715 bsc#1068032) + For additional information on Spectre v2 as it relates to QEMU, + see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ +- Unfortunately, it was found that our current KVM isn't correctly + indicating support for the spec-ctrl feature, so I've added a patch + to still detect that support within QEMU. This is of course a + temporary kludge until KVM gets fixed. (bsc#1082276) +- The SEV support patches are updated to the v9 series. +- Fix incompatibility with recent glibc (boo#1081154) +- Add Supplements tags for the guest agent package in an attempt to + auto-install for QEMU and Xen SUSE Linux guests (fate#323570) +* Patches dropped (subsumed by stable update, or reworked in v9): + 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch + 0050-target-i386-add-memory-encryption-f.patch + 0054-accel-add-Secure-Encrypted-Virtuliz.patch + 0055-sev-add-command-to-initialize-the-m.patch + 0072-sev-Fix-build-for-non-x86-hosts.patch +* Patches added: + 0033-memfd-fix-configure-test.patch + 0053-target-i386-add-Secure-Encrypted-Vi.patch + 0056-qmp-populate-SevInfo-fields-with-SE.patch + 0072-tests-qmp-test-blacklist-query-sev-.patch + 0073-sev-i386-add-migration-blocker.patch + 0074-cpu-i386-populate-CPUID-0x8000_001F.patch + 0075-migration-warn-about-inconsistent-s.patch + 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch +* Patches renamed (plus some minor code changes): + 0051-machine-add-memory-encryption-prope.patch + -> 0050-machine-add-memory-encryption-prope.patch + 0052-kvm-update-kvm.h-to-include-memory-.patch + -> 0051-kvm-update-kvm.h-to-include-memory-.patch + 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch + -> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch + 0056-sev-register-the-guest-memory-range.patch + -> 0057-sev-i386-register-the-guest-memory-.patch + 0057-kvm-introduce-memory-encryption-API.patch + -> 0058-kvm-introduce-memory-encryption-API.patch + 0058-qmp-add-query-sev-command.patch + -> 
0054-qmp-add-query-sev-command.patch + 0060-sev-add-command-to-create-launch-me.patch + -> 0060-sev-i386-add-command-to-create-laun.patch + 0061-sev-add-command-to-encrypt-guest-me.patch + -> 0061-sev-i386-add-command-to-encrypt-gue.patch + 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch + -> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch + 0064-sev-Finalize-the-SEV-guest-launch-f.patch + -> 0064-sev-i386-finalize-the-SEV-guest-lau.patch + 0066-sev-add-debug-encrypt-and-decrypt-c.patch + -> 0066-sev-i386-add-debug-encrypt-and-decr.patch + 0069-sev-add-support-to-query-PLATFORM_S.patch + -> 0069-sev-i386-add-support-to-query-PLATF.patch + 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch + -> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 + ------------------------------------------------------------------- Thu Feb 8 18:29:30 UTC 2018 - brogers@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index b1d1650..ae65b22 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -109,10 +109,10 @@ Url: http://www.qemu.org/ Summary: Machine emulator and virtualizer License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT Group: System/Emulators/PC -Version: 2.11.0 +Version: 2.11.1 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz -Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig +Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz +Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat 
@@ -162,7 +162,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
 Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
 Patch0031: 0031-tests-Add-scsi-disk-test.patch
 Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
-Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
+Patch0033: 0033-memfd-fix-configure-test.patch
 Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
 Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
 Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@@ -179,29 +179,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch Patch0047: 0047-exec-add-ram_debug_ops-support.patch Patch0048: 0048-exec-add-debug-version-of-physical-.patch Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch -Patch0050: 0050-target-i386-add-memory-encryption-f.patch -Patch0051: 0051-machine-add-memory-encryption-prope.patch -Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch -Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch -Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch -Patch0055: 0055-sev-add-command-to-initialize-the-m.patch -Patch0056: 0056-sev-register-the-guest-memory-range.patch -Patch0057: 0057-kvm-introduce-memory-encryption-API.patch -Patch0058: 0058-qmp-add-query-sev-command.patch +Patch0050: 0050-machine-add-memory-encryption-prope.patch +Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch +Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch +Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch +Patch0054: 0054-qmp-add-query-sev-command.patch +Patch0055: 0055-sev-i386-add-command-to-initialize-.patch +Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch +Patch0057: 0057-sev-i386-register-the-guest-memory-.patch +Patch0058: 0058-kvm-introduce-memory-encryption-API.patch Patch0059: 0059-hmp-add-info-sev-command.patch -Patch0060: 0060-sev-add-command-to-create-launch-me.patch -Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch +Patch0060: 0060-sev-i386-add-command-to-create-laun.patch +Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch Patch0062: 0062-target-i386-encrypt-bios-rom.patch -Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch -Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch +Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch +Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch -Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch +Patch0066: 
0066-sev-i386-add-debug-encrypt-and-decr.patch Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch Patch0068: 0068-include-add-psp-sev.h-header-file.patch -Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch -Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch +Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch +Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch -Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch +Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch +Patch0073: 0073-sev-i386-add-migration-blocker.patch +Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch +Patch0075: 0075-migration-warn-about-inconsistent-s.patch +Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -722,6 +726,9 @@ Group: System/Emulators/PC Provides: qemu:%_bindir/qemu-ga Requires(pre): shadow Requires(post): udev +Supplements: modalias(acpi*:QEMU0002:*) +Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*) +Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*) %{?systemd_requires} %description guest-agent @@ -797,7 +804,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.11.0 +%setup -q -n qemu-2.11.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -870,6 +877,10 @@ This package provides a service file for starting and stopping KSM. %patch0070 -p1 %patch0071 -p1 %patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %if 0%{?suse_version} > 1320 %patch1000 -p1 diff --git a/qemu.changes b/qemu.changes index 2d90e62..8355312 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,85 @@ +------------------------------------------------------------------- +Thu Feb 22 12:01:21 UTC 2018 - brogers@suse.com + +- Update to v2.11.1, a stable, (mostly) bug-fix-only release + In addition to bug fixes, of necessity fixes are needed to + address the Spectre v2 vulnerability by passing along to the + guest new hardware features introduced by host microcode updates. + A January 2018 release of qemu initially addressed this issue + by exposing the feature for all x86 vcpu types, which was the + quick and dirty approach, but not the proper solution. We remove + that initial patch and now rely on the upstream solution. This + update instead defines spec_ctrl and ibpb cpu feature flags as + well as new cpu models which are clones of existing models with + either -IBRS or -IBPB added to the end of the model name. These + new vcpu models explicitly include the new feature(s), whereas + the feature flags can be added to the cpu parameter as with other + features. In short, for continued Spectre v2 protection, ensure + that either the appropriate cpu feature flag is added to the QEMU + command-line, or one of the new cpu models is used. Although + migration from older versions is supported, the new cpu features + won't be properly exposed to the guest until it is restarted with + the cpu features explicitly added. A reboot is insufficient. + A warning patch is added which attempts to detect a migration + from a qemu version which had the quick and dirty fix (it only + detects certain cases, but hopefully is helpful.) + s390x guest vulnerability to Spectre v2 is also addressed in this + update by including support for bpb and ppa/stfle.81 features. 
+ (CVE-2017-5715 bsc#1068032) + For additional information on Spectre v2 as it relates to QEMU, + see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ +- Unfortunately, it was found that our current KVM isn't correctly + indicating support for the spec-ctrl feature, so I've added a patch + to still detect that support within QEMU. This is of course a + temporary kludge until KVM gets fixed. (bsc#1082276) +- The SEV support patches are updated to the v9 series. +- Fix incompatibility with recent glibc (boo#1081154) +- Add Supplements tags for the guest agent package in an attempt to + auto-install for QEMU and Xen SUSE Linux guests (fate#323570) +* Patches dropped (subsumed by stable update, or reworked in v9): + 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch + 0050-target-i386-add-memory-encryption-f.patch + 0054-accel-add-Secure-Encrypted-Virtuliz.patch + 0055-sev-add-command-to-initialize-the-m.patch + 0072-sev-Fix-build-for-non-x86-hosts.patch +* Patches added: + 0033-memfd-fix-configure-test.patch + 0053-target-i386-add-Secure-Encrypted-Vi.patch + 0056-qmp-populate-SevInfo-fields-with-SE.patch + 0072-tests-qmp-test-blacklist-query-sev-.patch + 0073-sev-i386-add-migration-blocker.patch + 0074-cpu-i386-populate-CPUID-0x8000_001F.patch + 0075-migration-warn-about-inconsistent-s.patch + 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch +* Patches renamed (plus some minor code changes): + 0051-machine-add-memory-encryption-prope.patch + -> 0050-machine-add-memory-encryption-prope.patch + 0052-kvm-update-kvm.h-to-include-memory-.patch + -> 0051-kvm-update-kvm.h-to-include-memory-.patch + 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch + -> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch + 0056-sev-register-the-guest-memory-range.patch + -> 0057-sev-i386-register-the-guest-memory-.patch + 0057-kvm-introduce-memory-encryption-API.patch + -> 0058-kvm-introduce-memory-encryption-API.patch + 0058-qmp-add-query-sev-command.patch + -> 
0054-qmp-add-query-sev-command.patch + 0060-sev-add-command-to-create-launch-me.patch + -> 0060-sev-i386-add-command-to-create-laun.patch + 0061-sev-add-command-to-encrypt-guest-me.patch + -> 0061-sev-i386-add-command-to-encrypt-gue.patch + 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch + -> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch + 0064-sev-Finalize-the-SEV-guest-launch-f.patch + -> 0064-sev-i386-finalize-the-SEV-guest-lau.patch + 0066-sev-add-debug-encrypt-and-decrypt-c.patch + -> 0066-sev-i386-add-debug-encrypt-and-decr.patch + 0069-sev-add-support-to-query-PLATFORM_S.patch + -> 0069-sev-i386-add-support-to-query-PLATF.patch + 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch + -> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 + ------------------------------------------------------------------- Thu Feb 8 18:29:30 UTC 2018 - brogers@suse.com diff --git a/qemu.spec b/qemu.spec index 8746996..b3e1016 100644 --- a/qemu.spec +++ b/qemu.spec @@ -109,10 +109,10 @@ Url: http://www.qemu.org/ Summary: Machine emulator and virtualizer License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT Group: System/Emulators/PC -Version: 2.11.0 +Version: 2.11.1 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz -Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig +Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz +Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat 
@@ -162,7 +162,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
 Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
 Patch0031: 0031-tests-Add-scsi-disk-test.patch
 Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
-Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
+Patch0033: 0033-memfd-fix-configure-test.patch
 Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
 Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
 Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@@ -179,29 +179,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch Patch0047: 0047-exec-add-ram_debug_ops-support.patch Patch0048: 0048-exec-add-debug-version-of-physical-.patch Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch -Patch0050: 0050-target-i386-add-memory-encryption-f.patch -Patch0051: 0051-machine-add-memory-encryption-prope.patch -Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch -Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch -Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch -Patch0055: 0055-sev-add-command-to-initialize-the-m.patch -Patch0056: 0056-sev-register-the-guest-memory-range.patch -Patch0057: 0057-kvm-introduce-memory-encryption-API.patch -Patch0058: 0058-qmp-add-query-sev-command.patch +Patch0050: 0050-machine-add-memory-encryption-prope.patch +Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch +Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch +Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch +Patch0054: 0054-qmp-add-query-sev-command.patch +Patch0055: 0055-sev-i386-add-command-to-initialize-.patch +Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch +Patch0057: 0057-sev-i386-register-the-guest-memory-.patch +Patch0058: 0058-kvm-introduce-memory-encryption-API.patch Patch0059: 0059-hmp-add-info-sev-command.patch -Patch0060: 0060-sev-add-command-to-create-launch-me.patch -Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch +Patch0060: 0060-sev-i386-add-command-to-create-laun.patch +Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch Patch0062: 0062-target-i386-encrypt-bios-rom.patch -Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch -Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch +Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch +Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch -Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch +Patch0066: 
0066-sev-i386-add-debug-encrypt-and-decr.patch Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch Patch0068: 0068-include-add-psp-sev.h-header-file.patch -Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch -Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch +Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch +Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch -Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch +Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch +Patch0073: 0073-sev-i386-add-migration-blocker.patch +Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch +Patch0075: 0075-migration-warn-about-inconsistent-s.patch +Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -722,6 +726,9 @@ Group: System/Emulators/PC Provides: qemu:%_bindir/qemu-ga Requires(pre): shadow Requires(post): udev +Supplements: modalias(acpi*:QEMU0002:*) +Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*) +Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*) %{?systemd_requires} %description guest-agent @@ -797,7 +804,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.11.0 +%setup -q -n qemu-2.11.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -870,6 +877,10 @@ This package provides a service file for starting and stopping KSM. %patch0070 -p1 %patch0071 -p1 %patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %if 0%{?suse_version} > 1320 %patch1000 -p1 diff --git a/qemu.spec.in b/qemu.spec.in index 375f5b1..065e4f4 100644 --- a/qemu.spec.in +++ b/qemu.spec.in 
@@ -111,8 +111,8 @@ License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
 Group: System/Emulators/PC
 QEMU_VERSION
 Release: 0
-Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz
-Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig
+Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz
+Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig
 Source1: 80-kvm.rules
 Source2: qemu-ifup
 Source3: kvm_stat
@@ -652,6 +652,9 @@ Group: System/Emulators/PC
 Provides: qemu:%_bindir/qemu-ga
 Requires(pre): shadow
 Requires(post): udev
+Supplements: modalias(acpi*:QEMU0002:*)
+Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
+Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*)
 %{?systemd_requires}
 
 %description guest-agent
@@ -727,7 +730,7 @@ This package provides a service file for starting and stopping KSM.
 %endif # !qemu-testsuite
 
 %prep
-%setup -q -n qemu-2.11.0
+%setup -q -n qemu-2.11.1
 PATCH_EXEC
 
 %if 0%{?suse_version} > 1320
diff --git a/update_git.sh b/update_git.sh
index 7ba16fc..59220e7 100644
--- a/update_git.sh
+++ b/update_git.sh
@@ -14,7 +14,7 @@ set -e
 GIT_TREE=git://github.com/openSUSE/qemu.git
 GIT_LOCAL_TREE=~/git/qemu-opensuse
 GIT_BRANCH=opensuse-2.11
-GIT_UPSTREAM_TAG=v2.11.0
+GIT_UPSTREAM_TAG=v2.11.1
 GIT_DIR=/dev/shm/qemu-factory-git-dir
 CMP_DIR=/dev/shm/qemu-factory-cmp-dir