forked from pool/qemu

Accepting request 959502 from home:dfaggioli:experimental:Virtualization

- Build PPC firmwares from sources on non-PPC builds as well (bsc#1193545)
- Build RiscV firmwares on non-RiscV builds as well
- While there, refactor (and simplify!) the firmware building logic and code
  * Patches added:
     Makefile-define-endianess-for-cross-buil.patch
- Include vmxcap in the qemu-tools package (is being very useful for debugging bsc#1193364)
- The qemu package should require qemu-x86, qemu-arm, etc, as there's no point installing it without _any_ of them. Additionally, right now, the user does not get a working qemu, if recommended packages are disabled (e.g., on MicroOS or SLE Micro). bsc#1196087
- Give clearer instructions on how to modify the package patches from the output of update_git.sh (docs change only, no functional change)
- qemu,kvm: potential privilege escalation via virtiofsd (bsc#1195161, CVE-2022-0358)
  * Patches added:
     virtiofsd-Drop-membership-of-all-supplem.patch

OBS-URL: https://build.opensuse.org/request/show/959502
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=691
Dario Faggioli 2022-03-04 18:04:00 +00:00 committed by Git OBS Bridge
parent 5435e8a804
commit 0251d2a2c0
7 changed files with 569 additions and 359 deletions


@ -0,0 +1,28 @@
From: Dario Faggioli <dfaggioli@suse.com>
Date: Wed, 16 Feb 2022 19:22:01 +0100
Subject: Makefile: define endianess for cross-building on aarch64
Git-commit: 0000000000000000000000000000000000000000
References: bsc#1193545
Include aarch64 in the endianess check, so we can cross-build from
there too.
Signed-of-by: Dario Faggioli <dfaggioli@suse.com>
---
Makefile.main | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roms/skiboot/Makefile.main b/roms/skiboot/Makefile.main
index c8a63e8b110f3c6bf115314da7bf..98790ec5c3b0f35272f032798353 100644
--- a/roms/skiboot/Makefile.main
+++ b/roms/skiboot/Makefile.main
@@ -50,7 +50,7 @@ endif
# Host tools and options
HOSTCC=gcc
-HOSTEND=$(shell uname -m | sed -e 's/^i.*86$$/LITTLE/' -e 's/^x86.*/LITTLE/' -e 's/^ppc64le/LITTLE/' -e 's/^ppc.*/BIG/')
+HOSTEND=$(shell uname -m | sed -e 's/^i.*86$$/LITTLE/' -e 's/^x86.*/LITTLE/' -e 's/^ppc64le/LITTLE/' -e 's/^aarch64/LITTLE/' -e 's/^ppc.*/BIG/')
HOSTCFLAGS:=-O1 $(CWARNS) -DHAVE_$(HOSTEND)_ENDIAN -MMD
HOSTCFLAGS += $(call try-cflag,$(HOSTCC),-std=gnu11)
HOSTCFLAGS += $(call try-cflag,$(HOSTCC),-m64)
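
Review bot: the new `-e 's/^aarch64/LITTLE/'` expression on the HOSTEND line is not anchored at the end, so a big-endian arm64 host reporting `aarch64_be` from `uname -m` would become `LITTLE_be` and yield `-DHAVE_LITTLE_be_ENDIAN`; anchoring it as `^aarch64$$` (as the `i.*86$$` expression already does) avoids that. The chain also has no fallback: any machine name not listed passes through unchanged into `-DHAVE_$(HOSTEND)_ENDIAN`, so a default or an explicit error for unknown hosts would make later cross-build additions safer. In the patch header, `Signed-of-by:` should be `Signed-off-by:`, and the all-zero `Git-commit:` could be replaced once the change has an upstream id.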


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c193bc35a37fe2cdcac868f1c4be435022839ea65dab738da7ad58ae0e173c9f
size 74216
oid sha256:0dcea7c34fdbef6dc0537f15260f037d6c3e3513315749018555dfbf45745691
size 76160
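
Review bot: the oid and size lines here only swap a Git LFS pointer (74216 to 76160 bytes), so the content of the changed object cannot be reviewed from this diff. It would help to state in the request which file this pointer belongs to and what was added to it, so a reviewer can fetch the object, check it against the new sha256 and compare its contents with the patches listed in the changelog.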


@ -1,3 +1,43 @@
-------------------------------------------------------------------
Tue Mar 1 16:58:31 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Build PPC firmwares from sources on non-PPC builds as well
(bsc#1193545)
- Build RiscV firmwares on non-RiscV builds as well
- While there, refactor (and simplify!) the firmware building
logic and code
* Patches added:
Makefile-define-endianess-for-cross-buil.patch
-------------------------------------------------------------------
Fri Feb 18 18:39:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Include vmxcap in the qemu-tools package (is being very useful
for debugging bsc#1193364)
-------------------------------------------------------------------
Fri Feb 18 18:26:26 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- The qemu package should require qemu-x86, qemu-arm, etc, as there's
no point installing it without _any_ of them. Additionally, right
now, the user does not get a working qemu, if recommended packages
are disabled (e.g., on MicroOS or SLE Micro). bsc#1196087
-------------------------------------------------------------------
Wed Feb 18 15:31:48 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Give clearer instructions on how to modify the package patches
from the output of update_git.sh (docs change only, no functional
change)
-------------------------------------------------------------------
Wed Feb 18 12:25:15 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- qemu,kvm: potential privilege escalation via virtiofsd
(bsc#1195161, CVE-2022-0358)
* Patches added:
virtiofsd-Drop-membership-of-all-supplem.patch
-------------------------------------------------------------------
Fri Feb 18 11:47:54 UTC 2022 - Li Zhang <li.zhang@suse.com>
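
Review bot: the entries stamped `Wed Feb 18 15:31:48 UTC 2022` and `Wed Feb 18 12:25:15 UTC 2022` carry a weekday that disagrees with the neighbouring `Fri Feb 18` entries in this same hunk; both should read Fri, otherwise changelog date checks may flag them. The second of these is the CVE-2022-0358 entry, so it is worth getting right, since that is the line people will search for when auditing whether the virtiofsd fix is present.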

qemu.spec

@ -1,5 +1,5 @@
#
# spec file for package qemu
# spec file
#
# Copyright (c) 2022 SUSE LLC
#
@ -22,39 +22,50 @@
%define _buildshell /bin/bash
%define build_x86_firmware_from_source 0
%define build_skiboot_from_source 0
%define build_slof_from_source 0
%define build_opensbi_from_source 0
%define build_x86_firmware 0
%define build_ppc_firmware 0
%define build_opensbi_firmware 0
%define kvm_available 0
%define legacy_qemu_kvm 0
%define force_fit_virtio_pxe_rom 1
%define build_rom_arch %ix86 x86_64 aarch64
%if "%{?distribution}" == ""
%define distro private-build
%else
%define distro %{distribution}
%endif
%ifarch %{build_rom_arch}
# choice of building all from source or using provided binary x86 blobs
%define build_x86_firmware_from_source 1
%endif
# So, we have openSUSE:Factory, and we have "ports". In openSUSE:Factory, we
# have i586 and x86_64. In the :ARM port, we have aarch64, armv6l and armv7l.
# In the :PowerPC port, we have ppc64, ppc and ppc64le. In the :zSystems port
# we have s390x. And in the :RISCV we have riscv.
#
# Ideally, we'd want to build the firmwares at least once per port, and then
# share the resulting packages among the arch-es within each port (check the
# `ExportFilter` directives in the project config).
#
# Of course, we always build the "native fimrwares" (e.g., x86 firmwares on
# x86_64, PPC firmwares on ppc64le, etc). But we also cross compile as much
# firmwares as we can (e.g., both x86 and PPC firmwares on aarch64) so they'll
# be available in as many ports as possible (as noarch packages).
%ifarch ppc64
%define build_skiboot_from_source 0
%define build_slof_from_source 1
%ifarch x86_64 aarch64
%define build_ppc_firmware 1
# Currently, opensbi does not cross build cleanly on 15.3 and 15.4
%if ! 0%{?sle_version}
%define build_opensbi_firmware 1
%endif
%ifarch ppc64le
%define build_skiboot_from_source 0
%define build_slof_from_source 1
%define build_x86_firmware 1
%endif
%ifarch ppc64 ppc64le
%define build_ppc_firmware 1
%if ! 0%{?sle_version}
%define build_opensbi_firmware 1
%endif
# FIXME: Try to enable cross building of x86 firmwares here on PPC
%endif
%ifarch riscv64
%define build_opensbi_from_source 1
%define build_opensbi_firmware 1
%endif
%ifarch %ix86 x86_64 ppc ppc64 ppc64le s390x armv7hl aarch64
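
Review bot: the guard `%if ! 0%{?sle_version}` around `build_opensbi_firmware` is broader than the comment above it, which names only 15.3 and 15.4: as written it disables the opensbi build wherever `sle_version` is defined at all. Either test the specific versions or reword the comment. The same guard is repeated in the `%ifarch x86_64 aarch64` and `%ifarch ppc64 ppc64le` blocks, so a single helper macro defined once would keep the two from drifting apart. Small things in the new comment: "fimrwares" should be "firmwares", and "in the :RISCV we have riscv" does not match the `%ifarch riscv64` used below.
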
@ -202,6 +213,7 @@ Patch00066: iotests-60-more-accurate-set-dirty-bit-i.patch
Patch00067: iotest-214-explicit-compression-type.patch
Patch00068: iotests-declare-lack-of-support-for-comp.patch
Patch00069: block-backend-Retain-permissions-after-m.patch
Patch00070: virtiofsd-Drop-membership-of-all-supplem.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
@ -215,6 +227,8 @@ Patch02003: help-compiler-out-by-initializing-array.patch
# Patches applied in roms/sgabios/:
Patch03000: sgabios-Makefile-fix-issues-of-build-rep.patch
Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch
# Patches applied in roms/skiboot/:
Patch05000: Makefile-define-endianess-for-cross-buil.patch
# Patches applied in roms/qboot/:
Patch11000: qboot-add-cross.ini-file-to-handle-aarch.patch
# Patches applied in roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/:
@ -250,47 +264,52 @@ syscall layer occurs on the native hardware and operating system.
# above section is for qemu-linux-user
# ------------------------------------------------------------------------
%else
%if %{build_x86_firmware_from_source}
%if %{build_x86_firmware}
BuildRequires: acpica
%endif
BuildRequires: pkgconfig(alsa)
%if %{build_x86_firmware_from_source}
BuildRequires: binutils-devel
%endif
BuildRequires: bison
BuildRequires: brlapi-devel
%if %{build_x86_firmware_from_source}
%ifnarch %{ix86} x86_64
BuildRequires: dos2unix
BuildRequires: glibc-devel-32bit
BuildRequires: pkgconfig(liblzma)
%ifnarch %ix86 x86_64
# We must cross-compile on non-x86*
BuildRequires: cross-x86_64-binutils
BuildRequires: cross-x86_64-gcc%gcc_version
%endif
%endif
BuildRequires: pkgconfig(libcurl) >= 7.29
BuildRequires: pkgconfig(libsasl2)
%if %{build_x86_firmware_from_source}
BuildRequires: dos2unix
%if %{build_opensbi_firmware}
%ifnarch riscv64
BuildRequires: cross-riscv64-binutils
BuildRequires: cross-riscv64-gcc%gcc_version
%endif
%endif
%if %{build_ppc_firmware}
%ifnarch ppc64 ppc64le
BuildRequires: cross-ppc64-binutils
BuildRequires: cross-ppc64-gcc%gcc_version
%endif
%endif
BuildRequires: bison
BuildRequires: brlapi-devel
BuildRequires: flex
BuildRequires: pkgconfig(glib-2.0) >= 2.56
%if %{build_x86_firmware_from_source}
BuildRequires: glibc-devel-32bit
%endif
BuildRequires: libaio-devel
BuildRequires: libattr-devel
BuildRequires: libbz2-devel
BuildRequires: libfdt-devel >= 1.4.2
BuildRequires: libgcrypt-devel >= 1.8.0
BuildRequires: pkgconfig(alsa)
BuildRequires: pkgconfig(epoxy)
BuildRequires: pkgconfig(gbm)
BuildRequires: pkgconfig(glib-2.0) >= 2.56
BuildRequires: pkgconfig(glusterfs-api) >= 3
BuildRequires: pkgconfig(gnutls) >= 3.5.18
BuildRequires: pkgconfig(gtk+-3.0) >= 3.22
BuildRequires: pkgconfig(libcacard) >= 2.5.1
BuildRequires: pkgconfig(libcap-ng)
BuildRequires: pkgconfig(libcurl) >= 7.29
BuildRequires: pkgconfig(libdrm)
BuildRequires: pkgconfig(libiscsi) >= 1.9.0
BuildRequires: pkgconfig(libjpeg)
BuildRequires: pkgconfig(libsasl2)
%if 0%{?with_daxctl}
BuildRequires: pkgconfig(libndctl)
%endif
@ -342,9 +361,6 @@ BuildRequires: pkgconfig(vte-2.91)
BuildRequires: xen-devel >= 4.2
%endif
BuildRequires: xfsprogs-devel
%if %{build_x86_firmware_from_source}
BuildRequires: pkgconfig(liblzma)
%endif
BuildRequires: pkgconfig(libzstd)
BuildRequires: pkgconfig(zlib)
%if "%{name}" == "qemu"
@ -358,6 +374,26 @@ Requires(post): udev
%ifarch s390x
Requires(post): procps
%endif
%ifarch %ix86 x86_64
Requires: qemu-x86
%else
Suggests: qemu-x86
%endif
%ifarch ppc ppc64 ppc64le
Requires: qemu-ppc
%else
Suggests: qemu-ppc
%endif
%ifarch s390x
Requires: qemu-s390x
%else
Suggests: qemu-s390x
%endif
%ifarch %arm aarch64
Requires: qemu-arm
%else
Suggests: qemu-arm
%endif
Recommends: kvm_stat
%endif
Recommends: qemu-block-curl
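
Review bot: the four new `Requires:` branches cover x86, PPC, s390x and ARM only, so on any other build architecture (this spec has an `%ifarch riscv64` block further up) every branch falls to `Suggests:` and the package can still be installed without any emulator, which is the situation the changelog entry for bsc#1196087 says should not happen. Either add a branch for the remaining architectures or say in the changelog that the guarantee is limited to these four families.
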
@ -377,26 +413,6 @@ Recommends: qemu-hw-usb-smartcard
Recommends: qemu-ui-gtk
Recommends: qemu-ui-spice-app
%endif
%ifarch %{ix86} x86_64
Recommends: qemu-x86
%else
Suggests: qemu-x86
%endif
%ifarch ppc ppc64 ppc64le
Recommends: qemu-ppc
%else
Suggests: qemu-ppc
%endif
%ifarch s390x
Recommends: qemu-s390x
%else
Suggests: qemu-s390x
%endif
%ifarch %arm aarch64
Recommends: qemu-arm
%else
Suggests: qemu-arm
%endif
Suggests: qemu-block-dmg
Suggests: qemu-block-gluster
Suggests: qemu-block-iscsi
@ -453,6 +469,7 @@ Group: System/Emulators/PC
Version: %{qemuver}
Release: 0
Requires: %name = %{qemuver}
Requires: qemu-SLOF
Recommends: qemu-ipxe
Recommends: qemu-vgabios
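
Review bot: the added `Requires: qemu-SLOF` is unversioned, while the line just above it pins `%name = %{qemuver}`. Since `slof.bin` is moved out of this package's file list in a later hunk, any installed qemu-SLOF version will satisfy the dependency; a versioned requirement would keep the firmware and the emulator in step. Note also that the SLOF subpackage is only defined under `%if %{build_ppc_firmware}`, so on architectures where that macro stays 0 this requirement can only be met by the noarch package exported from another architecture's build.
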
@ -915,7 +932,7 @@ Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
This package contains the QEMU guest agent. It is installed in the linux guest
to provide information and control at the guest OS level.
%ifarch %{build_rom_arch}
%if %{build_x86_firmware}
%package microvm
Summary: x86 MicroVM firmware for QEMU
Group: System/Emulators/PC
@ -980,6 +997,7 @@ Provides Preboot Execution Environment (PXE) ROM support for various emulated
network adapters available with QEMU.
%endif
%if %{build_ppc_firmware}
%package skiboot
Summary: OPAL firmware (aka skiboot), used in booting OpenPOWER systems
Group: System/Emulators/PC
@ -994,6 +1012,18 @@ Provides: %name:%_datadir/%name/forsplits/06
Provides OPAL (OpenPower Abstraction Layer) firmware, aka skiboot, as
traditionally packaged with QEMU.
%package SLOF
Summary: Slimline Open Firmware - SLOF
Group: System/Emulators/PC
Version: %{qemuver}
Release: 0
BuildArch: noarch
%description SLOF
Slimline Open Firmware (SLOF) is an implementation of the IEEE 1275 standard.
It can be used as partition firmware for pSeries machines running on QEMU or KVM.
%endif
%package ksm
Summary: Kernel Samepage Merging services
Group: System/Emulators/PC
@ -1171,6 +1201,7 @@ This package records qemu testsuite results and represents successful testing.
%patch00067 -p1
%patch00068 -p1
%patch00069 -p1
%patch00070 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
@ -1183,6 +1214,7 @@ This package records qemu testsuite results and represents successful testing.
%patch02003 -p1
%patch03000 -p1
%patch03001 -p1
%patch05000 -p1
%patch11000 -p1
%patch27000 -p1
@ -1194,85 +1226,69 @@ This package records qemu testsuite results and represents successful testing.
# u-boot.e500 u-boot-sam460-20100605.bin opensbi-riscv32-generic-fw_dynamic.bin
# opensbi-riscv32-generic-fw_dynamic.elfnpcm7xx_bootrom.bin
# This first list group isn't specific to what this instance builds
%define ppc_default_firmware {%nil}
# Note that:
# - default firmwares are built "by default", i.e., they're built automatically
# during the process of building QEMU (on each specific arch)
# - extra firmwares are built "manually" (see below) from their own sources
# (which, typically, are submodules checked out in the {srcdi}r/roms directory)
%define ppc_default_firmware %{nil}
%define ppc_extra_firmware {skiboot.lid slof.bin}
%define ppc64_only_default_firmware {%nil}
%define ppc64_only_extra_firmware {%nil}
%define riscv64_default_firmware {opensbi-riscv64-generic-fw_dynamic.bin \
%define riscv64_default_firmware %{nil}
%define riscv64_extra_firmware {opensbi-riscv64-generic-fw_dynamic.bin \
opensbi-riscv64-generic-fw_dynamic.elf}
%define riscv64_extra_firmware {%nil}
%define s390x_default_firmware {s390-ccw.img s390-netboot.img}
%define s390x_extra_firmware {%nil}
%define s390x_extra_firmware %{nil}
%define x86_default_firmware {linuxboot.bin linuxboot_dma.bin multiboot.bin \
multiboot_dma.bin kvmvapic.bin pvh.bin}
%define x86_extra_firmware {bios.bin bios-256k.bin bios-microvm.bin qboot.rom \
pxe-e1000.rom pxe-eepro100.rom pxe-ne2k_pci.rom pxe-pcnet.rom pxe-rtl8139.rom \
pxe-virtio.rom sgabios.bin vgabios-ati.bin vgabios-bochs-display.bin \
vgabios.bin vgabios-cirrus.bin vgabios-qxl.bin vgabios-ramfb.bin \
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin}
%define x86_64_only_default_firmware {%nil}
%define x86_64_only_extra_firmware {efi-e1000.rom efi-e1000e.rom \
efi-eepro100.rom efi-ne2k_pci.rom efi-pcnet.rom efi-rtl8139.rom efi-virtio.rom \
efi-vmxnet3.rom}
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
efi-e1000.rom efi-e1000e.rom efi-eepro100.rom efi-ne2k_pci.rom efi-pcnet.rom \
efi-rtl8139.rom efi-virtio.rom efi-vmxnet3.rom}
# Complete list of all the firmwares that we build, if we consider
# all the builds, on all the arches.
%define firmware { \
%{?ppc_default_firmware} %{?ppc_extra_firmware} \
%{?ppc64_only_default_firmware} %{?ppc64_only_extra_firmware} \
%{?riscv64_default_firmware} %{?riscv64_extra_firmware} \
%{?s390x_default_firmware} %{?s390x_extra_firmware} \
%{?x86_default_firmware} %{?x86_extra_firmware} \
%{?x86_64_only_default_firmware} %{?x86_64_only_extra_firmware} }
%{ppc_default_firmware} %{ppc_extra_firmware} \
%{riscv64_default_firmware} %{riscv64_extra_firmware} \
%{s390x_default_firmware} %{s390x_extra_firmware} \
%{x86_default_firmware} %{x86_extra_firmware} }
# This second list group is specific to what this instance builds
# Note that:
# - {arch}_default_built_firmware are the firmwares that we will be built by
# default in this particular build, on the arch where we currently are on
# - {arch}_extra_built_fimrware, likewise, but for extra firmwares, built manually
%ifarch ppc64 ppc64le
%define ppc_default_built_firmware %{ppc_default_firmware}
%if %{build_skiboot_from_source} && %{build_slof_from_source}
%define ppc_extra_built_firmware %{ppc_extra_firmware}
%else
%if %{build_skiboot_from_source}
%define ppc_extra_built_firmware {skiboot.lid}
%endif
%if %{build_slof_from_source}
%define ppc_extra_built_firmware {slof.bin}
%endif
%endif
%ifarch ppc64
%define ppc64_only_default_built_firmware %{ppc64_only_default_firmware}
%define ppc64_only_extra_built_firmware %{ppc64_only_extra_firmware}
%endif
%ifarch riscv64
%define riscv64_default_built_firmware %{riscv64_default_firmware}
%define riscv64_extra_built_firmware %{riscv64_extra_firmware}
%endif
%ifarch s390x
%define s390x_default_built_firmware %{s390x_default_firmware}
%define s390x_extra_built_firmware %{s390x_extra_firmware}
%endif
%ifarch %ix86 x86_64
%define x86_default_built_firmware %{x86_default_firmware}
%ifarch x86_64
%define x86_64_only_default_built_firmware %{x86_64_only_default_firmware}
%endif
%endif
%if %{build_x86_firmware_from_source}
%if %{build_opensbi_firmware}
%define riscv64_extra_built_firmware %{riscv64_extra_firmware}
%endif
%if %{build_ppc_firmware}
%define ppc_extra_built_firmware %{ppc_extra_firmware}
%endif
%if %{build_x86_firmware}
%define x86_extra_built_firmware %{x86_extra_firmware}
%ifarch x86_64
%define x86_64_only_extra_built_firmware %{x86_64_only_extra_firmware}
%endif
%endif
# List of only firmwares that will actually be built, in this instance
%define built_firmware { \
%{?ppc_default_built_firmware} %{?ppc_extra_built_firmware} \
%{?ppc64_only_default_built_firmware} %{?ppc64_only_extra_built_firmware} \
%{?riscv64_default_built_firmware} %{?riscv64_extra_built_firmware} \
%{?s390x_default_built_firmware} %{?s390x_extra_built_firmware} \
%{?x86_default_built_firmware} %{?x86_extra_built_firmware} \
%{?x86_64_only_default_built_firmware} %{?x86_64_only_extra_built_firmware} }
%{?x86_default_built_firmware} %{?x86_extra_built_firmware} }
# above section is for qemu and qemu-testsuite
%endif
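
Review bot: the new explanatory comments in this hunk contain typos that make them harder to read and to grep: `{srcdi}r/roms` should be `{srcdir}/roms`, `{arch}_extra_built_fimrware` should end in `_firmware`, and "the firmwares that we will be built by default" should read "the firmwares that will be built by default". The `%nil` spelling is also mixed here (`%{nil}` on some defines, `{%nil}` on others); picking one form for all of the list macros would make it obvious that they expand the same way.
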
@ -1503,7 +1519,9 @@ cd %blddir
%if "%{name}" == "qemu"
# delete the firmware files that we intend to build
# Let's build QEMU (and all the "default" firmwares, for each arch)
# First, delete the firmware files that we intend to build...
for i in %built_firmware
do
unlink %srcdir/pc-bios/$i
@ -1511,68 +1529,57 @@ done
make %{?_smp_mflags} V=1
# Firmware
%ifarch s390x
for i in %s390x_default_built_firmware
# ... And then, reinstate the firmwares that have been built already
for i in %{?s390x_default_built_firmware}
do
cp pc-bios/s390-ccw/$i %srcdir/pc-bios/
done
%endif
%ifarch ppc64
for i in %ppc64_only_default_built_firmware
do
cp pc-bios/spapr-rtas/$i %srcdir/pc-bios/
done
%endif
%ifarch %ix86 x86_64
for i in %x86_default_built_firmware
for i in %{?x86_default_built_firmware}
do
cp pc-bios/optionrom/$i %srcdir/pc-bios/
done
%ifarch x86_64
for i in %x86_64_only_default_built_firmware
do
cp pc-bios/optionrom/$i %srcdir/pc-bios/
done
%endif
# Build the "extra" firmwares. Note that the QEMU Makefile in {srcdir}/roms
# does some cross-compiler auto detection. So we often don't need to define
# or pass CROSS= and CROSS_COMPILE ourselves.
%if %{build_ppc_firmware}
# FIXME: check if we can upstream: Makefile-define-endianess-for-cross-buil.patch
make %{?_smp_mflags} -C %srcdir/roms skiboot
make %{?_smp_mflags} -C %srcdir/roms slof
%endif
%if %{build_x86_firmware_from_source}
%ifnarch %{ix86} x86_64
export CC=x86_64-suse-linux-gcc
export LD=x86_64-suse-linux-ld
%if %{build_opensbi_firmware}
make %{?_smp_mflags} -C %srcdir/roms opensbi64-generic
%endif
%if %{build_x86_firmware}
make %{?_smp_mflags} -C %srcdir/roms bios \
SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
# FIXME: check if we can upstream: roms-Makefile-add-cross-file-to-qboot-me.patch
# and qboot-add-cross.ini-file-to-handle-aarch.patch
make %{?_smp_mflags} -C %srcdir/roms qboot
make %{?_smp_mflags} -C %srcdir/roms seavgabios \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
make %{?_smp_mflags} -C %srcdir/roms seavgabios-ati \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
make %{?_smp_mflags} -C %srcdir/roms pxerom
%ifnarch %ix86
make %{?_smp_mflags} -C %srcdir/roms efirom \
EDK2_BASETOOLS_OPTFLAGS='-fPIE'
%endif
make -C %srcdir/roms sgabios \
HOSTCC=cc
# We're currently not building firmware on ix86, but let's make sure this works
# fine if one enables it, e.g., locally (for debugging or something).
# FIXME: check if we can get rid or upstream: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch
make -C %srcdir/roms sgabios HOSTCC=cc \
%ifnarch %ix86 x86_64
CC=x86_64-suse-linux-gcc LD=x86_64-suse-linux-ld \
%endif
%if %{force_fit_virtio_pxe_rom}
pushd %srcdir
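
Review bot: the sgabios invocation now ends its last shell line in a continuation backslash on both paths (`HOSTCC=cc \` when the `%ifnarch` block is skipped, `CC=x86_64-suse-linux-gcc LD=x86_64-suse-linux-ld \` when it is taken), so whatever line follows `%endif` after macro expansion is joined onto the make command unless an empty line separates them; as rendered here that next line is `pushd %srcdir`. The bios, seavgabios and seavgabios-ati calls use the same pattern with `HOSTCC=cc \` before `%endif`. Collecting the optional arguments in a shell variable set inside the `%ifnarch` block, and passing that variable on a command line with no trailing backslash, removes the dependence on blank lines.
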
@ -1607,26 +1614,13 @@ for i in %supported_nics_small
exit 1
fi
done
%ifnarch %{ix86} x86_64
unset CC
unset LD
%endif
%endif
%if %{build_skiboot_from_source}
make %{?_smp_mflags} -C %srcdir/roms skiboot CROSS=
%endif
# End of {build_x86_firmware}
%if %{build_slof_from_source}
make %{?_smp_mflags} -C %srcdir/roms slof
%endif
# End of "{name}" == "qemu"
%if %{build_opensbi_from_source}
make %{?_smp_mflags} -C %srcdir/roms opensbi64-generic CROSS_COMPILE=
%endif
# above section is for qemu
%endif
# ------------------------------------------------------------------------
%if "%{name}" == "qemu-testsuite"
@ -1778,15 +1772,7 @@ ln -s qemu-binfmt %{buildroot}%_bindir/qemu-xtensaeb-binfmt
%if "%{name}" == "qemu"
make %{?_smp_mflags} install DESTDIR=%{buildroot}
%ifarch %{build_rom_arch}
install -D -m 0644 %{SOURCE14} %{buildroot}%_datadir/%name/firmware/50-seabios-256k.json
install -D -m 0644 %{SOURCE15} %{buildroot}%_datadir/%name/firmware/60-seabios-128k.json
%else
for f in %{x86_extra_firmware} \
%{x86_64_only_extra_firmware}; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
%find_lang %name
install -d -m 0755 %{buildroot}%_datadir/%name/firmware
install -d -m 0755 %{buildroot}/usr/lib/supportconfig/plugins
@ -1796,6 +1782,7 @@ install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup
install -D -p -m 0644 %{SOURCE8} %{buildroot}/usr/lib/udev/rules.d/80-qemu-ga.rules
install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py
install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py
install -D -m 0755 scripts/kvm/vmxcap %{buildroot}%_bindir/vmxcap
install -D -m 0755 %{SOURCE9} %{buildroot}/usr/lib/supportconfig/plugins/%name
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
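
Review bot: the `install ... scripts/kvm/vmxcap %{buildroot}%_bindir/vmxcap` line is unconditional, and the matching `%_bindir/vmxcap` entry in the files list further down has no architecture guard either, so the script is shipped on every architecture although it only reports Intel VMX capabilities. Wrapping both the install line and the files entry in `%ifarch %ix86 x86_64` would keep it off ports where it cannot do anything.
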
@ -1843,17 +1830,43 @@ unlink %{buildroot}%_datadir/%name/edk2-x86_64-secure-code.fd
# this was never meant for customer consumption - delete even though installed
unlink %{buildroot}%_bindir/elf2dmp
install -D -m 0644 %{SOURCE201} %{buildroot}%_datadir/%name/forsplits/pkg-split.txt
for X in 00 01 02 03 04 05 07 08 09 10 11 12 13 14 15 16 17 18 19
do
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/$X
done
# For PPC and x86 firmwares, there are a few extra install steps necessary.
# In general, if we know that we have not built a firmware, remove it from the
# install base, as the one that we have there is the upstream binary, that got
# copied there during `make install`.
%if %{build_ppc_firmware}
# in support of update-alternatives
mv %{buildroot}%_datadir/%name/skiboot.lid %{buildroot}%_datadir/%name/skiboot.lid.qemu
# create a dummy target for /etc/alternatives/skiboot.lid
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
ln -s -f %{_sysconfdir}/alternatives/skiboot.lid %{buildroot}%{_datadir}/%name/skiboot.lid
install -D -m 0644 %{SOURCE201} %{buildroot}%_datadir/%name/forsplits/pkg-split.txt
for X in 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
do
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/$X
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/06
%else
for f in %{ppc_extra_firmware} ; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
# For riscv64 firmwares (currently, only opensbi), we leave them there in
# any case, because they're part of the qemu-extra package, and riscv is
# a bit special in many ways already.
%if %{build_x86_firmware}
install -D -m 0644 %{SOURCE14} %{buildroot}%_datadir/%name/firmware/50-seabios-256k.json
install -D -m 0644 %{SOURCE15} %{buildroot}%_datadir/%name/firmware/60-seabios-128k.json
%else
for f in %{x86_extra_firmware} ; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
%suse_update_desktop_file qemu
%fdupes -s %{buildroot}
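
Review bot: the riscv64 comment in this hunk means the opensbi files are handled differently from the PPC and x86 ones: those get unlinked in the `%else` branches when they were not built, while opensbi is left in place "in any case". Where `build_opensbi_firmware` is 0 (the `sle_version` guard earlier in the spec), the package therefore ships the upstream prebuilt binaries that `make install` copied, not something built from source in this build. That is worth stating in the changelog next to "Build RiscV firmwares on non-RiscV builds as well", or the opensbi files could get the same unlink treatment so that every shipped firmware has a known build origin.
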
@ -1918,6 +1931,7 @@ fi
%postun ksm
%service_del_postun ksm.service
%if %{build_ppc_firmware}
%post skiboot
update-alternatives --install \
%{_datadir}/%name/skiboot.lid skiboot.lid %{_datadir}/%name/skiboot.lid.qemu 15
@ -1926,6 +1940,7 @@ update-alternatives --install \
if [ ! -f %{_datadir}/%name/skiboot.lid.qemu ] ; then
update-alternatives --remove skiboot.lid %{_datadir}/%name/skiboot.lid.qemu
fi
%endif
# above section is for qemu
%endif
@ -2212,7 +2227,6 @@ fi
%_datadir/%name/canyonlands.dtb
%_datadir/%name/openbios-ppc
%_datadir/%name/qemu_vga.ndrv
%_datadir/%name/slof.bin
%_datadir/%name/u-boot.e500
%_datadir/%name/u-boot-sam460-20100605.bin
%dir %_docdir/qemu-ppc
@ -2464,7 +2478,7 @@ fi
%files lang -f %blddir/%name.lang
%defattr(-, root, root)
%ifarch %{build_rom_arch}
%if %{build_x86_firmware}
%files seabios
%defattr(-, root, root)
%dir %_datadir/%name
@ -2516,6 +2530,7 @@ fi
%_datadir/%name/pxe-virtio.rom
%endif
%if %{build_ppc_firmware}
%files skiboot
%defattr(-, root, root)
%dir %_datadir/%name
@ -2525,6 +2540,12 @@ fi
%_datadir/%name/skiboot.lid.qemu
%ghost %_sysconfdir/alternatives/skiboot.lid
%files SLOF
%defattr(-, root, root)
%dir %_datadir/%name
%_datadir/%name/slof.bin
%endif
%files vhost-user-gpu
%defattr(-, root, root)
%dir %_datadir/%name/vhost-user
@ -2542,6 +2563,7 @@ fi
%_bindir/qemu-pr-helper
%_bindir/qemu-storage-daemon
%_bindir/vmstate-static-checker.py
%_bindir/vmxcap
%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
%_libexecdir/virtfs-proxy-helper
%_libexecdir/virtiofsd


@ -22,39 +22,50 @@
%define _buildshell /bin/bash
%define build_x86_firmware_from_source 0
%define build_skiboot_from_source 0
%define build_slof_from_source 0
%define build_opensbi_from_source 0
%define build_x86_firmware 0
%define build_ppc_firmware 0
%define build_opensbi_firmware 0
%define kvm_available 0
%define legacy_qemu_kvm 0
%define force_fit_virtio_pxe_rom 1
%define build_rom_arch %ix86 x86_64 aarch64
%if "%{?distribution}" == ""
%define distro private-build
%else
%define distro %{distribution}
%endif
%ifarch %{build_rom_arch}
# choice of building all from source or using provided binary x86 blobs
%define build_x86_firmware_from_source 1
%endif
# So, we have openSUSE:Factory, and we have "ports". In openSUSE:Factory, we
# have i586 and x86_64. In the :ARM port, we have aarch64, armv6l and armv7l.
# In the :PowerPC port, we have ppc64, ppc and ppc64le. In the :zSystems port
# we have s390x. And in the :RISCV we have riscv.
#
# Ideally, we'd want to build the firmwares at least once per port, and then
# share the resulting packages among the arch-es within each port (check the
# `ExportFilter` directives in the project config).
#
# Of course, we always build the "native fimrwares" (e.g., x86 firmwares on
# x86_64, PPC firmwares on ppc64le, etc). But we also cross compile as much
# firmwares as we can (e.g., both x86 and PPC firmwares on aarch64) so they'll
# be available in as many ports as possible (as noarch packages).
%ifarch ppc64
%define build_skiboot_from_source 0
%define build_slof_from_source 1
%ifarch x86_64 aarch64
%define build_ppc_firmware 1
# Currently, opensbi does not cross build cleanly on 15.3 and 15.4
%if ! 0%{?sle_version}
%define build_opensbi_firmware 1
%endif
%ifarch ppc64le
%define build_skiboot_from_source 0
%define build_slof_from_source 1
%define build_x86_firmware 1
%endif
%ifarch ppc64 ppc64le
%define build_ppc_firmware 1
%if ! 0%{?sle_version}
%define build_opensbi_firmware 1
%endif
# FIXME: Try to enable cross building of x86 firmwares here on PPC
%endif
%ifarch riscv64
%define build_opensbi_from_source 1
%define build_opensbi_firmware 1
%endif
%ifarch %ix86 x86_64 ppc ppc64 ppc64le s390x armv7hl aarch64
@ -160,32 +171,37 @@ syscall layer occurs on the native hardware and operating system.
# above section is for qemu-linux-user
# ------------------------------------------------------------------------
%else
%if %{build_x86_firmware_from_source}
%if %{build_x86_firmware}
BuildRequires: acpica
%endif
BuildRequires: pkgconfig(alsa)
%if %{build_x86_firmware_from_source}
BuildRequires: binutils-devel
%endif
BuildRequires: bison
BuildRequires: brlapi-devel
%if %{build_x86_firmware_from_source}
%ifnarch %{ix86} x86_64
BuildRequires: dos2unix
BuildRequires: glibc-devel-32bit
BuildRequires: pkgconfig(liblzma)
%ifnarch %ix86 x86_64
# We must cross-compile on non-x86*
BuildRequires: cross-x86_64-binutils
BuildRequires: cross-x86_64-gcc%gcc_version
%endif
%endif
%if %{build_opensbi_firmware}
%ifnarch riscv64
BuildRequires: cross-riscv64-binutils
BuildRequires: cross-riscv64-gcc%gcc_version
%endif
%endif
%if %{build_ppc_firmware}
%ifnarch ppc64 ppc64le
BuildRequires: cross-ppc64-binutils
BuildRequires: cross-ppc64-gcc%gcc_version
%endif
%endif
BuildRequires: pkgconfig(alsa)
BuildRequires: bison
BuildRequires: brlapi-devel
BuildRequires: pkgconfig(libcurl) >= 7.29
BuildRequires: pkgconfig(libsasl2)
%if %{build_x86_firmware_from_source}
BuildRequires: dos2unix
%endif
BuildRequires: flex
BuildRequires: pkgconfig(glib-2.0) >= 2.56
%if %{build_x86_firmware_from_source}
BuildRequires: glibc-devel-32bit
%endif
BuildRequires: libaio-devel
BuildRequires: libattr-devel
BuildRequires: libbz2-devel
@ -252,9 +268,6 @@ BuildRequires: pkgconfig(vte-2.91)
BuildRequires: xen-devel >= 4.2
%endif
BuildRequires: xfsprogs-devel
%if %{build_x86_firmware_from_source}
BuildRequires: pkgconfig(liblzma)
%endif
BuildRequires: pkgconfig(zlib)
BuildRequires: pkgconfig(libzstd)
%if "%{name}" == "qemu"
@ -268,6 +281,26 @@ Requires(post): udev
%ifarch s390x
Requires(post): procps
%endif
%ifarch %ix86 x86_64
Requires: qemu-x86
%else
Suggests: qemu-x86
%endif
%ifarch ppc ppc64 ppc64le
Requires: qemu-ppc
%else
Suggests: qemu-ppc
%endif
%ifarch s390x
Requires: qemu-s390x
%else
Suggests: qemu-s390x
%endif
%ifarch %arm aarch64
Requires: qemu-arm
%else
Suggests: qemu-arm
%endif
Recommends: kvm_stat
%endif
Recommends: qemu-block-curl
@ -287,26 +320,6 @@ Recommends: qemu-hw-usb-smartcard
Recommends: qemu-ui-gtk
Recommends: qemu-ui-spice-app
%endif
%ifarch %{ix86} x86_64
Recommends: qemu-x86
%else
Suggests: qemu-x86
%endif
%ifarch ppc ppc64 ppc64le
Recommends: qemu-ppc
%else
Suggests: qemu-ppc
%endif
%ifarch s390x
Recommends: qemu-s390x
%else
Suggests: qemu-s390x
%endif
%ifarch %arm aarch64
Recommends: qemu-arm
%else
Suggests: qemu-arm
%endif
Suggests: qemu-block-dmg
Suggests: qemu-block-gluster
Suggests: qemu-block-iscsi
@ -363,6 +376,7 @@ Group: System/Emulators/PC
Version: %{qemuver}
Release: 0
Requires: %name = %{qemuver}
Requires: qemu-SLOF
Recommends: qemu-ipxe
Recommends: qemu-vgabios
@ -825,7 +839,7 @@ Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
This package contains the QEMU guest agent. It is installed in the linux guest
to provide information and control at the guest OS level.
%ifarch %{build_rom_arch}
%if %{build_x86_firmware}
%package microvm
Summary: x86 MicroVM firmware for QEMU
Group: System/Emulators/PC
@ -890,6 +904,7 @@ Provides Preboot Execution Environment (PXE) ROM support for various emulated
network adapters available with QEMU.
%endif
%if %{build_ppc_firmware}
%package skiboot
Summary: OPAL firmware (aka skiboot), used in booting OpenPOWER systems
Group: System/Emulators/PC
@ -904,6 +919,18 @@ Provides: %name:%_datadir/%name/forsplits/06
Provides OPAL (OpenPower Abstraction Layer) firmware, aka skiboot, as
traditionally packaged with QEMU.
%package SLOF
Summary: Slimline Open Firmware - SLOF
Group: System/Emulators/PC
Version: %{qemuver}
Release: 0
BuildArch: noarch
%description SLOF
Slimline Open Firmware (SLOF) is an implementation of the IEEE 1275 standard.
It can be used as partition firmware for pSeries machines running on QEMU or KVM.
%endif
%package ksm
Summary: Kernel Samepage Merging services
Group: System/Emulators/PC
@ -1015,85 +1042,69 @@ PATCH_EXEC
# u-boot.e500 u-boot-sam460-20100605.bin opensbi-riscv32-generic-fw_dynamic.bin
# opensbi-riscv32-generic-fw_dynamic.elfnpcm7xx_bootrom.bin
# This first list group isn't specific to what this instance builds
%define ppc_default_firmware {%nil}
# Note that:
# - default firmwares are built "by default", i.e., they're built automatically
# during the process of building QEMU (on each specific arch)
# - extra firmwares are built "manually" (see below) from their own sources
# (which, typically, are submodules checked out in the {srcdi}r/roms directory)
%define ppc_default_firmware %{nil}
%define ppc_extra_firmware {skiboot.lid slof.bin}
%define ppc64_only_default_firmware {%nil}
%define ppc64_only_extra_firmware {%nil}
%define riscv64_default_firmware {opensbi-riscv64-generic-fw_dynamic.bin \
%define riscv64_default_firmware %{nil}
%define riscv64_extra_firmware {opensbi-riscv64-generic-fw_dynamic.bin \
opensbi-riscv64-generic-fw_dynamic.elf}
%define riscv64_extra_firmware {%nil}
%define s390x_default_firmware {s390-ccw.img s390-netboot.img}
%define s390x_extra_firmware {%nil}
%define s390x_extra_firmware %{nil}
%define x86_default_firmware {linuxboot.bin linuxboot_dma.bin multiboot.bin \
multiboot_dma.bin kvmvapic.bin pvh.bin}
%define x86_extra_firmware {bios.bin bios-256k.bin bios-microvm.bin qboot.rom \
pxe-e1000.rom pxe-eepro100.rom pxe-ne2k_pci.rom pxe-pcnet.rom pxe-rtl8139.rom \
pxe-virtio.rom sgabios.bin vgabios-ati.bin vgabios-bochs-display.bin \
vgabios.bin vgabios-cirrus.bin vgabios-qxl.bin vgabios-ramfb.bin \
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin}
%define x86_64_only_default_firmware {%nil}
%define x86_64_only_extra_firmware {efi-e1000.rom efi-e1000e.rom \
efi-eepro100.rom efi-ne2k_pci.rom efi-pcnet.rom efi-rtl8139.rom efi-virtio.rom \
efi-vmxnet3.rom}
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
efi-e1000.rom efi-e1000e.rom efi-eepro100.rom efi-ne2k_pci.rom efi-pcnet.rom \
efi-rtl8139.rom efi-virtio.rom efi-vmxnet3.rom}
# Complete list of all the firmwares that we build, if we consider
# all the builds, on all the arches.
%define firmware { \
%{?ppc_default_firmware} %{?ppc_extra_firmware} \
%{?ppc64_only_default_firmware} %{?ppc64_only_extra_firmware} \
%{?riscv64_default_firmware} %{?riscv64_extra_firmware} \
%{?s390x_default_firmware} %{?s390x_extra_firmware} \
%{?x86_default_firmware} %{?x86_extra_firmware} \
%{?x86_64_only_default_firmware} %{?x86_64_only_extra_firmware} }
%{ppc_default_firmware} %{ppc_extra_firmware} \
%{riscv64_default_firmware} %{riscv64_extra_firmware} \
%{s390x_default_firmware} %{s390x_extra_firmware} \
%{x86_default_firmware} %{x86_extra_firmware} }
# This second list group is specific to what this instance builds
# Note that:
# - {arch}_default_built_firmware are the firmwares that we will be built by
# default in this particular build, on the arch where we currently are on
# - {arch}_extra_built_fimrware, likewise, but for extra firmwares, built manually
%ifarch ppc64 ppc64le
%define ppc_default_built_firmware %{ppc_default_firmware}
%if %{build_skiboot_from_source} && %{build_slof_from_source}
%define ppc_extra_built_firmware %{ppc_extra_firmware}
%else
%if %{build_skiboot_from_source}
%define ppc_extra_built_firmware {skiboot.lid}
%endif
%if %{build_slof_from_source}
%define ppc_extra_built_firmware {slof.bin}
%endif
%endif
%ifarch ppc64
%define ppc64_only_default_built_firmware %{ppc64_only_default_firmware}
%define ppc64_only_extra_built_firmware %{ppc64_only_extra_firmware}
%endif
%ifarch riscv64
%define riscv64_default_built_firmware %{riscv64_default_firmware}
%define riscv64_extra_built_firmware %{riscv64_extra_firmware}
%endif
%ifarch s390x
%define s390x_default_built_firmware %{s390x_default_firmware}
%define s390x_extra_built_firmware %{s390x_extra_firmware}
%endif
%ifarch %ix86 x86_64
%define x86_default_built_firmware %{x86_default_firmware}
%ifarch x86_64
%define x86_64_only_default_built_firmware %{x86_64_only_default_firmware}
%endif
%endif
%if %{build_x86_firmware_from_source}
%if %{build_opensbi_firmware}
%define riscv64_extra_built_firmware %{riscv64_extra_firmware}
%endif
%if %{build_ppc_firmware}
%define ppc_extra_built_firmware %{ppc_extra_firmware}
%endif
%if %{build_x86_firmware}
%define x86_extra_built_firmware %{x86_extra_firmware}
%ifarch x86_64
%define x86_64_only_extra_built_firmware %{x86_64_only_extra_firmware}
%endif
%endif
# List of only firmwares that will actually be built, in this instance
%define built_firmware { \
%{?ppc_default_built_firmware} %{?ppc_extra_built_firmware} \
%{?ppc64_only_default_built_firmware} %{?ppc64_only_extra_built_firmware} \
%{?riscv64_default_built_firmware} %{?riscv64_extra_built_firmware} \
%{?s390x_default_built_firmware} %{?s390x_extra_built_firmware} \
%{?x86_default_built_firmware} %{?x86_extra_built_firmware} \
%{?x86_64_only_default_built_firmware} %{?x86_64_only_extra_built_firmware} }
%{?x86_default_built_firmware} %{?x86_extra_built_firmware} }
# above section is for qemu and qemu-testsuite
%endif
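Review bot: folding the `efi-*.rom` entries into `x86_extra_firmware` means they are now part of `x86_extra_built_firmware` whenever `build_x86_firmware` is set, so they get unlinked from `%srcdir/pc-bios` before the build, while the build section still runs `make ... efirom` only under `%ifnarch %ix86`. If someone enables the firmware build on ix86 (the case the later comment says should keep working), the EFI ROMs are deleted and never rebuilt. Keep a separate list for the EFI ROMs or guard them the same way as the `efirom` target. Minor: the new comments contain typos (`{srcdi}r/roms`, `{arch}_extra_built_fimrware`, "that we will be built by").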
@ -1324,7 +1335,9 @@ cd %blddir
%if "%{name}" == "qemu"
# delete the firmware files that we intend to build
# Let's build QEMU (and all the "default" firmwares, for each arch)
# First, delete the firmware files that we intend to build...
for i in %built_firmware
do
unlink %srcdir/pc-bios/$i
@ -1332,68 +1345,57 @@ done
make %{?_smp_mflags} V=1
# Firmware
%ifarch s390x
for i in %s390x_default_built_firmware
# ... And then, reinstate the firmwares that have been built already
for i in %{?s390x_default_built_firmware}
do
cp pc-bios/s390-ccw/$i %srcdir/pc-bios/
done
%endif
%ifarch ppc64
for i in %ppc64_only_default_built_firmware
do
cp pc-bios/spapr-rtas/$i %srcdir/pc-bios/
done
%endif
%ifarch %ix86 x86_64
for i in %x86_default_built_firmware
for i in %{?x86_default_built_firmware}
do
cp pc-bios/optionrom/$i %srcdir/pc-bios/
done
%ifarch x86_64
for i in %x86_64_only_default_built_firmware
do
cp pc-bios/optionrom/$i %srcdir/pc-bios/
done
%endif
# Build the "extra" firmwares. Note that the QEMU Makefile in {srcdir}/roms
# does some cross-compiler auto detection. So we often don't need to define
# or pass CROSS= and CROSS_COMPILE ourselves.
%if %{build_ppc_firmware}
# FIXME: check if we can upstream: Makefile-define-endianess-for-cross-buil.patch
make %{?_smp_mflags} -C %srcdir/roms skiboot
make %{?_smp_mflags} -C %srcdir/roms slof
%endif
%if %{build_x86_firmware_from_source}
%ifnarch %{ix86} x86_64
export CC=x86_64-suse-linux-gcc
export LD=x86_64-suse-linux-ld
%if %{build_opensbi_firmware}
make %{?_smp_mflags} -C %srcdir/roms opensbi64-generic
%endif
%if %{build_x86_firmware}
make %{?_smp_mflags} -C %srcdir/roms bios \
SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
# FIXME: check if we can upstream: roms-Makefile-add-cross-file-to-qboot-me.patch
# and qboot-add-cross.ini-file-to-handle-aarch.patch
make %{?_smp_mflags} -C %srcdir/roms qboot
make %{?_smp_mflags} -C %srcdir/roms seavgabios \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
make %{?_smp_mflags} -C %srcdir/roms seavgabios-ati \
%ifnarch %ix86 x86_64
HOSTCC=cc \
%endif
make %{?_smp_mflags} -C %srcdir/roms pxerom
%ifnarch %ix86
make %{?_smp_mflags} -C %srcdir/roms efirom \
EDK2_BASETOOLS_OPTFLAGS='-fPIE'
%endif
make -C %srcdir/roms sgabios \
HOSTCC=cc
# We're currently not building firmware on ix86, but let's make sure this works
# fine if one enables it, e.g., locally (for debugging or something).
# FIXME: check if we can get rid or upstream: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch
make -C %srcdir/roms sgabios HOSTCC=cc \
%ifnarch %ix86 x86_64
CC=x86_64-suse-linux-gcc LD=x86_64-suse-linux-ld \
%endif
%if %{force_fit_virtio_pxe_rom}
pushd %srcdir
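Review bot: every `make` call whose final argument is wrapped in `%ifnarch %ix86 x86_64 ... %endif` ends in a trailing backslash on both paths (for example `SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \` on x86 and `HOSTCC=cc \` elsewhere, or `sgabios HOSTCC=cc \` followed by the `CC=... LD=... \` line). After macro expansion the shell joins the command with whatever line follows the `%endif`, so this only behaves correctly as long as a blank line or a comment sits there. That is easy to break in a later edit, and the failure would be a silently altered make command line. Compute the conditional arguments once, in a macro or shell variable set under `%ifnarch %ix86 x86_64`, and expand it on a `make` line that has no dangling continuation.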
@ -1428,26 +1430,13 @@ for i in %supported_nics_small
exit 1
fi
done
%ifnarch %{ix86} x86_64
unset CC
unset LD
%endif
%endif
%if %{build_skiboot_from_source}
make %{?_smp_mflags} -C %srcdir/roms skiboot CROSS=
%endif
# End of {build_x86_firmware}
%if %{build_slof_from_source}
make %{?_smp_mflags} -C %srcdir/roms slof
%endif
# End of "{name}" == "qemu"
%if %{build_opensbi_from_source}
make %{?_smp_mflags} -C %srcdir/roms opensbi64-generic CROSS_COMPILE=
%endif
# above section is for qemu
%endif
# ------------------------------------------------------------------------
%if "%{name}" == "qemu-testsuite"
@ -1599,15 +1588,7 @@ ln -s qemu-binfmt %{buildroot}%_bindir/qemu-xtensaeb-binfmt
%if "%{name}" == "qemu"
make %{?_smp_mflags} install DESTDIR=%{buildroot}
%ifarch %{build_rom_arch}
install -D -m 0644 %{SOURCE14} %{buildroot}%_datadir/%name/firmware/50-seabios-256k.json
install -D -m 0644 %{SOURCE15} %{buildroot}%_datadir/%name/firmware/60-seabios-128k.json
%else
for f in %{x86_extra_firmware} \
%{x86_64_only_extra_firmware}; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
%find_lang %name
install -d -m 0755 %{buildroot}%_datadir/%name/firmware
install -d -m 0755 %{buildroot}/usr/lib/supportconfig/plugins
@ -1617,6 +1598,7 @@ install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup
install -D -p -m 0644 %{SOURCE8} %{buildroot}/usr/lib/udev/rules.d/80-qemu-ga.rules
install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py
install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py
install -D -m 0755 scripts/kvm/vmxcap %{buildroot}%_bindir/vmxcap
install -D -m 0755 %{SOURCE9} %{buildroot}/usr/lib/supportconfig/plugins/%name
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
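Review bot: `scripts/kvm/vmxcap` is installed here, and listed under `%_bindir/vmxcap` in the tools file list, on every architecture, although it only reports Intel VMX capabilities read from x86 MSRs. Outside x86 the package ships a script that cannot do anything useful. Wrap this `install` line and the matching `%files` entry in `%ifarch %ix86 x86_64`.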
@ -1664,17 +1646,43 @@ unlink %{buildroot}%_datadir/%name/edk2-x86_64-secure-code.fd
# this was never meant for customer consumption - delete even though installed
unlink %{buildroot}%_bindir/elf2dmp
install -D -m 0644 %{SOURCE201} %{buildroot}%_datadir/%name/forsplits/pkg-split.txt
for X in 00 01 02 03 04 05 07 08 09 10 11 12 13 14 15 16 17 18 19
do
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/$X
done
# For PPC and x86 firmwares, there are a few extra install steps necessary.
# In general, if we know that we have not built a firmware, remove it from the
# install base, as the one that we have there is the upstream binary, that got
# copied there during `make install`.
%if %{build_ppc_firmware}
# in support of update-alternatives
mv %{buildroot}%_datadir/%name/skiboot.lid %{buildroot}%_datadir/%name/skiboot.lid.qemu
# create a dummy target for /etc/alternatives/skiboot.lid
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
ln -s -f %{_sysconfdir}/alternatives/skiboot.lid %{buildroot}%{_datadir}/%name/skiboot.lid
install -D -m 0644 %{SOURCE201} %{buildroot}%_datadir/%name/forsplits/pkg-split.txt
for X in 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
do
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/$X
ln -s pkg-split.txt %{buildroot}%_datadir/%name/forsplits/06
%else
for f in %{ppc_extra_firmware} ; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
# For riscv64 firmwares (currently, only opensbi), we leave them there in
# any case, because they're part of the qemu-extra package, and riscv is
# a bit special in many ways already.
%if %{build_x86_firmware}
install -D -m 0644 %{SOURCE14} %{buildroot}%_datadir/%name/firmware/50-seabios-256k.json
install -D -m 0644 %{SOURCE15} %{buildroot}%_datadir/%name/firmware/60-seabios-128k.json
%else
for f in %{x86_extra_firmware} ; do
unlink %{buildroot}%_datadir/%name/$f
done
%endif
%suse_update_desktop_file qemu
%fdupes -s %{buildroot}
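Review bot: the comment introducing this block states the rule that a firmware we did not build is removed, because what `make install` copied is the upstream binary, but the riscv64 comment then exempts opensbi from it. With `build_opensbi_firmware` off, the package therefore ships the prebuilt upstream `opensbi-riscv64-generic-fw_dynamic.bin` and `.elf` rather than something built from source in this package. If that is intended, the comment should say so explicitly instead of "riscv is a bit special"; otherwise add the same `%else` loop with `unlink` over `%{riscv64_extra_firmware}` and guard the corresponding file list entries.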
@ -1739,6 +1747,7 @@ fi
%postun ksm
%service_del_postun ksm.service
%if %{build_ppc_firmware}
%post skiboot
update-alternatives --install \
%{_datadir}/%name/skiboot.lid skiboot.lid %{_datadir}/%name/skiboot.lid.qemu 15
@ -1747,6 +1756,7 @@ update-alternatives --install \
if [ ! -f %{_datadir}/%name/skiboot.lid.qemu ] ; then
update-alternatives --remove skiboot.lid %{_datadir}/%name/skiboot.lid.qemu
fi
%endif
# above section is for qemu
%endif
@ -2033,7 +2043,6 @@ fi
%_datadir/%name/canyonlands.dtb
%_datadir/%name/openbios-ppc
%_datadir/%name/qemu_vga.ndrv
%_datadir/%name/slof.bin
%_datadir/%name/u-boot.e500
%_datadir/%name/u-boot-sam460-20100605.bin
%dir %_docdir/qemu-ppc
@ -2285,7 +2294,7 @@ fi
%files lang -f %blddir/%name.lang
%defattr(-, root, root)
%ifarch %{build_rom_arch}
%if %{build_x86_firmware}
%files seabios
%defattr(-, root, root)
%dir %_datadir/%name
@ -2337,6 +2346,7 @@ fi
%_datadir/%name/pxe-virtio.rom
%endif
%if %{build_ppc_firmware}
%files skiboot
%defattr(-, root, root)
%dir %_datadir/%name
@ -2346,6 +2356,12 @@ fi
%_datadir/%name/skiboot.lid.qemu
%ghost %_sysconfdir/alternatives/skiboot.lid
%files SLOF
%defattr(-, root, root)
%dir %_datadir/%name
%_datadir/%name/slof.bin
%endif
%files vhost-user-gpu
%defattr(-, root, root)
%dir %_datadir/%name/vhost-user
@ -2363,6 +2379,7 @@ fi
%_bindir/qemu-pr-helper
%_bindir/qemu-storage-daemon
%_bindir/vmstate-static-checker.py
%_bindir/vmxcap
%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
%_libexecdir/virtfs-proxy-helper
%_libexecdir/virtiofsd

View File

@ -1049,8 +1049,10 @@ else # not LATEST
bundle2local &> ~/pkg2git.log
echo "SUCCESS"
echo "To modify package patches, use the frombundle branch as the basis for updating"
echo "the $GIT_BRANCH branch with the new patch queue."
echo "Then export the changes back to the package using update_git.sh git2pkg"
echo "the $GIT_BRANCH branch with the new patch queue, e.g., like this:"
echo " git checkout -f --recurse-submodules -B $GIT_BRANCH frombundle"
echo "Then make your changes and, when done, export them back to the package with:"
echo " bash ./update_git.sh git2pkg"
;;
refresh )
echo "Updating the spec file and patches from the spec file template and the bundle"
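Review bot: the command now suggested to the user, `git checkout -f --recurse-submodules -B $GIT_BRANCH frombundle`, is destructive and the message does not say so. `-f` throws away uncommitted changes in the work tree and submodules, and `-B` resets an existing `$GIT_BRANCH` to `frombundle`, moving it off any local commits that exist only on that branch. Add an echo line telling the user to commit or stash pending work before running it.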

View File

@ -0,0 +1,101 @@
From: Vivek Goyal <vgoyal@redhat.com>
Date: Tue, 25 Jan 2022 13:51:14 -0500
Subject: virtiofsd: Drop membership of all supplementary groups
(CVE-2022-0358)
Git-commit: 449e8171f96a6a944d1f3b7d3627ae059eae21ca
References: bsc#1195161
At the start, drop membership of all supplementary groups. This is
not required.
If we have membership of "root" supplementary group and when we switch
uid/gid using setresuid/setsgid, we still retain membership of existing
supplemntary groups. And that can allow some operations which are not
normally allowed.
For example, if root in guest creates a dir as follows.
$ mkdir -m 03777 test_dir
This sets SGID on dir as well as allows unprivileged users to write into
this dir.
And now as unprivileged user open file as follows.
$ su test
$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
This will create SGID set executable in test_dir/.
And that's a problem because now an unpriviliged user can execute it,
get egid=0 and get access to resources owned by "root" group. This is
privilege escalation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Fixes: CVE-2022-0358
Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YfBGoriS38eBQrAb@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
dgilbert: Fixed missing {}'s style nit
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 64b5b4fbb18670075eedd1f3d158..b3d0674f6d2f267664d1c4558856 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -54,6 +54,7 @@
#include <sys/wait.h>
#include <sys/xattr.h>
#include <syslog.h>
+#include <grp.h>
#include "qemu/cutils.h"
#include "passthrough_helpers.h"
@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
#define OURSYS_setresuid SYS_setresuid
#endif
+static void drop_supplementary_groups(void)
+{
+ int ret;
+
+ ret = getgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+
+ if (!ret) {
+ return;
+ }
+
+ /* Drop all supplementary groups. We should not need it */
+ ret = setgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+}
+
/*
* Change to uid/gid of caller so that file is created with
* ownership of caller.
@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
qemu_init_exec_dir(argv[0]);
+ drop_supplementary_groups();
+
pthread_mutex_init(&lo.mutex, NULL);
lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
lo.root.fd = -1;
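Review bot: in `drop_supplementary_groups()`, a failing `setgroups(0, NULL)` leads to `exit(1)`, so virtiofsd now needs CAP_SETGID at startup whenever it inherits at least one supplementary group (the `if (!ret) return;` path only skips the call when there are none). The commit message says the memberships are "not required" but does not mention this new startup requirement. A sentence in the message or in the virtiofsd documentation would help anyone launching the daemon with a reduced capability set understand why it now refuses to start.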