
Accepting request 674747 from home:bfrogers:branches:Virtualization

AMD SEV related fix: bsc#1124842 and bsc#1102604

OBS-URL: https://build.opensuse.org/request/show/674747
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=454
Bruce Rogers 2019-02-13 21:52:43 +00:00 committed by Git OBS Bridge
parent 0e4704d430
commit 367159087c
6 changed files with 32 additions and 43 deletions


@ -1 +0,0 @@
KERNEL=="sev", MODE="0660", GROUP="kvm"


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Feb 11 15:41:02 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Remove 71-sev.rules, which modifies the default permissions of
/dev/sev by adding the kvm group as reader/writer. Upstream
decided to take a different approach for libvirt to manage SEV
due to security concerns which I agree overrides the convenience
of providing /dev/sev access to all the kvm group (bsc#1124842
bsc#1102604)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers <brogers@suse.com> Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -118,7 +118,7 @@ Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig
Source100: %{srcname}.keyring Source100: %{srcname}.keyring
Source1: 80-kvm.rules Source1: 80-kvm.rules
Source2: 71-sev.rules Source2: kvm.conf
Source3: qemu-ifup Source3: qemu-ifup
Source4: bridge.conf Source4: bridge.conf
Source5: qemu-kvm.1.gz Source5: qemu-kvm.1.gz
@ -126,11 +126,10 @@ Source6: ksm.service
Source7: qemu-ga@.service Source7: qemu-ga@.service
Source8: 80-qemu-ga.rules Source8: 80-qemu-ga.rules
Source9: qemu-supportconfig Source9: qemu-supportconfig
Source10: kvm.conf Source10: supported.arm.txt
Source11: supported.ppc.txt Source11: supported.ppc.txt
Source12: supported.x86.txt Source12: supported.x86.txt
Source13: supported.s390.txt Source13: supported.s390.txt
Source14: supported.arm.txt
# this is to make lint happy # this is to make lint happy
Source300: qemu-rpmlintrc Source300: qemu-rpmlintrc
Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@ -1360,10 +1359,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0 %if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
%endif %endif
%if %{legacy_qemu_kvm} %if %{legacy_qemu_kvm}
cat > %{buildroot}%_bindir/qemu-kvm << 'EOF' cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@ -1387,9 +1386,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
%endif %endif
%endif %endif
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
%endif
install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
%endif %endif
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
@ -1397,7 +1393,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
%endif %endif
%ifarch s390x %ifarch s390x
install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
%endif %endif
%fdupes -s %{buildroot} %fdupes -s %{buildroot}
@ -1429,9 +1425,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
fi fi
%endif %endif
%udev_rules_update %udev_rules_update
%ifarch %ix86 x86_64
%_bindir/udevadm trigger -y sev || :
%endif
%_bindir/udevadm trigger -y kvm || : %_bindir/udevadm trigger -y kvm || :
%ifarch s390x %ifarch s390x
sysctl vm.allocate_pgste=1 || : sysctl vm.allocate_pgste=1 || :
@ -1508,9 +1501,6 @@ fi
%dir %_libexecdir/supportconfig/plugins %dir %_libexecdir/supportconfig/plugins
%_libexecdir/supportconfig/plugins/%name %_libexecdir/supportconfig/plugins/%name
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
%{_udevrulesdir}/71-sev.rules
%endif
%{_udevrulesdir}/80-kvm.rules %{_udevrulesdir}/80-kvm.rules
%ifarch s390x %ifarch s390x
%_libexecdir/modules-load.d/kvm.conf %_libexecdir/modules-load.d/kvm.conf
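Review bot: The scriptlet hunk at -1429 drops `udevadm trigger -y sev` together with the rule, so nothing in the new scriptlet touches a /dev/sev node that already exists on an upgraded, running host. If the old 71-sev.rules had been applied, that node presumably stays 0660 with group kvm until the next reboot or driver reload, which delays the effect of the permission tightening this commit is about. Consider a one-time reset after `%udev_rules_update`, for example `%_bindir/udevadm trigger -y sev --action=add || :` inside `%ifarch %ix86 x86_64` (to be confirmed that udev reapplies the default mode on a synthetic add event), or state in the changelog entry that a reboot is required. The same point applies to the two other spec sections on this page, and the scriptlet starts and ends outside the hunk.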


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Feb 11 15:41:02 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Remove 71-sev.rules, which modifies the default permissions of
/dev/sev by adding the kvm group as reader/writer. Upstream
decided to take a different approach for libvirt to manage SEV
due to security concerns which I agree overrides the convenience
of providing /dev/sev access to all the kvm group (bsc#1124842
bsc#1102604)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers <brogers@suse.com> Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -118,7 +118,7 @@ Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig
Source100: %{srcname}.keyring Source100: %{srcname}.keyring
Source1: 80-kvm.rules Source1: 80-kvm.rules
Source2: 71-sev.rules Source2: kvm.conf
Source3: qemu-ifup Source3: qemu-ifup
Source4: bridge.conf Source4: bridge.conf
Source5: qemu-kvm.1.gz Source5: qemu-kvm.1.gz
@ -126,11 +126,10 @@ Source6: ksm.service
Source7: qemu-ga@.service Source7: qemu-ga@.service
Source8: 80-qemu-ga.rules Source8: 80-qemu-ga.rules
Source9: qemu-supportconfig Source9: qemu-supportconfig
Source10: kvm.conf Source10: supported.arm.txt
Source11: supported.ppc.txt Source11: supported.ppc.txt
Source12: supported.x86.txt Source12: supported.x86.txt
Source13: supported.s390.txt Source13: supported.s390.txt
Source14: supported.arm.txt
# this is to make lint happy # this is to make lint happy
Source300: qemu-rpmlintrc Source300: qemu-rpmlintrc
Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@ -1360,10 +1359,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0 %if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
%endif %endif
%if %{legacy_qemu_kvm} %if %{legacy_qemu_kvm}
cat > %{buildroot}%_bindir/qemu-kvm << 'EOF' cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@ -1387,9 +1386,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
%endif %endif
%endif %endif
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
%endif
install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
%endif %endif
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
@ -1397,7 +1393,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
%endif %endif
%ifarch s390x %ifarch s390x
install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
%endif %endif
%fdupes -s %{buildroot} %fdupes -s %{buildroot}
@ -1429,9 +1425,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
fi fi
%endif %endif
%udev_rules_update %udev_rules_update
%ifarch %ix86 x86_64
%_bindir/udevadm trigger -y sev || :
%endif
%_bindir/udevadm trigger -y kvm || : %_bindir/udevadm trigger -y kvm || :
%ifarch s390x %ifarch s390x
sysctl vm.allocate_pgste=1 || : sysctl vm.allocate_pgste=1 || :
@ -1508,9 +1501,6 @@ fi
%dir %_libexecdir/supportconfig/plugins %dir %_libexecdir/supportconfig/plugins
%_libexecdir/supportconfig/plugins/%name %_libexecdir/supportconfig/plugins/%name
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
%{_udevrulesdir}/71-sev.rules
%endif
%{_udevrulesdir}/80-kvm.rules %{_udevrulesdir}/80-kvm.rules
%ifarch s390x %ifarch s390x
%_libexecdir/modules-load.d/kvm.conf %_libexecdir/modules-load.d/kvm.conf
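Review bot: Reusing `Source2` for kvm.conf and `Source10` for supported.arm.txt changes what `%{SOURCE2}` and `%{SOURCE10}` expand to, so a reference that these hunks do not show would now install a different file without any build error. The visible uses are consistent (`%{SOURCE2}` goes to modules-load.d/kvm.conf and `%{SOURCE10}` to qemu-arm/supported.txt), but the rest of the spec is outside the hunks and should be searched for both macros. Leaving number 2 unused, or adding a comment such as `# Source2 was 71-sev.rules until bsc#1124842` above the `Source2:` line, would make the reuse easier to audit. This applies equally to the other spec sections on this page.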


@ -115,7 +115,7 @@ Release: 0
Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
Source100: %{srcname}.keyring Source100: %{srcname}.keyring
Source1: 80-kvm.rules Source1: 80-kvm.rules
Source2: 71-sev.rules Source2: kvm.conf
Source3: qemu-ifup Source3: qemu-ifup
Source4: bridge.conf Source4: bridge.conf
Source5: qemu-kvm.1.gz Source5: qemu-kvm.1.gz
@ -123,11 +123,10 @@ Source6: ksm.service
Source7: qemu-ga@.service Source7: qemu-ga@.service
Source8: 80-qemu-ga.rules Source8: 80-qemu-ga.rules
Source9: qemu-supportconfig Source9: qemu-supportconfig
Source10: kvm.conf Source10: supported.arm.txt
Source11: supported.ppc.txt Source11: supported.ppc.txt
Source12: supported.x86.txt Source12: supported.x86.txt
Source13: supported.s390.txt Source13: supported.s390.txt
Source14: supported.arm.txt
# this is to make lint happy # this is to make lint happy
Source300: qemu-rpmlintrc Source300: qemu-rpmlintrc
Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@ -1245,10 +1244,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0 %if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
%endif %endif
%if %{legacy_qemu_kvm} %if %{legacy_qemu_kvm}
cat > %{buildroot}%_bindir/qemu-kvm << 'EOF' cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@ -1272,9 +1271,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
%endif %endif
%endif %endif
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
%endif
install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
%endif %endif
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
@ -1282,7 +1278,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
%endif %endif
%ifarch s390x %ifarch s390x
install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
%endif %endif
%fdupes -s %{buildroot} %fdupes -s %{buildroot}
@ -1314,9 +1310,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
fi fi
%endif %endif
%udev_rules_update %udev_rules_update
%ifarch %ix86 x86_64
%_bindir/udevadm trigger -y sev || :
%endif
%_bindir/udevadm trigger -y kvm || : %_bindir/udevadm trigger -y kvm || :
%ifarch s390x %ifarch s390x
sysctl vm.allocate_pgste=1 || : sysctl vm.allocate_pgste=1 || :
@ -1393,9 +1386,6 @@ fi
%dir %_libexecdir/supportconfig/plugins %dir %_libexecdir/supportconfig/plugins
%_libexecdir/supportconfig/plugins/%name %_libexecdir/supportconfig/plugins/%name
%if %{kvm_available} %if %{kvm_available}
%ifarch %ix86 x86_64
%{_udevrulesdir}/71-sev.rules
%endif
%{_udevrulesdir}/80-kvm.rules %{_udevrulesdir}/80-kvm.rules
%ifarch s390x %ifarch s390x
%_libexecdir/modules-load.d/kvm.conf %_libexecdir/modules-load.d/kvm.conf