From baeaa1ef15ccda7592815d97f554228ec33cc11cd5997a6f0eed63482aeab29e Mon Sep 17 00:00:00 2001
From: Bruce Rogers
Date: Wed, 13 Feb 2019 21:52:43 +0000
Subject: [PATCH] Accepting request 674747 from home:bfrogers:branches:Virtualization

AMD SEV related fix: bsc#1124842 and bsc#1102604

OBS-URL: https://build.opensuse.org/request/show/674747
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=454
---
 71-sev.rules | 1 -
 qemu-testsuite.changes | 10 ++++++++++
 qemu-testsuite.spec | 18 ++++--------------
 qemu.changes | 10 ++++++++++
 qemu.spec | 18 ++++--------------
 qemu.spec.in | 18 ++++--------------
 6 files changed, 32 insertions(+), 43 deletions(-)
 delete mode 100644 71-sev.rules

diff --git a/71-sev.rules b/71-sev.rules
deleted file mode 100644
index 00c3eba2..00000000
--- a/71-sev.rules
+++ /dev/null
@@ -1 +0,0 @@
-KERNEL=="sev", MODE="0660", GROUP="kvm"
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index fda88be7..5fc83bd9 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Feb 11 15:41:02 UTC 2019 - Bruce Rogers
+
+- Remove 71-sev.rules, which modifies the default permissions of
+ /dev/sev by adding the kvm group as reader/writer. Upstream
+ decided to take a different approach for libvirt to manage SEV
+ due to security concerns which I agree overrides the convenience
+ of providing /dev/sev access to all the kvm group (bsc#1124842
+ bsc#1102604)
+
 -------------------------------------------------------------------
 Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 10a546dd..7ba04d8e 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -118,7 +118,7 @@ Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
 Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig
 Source100: %{srcname}.keyring
 Source1: 80-kvm.rules
-Source2: 71-sev.rules
+Source2: kvm.conf
 Source3: qemu-ifup
 Source4: bridge.conf
 Source5: qemu-kvm.1.gz
@@ -126,11 +126,10 @@ Source6: ksm.service
 Source7: qemu-ga@.service
 Source8: 80-qemu-ga.rules
 Source9: qemu-supportconfig
-Source10: kvm.conf
+Source10: supported.arm.txt
 Source11: supported.ppc.txt
 Source12: supported.x86.txt
 Source13: supported.s390.txt
-Source14: supported.arm.txt
 # this is to make lint happy
 Source300: qemu-rpmlintrc
 Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@@ -1360,10 +1359,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
 mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
 install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
 %if 0%{?is_opensuse} == 0
+install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
 install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
 install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
 install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
-install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
 %endif
 %if %{legacy_qemu_kvm}
 cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@@ -1387,9 +1386,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
 %endif
 %endif
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
-%endif
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
 %endif
 install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
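Review bot: Reusing `Source2` for kvm.conf and `Source10` for supported.arm.txt (this hunk and the next one, `@@ -126,11 +126,10 @@`) changes what `%{SOURCE2}` and `%{SOURCE10}` expand to, so any reference outside the visible hunks would keep building but install a different file; a stale `%{SOURCE2}` would now drop kvm.conf where the SEV udev rule used to go. The two install lines visible in the diff are updated, but the rest of the spec is not shown, so this cannot be confirmed from here. rpm does not require contiguous Source numbers, so the removal is easier to audit if only the `Source2: 71-sev.rules` line is deleted and `Source10: kvm.conf` / `Source14: supported.arm.txt` stay as they were. The same renumbering is repeated in qemu.spec and qemu.spec.in.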
@@ -1397,7 +1393,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
 install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
 %endif
 %ifarch s390x
-install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
+install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
 %endif
 %fdupes -s %{buildroot}
@@ -1429,9 +1425,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
 fi
 %endif
 %udev_rules_update
- %ifarch %ix86 x86_64
- %_bindir/udevadm trigger -y sev || :
- %endif
 %_bindir/udevadm trigger -y kvm || :
 %ifarch s390x
 sysctl vm.allocate_pgste=1 || :
@@ -1508,9 +1501,6 @@ fi
 %dir %_libexecdir/supportconfig/plugins
 %_libexecdir/supportconfig/plugins/%name
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-%{_udevrulesdir}/71-sev.rules
-%endif
 %{_udevrulesdir}/80-kvm.rules
 %ifarch s390x
 %_libexecdir/modules-load.d/kvm.conf
diff --git a/qemu.changes b/qemu.changes
index fda88be7..5fc83bd9 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Feb 11 15:41:02 UTC 2019 - Bruce Rogers
+
+- Remove 71-sev.rules, which modifies the default permissions of
+ /dev/sev by adding the kvm group as reader/writer. Upstream
+ decided to take a different approach for libvirt to manage SEV
+ due to security concerns which I agree overrides the convenience
+ of providing /dev/sev access to all the kvm group (bsc#1124842
+ bsc#1102604)
+
 -------------------------------------------------------------------
 Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers
 
diff --git a/qemu.spec b/qemu.spec
index 8ac30410..4bcac178 100644
--- a/qemu.spec
+++ b/qemu.spec
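Review bot: Dropping `udevadm trigger -y sev` from %post together with the rule file (hunk `@@ -1429,9 +1425,6 @@`) leaves nothing in the upgrade path that re-evaluates an existing /dev/sev node, so on a host that is upgraded without a reboot the node may keep the `MODE="0660", GROUP="kvm"` that the deleted 71-sev.rules applied. Whether udev resets mode and group once no rule sets them depends on the udev version, so this is worth confirming on an upgraded host with `stat -c '%a %G' /dev/sev`. If the old permissions persist, the .changes entry should say that a reboot (or an explicit reset of the node in %post) is needed before the bsc#1124842 fix takes effect. The same lines are removed in qemu.spec and qemu.spec.in. The %post scriptlet starts and ends outside the hunk.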
@@ -118,7 +118,7 @@ Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
 Source99: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz.sig
 Source100: %{srcname}.keyring
 Source1: 80-kvm.rules
-Source2: 71-sev.rules
+Source2: kvm.conf
 Source3: qemu-ifup
 Source4: bridge.conf
 Source5: qemu-kvm.1.gz
@@ -126,11 +126,10 @@ Source6: ksm.service
 Source7: qemu-ga@.service
 Source8: 80-qemu-ga.rules
 Source9: qemu-supportconfig
-Source10: kvm.conf
+Source10: supported.arm.txt
 Source11: supported.ppc.txt
 Source12: supported.x86.txt
 Source13: supported.s390.txt
-Source14: supported.arm.txt
 # this is to make lint happy
 Source300: qemu-rpmlintrc
 Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@@ -1360,10 +1359,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
 mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
 install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
 %if 0%{?is_opensuse} == 0
+install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
 install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
 install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
 install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
-install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
 %endif
 %if %{legacy_qemu_kvm}
 cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@@ -1387,9 +1386,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
 %endif
 %endif
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
-%endif
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
 %endif
 install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
@@ -1397,7 +1393,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
 install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
 %endif
 %ifarch s390x
-install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
+install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
 %endif
 %fdupes -s %{buildroot}
@@ -1429,9 +1425,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
 fi
 %endif
 %udev_rules_update
- %ifarch %ix86 x86_64
- %_bindir/udevadm trigger -y sev || :
- %endif
 %_bindir/udevadm trigger -y kvm || :
 %ifarch s390x
 sysctl vm.allocate_pgste=1 || :
@@ -1508,9 +1501,6 @@ fi
 %dir %_libexecdir/supportconfig/plugins
 %_libexecdir/supportconfig/plugins/%name
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-%{_udevrulesdir}/71-sev.rules
-%endif
 %{_udevrulesdir}/80-kvm.rules
 %ifarch s390x
 %_libexecdir/modules-load.d/kvm.conf
diff --git a/qemu.spec.in b/qemu.spec.in
index 90046661..a0e81c93 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -115,7 +115,7 @@ Release: 0
 Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
 Source100: %{srcname}.keyring
 Source1: 80-kvm.rules
-Source2: 71-sev.rules
+Source2: kvm.conf
 Source3: qemu-ifup
 Source4: bridge.conf
 Source5: qemu-kvm.1.gz
@@ -123,11 +123,10 @@ Source6: ksm.service
 Source7: qemu-ga@.service
 Source8: 80-qemu-ga.rules
 Source9: qemu-supportconfig
-Source10: kvm.conf
+Source10: supported.arm.txt
 Source11: supported.ppc.txt
 Source12: supported.x86.txt
 Source13: supported.s390.txt
-Source14: supported.arm.txt
 # this is to make lint happy
 Source300: qemu-rpmlintrc
 Source301: ipxe-stub-out-the-SAN-req-s-in-int13.patch
@@ -1245,10 +1244,10 @@ install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmsta
 mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
 install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
 %if 0%{?is_opensuse} == 0
+install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
 install -D -m 0644 %{SOURCE11} %{buildroot}%_docdir/qemu-ppc/supported.txt
 install -D -m 0644 %{SOURCE12} %{buildroot}%_docdir/qemu-x86/supported.txt
 install -D -m 0644 %{SOURCE13} %{buildroot}%_docdir/qemu-s390/supported.txt
-install -D -m 0644 %{SOURCE14} %{buildroot}%_docdir/qemu-arm/supported.txt
 %endif
 %if %{legacy_qemu_kvm}
 cat > %{buildroot}%_bindir/qemu-kvm << 'EOF'
@@ -1272,9 +1271,6 @@ ln -s ../qemu-x86/supported.txt %{buildroot}%_docdir/qemu-kvm/kvm-supported.txt
 %endif
 %endif
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-install -D -m 0644 %{SOURCE2} %{buildroot}%{_udevrulesdir}/71-sev.rules
-%endif
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_udevrulesdir}/80-kvm.rules
 %endif
 install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
@@ -1282,7 +1278,7 @@ install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/qemu-ga@.service
 install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ksm.service
 %endif
 %ifarch s390x
-install -D -m 0644 %{SOURCE10} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
+install -D -m 0644 %{SOURCE2} %{buildroot}%_libexecdir/modules-load.d/kvm.conf
 %endif
 %fdupes -s %{buildroot}
@@ -1314,9 +1310,6 @@ if [ $(stat -L -c "%i" /proc/1/root/) = $(stat -L -c "%i" /) ]; then
 fi
 %endif
 %udev_rules_update
- %ifarch %ix86 x86_64
- %_bindir/udevadm trigger -y sev || :
- %endif
 %_bindir/udevadm trigger -y kvm || :
 %ifarch s390x
 sysctl vm.allocate_pgste=1 || :
@@ -1393,9 +1386,6 @@ fi
 %dir %_libexecdir/supportconfig/plugins
 %_libexecdir/supportconfig/plugins/%name
 %if %{kvm_available}
-%ifarch %ix86 x86_64
-%{_udevrulesdir}/71-sev.rules
-%endif
 %{_udevrulesdir}/80-kvm.rules
 %ifarch s390x
 %_libexecdir/modules-load.d/kvm.conf