diff --git a/0013-conf-qemu-Fix-some-code-about-Reuse-ASID-for-Hygon-C.patch b/0013-conf-qemu-Fix-some-code-about-Reuse-ASID-for-Hygon-C.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cead11ef065e6bf5664bb203407c3de4fb606bb8
--- /dev/null
+++ b/0013-conf-qemu-Fix-some-code-about-Reuse-ASID-for-Hygon-C.patch
@@ -0,0 +1,129 @@
+From aaa3414042ee5600f9d0e59fdc1dd2952198a892 Mon Sep 17 00:00:00 2001
+From: hanliyang
+Date: Thu, 26 Dec 2024 21:46:00 +0800
+Subject: [PATCH 1/2] conf: qemu: Fix some code about Reuse ASID for Hygon CSV
+
+Fix 3 issues:
+1. The `user-id` was not the member of Capabilities from the Qemu VMM.
+2. Memory leak on `user-id` element.
+3. The debug log for `user-id` breaks the native code.
+
+Fixes: f313104440 ("conf: qemu: add libvirt support reuse id for hygon CSV")
+Signed-off-by: hanliyang
+---
+ include/libvirt/libvirt-host.h | 9 ---------
+ src/conf/domain_capabilities.c | 3 ---
+ src/conf/domain_capabilities.h | 1 -
+ src/conf/domain_conf.c | 1 +
+ src/qemu/qemu_capabilities.c | 1 -
+ src/qemu/qemu_command.c | 8 +++++---
+ src/qemu/qemu_driver.c | 4 ----
+ 7 files changed, 6 insertions(+), 21 deletions(-)
+
+diff --git a/include/libvirt/libvirt-host.h b/include/libvirt/libvirt-host.h
+index 0caf16a..af7dede 100644
+--- a/include/libvirt/libvirt-host.h
++++ b/include/libvirt/libvirt-host.h
+@@ -587,15 +587,6 @@ typedef virNodeMemoryStats *virNodeMemoryStatsPtr;
+ */
+ # define VIR_NODE_SEV_MAX_ES_GUESTS "max-es-guests"
+
+-/**
+- * VIR_NODE_SEV_USER_ID:
+- *
+- * Macro represents the user id string,enable reuse asid feature
+- *
+- * Since: 9.10.0
+- */
+-# define VIR_NODE_SEV_USER_ID "user-id"
+-
+ int virNodeGetSEVInfo (virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
+index 51adc48..f6e09dc 100644
+--- a/src/conf/domain_capabilities.c
++++ b/src/conf/domain_capabilities.c
+@@ -654,9 +654,6 @@ virDomainCapsFeatureSEVFormat(virBuffer *buf,
+ if (sev->cpu0_id != NULL)
+ virBufferAsprintf(buf, "%s\n", sev->cpu0_id);
+
+- if (sev->user_id != NULL)
+- virBufferAsprintf(buf, "%s\n", sev->user_id);
+-
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "\n");
+ }
+diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
+index 
20cff85..01bcfa2 100644
+--- a/src/conf/domain_capabilities.h
++++ b/src/conf/domain_capabilities.h
+@@ -213,7 +213,6 @@ struct _virSEVCapability {
+ unsigned int reduced_phys_bits;
+ unsigned int max_guests;
+ unsigned int max_es_guests;
+- char *user_id;
+ };
+
+ typedef struct _virSGXSection virSGXSection;
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index b40f924..31f0cdd 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -3822,6 +3822,7 @@ virDomainSecDefFree(virDomainSecDef *def)
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ g_free(def->data.sev.dh_cert);
+ g_free(def->data.sev.session);
++ g_free(def->data.sev.user_id);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index 520af43..cf6416f 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -4868,7 +4868,6 @@ virQEMUCapsFormatSEVInfo(virQEMUCaps *qemuCaps, virBuffer *buf)
+ virBufferAsprintf(buf, "%u\n", sev->cbitpos);
+ virBufferAsprintf(buf, "%u\n",
+ sev->reduced_phys_bits);
+- virBufferEscapeString(buf, "%s\n", sev->user_id);
+ virBufferEscapeString(buf, "%s\n", sev->pdh);
+ virBufferEscapeString(buf, "%s\n",
+ sev->cert_chain);
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index a0ebe8d..77900be 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -9676,9 +9676,11 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
+ g_autofree char *dhpath = NULL;
+ g_autofree char *sessionpath = NULL;
+
+- VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d user_id=%s",
+- sev->policy, sev->cbitpos, sev->reduced_phys_bits,
+- sev->user_id ? 
: "(nil)");
++ VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
++ sev->policy, sev->cbitpos, sev->reduced_phys_bits);
++
++ if (sev->user_id)
++ VIR_DEBUG("user_id=%s", sev->user_id);
+
+ if (sev->dh_cert)
+ dhpath = g_strdup_printf("%s/dh_cert.base64", priv->libDir);
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 0229f47..bf755c7 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -18976,10 +18976,6 @@ qemuGetSEVInfoToParams(virQEMUCaps *qemuCaps,
+ sev->max_es_guests) < 0)
+ goto cleanup;
+
+- if (virTypedParamsAddString(&sevParams, &n, &maxpar,
+- VIR_NODE_SEV_USER_ID, sev->user_id) < 0)
+- goto cleanup;
+-
+ *params = g_steal_pointer(&sevParams);
+ *nparams = n;
+ return 0;
+-- 
+2.41.0
+
diff --git a/0014-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch b/0014-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..699e0bc080e0e65cdeaa90e51dfd0a58c98b7d2a
--- /dev/null
+++ b/0014-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch
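Review bot: The `user_id` member is removed from `struct _virSEVCapability` in the domain_capabilities.h hunk, but the only qemu_capabilities.c change is dropping the line in virQEMUCapsFormatSEVInfo that writes it; if the earlier commit f313104440 also populated `sev->user_id` in the capabilities parser or freed it in the capability free routine, those sites are outside this diffstat and would no longer compile against the new struct — confirm before applying. `VIR_NODE_SEV_USER_ID` is also deleted from the public header include/libvirt/libvirt-host.h, and removing a macro that carried a `Since:` tag is a public-API change that the commit message should state explicitly rather than fold into item 1. The split VIR_DEBUG in qemuBuildSEVCommandLine, guarded by `if (sev->user_id)`, is a clean replacement for the old conditional-expression argument; qemuBuildSEVCommandLine and qemuGetSEVInfoToParams both continue outside their hunks.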
@@ -0,0 +1,129 @@
+From 0dee562faf9d6e6fb0d715cb7b5b9426345ab074 Mon Sep 17 00:00:00 2001
+From: hanliyang
+Date: Wed, 13 Nov 2024 16:12:57 +0800
+Subject: [PATCH 2/2] conf: qemu: support provide inject secret for Hygon CSV
+
+csv xml format:
+
+ 0x0001
+ 47
+ 5
+ U2FsdGVkX1+rW6B/JbYqNA==
+ 5aeG4mH2E/OqN1a3uT8hfg==
+ gW3E30rG/I3L1nD/YfG+DA==
+ zP1oY9W7ZcPFtL0QeN11vQ==
+
+
+Signed-off-by: hanliyang
+---
+ src/conf/domain_conf.c | 8 ++++++++
+ src/conf/domain_conf.h | 2 ++
+ src/qemu/qemu_command.c | 10 ++++++++++
+ src/qemu/qemu_process.c | 10 ++++++++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index 31f0cdd..833904b 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -3823,6 +3823,8 @@ virDomainSecDefFree(virDomainSecDef *def)
+ g_free(def->data.sev.dh_cert);
+ g_free(def->data.sev.session);
+ g_free(def->data.sev.user_id);
++ g_free(def->data.sev.secret_header);
++ g_free(def->data.sev.secret);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+@@ -13490,6 +13492,8 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
+ def->dh_cert = virXPathString("string(./dhCert)", ctxt);
+ def->session = virXPathString("string(./session)", ctxt);
+ def->user_id = virXPathString("string(./userid)", ctxt);
++ def->secret_header = virXPathString("string(./secretHeader)", ctxt);
++ def->secret = virXPathString("string(./secret)", ctxt);
+
+ return 0;
+ }
+@@ -26535,6 +26539,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
+
+ if (sev->user_id)
+ virBufferEscapeString(&childBuf, "%s\n", sev->user_id);
++ if (sev->secret_header)
++ virBufferEscapeString(&childBuf, "%s\n", sev->secret_header);
++ if (sev->secret)
++ virBufferEscapeString(&childBuf, "%s\n", sev->secret);
+
+ break;
+ }
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index ddbe288..b5c0302 100644
+--- a/src/conf/domain_conf.h
++++ b/src/conf/domain_conf.h
+@@ -2862,6 +2862,8 @@ 
struct _virDomainSEVDef {
+ unsigned int reduced_phys_bits;
+ virTristateBool kernel_hashes;
+ char *user_id;
++ char *secret_header;
++ char *secret;
+ };
+
+ struct _virDomainSecDef {
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 77900be..f7142d7 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -9675,6 +9675,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
+ qemuDomainObjPrivate *priv = vm->privateData;
+ g_autofree char *dhpath = NULL;
+ g_autofree char *sessionpath = NULL;
++ g_autofree char *secretheaderpath = NULL;
++ g_autofree char *secretpath = NULL;
+
+ VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
+ sev->policy, sev->cbitpos, sev->reduced_phys_bits);
+@@ -9688,6 +9690,12 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
+ if (sev->session)
+ sessionpath = g_strdup_printf("%s/session.base64", priv->libDir);
+
++ if (sev->secret_header)
++ secretheaderpath = g_strdup_printf("%s/secret_header.base64", priv->libDir);
++
++ if (sev->secret)
++ secretpath = g_strdup_printf("%s/secret.base64", priv->libDir);
++
+ if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0",
+ "u:cbitpos", sev->cbitpos,
+ "u:reduced-phys-bits", sev->reduced_phys_bits,
+@@ -9696,6 +9704,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
+ "S:dh-cert-file", dhpath,
+ "S:session-file", sessionpath,
+ "T:kernel-hashes", sev->kernel_hashes,
++ "S:secret-header-file", secretheaderpath,
++ "S:secret-file", secretpath,
+ NULL) < 0)
+ return -1;
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 15f4104..0082049 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -6729,6 +6729,16 @@ qemuProcessPrepareSEVGuestInput(virDomainObj *vm)
+ return -1;
+ }
+
++ if (sev->secret_header) {
++ if (qemuProcessSEVCreateFile(vm, "secret_header", sev->secret_header) < 0)
++ return -1;
++ }
++
++ if (sev->secret) {
++ if (qemuProcessSEVCreateFile(vm, "secret", 
sev->secret) < 0)
++ return -1;
++ }
++
+ return 0;
+ }
+
+-- 
+2.41.0
+
diff --git a/libvirt.spec b/libvirt.spec
index c1205cca307c3eb392044673a74a845c776d187b..bd266a6afcfdf9cfde8421de64d0ab32f70c57c8 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,4 +1,4 @@
-%define anolis_release 9
+%define anolis_release 10
 %define arches_qemu_kvm x86_64 aarch64 loongarch64 sw_64
@@ -174,6 +174,10 @@ Patch0009: Add-cvm-parameter-into-the-type-of-LaunchSecurity.patch
 Patch0010: Add-get-tmm-memory-info-API-into-libvirt-host.patch
 Patch0011: Make-daemons-depend-on-generated-protocol.patch
 Patch0012: Add-sw64-architecture-support-for-libvirt-9.10.0.patch
+# Fix logic error and memleak about Hygon Reuse ASID
+Patch0013: 0013-conf-qemu-Fix-some-code-about-Reuse-ASID-for-Hygon-C.patch
+# Support provide blobs for secret injection for Hygon Confidential VMs
+Patch0014: 0014-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2153,6 +2157,10 @@ exit 0
 %changelog
+* Wed Jan 01 2025 hanliyang - 9.10.0-10
+- Fix logic error and memleak about Hygon Reuse ASID
+- Support provide blobs for secret injection for Hygon Confidential VMs
+
 * Tue Dec 24 2024 lufeifei - 9.10.0-9
 - Add sw64arch support
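Review bot: `secret_header` and `secret` are read independently in virDomainSEVDefParseXML and forwarded to QEMU independently in qemuBuildSEVCommandLine, yet a launch secret is only usable together with its header, so a definition carrying one without the other is accepted at define time and fails only when the `sev-guest` object is created; rejecting the mismatch at parse time with a virReportError, e.g. `if (!!def->secret_header != !!def->secret) { virReportError(VIR_ERR_XML_ERROR, "%s", _("secretHeader and secret must be given together")); return -1; }`, gives the user a clear error. The `S:secret-header-file`/`S:secret-file` properties are added unconditionally; if these are Hygon-specific `sev-guest` properties rather than upstream ones they should be gated on a QEMU capability flag like other optional object properties, otherwise a QEMU without them rejects the whole object. The four-file diffstat touches neither the RNG schema nor docs/formatdomain.rst nor the qemuxml2argv tests, so `<secretHeader>`/`<secret>` will fail schema validation, are undocumented, and the new command line is untested. Both blobs are persisted in the domain XML and re-emitted by virDomainSecDefFormat (and so by dumpxml) exactly like `<session>`; that is acceptable only because they are presumably ciphertext under the launch-session keys, which deserves a comment on the two new struct fields in domain_conf.h. Each enclosing function in this patch continues outside its hunk.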