From 6ad26e9c4702cd1732e7d8ee8c9b9e9d6ba37678 Mon Sep 17 00:00:00 2001
Message-Id: <6ad26e9c4702cd1732e7d8ee8c9b9e9d6ba37678@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Fri, 29 Mar 2019 10:59:25 +0100
Subject: [PATCH] cli: introduce CPU secure parameter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This will allow users to override the default behavior of virt-install
which copies CPU security features available on the host to the guest
XML if a specific CPU model is configured.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 22342ef7ee526f8a5b5a65266363c33c70c8be43)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
---
man/virt-install.pod | 11 ++-
.../compare/virt-install-cpu-disable-sec.xml | 93 +++++++++++++++++++
tests/clitest.py | 1 +
virtinst/cli.py | 1 +
virtinst/cpu.py | 7 +-
5 files changed, 111 insertions(+), 2 deletions(-)
create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
diff --git a/man/virt-install.pod b/man/virt-install.pod
index b57316c2..d90c2b8e 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -215,7 +215,16 @@ required value is MODEL, which is a valid CPU model as known to libvirt.
Libvirt's feature policy values force, require, optional, disable, or forbid,
or with the shorthand '+feature' and '-feature', which equal 'force=feature'
-and 'disable=feature' respectively
+and 'disable=feature' respectively.
+
+If exact CPU model is specified virt-install will automatically copy CPU
+features available on the host to mitigate recent CPU speculative execution
+side channel security vulnerabilities. This however will have some impact
+on performance and will break migration to hosts without security patches.
+In order to control this behavior there is a B<secure> parameter. Possible
+values are I<on> and I<off>, with I<on> as the default. It is highly
+recommended to leave this enabled and ensure all virtualization hosts have
+fully up to date microcode, kernel & virtualization software installed.
Some examples:
diff --git a/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
new file mode 100644
index 00000000..a86d6926
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
@@ -0,0 +1,93 @@
+<domain type="kvm">
+ <name>foobar</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch="x86_64" machine="pc">hvm</type>
+ <boot dev="network"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <cpu mode="custom" match="exact">
+ <model>qemu64</model>
+ </cpu>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <on_reboot>destroy</on_reboot>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <controller type="usb" index="0" model="ich9-ehci1"/>
+ <controller type="usb" index="0" model="ich9-uhci1">
+ <master startport="0"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci2">
+ <master startport="2"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci3">
+ <master startport="4"/>
+ </controller>
+ <interface type="bridge">
+ <source bridge="eth0"/>
+ <mac address="00:11:22:33:44:55"/>
+ <model type="e1000"/>
+ </interface>
+ <console type="pty"/>
+ </devices>
+</domain>
+<domain type="kvm">
+ <name>foobar</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch="x86_64" machine="pc">hvm</type>
+ <boot dev="network"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <cpu mode="custom" match="exact">
+ <model>qemu64</model>
+ </cpu>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <controller type="usb" index="0" model="ich9-ehci1"/>
+ <controller type="usb" index="0" model="ich9-uhci1">
+ <master startport="0"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci2">
+ <master startport="2"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci3">
+ <master startport="4"/>
+ </controller>
+ <interface type="bridge">
+ <source bridge="eth0"/>
+ <mac address="00:11:22:33:44:55"/>
+ <model type="e1000"/>
+ </interface>
+ <console type="pty"/>
+ </devices>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index b869ef55..c6ae68f3 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -610,6 +610,7 @@ c.add_valid("--security label=foobar.label,a1,z2,b3") # --security static with
c.add_compare("--cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto actually works
c.add_invalid("--clock foo_tickpolicy=merge") # Unknown timer
c.add_invalid("--security foobar") # Busted --security
+c.add_compare("--connect " + utils.uri_kvm_q35 + " --cpu qemu64,secure=off", "cpu-disable-sec") # disable security features that are added by default
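Review bot: The new compare case pins only the `secure=off` output for `utils.uri_kvm_q35`; nothing in this hunk pins the default `secure=on` output on the same URI, so a regression that quietly stopped copying the host security features would not be caught here unless an earlier compare case already covers it (not visible in this diff). A sibling case such as `c.add_compare("--connect " + utils.uri_kvm_q35 + " --cpu qemu64", "cpu-enable-sec")` (fixture name constructed) would pin both sides of the new switch, which matters because the default is the side that carries the mitigations.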
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 9baad9d4..31678591 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -1532,6 +1532,7 @@ ParserCPU.add_arg(None, "model", cb=ParserCPU.set_model_cb)
ParserCPU.add_arg("mode", "mode")
ParserCPU.add_arg("match", "match")
ParserCPU.add_arg("vendor", "vendor")
+ParserCPU.add_arg("secure", "secure", is_onoff=True)
ParserCPU.add_arg(None, "force", is_list=True, cb=ParserCPU.set_feature_cb)
ParserCPU.add_arg(None, "require", is_list=True, cb=ParserCPU.set_feature_cb)
diff --git a/virtinst/cpu.py b/virtinst/cpu.py
index 7d6d57a3..4776f90e 100644
--- a/virtinst/cpu.py
+++ b/virtinst/cpu.py
@@ -87,6 +87,8 @@ class CPU(XMLBuilder):
_XML_PROP_ORDER = ["mode", "match", "model", "vendor",
"sockets", "cores", "threads", "features"]
+ secure = True
+
special_mode_was_set = False
# These values are exposed on the command line, so are stable API
SPECIAL_MODE_HOST_MODEL_ONLY = "host-model-only"
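Review bot: `secure = True` is added as a bare class attribute with no comment, and since it is not in `_XML_PROP_ORDER` a reader has to locate the model-setting code further down the file to learn that it is a CLI-only switch that never reaches the domain XML and that the False value strips the host-copied security features. I would put a comment above it: `# CLI-only flag (not an XMLProperty, never serialized): when False, the security features normally copied from the host for an exact CPU model are removed instead of added.` Naming the security consequence next to the default is worth the line, because this is the attribute the `--cpu ...,secure=off` parser writes.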
@@ -149,7 +151,10 @@ class CPU(XMLBuilder):
self.mode = "custom"
if not self.match:
self.match = "exact"
- self._add_security_features(guest)
+ if self.secure:
+ self._add_security_features(guest)
+ else:
+ self._remove_security_features(guest)
self.model = val
def add_feature(self, name, policy="require"):
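Review bot: The new `else` branch strips the host-derived security features without any log output, so a guest created with `secure=off` leaves no trace in virt-install's output that it runs without the speculative-execution mitigations the man page describes; a warning emitted right before `self._remove_security_features(guest)` (through whatever logger cpu.py already uses, not visible here) would give operators something to look for. `_remove_security_features` is not added by this patch, so it presumably already exists elsewhere in cpu.py; whether it distinguishes features the user requested explicitly via `force=`/`require=` from the host-copied ones is not visible in this hunk and is worth confirming. The enclosing method starts outside the hunk.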
--
2.20.1