Commit Graph

77 Commits

Author SHA1 Message Date
Andrea Bolognani
2a52d77096 domcapabilities: Add firmware patterns for loongarch64
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2024-09-10 12:56:38 -04:00
Andrea Bolognani
dc603792bf domcapabilities: Add firmware patterns for riscv64
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2024-09-10 12:54:35 -04:00
Andrea Bolognani
5d5da5ff6e domcapabilities: Update comment
Fedora uses the same paths as Gerd's packages these days.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2024-09-10 10:54:53 +02:00
Pavel Hrdina
c279c17e6c domcapabilities: get list of supported Hyper-V features
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2024-09-06 14:15:09 -04:00
Lin Ma
180154d752 guest: Query availability of spicevmc channels in domcaps
Signed-off-by: Lin Ma <lma@suse.com>
2022-12-14 12:44:54 -05:00
Lin Ma
8cc6ee8da3 guest: Query availability of usb redirdevs in domcaps
Signed-off-by: Lin Ma <lma@suse.com>
2022-12-14 12:44:54 -05:00
Cole Robinson
bb1afaba29 Fix pylint/pycodestyle warnings with latest versions
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-12-13 11:23:45 -05:00
Charles Arnold
424283ad1d launch_security: Use SEV-ES policy=0x07 if host supports it 2022-08-03 08:47:35 -04:00
Daniel P. Berrangé
fec5fd84a7 virtinst: include domain capbilities in debug log
This is critical information when debugging many user problems.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-07-27 17:53:14 -04:00
Cole Robinson
48f66f27fd domcaps: armv7l doesn't support tpm-tis
Libvirt domcaps can advertise armv7l support for tpm-tis, even though
it will explicitly reject that config:

https://gitlab.com/libvirt/libvirt/-/issues/329

Work around that in domcaps. Without this, UEFI arm32 VMs generate
default configs that libvirt will reject

https://bugzilla.redhat.com/show_bug.cgi?id=2078995

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-06-17 13:09:39 -04:00
Cole Robinson
e0c5d74e82 domain: launch_security: simplify defaults and validation
* libvirt fills in cbitpos and reducedPhysBits for us
* libvirt errors if type is missing
* libvirt errors if host/qemu doesn't support sev

So drop it all. This simplifies testing because we don't need
sev domcaps in place just to generate the XML

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-28 08:45:18 -05:00
Cole Robinson
d70d4e6e7a devices: tpm: Rework defaults
The code previously was just encoding the same defaults as libvirt,
which doesn't really add anything.

Instead, let's prefer type='emulator' model='tpm-crb', which
gives the most modern virtualization friendly config. When we don't
know if that will work, we mostly leave things up to libvirt to fill
in.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-19 08:36:28 -05:00
Cole Robinson
46d6491eae domcapabilities: Organize methods a bit
Break out the CPU secure stuff from being inline in the class, most
of the logic there is not relevant to understanding what the
domcapabilities API provides

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-17 14:15:46 -05:00
Cole Robinson
f7f390836a domcapabilities: Add has_value() helper and use it
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-17 14:00:22 -05:00
Cole Robinson
2c477f3302 domain: cpu: Use host-passthrough by default on x86
When libvirt and qemu are new enough, use host-passthrough for the
CPU default. Nowadays this is recommended over host-model for most
end user usage where migration isn't a critical feature.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-16 14:03:44 -05:00
Cole Robinson
49f54a294b virtinst: cpu: drop host-copy support
host-copy was the old default, but it's fundamentally flawed. Since
we switched to host-model default a few years back, it's not advertised
in the docs or selectable via virt-manager any more.

Have it print a warning and invoke host-model-only

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-16 12:31:52 -05:00
Cole Robinson
1ab6dd50be devices: video: Use virtio default more often
This is from Gerd's suggestions here:
https://www.kraxel.org/blog/2019/09/display-devices-in-qemu/

When the guest supports it, we should use virtio. qxl is on the way
out, and the benefits are marginal and add a security and maintenance
burden.

While here, check domcaps that qxl or virtio are actually available.
Modern qemu has device modules, so device support may not be installed.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-03 13:42:49 -05:00
Cole Robinson
1498085ff9 domcapabilities: Remove redundant check
get_enum() will always succeed, so the first check is redundant

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-02-03 13:42:43 -05:00
Cole Robinson
5003f0432e details: Add os.firmware=efi in the firmware selector UI
Let users choose libvirt's os.firmware=efi setting in the UI, putting
it about the firmware path list, since it's the preferred default
these days.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-01-26 13:23:27 -05:00
Cole Robinson
3013889727 guest: Use os.firmware=efi for --boot uefi, if it is supported
<os firmware='efi'> is the libvirt official way to do what we
historically implement with `--boot uefi`, and UEFI setup in
virt-manager.

Let's prefer libvirt's official method if the support is advertised
in domcapabilities.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-01-26 11:59:51 -05:00
Cole Robinson
245e89ac38 guest: Rework set/get_uefi entry points
This replaces the pattern:

  Guest.set_uefi_path(Guest.get_uefi_path())

With a single entrypoint

  Guest.enable_uefi()

to immediately change the guest config to use UEFI, using our
default logic.

This will make it easier to change that logic in the future, like
using <os firmware='efi'> instead of hardcoded paths

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-01-26 11:59:42 -05:00
Lin Ma
c55a5b2d6d domcapabilities: Add supports_memorybacking_memfd()
Linux memfd memory backend doesn't require any host setup, We prefer to
use it as the simplest memory XML adjustments to make virtiofs works.

Signed-off-by: Lin Ma <lma@suse.com>
2022-01-25 12:26:14 -05:00
Lin Ma
546010ff94 domcapabilities: Add supports_filesystem_virtiofs()
Check whether virtiofs is exposed in domcapabilities, We can use it as a
proxy for 'libvirt is new enough to allow bare memory access mode=shared'
as well.

Signed-off-by: Lin Ma <lma@suse.com>
2022-01-25 12:26:14 -05:00
Lin Ma
a608a8c710 domcapabilities: Get filesystem devices
Signed-off-by: Lin Ma <lma@suse.com>
2022-01-25 12:26:14 -05:00
Daniel P. Berrangé
eb58c09f48 virtinst/guest: enable a TPM by default if UEFI is present
The bare metal world is moving to a situation where UEFI is going to be
the only supported firmware and there will be a strong expectation for
TPM and SecureBoot support.

With this in mind, if we're enabling UEFI on a VM, it makes sense to
also provide a TPM alongside it.

Since this requires swtpm to be installed we can't do this
unconditionally. The forthcoming libvirt release expands the domain
capabilities to report whether TPMs are supported, so we check that.

The user can disable the default TPM by requesting --tpm none

https://github.com/virt-manager/virt-manager/issues/310
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-01-21 17:49:15 -05:00
Cole Robinson
30382d57f1 graphics: Check domcaps for whether spice is available
This has been reported for the libvirt qemu driver since v1.3.5,
released June 2016. But we need to keep some fallback logic for
the test driver, and to keep the testsuite happy

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2021-06-08 10:36:19 -04:00
Cole Robinson
d304a9b205 tests: More bhyve UEFI testing
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2021-02-15 13:39:16 -05:00
Roman Bogorodskiy
6c7080a39b virtinst: bhyve: properly configure loader
Bhyve requires explicit loader configuration. So query
domain capabilities, try to find the "official"
firmware and configure all the necessary loader options.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
2021-02-15 13:27:48 -05:00
emojifreak
04ad8df752 Added Debian's armv7l UEFI binary. Closes #174 2020-11-03 13:49:27 -05:00
Cole Robinson
f7bd274a55 domcaps: Fix error if enum not found
https://bugzilla.redhat.com/show_bug.cgi?id=1883008

In the example above this is because the VM XML has an invalid machine
type, so domcaps fetching entirely fails, and a get_enum() call
then fails. But this could happen if using virt-manager against an
older libvirt that doesn't advertise the enum

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2020-09-28 13:44:34 -04:00
Cole Robinson
bea401a2cf domcapabilities: Fix backtrace on python3.9
Apparently we can't set etree 'root.attrib = None' anymore

https://bugzilla.redhat.com/show_bug.cgi?id=1869046

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2020-08-18 13:49:16 -04:00
Daniel Henrique Barboza
bdb2bed3e9 virtinst: trivial codespell fixes
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-07-04 17:56:57 -04:00
Cole Robinson
c64009ecdd domaincapabilities: Finish test coverage
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2020-01-27 13:08:12 -05:00
Michal Privoznik
66be1d009f domcapabilities: Whitelist upstream qemu edk2 paths
Upstream qemu installs
/usr/share/qemu/edk2-$ARCH-(?secure-)code.fd FW images. Whitelist
them too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-17 16:27:49 -05:00
Cole Robinson
5d91237386 domcaps: Tweak cpu security feature log statements
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-11-12 14:17:21 -05:00
Cole Robinson
d934d6f266 domcaps: Fix check for uncached security features
We need to check against None, which is the initial value, otherwise
a host with none of the security features present will repeatedly poll
libvirt baseline APIs

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-11-12 14:17:21 -05:00
Pavel Hrdina
df48a77e6a virtinst: fix detection if baselineHypervisorCPU API is available
With libvirt-python >= 4.4.0 and libvirt < 4.4.0 we would receive
libvirt.libvirtError exception because the python binding knows about
the function but it's not supported by libvirt.  However, in case that
the python binding is older then 4.4.0 it will raise AttributeError
because the function is not implemented in python binding as well.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-10-22 13:42:21 +02:00
Fabiano Fidêncio
2e20b128a1 domcapabilities: Add supports_video_bochs()
Returns whether bochs display is supported, according to the domain
capabilities.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2019-10-04 11:15:09 -04:00
Fabiano Fidêncio
1547e16d62 domcapabilities: Get video devices
domcapabilities already handles disk and hostdev. Let's add support for
getting video devices as well.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2019-10-04 11:15:09 -04:00
Cole Robinson
f107e39989 Switch to more traditional logging structure
Init a shared log instance in virtinst/logger.py, and use that
throughout the code base, so we aren't calling directly into
'logging'. This helps protect our logging output from being
cluttered with other library output, as happens with some
'requests' usage
2019-06-17 00:12:31 -04:00
Erik Skultety
8ab9dcd33f virtinst: guest: Provide further SEV support checks
These include platform checks - libvirt & QEMU - as well as
configuration - SEV is only supported with UEFI.
Another configuration requirement made in this patch is Q35 machine,
since ADM recommends Q35 in their setups even though SEV can work with
the legacy PC machine type, but we'd have to turn on
virtio-non-transitional for all virtio devices with some other potential
pitfalls along the way.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
2019-06-11 13:00:34 -04:00
Erik Skultety
1a8728fc2d virtinst: guest: Fill in SEV platform specific data automatically
The data in question are 'cbitpos' denoting which addressing bit is the
encryption bit and 'reduced_phys_bits' denoting how many physical
address space we lose by turning on the encryption. Both of these are
hypervisor dependent and thus will be the same for all the guest
residing on the same host, but need to be specified for future migration
purposes.
But given we can probe them from domain capabilities, we don't need the
user to provide them and thus enhancing cli user experience. This
requires a new _SEV domaincapabilities XML class to be created so that
we can query the specific properties.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
2019-06-11 13:00:34 -04:00
Cole Robinson
f85e6def55 support: Convert callers to the new format 2019-06-07 16:26:03 -04:00
Pavel Hrdina
c11d6ba4d7 domcapabilities: detect MDS new vulnerability
There is a new security feature 'md-clear' that mitigates recent CPU
Microarchitectural Store Buffer Data vulnerability.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-05-14 20:11:39 +02:00
Pavel Hrdina
413858f3dc domcapabilities: actually fix detection if host-model is safe to use
The original code created a new list which had True/False items.  The
only case where the returned value would be False is for empty list
which never happens in real environment.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-04-11 15:13:29 +02:00
Pavel Hrdina
00f8dea370 domcapabilities: add caching of CPU security features
We will call this function multiple times so it makes sense to cache the
result so we don't have to call libvirt APIs every time we will check
what security features are available on the host.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-04 13:40:45 +02:00
Pavel Hrdina
b711b28b1a domcapabilities: fix typo in function name
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-04 11:51:03 +02:00
Pavel Hrdina
29f815fbd2 domcapabilities: remove recommended CPU features from security features
These features are only recommended to be enabled since they improve
performance of the VMs if security features are enabled.

pcid is a very useful perf feature, but missing in some silicon
so not portable.

pdpe1gb lets the guest use 1 GB pages which is good for perf
but again not all silicon can do it.

amd-ssbd is a security feature which fixes the same SSBD flaws as the
virt-ssbd feature does. virt-ssbd is usable across all CPU models
affected by SSBD, while amd-ssbd is only available in very new silicon.
So virt-ssbd is the bette rchoice.

amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
critical to expose. I expect a future named CPU model will include that
where appropriate.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-04 11:49:29 +02:00
Pavel Hrdina
4a8b6363c0 domcapabilities: introduce get_cpu_security_features
Get all CPU security features that we should enable for guests.

In order to do that we need to get CPU definition from domain
capabilities and modify the XML so it is in required format for
libvirt CPU baseline APIs.  We will prefer the baselineHypervisorCPU
API because that considers what QEMU actually supports and we will
fallback to baselineCPU API if the better one is not supported by
libvirt.

This way we can figure out which of the security features are actually
available on that specific host for that specific QEMU binary.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2019-03-19 13:45:49 +01:00
Pavel Hrdina
95d1275f57 domcapabilities: get list of CPU models from domcapabilities
Currently we just call libvirt API which will return all CPU models for
specific architecture known to libvirt and we offer all of them to users
in GUI.  Let's switch to domain capabilities where we have more details
about these CPUs such as whether each model is usable with current QEMU
binary.  If libvirt can detect the usability we will offer only CPU
models that QEMU can actually run.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2019-03-19 13:41:53 +01:00