Backport commits required for confidential VMs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-azure-cvm (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Marcelo Cerri |
Bug Description
Below are two sets of commits required for CVM:
1. Core enablement of Linux to run as a Hyper-V guest with the SNP-enabled HCL.
2. VMbus hardening.
Patches related to core enablement of Linux to run as a Hyper-V guest with the SNP-enabled HCL are below:
HV/Storvsc: Add bounce buffer support for Storvsc - https:/
HV/Netvsc: Add SNP support for netvsc driver - https:/
x86/Hyper-V: Copy data from/to bounce buffer during IO operation - https:/
x86/Hyper-V: Add new parameter for vmbus_sendpacke
x86/Hyper-V: Initialize bounce buffer page cache and list - https:/
hv/vmbus: Initialize VMbus ring buffer for Isolated VM - https:/
HV/Vmbus: Add SNP support for VMbus channel initiate message - https:/
HV: Add ghcb hvcall support for SNP VM - https:/
HV: Add Write/Read MSR registers via ghcb - https:/
HV: Get Hyper-V Isolated VM capability - https:/
x86/Hyper-V: Add new hvcall guest address host visibility support - https:/
x86/Hyper-V: Add visibility parameter for vmbus_establish
The following commit is also required for CVM support. It has been upstreamed. If the Ubuntu kernel doesn't contain the patch, it's necessary to backport it.
x86/hyperv: Initialize clockevents earlier in CPU onlining - https:/
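Deciding whether a given Ubuntu kernel tree already carries a patch from this list is a matter of looking for its subject in the tree's history; the script below is an added example (not part of the bug report or of the Ubuntu kernel team's tooling) that does that for a set of required subjects and also pulls out the "(cherry picked from commit ...)" / "(backported from commit ...)" provenance line that Ubuntu kernel backports carry in the commit body, so the report shows which upstream commit each backport came from. The git log sample, every hash in it and the BugLink URL are constructed placeholders; `read_git_log` runs `git log` with a custom `--format` against a real tree and is the only part that touches a repository.

```python
"""Check a kernel tree for the upstream patches listed in this bug.

Added example, not part of the bug report.  Matching is done on the commit
subject (case- and whitespace-insensitive); the provenance line in the body
is parsed so the report can show the upstream commit a backport came from.
Every hash and the git log sample below are constructed for the example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# One `git log` run yields records separated by \x1e and fields by \x1f, so a
# multi-line commit body can never be confused with a record boundary.
GIT_LOG_FORMAT = "%H%x1f%s%x1f%b%x1e"
PROVENANCE_RE = re.compile(
    r"\((?:cherry picked|backported) from commit ([0-9a-f]{7,40})\)"
)

# Three subjects taken from the bug description above.
REQUIRED_SUBJECTS = [
    "x86/hyperv: Initialize clockevents earlier in CPU onlining",
    "HV/Storvsc: Add bounce buffer support for Storvsc",
    "HV/Netvsc: Add SNP support for netvsc driver",
]

# Constructed sample of `git log --format=<GIT_LOG_FORMAT>` output: a clean
# cherry-pick, an adapted backport (with a doubled space in the subject to
# exercise normalisation) and an Ubuntu-only release commit.  The hashes and
# the bug number in the BugLink are placeholders, not real values.
SAMPLE_LOG = (
    "aaaa1111\x1fx86/hyperv: Initialize clockevents earlier in CPU onlining\x1f"
    "BugLink: https://bugs.launchpad.net/bugs/NNNNNNN\n\n"
    "(cherry picked from commit " + "1" * 40 + ")\n"
    "Signed-off-by: Example Maintainer <maintainer@example.com>\x1e\n"
    "bbbb2222\x1fHV/Storvsc:  Add bounce buffer support for Storvsc\x1f"
    "(backported from commit " + "2" * 40 + ")\x1e\n"
    "cccc3333\x1fUBUNTU: Ubuntu-azure-cvm-5.4.0-1063.66+cvm2\x1f\x1e\n"
)


@dataclass
class Commit:
    sha: str
    subject: str
    upstream: Optional[str]  # upstream hash from the provenance line, if any


def normalize(subject: str) -> str:
    """Case- and whitespace-insensitive key for comparing subjects."""
    return " ".join(subject.lower().split())


def parse_git_log(raw: str) -> List[Commit]:
    """Split the \x1e/\x1f-delimited log into Commit records."""
    commits = []
    for record in raw.split("\x1e"):
        record = record.strip("\n")  # git emits a newline after each record
        if not record:
            continue
        sha, subject, body = record.split("\x1f", 2)
        match = PROVENANCE_RE.search(body)
        commits.append(
            Commit(sha.strip(), subject.strip(), match.group(1) if match else None)
        )
    return commits


def read_git_log(repo: str, rev_range: str = "HEAD") -> List[Commit]:
    """Run git against a real tree (not exercised by the constructed sample)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={GIT_LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_git_log(out)


def check_backports(
    required: Sequence[str], commits: Sequence[Commit]
) -> Tuple[Dict[str, Commit], List[str]]:
    """Return (present, missing): present maps each required subject to the
    commit carrying it, missing lists the subjects that still need a backport."""
    by_subject = {normalize(c.subject): c for c in commits}
    present: Dict[str, Commit] = {}
    missing: List[str] = []
    for subject in required:
        commit = by_subject.get(normalize(subject))
        if commit is None:
            missing.append(subject)
        else:
            present[subject] = commit
    return present, missing


if __name__ == "__main__":
    present, missing = check_backports(REQUIRED_SUBJECTS, parse_git_log(SAMPLE_LOG))
    for subject, commit in present.items():
        print(f"present  {commit.sha}  {subject}  (upstream {commit.upstream or 'unknown'})")
    for subject in missing:
        print(f"MISSING  {subject}")
```

Against a real tree, replace `parse_git_log(SAMPLE_LOG)` with `read_git_log("/path/to/ubuntu-kernel", "HEAD")`; subjects that are reported missing are the ones this bug asks to have backported, and a present commit with no provenance line is worth a closer look, since it was not recorded as coming from upstream.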
VMbus hardening patches:
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
CVE References
tags: added: verification-done-focal; removed: verification-needed-focal
affects: linux-azure (Ubuntu) → linux-azure-cvm (Ubuntu)
Changed in linux-azure-cvm (Ubuntu):
status: In Progress → Invalid
Changed in linux-azure-cvm (Ubuntu Focal):
status: New → Fix Committed
assignee: nobody → Marcelo Cerri (mhcerri)
Changed in linux-azure-cvm (Ubuntu):
assignee: Marcelo Cerri (mhcerri) → nobody
This bug is awaiting verification that the linux-azure-cvm/5.4.0-1063.66+cvm2 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!