SEV does not enable IOMMU on SCSI controller

Bug #1845986 reported by Adam Spiers on 2019-09-30
Affects / Status / Importance / Assigned to / Milestone
OpenStack Compute (nova): Importance High, assigned to Boris Bobrov
Train: Importance Undecided, assigned to Adam Spiers

Bug Description

https://review.opendev.org/#/c/644565/ added logic to libvirt/designer.py for enabling iommu for certain devices where virtio is used. This is required for AMD SEV[0]. However it missed the case of a SCSI controller where the model is virtio-scsi, e.g.:

    <controller type='scsi' index='0' model='virtio-scsi'>

As with other virtio devices, here a child element needs to be added to the config when SEV is enabled:

    <driver iommu="on" />

[0] http://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#proposed-change

Changed in nova:
assignee: nobody → Adam Spiers (adam.spiers)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/685756

Changed in nova:
status: New → In Progress
Eric Fried (efried) wrote :

Can you please explain more about what actually breaks?

Eric Fried (efried) wrote :

Fix proposed to branch: master (before the bug, so didn't get picked up by the bot)
Review: https://review.opendev.org/684825

Eric Fried (efried) on 2019-09-30
Changed in nova:
importance: Undecided → High
tags: added: train-rc-potential
Matt Riedemann (mriedem) on 2019-09-30
Changed in nova:
assignee: Adam Spiers (adam.spiers) → Boris Bobrov (bbobrov)

As noted by Sean at [1]

> right so to clarify, in its current state on master,
> SEV will only cause the error below if you have the following image metadata properties set
>
> (hw_disk_bus=scsi or hw_cdrom_bus=scsi) and hw_scsi_model=virtio-scsi
> hw_video_model=virtio (this is the default on arm but SEV only works on AMD x86_64)
> hw_qemu_guest_agent=yes
>
> in all other cases it should work correctly.
>
> the error is caused because when any of the above combinations of image properties are set a virtio device
> is created without instructing qemu to use dma mappable memory for the device by setting driver=iommu.
>
> as a result SEV will try to encrypt the device memory which will cause the guest kernel to lockup when udev tries to initialise the devices.
>
> sev will be functional if the default disk/video models are used and if the qemu disk agent is not used.

[1] https://review.opendev.org/#/c/686414/1/releasenotes/notes/bug-1845986-95cbede0a296b088.yaml@5
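Added example, not code from nova or from the fix under review: an audit of a libvirt domain XML for the condition described in the bug report and in Sean's comment above, listing virtio devices (virtio-scsi controller, virtio-blk disk, virtio video, the virtio-serial controller behind the guest agent channel) that lack <driver iommu="on"/> while SEV launch security is on, plus a repair that adds the attribute. The XPath list and the sample domain XML are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Virtio devices whose DMA must be flagged IOMMU-capable under SEV: (XPath, label).
VIRTIO_DEVICE_CHECKS = [
    ("./devices/controller[@type='scsi'][@model='virtio-scsi']", "virtio-scsi controller"),
    ("./devices/disk/target[@bus='virtio']/..", "virtio-blk disk"),
    ("./devices/video/model[@type='virtio']/..", "virtio video"),
    ("./devices/controller[@type='virtio-serial']", "virtio-serial controller"),
]

def sev_enabled(domain):
    """True if the domain XML requests AMD SEV launch security."""
    ls = domain.find("./launchSecurity")
    return ls is not None and ls.get("type") == "sev"

def driver_iommu_on(device):
    """True if the device element carries <driver iommu="on"/>."""
    drv = device.find("driver")
    return drv is not None and drv.get("iommu") == "on"

def find_missing_iommu(domain_xml):
    """Labels of virtio devices lacking iommu="on"; empty when SEV is off or all are set."""
    domain = ET.fromstring(domain_xml)
    if not sev_enabled(domain):
        return []
    return [label for xpath, label in VIRTIO_DEVICE_CHECKS
            for dev in domain.findall(xpath) if not driver_iommu_on(dev)]

def add_missing_iommu(domain_xml):
    """Return the XML with <driver iommu="on"/> added to every virtio device that lacked it."""
    domain = ET.fromstring(domain_xml)
    if sev_enabled(domain):
        for xpath, _ in VIRTIO_DEVICE_CHECKS:
            for dev in domain.findall(xpath):
                if not driver_iommu_on(dev):
                    drv = dev.find("driver")
                    if drv is None:  # no <driver> element yet: create one
                        drv = ET.SubElement(dev, "driver")
                    drv.set("iommu", "on")
    return ET.tostring(domain, encoding="unicode")

# Constructed sample (not from a real host): SEV on, the virtio-blk disk already
# fixed, the virtio-scsi controller and virtio video still missing iommu="on".
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <launchSecurity type='sev'/>
  <devices>
    <disk type='file' device='disk'><driver name='qemu' type='qcow2' iommu='on'/><target dev='vda' bus='virtio'/></disk>
    <controller type='scsi' index='0' model='virtio-scsi'/>
    <video><model type='virtio'/></video>
  </devices>
</domain>"""
```

On the sample, find_missing_iommu reports the controller and the video device; after add_missing_iommu the same check returns an empty list.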

Reviewed: https://review.opendev.org/686414
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9545edc79d75e75d47c51d5da651975c01e919ec
Submitter: Zuul
Branch: stable/train

commit 9545edc79d75e75d47c51d5da651975c01e919ec
Author: Stephen Finucane <email address hidden>
Date: Thu Oct 3 15:23:53 2019 +0100

    docs: Highlight the current broken state of SEV

    This won't be resolved in time for Train GA, so add a release note
    highlighting the problem until such a time as the release is fixed.

    Change-Id: Iae30e12084640d1c0f072d2db18653111988929e
    Signed-off-by: Stephen Finucane <email address hidden>
    Related-Bug: #1845986
    Stable-Only

tags: added: in-stable-train

Change abandoned by Matt Riedemann (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/685756
Reason: This is definitely not ready and the change on master looks semi-abandoned since there has been radio silence from the SUSE team for the past couple of weeks. We can restore and update this if/when the fix is approved on master.

Fix proposed to branch: master
Review: https://review.opendev.org/696697
