Bug #1959966 “[23.04 FEAT] KVM: Secure Execution guest dump encr...” : Bugs : qemu package : Ubuntu

bugproxy (bugproxy) on 2022-02-03

tags:	added: architecture-s39064 bugnameltc-196317 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2022-02-03: Comment bridged from LTC Bugzilla

#1

------- Comment From <email address hidden> 2022-02-03 17:25 EDT-------
This also has an kernel and s390-tools part:

IBM BZ 196316 - LP#1959940 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part
IBM BZ 196318 - LP1#959965 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - s390-tools part

Frank Heimes (fheimes) on 2022-02-04

affects:	linux (Ubuntu) → qemu (Ubuntu)
Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in qemu (Ubuntu):
importance:	Undecided → High
Changed in ubuntu-z-systems:
importance:	Undecided → High
Changed in qemu (Ubuntu):
status:	New → Incomplete
Changed in ubuntu-z-systems:
status:	New → Incomplete
tags:	added: qemu-22.04

Revision history for this message

bugproxy (bugproxy) wrote on 2022-03-20:

#2

------- Comment From <email address hidden> 2022-03-20 19:31 EDT-------
Item didn't make it in time for jammy / 22.04, therefore we need to move this to Ubuntu 22.10.
Changing Target Milestone: from 22.04 ==> 22.10

tags:

added: targetmilestone-inin2210
removed: targetmilestone-inin2204

Frank Heimes (fheimes) on 2022-03-21

summary:

- [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer
+ [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer
keys - qemu part

Revision history for this message

bugproxy (bugproxy) wrote on 2022-09-12:

#3

------- Comment From <email address hidden> 2022-09-12 00:57 EDT-------
This item didn't make it in time for kinetic / 22.10, therefore we have to move it to Ubuntu 23.04.
Changing Target Milestone to: 23.04

tags:

added: targetmilestone-inin2304
removed: targetmilestone-inin2210

Frank Heimes (fheimes) on 2022-09-12

summary:	- [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer + [23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part
tags:	added: qemu-23.04 removed: qemu-22.04

Frank Heimes (fheimes) on 2022-11-17

Changed in ubuntu-z-systems:
status:	Incomplete → New
Changed in qemu (Ubuntu):
status:	Incomplete → New

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2023-01-05:

#4

Hi,
I'm merging qemu 7.2 now, is this completed upstream by now?
Either in 7.2 or at least in the latest main branch to pick from?

Revision history for this message

bugproxy (bugproxy) wrote on 2023-01-09:

#5

------- Comment From <email address hidden> 2023-01-09 03:03 EDT-------
It's both in master and 7.2 AFAIK

Frank Heimes (fheimes) on 2023-01-09

Changed in ubuntu-z-systems:
status:	New → Confirmed
Changed in qemu (Ubuntu):
status:	New → Confirmed

Frank Heimes (fheimes) on 2023-01-25

Changed in qemu (Ubuntu):
status:	Confirmed → In Progress
Changed in ubuntu-z-systems:
status:	Confirmed → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2023-02-14:

#6

------- Comment From <email address hidden> 2023-02-14 10:18 EDT-------
For this item there's a fix available but it's not yet merged into qemu:
https://<email address hidden>/T/#t

Revision history for this message

Frank Heimes (fheimes) wrote on 2023-02-15:

#7

Meanwhile 7.2 landed in lunar-proposed:
qemu | 1:7.2+dfsg-3ubuntu1 | lunar-proposed
hence updating ticket status to Fix Committed.

Changed in qemu (Ubuntu):
status:	In Progress → Fix Committed
Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-06:

#8

Download full text (9.9 KiB)

This bug was fixed in the package qemu - 1:7.2+dfsg-4ubuntu1

---------------
qemu (1:7.2+dfsg-4ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993438), among many other fixes
    this resolvs these bugs:
    (LP: #1957924) - support for querying stats,
    (LP: #1853307) - Enhanced Interpretation for PCI Functions (s390x)
    (LP: #1959966) - guest dump encryption with customer keys (s390x)
    (LP: #1999885) - pv: don't allow userspace to set the clock under PV
    (LP: #1957924) - add filtering of statistics by target vCPU
    remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type
      (LP: 1304107 1621042 1776189 1761372 1761372 1776189)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types containing release versioned machine attributes
      - d/qemu-system-x86.NEWS Info on fixed machine type defintions
        for host-phys-bits=true
      - Add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - Ease the use of module retention on upgrades (LP 1913421)
      - debian/qemu-block-extra.postinst: enable mount unit on install/upgrade
    - d/control-in: switch qemu-system-x86-xen to qemu-system-xen as this
      landed in Debian but under a different name.
    - Remaining GCC-12 FTBFS (LP 1988710 + LP 1921664)
      + d/p/u/qboot-Disable-LTO-for-ELF-binary-build-step.patch:
        fix qboot FTBFS with LTO
  * Dropped Changes [now part of upstream v7.2.0]
    - d/p/u/lp1994002-migration-Read-state-once.patch: Fix for libvirt
      error 'migration was active, but no RAM info was set' (LP 1994002)
    - d/p/u/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch:
      Fix FTBFS with libbpf 1.0.1-2.
      + Header updates that were added as part of the libbpf fixes
        but not mentioned in changelog
    - d/p/u/lp-1981339-*: fix s390x system emulation (LP 1981339)
    - Fix I/O stalls when using NVMe storage (LP 1970737).
      + d/p/lp1970737-linux-aio-*.patch: Fix unbalanced plugged counter
        in laio_io_unplug.
    - SECURITY UPDATE...

This bug was fixed in the package qemu - 1:7.2+dfsg-4ubuntu1

---------------
qemu (1:7.2+dfsg-4ubuntu1) lunar; urgency=medium

* Merge with Debian unstable (LP: #1993438), among many other fixes
    this resolvs these bugs:
    (LP: #1957924) - support for querying stats,
    (LP: #1853307) - Enhanced Interpretation for PCI Functions (s390x)
    (LP: #1959966) - guest dump encryption with customer keys (s390x)
    (LP: #1999885) - pv: don't allow userspace to set the clock under PV
    (LP: #1957924) - add filtering of statistics by target vCPU
    remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type
      (LP: 1304107 1621042 1776189 1761372 1761372 1776189)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types containing release versioned machine attributes
      - d/qemu-system-x86.NEWS Info on fixed machine type defintions
        for host-phys-bits=true
      - Add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - Ease the use of module retention on upgrades (LP 1913421)
      - debian/qemu-block-extra.postinst: enable mount unit on install/upgrade
    - d/control-in: switch qemu-system-x86-xen to qemu-system-xen as this
      landed in Debian but under a different name.
    - Remaining GCC-12 FTBFS (LP 1988710 + LP 1921664)
      + d/p/u/qboot-Disable-LTO-for-ELF-binary-build-step.patch:
        fix qboot FTBFS with LTO
  * Dropped Changes [now part of upstream v7.2.0]
    - d/p/u/lp1994002-migration-Read-state-once.patch: Fix for libvirt
      error 'migration was active, but no RAM info was set' (LP 1994002)
    - d/p/u/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch:
      Fix FTBFS with libbpf 1.0.1-2.
      + Header updates that were added as part of the libbpf fixes
        but not mentioned in changelog
    - d/p/u/lp-1981339-*: fix s390x system emulation (LP 1981339)
    - Fix I/O stalls when using NVMe storage (LP 1970737).
      + d/p/lp1970737-linux-aio-*.patch: Fix unbalanced plugged counter
        in laio_io_unplug.
    - SECURITY UPDATE: heap overflow in floppy disk emulator
      + debian/patches/CVE-2021-3507.patch: prevent end-of-track overrun in
        hw/block/fdc.c.
    - SECURITY UPDATE: use-after-free vulnerability
      + debian/patches/CVE-2022-0216-*.patch: fix use-after-free in
        lsi_do_msgout
    - SECURITY UPDATE: heap overflow vulnerability
      + debian/patches/CVE-2022-2962.patch: tulip: Restrict DMA engine to
        memories
    - SECURITY UPDATE: integer underflow vulnerability
      + debian/patches/CVE-2022-3165.patch: fix integer underflow in
        vnc_client_cut_text_ext
  * Dropped Changes in regard to GCC-12 FTBFS (LP 1988710)
    [not all are needed in lunar]
    -  d/p/u/lp1988710-silence-openbios-array-bounds-false-positive.patch.
       Silence -Warray-bounds false positive [no more needed]
    - d/rules: set -O1 for alpha firmware build
    - d/p/u/lp1988710-opensbi-Makefile-fix-build-with-binutils-2.38.patch:
      further FTBFS fixup
  * Dropped Changes [in Debian 1:7.2+dfsg-3]
    - d/rules: disable LTO on non-amd64 builds (LP 1921664)
  * Added Changes
    - d/control-in: libnfs is in main since focal, enable direct nfs
      storage support (LP: #1988704)
    - d/control-in: libsndio is in universe in ubuntu

qemu (1:7.2+dfsg-4) unstable; urgency=medium

* block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch:
    re-pick now from master (the same patch, moved to master/).
  * revert x86-don-t-let-decompressed-kernel-image-clobber-setu.patch
    Closes: ##1031682 .
    This turned out to be wrong move, breaking more stuff than fixing.
    Upstream is going to revert it too.

qemu (1:7.2+dfsg-3) unstable; urgency=medium

[ Paride Legovini ]
  * Disable LTO on non-amd64 builds (LP: #1921664)

[ Michael Tokarev ]
  * target-arm-Fix-physical-address-resolution-for-Stage2.patch:
    re-fetch now from master branch
  * 4 more patches picked from master:
    x86-don-t-let-decompressed-kernel-image-clobber-setu.patch
    migration-ram-Fix-error-handling-in-ram_write_tracki.patch
    migration-ram-Fix-populate_read_range.patch
    qcow2-Fix-theoretical-corruption-in-store_bitmap-err.patch
  * 5 fixes picked from current pullreqs:
    block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
    tests_tcg_i386-introduce-and-use-reg_t-consistently.patch
    target_i386-fix-BEXTR-instruction.patch
    target_i386-fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
    target_i386-fix-ADOX-followed-by-ADCX.patch
  * disable dwz on certain architectures for older dwz
    (FTBFS on bullseye, #968670)

qemu (1:7.2+dfsg-2) unstable; urgency=medium

* d/rules: add -ffile-prefix-map when building skiboot
  * d/control: provide qemu-kvm in qemu-system-misc on s390x
    (Closes: #1029309)
  * d/control: drop dependency of qemu-guest-agent on lsb-base
  * Picked patches from qemu master branch tagged for qemu-stable
    up to commit deabea6e88 (2023-02-02):
    target-sh4-Mask-restore-of-env-flags-from-tb-flags.patch
    vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
    virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
    virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
    target-arm-fix-handling-of-HLT-semihosting-in-system.patch
    meson-accept-relative-symlinks-in-meson-introspect-i.patch
    target-riscv-Set-pc_succ_insn-for-rvc-illegal-insn.patch
    acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
    hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
    hw-nvme-fix-missing-cq-eventidx-update.patch
    configure-fix-GLIB_VERSION-for-cross-compilation.patch
    target-arm-Fix-sve_probe_page.patch
    target-arm-allow-writes-to-SCR_EL3.HXEn-bit-when-FEA.patch
    target-arm-Fix-in_debug-path-in-S1_ptw_translate.patch
  * Also: target-arm-Fix-physical-address-resolution-for-Stage.patch

qemu (1:7.2+dfsg-1) unstable; urgency=medium

* new upstream release
    Closes: #1025123 CVE-2022-4172
    (erst: undefined behavior in memcpy in write_erst_record)
    Closes: #1021981 qemu-user: faccessat2 is not implemented
    Closes: #1021019 CVE-2022-3165 (VNC: integer underflow in
    vnc_client_cut_text_ext leads to CPU exhaustion)
  * remove patches applied upstream
  * refresh note-missing-module-pkg-name.diff
  * slirp is always external package now, not a submodule anymore
  * d/control: require meson >> 0.61.5~ for build
  * spelling.diff: update with more spelling error
  * add some lintian-overrides
  * fix minor spelling errors in patches
  * d/control: Bump Standards-Version to 4.6.1
  * debian shell programs use "which" instead of the "command -v",
    fix that (Closes: #1018254)
  * Better fix for #1019011 (gcc ICE building palcode-clipper), use -O1
    instead of -O2 for the failing compile when it actually fails
    (no need to depend on gcc-11, Closes: #1011003)

qemu (1:7.1+dfsg-2) unstable; urgency=medium

* tulip-restrict-DMA-engine-to-memories-CVE-2022-2962.patch
    fix possible stack or heap overflow (tulip: DMA reentrancy issue)
    Closes: #1018055, CVE-2022-2962
  * hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
    fix possible use-after-free in paravirtual RDMA device.
    Closes: #1014589, CVE-2022-1050
  * mention closing of #979677 (CVE-2020-14394) by 7.1
  * d/rules: parametrify extra-cflags & extra-ldflags
  * d/rules: explicitly disable pie on arm64 due to
    https://sourceware.org/bugzilla/show_bug.cgi?id=29514
    Fixes FTBFS.

qemu (1:7.1+dfsg-1) unstable; urgency=medium

* new upstream release (7.1)
    Closes: #1014958, CVE-2022-35414
    Closes: #1014590, CVE-2022-0216
    Closes: #979677, CVE-2020-14394
    Closes: #987410, CVE-2021-3507
    Closes: #988333, #1018913
  * d/copyright:
   - remove mentions of slirp (packaged separately)
   - blindly convert to dep-5 (it needs a complete rewrite)
   - add Files-Excluded from d/get-orig-source.sh
  * d/gbp.conf: remove filter= (and whole [import-orig])
  * d/watch: verify upstream tarballs
  * d/rules: stop faking skiboot version, it is now properly included in
    roms/skiboot/.version file. Add a dependency on this file too
  * d/patches:
   - remove use-fixed-data-path.patch: not needed anymore
   - linux-user-binfmt-P.diff: refresh
   - remove patches applied upstream
  * d/control:
   - it is --enable-capstone now, not --enable-capstone=system
   - it is --enable-png now, not --enable-vnc-png
  * d/rules: fix --enable-vhost-* options
  * d/rules: remove vnc-png for xen too
  * openbios-array-bounds-gcc12.patch
  * opensbi-fix-build-with-binutils-2.38.patch
  * d/rules: adopt vof build changes
  * d/qemu-system-data.docs: omit ccid.txt (removed)
  * temporary workaround for gcc-12 bug #1019011: use gcc-11-alpha-linux-gnu
    instead of gcc-alpha-linux-gnu (another option is to use -Os)
  * d/control: temporarily build-depend on libva-dev till #1019485 is fixed
  * add loongarch64 qemu-user and qemu-user arch

-- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 04 Jan 2023 13:18:43 +0100

Changed in qemu (Ubuntu):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2023-03-06

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released
information type:	Private → Public

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-07-29:

#9

To get this as SRU into jammy/22.04, we would need a list of commits (maybe backports) that fit to qemu 6.2 that we have in jammy.

Revision history for this message

bugproxy (bugproxy) wrote on 2024-08-08:

#10

------- Comment From <email address hidden> 2024-08-08 08:53 EDT-------
Hey Frank, could you give me a repo url for qemu as well?

Revision history for this message

bugproxy (bugproxy) wrote on 2024-08-15:

#11

------- Comment From <email address hidden> 2024-08-15 09:00 EDT-------
I have a lot of problems when trying to compile a jammy qemu and I haven't yet been able to fix them.
Fortunately I was at least able to apply the following patches on top of the qemu jammy-devel source git (after a quilt push -a). If possible try to compile them and send me a ppa or deb file for testing.

These patches include the fix for paused VMs if a dump is being written onto a file system that's too small.

d12a91e0ba target/s390x/arch_dump: Add arch cleanup function for PV dumps
e72629e514 dump: Add arch cleanup function
816644b121 target/s390x/dump: Remove unneeded dump info function pointer init
4376a770c7 target/s390x/arch_dump: Simplify memory allocation in s390x_write_elf64_notes()
eb60026120 target/s390x/arch_dump: Fix memory corruption in s390x_write_elf64_notes()
ad3b2e693d s390x: Add protected dump cap
113d8f4e95 s390x: pv: Add dump support
1af0006ab9 dump: Replace opaque DumpState pointer with a typed one
9b72224f44 dump: Add architecture section and section string table support
13fd417ddc dump: Reintroduce memory_offset and section_offset
cb415fd61e dump: Write ELF section headers right after ELF header
e41ed29bce dump: Use a buffer for ELF section data and headers
94d788408d dump: fix kdump to work over non-aligned blocks
08df343874 dump: simplify a bit kdump get_next_page()
2341a94d3a dump: Rename write_elf*_phdr_note to prepare_elf*_phdr_note
670e76998a dump: Split elf header functions into prepare and write
c370d5300f dump: Rework dump_calculate_size function
dddf725f70 dump: Rework filter area variables
0c2994ac90 dump: Rework get_start_block
1e8113032f dump: Refactor dump_iterate and introduce dump_filter_memblock_*()
afae6056ea dump: Rename write_elf_loads to write_elf_phdr_loads
c68124738b dump: Consolidate elf note function
5ff2e5a3e1 dump: Cleanup dump_begin write functions
bc7d558017 dump: Consolidate phdr note writes
05bbaa5040 dump: Introduce dump_is_64bit() helper function
e71d353360 dump: Add more offset variables
344107e07b dump: Remove the section if when calculating the memory offset
862a395858 dump: Introduce shdr_num to decrease complexity
046bc4160b dump: Remove the sh_info variable
86a518bba4 dump: Use ERRP_GUARD()

------- Comment From frankja@de.ibm.com 2024-08-15 09:00 EDT-------
I have a lot of problems when trying to compile a jammy qemu and I haven't yet been able to fix them.
Fortunately I was at least able to apply the following patches on top of the qemu jammy-devel source git (after a quilt push -a). If possible try to compile them and send me a ppa or deb file for testing.

These patches include the fix for paused VMs if a dump is being written onto a file system that's too small.

d12a91e0ba target/s390x/arch_dump: Add arch cleanup function for PV dumps
e72629e514 dump: Add arch cleanup function
816644b121 target/s390x/dump: Remove unneeded dump info function pointer init
4376a770c7 target/s390x/arch_dump: Simplify memory allocation in s390x_write_elf64_notes()
eb60026120 target/s390x/arch_dump: Fix memory corruption in s390x_write_elf64_notes()
ad3b2e693d s390x: Add protected dump cap
113d8f4e95 s390x: pv: Add dump support
1af0006ab9 dump: Replace opaque DumpState pointer with a typed one
9b72224f44 dump: Add architecture section and section string table support
13fd417ddc dump: Reintroduce memory_offset and section_offset
cb415fd61e dump: Write ELF section headers right after ELF header
e41ed29bce dump: Use a buffer for ELF section data and headers
94d788408d dump: fix kdump to work over non-aligned blocks
08df343874 dump: simplify a bit kdump get_next_page()
2341a94d3a dump: Rename write_elf*_phdr_note to prepare_elf*_phdr_note
670e76998a dump: Split elf header functions into prepare and write
c370d5300f dump: Rework dump_calculate_size function
dddf725f70 dump: Rework filter area variables
0c2994ac90 dump: Rework get_start_block
1e8113032f dump: Refactor dump_iterate and introduce dump_filter_memblock_*()
afae6056ea dump: Rename write_elf_loads to write_elf_phdr_loads
c68124738b dump: Consolidate elf note function
5ff2e5a3e1 dump: Cleanup dump_begin write functions
bc7d558017 dump: Consolidate phdr note writes
05bbaa5040 dump: Introduce dump_is_64bit() helper function
e71d353360 dump: Add more offset variables
344107e07b dump: Remove the section if when calculating the memory offset
862a395858 dump: Introduce shdr_num to decrease complexity
046bc4160b dump: Remove the sh_info variable
86a518bba4 dump: Use ERRP_GUARD()

Revision history for this message

Mitchell Dzurick (mitchdz) wrote on 2024-08-16:

#12

I just checked trying to apply those patches. I was able to apply the following on top of jammy-devel:

113d8f4e95 s390x: pv: Add dump support
1af0006ab9 dump: Replace opaque DumpState pointer with a typed one
9b72224f44 dump: Add architecture section and section string table support
13fd417ddc dump: Reintroduce memory_offset and section_offset
cb415fd61e dump: Write ELF section headers right after ELF header
e41ed29bce dump: Use a buffer for ELF section data and headers
94d788408d dump: fix kdump to work over non-aligned blocks
08df343874 dump: simplify a bit kdump get_next_page()
2341a94d3a dump: Rename write_elf*_phdr_note to prepare_elf*_phdr_note
670e76998a dump: Split elf header functions into prepare and write
c370d5300f dump: Rework dump_calculate_size function
dddf725f70 dump: Rework filter area variables
0c2994ac90 dump: Rework get_start_block
1e8113032f dump: Refactor dump_iterate and introduce dump_filter_memblock_*()
afae6056ea dump: Rename write_elf_loads to write_elf_phdr_loads
c68124738b dump: Consolidate elf note function
5ff2e5a3e1 dump: Cleanup dump_begin write functions
bc7d558017 dump: Consolidate phdr note writes
05bbaa5040 dump: Introduce dump_is_64bit() helper function
e71d353360 dump: Add more offset variables
344107e07b dump: Remove the section if when calculating the memory offset
862a395858 dump: Introduce shdr_num to decrease complexity
046bc4160b dump: Remove the sh_info variable
86a518bba4 dump: Use ERRP_GUARD()

However

ad3b2e693d s390x: Add protected dump cap

Fails to apply. Were you able to apply all of those patches without issue?

I see ad3b2e693d conflicts with the file `target/s390x/kvm/kvm.c`

Revision history for this message

bugproxy (bugproxy) wrote on 2024-08-19:

#13

------- Comment From <email address hidden> 2024-08-19 02:50 EDT-------
Commit ad3b2e693d applies cleanly for me on the following base commit + quilt patches
8a4bd971eb (tag: import/1%6.2+dfsg-2ubuntu6.22)

Does the git cherry-pick fail and if yes, where?
That's one of the easiest patches to have a conflict, so I'm surprised.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#14

Hi Frank,

Apologies for taking a while to reply; I've been very busy adjusting QEMU on Oracular, since we're on Feature Freeze right now.

Anyway, I will be taking another look at this bug first thing tomorrow morning and will report back.

Thanks for providing the list of patches.

Changed in qemu (Ubuntu Jammy):
status:	New → Triaged
assignee:	nobody → Sergio Durigan Junior (sergiodj)
tags:	added: server-todo

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#15

Hi again,

I've backported and applied all patches on top of Jammy's QEMU. The package (version 1:6.2+dfsg-2ubuntu6.23~ppa1) is now building here:

https://launchpad.net/~sergiodj/+archive/ubuntu/qemu/+packages

Assuming that the build passes, could you please give it a try and see if it works?

Thanks.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#16

Spoke too soon. There's a build failure:

../../target/s390x/arch_dump.c: In function ‘s390x_write_elf64_pv’:
../../target/s390x/arch_dump.c:191:36: error: ‘NT_S390_PV_CPU_DATA’ undeclared (first use in this function)
  191 | note->hdr.n_type = cpu_to_be32(NT_S390_PV_CPU_DATA);
      | ^~~~~~~~~~~~~~~~~~~
../../target/s390x/arch_dump.c:191:36: note: each undeclared identifier is reported only once for each function it appears in
../../target/s390x/arch_dump.c:195:5: warning: implicit declaration of function ‘kvm_s390_dump_cpu’; did you mean ‘kvm_s390_mem_op’? [-Wimplicit-function-declaration]
  195 | kvm_s390_dump_cpu(cpu, &note->contents.dynamic);
      | ^~~~~~~~~~~~~~~~~
      | kvm_s390_mem_op
../../target/s390x/arch_dump.c:195:5: warning: nested extern declaration of ‘kvm_s390_dump_cpu’ [-Wnested-externs]
../../target/s390x/arch_dump.c: At top level:
../../target/s390x/arch_dump.c:220:9: error: ‘kvm_s390_pv_dmp_get_size_cpu’ undeclared here (not in a function)
  220 | {0, kvm_s390_pv_dmp_get_size_cpu, s390x_write_elf64_pv, true},
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like we'll need to backport more patches? I'll look into it.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#17

5433669c7a1 include/elf.h: add s390x note types

and

03d83ecfae4 s390x: Introduce PV query interface

seem to be missing.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#18

753ca06f470 s390x: Add KVM PV dump interface

is also missing.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-20:

#19

@Frank,

OK, I think I found all the missing commits and backported them. Could you please give the package a try? The version now is 1:6.2+dfsg-2ubuntu6.23~ppa3.

Thanks.

Revision history for this message

bugproxy (bugproxy) wrote on 2024-08-22:

#20

------- Comment From <email address hidden> 2024-08-22 04:09 EDT-------
Hey Sergio, I was unavailable the last two days, but I'll test your package today.
Sorry that I missed those commits and caused more work.

On a side note: My first name is Janosch and it makes sense to use it when mentioning me, since fheimes is also around.

Revision history for this message

bugproxy (bugproxy) wrote on 2024-08-22:

#21

------- Comment From <email address hidden> 2024-08-22 09:50 EDT-------
The provided package works without a problem and I've verified that the guest keeps on running when dumping to a file system that's smaller than the dump size.

I've used the patches that I've attached to the kernel bug to add the feature to KVM and built s390-tools from the latest git since there's no backport yet for 22.04.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-08-22:

#22

Hi Janosch :-),

Thanks for the tests. I'll talk to Frank and proceed with the SRU process.

Frank Heimes (fheimes) on 2024-08-29

description:

updated

Frank Heimes (fheimes) on 2024-08-29

Changed in qemu (Ubuntu Jammy):
status:	Triaged → In Progress

Frank Heimes (fheimes) on 2024-08-30

description:	updated
description:	updated

Revision history for this message

bugproxy (bugproxy) wrote on 2024-09-09:

#23

------- Comment From <email address hidden> 2024-09-09 10:11 EDT-------
Verified with 5.15.0-118-generic #128~lp1959940-Ubuntu and QEMU 1:6.2+dfsg-2ubuntu6.23~ppa4
Also tested the pause fix.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-09-09:

#24

Hi Janosch,

Thanks for the verification.

I talked to Frank and decided to proceed with the upload now. This will allow the SRU team to "digest" the changes until the kernel changes are SRU'ed.

Thanks.

Ubuntu
qemu package

[23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	High	Skipper Bug Screeners
qemu (Ubuntu)	Fix Released	High	Skipper Bug Screeners
Jammy	In Progress	Undecided	Sergio Durigan Junior

Ubuntuqemu package

[23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
qemu package