diff options
Diffstat (limited to 'external/meta-virtualization/recipes-extended/libvirt')
27 files changed, 453 insertions, 2011 deletions
diff --git a/external/meta-virtualization/recipes-extended/libvirt/README b/external/meta-virtualization/recipes-extended/libvirt/README new file mode 100644 index 00000000..af4fd170 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/libvirt/README @@ -0,0 +1,26 @@ +libvirt default connection mode between client(where for example virsh runs) and +server(where libvirtd runs) is tls which requires keys and certificates for +certificate authority, client and server to be properly generated and deployed. +Otherwise, servers and clients cannot be connected. + +recipes-extended/libvirt/libvirt/gnutls-help.py is provided to help generate +required keys and certificates. + +Usage: +gnutls-help.py [-a|--ca-info] <ca.info> [-b|--server-info] <server.info> [-c|--client-info] <client.info> +If ca.info or server.info or client.info is not provided, a corresponding sample file will be generated. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! "ip_address" field of server.info must be IP address of the server. !! +!! For more details, please refer to: !! +!! https://libvirt.org/remote.html#Remote_certificates !! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +Please deploy cacert.pem to CA and server and client /etc/pki/CA/cacert.pem +Please deploy serverkey.pem to server /etc/pki/libvirt/private/serverkey.pem +Please deploy servercert.pem to server /etc/pki/libvirt/servercert.pem +Please deploy clientkey.pem to client /etc/pki/libvirt/private/clientkey.pem +Please deploy clientcert.pem to client /etc/pki/libvirt/clientcert.pem" + +For more details please refer to libvirt official document, +https://libvirt.org/remote.html#Remote_certificates diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc b/external/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc index be9079d7..c5b0fbd2 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc @@ -1,11 +1,11 @@ -inherit pythonnative python-dir +inherit python3native python3-dir export STAGING_INCDIR export STAGING_LIBDIR export BUILD_SYS export HOST_SYS -RDEPENDS_${PN}-python += "python" +RDEPENDS_${PN}-python += "python3" PACKAGECONFIG_${PN}-python[xen] = ",,,xen-python" PACKAGES += "${PN}-python-staticdev ${PN}-python-dev ${PN}-python-dbg ${PN}-python" @@ -16,10 +16,9 @@ FILES_${PN}-python-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/" FILES_${PN}-python = "${bindir}/* ${libdir}/* ${libdir}/${PYTHON_DIR}/*" SRC_URI += "http://libvirt.org/sources/python/libvirt-python-${PV}.tar.gz;name=libvirt_python" -SRC_URI += "file://libvirt_api_xml_path.patch;patchdir=../libvirt-python-${PV}" -SRC_URI[libvirt_python.md5sum] = "32cf281199367aec2881c96d1bd80dc6" -SRC_URI[libvirt_python.sha256sum] = "e36fee5898de3550ed7e63d5d0a8447f9d78f06574634855dee59eae27930908" +SRC_URI[libvirt_python.md5sum] = "2834626b07da6ac4ca1559abfd55c118" +SRC_URI[libvirt_python.sha256sum] = "be644f4809c0e1d368e3ac065df3c66a26dcfe61ecb607ee9706e1799f22c35a" export LIBVIRT_API_PATH = "${S}/docs/libvirt-api.xml" export LIBVIRT_CFLAGS = "-I${S}/include" @@ -41,15 +40,23 @@ python __anonymous () { do_compile_append() { if [ "${LIBVIRT_PYTHON_ENABLE}" = "1" ]; then + # we need the python bindings to look into our source dir, not + # the syroot staged pkgconfig entries. So we clear the sysroot + # for just this portion. + export PKG_CONFIG_SYSROOT_DIR= cd ${WORKDIR}/${BPN}-python-${PV} && \ - ${STAGING_BINDIR_NATIVE}/python-native/python setup.py build + ${STAGING_BINDIR_NATIVE}/python3-native/python3 setup.py build fi } do_install_append() { if [ "${LIBVIRT_PYTHON_ENABLE}" = "1" ]; then + # we need the python bindings to look into our source dir, not + # the syroot staged pkgconfig entries. So we clear the sysroot + # for just this portion. + export PKG_CONFIG_SYSROOT_DIR= cd ${WORKDIR}/${BPN}-python-${PV} && \ - ${STAGING_BINDIR_NATIVE}/python-native/python setup.py install \ + ${STAGING_BINDIR_NATIVE}/python3-native/python3 setup.py install \ --install-lib=${D}/${PYTHON_SITEPACKAGES_DIR} ${LIBVIRT_INSTALL_ARGS} fi } diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-build-drop-unnecessary-libgnu.la-reference.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-build-drop-unnecessary-libgnu.la-reference.patch new file mode 100644 index 00000000..952e8eb0 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-build-drop-unnecessary-libgnu.la-reference.patch @@ -0,0 +1,33 @@ +From 4945576d6c5c7cc9a21a58aaa312829567af13db Mon Sep 17 00:00:00 2001 +From: Bruce Ashfield <bruce.ashfield@gmail.com> +Date: Sat, 7 Mar 2020 21:36:27 -0500 +Subject: [PATCH] build: drop unnecessary libgnu.la reference + +Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> +--- + tools/Makefile.am | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/Makefile.am b/tools/Makefile.am +index 2a0a989..93fe283 100644 +--- a/tools/Makefile.am ++++ b/tools/Makefile.am +@@ -168,7 +168,6 @@ virt_host_validate_LDADD = \ + + if WITH_GNUTLS + virt_host_validate_LDADD += ../src/libvirt-net-rpc.la \ +- ../gnulib/lib/libgnu.la \ + $(NULL) + endif + +@@ -270,7 +269,6 @@ BUILT_SOURCES = + + if WITH_GNUTLS + virsh_LDADD += ../src/libvirt-net-rpc.la \ +- ../gnulib/lib/libgnu.la \ + $(NULL) + endif + +-- +2.19.1 + diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch deleted file mode 100644 index 4413d5fb..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 33998cdd47300fc3ca6cb8f85714c149440b9c8b Mon Sep 17 00:00:00 2001 -From: Jiri Denemark <jdenemar@redhat.com> -Date: Fri, 5 Apr 2019 11:33:32 +0200 -Subject: [PATCH 01/11] cpu_x86: Do not cache microcode version -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The microcode version checks are used to invalidate cached CPU data we -get from QEMU. To minimize /proc/cpuinfo parsing the microcode version -was only read when libvirtd started and cached for the daemon's -lifetime. However, the CPU microcode can change anytime (updating the -microcode package can automatically upload it to the CPU) and we need to -stop caching it to avoid using stale CPU model data. - -Signed-off-by: Jiri Denemark <jdenemar@redhat.com> -Reviewed-by: Ján Tomko <jtomko@redhat.com> -(cherry picked from commit be46f613261d3b655a1f15afd635087e68a9c39b) - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/cpu/cpu_x86.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c -index cb27550..ce48ca6 100644 ---- a/src/cpu/cpu_x86.c -+++ b/src/cpu/cpu_x86.c -@@ -163,7 +163,6 @@ struct _virCPUx86Map { - }; - - static virCPUx86MapPtr cpuMap; --static unsigned int microcodeVersion; - - int virCPUx86DriverOnceInit(void); - VIR_ONCE_GLOBAL_INIT(virCPUx86Driver); -@@ -1331,8 +1330,6 @@ virCPUx86DriverOnceInit(void) - if (!(cpuMap = virCPUx86LoadMap())) - return -1; - -- microcodeVersion = virHostCPUGetMicrocodeVersion(); -- - return 0; - } - -@@ -2372,7 +2369,7 @@ virCPUx86GetHost(virCPUDefPtr cpu, - goto cleanup; - - ret = x86DecodeCPUData(cpu, cpuData, models); -- cpu->microcodeVersion = microcodeVersion; -+ cpu->microcodeVersion = virHostCPUGetMicrocodeVersion(); - - cleanup: - virCPUx86DataFree(cpuData); --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch index 217bdbc5..02e99ecd 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch @@ -1,4 +1,4 @@ -From ffc71da15c3da068f85d16617b6e0c0175fc0110 Mon Sep 17 00:00:00 2001 +From 1601c21b653bf2bea2547e5efcf1f3cbb8b73f65 Mon Sep 17 00:00:00 2001 From: He Zhe <zhe.he@windriver.com> Date: Tue, 23 Aug 2016 02:28:47 -0400 Subject: [PATCH] ptest: Remove Windows-1252 check from esxutilstest @@ -7,15 +7,16 @@ Currently we use iconv from glibc-locale and it does not support Windows-1252 and we don't need support windows character encoding. Signed-off-by: He Zhe <zhe.he@windriver.com> + --- tests/esxutilstest.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/esxutilstest.c b/tests/esxutilstest.c -index 44bdc84..3223de3 100644 +index 2e20200..6c57889 100644 --- a/tests/esxutilstest.c +++ b/tests/esxutilstest.c -@@ -258,7 +258,6 @@ mymain(void) +@@ -256,7 +256,6 @@ mymain(void) DO_TEST(ParseDatastorePath); DO_TEST(ConvertDateTimeToCalendarTime); DO_TEST(EscapeDatastoreItem); @@ -23,6 +24,3 @@ index 44bdc84..3223de3 100644 return result == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } --- -2.8.1 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-to-fix-build-error.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-to-fix-build-error.patch index c920139e..33231960 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-to-fix-build-error.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-to-fix-build-error.patch @@ -1,4 +1,4 @@ -From 8353dc1e642011199c3b3ba057d51d8768e4cd54 Mon Sep 17 00:00:00 2001 +From 7cf1d66c4b01c40b45b8a38370c7ffee46dfb10a Mon Sep 17 00:00:00 2001 From: Lei Maohui <leimaohui@cn.fujitsu.com> Date: Fri, 31 Jul 2015 03:17:07 +0900 Subject: [PATCH] to fix build error @@ -17,26 +17,27 @@ Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com> Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com> [MA: rebase to v4.3.0] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> + --- docs/Makefile.am | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/Makefile.am b/docs/Makefile.am -index 9620587..060a82b 100644 +index 61862c4..c259535 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am -@@ -183,7 +183,7 @@ EXTRA_DIST= \ - hvsupport.pl \ +@@ -360,7 +360,7 @@ EXTRA_DIST= \ + aclperms.htmlinc \ $(schema_DATA) -acl_generated = aclperms.htmlinc +acl.html:: $(srcdir)/aclperms.htmlinc - $(srcdir)/aclperms.htmlinc: $(top_srcdir)/src/access/viraccessperm.h \ - $(srcdir)/genaclperms.pl Makefile.am -@@ -247,8 +247,7 @@ MAINTAINERCLEANFILES += \ - %.png: %.fig - convert -rotate 90 $< $@ + aclperms.htmlinc: $(top_srcdir)/src/access/viraccessperm.h \ + $(top_srcdir)/scripts/genaclperms.py Makefile.am +@@ -426,8 +426,7 @@ manpages/%.html.in: manpages/%.rst + $(AM_V_GEN)$(MKDIR_P) `dirname $@` && \ + $(RST2HTML) --strict $< > $@ || { rm $@ && exit 1; } -%.html.tmp: %.html.in site.xsl subsite.xsl page.xsl \ - $(acl_generated) @@ -44,6 +45,3 @@ index 9620587..060a82b 100644 $(AM_V_GEN)name=`echo $@ | sed -e 's/.tmp//'`; \ dir=`dirname $@` ; \ if test "$$dir" = "."; \ --- -1.9.1 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch deleted file mode 100644 index 6d0f2986..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch +++ /dev/null @@ -1,155 +0,0 @@ -From d606ac113007901522dab6c4b3979686d43eaa87 Mon Sep 17 00:00:00 2001 -From: Jiri Denemark <jdenemar@redhat.com> -Date: Fri, 12 Apr 2019 21:21:05 +0200 -Subject: [PATCH 02/11] qemu: Don't cache microcode version -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -My earlier commit be46f61326 was incomplete. It removed caching of -microcode version in the CPU driver, which means the capabilities XML -will see the correct microcode version. But it is also cached in the -QEMU capabilities cache where it is used to detect whether we need to -reprobe QEMU. By missing the second place, the original commit -be46f61326 made the situation even worse since libvirt would report -correct microcode version while still using the old host CPU model -(visible in domain capabilities XML). - -Signed-off-by: Jiri Denemark <jdenemar@redhat.com> -Reviewed-by: Ján Tomko <jtomko@redhat.com> -(cherry picked from commit 673c62a3b7855a0685d8f116e227c402720b9ee9) - -Conflicts: - src/qemu/qemu_capabilities.c - - virQEMUCapsCacheLookupByArch refactoring (commits - 7948ad4129a and 1a3de67001c) are missing - -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/qemu/qemu_capabilities.c | 12 ++++++++---- - src/qemu/qemu_capabilities.h | 3 +-- - src/qemu/qemu_driver.c | 9 +-------- - tests/testutilsqemu.c | 2 +- - 4 files changed, 11 insertions(+), 15 deletions(-) - -diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c -index a075677..eaf369f 100644 ---- a/src/qemu/qemu_capabilities.c -+++ b/src/qemu/qemu_capabilities.c -@@ -4700,7 +4700,7 @@ virQEMUCapsNewData(const char *binary, - priv->libDir, - priv->runUid, - priv->runGid, -- priv->microcodeVersion, -+ virHostCPUGetMicrocodeVersion(), - priv->kernelVersion); - } - -@@ -4783,8 +4783,7 @@ virFileCachePtr - virQEMUCapsCacheNew(const char *libDir, - const char *cacheDir, - uid_t runUid, -- gid_t runGid, -- unsigned int microcodeVersion) -+ gid_t runGid) - { - char *capsCacheDir = NULL; - virFileCachePtr cache = NULL; -@@ -4808,7 +4807,6 @@ virQEMUCapsCacheNew(const char *libDir, - - priv->runUid = runUid; - priv->runGid = runGid; -- priv->microcodeVersion = microcodeVersion; - - if (uname(&uts) == 0 && - virAsprintf(&priv->kernelVersion, "%s %s", uts.release, uts.version) < 0) -@@ -4829,8 +4827,11 @@ virQEMUCapsPtr - virQEMUCapsCacheLookup(virFileCachePtr cache, - const char *binary) - { -+ virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache); - virQEMUCapsPtr ret = NULL; - -+ priv->microcodeVersion = virHostCPUGetMicrocodeVersion(); -+ - ret = virFileCacheLookup(cache, binary); - - VIR_DEBUG("Returning caps %p for %s", ret, binary); -@@ -4876,10 +4877,13 @@ virQEMUCapsPtr - virQEMUCapsCacheLookupByArch(virFileCachePtr cache, - virArch arch) - { -+ virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache); - virQEMUCapsPtr ret = NULL; - virArch target; - struct virQEMUCapsSearchData data = { .arch = arch }; - -+ priv->microcodeVersion = virHostCPUGetMicrocodeVersion(); -+ - ret = virFileCacheLookupByFunc(cache, virQEMUCapsCompareArch, &data); - if (!ret) { - /* If the first attempt at finding capabilities has failed, try -diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h -index 3d3a978..956babc 100644 ---- a/src/qemu/qemu_capabilities.h -+++ b/src/qemu/qemu_capabilities.h -@@ -574,8 +574,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps, - virFileCachePtr virQEMUCapsCacheNew(const char *libDir, - const char *cacheDir, - uid_t uid, -- gid_t gid, -- unsigned int microcodeVersion); -+ gid_t gid); - virQEMUCapsPtr virQEMUCapsCacheLookup(virFileCachePtr cache, - const char *binary); - virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache, -diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c -index a0f7c71..75f8699 100644 ---- a/src/qemu/qemu_driver.c -+++ b/src/qemu/qemu_driver.c -@@ -592,8 +592,6 @@ qemuStateInitialize(bool privileged, - char *hugepagePath = NULL; - char *memoryBackingPath = NULL; - size_t i; -- virCPUDefPtr hostCPU = NULL; -- unsigned int microcodeVersion = 0; - - if (VIR_ALLOC(qemu_driver) < 0) - return -1; -@@ -813,15 +811,10 @@ qemuStateInitialize(bool privileged, - run_gid = cfg->group; - } - -- if ((hostCPU = virCPUProbeHost(virArchFromHost()))) -- microcodeVersion = hostCPU->microcodeVersion; -- virCPUDefFree(hostCPU); -- - qemu_driver->qemuCapsCache = virQEMUCapsCacheNew(cfg->libDir, - cfg->cacheDir, - run_uid, -- run_gid, -- microcodeVersion); -+ run_gid); - if (!qemu_driver->qemuCapsCache) - goto error; - -diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c -index 8438613..4e53f03 100644 ---- a/tests/testutilsqemu.c -+++ b/tests/testutilsqemu.c -@@ -707,7 +707,7 @@ int qemuTestDriverInit(virQEMUDriver *driver) - - /* Using /dev/null for libDir and cacheDir automatically produces errors - * upon attempt to use any of them */ -- driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0, 0); -+ driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0); - if (!driver->qemuCapsCache) - goto error; - --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch deleted file mode 100644 index 45f51d4a..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch +++ /dev/null @@ -1,894 +0,0 @@ -From b15a3c9f9bd24d12082b5a6ea505eb3ea48137cb Mon Sep 17 00:00:00 2001 -From: Jiri Denemark <jdenemar@redhat.com> -Date: Fri, 5 Apr 2019 11:19:30 +0200 -Subject: [PATCH 03/11] cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Jiri Denemark <jdenemar@redhat.com> -(cherry picked from commit 5cd9db3ac11e88846cbcf95fad9f6fae9d880dee) - -CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 - -Conflicts: - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml - - intel-pt feature is missing - - stibp feature is missing - -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> - -Upstream-Status: Backport - -CVE: CVE-2018-12126 -CVE: CVE-2018-12127 -CVE: CVE-2018-12130 -CVE: CVE-2019-11091 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - tests/cputest.c | 1 + - .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml | 7 + - .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 8 + - .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 26 + - .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 27 + - .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 10 + - .../cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json | 652 +++++++++++++++++++++ - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig | 4 + - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml | 47 ++ - 9 files changed, 782 insertions(+) - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig - create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml - -diff --git a/tests/cputest.c b/tests/cputest.c -index baf2b3c..fbb2a86 100644 ---- a/tests/cputest.c -+++ b/tests/cputest.c -@@ -1190,6 +1190,7 @@ mymain(void) - DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST); - DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST); - DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE); -+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1225-v5", JSON_MODELS); - DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1245-v5", JSON_MODELS); - DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2609-v3", JSON_MODELS); - DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2623-v4", JSON_MODELS); -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml -new file mode 100644 -index 0000000..ce51903 ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml -@@ -0,0 +1,7 @@ -+<!-- Features disabled by QEMU --> -+<cpudata arch='x86'> -+ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x0800c1fc' edx='0xb0600000'/> -+ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x02000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/> -+</cpudata> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml -new file mode 100644 -index 0000000..0deca9f ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml -@@ -0,0 +1,8 @@ -+<!-- Features enabled by QEMU --> -+<cpudata arch='x86'> -+ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/> -+ <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> -+</cpudata> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml -new file mode 100644 -index 0000000..993db80 ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml -@@ -0,0 +1,26 @@ -+<cpu mode='custom' match='exact'> -+ <model fallback='forbid'>Skylake-Client-IBRS</model> -+ <vendor>Intel</vendor> -+ <feature policy='require' name='ds'/> -+ <feature policy='require' name='acpi'/> -+ <feature policy='require' name='ss'/> -+ <feature policy='require' name='ht'/> -+ <feature policy='require' name='tm'/> -+ <feature policy='require' name='pbe'/> -+ <feature policy='require' name='dtes64'/> -+ <feature policy='require' name='monitor'/> -+ <feature policy='require' name='ds_cpl'/> -+ <feature policy='require' name='vmx'/> -+ <feature policy='require' name='smx'/> -+ <feature policy='require' name='est'/> -+ <feature policy='require' name='tm2'/> -+ <feature policy='require' name='xtpr'/> -+ <feature policy='require' name='pdcm'/> -+ <feature policy='require' name='osxsave'/> -+ <feature policy='require' name='tsc_adjust'/> -+ <feature policy='require' name='clflushopt'/> -+ <feature policy='require' name='ssbd'/> -+ <feature policy='require' name='xsaves'/> -+ <feature policy='require' name='pdpe1gb'/> -+ <feature policy='require' name='invtsc'/> -+</cpu> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml -new file mode 100644 -index 0000000..074a39b ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml -@@ -0,0 +1,27 @@ -+<cpu> -+ <arch>x86_64</arch> -+ <model>Skylake-Client-IBRS</model> -+ <vendor>Intel</vendor> -+ <feature name='ds'/> -+ <feature name='acpi'/> -+ <feature name='ss'/> -+ <feature name='ht'/> -+ <feature name='tm'/> -+ <feature name='pbe'/> -+ <feature name='dtes64'/> -+ <feature name='monitor'/> -+ <feature name='ds_cpl'/> -+ <feature name='vmx'/> -+ <feature name='smx'/> -+ <feature name='est'/> -+ <feature name='tm2'/> -+ <feature name='xtpr'/> -+ <feature name='pdcm'/> -+ <feature name='osxsave'/> -+ <feature name='tsc_adjust'/> -+ <feature name='clflushopt'/> -+ <feature name='ssbd'/> -+ <feature name='xsaves'/> -+ <feature name='pdpe1gb'/> -+ <feature name='invtsc'/> -+</cpu> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml -new file mode 100644 -index 0000000..1984bd4 ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml -@@ -0,0 +1,10 @@ -+<cpu mode='custom' match='exact'> -+ <model fallback='forbid'>Skylake-Client-IBRS</model> -+ <vendor>Intel</vendor> -+ <feature policy='require' name='ss'/> -+ <feature policy='require' name='hypervisor'/> -+ <feature policy='require' name='tsc_adjust'/> -+ <feature policy='require' name='clflushopt'/> -+ <feature policy='require' name='ssbd'/> -+ <feature policy='require' name='pdpe1gb'/> -+</cpu> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json -new file mode 100644 -index 0000000..0847475 ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json -@@ -0,0 +1,652 @@ -+{ -+ "return": { -+ "model": { -+ "name": "base", -+ "props": { -+ "phys-bits": 0, -+ "core-id": -1, -+ "xlevel": 2147483656, -+ "cmov": true, -+ "ia64": false, -+ "aes": true, -+ "mmx": true, -+ "rdpid": false, -+ "arat": true, -+ "gfni": false, -+ "pause-filter": false, -+ "xsavec": true, -+ "intel-pt": false, -+ "osxsave": false, -+ "hv-frequencies": false, -+ "tsc-frequency": 0, -+ "xd": true, -+ "hv-vendor-id": "", -+ "kvm-asyncpf": true, -+ "kvm_asyncpf": true, -+ "perfctr_core": false, -+ "perfctr-core": false, -+ "mpx": true, -+ "pbe": false, -+ "decodeassists": false, -+ "avx512cd": false, -+ "sse4_1": true, -+ "sse4.1": true, -+ "sse4-1": true, -+ "family": 6, -+ "legacy-cache": true, -+ "vmware-cpuid-freq": true, -+ "avx512f": false, -+ "msr": true, -+ "mce": true, -+ "mca": true, -+ "hv-runtime": false, -+ "xcrypt": false, -+ "thread-id": -1, -+ "min-level": 13, -+ "xgetbv1": true, -+ "cid": false, -+ "hv-relaxed": false, -+ "hv-crash": false, -+ "ds": false, -+ "fxsr": true, -+ "xsaveopt": true, -+ "xtpr": false, -+ "avx512vl": false, -+ "avx512-vpopcntdq": false, -+ "phe": false, -+ "extapic": false, -+ "3dnowprefetch": true, -+ "avx512vbmi2": false, -+ "cr8legacy": false, -+ "stibp": true, -+ "cpuid-0xb": true, -+ "xcrypt-en": false, -+ "kvm_pv_eoi": true, -+ "apic-id": 4294967295, -+ "pn": false, -+ "dca": false, -+ "vendor": "GenuineIntel", -+ "pku": false, -+ "smx": false, -+ "cmp_legacy": false, -+ "cmp-legacy": false, -+ "node-id": -1, -+ "avx512-4fmaps": false, -+ "vmcb_clean": false, -+ "vmcb-clean": false, -+ "3dnowext": false, -+ "hle": true, -+ "npt": false, -+ "memory": "/machine/unattached/system[0]", -+ "clwb": false, -+ "lbrv": false, -+ "adx": true, -+ "ss": true, -+ "pni": true, -+ "svm_lock": false, -+ "svm-lock": false, -+ "pfthreshold": false, -+ "smep": true, -+ "smap": true, -+ "x2apic": true, -+ "avx512vbmi": false, -+ "avx512vnni": false, -+ "hv-stimer": false, -+ "i64": true, -+ "flushbyasid": false, -+ "f16c": true, -+ "ace2-en": false, -+ "pat": true, -+ "pae": true, -+ "sse": true, -+ "phe-en": false, -+ "kvm_nopiodelay": true, -+ "kvm-nopiodelay": true, -+ "tm": false, -+ "kvmclock-stable-bit": true, -+ "hypervisor": true, -+ "socket-id": -1, -+ "pcommit": false, -+ "syscall": true, -+ "level": 13, -+ "avx512dq": false, -+ "svm": false, -+ "full-cpuid-auto-level": true, -+ "hv-reset": false, -+ "invtsc": false, -+ "sse3": true, -+ "sse2": true, -+ "ssbd": true, -+ "est": false, -+ "avx512ifma": false, -+ "tm2": false, -+ "kvm-pv-eoi": true, -+ "cx8": true, -+ "kvm_mmu": false, -+ "kvm-mmu": false, -+ "sse4_2": true, -+ "sse4.2": true, -+ "sse4-2": true, -+ "pge": true, -+ "fill-mtrr-mask": true, -+ "avx512bitalg": false, -+ "nodeid_msr": false, -+ "pdcm": false, -+ "movbe": true, -+ "model": 94, -+ "nrip_save": false, -+ "nrip-save": false, -+ "kvm_pv_unhalt": true, -+ "ssse3": true, -+ "sse4a": false, -+ "invpcid": true, -+ "pdpe1gb": true, -+ "tsc-deadline": true, -+ "fma": true, -+ "cx16": true, -+ "de": true, -+ "enforce": false, -+ "stepping": 3, -+ "xsave": true, -+ "clflush": true, -+ "skinit": false, -+ "tsc": true, -+ "tce": false, -+ "fpu": true, -+ "ibs": false, -+ "ds_cpl": false, -+ "ds-cpl": false, -+ "host-phys-bits": true, -+ "fma4": false, -+ "la57": false, -+ "osvw": false, -+ "check": true, -+ "hv-spinlocks": -1, -+ "pmu": false, -+ "pmm": false, -+ "apic": true, -+ "spec-ctrl": true, -+ "min-xlevel2": 0, -+ "tsc-adjust": true, -+ "tsc_adjust": true, -+ "kvm-steal-time": true, -+ "kvm_steal_time": true, -+ "kvmclock": true, -+ "l3-cache": true, -+ "lwp": false, -+ "ibpb": false, -+ "xop": false, -+ "avx": true, -+ "ospke": false, -+ "ace2": false, -+ "avx512bw": false, -+ "acpi": false, -+ "hv-vapic": false, -+ "fsgsbase": true, -+ "ht": false, -+ "nx": true, -+ "pclmulqdq": true, -+ "mmxext": false, -+ "vaes": false, -+ "popcnt": true, -+ "xsaves": false, -+ "tcg-cpuid": true, -+ "lm": true, -+ "umip": false, -+ "pse": true, -+ "avx2": true, -+ "sep": true, -+ "pclmuldq": true, -+ "virt-ssbd": false, -+ "x-hv-max-vps": -1, -+ "nodeid-msr": false, -+ "md-clear": true, -+ "kvm": true, -+ "misalignsse": false, -+ "min-xlevel": 2147483656, -+ "kvm-pv-unhalt": true, -+ "bmi2": true, -+ "bmi1": true, -+ "realized": false, -+ "tsc_scale": false, -+ "tsc-scale": false, -+ "topoext": false, -+ "hv-vpindex": false, -+ "xlevel2": 0, -+ "clflushopt": true, -+ "kvm-no-smi-migration": false, -+ "monitor": false, -+ "avx512er": false, -+ "pmm-en": false, -+ "pcid": true, -+ "3dnow": false, -+ "erms": true, -+ "lahf-lm": true, -+ "lahf_lm": true, -+ "vpclmulqdq": false, -+ "fxsr-opt": false, -+ "hv-synic": false, -+ "xstore": false, -+ "fxsr_opt": false, -+ "kvm-hint-dedicated": false, -+ "rtm": true, -+ "lmce": true, -+ "hv-time": false, -+ "perfctr-nb": false, -+ "perfctr_nb": false, -+ "ffxsr": false, -+ "rdrand": true, -+ "rdseed": true, -+ "avx512-4vnniw": false, -+ "vmx": false, -+ "vme": true, -+ "dtes64": false, -+ "mtrr": true, -+ "rdtscp": true, -+ "pse36": true, -+ "kvm-pv-tlb-flush": false, -+ "tbm": false, -+ "wdt": false, -+ "pause_filter": false, -+ "sha-ni": false, -+ "model-id": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz", -+ "abm": true, -+ "avx512pf": false, -+ "xstore-en": false -+ } -+ } -+ }, -+ "id": "model-expansion" -+} -+ -+{ -+ "return": [ -+ { -+ "name": "max", -+ "typename": "max-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": false -+ }, -+ { -+ "name": "host", -+ "typename": "host-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": false -+ }, -+ { -+ "name": "base", -+ "typename": "base-x86_64-cpu", -+ "unavailable-features": [], -+ "static": true, -+ "migration-safe": true -+ }, -+ { -+ "name": "qemu64", -+ "typename": "qemu64-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "qemu32", -+ "typename": "qemu32-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "phenom", -+ "typename": "phenom-x86_64-cpu", -+ "unavailable-features": [ -+ "mmxext", -+ "fxsr-opt", -+ "3dnowext", -+ "3dnow", -+ "sse4a", -+ "npt" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "pentium3", -+ "typename": "pentium3-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "pentium2", -+ "typename": "pentium2-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "pentium", -+ "typename": "pentium-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "n270", -+ "typename": "n270-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "kvm64", -+ "typename": "kvm64-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "kvm32", -+ "typename": "kvm32-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "cpu64-rhel6", -+ "typename": "cpu64-rhel6-x86_64-cpu", -+ "unavailable-features": [ -+ "sse4a" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "coreduo", -+ "typename": "coreduo-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "core2duo", -+ "typename": "core2duo-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "athlon", -+ "typename": "athlon-x86_64-cpu", -+ "unavailable-features": [ -+ "mmxext", -+ "3dnowext", -+ "3dnow" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Westmere", -+ "typename": "Westmere-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Westmere-IBRS", -+ "typename": "Westmere-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Skylake-Server", -+ "typename": "Skylake-Server-x86_64-cpu", -+ "unavailable-features": [ -+ "avx512f", -+ "avx512dq", -+ "clwb", -+ "avx512cd", -+ "avx512bw", -+ "avx512vl", -+ "avx512f", -+ "avx512f", -+ "avx512f" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Skylake-Server-IBRS", -+ "typename": "Skylake-Server-IBRS-x86_64-cpu", -+ "unavailable-features": [ -+ "avx512f", -+ "avx512dq", -+ "clwb", -+ "avx512cd", -+ "avx512bw", -+ "avx512vl", -+ "avx512f", -+ "avx512f", -+ "avx512f" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Skylake-Client", -+ "typename": "Skylake-Client-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Skylake-Client-IBRS", -+ "typename": "Skylake-Client-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "SandyBridge", -+ "typename": "SandyBridge-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "SandyBridge-IBRS", -+ "typename": "SandyBridge-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Penryn", -+ "typename": "Penryn-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Opteron_G5", -+ "typename": "Opteron_G5-x86_64-cpu", -+ "unavailable-features": [ -+ "sse4a", -+ "misalignsse", -+ "xop", -+ "fma4", -+ "tbm" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Opteron_G4", -+ "typename": "Opteron_G4-x86_64-cpu", -+ "unavailable-features": [ -+ "sse4a", -+ "misalignsse", -+ "xop", -+ "fma4" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Opteron_G3", -+ "typename": "Opteron_G3-x86_64-cpu", -+ "unavailable-features": [ -+ "sse4a", -+ "misalignsse" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Opteron_G2", -+ "typename": "Opteron_G2-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Opteron_G1", -+ "typename": "Opteron_G1-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Nehalem", -+ "typename": "Nehalem-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Nehalem-IBRS", -+ "typename": "Nehalem-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "IvyBridge", -+ "typename": "IvyBridge-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "IvyBridge-IBRS", -+ "typename": "IvyBridge-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Haswell", -+ "typename": "Haswell-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Haswell-noTSX", -+ "typename": "Haswell-noTSX-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Haswell-noTSX-IBRS", -+ "typename": "Haswell-noTSX-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Haswell-IBRS", -+ "typename": "Haswell-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "EPYC", -+ "typename": "EPYC-x86_64-cpu", -+ "unavailable-features": [ -+ "sha-ni", -+ "mmxext", -+ "fxsr-opt", -+ "cr8legacy", -+ "sse4a", -+ "misalignsse", -+ "osvw" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "EPYC-IBPB", -+ "typename": "EPYC-IBPB-x86_64-cpu", -+ "unavailable-features": [ -+ "sha-ni", -+ "mmxext", -+ "fxsr-opt", -+ "cr8legacy", -+ "sse4a", -+ "misalignsse", -+ "osvw", -+ "ibpb" -+ ], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Conroe", -+ "typename": "Conroe-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Broadwell", -+ "typename": "Broadwell-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Broadwell-noTSX", -+ "typename": "Broadwell-noTSX-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Broadwell-noTSX-IBRS", -+ "typename": "Broadwell-noTSX-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "Broadwell-IBRS", -+ "typename": "Broadwell-IBRS-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ }, -+ { -+ "name": "486", -+ "typename": "486-x86_64-cpu", -+ "unavailable-features": [], -+ "static": false, -+ "migration-safe": true -+ } -+ ], -+ "id": "definitions" -+} -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig -new file mode 100644 -index 0000000..7e57c2d ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig -@@ -0,0 +1,4 @@ -+0506e3 -+family: 6 (0x06) -+model: 94 (0x5e) -+stepping: 3 (0x03) -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml -new file mode 100644 -index 0000000..437429d ---- /dev/null -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml -@@ -0,0 +1,47 @@ -+<!-- Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz --> -+<cpudata arch='x86'> -+ <cpuid eax_in='0x00000000' ecx_in='0x00' eax='0x00000016' ebx='0x756e6547' ecx='0x6c65746e' edx='0x49656e69'/> -+ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x000506e3' ebx='0x06100800' ecx='0x7ffafbff' edx='0xbfebfbff'/> -+ <cpuid eax_in='0x00000002' ecx_in='0x00' eax='0x76036301' ebx='0x00f0b6ff' ecx='0x00000000' edx='0x00c30000'/> -+ <cpuid eax_in='0x00000003' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000004' ecx_in='0x00' eax='0x1c004121' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/> -+ <cpuid eax_in='0x00000004' ecx_in='0x01' eax='0x1c004122' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/> -+ <cpuid eax_in='0x00000004' ecx_in='0x02' eax='0x1c004143' ebx='0x00c0003f' ecx='0x000003ff' edx='0x00000000'/> -+ <cpuid eax_in='0x00000004' ecx_in='0x03' eax='0x1c03c163' ebx='0x03c0003f' ecx='0x00001fff' edx='0x00000006'/> -+ <cpuid eax_in='0x00000005' ecx_in='0x00' eax='0x00000040' ebx='0x00000040' ecx='0x00000003' edx='0x00142120'/> -+ <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x000027f7' ebx='0x00000002' ecx='0x00000009' edx='0x00000000'/> -+ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x029c6fbf' ecx='0x00000000' edx='0x9c002400'/> -+ <cpuid eax_in='0x00000008' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000009' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000a' ecx_in='0x00' eax='0x07300804' ebx='0x00000000' ecx='0x00000000' edx='0x00000603'/> -+ <cpuid eax_in='0x0000000b' ecx_in='0x00' eax='0x00000001' ebx='0x00000001' ecx='0x00000100' edx='0x00000006'/> -+ <cpuid eax_in='0x0000000b' ecx_in='0x01' eax='0x00000004' ebx='0x00000004' ecx='0x00000201' edx='0x00000006'/> -+ <cpuid eax_in='0x0000000c' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x00' eax='0x0000001f' ebx='0x00000440' ecx='0x00000440' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x000003c0' ecx='0x00000100' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x02' eax='0x00000100' ebx='0x00000240' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x03' eax='0x00000040' ebx='0x000003c0' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x04' eax='0x00000040' ebx='0x00000400' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000d' ecx_in='0x08' eax='0x00000080' ebx='0x00000000' ecx='0x00000001' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000e' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x0000000f' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000010' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000011' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000012' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000013' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000014' ecx_in='0x00' eax='0x00000001' ebx='0x0000000f' ecx='0x00000007' edx='0x00000000'/> -+ <cpuid eax_in='0x00000014' ecx_in='0x01' eax='0x02490002' ebx='0x003f3fff' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000015' ecx_in='0x00' eax='0x00000002' ebx='0x00000114' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x00000016' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> -+ <cpuid eax_in='0x80000000' ecx_in='0x00' eax='0x80000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> -+ <cpuid eax_in='0x80000002' ecx_in='0x00' eax='0x65746e49' ebx='0x2952286c' ecx='0x6f655820' edx='0x2952286e'/> -+ <cpuid eax_in='0x80000003' ecx_in='0x00' eax='0x55504320' ebx='0x2d334520' ecx='0x35323231' edx='0x20357620'/> -+ <cpuid eax_in='0x80000004' ecx_in='0x00' eax='0x2e332040' ebx='0x48473033' ecx='0x0000007a' edx='0x00000000'/> -+ <cpuid eax_in='0x80000005' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x80000006' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x01006040' edx='0x00000000'/> -+ <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/> -+ <cpuid eax_in='0x80000008' ecx_in='0x00' eax='0x00003027' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -+ <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> -+ <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> -+</cpudata> --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch deleted file mode 100644 index b39e8662..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch +++ /dev/null @@ -1,116 +0,0 @@ -From c811c618c114c4a6493ede602bdca22d33c1972a Mon Sep 17 00:00:00 2001 -From: Jiri Denemark <jdenemar@redhat.com> -Date: Tue, 9 Apr 2019 12:35:52 +0200 -Subject: [PATCH 04/11] cpu_map: Define md-clear CPUID bit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 - -The bit is set when microcode provides the mechanism to invoke a flush -of various exploitable CPU buffers by invoking the VERW instruction. - -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Jiri Denemark <jdenemar@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85) - -Conflicts: - src/cpu_map/x86_features.xml - - missing pconfig feature - - tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml - tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml - - test data missing downstream - - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml - - intel-pt feature is missing - - stibp feature is missing - -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> - -Upstream-Status: Backport - -CVE: CVE-2018-12126 -CVE: CVE-2018-12127 -CVE: CVE-2018-12130 -CVE: CVE-2019-11091 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/cpu_map/x86_features.xml | 3 +++ - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +- - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 + - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 1 + - tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 1 + - 5 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml -index 109c653..c8ae540 100644 ---- a/src/cpu_map/x86_features.xml -+++ b/src/cpu_map/x86_features.xml -@@ -290,6 +290,9 @@ - <feature name='avx512-4fmaps'> - <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/> - </feature> -+ <feature name='md-clear'> <!-- md_clear --> -+ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/> -+ </feature> - <feature name='spec-ctrl'> - <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/> - </feature> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml -index 0deca9f..74763a4 100644 ---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml -@@ -2,7 +2,7 @@ - <cpudata arch='x86'> - <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/> - <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> -- <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/> -+ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/> - <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> - <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> - </cpudata> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml -index 993db80..29c1fdb 100644 ---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml -@@ -19,6 +19,7 @@ - <feature policy='require' name='osxsave'/> - <feature policy='require' name='tsc_adjust'/> - <feature policy='require' name='clflushopt'/> -+ <feature policy='require' name='md-clear'/> - <feature policy='require' name='ssbd'/> - <feature policy='require' name='xsaves'/> - <feature policy='require' name='pdpe1gb'/> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml -index 074a39b..2003ca9 100644 ---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml -@@ -20,6 +20,7 @@ - <feature name='osxsave'/> - <feature name='tsc_adjust'/> - <feature name='clflushopt'/> -+ <feature name='md-clear'/> - <feature name='ssbd'/> - <feature name='xsaves'/> - <feature name='pdpe1gb'/> -diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml -index 1984bd4..d6529c5 100644 ---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml -+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml -@@ -5,6 +5,7 @@ - <feature policy='require' name='hypervisor'/> - <feature policy='require' name='tsc_adjust'/> - <feature policy='require' name='clflushopt'/> -+ <feature policy='require' name='md-clear'/> - <feature policy='require' name='ssbd'/> - <feature policy='require' name='pdpe1gb'/> - </cpu> --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch deleted file mode 100644 index 11c1c5df..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch +++ /dev/null @@ -1,63 +0,0 @@ -From dfd22fc50f8f268b9810d2ef21adada021f740eb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Tue, 30 Apr 2019 17:26:13 +0100 -Subject: [PATCH 05/11] admin: reject clients unless their UID matches the - current UID -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The admin protocol RPC messages are only intended for use by the user -running the daemon. As such they should not be allowed for any client -UID that does not match the server UID. - -Fixes CVE-2019-10132 - -Reviewed-by: Ján Tomko <jtomko@redhat.com> -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) - -Upstream-Status: Backport -CVE: CVE-2019-10132 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c -index b78ff90..9f25813 100644 ---- a/src/admin/admin_server_dispatch.c -+++ b/src/admin/admin_server_dispatch.c -@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, - void *opaque) - { - struct daemonAdmClientPrivate *priv; -+ uid_t clientuid; -+ gid_t clientgid; -+ pid_t clientpid; -+ unsigned long long timestamp; -+ -+ if (virNetServerClientGetUNIXIdentity(client, -+ &clientuid, -+ &clientgid, -+ &clientpid, -+ ×tamp) < 0) -+ return NULL; -+ -+ VIR_DEBUG("New client pid %lld uid %lld", -+ (long long)clientpid, -+ (long long)clientuid); -+ -+ if (geteuid() != clientuid) { -+ virReportRestrictedError(_("Disallowing client %lld with uid %lld"), -+ (long long)clientpid, -+ (long long)clientuid); -+ return NULL; -+ } - - if (VIR_ALLOC(priv) < 0) - return NULL; --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch deleted file mode 100644 index 860c1e53..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 54005b84b0165b62b2ef88c7df229bddbaa29e76 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Tue, 30 Apr 2019 16:51:37 +0100 -Subject: [PATCH 06/11] locking: restrict sockets to mode 0600 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virtlockd daemon's only intended client is the libvirtd daemon. As -such it should never allow clients from other user accounts to connect. -The code already enforces this and drops clients from other UIDs, but -we can get earlier (and thus stronger) protection against DoS by setting -the socket permissions to 0600 - -Fixes CVE-2019-10132 - -Reviewed-by: Ján Tomko <jtomko@redhat.com> -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1) - -Upstream-Status: Backport -CVE: CVE-2019-10132 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/locking/virtlockd-admin.socket.in | 1 + - src/locking/virtlockd.socket.in | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in -index 2a7500f..f674c49 100644 ---- a/src/locking/virtlockd-admin.socket.in -+++ b/src/locking/virtlockd-admin.socket.in -@@ -5,6 +5,7 @@ Before=libvirtd.service - [Socket] - ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock - Service=virtlockd.service -+SocketMode=0600 - - [Install] - WantedBy=sockets.target -diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in -index 45e0f20..d701b27 100644 ---- a/src/locking/virtlockd.socket.in -+++ b/src/locking/virtlockd.socket.in -@@ -4,6 +4,7 @@ Before=libvirtd.service - - [Socket] - ListenStream=@localstatedir@/run/libvirt/virtlockd-sock -+SocketMode=0600 - - [Install] - WantedBy=sockets.target --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch deleted file mode 100644 index ddd0740e..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 030fdf57255f97289a407529194bf26c77548acb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Tue, 30 Apr 2019 17:27:41 +0100 -Subject: [PATCH 07/11] logging: restrict sockets to mode 0600 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virtlogd daemon's only intended client is the libvirtd daemon. As -such it should never allow clients from other user accounts to connect. -The code already enforces this and drops clients from other UIDs, but -we can get earlier (and thus stronger) protection against DoS by setting -the socket permissions to 0600 - -Fixes CVE-2019-10132 - -Reviewed-by: Ján Tomko <jtomko@redhat.com> -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f) - -Upstream-Status: Backport -CVE: CVE-2019-10132 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/logging/virtlogd-admin.socket.in | 1 + - src/logging/virtlogd.socket.in | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in -index 595e6c4..5c41dfe 100644 ---- a/src/logging/virtlogd-admin.socket.in -+++ b/src/logging/virtlogd-admin.socket.in -@@ -5,6 +5,7 @@ Before=libvirtd.service - [Socket] - ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock - Service=virtlogd.service -+SocketMode=0600 - - [Install] - WantedBy=sockets.target -diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in -index 22b9360..ae48cda 100644 ---- a/src/logging/virtlogd.socket.in -+++ b/src/logging/virtlogd.socket.in -@@ -4,6 +4,7 @@ Before=libvirtd.service - - [Socket] - ListenStream=@localstatedir@/run/libvirt/virtlogd-sock -+SocketMode=0600 - - [Install] - WantedBy=sockets.target --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch deleted file mode 100644 index 118ece4c..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 3352c8af264a7b9b741208790ecca0bbc6733f42 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> -Date: Fri, 14 Jun 2019 08:47:42 +0200 -Subject: [PATCH 08/11] api: disallow virDomainSaveImageGetXMLDesc on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virDomainSaveImageGetXMLDesc API is taking a path parameter, -which can point to any path on the system. This file will then be -read and parsed by libvirtd running with root privileges. - -Forbid it on read-only connections. - -Fixes: CVE-2019-10161 -Reported-by: Matthias Gerstner <mgerstner@suse.de> -Signed-off-by: Ján Tomko <jtomko@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) -Signed-off-by: Ján Tomko <jtomko@redhat.com> - -Conflicts: - src/libvirt-domain.c - src/remote/remote_protocol.x - -Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE -alias for VIR_DOMAIN_XML_SECURE is not backported. -Just skip the commit since we now disallow the whole API on read-only -connections, regardless of the flag. - -Signed-off-by: Ján Tomko <jtomko@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2019-10161 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/libvirt-domain.c | 11 ++--------- - src/qemu/qemu_driver.c | 2 +- - src/remote/remote_protocol.x | 3 +-- - 3 files changed, 4 insertions(+), 12 deletions(-) - -Index: libvirt-4.7.0/src/libvirt-domain.c -=================================================================== ---- libvirt-4.7.0.orig/src/libvirt-domain.c -+++ libvirt-4.7.0/src/libvirt-domain.c -@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn - * previously by virDomainSave() or virDomainSaveFlags(). - * - * No security-sensitive data will be included unless @flags contains -- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only -- * connections. For this API, @flags should not contain either -- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. -+ * VIR_DOMAIN_XML_SECURE. - * - * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of - * error. The caller must free() the returned value. -@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP - - virCheckConnectReturn(conn, NULL); - virCheckNonNullArgGoto(file, error); -- -- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { -- virReportError(VIR_ERR_OPERATION_DENIED, "%s", -- _("virDomainSaveImageGetXMLDesc with secure flag")); -- goto error; -- } -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->domainSaveImageGetXMLDesc) { - char *ret; -Index: libvirt-4.7.0/src/qemu/qemu_driver.c -=================================================================== ---- libvirt-4.7.0.orig/src/qemu/qemu_driver.c -+++ libvirt-4.7.0/src/qemu/qemu_driver.c -@@ -6791,7 +6791,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect - if (fd < 0) - goto cleanup; - -- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) -+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) - goto cleanup; - - ret = qemuDomainDefFormatXML(driver, def, flags); -Index: libvirt-4.7.0/src/remote/remote_protocol.x -=================================================================== ---- libvirt-4.7.0.orig/src/remote/remote_protocol.x -+++ libvirt-4.7.0/src/remote/remote_protocol.x -@@ -5226,8 +5226,7 @@ enum remote_procedure { - /** - * @generate: both - * @priority: high -- * @acl: domain:read -- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE -+ * @acl: domain:write - */ - REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch deleted file mode 100644 index 12ab5436..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 6da721ea37bf3624ff9922637cfa657d2dcb20f9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> -Date: Fri, 14 Jun 2019 09:14:53 +0200 -Subject: [PATCH 09/11] api: disallow virDomainManagedSaveDefineXML on - read-only connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virDomainManagedSaveDefineXML can be used to alter the domain's -config used for managedsave or even execute arbitrary emulator binaries. -Forbid it on read-only connections. - -Fixes: CVE-2019-10166 -Reported-by: Matthias Gerstner <mgerstner@suse.de> -Signed-off-by: Ján Tomko <jtomko@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) -Signed-off-by: Ján Tomko <jtomko@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2019-10166 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/libvirt-domain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index 270e10e..5c764aa 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -9482,6 +9482,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, - - virCheckDomainReturn(domain, -1); - conn = domain->conn; -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->domainManagedSaveDefineXML) { - int ret; --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch deleted file mode 100644 index 576f46c7..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5441f05a42a90779b0df86518286bf527e94aafb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> -Date: Fri, 14 Jun 2019 09:16:14 +0200 -Subject: [PATCH 10/11] api: disallow virConnectGetDomainCapabilities on - read-only connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This API can be used to execute arbitrary emulators. -Forbid it on read-only connections. - -Fixes: CVE-2019-10167 -Signed-off-by: Ján Tomko <jtomko@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) -Signed-off-by: Ján Tomko <jtomko@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2019-10167 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/libvirt-domain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index 5c764aa..9862a5d 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -11274,6 +11274,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, - virResetLastError(); - - virCheckConnectReturn(conn, NULL); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectGetDomainCapabilities) { - char *ret; --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch deleted file mode 100644 index 16f1a6d9..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f5ace9c05d59b70d4899199a187cb32ec6f600d8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> -Date: Fri, 14 Jun 2019 09:17:39 +0200 -Subject: [PATCH 11/11] api: disallow virConnect*HypervisorCPU on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -These APIs can be used to execute arbitrary emulators. -Forbid them on read-only connections. - -Fixes: CVE-2019-10168 -Signed-off-by: Ján Tomko <jtomko@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) -Signed-off-by: Ján Tomko <jtomko@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2019-10168 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/libvirt-host.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libvirt-host.c b/src/libvirt-host.c -index e20d6ee..2978825 100644 ---- a/src/libvirt-host.c -+++ b/src/libvirt-host.c -@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, - - virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); - virCheckNonNullArgGoto(xmlCPU, error); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectCompareHypervisorCPU) { - int ret; -@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, - - virCheckConnectReturn(conn, NULL); - virCheckNonNullArgGoto(xmlCPUs, error); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectBaselineHypervisorCPU) { - char *cpu; --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch deleted file mode 100644 index 8cca8216..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377 Mon Sep 17 00:00:00 2001 -From: John Ferlan <jferlan@redhat.com> -Date: Fri, 7 Sep 2018 16:01:27 -0400 -Subject: [PATCH] qemu: Remove duplicated qemuAgentCheckError - -Commit 5b3492fadb moved qemuAgentCheckError calls into -qemuAgentCommand for various reasons; however, subsequent -commit 0977b8aa0 adding a new command made call again -So let's just remove the duplicitous call from -qemuAgentGetInterfaces. - -Signed-off-by: John Ferlan <jferlan@redhat.com> -ACKed-by: Michal Privoznik <mprivozn@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2019-3840 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/qemu/qemu_agent.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -Index: libvirt-4.7.0/src/qemu/qemu_agent.c -=================================================================== ---- libvirt-4.7.0.orig/src/qemu/qemu_agent.c -+++ libvirt-4.7.0/src/qemu/qemu_agent.c -@@ -1987,10 +1987,9 @@ qemuAgentGetInterfaces(qemuAgentPtr mon, - if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL))) - goto cleanup; - -- if (qemuAgentCommand(mon, cmd, &reply, false, VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0 || -- qemuAgentCheckError(cmd, reply) < 0) { -+ if (qemuAgentCommand(mon, cmd, &reply, false, -+ VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0) - goto cleanup; -- } - - if (!(ret_array = virJSONValueObjectGet(reply, "return"))) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch index 0a9d5f48..eb75b5a4 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch @@ -1,4 +1,4 @@ -From f10477f0fe5e4b7487a4a41faa216d10cd2bc7c3 Mon Sep 17 00:00:00 2001 +From d074f34dd0fc671ab05367eda9cc7a965708fbed Mon Sep 17 00:00:00 2001 From: Mark Asselstine <mark.asselstine@windriver.com> Date: Thu, 10 May 2018 12:05:04 -0400 Subject: [PATCH] configure.ac: search for rpc/rpc.h in the sysroot @@ -10,20 +10,21 @@ for libtirpc's rpc.h header. Upstream-Status: Inappropriate [old release] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> + --- m4/virt-xdr.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/m4/virt-xdr.m4 b/m4/virt-xdr.m4 -index 5a6408c..6c19f6d 100644 +index 8375415..12b51f7 100644 --- a/m4/virt-xdr.m4 +++ b/m4/virt-xdr.m4 -@@ -33,10 +33,10 @@ if test x"$with_remote" = x"yes" || test x"$with_libvirtd" = x"yes"; then - dnl check for cygwin's variation in xdr function names - AC_CHECK_FUNCS([xdr_u_int64_t],[],[],[#include <rpc/xdr.h>]) +@@ -30,10 +30,10 @@ AC_DEFUN([LIBVIRT_CHECK_XDR], [ + ]) + with_xdr="yes" -- dnl Cygwin/recent glibc requires -I/usr/include/tirpc for <rpc/rpc.h> -+ dnl Cygwin/recent glibc requires -I=/usr/include/tirpc for <rpc/rpc.h> +- dnl Recent glibc requires -I/usr/include/tirpc for <rpc/rpc.h> ++ dnl Recent glibc requires -I=/usr/include/tirpc for <rpc/rpc.h> old_CFLAGS=$CFLAGS AC_CACHE_CHECK([where to find <rpc/rpc.h>], [lv_cv_xdr_cflags], [ - for add_CFLAGS in '' '-I/usr/include/tirpc' 'missing'; do @@ -31,6 +32,3 @@ index 5a6408c..6c19f6d 100644 if test x"$add_CFLAGS" = xmissing; then lv_cv_xdr_cflags=missing; break fi --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/gnutls-helper.py b/external/meta-virtualization/recipes-extended/libvirt/libvirt/gnutls-helper.py new file mode 100755 index 00000000..b9949469 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/gnutls-helper.py @@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019 Wind River Systems, Inc. +# +# SPDX-License-Identifier: GPL-2.0-only +# + +import os, sys, getopt + +banner = \ +'''\ +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! "ip_address" field of server.info must be IP address of the server. !! +!! For more details, please refer to: !! +!! https://libvirt.org/remote.html#Remote_certificates !! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +Please deploy cacert.pem to CA and server and client /etc/pki/CA/cacert.pem +Please deploy serverkey.pem to server /etc/pki/libvirt/private/serverkey.pem +Please deploy servercert.pem to server /etc/pki/libvirt/servercert.pem +Please deploy clientkey.pem to client /etc/pki/libvirt/private/clientkey.pem +Please deploy clientcert.pem to client /etc/pki/libvirt/clientcert.pem" +''' + +if os.system('which certtool > /dev/null 2>&1') != 0: + print('certtool is not available. It is provided by \n\ +gnutls-bin on Yocto like Linux or \n\ +gnutls-bin on Debian like distribution or \n\ +gnutls-utils on Redhat like distribution.') + sys.exit() + +cainfo = "" +serverinfo = "" +clientinfo = "" +yes = 0 + +try: + opts, args = getopt.getopt(sys.argv[1:], "ha:b:c:y", ["help", "ca-info=", "server-info=", "client-info=", "yes"]) +except getopt.GetoptError: + print('Usage:\n{} [-a|--ca-info] <ca.info> [-b|--server-info] <server.info> [-c|--client-info] <client.info> [-y|--yes]'.format(sys.argv[0])) + print('If ca.info or server.info or client.info is not provided, a corresponding sample file will be generated.') + sys.exit(2) +for opt, arg in opts: + if opt in ("-h", "--help"): + print('Usage:\n{} [-a|--ca-info] <ca.info> [-b|--server-info] <server.info> [-c|--client-info] <client.info> [-y|--yes]'.format(sys.argv[0])) + print('If ca.info or server.info or client.info is not provided, a corresponding sample file will be generated.\n') + print(banner) + sys.exit() + elif opt in ("-a", "--ca-info"): + cainfo = arg + elif opt in ("-b", "--server-info"): + serverinfo = arg + elif opt in ("-c", "--client-info"): + clientinfo = arg + elif opt in ("-y", "--yes"): + yes = 1 + +cainfodefault = \ +'''cn = CA +ca +cert_signing_key +''' + +serverinfodefault = \ +'''organization = Organization +cn = Server +dns_name = DNS Name +ip_address = 127.0.0.1 +tls_www_server +encryption_key +signing_key +''' + +clientinfodefault = \ +'''country = Country +state = State +locality = Locality +organization = Organization +cn = Client +tls_www_client +encryption_key +signing_key +''' + +if not cainfo: + if yes == 0: + opt = input('{}\nca.info not provided by -a, the above will be used [y/n]?'.format(cainfodefault)) + if opt != 'y': + exit() + cainfo = "ca.info" + with open(cainfo, mode='w') as f: + f.write(cainfodefault) + +if not serverinfo: + if yes == 0: + opt = input('{}\nserver.info not provided by -b, the above will be used [y/n]?'.format(serverinfodefault)) + if opt != 'y': + exit() + serverinfo = "server.info" + with open(serverinfo, mode='w') as f: + f.write(serverinfodefault) + +if not clientinfo: + if yes == 0: + opt = input('{}\nclient.info not provided by -c, the above will be used [y/n]?'.format(clientinfodefault)) + if opt != 'y': + sys.exit() + clientinfo = "client.info" + with open(clientinfo, mode='w') as f: + f.write(clientinfodefault) + +if os.system("certtool --generate-privkey > cakey.pem") != 0: + print('ca private key failed.') + sys.exit() + +if os.system("certtool --generate-self-signed --load-privkey cakey.pem --template {} --outfile cacert.pem".format(cainfo)) != 0: + print('ca cert failed.') + sys.exit() + +if os.system("certtool --generate-privkey > serverkey.pem") != 0: + print('server private key failed.') + sys.exit() + +if os.system("certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template {} --outfile servercert.pem".format(serverinfo)) != 0: + print('server cert failed.') + sys.exit() + +if os.system("certtool --generate-privkey > clientkey.pem") != 0: + print('client private key failed.') + sys.exit() + +if os.system("certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template {} --outfile clientcert.pem".format(clientinfo)) != 0: + print('client cert failed.') + sys.exit() + +print(banner) diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/hook_support.py b/external/meta-virtualization/recipes-extended/libvirt/libvirt/hook_support.py new file mode 100755 index 00000000..7c5e2a94 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/hook_support.py @@ -0,0 +1,55 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2014 Wind River Systems, Inc. +# +# Description: Calls other scripts in order, so that there can be multiple +# scripts for a particular hook tied to libvirt. +# +# For example: If this script is called "qemu" and is in the +# "/etc/libvirt/hooks/" directory. This script will be called by libvirt +# when certain actions are performed on a qemu guest. This script then +# will in turn call any executable file in the same directory matching +# "qemu-" followed by at least one alpha-numeric character. The scripts +# are called in order (based on the python sorted function), and once any +# sub-script returns a non-zero exit code no futher scripts are called. +# This script passes any arguments it retrieves on the command line and a +# copy of stdin to the sub-scripts it calls. + +import os +import re +import subprocess +import sys + +def main(): + return_value = 0 + hook_name = os.path.basename( __file__ ) + try: + hook_dir = os.path.dirname( __file__ ) + hook_args = sys.argv + del hook_args[ 0 ] # Remove executable from argument list + + # Save stdin, so we can pass it to each sub-script. + if sys.stdin.isatty(): + stdin_save = [ "" ] + else: + stdin_save = sys.stdin.readlines() + # Match the name name of the hook + a dash + atleast + # one alpha-numeric character. + matcher = re.compile( "%s-\w+" % hook_name ) + for file_name in sorted( os.listdir( hook_dir ) ): + file_path = os.path.join( hook_dir, file_name ) + if matcher.match( file_name ) \ + and os.access( file_path, os.X_OK ) \ + and os.path.isfile( file_path ) \ + and return_value == 0: + cmd = [ file_path ] + hook_args + p = subprocess.Popen( cmd, stdin=subprocess.PIPE ) + p.communicate( input = ''.join( stdin_save ) )[0] + return_value = p.wait() + except Exception as e: + sys.stderr.write( "%s hook error: %s\n" % ( hook_name, str( e ) ) ) + return_value = 1 + return return_value + +if __name__ == '__main__': + sys.exit( main() ) diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/install-missing-file.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/install-missing-file.patch index cb5a20e3..f9341491 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/install-missing-file.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/install-missing-file.patch @@ -1,6 +1,6 @@ -From 0780181a3285511f166487a54ebc231fc657edfe Mon Sep 17 00:00:00 2001 -From: Catalin Enache <catalin.enache@windriver.com> -Date: Mon, 25 Jul 2016 16:38:51 +0300 +From 75c974d28133ff85d299b7a53427653c47513a45 Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Wed, 8 May 2019 17:24:17 +0800 Subject: [PATCH] Install missing conf file openvzutilstest.conf file is needed by openvzutilstest test. @@ -12,15 +12,18 @@ Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> [MA: Update context for v4.3.0] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +[DDU: Update context for v5.3.0] +Signed-off-by: Dengke Du <dengke.du@windriver.com> + --- tests/Makefile.am | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/Makefile.am b/tests/Makefile.am -index 65f776e..8a6fd44 100644 +index 7a0aee3..380637d 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am -@@ -173,6 +173,7 @@ EXTRA_DIST = \ +@@ -172,6 +172,7 @@ EXTRA_DIST = \ $(NULL) test_helpers = commandhelper ssh @@ -28,7 +31,7 @@ index 65f776e..8a6fd44 100644 test_programs = virshtest sockettest \ virhostcputest virbuftest \ commandtest seclabeltest \ -@@ -305,6 +306,7 @@ endif WITH_LXC +@@ -310,6 +311,7 @@ endif WITH_LXC if WITH_OPENVZ test_programs += openvzutilstest @@ -36,7 +39,7 @@ index 65f776e..8a6fd44 100644 endif WITH_OPENVZ if WITH_ESX -@@ -1488,7 +1490,7 @@ endif ! WITH_CIL +@@ -1553,7 +1555,7 @@ endif ! WITH_LINUX buildtest-TESTS: $(TESTS) $(test_libraries) $(test_helpers) @@ -45,7 +48,3 @@ index 65f776e..8a6fd44 100644 install-ptest: list='$(TESTS) $(test_helpers) test-lib.sh virschematest' - --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt-use-pkg-config-to-locate-libcap.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt-use-pkg-config-to-locate-libcap.patch index 635d1e81..e6c7cae5 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt-use-pkg-config-to-locate-libcap.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt-use-pkg-config-to-locate-libcap.patch @@ -1,4 +1,4 @@ -From 3e271f6db12ffe34843428ec2f0bca7a8fe3aa65 Mon Sep 17 00:00:00 2001 +From 57b645c6db405bf2e22f4589ea5560a14975058f Mon Sep 17 00:00:00 2001 From: Bruce Ashfield <bruce.ashfield@windriver.com> Date: Wed, 8 Apr 2015 13:03:03 -0400 Subject: [PATCH] libvirt: use pkg-config to locate libcap @@ -14,18 +14,19 @@ locate the correct libraries. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> [MA: Update to apply agains v4.3.0] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> + --- m4/virt-libpcap.m4 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/m4/virt-libpcap.m4 b/m4/virt-libpcap.m4 -index 8fa4889..08b2f53 100644 +index 605c2fd..e0ab018 100644 --- a/m4/virt-libpcap.m4 +++ b/m4/virt-libpcap.m4 @@ -23,14 +23,14 @@ AC_DEFUN([LIBVIRT_ARG_LIBPCAP], [ AC_DEFUN([LIBVIRT_CHECK_LIBPCAP], [ - LIBPCAP_REQUIRED="1.0.0" + LIBPCAP_REQUIRED="1.5.0" - LIBPCAP_CONFIG="pcap-config" + LIBPCAP_CONFIG="pkg-config libpcap" LIBPCAP_CFLAGS="" @@ -40,6 +41,3 @@ index 8fa4889..08b2f53 100644 esac AS_IF([test "x$LIBPCAP_CONFIG" != "x"], [ AC_MSG_CHECKING(libpcap $LIBPCAP_CONFIG >= $LIBPCAP_REQUIRED ) --- -2.1.0 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt_api_xml_path.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt_api_xml_path.patch deleted file mode 100644 index 30c30e88..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/libvirt_api_xml_path.patch +++ /dev/null @@ -1,87 +0,0 @@ -Adding support for LIBVIRT_CFLAGS and LIBVIRT_LIBS - -Signed-off-by: Amy Fong <amy.fong@windriver.com> - - -Adding a support for LIBVIRT_API_PATH evironment variable, which can -control where the script should look for the 'libvirt-api.xml' file. -This allows building libvirt-python against different libvirt than the -one installed in the system. This may be used for example in autotest -or by packagers without the need to install libvirt into the system. - -Signed-off-by: Martin Kletzander <mkletzan redhat com> -[ywei: rebased to 1.3.2] -Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com> ---- - setup.py | 35 ++++++++++++++++++++++++----------- - 1 file changed, 24 insertions(+), 11 deletions(-) - -diff --git a/setup.py b/setup.py -index eff9d54..48ec4fe 100755 ---- a/setup.py -+++ b/setup.py -@@ -43,13 +43,7 @@ def check_minimum_libvirt_version(): - "libvirt"]) - - def have_libvirt_lxc(): -- try: -- spawn([get_pkgcfg(), -- "--atleast-version=%s" % MIN_LIBVIRT_LXC, -- "libvirt"]) -- return True -- except DistutilsExecError: -- return False -+ return True - - def have_libvirtaio(): - # This depends on asyncio, which in turn depends on "yield from" syntax. -@@ -77,7 +71,17 @@ def get_api_xml_files(): - """Check with pkg-config that libvirt is present and extract - the API XML file paths we need from it""" - -- libvirt_api = get_pkgconfig_data(["--variable", "libvirt_api"], "libvirt") -+ libvirt_api = os.getenv("LIBVIRT_API_PATH") -+ -+ if libvirt_api: -+ if not libvirt_api.endswith("-api.xml"): -+ raise ValueError("Invalid path '%s' for API XML" % libvirt_api) -+ if not os.path.exists(libvirt_api): -+ raise ValueError("API XML '%s' does not exist, " -+ "have you built libvirt?" % libvirt_api) -+ else: -+ libvirt_api = get_pkgconfig_data(["--variable", "libvirt_api"], -+ "libvirt") - - offset = libvirt_api.index("-api.xml") - libvirt_qemu_api = libvirt_api[0:offset] + "-qemu-api.xml" -@@ -97,8 +101,17 @@ def get_module_lists(): - - c_modules = [] - py_modules = [] -- ldflags = get_pkgconfig_data(["--libs-only-L"], "libvirt", False).split() -- cflags = get_pkgconfig_data(["--cflags"], "libvirt", False).split() -+ libvirt_cflags = os.getenv("LIBVIRT_CFLAGS") -+ if libvirt_cflags: -+ cflags = libvirt_cflags.split() -+ else: -+ cflags = get_pkgconfig_data(["--cflags"], "libvirt", False).split() -+ -+ libvirt_libs = os.getenv("LIBVIRT_LIBS") -+ if libvirt_libs: -+ ldflags = libvirt_libs.split() -+ else: -+ ldflags = get_pkgconfig_data(["--libs-only-L"], "libvirt", False).split() - - module = Extension('libvirtmod', - sources = ['libvirt-override.c', 'build/libvirt.c', 'typewrappers.c', 'libvirt-utils.c'], -@@ -144,7 +157,7 @@ def get_module_lists(): - class my_build(build): - - def run(self): -- check_minimum_libvirt_version() -+# check_minimum_libvirt_version() - apis = get_api_xml_files() - - self.spawn([sys.executable, "generator.py", "libvirt", apis[0]]) --- -2.17.0 diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/lxc_monitor-Avoid-AB-BA-lock-race.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/lxc_monitor-Avoid-AB-BA-lock-race.patch deleted file mode 100644 index fc3880fb..00000000 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/lxc_monitor-Avoid-AB-BA-lock-race.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 7882c6eca53fe9abe253497a50f6c5ae062176d3 Mon Sep 17 00:00:00 2001 -From: Mark Asselstine <mark.asselstine@windriver.com> -Date: Mon, 24 Sep 2018 11:11:35 -0400 -Subject: [PATCH] lxc_monitor: Avoid AB / BA lock race - -A deadlock situation can occur when autostarting a LXC domain 'guest' -due to two threads attempting to take opposing locks while holding -opposing locks (AB BA problem). Thread A takes and holds the 'vm' lock -while attempting to take the 'client' lock, meanwhile, thread B takes -and holds the 'client' lock while attempting to take the 'vm' lock. - -The potential for this can be seen as follows: - -Thread A: -virLXCProcessAutostartDomain (takes vm lock) - --> virLXCProcessStart - --> virLXCProcessConnectMonitor - --> virLXCMonitorNew - --> virNetClientSetCloseCallback (wants client lock) - -Thread B: -virNetClientIncomingEvent (takes client lock) - --> virNetClientIOHandleInput - --> virNetClientCallDispatch - --> virNetClientCallDispatchMessage - --> virNetClientProgramDispatch - --> virLXCMonitorHandleEventInit - --> virLXCProcessMonitorInitNotify (wants vm lock) - -Since these threads are scheduled independently and are preemptible it -is possible for the deadlock scenario to occur where each thread locks -their first lock but both will fail to get their second lock and just -spin forever. You get something like: - -virLXCProcessAutostartDomain (takes vm lock) - --> virLXCProcessStart - --> virLXCProcessConnectMonitor - --> virLXCMonitorNew -<...> -virNetClientIncomingEvent (takes client lock) - --> virNetClientIOHandleInput - --> virNetClientCallDispatch - --> virNetClientCallDispatchMessage - --> virNetClientProgramDispatch - --> virLXCMonitorHandleEventInit - --> virLXCProcessMonitorInitNotify (wants vm lock but spins) -<...> - --> virNetClientSetCloseCallback (wants client lock but spins) - -Neither thread ever gets the lock it needs to be able to continue -while holding the lock that the other thread needs. - -The actual window for preemption which can cause this deadlock is -rather small, between the calls to virNetClientProgramNew() and -execution of virNetClientSetCloseCallback(), both in -virLXCMonitorNew(). But it can be seen in real world use that this -small window is enough. - -By moving the call to virNetClientSetCloseCallback() ahead of -virNetClientProgramNew() we can close any possible chance of the -deadlock taking place. There should be no other implications to the -move since the close callback (in the unlikely event was called) will -spin on the vm lock. The remaining work that takes place between the -old call location of virNetClientSetCloseCallback() and the new -location is unaffected by the move. - -Upstream-Status: Backport commit 7882c6eca53f - -Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> -Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ---- - src/lxc/lxc_monitor.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/lxc/lxc_monitor.c b/src/lxc/lxc_monitor.c -index e765c16..0b18a14 100644 ---- a/src/lxc/lxc_monitor.c -+++ b/src/lxc/lxc_monitor.c -@@ -161,6 +161,13 @@ virLXCMonitorPtr virLXCMonitorNew(virDomainObjPtr vm, - if (virNetClientRegisterAsyncIO(mon->client) < 0) - goto error; - -+ /* avoid deadlock by making this call before assigning virLXCMonitorEvents */ -+ virNetClientSetCloseCallback(mon->client, virLXCMonitorEOFNotify, mon, -+ virLXCMonitorCloseFreeCallback); -+ -+ /* close callback now has its own reference */ -+ virObjectRef(mon); -+ - if (!(mon->program = virNetClientProgramNew(VIR_LXC_MONITOR_PROGRAM, - VIR_LXC_MONITOR_PROGRAM_VERSION, - virLXCMonitorEvents, -@@ -175,10 +182,6 @@ virLXCMonitorPtr virLXCMonitorNew(virDomainObjPtr vm, - mon->vm = virObjectRef(vm); - memcpy(&mon->cb, cb, sizeof(mon->cb)); - -- virObjectRef(mon); -- virNetClientSetCloseCallback(mon->client, virLXCMonitorEOFNotify, mon, -- virLXCMonitorCloseFreeCallback); -- - cleanup: - VIR_FREE(sockpath); - return mon; --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/runptest.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/runptest.patch index 457e8218..9f3ad678 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/runptest.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/runptest.patch @@ -1,7 +1,7 @@ -From 94478517c4f9950b28be3a348387db6ede3db812 Mon Sep 17 00:00:00 2001 -From: Mark Asselstine <mark.asselstine@windriver.com> -Date: Mon, 4 Jun 2018 11:55:37 -0400 -Subject: [PATCH] Add 'install-ptest' rule. +From 9d6bfb4a5e9b44c080ddf3bad4c364ffb0e9d84a Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Wed, 8 May 2019 10:20:47 +0800 +Subject: [PATCH] Add 'install-ptest' rule Change TESTS_ENVIRONMENT to allow running outside build dir. @@ -15,15 +15,18 @@ Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: He Zhe <zhe.he@windriver.com> [MA: Update context for v4.3.0] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +[DDU: Update context for v5.3.0] +Signed-off-by: Dengke Du <dengke.du@windriver.com> + --- - tests/Makefile.am | 74 +++++++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 61 insertions(+), 13 deletions(-) + tests/Makefile.am | 68 +++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 60 insertions(+), 8 deletions(-) diff --git a/tests/Makefile.am b/tests/Makefile.am -index 7b93fbd..edc1eb9 100644 +index 83326db..7a0aee3 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am -@@ -35,11 +35,13 @@ INCLUDES = \ +@@ -28,11 +28,13 @@ AM_CPPFLAGS = \ WARN_CFLAGS += $(RELAXED_FRAME_LIMIT_CFLAGS) @@ -31,52 +34,34 @@ index 7b93fbd..edc1eb9 100644 + AM_CFLAGS = \ - -Dabs_builddir="\"$(abs_builddir)\"" \ -- -Dabs_topbuilddir="\"$(abs_topbuilddir)\"" \ +- -Dabs_top_builddir="\"$(abs_top_builddir)\"" \ - -Dabs_srcdir="\"$(abs_srcdir)\"" \ -- -Dabs_topsrcdir="\"$(abs_topsrcdir)\"" \ +- -Dabs_top_srcdir="\"$(abs_top_srcdir)\"" \ + -Dabs_builddir="\"$(PTEST_DIR)/tests\"" \ -+ -Dabs_topbuilddir="\"$(PTEST_DIR)\"" \ ++ -Dabs_top_builddir="\"$(PTEST_DIR)\"" \ + -Dabs_srcdir="\"$(PTEST_DIR)/tests\"" \ -+ -Dabs_topsrcdir="\"$(PTEST_DIR)\"" \ ++ -Dabs_top_srcdir="\"$(PTEST_DIR)\"" \ $(LIBXML_CFLAGS) \ + $(GLIB_CFLAGS) \ $(LIBNL_CFLAGS) \ - $(GNUTLS_CFLAGS) \ -@@ -64,7 +66,7 @@ QEMULIB_LDFLAGS = \ - $(MINGW_EXTRA_LDFLAGS) - - INCLUDES += \ -- -DTEST_DRIVER_DIR=\"$(top_builddir)/src/.libs\" -+ -DTEST_DRIVER_DIR=\"$(PTEST_DIR)/src/.libs\" +@@ -472,10 +474,10 @@ TESTS = $(test_programs) \ - PROBES_O = - if WITH_DTRACE_PROBES -@@ -466,17 +468,15 @@ TESTS = $(test_programs) \ - # Also, BSD sh doesn't like 'a=b b=$$a', so we can't use an - # intermediate shell variable, but must do all the expansion in make - --lv_abs_top_builddir=$(shell cd '$(top_builddir)' && pwd) -- VIR_TEST_EXPENSIVE ?= $(VIR_TEST_EXPENSIVE_DEFAULT) TESTS_ENVIRONMENT = \ -- abs_top_builddir=$(lv_abs_top_builddir) \ -- abs_top_srcdir=`cd '$(top_srcdir)'; pwd` \ -- abs_builddir=$(abs_builddir) \ -- abs_srcdir=$(abs_srcdir) \ -- CONFIG_HEADER="$(lv_abs_top_builddir)/config.h" \ +- abs_top_builddir="$(abs_top_builddir)" \ +- abs_top_srcdir="$(abs_top_srcdir)" \ +- abs_builddir="$(abs_builddir)" \ +- abs_srcdir="$(abs_srcdir)" \ + abs_top_builddir="$(PTEST_DIR)" \ + abs_top_srcdir="$(PTEST_DIR)" \ + abs_builddir="$(PTEST_DIR)/tests" \ + abs_srcdir="$(PTEST_DIR)/tests" \ -+ CONFIG_HEADER="$(PTEST_DIR)/config.h" \ - SHELL="$(SHELL)" \ -- LIBVIRT_DRIVER_DIR="$(lv_abs_top_builddir)/src/.libs" \ -+ LIBVIRT_DRIVER_DIR="$(PTEST_DIR)/src/.libs" \ LIBVIRT_AUTOSTART=0 \ LC_ALL=C \ VIR_TEST_EXPENSIVE=$(VIR_TEST_EXPENSIVE) \ -@@ -1486,5 +1486,55 @@ else ! WITH_CIL - EXTRA_DIST += objectlocking.ml - endif ! WITH_CIL +@@ -1549,4 +1551,54 @@ else ! WITH_LINUX + EXTRA_DIST += virscsitest.c + endif ! WITH_LINUX +buildtest-TESTS: $(TESTS) $(test_libraries) $(test_helpers) + @@ -94,7 +79,7 @@ index 7b93fbd..edc1eb9 100644 + install ../src/libvirt_iohelper $(DEST_DIR)/src + install -D ../src/libvirtd $(DEST_DIR)/src/libvirtd + install -d $(DEST_DIR)/src/remote -+ install -D $(top_srcdir)/src/remote/libvirtd.conf $(DEST_DIR)/src/remote/libvirtd.conf ++ install -D $(top_srcdir)/../build/src/remote/libvirtd.conf $(DEST_DIR)/src/remote/libvirtd.conf + install -d $(DEST_DIR)/src/remote/.libs + @(if [ -d ../src/remote/.libs ] ; then cd ../src/remote/.libs; fi; \ + install * $(DEST_DIR)/src/remote/.libs) @@ -128,8 +113,4 @@ index 7b93fbd..edc1eb9 100644 + sed -i -e 's|$(BUILD_DIR)|$(PTEST_DIR)|g' $(DEST_DIR)/Makefile + sed -i -e 's|^\(.*\.log:\) \(.*EXEEXT.*\)|\1|g' $(DEST_DIR)/tests/Makefile + - CLEANFILES = *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno *.gcda *.cmi *.cmx \ - objectlocking-files.txt --- -2.7.4 - + CLEANFILES = *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno *.gcda diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch index 5f6f9502..f03cc890 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt/tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch @@ -1,6 +1,6 @@ -From f73c5c61c921bf773dcba5e4234e23afce5dbe7f Mon Sep 17 00:00:00 2001 -From: Bruce Ashfield <bruce.ashfield@windriver.com> -Date: Fri, 2 Aug 2013 11:38:43 -0400 +From a1696741375c6faca0d09ae6b271a2c56fc2b6fe Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Tue, 7 May 2019 15:26:32 +0800 Subject: [PATCH] tools: add libvirt-net-rpc to virt-host-validate when TLS is enabled @@ -13,30 +13,34 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com> [MA: rebase to v4.3.0] Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +[ddu: rebase to v5.3.0] +Signed-off-by: Dengke Du <dengke.du@windriver.com> + --- - examples/Makefile.am | 19 +++++++++++++++++++ - tools/Makefile.am | 13 +++++++++++++ + examples/Makefile.am | 20 ++++++++++++++++++++ + tools/Makefile.am | 12 ++++++++++++ 2 files changed, 32 insertions(+) diff --git a/examples/Makefile.am b/examples/Makefile.am -index 7069d74..c8893e3 100644 +index ad635bd..a94f41d 100644 --- a/examples/Makefile.am +++ b/examples/Makefile.am -@@ -39,6 +39,10 @@ LDADD = $(STATIC_BINARIES) $(WARN_CFLAGS) $(COVERAGE_LDFLAGS) \ - $(top_builddir)/src/libvirt.la $(top_builddir)/gnulib/lib/libgnu.la \ - $(top_builddir)/src/libvirt-admin.la +@@ -74,6 +74,10 @@ LDADD = \ + $(top_builddir)/src/libvirt-admin.la \ + $(NULL) +if WITH_GNUTLS +LDADD += $(top_builddir)/src/libvirt-net-rpc.la +endif + - noinst_PROGRAMS=dominfo/info1 dommigrate/dommigrate domsuspend/suspend \ - domtop/domtop hellolibvirt/hellolibvirt object-events/event-test \ - openauth/openauth rename/rename admin/list_servers admin/list_clients \ -@@ -70,6 +74,21 @@ admin_logging_SOURCES = admin/logging.c - INSTALL_DATA_LOCAL = - UNINSTALL_LOCAL = + noinst_PROGRAMS = \ + c/admin/client_close \ + c/admin/client_info \ +@@ -111,6 +115,22 @@ c_misc_openauth_SOURCES = c/misc/openauth.c + examplesdir = $(docdir)/examples + adminexamplesdir = $(examplesdir)/c/admin ++ +if WITH_GNUTLS +dominfo_info1_LDADD = $(top_builddir)/src/libvirt-net-rpc.la \ + $(LDADD) \ @@ -52,15 +56,15 @@ index 7069d74..c8893e3 100644 + $(NULL) +endif + - if WITH_APPARMOR_PROFILES - apparmordir = $(sysconfdir)/apparmor.d/ - apparmor_DATA = \ + adminexamples_DATA = $(ADMIN_EXAMPLES) + + domainexamplesdir = $(examplesdir)/c/domain diff --git a/tools/Makefile.am b/tools/Makefile.am -index 1452d98..204e772 100644 +index 53df930..2a0a989 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am -@@ -188,6 +188,13 @@ virt_host_validate_LDADD = \ - ../gnulib/lib/libgnu.la \ +@@ -166,6 +166,12 @@ virt_host_validate_LDADD = \ + $(GLIB_LIBS) \ $(NULL) +if WITH_GNUTLS @@ -69,11 +73,10 @@ index 1452d98..204e772 100644 + $(NULL) +endif + -+ virt_host_validate_CFLAGS = \ $(AM_CFLAGS) \ $(NULL) -@@ -268,6 +275,12 @@ virt_admin_CFLAGS = \ +@@ -262,6 +268,12 @@ virt_admin_CFLAGS = \ $(READLINE_CFLAGS) BUILT_SOURCES = @@ -86,6 +89,3 @@ index 1452d98..204e772 100644 if WITH_WIN_ICON virsh_LDADD += virsh_win_icon.$(OBJEXT) --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb b/external/meta-virtualization/recipes-extended/libvirt/libvirt_6.1.0.bb index 1d3b48e8..9aa78b77 100644 --- a/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt_6.1.0.bb @@ -8,7 +8,9 @@ SECTION = "console/tools" DEPENDS = "bridge-utils gnutls libxml2 lvm2 avahi parted curl libpcap util-linux e2fsprogs pm-utils \ iptables dnsmasq readline libtasn1 libxslt-native acl libdevmapper libtirpc \ - ${@bb.utils.contains('PACKAGECONFIG', 'polkit', 'shadow-native', '', d)}" + python3-docutils-native \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit', 'shadow-native', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'gnutls', 'gnutls-native', '', d)}" # libvirt-guests.sh needs gettext.sh # @@ -35,25 +37,18 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://install-missing-file.patch \ file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \ file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \ - file://lxc_monitor-Avoid-AB-BA-lock-race.patch \ - file://CVE-2019-3840.patch \ - file://0001-cpu_x86-Do-not-cache-microcode-version.patch \ - file://0002-qemu-Don-t-cache-microcode-version.patch \ - file://CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch \ - file://CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch \ - file://CVE-2019-10132_p1.patch \ - file://CVE-2019-10132_p2.patch \ - file://CVE-2019-10132_p3.patch \ - file://CVE-2019-10161.patch \ - file://CVE-2019-10166.patch \ - file://CVE-2019-10167.patch \ - file://CVE-2019-10168.patch \ + file://0001-build-drop-unnecessary-libgnu.la-reference.patch \ + file://hook_support.py \ + file://gnutls-helper.py \ " -SRC_URI[libvirt.md5sum] = "38da6c33250dcbc0a6d68de5c758262b" -SRC_URI[libvirt.sha256sum] = "92c279f7321624ac5a37a81f8bbe8c8d2a16781da04c63c99c92d3de035767e4" +SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145" +SRC_URI[libvirt.sha256sum] = "167c185be45560e73dd3e14ed375778b555c01455192de2dafc4d0f74fabebc0" -inherit autotools gettext update-rc.d pkgconfig ptest systemd +inherit autotools gettext update-rc.d pkgconfig ptest systemd useradd perlnative +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "-r qemu; -r kvm" +USERADD_PARAM_${PN} = "-r -g qemu -G kvm qemu" # Override the default set in autotools.bbclass so that we will use relative pathnames # to our local m4 files. This prevents an "Argument list too long" error during configuration @@ -128,6 +123,7 @@ FILES_${PN}-libvirtd = " \ ${sbindir}/libvirtd \ ${systemd_unitdir}/system/* \ ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', '${libexecdir}/libvirt-guests.sh', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'gnutls', '${sysconfdir}/pki/libvirt/* ${sysconfdir}/pki/CA/*', '', d)} \ " FILES_${PN}-virsh = " \ @@ -140,6 +136,7 @@ FILES_${PN} += "${libdir}/libvirt/connection-driver \ ${@bb.utils.contains('PACKAGECONFIG', 'polkit', '${datadir}/polkit-1', '', d)} \ ${datadir}/bash-completion/completions/vsh \ ${datadir}/bash-completion/completions/virt-admin \ + /usr/lib/firewalld/zones/libvirt.xml \ " FILES_${PN}-dbg += "${libdir}/libvirt/connection-driver/.debug ${libdir}/libvirt/lock-driver/.debug" @@ -191,27 +188,30 @@ PRIVATE_LIBS_${PN}-ptest = " \ #PACKAGECONFIG ??= "xen libxl xen-inotify test remote libvirtd" # full config -PACKAGECONFIG ??= "qemu yajl uml openvz vmware vbox esx iproute2 lxc test \ +PACKAGECONFIG ??= "qemu yajl openvz vmware vbox esx iproute2 lxc test \ remote macvtap libvirtd netcf udev python ebtables \ + fuse iproute2 firewalld libpcap \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit libcap-ng', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xen', 'libxl', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'polkit', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'polkit', '', d)} \ " # qemu is NOT compatible with mips64 PACKAGECONFIG_remove_mipsarchn32 = "qemu" PACKAGECONFIG_remove_mipsarchn64 = "qemu" +# numactl is NOT compatible with arm +PACKAGECONFIG_remove_arm = "numactl" +PACKAGECONFIG_remove_armeb = "numactl" + # enable,disable,depends,rdepends # -PACKAGECONFIG[qemu] = "--with-qemu,--without-qemu,qemu," +PACKAGECONFIG[gnutls] = ",,,gnutls-bin" +PACKAGECONFIG[qemu] = "--with-qemu --with-qemu-user=qemu --with-qemu-group=qemu,--without-qemu,qemu," PACKAGECONFIG[yajl] = "--with-yajl,--without-yajl,yajl,yajl" -PACKAGECONFIG[xenapi] = "--with-xenapi,--without-xenapi,," -PACKAGECONFIG[libxl] = "--with-libxl=${STAGING_DIR_TARGET}/lib,--without-libxl,libxl," -PACKAGECONFIG[uml] = "--with-uml, --without-uml,," +PACKAGECONFIG[libxl] = "--with-libxl=${STAGING_DIR_TARGET}/lib,--without-libxl,xen," PACKAGECONFIG[openvz] = "--with-openvz,--without-openvz,," PACKAGECONFIG[vmware] = "--with-vmware,--without-vmware,," -PACKAGECONFIG[phyp] = "--with-phyp,--without-phyp,," PACKAGECONFIG[vbox] = "--with-vbox,--without-vbox,," PACKAGECONFIG[esx] = "--with-esx,--without-esx,," PACKAGECONFIG[hyperv] = "--with-hyperv,--without-hyperv,," @@ -226,7 +226,7 @@ PACKAGECONFIG[dtrace] = "--with-dtrace,--without-dtrace,," PACKAGECONFIG[udev] = "--with-udev --with-pciaccess,--without-udev,udev libpciaccess," PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux," PACKAGECONFIG[ebtables] = "ac_cv_path_EBTABLES_PATH=/sbin/ebtables,ac_cv_path_EBTABLES_PATH=,ebtables,ebtables" -PACKAGECONFIG[python] = ",,python," +PACKAGECONFIG[python] = ",,python3," PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl,cyrus-sasl" PACKAGECONFIG[iproute2] = "ac_cv_path_IP_PATH=/sbin/ip,ac_cv_path_IP_PATH=,iproute2,iproute2" PACKAGECONFIG[numactl] = "--with-numactl,--without-numactl,numactl," @@ -234,10 +234,34 @@ PACKAGECONFIG[fuse] = "--with-fuse,--without-fuse,fuse," PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit," PACKAGECONFIG[libcap-ng] = "--with-capng,--without-capng,libcap-ng," PACKAGECONFIG[wireshark] = "--with-wireshark-dissector,--without-wireshark-dissector,wireshark libwsutil," +PACKAGECONFIG[apparmor-profiles] = "--with-apparmor-profiles, --without-apparmor-profiles," +PACKAGECONFIG[firewalld] = "--with-firewalld, --without-firewalld," +PACKAGECONFIG[libpcap] = "--with-libpcap, --without-libpcap,libpcap,libpcap" +PACKAGECONFIG[numad] = "--with-numad, --without-numad," # Enable the Python tool support require libvirt-python.inc +do_compile() { + cd ${B}/src + # There may be race condition, but without creating these directories + # in the source tree, generation of files fails. + for i in access admin logging esx locking rpc hyperv lxc \ + remote network storage interface nwfilter node_device \ + secret vbox qemu; do + mkdir -p $i; + done + + cd ${B} + export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:${B}/src:" + oe_runmake all +} + +do_install_prepend() { + # so the install routines can find the libvirt.pc in the source dir + export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:${B}/src:" +} + do_install_append() { install -d ${D}/etc/init.d install -d ${D}/etc/libvirt @@ -294,6 +318,10 @@ do_install_append() { # Add hook support for libvirt mkdir -p ${D}/etc/libvirt/hooks + for hook in "daemon" "lxc" "network" "qemu" + do + install -m 0755 ${WORKDIR}/hook_support.py ${D}/etc/libvirt/hooks/${hook} + done # Force the main dnsmasq instance to bind only to specified interfaces and # to not bind to virbr0. Libvirt will run its own instance on this interface. @@ -303,6 +331,46 @@ do_install_append() { for i in `find ${D}${libdir} -type f -name *.la`; do sed -i -e 's#-L${B}/src/.libs##g' $i done + + sed -i -e 's/^\(unix_sock_group\ =\ \).*/\1"kvm"/' ${D}/etc/libvirt/libvirtd.conf + sed -i -e 's/^\(unix_sock_rw_perms\ =\ \).*/\1"0776"/' ${D}/etc/libvirt/libvirtd.conf + + case ${MACHINE_ARCH} in + *mips*) + break + ;; + *) + chown -R qemu:qemu ${D}/${localstatedir}/lib/libvirt/qemu + echo "d qemu qemu 0755 ${localstatedir}/cache/libvirt/qemu none" \ + >> ${D}${sysconfdir}/default/volatiles/99_libvirt + break + ;; + esac + + if ${@bb.utils.contains('PACKAGECONFIG','gnutls','true','false',d)}; then + # Generate sample keys and certificates. + cd ${WORKDIR} + ${WORKDIR}/gnutls-helper.py -y + + # Deploy all sample keys and certificates of CA, server and client + # to target so that libvirtd is able to boot successfully and local + # connection via 127.0.0.1 is available out of box. + install -d ${D}/etc/pki/CA + install -d ${D}/etc/pki/libvirt/private + install -m 0755 ${WORKDIR}/gnutls-helper.py ${D}/${bindir} + install -m 0644 ${WORKDIR}/cakey.pem ${D}/${sysconfdir}/pki/libvirt/private/cakey.pem + install -m 0644 ${WORKDIR}/cacert.pem ${D}/${sysconfdir}/pki/CA/cacert.pem + install -m 0644 ${WORKDIR}/serverkey.pem ${D}/${sysconfdir}/pki/libvirt/private/serverkey.pem + install -m 0644 ${WORKDIR}/servercert.pem ${D}/${sysconfdir}/pki/libvirt/servercert.pem + install -m 0644 ${WORKDIR}/clientkey.pem ${D}/${sysconfdir}/pki/libvirt/private/clientkey.pem + install -m 0644 ${WORKDIR}/clientcert.pem ${D}/${sysconfdir}/pki/libvirt/clientcert.pem + + # Force the connection to be tls. + sed -i -e 's/^\(listen_tls\ =\ .*\)/#\1/' -e 's/^\(listen_tcp\ =\ .*\)/#\1/' ${D}/etc/libvirt/libvirtd.conf + fi + + # virt-login-shell needs to run with setuid permission + chmod 4755 ${D}${bindir}/virt-login-shell } EXTRA_OECONF += " \ @@ -310,8 +378,15 @@ EXTRA_OECONF += " \ --with-test-suite \ " +# gcc9 end up mis-compiling qemuxml2argvtest.o with Og which then +# crashes on target, so remove -Og and use -O2 as workaround +SELECTED_OPTIMIZATION_remove_virtclass-multilib-lib32_mipsarch = "-Og" +SELECTED_OPTIMIZATION_append_virtclass-multilib-lib32_mipsarch = " -O2" + EXTRA_OEMAKE = "BUILD_DIR=${B} DEST_DIR=${D}${PTEST_PATH} PTEST_DIR=${PTEST_PATH} SYSTEMD_UNIT_DIR=${systemd_system_unitdir}" +PRIVATE_LIBS_${PN}-ptest_append = "libvirt-admin.so.0" + do_compile_ptest() { oe_runmake -C tests buildtest-TESTS } @@ -331,6 +406,7 @@ pkg_postinst_${PN}() { if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then /etc/init.d/populate-volatile.sh update fi + mkdir -m 711 -p $D/data/images } python () { |