[RHEL-18212] [RHEL9][Secure-execution][s390x] The error message is not clear when boot up a SE guest with wrong encryption

    • qemu-kvm-8.2.0-3.el9
    • Critical
    • rhel-sst-virtualization
    • ssg_virtualization
    • 22
    • 24
    • Red Hat Enterprise Linux
    • s390x

      What were you trying to do that didn't work?

      The error message is not clear when booting up an SE guest with wrong notification on Z16 host and with Z15 notification

      Please provide the package NVR for which bug is seen:

      qemu version: qemu-kvm-8.1.0-4.el9.s390x

      kernel version: kernel-5.14.0-386.el9.s390x

      How reproducible:

      100%

      Steps to reproduce

      1.  set LPAR kernel command for SE guest
        1. grubby --update-kernel='/boot/vmlinuz-5.14.0-386.el9.s390x' --args="prot_virt=1"
        2. zipl
        3. reboot
      2. boot a SE guest

      Expected results

      the error message could show more details about the root cause

      Actual results

      ([root@rdu-z16-l26 home]# cat /sys/firmware/uv/prot_virt_host
      1
      [root@rdu-z16-l26 home]# sh se.sh 
      QEMU 8.1.0 monitor - type 'help' for more information
      (qemu) qemu-kvm: KVM PV command 2 (KVM_PV_SET_SEC_PARMS) failed: header rc 108 rrc 5 IOCTL rc: -22
      [root@rdu-z16-l26 home]


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: qemu-kvm security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:2135


            Sebastian Mitterle added a comment -

            No issues for vfio_X, setting Release pending (bfu@redhat.com it was still in preliminary = requested)

            libvirt    libvirt-10.0.0-2.el9.s390x
            qemu-kvm    qemu-kvm-8.2.0-4.el9.s390x
            kernel    kernel-5.14.0-414.el9.s390x

            https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/libvirt-RHEL-9.4-runtest-s390x-function-vfio/2/testReport/

            Leo Fu added a comment - - edited

            Test result:

            specific test result:

            QEMU 8.2.0 monitor - type 'help' for more information
            (qemu) qemu-kvm: KVM PV command 2 (KVM_PV_SET_SEC_PARMS) failed: header rc 108 rrc 5 IOCTL rc: -22
            qemu-kvm: Failed to set secure execution parameters
            Please check whether the image is correctly encrypted for this host

             

            Normal guest:

            From 103 tests executed, 101 passed, 2 did not pass, and 0 warned

            Failed cases got PASS after re-trigger

            http://10.0.136.47/bfu/s390x/jira-bugs/RHEL-18212/results.html

            http://10.0.136.47/bfu/s390x/jira-bugs/RHEL-18212-1/results.html

             

            SE guest:

            From 160 tests executed, 154 passed, 6 did not pass, and 0 warned

            Failed cases got PASS after re-trigger

            http://10.0.136.47/bfu/s390x/jira-bugs/RHEL-18212-se/results.html

            http://10.0.136.47/bfu/s390x/jira-bugs/RHEL-18212-se-1/results.html

             

            smitterl@redhat.com Hi Sebas, please help me trigger the passthrough tests and set the status to release-pending
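
            The two outputs quoted in this issue, turned into a triage helper; this is an added example, not part of the issue and not QEMU or Red Hat code. The function names are hypothetical and the sample log is constructed from the output quoted above.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not QEMU or Red Hat code.

# Constructed sample: stderr of an SE guest start, as quoted in this issue.
SAMPLE_LOG="QEMU 8.1.0 monitor - type 'help' for more information
(qemu) qemu-kvm: KVM PV command 2 (KVM_PV_SET_SEC_PARMS) failed: header rc 108 rrc 5 IOCTL rc: -22"

# Read QEMU output on stdin; print "cmd=N name=NAME rc=N rrc=N ioctl=N" for each
# failed KVM PV command. Exit status 1 when no such line is present.
parse_pv_failure() {
    sed -n -E 's/.*KVM PV command ([0-9]+) \(([A-Z_]+)\) failed: header rc ([0-9]+) rrc ([0-9]+) IOCTL rc: (-?[0-9]+).*/cmd=\1 name=\2 rc=\3 rrc=\4 ioctl=\5/p' | grep .
}

# $1 = captured QEMU output, $2 = prot_virt_host file (overridable for testing).
# Returns 0 = no PV failure, 1 = PV command failed, 2 = host not set up for SE.
triage_se_start() {
    _log=$1
    _uv=${2:-/sys/firmware/uv/prot_virt_host}
    if [ "$(cat "$_uv" 2>/dev/null)" != "1" ]; then
        echo "host-not-prepared: $_uv does not read 1 (check prot_virt=1, zipl, reboot)"
        return 2
    fi
    if ! _parsed=$(printf '%s\n' "$_log" | parse_pv_failure); then
        echo "no-pv-failure"
        return 0
    fi
    case $_parsed in
        *name=KVM_PV_SET_SEC_PARMS*)
            echo "set-sec-parms-failed: $_parsed"
            # Same hint the fixed build prints, for hosts still on the older build.
            echo "hint: check whether the image is correctly encrypted for this host"
            ;;
        *)
            echo "other-pv-failure: $_parsed"
            ;;
    esac
    return 1
}

# Demo on the constructed sample; on a non-SE host this reports host-not-prepared.
triage_se_start "$SAMPLE_LOG" || true
```
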


            Leo Fu added a comment -

            Hi, mrezanin I start the regression test today and it will finish by tomorrow or this Friday, because we have three parts of regression test on s390x. Sorry for the late reply, this was blocked by https://issues.redhat.com/browse/RHEL-22465


            Miroslav Rezanina added a comment -

            Hi bfu@redhat.com, can you handle preverification so we can add build to errata? Thanks

            Miroslav Rezanina added a comment -

            Fix included in qemu-kvm-8.2.0-3.el9

            Fixed by merge request 's390x: Provide some more useful information if decryption of a PV image fails' ( https://gitlab.com/redhat/centos-stream/src/qemu-kvm/-/merge_requests/213 )

            gitlab-bot added a comment -

            Miroslav Rezanina mentioned this issue in a merge request of Red Hat / centos-stream / rpms / qemu-kvm on branch next:

            Update to qemu-kvm-8.2.0-3.el9


            Thomas Huth added a comment -

            @bfu : Could you please provide an ITM for this ticket here? Thanks!


            Thomas Huth added a comment -

            I now suggested a patch here: https://lore.kernel.org/qemu-devel/20240109143038.155512-1-thuth@redhat.com/

            Cédric Le Goater added a comment -

            We should include several error_reports() calls in s390_machine_protect()

              thuth@redhat.com Thomas Huth
              bfu@redhat.com Leo Fu