Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-58218

SE can't be memory backed with file set by libvirt, other than /dev/shm

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • kernel-6.12.0-109.el10
    • Yes
    • Low
    • CustomerScenariosInitiative
    • 2
    • rhel-virt-hwe-s390x
    • ssg_virtualization
    • 21
    • 23
    • 400
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • zKVM CY25Q1, zKVM CY25 sprint 3
    • Known Issue
    • Hide
      .Secure Execution VMs cannot boot with file-backed memory backing

      If you configure a virtual machines (VMs) with enabled Secure Execution to use file-backed memory backing, the VM currently fails to boot, and instead displays a `Protected boot has failed` error.

      Workaround: Edit the `/etc/libvirt/qemu.conf` file and set the `memory_backing_dir` line to the following value:

      ----
      memory_backing_dir = "/dev/shm/"
      ----

      Afterwards, the affected VMs can boot as expected.
      Show
      .Secure Execution VMs cannot boot with file-backed memory backing If you configure a virtual machines (VMs) with enabled Secure Execution to use file-backed memory backing, the VM currently fails to boot, and instead displays a `Protected boot has failed` error. Workaround: Edit the `/etc/libvirt/qemu.conf` file and set the `memory_backing_dir` line to the following value: ---- memory_backing_dir = "/dev/shm/" ---- Afterwards, the affected VMs can boot as expected.
    • Done
    • s390x
    • None
    • Merge Request passes all submitter checks, Merge Request finished CI testing, Merge Request passed CI testing, Merge Request approved by peer review

      What were you trying to do that didn't work?

      Use a virtiofs filesystem on an SE guest with memory backing source a file.

      What is the impact of this issue to you?

      VMs must be defined to use memory backing with memfd.

      Please provide the package NVR for which the bug is seen:

      host
      kernel-6.11.0-0.rc5.22.el10.s390x
      qemu-kvm-9.1.0-1.el10.s390x
      libvirt-10.5.0-5.el10.s390x

      guest
      kernel-6.11.0-0.rc5.22.el10.s390x

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Set memory backing 
        <memoryBacking><source type="file"/><access mode="shared"/></memoryBacking>

        on a VM with

        <launchSecurity type="s390-pv"/>

        The VM has sufficient memory of 2GB.

      1. Start VM

      Expected results

      The VM boots correctly. I can log in.

      Actual results

      The boot sequence gets stuck very early:

      Escape character is ^] (Ctrl + ])
LOADPARM=[        ]
Using virtio-blk.
Using SCSI scheme.
.........................................................................................................................

      Additional notes

      1. When SE was introduced virtiofs was not supported. At some point we got it from upstream. For SE we only run a critical subset of known test cases. Therefore we only covered //source@type=file in the past.
      2. There are three memory backing types: memfd, file, hugepages. On 9.5 memfd and file worked, hugepages never worked, but there's an additional line in the guest output: 
        Escape character is ^] (Ctrl + ])
LOADPARM=[        ]
Using virtio-blk.
Using SCSI scheme.
.........................................................................................................................
Protected boot has failed: 0xa02
      1. From the following two test cases, only the 'memfd_backed' now passes on 10.0.beta: 
        JOB ID     : ffab891ab8f7015665bc7c0a848332fffeaf90e2
JOB LOG    : /var/log/avocado/job-results/job-2024-09-10T09.17-ffab891/job.log
 (1/2) type_specific.io-github-autotest-libvirt.virtual_devices.filesystem_device.positive_test.file_backed.nop.fs_test.xattr_on.cache_mode_auto.thread_pool_noset.one_fs.one_guest: PASS (26.22 s)
 (2/2) type_specific.io-github-autotest-libvirt.virtual_devices.filesystem_device.positive_test.memfd_backed.nop.fs_test.xattr_on.cache_mode_auto.thread_pool_noset.one_fs.one_guest: PASS (24.33 s)
RESULTS    : PASS 2 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB HTML   : /var/log/avocado/job-results/job-2024-09-10T09.17-ffab891/results.html
JOB TIME   : 50.98 s
      2. I noticed when the VM is stuck as described with type=file, I can't even take a memory dump (virsh dump --memory-only).
      3. Libvirt starts the file backed VM with qemu cmdline 
        -machine s390-ccw-virtio-rhel9.4.0,usb=off,dump-guest-core=off,memory-backend=s390.ram,confidential-guest-support=lsec0  -object {"qom-type":"memory-backend-file","id":"s390.ram","mem-path":"/var/lib/libvirt/qemu/ram/1-avocado-vt-vm1/s390.ram","share":true,"x-use-canonical-path-for-ramblock-id":false,"size":1073741824}

        .

        1. kvm-uv.sprintf.log
          3 kB
        2. kvm-pid.sprintf.log
          12 kB
        3. audit.log
          11 kB

              rhn-support-xuma Xujun Ma
              smitterl@redhat.com Sebastian Mitterle
              David Hildenbrand David Hildenbrand
              Leo Fu Leo Fu
              Jiří Herrmann Jiří Herrmann
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

                Created:
                Updated: