2022-07-26 22:20:51 |
Juro Bystricky |
bug |
|
|
added bug |
2022-07-27 04:02:34 |
Juro Bystricky |
attachment added |
|
Patches and a sample VM xml file. https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1982896/+attachment/5605471/+files/referenced-files.zip |
|
2022-07-27 10:32:06 |
Christian Ehrhardt |
tags |
libvirt sgx |
libvirt libvirt-22.10 sgx |
|
2022-07-27 10:38:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Jammy |
|
2022-07-27 10:38:35 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Jammy) |
|
2022-07-27 10:38:40 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): status |
New |
Triaged |
|
2022-07-27 10:38:41 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Triaged |
|
2022-07-27 10:38:43 |
Christian Ehrhardt |
libvirt (Ubuntu): importance |
Undecided |
High |
|
2022-07-27 10:38:45 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2022-08-12 06:24:10 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
In Progress |
|
2022-08-12 06:24:13 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
2022-08-12 06:24:36 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2022-08-22 16:27:39 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
2022-08-22 16:27:39 |
Launchpad Janitor |
cve linked |
|
2022-0897 |
|
2023-04-19 08:12:43 |
Christian Ehrhardt |
tags |
libvirt libvirt-22.10 sgx |
libvirt libvirt-22.10 server-todo sgx |
|
2023-04-26 12:37:13 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/libvirt/+git/libvirt/+merge/441945 |
|
2023-04-26 14:58:52 |
Michał Małoszewski |
libvirt (Ubuntu Jammy): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2023-07-27 19:51:14 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/libvirt/+git/libvirt/+merge/441945 |
|
|
2023-07-28 13:01:53 |
Michał Małoszewski |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/libvirt/+git/libvirt/+merge/441945 |
|
2023-07-28 13:06:58 |
Michał Małoszewski |
libvirt (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2023-08-02 15:25:28 |
Juro Bystricky |
attachment added |
|
Screenshot from 2023-08-02 08-14-17.png https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1982896/+attachment/5690006/+files/Screenshot%20from%202023-08-02%2008-14-17.png |
|
2023-08-04 10:28:14 |
Michał Małoszewski |
description |
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
Package: libvirt-daemon-system (8.0.0-1ubuntu7.1).
Note that Ubuntu kernel and qemu-system-x86_64 support SGX.
However, when attempting to launch a VM with SGX enabled, the following error is reported:
libvirt.libvirtError: internal error: unable to execute QEMU command 'qom-get': Property 'sgx-epc.unavailable-features' not found
This issue was fixed in libvirt 8.1. Please see the attached file for relevant patches.
Considering Ubuntu 22.04 is an LTS distribution, please back port the libvirt 8.1 SGX functionality to libvirt 8.0.0 (or upgrade the whole libvirt).
Being able to launch VMs with SGX support is a very important security feature.
=====
Steps to reproduce
1. Create a simple VM image:
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2
$ sudo cp CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 /var/lib/libvirt/images
$ virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 --root-password password:123456
2. Launch the VM (cs8-vm-sgx.xml is attached):
$ sudo virsh define cs8-vm-sgx.xml
Domain 'cs8-vm-sgx' defined from cs8-vm-sgx.xml
$ sudo virsh start cs8-vm-sgx |
[Impact]
* Users of libvirt reported an issue on Jammy while launching a VM where the SGX is enabled.
* This crash is caused by the code that was using 'QOM_CPU_PATH' macro and was not accepting the QOM path as an argument and moreover, the code that is querying the CPU flags via 'qom-get' did not have a valid QOM path to the vCPU, plus the fact that 'qemuProcessGetVCPUQOMPath' was not used properly. The fix is to change that behavior in some functions and moreover, move the call to qemuProcessRefreshCPU after the CPU probe.
[Test Plan]
You need to have a machine that supports SGX.
lxc launch ubuntu:22.04 test1
lxc shell test1
Install libvirt, libguestfs-tools, virt-manager.
Modify /etc/libvirt/qemu.conf, editing:
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm",
"/dev/rtc","/dev/hpet",
"/dev/sgx_enclave", "/dev/sgx_provision", "/dev/sgx_vepc"
]
user = "root"
security_driver = "none"
Start libvirtd:
$ sudo systemctl start libvirtd
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2
$ sudo mv CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 /var/lib/libvirt/images
$ sudo virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 --root-password password:123456
Edit cs8-vm-sgx.xml with the new qcow2 image name and launch the VM:
$ sudo virsh define cs8-vm-sgx1.xml
$ sudo virsh start cs8-vm-sgx1
Then open the running VM in virt-manager, log into CS8 VM and verify VM supports SGX.
Example of failed output:
The user is not able to launch a VM supporting SGX.
Example of successful output:
The user is able to launch a VM supporting SGX.
[Where problems could occur]
* The patch itself modifies mainly the monitor, domain and process files of qemu, so regressions should be limited to the behavior of managing qemu processes (start, stop, monitor) and affect functions and structures related to creating, managing and interacting with virtual machine domains using QEMU.
* Since the arguments of some functions are modified it can possibly affect the API in the future.
* Finally, since the patch modifies C code, issues typical of C code (segfaults, memory leaks, …) would be possible.
---------------------------------original report--------------------------
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
Package: libvirt-daemon-system (8.0.0-1ubuntu7.1).
Note that Ubuntu kernel and qemu-system-x86_64 support SGX.
However, when attempting to launch a VM with SGX enabled, the following error is reported:
libvirt.libvirtError: internal error: unable to execute QEMU command 'qom-get': Property 'sgx-epc.unavailable-features' not found
This issue was fixed in libvirt 8.1. Please see the attached file for relevant patches.
Considering Ubuntu 22.04 is an LTS distribution, please back port the libvirt 8.1 SGX functionality to libvirt 8.0.0 (or upgrade the whole libvirt).
Being able to launch VMs with SGX support is a very important security feature.
=====
Steps to reproduce
1. Create a simple VM image:
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2
$ sudo cp CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 /var/lib/libvirt/images
$ virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 --root-password password:123456
2. Launch the VM (cs8-vm-sgx.xml is attached):
$ sudo virsh define cs8-vm-sgx.xml
Domain 'cs8-vm-sgx' defined from cs8-vm-sgx.xml
$ sudo virsh start cs8-vm-sgx |
|
2023-08-09 21:42:46 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Lena Voytek |
2023-08-10 20:19:13 |
Michał Małoszewski |
description |
[Impact]
* Users of libvirt reported an issue on Jammy while launching a VM where the SGX is enabled.
* This crash is caused by the code that was using 'QOM_CPU_PATH' macro and was not accepting the QOM path as an argument and moreover, the code that is querying the CPU flags via 'qom-get' did not have a valid QOM path to the vCPU, plus the fact that 'qemuProcessGetVCPUQOMPath' was not used properly. The fix is to change that behavior in some functions and moreover, move the call to qemuProcessRefreshCPU after the CPU probe.
[Test Plan]
You need to have a machine that supports SGX.
lxc launch ubuntu:22.04 test1
lxc shell test1
Install libvirt, libguestfs-tools, virt-manager.
Modify /etc/libvirt/qemu.conf, editing:
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm",
"/dev/rtc","/dev/hpet",
"/dev/sgx_enclave", "/dev/sgx_provision", "/dev/sgx_vepc"
]
user = "root"
security_driver = "none"
Start libvirtd:
$ sudo systemctl start libvirtd
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2
$ sudo mv CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 /var/lib/libvirt/images
$ sudo virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 --root-password password:123456
Edit cs8-vm-sgx.xml with the new qcow2 image name and launch the VM:
$ sudo virsh define cs8-vm-sgx1.xml
$ sudo virsh start cs8-vm-sgx1
Then open the running VM in virt-manager, log into CS8 VM and verify VM supports SGX.
Example of failed output:
The user is not able to launch a VM supporting SGX.
Example of successful output:
The user is able to launch a VM supporting SGX.
[Where problems could occur]
* The patch itself modifies mainly the monitor, domain and process files of qemu, so regressions should be limited to the behavior of managing qemu processes (start, stop, monitor) and affect functions and structures related to creating, managing and interacting with virtual machine domains using QEMU.
* Since the arguments of some functions are modified it can possibly affect the API in the future.
* Finally, since the patch modifies C code, issues typical of C code (segfaults, memory leaks, …) would be possible.
---------------------------------original report--------------------------
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
Package: libvirt-daemon-system (8.0.0-1ubuntu7.1).
Note that Ubuntu kernel and qemu-system-x86_64 support SGX.
However, when attempting to launch a VM with SGX enabled, the following error is reported:
libvirt.libvirtError: internal error: unable to execute QEMU command 'qom-get': Property 'sgx-epc.unavailable-features' not found
This issue was fixed in libvirt 8.1. Please see the attached file for relevant patches.
Considering Ubuntu 22.04 is an LTS distribution, please back port the libvirt 8.1 SGX functionality to libvirt 8.0.0 (or upgrade the whole libvirt).
Being able to launch VMs with SGX support is a very important security feature.
=====
Steps to reproduce
1. Create a simple VM image:
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2
$ sudo cp CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 /var/lib/libvirt/images
$ virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 --root-password password:123456
2. Launch the VM (cs8-vm-sgx.xml is attached):
$ sudo virsh define cs8-vm-sgx.xml
Domain 'cs8-vm-sgx' defined from cs8-vm-sgx.xml
$ sudo virsh start cs8-vm-sgx |
[Impact]
* Users of libvirt reported an issue on Jammy while launching a VM where the SGX is enabled.
* This crash is caused by the code that was using 'QOM_CPU_PATH' macro and was not accepting the QOM path as an argument and moreover, the code that is querying the CPU flags via 'qom-get' did not have a valid QOM path to the vCPU, plus the fact that 'qemuProcessGetVCPUQOMPath' was not used properly. The fix is to change that behavior in some functions and moreover, move the call to qemuProcessRefreshCPU after the CPU probe.
[Test Plan]
You need to have a machine that supports SGX.
lxc launch ubuntu:22.04 test1
lxc shell test1
Install libvirt, libguestfs-tools, virt-manager.
Modify /etc/libvirt/qemu.conf, editing:
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm",
"/dev/rtc","/dev/hpet",
"/dev/sgx_enclave", "/dev/sgx_provision", "/dev/sgx_vepc"
]
user = "root"
security_driver = "none"
Start libvirtd:
$ sudo systemctl start libvirtd
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2
$ sudo mv CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 /var/lib/libvirt/images
$ sudo virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20230710.0.x86_64.qcow2 --root-password password:123456
Edit cs8-vm-sgx.xml with the new qcow2 image name and launch the VM:
$ sudo virsh define cs8-vm-sgx1.xml
$ sudo virsh start cs8-vm-sgx1
Then open the running VM in virt-manager, log into CS8 VM and verify VM supports SGX.
Example of failed output:
The user is not able to launch a VM supporting SGX.
Example of successful output:
The user is able to launch a VM supporting SGX.
[Where problems could occur]
* The patch itself modifies mainly the monitor, domain and process files of qemu, so regressions should be limited to the behavior of managing qemu processes (start, stop, monitor) and affect functions and structures related to creating, managing and interacting with virtual machine domains using QEMU.
* Finally, since the patch modifies C code, issues typical of C code (segfaults, memory leaks, …) would be possible.
---------------------------------original report--------------------------
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
Package: libvirt-daemon-system (8.0.0-1ubuntu7.1).
Note that Ubuntu kernel and qemu-system-x86_64 support SGX.
However, when attempting to launch a VM with SGX enabled, the following error is reported:
libvirt.libvirtError: internal error: unable to execute QEMU command 'qom-get': Property 'sgx-epc.unavailable-features' not found
This issue was fixed in libvirt 8.1. Please see the attached file for relevant patches.
Considering Ubuntu 22.04 is an LTS distribution, please back port the libvirt 8.1 SGX functionality to libvirt 8.0.0 (or upgrade the whole libvirt).
Being able to launch VMs with SGX support is a very important security feature.
=====
Steps to reproduce
1. Create a simple VM image:
$ wget https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2
$ sudo cp CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 /var/lib/libvirt/images
$ virt-customize -a /var/lib/libvirt/images/CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 --root-password password:123456
2. Launch the VM (cs8-vm-sgx.xml is attached):
$ sudo virsh define cs8-vm-sgx.xml
Domain 'cs8-vm-sgx' defined from cs8-vm-sgx.xml
$ sudo virsh start cs8-vm-sgx |
|
2023-08-10 21:37:22 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2023-08-10 21:42:24 |
Andreas Hasenack |
libvirt (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-08-10 21:42:25 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-08-10 21:42:26 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2023-08-10 21:42:30 |
Andreas Hasenack |
tags |
libvirt libvirt-22.10 server-todo sgx |
libvirt libvirt-22.10 server-todo sgx verification-needed verification-needed-jammy |
|
2023-09-19 06:12:35 |
Christian Ehrhardt |
tags |
libvirt libvirt-22.10 server-todo sgx verification-needed verification-needed-jammy |
libvirt libvirt-22.10 server-todo sgx verification-done verification-done-jammy |
|
2023-09-20 07:12:47 |
Launchpad Janitor |
libvirt (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-09-20 07:12:53 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|