It is easy to create only self-referential refblocks, but there are
cases where that is impossible. This adds a test for two of those cases
(combined in a single test case).
Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1417798412-15330-1-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1423598552-24301-3-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
When choosing a new place for the refcount table, alloc_refcount_block()
tries to infer the number of clusters used so far from its argument
cluster_index (which comes from the idea that if any cluster with an
index greater than cluster_index was in use, the refcount table would
have to be big enough already to describe cluster_index).
However, there is a cluster that may be at or after cluster_index, and
which is not covered by the refcount structures, and that is the new
refcount block new_block. Therefore, it should be taken into account for
the blocks_used calculation.
Also, because new_block already describes (or is intended to describe)
cluster_index, we may not put the new refcount structures there.
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1423598552-24301-2-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
qerror_report_err() is a transitional interface to help with
converting existing monitor commands to QMP. It should not be used
elsewhere. Replace by error_report_err().
Commit 6936f29 cleaned that up in qemu-img.c, but two calls have crept
in since. Take care of them the same way.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Error classes are a leftover from the days of "rich" error objects.
New code should always use ERROR_CLASS_GENERIC_ERROR. Commit e246211
added a use of ERROR_CLASS_DEVICE_NOT_FOUND. Replace it.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
We've steered users away from QCOW/QCOW2 encryption for a while,
because it's a flawed design (commit 136cd19 Describe flaws in
qcow/qcow2 encryption in the docs).
In addition to flawed crypto, we have comically bad usability, and
plain old bugs. Let me show you.
= Example images =
I'm going to use a raw image as backing file, and two QCOW2 images,
one encrypted, and one not:
$ qemu-img create -f raw backing.img 4m
Formatting 'backing.img', fmt=raw size=4194304
$ qemu-img create -f qcow2 -o encryption,backing_file=backing.img,backing_fmt=raw geheim.qcow2 4m
Formatting 'geheim.qcow2', fmt=qcow2 size=4194304 backing_file='backing.img' backing_fmt='raw' encryption=on cluster_size=65536 lazy_refcounts=off
$ qemu-img create -f qcow2 -o backing_file=backing.img,backing_fmt=raw normal.qcow2 4m
Formatting 'normal.qcow2', fmt=qcow2 size=4194304 backing_file='backing.img' backing_fmt='raw' encryption=off cluster_size=65536 lazy_refcounts=off
= Usability issues =
== Confusing startup ==
When no image is encrypted, and you don't give -S, QEMU starts the
guest immediately:
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio normal.qcow2
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) info status
VM status: running
But as soon as there's an encrypted image in play, the guest is *not*
started, with no notification whatsoever:
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) info status
VM status: paused (prelaunch)
If the user figured out that he needs to type "cont" to enter his
keys, the confusion enters the next level: "cont" asks for at most
*one* key. If more are needed, it then silently does nothing. The
user has to type "cont" once per encrypted image:
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio -drive if=none,file=geheim.qcow2 -drive if=none,file=geheim.qcow2
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) info status
VM status: paused (prelaunch)
(qemu) c
none0 (geheim.qcow2) is encrypted.
Password: ******
(qemu) info status
VM status: paused (prelaunch)
(qemu) c
none1 (geheim.qcow2) is encrypted.
Password: ******
(qemu) info status
VM status: running
== Incorrect passwords not caught ==
All existing encryption schemes give you the GIGO treatment: garbage
password in, garbage data out. Guests usually refuse to mount
garbage, but other usage is prone to data loss.
== Need to stop the guest to add an encrypted image ==
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) info status
VM status: running
(qemu) drive_add "" if=none,file=geheim.qcow2
Guest must be stopped for opening of encrypted image
(qemu) stop
(qemu) drive_add "" if=none,file=geheim.qcow2
OK
Commit c3adb58 added this restriction. Before, we could expose images
lacking an encryption key to guests, with potentially catastrophic
results. See also "Use without key is not always caught".
= Bugs =
== Use without key is not always caught ==
Encrypted images can be in an intermediate state "opened, but no key".
The weird startup behavior and the need to stop the guest are there to
ensure the guest isn't exposed to that state. But other things still
are!
* drive_backup
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) drive_backup -f ide0-hd0 out.img raw
Formatting 'out.img', fmt=raw size=4194304
I guess this writes encrypted data to raw image out.img. Good luck
with figuring out how to decrypt that again.
* commit
$ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
QEMU 2.2.50 monitor - type 'help' for more information
(qemu) commit ide0-hd0
I guess this writes encrypted data into the unencrypted raw backing
image, effectively destroying it.
== QMP device_add of usb-storage fails when it shouldn't ==
When the image is encrypted, device_add creates the device, defers
actually attaching it to when the key becomes available, then fails.
This is wrong. device_add must either create the device and succeed,
or do nothing and fail.
$ qemu-system-x86_64 -nodefaults -display none -usb -qmp stdio -drive if=none,id=foo,file=geheim.qcow2
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 2, "major": 2}, "package": ""}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device_add", "arguments": { "driver": "usb-storage", "id": "bar", "drive": "foo" } }
{"error": {"class": "DeviceEncrypted", "desc": "'foo' (geheim.qcow2) is encrypted"}}
{"execute":"device_del","arguments": { "id": "bar" } }
{"timestamp": {"seconds": 1426003440, "microseconds": 237181}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/bar/bar.0/legacy[0]"}}
{"timestamp": {"seconds": 1426003440, "microseconds": 238231}, "event": "DEVICE_DELETED", "data": {"device": "bar", "path": "/machine/peripheral/bar"}}
{"return": {}}
This stuff is worse than useless, it's a trap for users.
If people become sufficiently interested in encrypted images to
contribute a cryptographically sane implementation for QCOW2 (or
whatever other format), then rewriting the necessary support around it
from scratch will likely be easier and yield better results than
fixing up the existing mess.
Let's deprecate the mess now, drop it after a grace period, and move
on.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Commit c4bacaf improved error reporting, but neglected to update
051.out. Commit 2726958 tried to redress, but didn't get it quite
right (punctuation difference), and shortly after commit
ae071cc..master improved error reporting some more, neglecting 051.out
some more. Sorry!
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* fix handling of execute-never bits in page table walks
* tell kernel to initialize KVM GIC in realize function
* fix handling of STM (user) with r15 in register list
* ignore low bit of PC in M-profile exception return
* fix linux-user get/set_tls syscalls on CPUs with TZ
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJVBs7oAAoJEDwlJe0UNgzeyFMP/Re3884RXnk5Mc9+57mwJOCh
NjVOiNskvFWwSxmOBWK0Zestr1MWp9zsnr27dj6wu9EqIlSTLbknl8ttnHnHdSrj
C21mD3H/1DXmQyIysHa3g61BQAuOU9UGgG8PSgK6z8IFM7x0+ntcyEzR8BL2qjHU
9YyvENrmbbVaY8/YfvAdqs0d4mp6RVwzPrb/t35CkX0nI2rgGX+wNTsqH/UCIpNb
eD1YeSaUJnaxODhZlZUcTR/D7wAzUmPtp7Le5qwMSH4jm6LTPSAQ2B5WFAfLodGO
Tpb8sXUAAJymnLOjPchYACEH/tS+yLTN40aTYXgq/sc7b6uCwRvEfZzVjJ3cn6Cf
ZEtP2ZwevzS2Uy17tfYs6fxgAdh07dB/lUif5lCg5tvlYa531HhH1uq0QplSxhDR
/uXvl8Q/tAVXLnWDh0uydZ7NuqEv7P+25feL7sAT5I/VUWgYCs3RhwE1lU1JMwih
yMKipD93bg+z7PqtOW/GHjIKyai7yTKhaVNS+BGZaqOIfqWSTFJ0NPFK0SK67kou
+38OMHtORaAnKGFbkBnJQGVjHTgzWPol9r1KuVgsa5zZvhDtNGNhk0A0xLil/Qkh
jwj1O5y+xtYI+JXIDucbcEySwL/RpzEOSKbd7OTsmTVNqhKqoomKUy5e0w/zG1v6
RFuUdUzabLTzT3uqwL+I
=uK1h
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20150316' into staging
target-arm queue:
* fix handling of execute-never bits in page table walks
* tell kernel to initialize KVM GIC in realize function
* fix handling of STM (user) with r15 in register list
* ignore low bit of PC in M-profile exception return
* fix linux-user get/set_tls syscalls on CPUs with TZ
# gpg: Signature made Mon Mar 16 12:39:04 2015 GMT using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
* remotes/pmaydell/tags/pull-target-arm-20150316:
linux-user: Access correct register for get/set_tls syscalls on ARM TZ CPUs
target-arm: Ignore low bit of PC in M-profile exception return
target-arm: Fix handling of STM (user) with r15 in register list
hw/intc/arm_gic: Initialize the vgic in the realize function
target-arm: get_phys_addr_lpae: more xn control
target-arm: fix get_phys_addr_v6/SCTLR_AFE access check
target-arm: convert check_ap to ap_to_rw_prot
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* remotes/kvaneesh/for-upstream:
virtio: Fix memory leaks reported by Coverity
virtfs-proxy: Fix possible overflow
fsdev/virtfs-proxy-helper: Fix improper use of negative value
hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access
9pfs-proxy: tiny cleanups in proxy_pwritev and proxy_preadv
9pfs-local: simplify/optimize local_mapped_attr_path()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When support was added for TrustZone to ARM CPU emulation, we failed
to correctly update the support for the linux-user implementation of
the get/set_tls syscalls. This meant that accesses to the TPIDRURO
register via the syscalls were always using the non-secure copy of
the register even if native MRC/MCR accesses were using the secure
register. This inconsistency caused most binaries to segfault on startup
if the CPU type was explicitly set to one of the TZ-enabled ones like
cortex-a15. (The default "any" CPU doesn't have TZ enabled and so is
not affected.)
Use access_secure_reg() to determine whether we should be using
the secure or the nonsecure copy of TPIDRURO when emulating these
syscalls.
Signed-off-by: Mikhail Ilyin <m.ilin@samsung.com>
Message-id: 1426505198-2411-1-git-send-email-m.ilin@samsung.com
[PMM: rewrote commit message to more clearly explain the issue
and its consequences.]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
For the ARM M-profile cores, exception return pops various registers
including the PC from the stack. The architecture defines that if the
lowest bit in the new PC value is set (ie the PC is not halfword
aligned) then behaviour is UNPREDICTABLE. In practice hardware
implementations seem to simply ignore the low bit, and some buggy
RTOSes incorrectly rely on this. QEMU's behaviour was architecturally
permitted, but bringing QEMU into line with the hardware behaviour
allows more guest code to run. We log the situation as a guest error.
This was reported as LP:1428657.
Reported-by: Anders Esbensen <anders@lyes.dk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The A32 encoding of LDM distinguishes LDM (user) from LDM (exception
return) based on whether r15 is in the register list. However for
STM (user) there is no equivalent distinction. We were incorrectly
treating "r15 in list" as indicating exception return for both LDM
and STM, with the result that an STM (user) involving r15 went into
an infinite loop. Fix this; note that the value stored for r15
in this case is the current PC regardless of our current mode.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426015125-5521-1-git-send-email-peter.maydell@linaro.org
This patch forces vgic initialization in the vgic realize function.
It uses a new group/attribute that allows such operation:
KVM_DEV_ARM_VGIC_GRP_CTRL/KVM_DEV_ARM_VGIC_CTRL_INIT
This earlier initialization allows, for example, to setup VFIO
signaling and irqfd after vgic initialization, on a reset notifier.
Signed-off-by: Eric Auger <eric.auger@linaro.org>
Message-id: 1426094226-8515-1-git-send-email-eric.auger@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This patch makes the following changes to the determination of
whether an address is executable, when translating addresses
using LPAE.
1. No longer assumes that PL0 can't execute when it can't read.
It can in AArch64, a difference from AArch32.
2. Use va_size == 64 to determine we're in AArch64, rather than
arm_feature(env, ARM_FEATURE_V8), which is insufficient.
3. Add additional XN determinants
- NS && is_secure && (SCR & SCR_SIF)
- WXN && (prot & PAGE_WRITE)
- AArch64: (prot_PL0 & PAGE_WRITE)
- AArch32: UWXN && (prot_PL0 & PAGE_WRITE)
- XN determination should also work in secure mode (untested)
- XN may even work in EL2 (currently impossible to test)
4. Cleans up the bloated PAGE_EXEC condition - by removing it.
The helper get_S1prot is introduced. It may even work in EL2,
when support for that comes, but, as the function name implies,
it only works for stage 1 translations.
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 1426099139-14463-4-git-send-email-drjones@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Introduce simple_ap_to_rw_prot(), which has the same behavior as
ap_to_rw_prot(), but takes the 2-bit simple AP[2:1] instead of
the 3-bit AP[2:0]. Use this in get_phys_addr_v6 when SCTLR_AFE
is set, as that bit indicates we should be using the simple AP
format.
It's unlikely this path is getting used. I don't see CR_AFE
getting used by Linux, so possibly not. If it had been, then
the check would have been wrong for all but AP[2:1] = 0b11.
Anyway, this should fix it up, in case it ever does get used.
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426099139-14463-3-git-send-email-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Instead of mixing access permission checking with access permissions
to page protection flags translation, just do the translation, and
leave it to the caller to check the protection flags against the access
type. Also rename to ap_to_rw_prot to better describe the new behavior.
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426099139-14463-2-git-send-email-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
- handle TOD clock during migration
- CPACF key wrap options
- limit amount of pci device code we build
- ensure big endian accesses for ccws
- various fixes and cleanups
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJVBqoIAAoJEN7Pa5PG8C+v1XQP/2eZN3Ok9XjpHS/+tGSKcS7k
1UIFffWRoez5bcBez6EMaenOeI6PbBGX/6V+MRmdDCjijcvxcTYeXjbhOOLAmEaN
ByKLEOVKkuYTKn3jdffWa9wU9f0tyAqeRs2wJPGFUtYEQ/mxR+A4zJAXFJPzr+ZU
RoghwK7ii7CACsarVKShQSVvfj33Ick3f1t3bB031Rq4yBdPP+fubKBp4DyYgPui
fU5NpkPDcblBfXTnwqOeCgxCR6JF9KuEvLsiGgb62zZrXcu/1kluROEUkgBSxdBs
DLui2plFbx7RYxzJIH+wOl3ENwhbuPg54hXSd1JVFDBA4kiDepTjRzo3fcLzBHZZ
PLf6Awf7xCmJluwHwlv9rkkNCJiGKabiI2vmQ+G8uIXMR23VGjuNKcOy2ugPX0RJ
/dyn9to44TWpyc9uVmMTQh7qTx4wJbw8FjqJOlMObeswUwwjAWYVKa+Kwk/bur0H
FFCHrqgrmPobI0x0xgYznKojJkZ/cHr7FkJTGrYxk05vu7wPV2mkBXxN9uVq9F0e
byTk3/IrBtDdj1UlLHJLGfRrleLMFkRb74FqvFYAOZlg8K5z0hXIoZiV10V6QEVU
dFD//CFPCO3KxeB8Mcak6osO2thEScNZurq3x5QrebeMUW7gwAwDYvzT8OPdmqR9
yLmGZ8KJ8pE5OVzW23Yq
=wS11
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150316' into staging
Final batch of s390x enhancements/fixes for 2.3:
- handle TOD clock during migration
- CPACF key wrap options
- limit amount of pci device code we build
- ensure big endian accesses for ccws
- various fixes and cleanups
# gpg: Signature made Mon Mar 16 10:01:44 2015 GMT using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
* remotes/cohuck/tags/s390x-20150316:
s390x/config: Do not include full pci.mak
s390x/pci: fix length in sei_nt2 event
s390x/ipl: remove dead code
s390x/virtio-bus: Remove unused function s390_virtio_bus_console()
s390x: CPACF: Handle key wrap machine options
s390x/kvm: make use of generic vm attribute check
kvm: encapsulate HAS_DEVICE for vm attrs
virtio-ccw: assure BE accesses
s390x/kvm: Guest Migration TOD clock synchronization
s390x: Replace unchecked qdev_init() by qdev_init_nofail()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVA0PlAAoJEK0ScMxN0CebQcsIAJDr/1Vg0iRhxPaH5ZlsEq68
VemwuXJ4pu+W96wtUIZlV/Gy6lYfHxxNxveQcrsycYiIKOgjmsuVvf16yN4v81Y0
l6ue+mQPjl8UTD1ky3VCHBZzZr3TAju6jhbXEbXVBAT+gm+rJYXiOfWTJK2TVoNb
7FvITuQIatUN29zfT+fEINUUeCxnJbmauOvRjmWLwsj7WRC+TnYqj+RI3+dr85al
HLs5AkZou5hCL7BKW7EQXKYzXcMvP5f/aXD4ETebrSbdGldy/Rb6Bxe6d0V9yqtB
rQunvNu92jGiDgE3Da2VGZMkt7/KleiuqMHlJtS7RuVcRbgz+SZeu5a4AnQNfWA=
=oPMh
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/rth/tags/tcg-pull-20150313' into staging
Pool TCG data, and ALWAYS/NEVER fix
# gpg: Signature made Fri Mar 13 20:09:09 2015 GMT using RSA key ID 4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg: aka "Richard Henderson <rth@redhat.com>"
# gpg: aka "Richard Henderson <rth@twiddle.net>"
* remotes/rth/tags/tcg-pull-20150313:
tcg: Complete handling of ALWAYS and NEVER
tcg: Use tcg_malloc to allocate TCGLabel
tcg: Change generator-side labels to a pointer
tcg: Change translator-side labels to a pointer
tcg-ia64: Use tcg_malloc to allocate TCGLabelQemuLdst
tcg: Use tcg_malloc to allocate TCGLabelQemuLdst
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
pci.mak includes a lot of devices - and most of them do not make
sense on s390x, like USB controllers or audio cards. These devices
also show up when running "qemu-system-s390x -device help" and thus
could raise the hope for the users that they could use these kind
of devices with qemu-system-s390x. To avoid this confusion, we
should not include pci.mak and rather include the bare minimum
manually instead.
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Acked-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Message-Id: <1426169954-6062-1-git-send-email-thuth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
The sei_nt2 event must contain the length of the event.
Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-7-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
load_image_targphys already checks the max size and will return
an error code. So the follow-on check will never trigger.
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-6-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
The function s390_virtio_bus_console() is completely unused and thus
can be removed safely.
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-5-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Check for the aes_key_wrap and dea_key_wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.
This patch introduces two new machine options for indicating the state of
AES/DEA key wrapping functions. This controls whether the guest will
have access to the AES/DEA crypto functions.
aes_key_wrap="on | off" is changed to aes-key-wrap="on | off"
dea_key_wrap="on | off" is changed to dea-key-wrap="on | off"
Check for the aes-key-wrap and dea-key-wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-4-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
By using the new introduced generic interface we
can remove redundancies and clean up.
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Suggested-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-3-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
More and more virtual machine specifics between kvm and qemu will be
transferred with vm attributes.
So we encapsulate the common logic in a generic function.
Additionally we need only to check during initialization if kvm supports
virtual machine attributes.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-2-git-send-email-jfrei@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
All fields in structures transmitted by ccws are big endian; assure
we handle them as such.
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Message-Id: <1426067871-17693-2-git-send-email-cornelia.huck@de.ibm.com>
Synchronizes the guest TOD clock across a migration by sending the guest TOD
clock value to the destination system. If the guest TOD clock is not preserved
across a migration then the guest's view of time will snap backwards if the
destination host clock is behind the source host clock. This will cause the
guest to hang immediately upon resuming on the destination system.
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1425912968-54387-1-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
s390_flic_init() is a helper to create and realize either
"s390-flic-kvm" or "s390-flic-qemu". When qdev_init() fails, it
complains to stderr and succeeds.
Except it can't actually fail, because the "s390-flic-qemu" is a dummy
without a realize method, and "s390-flic-kvm"'s realize can't fail,
even when the kernel device is really unavailable. Odd.
Replace qdev_init() by qdev_init_nofail() to make "can't fail" locally
obvious, and get rid of the unreachable error reporting.
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Message-Id: <1423128889-18260-4-git-send-email-armbru@redhat.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Carries two bugfixes and support for multiple pci root buses.
git shortlog rel-1.8.0..rel-1.8.1
=================================
Ameya Palande (1):
x86: add barrier to read{b,w,l} and write{b,w,l} functions
Kevin O'Connor (1):
smp: Fix smp race introduced in 0673b787
Marcel Apfelbaum (2):
fw/pci: scan all buses if extraroots romfile is present
fw/pci: map memory and IO regions for multiple pci root buses
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
All four leaks are similar, so fix them in one patch.
Success path was not doing memory free.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
It's detected by coverity. The socket name specified
should fit in the sockadd_un.sun_path. If not abort.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Pre-allocating 512 of them per TB is a waste.
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>
This is less about improved type checking than enabling a
subsequent change to the representation of labels.
Acked-by: Claudio Fontana <claudio.fontana@huawei.com>
Tested-by: Claudio Fontana <claudio.fontana@huawei.com>
Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>
This is improved type checking for the translators -- it's no longer
possible to accidentally swap arguments to the branch functions.
Note that the code generating backends still manipulate labels as int.
With notable exceptions, the scope of the change is just a few lines
for each target, so it's not worth building extra machinery to do this
change in per-target increments.
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Cc: Michael Walle <michael@walle.cc>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Anthony Green <green@moxielogic.com>
Cc: Jia Liu <proljc@gmail.com>
Cc: Alexander Graf <agraf@suse.de>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Pre-allocating 640 of them per TB is a waste.
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>
A couple of #ifdef changes necessary to use NetBSD's ucontext
structs on sparc64 and arm.
Signed-off-by: Tobias Nygren <tnn@NetBSD.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1425591461-17550-1-git-send-email-tnn@NetBSD.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Test behaviour of timers and interrupts related to timeouts.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1420742303-3030-1-git-send-email-freddy77@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fam Zheng
Max Reitz
Markus Armbruster
Peter Maydell
Mikhail Ilyin
Eric Auger
Andrew Jones
Thomas Huth
Frank Blaschka
Dominik Dingel
Tony Krowiak
Cornelia Huck
Jason J. Herne
Gerd Hoffmann
Stefan Weil
Shannon Zhao
Richard Henderson
Tobias Nygren
Mark Cave-Ayland
Frediano Ziglio