aboutsummaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2019-07-19doc: document that the monitor console is a privileged control interfaceDaniel P. Berrangé
A supposed exploit of QEMU was recently announced as CVE-2019-12928 claiming that the monitor console was insecure because the "migrate" command enabled arbitrary command execution for a remote attacker. To be a security risk the user launching QEMU must have configured the monitor in a way that allows for other users to access it. The exploit report quoted use of the "tcp" character device backend for QMP. This would indeed allow any network user to connect to QEMU and execute arbitrary commands, however, this is not a flaw in QEMU. It is the normal expected behaviour of the monitor console and the commands it supports. Given a monitor connection, there are many ways to access host file system content besides the migrate command. The reality is that the monitor console (whether QMP or HMP) is considered a privileged interface to QEMU and as such must only be made available to trusted users. IOW, making it available with no authentication over TCP is simply a, very serious, user configuration error not a security flaw in QEMU itself. The one thing this bogus security report highlights though is that we have not clearly documented the security implications around the use of the monitor. Add a few paragraphs of text to the security docs explaining why the monitor is a privileged interface and making a recommendation to only use the UNIX socket character device backend. Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-10docs/bitmaps: use QMP lexer instead of jsonJohn Snow
The annotated style json we use in QMP documentation is not strict json and depending on the version of Sphinx (2.0+) or Pygments installed, might cause the build to fail. Use the new QMP lexer. Further, some versions of Sphinx can not apply custom lexers to "code" directives and require the use of "code-block" directives instead, so make that change at this time as well. Tested under: - Sphinx 1.3.6 and Pygments 2.4 - Sphinx 1.7.6 and Pygments 2.2 (Fedora 29 packages) - Sphinx 2.0.1 and Pygments 2.4 - Sphinx 3.0.0+/f396b3a783 and Pygments 2.4 (From Sphinx git c4f44bdd) Reported-by: Aarushi Mehta <mehta.aaru20@gmail.com> Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Message-id: 20190603214653.29369-4-jsnow@redhat.com Signed-off-by: John Snow <jsnow@redhat.com>
2019-07-10sphinx: add qmp_lexerJohn Snow
Sphinx, through Pygments, does not like annotated json examples very much. In some versions of Sphinx (1.7), it will render the non-json portions of code blocks in red, but in newer versions (2.0) it will throw an exception and not highlight the block at all. Though we can suppress this warning, it doesn't bring back highlighting on non-strict json blocks. We can alleviate this by creating a custom lexer for QMP examples that allows us to properly highlight these examples in a robust way, keeping our directionality and elision notations. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com> Reported-by: Aarushi Mehta <mehta.aaru20@gmail.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20190603214653.29369-3-jsnow@redhat.com Signed-off-by: John Snow <jsnow@redhat.com>
2019-07-10docs/interop/bitmaps.rst: Fix typosJohn Snow
Pygments and Sphinx get pickier all the time; Sphinx 2.1+ now catches these errors. Signed-off-by: John Snow <jsnow@redhat.com> Reported-by: Aarushi Mehta <mehta.aaru20@gmail.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-id: 20190603214653.29369-2-jsnow@redhat.com Signed-off-by: John Snow <jsnow@redhat.com>
2019-07-05Merge remote-tracking branch ↵Peter Maydell
'remotes/vivier2/tags/trivial-branch-pull-request' into staging Fix typo, change virtio-rng default to urandom # gpg: Signature made Wed 03 Jul 2019 16:24:53 BST # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/trivial-branch-pull-request: docs/devel/testing: Fix typo in dockerfile path VirtIO-RNG: Update default entropy source to `/dev/urandom` Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-07-05Merge remote-tracking branch ↵Peter Maydell
'remotes/stsquad/tags/pull-testing-next-050719-3' into staging Various testing fixes: - tests/vm updates and clean-ups - tests/vm serial autobuild on host (-netbsd v3) - ensure MacOS builds do "brew update" - ensure we test --static user builds - fix hyperv compile failure - fix missing var warning for OpenBSD (v2) This brings my testing back to green on all CI services. Please note the BSD installs will throw out some warnings during the setup phase. They shouldn't re-occur once the images are built. NetBSD has been dropped for now given slow install issues. # gpg: Signature made Fri 05 Jul 2019 11:15:21 BST # gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44 # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full] # Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44 * remotes/stsquad/tags/pull-testing-next-050719-3: migration: move port_attr inside CONFIG_LINUX target/i386: fix feature check in hyperv-stub.c Makefile: Rename the 'vm-test' target as 'vm-help' .travis.yml: force a brew update for MacOS builds .travis.yml: default the --disable-system build to --static tests/vm: ubuntu.i386: apt proxy setup tests/vm: fedora autoinstall, using serial console tests/vm: freebsd autoinstall, using serial console tests/vm: openbsd autoinstall, using serial console tests/vm: serial console support helpers tests/vm: add vm-boot-{ssh,serial}-<guest> targets tests/vm: proper guest shutdown tests/vm: run test builds on snapshot tests/vm: use ssh with pty unconditionally tests/vm: send proxy environment variables over ssh tests/vm: add source repos on ubuntu.i386 tests/vm: pin ubuntu.i386 image tests/vm: avoid image presence check and removal tests/vm: avoid extra compressed image copy Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-07-05Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
virtio, pc, pci: features, fixes, cleanups virtio-pmem support. libvhost user mq support. A bunch of fixes all over the place. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Thu 04 Jul 2019 22:00:49 BST # gpg: using RSA key 281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: (22 commits) docs: avoid vhost-user-net specifics in multiqueue section libvhost-user: implement VHOST_USER_PROTOCOL_F_MQ libvhost-user: support many virtqueues libvhost-user: add vmsg_set_reply_u64() helper pc: Move compat_apic_id_mode variable to PCMachineClass virtio: Don't change "started" flag on virtio_vmstate_change() virtio: Make sure we get correct state of device on handle_aio_output() virtio: Set "start_on_kick" on virtio_set_features() virtio: Set "start_on_kick" for legacy devices virtio: add "use-started" property virtio-pci: fix missing device properties pc: Support for virtio-pmem-pci numa: Handle virtio-pmem in NUMA stats hmp: Handle virtio-pmem when printing memory device infos virtio-pci: Proxy for virtio-pmem virtio-pmem: sync linux headers virtio-pci: Allow to specify additional interfaces for the base type virtio-pmem: add virtio device pcie: minor cleanups for slot control/status pcie: work around for racy guest init ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-07-04docs: avoid vhost-user-net specifics in multiqueue sectionStefan Hajnoczi
The "Multiple queue support" section makes references to vhost-user-net "queue pairs". This is confusing for two reasons: 1. This actually applies to all device types, not just vhost-user-net. 2. VHOST_USER_GET_QUEUE_NUM returns the number of virtqueues, not the number of queue pairs. Reword the section so that the vhost-user-net specific part is relegated to the very end: we acknowledge that vhost-user-net historically automatically enabled the first queue pair. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20190626074815.19994-5-stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-07-04Makefile: Rename the 'vm-test' target as 'vm-help'Philippe Mathieu-Daudé
We already have 'make check-help', use the 'make vm-help' form to display helps about VM testing. Keep the old target to not bother old customs. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Message-Id: <20190531064341.29730-1-philmd@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
2019-07-03docs/devel/testing: Fix typo in dockerfile pathLiam Merwick
Signed-off-by: Liam Merwick <liam.merwick@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-Id: <1561727317-30655-1-git-send-email-liam.merwick@oracle.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-07-02xics/spapr: Detect old KVM XICS on POWER9 hostsGreg Kurz
Older KVMs on POWER9 don't support destroying/recreating a KVM XICS device, which is required by 'dual' interrupt controller mode. This causes QEMU to emit a warning when the guest is rebooted and to fall back on XICS emulation: qemu-system-ppc64: warning: kernel_irqchip allowed but unavailable: Error on KVM_CREATE_DEVICE for XICS: File exists If kernel irqchip is required, QEMU will thus exit when the guest is first rebooted. Failing QEMU this late may be a painful experience for the user. Detect that and exit at machine init instead. Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <156044430517.125694.6207865998817342638.stgit@bahia.lab.toulouse-stg.fr.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-07-02docs: updates on the POWER9 XIVE interrupt controller documentationCédric Le Goater
This includes various small updates and a better description of the chosen interrupt mode resulting from the combination of the 'ic-mode' machine option, the 'kernel_irqchip' option, guest support and KVM support. Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20190612160425.27670-1-clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-06-24ssh: switch from libssh2 to libsshPino Toscano
Rewrite the implementation of the ssh block driver to use libssh instead of libssh2. The libssh library has various advantages over libssh2: - easier API for authentication (for example for using ssh-agent) - easier API for known_hosts handling - supports newer types of keys in known_hosts Use APIs/features available in libssh 0.8 conditionally, to support older versions (which are not recommended though). Adjust the iotest 207 according to the different error message, and to find the default key type for localhost (to properly compare the fingerprint with). Contributed-by: Max Reitz <mreitz@redhat.com> Adjust the various Docker/Travis scripts to use libssh when available instead of libssh2. The mingw/mxe testing is dropped for now, as there are no packages for it. Signed-off-by: Pino Toscano <ptoscano@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Acked-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20190620200840.17655-1-ptoscano@redhat.com Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 5873173.t2JhDm7DL7@lindworm.usersys.redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
2019-06-21i386/kvm: add support for Direct Mode for Hyper-V synthetic timersVitaly Kuznetsov
Hyper-V on KVM can only use Synthetic timers with Direct Mode (opting for an interrupt instead of VMBus message). This new capability is only announced in KVM_GET_SUPPORTED_HV_CPUID. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Message-Id: <20190517141924.19024-10-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-06-21i386/kvm: implement 'hv-passthrough' modeVitaly Kuznetsov
In many case we just want to give Windows guests all currently supported Hyper-V enlightenments and that's where this new mode may come handy. We pass through what was returned by KVM_GET_SUPPORTED_HV_CPUID. hv_cpuid_check_and_set() is modified to also set cpu->hyperv_* flags as we may want to check them later (and we actually do for hv_runtime, hv_synic,...). 'hv-passthrough' is a development only feature, a migration blocker is added to prevent issues while migrating between hosts with different feature sets. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Message-Id: <20190517141924.19024-6-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-06-21i386/kvm: document existing Hyper-V enlightenmentsVitaly Kuznetsov
Currently, there is no doc describing hv-* CPU flags, people are encouraged to get the information from Microsoft Hyper-V Top Level Functional specification (TLFS). There is, however, a bit of QEMU specifics. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Message-Id: <20190517141924.19024-5-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-06-17monitor: Move {hmp, qmp}.c to monitor/{hmp, qmp}-cmds.cKevin Wolf
Now that we have a monitor/ subdirectory, let's move hmp.c and qmp.c from the root directory there. As they contain implementations of monitor commands, rename them to {hmp,qmp}-cmds.c, so that {hmp,qmp}.c are free for the HMP and QMP infrastructure. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20190613153405.24769-9-kwolf@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2019-06-17Move monitor.c to monitor/misc.cKevin Wolf
Create a new monitor/ subdirectory and move monitor.c there. As the plan is to move the monitor core into separate files, use the chance to rename it to misc.c. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20190613153405.24769-8-kwolf@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2019-06-17docs: Build and install specs manualPeter Maydell
Now we have some rST format docs in the docs/specs/ manual, we should actually build and install it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Aleksandar Markovic <amarkovic@wavecomp.com> Message-id: 20190610152444.20859-3-peter.maydell@linaro.org
2019-06-17docs/specs/index.rst: Fix minor syntax issuesPeter Maydell
The docs/specs/index.rst has a couple of minor issues which we didn't notice because we weren't building the manual: * the ToC entry for the new PPC XIVE docs points to a nonexistent file * the initial comment needs to be marked by '..', not '.', or it will appear in the output * the title doesn't match the capitialization used by the existing interop or devel manuals, and uses 'full-system emulation' rather than the 'system emulation' that the interop manual title uses Fix these minor issues before we start trying to build the manual. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Acked-by: Aleksandar Markovic <amarkovic@wavecomp.com> Message-id: 20190610152444.20859-2-peter.maydell@linaro.org
2019-06-17Convert "translator internals" docs to RST, move to devel manualPeter Maydell
Our user-facing manual currently has a section "translator internals" which has some high-level information about the design of the TCG translator. This should really be in our new devel/ manual. Convert it to RST format and move it there. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20190607152827.18003-2-peter.maydell@linaro.org Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-06-16docs/vhost-user.json: some firmware.json copy leftoversMarc-André Lureau
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20190605131221.29432-1-marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-06-12qapi: Add feature flags to struct typesKevin Wolf
Sometimes, the behaviour of QEMU changes without a change in the QMP syntax (usually by allowing values or operations that previously resulted in an error). QMP clients may still need to know whether they can rely on the changed behavior. Let's add feature flags to the QAPI schema language, so that we can make such changes visible with schema introspection. An example for a schema definition using feature flags looks like this: { 'struct': 'TestType', 'data': { 'number': 'int' }, 'features': [ 'allow-negative-numbers' ] } Introspection information then looks like this: { "name": "TestType", "meta-type": "object", "members": [ { "name": "number", "type": "int" } ], "features": [ "allow-negative-numbers" ] } This patch implements feature flags only for struct types. We'll implement them more widely as needed. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20190606153803.5278-2-armbru@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2019-06-10cpu: Replace ENV_GET_CPU with env_cpuRichard Henderson
Now that we have both ArchCPU and CPUArchState, we can define this generically instead of via macro in each target's cpu.h. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2019-06-06docs/devel/build-system: Update an examplePhilippe Mathieu-Daudé
The default-configs/ example added in 717171bd2025 is no more accurate since fa212a2b8b60 (and various further other commits). The Kconfig build system is now in place. Use the aarch64-softmmu config as example. Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190529140504.21580-1-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-06-04block: Remove bdrv_set_aio_context()Kevin Wolf
All callers of bdrv_set_aio_context() are eliminated now, they have moved to bdrv_try_set_aio_context() and related safe functions. Remove bdrv_set_aio_context(). With this, we can now know that the .set_aio_ctx callback must be present in bdrv_set_aio_context_ignore() because bdrv_can_set_aio_context() would have returned false previously, so instead of checking the condition, we can assert it. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2019-05-30Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-4.1-20190529' ↵Peter Maydell
into staging ppc patch queue 2019-05-29 Next pull request against qemu-4.1. Highlights: * KVM accelerated support for the XIVE interrupt controller in PAPR guests * A number of TCG vector fixes * Fixes for the PReP / 40p machine * Improvements to make check-tcg test coverage Other than that it's just a bunch of assorted fixes, cleanups and minor improvements. This supersedes both the pull request dated 2019-05-21 and the one dated 2019-05-22. I've dropped one hunk which I think may have caused the check-tcg failure that Peter saw (by enabling the ppc64abi32 build, which I think has been broken for ages). I'm not entirely certain, since I haven't reproduced exactly the same failure. # gpg: Signature made Wed 29 May 2019 07:49:04 BST # gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full] # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full] # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full] # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown] # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-4.1-20190529: (44 commits) ppc/pnv: add dummy XSCOM registers for PRD initialization ppc/pnv: introduce new skiboot platform properties spapr: Don't migrate the hpt_maxpagesize cap to older machine types spapr: change default interrupt mode to 'dual' spapr/xive: fix multiple resets when using the 'dual' interrupt mode docs: provide documentation on the POWER9 XIVE interrupt controller spapr/irq: add KVM support to the 'dual' machine ppc/xics: fix irq priority in ics_set_irq_type() spapr/irq: initialize the IRQ device only once spapr/irq: introduce a spapr_irq_init_device() helper spapr: check for the activation of the KVM IRQ device spapr: introduce routines to delete the KVM IRQ device sysbus: add a sysbus_mmio_unmap() helper spapr/xive: activate KVM support spapr/xive: add migration support for KVM spapr/xive: introduce a VM state change handler spapr/xive: add state synchronization with KVM spapr/xive: add hcall support when under KVM spapr/xive: add KVM support spapr: Print out extra hints when CAS negotiation of interrupt mode fails ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-05-29vhost-user: add vhost_user_gpu_set_socket()Marc-André Lureau
Add a new vhost-user message to give a unix socket to a vhost-user backend for GPU display updates. Back when I started that work, I added a new GPU channel because the vhost-user protocol wasn't bidirectional. Since then, there is a vhost-user-slave channel for the slave to send requests to the master. We could extend it with GPU messages. However, the GPU protocol is quite orthogonal to vhost-user, thus I chose to have a new dedicated channel. See vhost-user-gpu.rst for the protocol details. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20190524130946.31736-2-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-29docs: provide documentation on the POWER9 XIVE interrupt controllerCédric Le Goater
This documents the overall XIVE architecture and the XIVE support for sPAPR guest machines (pseries). It also provides documentation on the 'info pic' command. Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20190521082411.24719-1-clg@kaod.org> Reviewed-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com> Reviewed-by: Greg Kurz <groug@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-05-21docs: recommend use of md-clear feature on all Intel CPUsDaniel P. Berrangé
Update x86 CPU model guidance to recommend that the md-clear feature is manually enabled with all Intel CPU models, when supported by the host microcode. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20190515141011.5315-3-berrange@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-05-20docs: reST-ify vhost-user documentationMarc-André Lureau
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20190315180735.13096-1-marcandre.lureau@redhat.com> Reviewed-by: Jens Freimann <jfreimann@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-05-13Makefile: Fix inclusion of the config-devices.mak.d Kconfig dependenciesThomas Huth
The Makefile tries to include device Kconfig dependencies via -include $(SUBDIR_DEVICES_MAK_DEP) and thus expects files that match *-softmmu/config-devices.mak.d ... however, the minikconf script currently generates files a la "*-softmmu-config.devices.mak.d" instead, so the dependency files simply got ignored so far. For example, after a "touch hw/arm/Kconfig", the arm-softmmu/config-devices.mak file is currently not re-generated. Fix it by putting the dependency files in the *-softmmu folders now. Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2019-05-10docs: add Security chapter to the documentationStefan Hajnoczi
This new chapter in the QEMU documentation covers the security requirements that QEMU is designed to meet and principles for securely deploying QEMU. It is just a starting point that can be extended in the future with more information. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-id: 20190509121820.16294-3-stefanha@redhat.com Message-Id: <20190509121820.16294-3-stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-05-10docs: add Secure Coding Practices to developer docsStefan Hajnoczi
At KVM Forum 2018 I gave a presentation on security in QEMU: https://www.youtube.com/watch?v=YAdRf_hwxU8 (video) https://vmsplice.net/~stefan/stefanha-kvm-forum-2018.pdf (slides) This patch adds a guide to secure coding practices. This document covers things that developers should know about security in QEMU. It is just a starting point that we can expand on later. I hope it will be useful as a resource for new contributors and will save code reviewers from explaining the same concepts many times. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-id: 20190509121820.16294-2-stefanha@redhat.com Message-Id: <20190509121820.16294-2-stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-05-02tests/acceptance: look for target architecture in test tags firstCleber Rosa
A test can, optionally, be tagged for one or many architectures. If a test has been tagged for a single architecture, there's a high chance that the test won't run on other architectures. This changes the default order of choosing a default target architecture to use based on the 'arch' tag value first. The precedence order is for choosing a QEMU binary to use for a test is now: * qemu_bin parameter * arch parameter * arch tag value (for example, x86_64 if ":avocado: tags=arch:x86_64 is used) This means that if one runs: $ avocado run -p qemu_bin=/usr/bin/qemu-system-x86_64 test.py No arch parameter or tag will influence the selection of the QEMU target binary. If one runs: $ avocado run -p arch=ppc64 test.py The target binary selection mechanism will attempt to find a binary such as "ppc64-softmmu/qemu-system-ppc64". And finally, if one runs a test that is tagged (in its docstring) with "arch:aarch64": $ avocado run aarch64.py The target binary selection mechanism will attempt to find a binary such as "aarch64-softmmu/qemu-system-aarch64". At this time, no provision is made to cancel the execution of tests if the arch parameter given (manually) does not match the test "arch" tag, but it may be a useful default behavior to be added in the future. Signed-off-by: Cleber Rosa <crosa@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20190312171824.5134-7-crosa@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-05-02tests/acceptance: introduce arch parameter and attributeCleber Rosa
It's useful to define the architecture that should be used in situations such as: * the intended target of the QEMU binary to be used on tests * the architecture of code to be run within the QEMU binary, such as a kernel image or a full blown guest OS image This commit introduces both a test parameter and a test instance attribute, that will contain such a value. Now, when the "arch" test parameter is given, it will influence the selection of the default QEMU binary, if one is not given explicitly by means of the "qemu_img" parameter. Signed-off-by: Cleber Rosa <crosa@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20190312171824.5134-5-crosa@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-05-02tests/acceptance: fix doc reference to avocado_qemu directoryCleber Rosa
The "this directory" reference is misleading and confusing, it's a leftover from when this text was proposed in a README file inside the "tests/acceptance/avocado_qemu" directory. When that text was moved to the top level docs directory, the reference was not updated. Signed-off-by: Cleber Rosa <crosa@redhat.com> Reviewed-by: Caio Carrara <ccarrara@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20190312171824.5134-4-crosa@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-05-02Merge remote-tracking branch 'remotes/jnsnow/tags/bitmaps-pull-request' into ↵Peter Maydell
staging Pull request # gpg: Signature made Wed 01 May 2019 21:24:16 BST # gpg: using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" [full] # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/bitmaps-pull-request: docs/interop/bitmaps: rewrite and modernize doc Makefile: add nit-picky mode to sphinx-build Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-05-01docs/interop/bitmaps: rewrite and modernize docJohn Snow
This just about rewrites the entirety of the bitmaps.rst document to make it consistent with the 4.0 release. I have added new features seen in the 4.0 release, as well as tried to clarify some points that keep coming up when discussing this feature both in-house and upstream. It does not yet cover pull backups or migration details, but I intend to keep extending this document to cover those cases. Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-id: 20190426221528.30293-3-jsnow@redhat.com [Adjusted commit message. --js] Signed-off-by: John Snow <jsnow@redhat.com>
2019-04-26Merge remote-tracking branch ↵Peter Maydell
'remotes/ehabkost/tags/machine-next-pull-request' into staging Machine queue, 2019-04-25 * 4.1 machine-types (Cornelia Huck) * Support MAP_SYNC on pmem memory backends (Zhang Yi) * -cpu parsing fixes and cleanups (Eduardo Habkost) * machine initialization cleanups (Wei Yang, Markus Armbruster) # gpg: Signature made Thu 25 Apr 2019 18:54:57 BST # gpg: using RSA key 2807936F984DC5A6 # gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" [full] # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6 * remotes/ehabkost/tags/machine-next-pull-request: util/mmap-alloc: support MAP_SYNC in qemu_ram_mmap() linux-headers: add linux/mman.h. scripts/update-linux-headers: add linux/mman.h util/mmap-alloc: Add a 'is_pmem' parameter to qemu_ram_mmap cpu: Fix crash with empty -cpu option cpu: Rename parse_cpu_model() to parse_cpu_option() vl: Simplify machine_parse() vl: Clean up after previous commit vl.c: allocate TYPE_MACHINE list once during bootup vl.c: make find_default_machine() local hw: add compat machines for 4.1 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-04-25util/mmap-alloc: support MAP_SYNC in qemu_ram_mmap()Zhang Yi
When a file supporting DAX is used as vNVDIMM backend, mmap it with MAP_SYNC flag in addition which can ensure file system metadata synced in each guest writes to the backend file, without other QEMU actions (e.g., periodic fsync() by QEMU). Current, We have below different possible use cases: 1. pmem=on is set, shared=on is set, MAP_SYNC supported: a: backend is a dax supporting file. - MAP_SYNC will active. b: backend is not a dax supporting file. - mmap will trigger a warning. then MAP_SYNC flag will be ignored 2. The rest of cases: - we will never pass the MAP_SYNC to mmap2 Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com> Signed-off-by: Zhang Yi <yi.z.zhang@linux.intel.com> [ehabkost: Rebased patch to latest code on master] Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Wei Yang <richardw.yang@linux.intel.com> Tested-by: Wei Yang <richardw.yang@linux.intel.com> Message-Id: <20190422004849.26463-2-richardw.yang@linux.intel.com> [ehabkost: squashed documentation patch] Message-Id: <20190422004849.26463-3-richardw.yang@linux.intel.com> [ehabkost: documentation fixup] Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Pankaj Gupta <pagupta@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-04-12s390-bios: Support booting from real dasd deviceJason J. Herne
Allows guest to boot from a vfio configured real dasd device. Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <1554388475-18329-16-git-send-email-jjherne@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2019-03-20docs: add note about stibp CPU feature for spectre v2Daniel P. Berrangé
While the stibp CPU feature is not commonly used by guest OS for spectre mitigation due to its performance impact, it is none the less best practice to expose it to all guest OS. This allows the guest OS to decide whether to make use or it. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20190307121838.6345-3-berrange@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-03-20docs: clarify that spec-ctrl is only needed for Spectre v2Daniel P. Berrangé
The docs currently say that the spec-ctrl feature is needed for both Spectre variants, but it is only used to address Spectre v2. Also remove the note about retpolines. The guest OS is usually treated as a blackbox from host mgmt pov, so it won't have knowledge about use of retpolines and thus should unconditionally expose spec-ctrl, allowing the guest to decide whether to use it or not. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20190307121838.6345-2-berrange@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2019-03-13Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pci, pc, virtio: features, fixes, cleanups intel-iommu scalable option pcie acs emulation beginning for vhost-user-blk reconnect and of vhost-user backend work misc fixes and cleanups Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Wed 13 Mar 2019 02:52:02 GMT # gpg: using RSA key 281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: (26 commits) i386, acpi: check acpi_memory_hotplug capacity in pre_plug gen_pcie_root_port: Add ACS (Access Control Services) capability pcie: Add a simple PCIe ACS (Access Control Services) helper function vhost-user-blk: Add support to get/set inflight buffer libvhost-user: Support tracking inflight I/O in shared memory libvhost-user: Introduce vu_queue_map_desc() libvhost-user: Remove unnecessary FD flag check for event file descriptors vhost-user: Support transferring inflight buffer between qemu and backend nvdimm: use NVDIMM_ACPI_IO_LEN for the proper IO size nvdimm: use *function* directly instead of allocating it again nvdimm: fix typo in nvdimm_build_nvdimm_devices argument intel_iommu: add scalable-mode option to make scalable mode work intel_iommu: add 256 bits qi_desc support intel_iommu: scalable mode emulation libvhost-user: add vu_queue_unpop() libvhost-user-glib: export vug_source_new() vhost-user: split vhost_user_read() vhost-user: wrap some read/write with retry handling libvhost-user: exit by default on VHOST_USER_NONE vhost-user: simplify vhost_user_init/vhost_user_cleanup ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-03-13Merge remote-tracking branch 'remotes/jnsnow/tags/bitmaps-pull-request' into ↵Peter Maydell
staging Pull request # gpg: Signature made Tue 12 Mar 2019 20:23:08 GMT # gpg: using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" [full] # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/bitmaps-pull-request: (22 commits) tests/qemu-iotests: add bitmap resize test 246 block/qcow2-bitmap: Allow resizes with persistent bitmaps block/qcow2-bitmap: Don't check size for IN_USE bitmap docs/interop/qcow2: Improve bitmap flag in_use specification bitmaps: Fix typo in function name block/dirty-bitmaps: implement inconsistent bit block/dirty-bitmaps: disallow busy bitmaps as merge source block/dirty-bitmaps: prohibit removing readonly bitmaps block/dirty-bitmaps: prohibit readonly bitmaps for backups block/dirty-bitmaps: add block_dirty_bitmap_check function block/dirty-bitmap: add inconsistent status block/dirty-bitmaps: add inconsistent bit iotests: add busy/recording bit test to 124 blockdev: remove unused paio parameter documentation block/dirty-bitmaps: move comment block block/dirty-bitmaps: unify qmp_locked and user_locked calls block/dirty-bitmap: explicitly lock bitmaps with successors nbd: change error checking order for bitmaps block/dirty-bitmap: change semantics of enabled predicate block/dirty-bitmap: remove set/reset assertions against enabled bit ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org> # Conflicts: # tests/qemu-iotests/group
2019-03-12vhost-user: Support transferring inflight buffer between qemu and backendXie Yongji
This patch introduces two new messages VHOST_USER_GET_INFLIGHT_FD and VHOST_USER_SET_INFLIGHT_FD to support transferring a shared buffer between qemu and backend. Firstly, qemu uses VHOST_USER_GET_INFLIGHT_FD to get the shared buffer from backend. Then qemu should send it back through VHOST_USER_SET_INFLIGHT_FD each time we start vhost-user. This shared buffer is used to track inflight I/O by backend. Qemu should retrieve a new one when vm reset. Signed-off-by: Xie Yongji <xieyongji@baidu.com> Signed-off-by: Chai Wen <chaiwen@baidu.com> Signed-off-by: Zhang Yu <zhangyu31@baidu.com> Message-Id: <20190228085355.9614-2-xieyongji@baidu.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-03-12vhost-user: define conventions for vhost-user backendsMarc-André Lureau
As discussed during "[PATCH v4 00/29] vhost-user for input & GPU" review, let's define a common set of backend conventions to help with management layer implementation, and interoperability. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20190308140454.32437-3-marcandre.lureau@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-03-12decodetree: Allow grouping of overlapping patternsRichard Henderson
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2019-03-12decodetree: Document the usefulness of argument setsRichard Henderson
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>