Merge ~paelzer/ubuntu/+source/qemu:groovy-merge-pick-5.0-14 into ubuntu/+source/qemu:ubuntu/groovy-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: dab4e218ab8bff5e5b81393c08a9c7a1e3279edc
Merge reported by: Christian Ehrhardt 
Merged at revision: 1dea878593449839e9244d33abfd190673f46806
Proposed branch: ~paelzer/ubuntu/+source/qemu:groovy-merge-pick-5.0-14
Merge into: ubuntu/+source/qemu:ubuntu/groovy-devel
Diff against target: 150 lines (+105/-0)
5 files modified
debian/changelog (+10/-0)
debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/rules (+4/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Team Pending
Canonical Server packageset reviewers Pending
Review via email: mp+388545@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4175/+packages

Minor, but worthwhile fixes for groovy (one CVE, one follow up to the further modularization).

Christian Ehrhardt  (paelzer) wrote :

Adding one more fix for our minimal xen delta in a minute ...

38edad2... by Christian Ehrhardt 

d/rules: xen: compat links (LP: #1890005)

libxen-dev reports where to find the qemu binaries as if they
would have been built with xen. Obviously this isn't the case
but tools like libvirt will rely on the output of libxen-dev.

To avoid users having to modify the guest defaults provide a
symlink from the expected place to where qemu packaging
places it.

Note: we can't just place the binary there as that would kill
plenty of apparmor assumptions in libvirt.

Signed-off-by: Christian Ehrhardt <email address hidden>

6cf35f5... by Christian Ehrhardt 

d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on SQXBR (LP: #1883984)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

And a breakage on s390x - this doesn't seem to stop ...

Christian Ehrhardt  (paelzer) wrote :

Forgot to mention here.
The module fix isn't needed for us since it is only needed after "1f9685e build all modules since there are modules anyway, no need to hack them in d/rules" which I have postponed to 21.04 for reasons just like that.

Taken the commit out of the presented MR

Rafael David Tinoco (rafaeldtinoco) wrote :

# CHECKLIST
----------------------------
 [.] changelog entry correct
 [.] targeted to correct codename
 [.] version number is correct
 [.] update-maintainer has been run before
 ----
 [.] changes forwarded upstream/debian (if appropriate)
 [.] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [!] patches have correct DEP3 metadata
 - small typo in commit 15b2a2e318:
   - "...xen sepcific qemu binary in the qemu-default"
 ----
 [.] relying on PPA only for build check ?
 [.] if relying on PPA, did it install correctly ?
 ----
 [-] was autopkgtest tested ?
 ----
 [-] is this a SRU ?
 [-] if a SRU, does the public bug have a template ?
 [-] is this a bundle of fixes ?
 [-] is this a single fix ?
 ----
 [-] if single fix, was testcase provided ?
 [-] if single fix, and testcase provided, could I reproduce it ?
 [-] if single fix, and testcase provided, did it work ?
 ----
 [.] is this a MERGE ?
 [.] if MERGE, is there a public bug referred ?
 [.] if MERGE, does it add/remove existing packages ?
 [.] if MERGE, does it bump library SONAME ?
----------------------------
 [.] = ok | [x] = not ok | [?] = question | [!] = note | [-] = n/a
----------------------------

# comments:

dab4e218ab changelog: xen and s390x-emu fixes for groovy (LP: #1890005) (LP: #1883984)
5a51f1f398 d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on SQXBR (LP: #1883984)
15b2a2e318 xen: place binary in the path xen-devel & libvirt expect it

# changelog:

qemu (1:5.0-5ubuntu4) groovy; urgency=medium

  * xen: place binary in the path xen-devel and libvirt expect it
    (LP: #1890005)
  * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
    SQXBR (LP: #1883984)

# files touched:

$ git log -3 -p | diffstat
 changelog | 9 +++++++++
 control | 1 -
 control-in | 1 -
 patches/series | 1 +
 patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch | 37 +++++++++++++++++++++++++++++++++++++
 rules | 13 ++++++-------
 6 files changed, 53 insertions(+), 9 deletions(-)

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

+1 after minimum typo fix in patch git log desc.

Christian Ehrhardt  (paelzer) wrote :

I also did a full upgrade on my xen host and tried xen with virt-manager without the former symlink workaround in place.

The new qemu-system-x86-xen slots into place nicely:

ubuntu@ubuntu:~$ virsh capabilities | grep emu
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
ubuntu@ubuntu:~$ ll /usr/lib/xen-4.11/bin/qemu-system-i386
-rwxr-xr-x 1 root root 15355976 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-i386*

But - then all of the apparmor isolation will fall apart.
As it will not allow this path to be executed.

Aug 04 06:31:13 ubuntu audit[115176]: AVC apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 04 06:31:13 ubuntu kernel: audit: type=1400 audit(1596522673.656:146): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 04 06:31:13 ubuntu libvirtd[85510]: internal error: Child process (/usr/lib/xen-4.11/bin/qemu-system-i386 -help) unexpected exit status 126: libvirt: error : cannot execute binary /usr/lib/xen-4.11/bin/qemu-system-i386: Permission denied

So we want to keep things much more than they already are - but with a symlink in place (as my manual workaround was).

4d0ba8d... by Christian Ehrhardt 

d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)

Signed-off-by: Christian Ehrhardt <email address hidden>

1dea878... by Christian Ehrhardt 

changelog: fix -no-reboot on s390x secure boot (LP: #1890154)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

And another fix for s390x - clean fix directly from IBM.
This week keeps on giving ...

Christian Ehrhardt  (paelzer) wrote :

ubuntu@ubuntu:~$ ll /usr/lib/xen-4.11/bin/qemu-system-*
lrwxrwxrwx 1 root root 29 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-i386 -> ../../../bin/qemu-system-i386*
lrwxrwxrwx 1 root root 31 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-x86_64 -> ../../../bin/qemu-system-x86_64*

Working well now:
ubuntu@ubuntu:~$ virsh dumpxml ubuntu20.04 | grep emul
    <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>

ubuntu@ubuntu:~$ virsh start ubuntu20.04
Domain ubuntu20.04 started

So the xen cleanup to match the expected defaults is good.
Builds are also good and the other patches are small and work fine.

Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%5.0-5ubuntu4 -> upload/1%5.0-5ubuntu4

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_5.0-5ubuntu4.dsc: done.
  Uploading qemu_5.0-5ubuntu4.debian.tar.xz: done.
  Uploading qemu_5.0-5ubuntu4_source.buildinfo: done.
  Uploading qemu_5.0-5ubuntu4_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

this migrated

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index d2f09cf..ea3bc89 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+qemu (1:5.0-5ubuntu4) groovy; urgency=medium
7+
8+ * xen: provide compat links to what libxen-dev reports where to find
9+ the binaries (LP: #1890005)
10+ * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
11+ SQXBR (LP: #1883984)
12+ * d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Aug 2020 07:15:28 +0200
15+
16 qemu (1:5.0-5ubuntu3) groovy; urgency=medium
17
18 * d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
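Review bot: the new 1:5.0-5ubuntu4 entry lists three LP bugs and no CVE identifier, while the proposal description speaks of one CVE fix. If any of the three bullets is that fix, cite the CVE id in it; if the CVE fix is no longer part of this branch, the description should say so. The xen bullet is also hard to parse as written; something like "d/rules: xen: add compat links at the path libxen-dev reports for the qemu binaries" names the file and the intent in one line.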
19diff --git a/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch b/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
20new file mode 100644
21index 0000000..0f25ca9
22--- /dev/null
23+++ b/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
24@@ -0,0 +1,52 @@
25+From d1bb69db4ceb6897ef6a17bf263146b53a123632 Mon Sep 17 00:00:00 2001
26+From: Christian Borntraeger <borntraeger@de.ibm.com>
27+Date: Tue, 21 Jul 2020 06:32:02 -0400
28+Subject: [PATCH] s390x/protvirt: allow to IPL secure guests with -no-reboot
29+
30+Right now, -no-reboot prevents secure guests from running. This is
31+correct from an implementation point of view, as we have modeled the
32+transition from non-secure to secure as a program directed IPL. From
33+a user perspective, this is not the behavior of least surprise.
34+
35+We should implement the IPL into protected mode similar to the
36+functions that we use for kdump/kexec. In other words, we do not stop
37+here when -no-reboot is specified on the command line. Like function 0
38+or function 1, function 10 is not a classic reboot. For example, it
39+can only be called once. Before calling it a second time, a real
40+reboot/reset must happen in-between. So function code 10 is more or
41+less a state transition reset, but not a "standard" reset or reboot.
42+
43+Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility")
44+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
45+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
46+Reviewed-by: David Hildenbrand <david@redhat.com>
47+Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
48+Message-Id: <20200721103202.30610-1-borntraeger@de.ibm.com>
49+[CH: tweaked description]
50+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
51+
52+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d1bb69db4ceb6897ef6a17bf263146b53a123632
53+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890154
54+Last-Update: 2020-08-05
55+
56+---
57+ hw/s390x/ipl.c | 3 ++-
58+ 1 file changed, 2 insertions(+), 1 deletion(-)
59+
60+diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
61+index d46b1f094f..3d2652d75a 100644
62+--- a/hw/s390x/ipl.c
63++++ b/hw/s390x/ipl.c
64+@@ -630,7 +630,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type)
65+ }
66+ }
67+ if (reset_type == S390_RESET_MODIFIED_CLEAR ||
68+- reset_type == S390_RESET_LOAD_NORMAL) {
69++ reset_type == S390_RESET_LOAD_NORMAL ||
70++ reset_type == S390_RESET_PV) {
71+ /* ignore -no-reboot, send no event */
72+ qemu_system_reset_request(SHUTDOWN_CAUSE_SUBSYSTEM_RESET);
73+ } else {
74+--
75+2.27.0
76+
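Review bot: in the hw/s390x/ipl.c hunk, S390_RESET_PV joins the branch whose only comment is "ignore -no-reboot, send no event", so a host that passes -no-reboot to make a guest stop instead of resetting will no longer stop at the transition into protected mode. The upstream commit message gives the reasoning (function 10 is a one-time state transition, not a classic reboot), but the debian/changelog bullet only says "fix -no-reboot on s390x secure boot". Since the patch is carried unchanged from upstream, the changelog is the place to state the user-visible change, for example "allow IPL of secure guests when -no-reboot is set".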
77diff --git a/debian/patches/series b/debian/patches/series
78index 58c5039..c1c26c4 100644
79--- a/debian/patches/series
80+++ b/debian/patches/series
81@@ -71,3 +71,5 @@ ubuntu/lp-1835546-s390x-pv-Fix-KVM_PV_PREP_RESET-command-wrapper-name.patch
82 ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch
83 ubuntu/lp-1887763-util-add-qemu_get_host_physmem-utility-function.patch
84 ubuntu/lp-1887763-accel-tcg-better-handle-memory-constrained-systems.patch
85+ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
86+lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
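Review bot: the second added line places the lp-1890154 patch at the top level of debian/patches, while the SQXBR patch added just above it and the neighbouring lp-* entries in the context lines all sit under ubuntu/. Both new patches carry Origin: upstream and Bug-Ubuntu headers, so nothing visible here distinguishes them. Move the lp-1890154 patch under ubuntu/ as well, or note in the changelog why it lives elsewhere.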
87diff --git a/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch b/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
88new file mode 100644
89index 0000000..34fb95c
90--- /dev/null
91+++ b/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
92@@ -0,0 +1,37 @@
93+From 9bf728a09bf7509b27543664f9cca6f4f337f608 Mon Sep 17 00:00:00 2001
94+From: Richard Henderson <richard.henderson@linaro.org>
95+Date: Fri, 19 Jun 2020 21:21:40 -0700
96+Subject: [PATCH] target/s390x: Fix SQXBR
97+
98+The output is 128-bit, and thus requires a pair of 64-bit temps.
99+
100+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
101+Reviewed-by: David Hildenbrand <david@redhat.com>
102+Buglink: https://bugs.launchpad.net/bugs/1883984
103+Message-Id: <20200620042140.42070-1-richard.henderson@linaro.org>
104+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
105+
106+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9bf728a09bf7509b27543664f9cca6f4f337f608
107+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1883984
108+Last-Update: 2020-08-03
109+
110+---
111+ target/s390x/insn-data.def | 2 +-
112+ 1 file changed, 1 insertion(+), 1 deletion(-)
113+
114+diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
115+index 91ddaedd84..d79ae9e3f1 100644
116+--- a/target/s390x/insn-data.def
117++++ b/target/s390x/insn-data.def
118+@@ -798,7 +798,7 @@
119+ /* SQUARE ROOT */
120+ F(0xb314, SQEBR, RRE, Z, 0, e2, new, e1, sqeb, 0, IF_BFP)
121+ F(0xb315, SQDBR, RRE, Z, 0, f2, new, f1, sqdb, 0, IF_BFP)
122+- F(0xb316, SQXBR, RRE, Z, x2h, x2l, new, x1, sqxb, 0, IF_BFP)
123++ F(0xb316, SQXBR, RRE, Z, x2h, x2l, new_P, x1, sqxb, 0, IF_BFP)
124+ F(0xed14, SQEB, RXE, Z, 0, m2_32u, new, e1, sqeb, 0, IF_BFP)
125+ F(0xed15, SQDB, RXE, Z, 0, m2_64, new, f1, sqdb, 0, IF_BFP)
126+
127+--
128+2.27.0
129+
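Review bot: only the 0xb316 SQXBR row changes from new to new_P, and the context shows just the square-root group. The commit message gives the cause as the 128-bit output needing a pair of 64-bit temps, so it is worth grepping target/s390x/insn-data.def in the packaged tree for other rows that write x1 with new, to confirm no sibling instruction carries the same defect before this is uploaded as the complete fix for LP: #1883984.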
130diff --git a/debian/rules b/debian/rules
131index 0fa1f5b..87afc09 100755
132--- a/debian/rules
133+++ b/debian/rules
134@@ -17,6 +17,7 @@ libdir = /usr/lib/${DEB_HOST_MULTIARCH}
135 ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
136 VENDOR := UBUNTU
137 DEB_BUILD_PARALLEL = yes
138+XENBINPATH := $(shell pkg-config --variable libexec_bin xenlight)
139 else
140 VENDOR := DEBIAN
141 endif
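Review bot: XENBINPATH is taken from pkg-config with no check on the result. If the xenlight .pc file is not available at build time, $(shell ...) yields an empty string and the dh_link lines that use ${XENBINPATH} would place the links at /qemu-system-i386 and /qemu-system-x86_64 in the package root rather than fail. Guard the use, for example with test -n "${XENBINPATH}" ahead of the dh_link calls, or stop the build with $(error ...) when the variable is empty on amd64 and i386.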
142@@ -299,6 +300,9 @@ ifneq ($(filter $(DEB_HOST_ARCH),amd64 i386),)
143 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-x86_64.1
144 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-i386.1
145 dh_link -pqemu-system-x86-xen usr/share/doc/qemu-system-common usr/share/doc/qemu-system-x86-xen/common
146+ # compat links to what libxen-dev reports where to find the binaries
147+ dh_link -pqemu-system-x86-xen /usr/bin/qemu-system-i386 ${XENBINPATH}/qemu-system-i386
148+ dh_link -pqemu-system-x86-xen /usr/bin/qemu-system-x86_64 ${XENBINPATH}/qemu-system-x86_64
149 endif
150 endif
151
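Review bot: the link destination is whatever libxen-dev reported when qemu was built, and the test output in this proposal shows that path carrying the Xen version (/usr/lib/xen-4.11/bin). After a Xen version bump the links stay in the old directory until qemu is rebuilt against the new libxen-dev; a comment next to these dh_link lines stating that coupling would keep it from being missed. XENBINPATH is also set only inside the Ubuntu vendor branch, while the guard visible in this hunk is DEB_HOST_ARCH alone, so confirm this block cannot run in a non-Ubuntu build with the variable unset.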
