Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* cleanups for stubs
* do not link pixman automatically into all targets
* optimize computation of VGA dirty memory region
*

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* cleanups for stubs
* do not link pixman automatically into all targets
* optimize computation of VGA dirty memory region
* kvm: use configs/ definition to conditionalize debug support
* hw: Add compat machines for 9.1
* target/i386: add guest-phys-bits cpu property
* target/i386: Introduce Icelake-Server-v7 and SierraForest models
* target/i386: Export RFDS bit to guests
* q35: SMM ranges cleanups
* target/i386: basic support for confidential guests
* linux-headers: update headers
* target/i386: SEV: use KVM_SEV_INIT2 if possible
* kvm: Introduce support for memory_attributes
* RAMBlock: Add support of KVM private guest memfd
* Consolidate use of warn_report_once()
* pythondeps.toml: warn about updates needed to docs/requirements.txt
* target/i386: always write 32-bits for SGDT and SIDT

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmYn1UkUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroO1nwgAhRQhkYcdtFc649WJWTNvJCNzmek0
# Sg7trH2NKlwA75zG8Qv4TR3E71UrXoY9oItwYstc4Erz+tdf73WyaHMF3cEk1p82
# xx3LcBYhP7jGSjabxTkZsFU8+MM1raOjRN/tHvfcjYLaJOqJZplnkaVhMbNPsVuM
# IPJ5bVQohxpmHKPbeFNpF4QJ9wGyZAYOfJOFCk09xQtHnA8CtFjS9to33QPAR/Se
# OVZwRCigVjf0KNmCnHC8tJHoW8pG/cdQAr3qqd397XbM1vVELv9fiXiMoGF78UsY
# trO4K2yg6N5Sly4Qv/++zZ0OZNkL3BREGp3wf4eTSvLXxqSGvfi8iLpFGA==
# =lwSL
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 23 Apr 2024 08:35:37 AM PDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [undefined]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (63 commits)
target/i386/translate.c: always write 32-bits for SGDT and SIDT
pythondeps.toml: warn about updates needed to docs/requirements.txt
accel/tcg/icount-common: Consolidate the use of warn_report_once()
target/i386/cpu: Merge the warning and error messages for AMD HT check
target/i386/cpu: Consolidate the use of warn_report_once()
target/i386/host-cpu: Consolidate the use of warn_report_once()
kvm/tdx: Ignore memory conversion to shared of unassigned region
kvm/tdx: Don't complain when converting vMMIO region to shared
kvm: handle KVM_EXIT_MEMORY_FAULT
physmem: Introduce ram_block_discard_guest_memfd_range()
RAMBlock: make guest_memfd require uncoordinated discard
HostMem: Add mechanism to opt in kvm guest memfd via MachineState
kvm/memory: Make memory type private by default if it has guest memfd backend
kvm: Enable KVM_SET_USER_MEMORY_REGION2 for memslot
RAMBlock: Add support of KVM private guest memfd
kvm: Introduce support for memory_attributes
trace/kvm: Split address space and slot id in trace_kvm_set_user_memory()
hw/i386/sev: Use legacy SEV VM types for older machine types
i386/sev: Add 'legacy-vm-type' parameter for SEV guest objects
target/i386: SEV: use KVM_SEV_INIT2 if possible
...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

ppc/pef: switch to use confidential_guest_kvm_init/reset()

Use the unified interface to call confidential guest related kvm_init()
and kvm_reset(), to avoid exposing pef specific functions.

As a bo

ppc/pef: switch to use confidential_guest_kvm_init/reset()

Use the unified interface to call confidential guest related kvm_init()
and kvm_reset(), to avoid exposing pef specific functions.

As a bonus, pef.h goes away since there is no direct call from sPAPR
board code to PEF code anymore.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Merge tag 'migration-20231020-pull-request' of https://gitlab.com/juan.quintela/qemu into staging

Migration Pull request (20231020)

In this pull request:
- disable analyze-migration on s390x (thoma

Merge tag 'migration-20231020-pull-request' of https://gitlab.com/juan.quintela/qemu into staging

Migration Pull request (20231020)

In this pull request:
- disable analyze-migration on s390x (thomas)
- Fix parse_ramblock() (peter)
- start merging live update (steve)
- migration-test support for using several binaries (fabiano)
- multifd cleanups (fabiano)

CI: https://gitlab.com/juan.quintela/qemu/-/pipelines/1042492801

Please apply.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEGJn/jt6/WMzuA0uC9IfvGFhy1yMFAmUyJMsACgkQ9IfvGFhy
# 1yP0AQ/9ELr6VJ0crqzfGm2dy2emnZMaQhDtzR4Kk4ciZF6U+GiATdGN9hK499mP
# 6WzRIjtSzwD8YZvhLfegxIVTGcEttaM93uXFPznWrk7gwny6QTvuA4qtcRYejTSl
# wE4GQQOsSrukVCUlqcZtY/t2aphVWQzlx8RRJE3XGaodT1gNLMjd+xp34NbbOoR3
# 32ixpSPUCOGvCd7hb+HG7pEzk+905Pn2URvbdiP71uqhgJZdjMAv8ehSGD3kufdg
# FMrZyIEq7Eguk2bO1+7ZiVuIafXXRloIVqi1ENmjIyNDa/Rlv2CA85u0CfgeP6qY
# Ttj+MZaz8PIhf97IJEILFn+NDXYgsGqEFl//uNbLuTeCpmr9NPhBzLw8CvCefPrR
# rwBs3J+QbDHWX9EYjk6QZ9QfYJy/DXkl0KfdNtQy9Wf+0o1mHDn5/y3s782T24aJ
# lGo0ph4VJLBNOx58rpgmoO5prRIjqzF5w4j8pCSeGUC4Bcub5af4TufYrwaf+cps
# iIbNFx79dLXBlfkKIn7i9RLpz7641Fs/iTQ/MZh1eyvX++UDXAPWnbd4GDYOEewA
# U3WKsTs/ipIbY8nqaO4j1VMzADPUfetBXznBw60xsZcfjynFJsPV6/F/0OpUupdv
# qPEY4LZ2uwP4K7AlzrUzUn2f3BKrspL0ObX0qTn0WJ8WX5Jp/YA=
# =m+uB
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 19 Oct 2023 23:57:15 PDT
# gpg: using RSA key 1899FF8EDEBF58CCEE034B82F487EF185872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>" [full]
# gpg: aka "Juan Quintela <quintela@trasno.org>" [full]
# Primary key fingerprint: 1899 FF8E DEBF 58CC EE03 4B82 F487 EF18 5872 D723

* tag 'migration-20231020-pull-request' of https://gitlab.com/juan.quintela/qemu:
tests/qtest: Don't print messages from query instances
tests/qtest/migration: Allow user to specify a machine type
tests/qtest/migration: Support more than one QEMU binary
tests/qtest/migration: Set q35 as the default machine for x86_86
tests/qtest/migration: Specify the geometry of the bootsector
tests/qtest/migration: Define a machine for all architectures
tests/qtest/migration: Introduce find_common_machine_version
tests/qtest: Introduce qtest_resolve_machine_alias
tests/qtest: Introduce qtest_has_machine_with_env
tests/qtest: Allow qtest_get_machines to use an alternate QEMU binary
tests/qtest: Introduce qtest_init_with_env
tests/qtest: Allow qtest_qemu_binary to use a custom environment variable
migration/multifd: Stop checking p->quit in multifd_send_thread
migration: simplify notifiers
migration: Fix parse_ramblock() on overwritten retvals
migration: simplify blockers
tests/qtest/migration-test: Disable the analyze-migration.py test on s390x

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

migration: simplify blockers

Modify migrate_add_blocker and migrate_del_blocker to take an Error **
reason. This allows migration to own the Error object, so that if
an error occurs in migrate_add_

migration: simplify blockers

Modify migrate_add_blocker and migrate_del_blocker to take an Error **
reason. This allows migration to own the Error object, so that if
an error occurs in migrate_add_blocker, migration code can free the Error
and clear the client handle, simplifying client code. It also simplifies
the migrate_del_blocker call site.

In addition, this is a pre-requisite for a proposed future patch that would
add a mode argument to migration requests to support live update, and
maintain a list of blockers for each mode. A blocker may apply to a single
mode or to multiple modes, and passing Error** will allow one Error object
to be registered for multiple modes.

No functional change.

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Tested-by: Michael Galaxy <mgalaxy@akamai.com>
Reviewed-by: Michael Galaxy <mgalaxy@akamai.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <1697634216-84215-1-git-send-email-steven.sistare@oracle.com>

show more ...

Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210603' into staging

ppc patch queue 2021-06-03

Next batch of ppc target patches. Highlights are:
* A fix for a regression with

Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210603' into staging

ppc patch queue 2021-06-03

Next batch of ppc target patches. Highlights are:
* A fix for a regression with single-step mode
* Start of moving ppc to use decodetree
* Implementation of some POWER10 64-bit prefixed instructions
* Several cleanups to softmmu code
* Continued progress towards allowing --disable-tcg
* Fix for the POWER PEF implementation
* Fix for LPCR handling of hotplugged CPUs
* Assorted other bugfixes and cleanups

This patchset does contain a couple of changes to code outside my
normal scope of maintainership, related to the removal of cpu_dump and
cpu_statistics hooks. ppc was the last target arch implementing these
at all, and they didn't really do anything there either. The patches
should have relevant acks.

# gpg: Signature made Thu 03 Jun 2021 09:20:59 BST
# gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392

* remotes/dg-gitlab/tags/ppc-for-6.1-20210603: (42 commits)
target/ppc: fix single-step exception regression
target/ppc: Move cmp/cmpi/cmpl/cmpli to decodetree
target/ppc: Move addpcis to decodetree
target/ppc: Implement vcfuged instruction
target/ppc: Implement cfuged instruction
target/ppc: Implement setbc/setbcr/stnbc/setnbcr instructions
target/ppc: Implement prefixed integer store instructions
target/ppc: Move D/DS/X-form integer stores to decodetree
target/ppc: Implement prefixed integer load instructions
target/ppc: Move D/DS/X-form integer loads to decodetree
target/ppc: Implement PNOP
target/ppc: Move ADDI, ADDIS to decodetree, implement PADDI
target/ppc: Add infrastructure for prefixed insns
target/ppc: Move page crossing check to ppc_tr_translate_insn
target/ppc: Introduce macros to check isa extensions
target/ppc: powerpc_excp: Consolidade TLB miss code
target/ppc: powerpc_excp: Remove dump_syscall_vectored
target/ppc: powerpc_excp: Move lpes code to where it is used
target/ppc: overhauled and moved logic of storing fpscr
target/ppc: removed all mentions to PPC_DUMP_CPU
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

ppc/pef.c: initialize cgs->ready in kvmppc_svm_init()

QEMU is failing to launch a CGS pSeries guest in a host that has PEF
support:

qemu-system-ppc64: ../softmmu/vl.c:2585: qemu_machine_creation_do

ppc/pef.c: initialize cgs->ready in kvmppc_svm_init()

QEMU is failing to launch a CGS pSeries guest in a host that has PEF
support:

qemu-system-ppc64: ../softmmu/vl.c:2585: qemu_machine_creation_done: Assertion `machine->cgs->ready' failed.
Aborted

This is happening because we're not setting the cgs->ready flag that is
asserted in qemu_machine_creation_done() during machine start.

cgs->ready is set in s390_pv_kvm_init() and sev_kvm_init(). Let's set it
in kvmppc_svm_init() as well.

Reported-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20210528201619.52363-1-danielhb413@gmail.com>
Acked-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

show more ...

Merge remote-tracking branch 'remotes/dg-gitlab/tags/cgs-pull-request' into staging

Generalize memory encryption models

A number of hardware platforms are implementing mechanisms whereby the
hyperv

Merge remote-tracking branch 'remotes/dg-gitlab/tags/cgs-pull-request' into staging

Generalize memory encryption models

A number of hardware platforms are implementing mechanisms whereby the
hypervisor does not have unfettered access to guest memory, in order
to mitigate the security impact of a compromised hypervisor.

AMD's SEV implements this with in-cpu memory encryption, and Intel has
its own memory encryption mechanism. POWER has an upcoming mechanism
to accomplish this in a different way, using a new memory protection
level plus a small trusted ultravisor. s390 also has a protected
execution environment.

The current code (committed or draft) for these features has each
platform's version configured entirely differently. That doesn't seem
ideal for users, or particularly for management layers.

AMD SEV introduces a notionally generic machine option
"machine-encryption", but it doesn't actually cover any cases other
than SEV.

This series is a proposal to at least partially unify configuration
for these mechanisms, by renaming and generalizing AMD's
"memory-encryption" property. It is replaced by a
"confidential-guest-support" property pointing to a platform specific
object which configures and manages the specific details.

Note to Ram Pai: the documentation I've included for PEF is very
minimal. If you could send a patch expanding on that, it would be
very helpful.

Changes since v8:
* Rebase
* Fixed some cosmetic typos
Changes since v7:
* Tweaked and clarified meaning of the 'ready' flag
* Polished the interface to the PEF internals
* Shifted initialization for s390 PV later (I hope I've finally got
this after apply_cpu_model() where it needs to be)
Changes since v6:
* Moved to using OBJECT_DECLARE_TYPE and OBJECT_DEFINE_TYPE macros
* Assorted minor fixes
Changes since v5:
* Renamed from "securable guest memory" to "confidential guest
support"
* Simpler reworking of x86 boot time flash encryption
* Added a bunch of documentation
* Fixed some compile errors on POWER
Changes since v4:
* Renamed from "host trust limitation" to "securable guest memory",
which I think is marginally more descriptive
* Re-organized initialization, because the previous model called at
kvm_init didn't work for s390
* Assorted fixes to the s390 implementation; rudimentary testing
(gitlab CI) only
Changes since v3:
* Rebased
* Added first cut at handling of s390 protected virtualization
Changes since RFCv2:
* Rebased
* Removed preliminary SEV cleanups (they've been merged)
* Changed name to "host trust limitation"
* Added migration blocker to the PEF code (based on SEV's version)
Changes since RFCv1:
* Rebased
* Fixed some errors pointed out by Dave Gilbert

# gpg: Signature made Mon 08 Feb 2021 06:07:27 GMT
# gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392

* remotes/dg-gitlab/tags/cgs-pull-request:
s390: Recognize confidential-guest-support option
confidential guest support: Alter virtio default properties for protected guests
spapr: PEF: prevent migration
spapr: Add PEF based confidential guest support
confidential guest support: Update documentation
confidential guest support: Move SEV initialization into arch specific code
confidential guest support: Introduce cgs "ready" flag
sev: Add Error ** to sev_kvm_init()
confidential guest support: Rework the "memory-encryption" property
confidential guest support: Move side effect out of machine_set_memory_encryption()
sev: Remove false abstraction of flash encryption
confidential guest support: Introduce new confidential guest support class
qom: Allow optional sugar props

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

spapr: PEF: prevent migration

We haven't yet implemented the fairly involved handshaking that will be
needed to migrate PEF protected guests. For now, just use a migration
blocker so we get a meani

spapr: PEF: prevent migration

We haven't yet implemented the fairly involved handshaking that will be
needed to migrate PEF protected guests. For now, just use a migration
blocker so we get a meaningful error if someone attempts this (this is the
same approach used by AMD SEV).

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>

show more ...

spapr: Add PEF based confidential guest support

Some upcoming POWER machines have a system called PEF (Protected
Execution Facility) which uses a small ultravisor to allow guests to
run in a way tha

spapr: Add PEF based confidential guest support

Some upcoming POWER machines have a system called PEF (Protected
Execution Facility) which uses a small ultravisor to allow guests to
run in a way that they can't be eavesdropped by the hypervisor. The
effect is roughly similar to AMD SEV, although the mechanisms are
quite different.

Most of the work of this is done between the guest, KVM and the
ultravisor, with little need for involvement by qemu. However qemu
does need to tell KVM to allow secure VMs.

Because the availability of secure mode is a guest visible difference
which depends on having the right hardware and firmware, we don't
enable this by default. In order to run a secure guest you need to
create a "pef-guest" object and set the confidential-guest-support
property to point to it.

Note that this just *allows* secure guests, the architecture of PEF is
such that the guest still needs to talk to the ultravisor to enter
secure mode. Qemu has no direct way of knowing if the guest is in
secure mode, and certainly can't know until well after machine
creation time.

To start a PEF-capable guest, use the command line options:
-object pef-guest,id=pef0 -machine confidential-guest-support=pef0

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>

show more ...