[virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter

Pavel Hrdina phrdina at redhat.com
Wed Apr 3 13:52:49 UTC 2019


This will allow users to override the default behavior of virt-install,
which copies the CPU security features available on the host into the guest
XML when a specific CPU model is configured.

Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
---
 man/virt-install.pod                          |  8 +-
 .../compare/virt-install-cpu-disable-sec.xml  | 93 +++++++++++++++++++
 tests/clitest.py                              |  1 +
 virtinst/cli.py                               |  1 +
 virtinst/domain/cpu.py                        |  7 +-
 5 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml

diff --git a/man/virt-install.pod b/man/virt-install.pod
index 8407e795..18d44808 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as known to libvirt.
 
 Libvirt's feature policy values force, require, optional, disable, or forbid,
 or with the shorthand '+feature' and '-feature', which equal 'force=feature'
-and 'disable=feature' respectively
+and 'disable=feature' respectively.
+
+If exact CPU model is specified virt-install will automatically copy CPU
+security features available on the host to mitigate recent CPU CVEs.
+This however will have some impact on performance and will break migration
+to hosts without security patches.  In order to turn off this default behavior
+there is a B<secure> parameter.  Possible values are I<on> and I<off>.
 
 Some examples:
 
diff --git a/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
new file mode 100644
index 00000000..a86d6926
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
@@ -0,0 +1,93 @@
+<domain type="kvm">
+  <name>foobar</name>
+  <uuid>00000000-1111-2222-3333-444444444444</uuid>
+  <memory>65536</memory>
+  <currentMemory>65536</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch="x86_64" machine="pc">hvm</type>
+    <boot dev="network"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode="custom" match="exact">
+    <model>qemu64</model>
+  </cpu>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <on_reboot>destroy</on_reboot>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-kvm</emulator>
+    <controller type="usb" index="0" model="ich9-ehci1"/>
+    <controller type="usb" index="0" model="ich9-uhci1">
+      <master startport="0"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci2">
+      <master startport="2"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci3">
+      <master startport="4"/>
+    </controller>
+    <interface type="bridge">
+      <source bridge="eth0"/>
+      <mac address="00:11:22:33:44:55"/>
+      <model type="e1000"/>
+    </interface>
+    <console type="pty"/>
+  </devices>
+</domain>
+<domain type="kvm">
+  <name>foobar</name>
+  <uuid>00000000-1111-2222-3333-444444444444</uuid>
+  <memory>65536</memory>
+  <currentMemory>65536</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch="x86_64" machine="pc">hvm</type>
+    <boot dev="network"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode="custom" match="exact">
+    <model>qemu64</model>
+  </cpu>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-kvm</emulator>
+    <controller type="usb" index="0" model="ich9-ehci1"/>
+    <controller type="usb" index="0" model="ich9-uhci1">
+      <master startport="0"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci2">
+      <master startport="2"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci3">
+      <master startport="4"/>
+    </controller>
+    <interface type="bridge">
+      <source bridge="eth0"/>
+      <mac address="00:11:22:33:44:55"/>
+      <model type="e1000"/>
+    </interface>
+    <console type="pty"/>
+  </devices>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index d3bd6044..e5abb0c0 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -603,6 +603,7 @@ c.add_invalid("--clock foo_tickpolicy=merge")  # Unknown timer
 c.add_invalid("--security foobar")  # Busted --security
 c.add_compare("--cpuset auto --vcpus 2", "cpuset-auto")  # --cpuset=auto actually works
 c.add_compare("--memory 1024,hotplugmemorymax=2048,hotplugmemoryslots=2 --cpu cell0.cpus=0,cell0.memory=1048576 --memdev dimm,access=private,target_size=512,target_node=0,source_pagesize=4,source_nodemask=1-2 --memdev nvdimm,source_path=/path/to/nvdimm,target_size=512,target_node=0,target_label_size=128", "memory-hotplug")
+c.add_compare("--connect " + utils.URIs.kvm_q35 + " --cpu qemu64,secure=off", "cpu-disable-sec")  # disable security features that are added by default
 
 
 
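Review bot: The new compare only exercises `secure=off`; because the option is declared with `is_onoff=True` in virtinst/cli.py in this same patch, a rejected-value case would pin that validation, e.g. `c.add_invalid("--cpu qemu64,secure=foo")  # secure must be on/off`. It would also be worth an explicit `secure=on` compare against the existing default output so the default and the spelled-out form are shown to agree; I cannot tell from this hunk whether such a compare file already exists.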
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 5e90e225..dbb9cfd5 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -1791,6 +1791,7 @@ class ParserCPU(VirtCLIParser):
         cls.add_arg("mode", "mode")
         cls.add_arg("match", "match")
         cls.add_arg("vendor", "vendor")
+        cls.add_arg("secure", "secure", is_onoff=True)
 
         cls.add_arg(None, "force", is_list=True, cb=cls.set_feature_cb)
         cls.add_arg(None, "require", is_list=True, cb=cls.set_feature_cb)
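Review bot: The parser accepts `secure=on|off` unconditionally, but per the cpu.py hunk in this patch the value is only consulted on the exact-model path, so a command such as `--cpu host-passthrough,secure=off` is accepted and silently does nothing. Either a parser-side warning when `secure` is given without a custom model, or a man-page sentence stating that the parameter has no effect in host-model/host-passthrough modes, would avoid users believing they changed the guest when they did not. The man page text in this patch says only that the copying happens "if exact CPU model is specified", which does not make the no-op case explicit.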
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
index 34f34168..bf553449 100644
--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@@ -64,6 +64,8 @@ class DomainCpu(XMLBuilder):
     _XML_PROP_ORDER = ["mode", "match", "model", "vendor",
                        "sockets", "cores", "threads", "features"]
 
+    secure = True
+
     special_mode_was_set = False
     # These values are exposed on the command line, so are stable API
     SPECIAL_MODE_HOST_MODEL_ONLY = "host-model-only"
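Review bot: The new `secure = True` class attribute is undocumented, while the neighbouring comment flags the SPECIAL_MODE values as command-line-exposed stable API; `secure` is now exposed the same way via `--cpu secure=on|off` and should say so. Suggested comment above it: `# Exposed on the command line as --cpu secure=on|off (stable API). When True (default) host CPU security features are copied into the guest when an exact model is set; when False they are removed instead.` It is not an XML property, which is why it is not in _XML_PROP_ORDER, and a short remark on that would save the next reader from adding it there.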
@@ -126,7 +128,10 @@ class DomainCpu(XMLBuilder):
             self.mode = "custom"
             if not self.match:
                 self.match = "exact"
-            self._add_security_features(guest)
+            if self.secure:
+                self._add_security_features(guest)
+            else:
+                self._remove_security_features(guest)
         self.model = val
 
     def add_feature(self, name, policy="require"):
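Review bot: The new `else` branch calls `_remove_security_features`, which this patch does not define and the diffstat does not account for, so it presumably comes from an earlier patch in this series; if it does not, `secure=off` fails with an AttributeError rather than a usable error. The enclosing method starts outside the hunk. Because `secure=off` deliberately leaves the guest without host mitigation features, a debug log line on that branch (using whatever logger this module already has) would let an operator later explain why a guest's CPU XML lacks features that its siblings have, e.g. `log.debug("secure=off: not copying host CPU security features for model %s", val)` if such a logger exists here.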
-- 
2.20.1



