The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the QEMU TLS servers request & verify certificates
from clients. This works as a simple access control system for
servers by requiring the CA to issue certs to permitted clients.
This use of client certificates is disabled by default, since it
requires extra work to issue client certificates.

Unfortunately the code was using this configuration parameter when
setting up both TLS clients and servers in QEMU. The result was that
TLS clients for character devices and disk devices had verification
turned off, meaning they would ignore errors while validating the
server certificate.

This allows for trivial MITM attacks between client and server,
as any certificate returned by the attacker will be accepted by
the client.

This is assigned CVE-2017-1000256  / LSN-2017-0002
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 441d3eb6)

When LIBXL_HAVE_QED is defined, xlconfigtest fails

 9) Xen XL-2-XML Format disk-qed  ... command line: config parsing error
 in disk specification: no vdev specified in
 `target=/var/lib/libvirt/images/XenGuest2,format=qed,backendtype=qdisk,vdev=hda,access=rw'
FAILED

As per the xl-disk-configuration(5) man page, target= must come
last in the disk specification when specified by name:

When this parameter is specified by name, ie with the target=
syntax in the configuration file, it consumes the whole rest of the
DISKSPEC including trailing whitespaces.  Therefore in that case
it must come last.

Change tests/xlconfigdata/test-disk-qed.cfg to adhere to this
restriction.

This reverts commit ae16c95f.

Set the VIR_PCI_CONNECT_AGGREGATE_SLOT flag for pcie-root-ports so
that they will be assigned to all the functions on a slot.

Some qemu test case outputs had to be adjusted due to the
pcie-root-ports now being put on multiple functions.

If there are multiple devices assigned to the different functions of a
single PCI slot, they will not work properly if the device at function
0 doesn't have its "multi" attribute turned on, so it makes sense for
libvirt to turn it on during PCI address assignment. Setting multi
then assures that the new setting is stored in the config (so it will
be used next time the domain is started), preventing any potential
problems in the case that a future change in the configuration
eliminates the devices on all non-0 functions (multi will still be set
for function 0 even though it is the only function in use on the slot,
which has no useful purpose, but also doesn't cause any problems).

(NB: If we were to instead just decide on the setting for
multifunction at runtime, a later removal of the non-0 functions of a
slot would result in a silent change in the guest ABI for the
remaining device on function 0 (although it may seem like an
inconsequential guest ABI change, it *is* a guest ABI change to turn
off the multi bit).)

virtio-pci is the way forward for aarch64 guests: it's faster
and less alien to people coming from other architectures.
Now that guest support is finally getting there (Fedora 24,
CentOS 7.3, Ubuntu 16.04 and Debian testing all support
virtio-pci out of the box), we'd like to start using it by
default instead of virtio-mmio.

Users and applications can already opt-in by explicitly using

  <address type='pci'/>

inside the relevant elements, but that's kind of cumbersome and
requires all users and management applications to adapt, which
we'd really like to avoid.

What we can do instead is use virtio-mmio only if the guest
already has at least one virtio-mmio device, and use virtio-pci
in all other situations.

That means existing virtio-mmio guests will keep using the old
addressing scheme, and new guests will automatically be created
using virtio-pci instead. Users can still override the default
in either direction.

Existing tests such as aarch64-aavmf-virtio-mmio and
aarch64-virtio-pci-default already cover all possible
scenarios, so no additions to the test suites are necessary.

This patch adds support and documentation for
a generalized hardware cache event called cache_l1d
perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

Add a test case for when the QEMU_CAPS_NO_KVM_PIT capability is set.
This capability is mutually exclusive to QEMU_CAPS_KVM_PIT_TICK_POLICY
and results in the same output regardless of whether "discard" or
"delay" was specified in the guest XML for 'tickpolicy'.
Signed-off-by: NMaxim Nestratov <mnestratov@virtuozzo.com>

Separate out the "policy=discard" into it's own specific
qemu command line.

We'll rename "kvm-pit-device" test case to be "kvm-pit-discard"
since it has the syntax we'd be using.
Signed-off-by: NMaxim Nestratov <mnestratov@virtuozzo.com>

By a mistake, for the VIR_DOMAIN_TIMER_TICKPOLICY_DELAY qemu
command line creation, 'discard' was used instead of 'delay'
in commit id '1569fa14'.

Test "kvm-pit-delay" is fixed accordingly to show the correct
option being generated.

Remove the (now) redundant kvm-pit-device tests. As it turns
out there is no need to specify both QEMU_CAPS_NO_KVM_PIT and
QEMU_CAPS_KVM_PIT_TICK_POLICY since they are mutually exclusive
and "kvm-pit-device" becomes just the same as "kvm-pit-delay".
Signed-off-by: NMaxim Nestratov <mnestratov@virtuozzo.com>

Qemu has abandoned the +/-feature syntax in favor of key=value. Some
architectures (s390) do not support +/-feature. So we update libvirt to handle
both formats.

If we detect a sufficiently new Qemu (indicated by support for qmp
query-cpu-model-expansion) we use key=value else we fall back to +/-feature.
Signed-off-by: NCollin L. Walling <walling@linux.vnet.ibm.com>
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

Test cases for qemu s390x cpu model argument generation.
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

When qmp query-cpu-model-expansion is available probe Qemu for its view of the
host model. In kvm environments this can provide a more complete view of the
host model because features supported by Qemu and Kvm can be considered.
Signed-off-by: NCollin L. Walling <walling@linux.vnet.ibm.com>
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

query-cpu-model-expansion is used to get a list of features for a given cpu
model name or to get the model and features of the host hardware/environment
as seen by Qemu/kvm.
Signed-off-by: NCollin L. Walling <walling@linux.vnet.ibm.com>
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

Tests domain capabilities on s390x using the Qemu 2.8 capabilities data.
Signed-off-by: NCollin L. Walling <walling@linux.vnet.ibm.com>
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

Expected Qemu replies for versions 2.7 and 2.8 from the s390x
Qemu binary.
Signed-off-by: NCollin L. Walling <walling@linux.vnet.ibm.com>
Signed-off-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>

Our STREQ_NULLABLE and STRNEQ_NULLABLE macros are too
complicated. This was a result of some broken version of gcc.
However, that is long gone and therefore we can simplify the
macros.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Just a name, I know, but it bothered me a lot since it does not refer
to XML.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Currently, bhyvexml2xmltest does only one test. We can do better.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

In the next patch we will need a stable mac address for
<interface/>.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

After c07d1c1c got merged it uncovered couple of broken domain
XMLs for bhyvexml2argv test. Some disk drives had incompatible
type of address configured.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

After 478ddedc a bug is fixed where we wrongly presumed loopack
device name on non-Linux systems. It's lo0. However, the fix is
not reflected in the tests which are failing now.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

If the nss module is disabled we shouldn't run the tests that
include it either.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

In the Makefile in tests/ we initialize couple of variables like
test_programs, test_libraries and test_helpers. These variables
contain all the targets that we need to build in order to run
the test suite. So we initialize test_programs and test_helpers
and then conditionally add targets to them depending on what we
are building with. Then we repeat the same process with
test_libraries. It makes no sense to have two separate if-endif
sequences.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Since the internal implementation relies on a json parser being
available, it make no sense to run this test if there's none
available.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

This tests uses preload, which should work on any ELF-based platform
(and indeed it passes on Linux, GNU/kFreeBSD, and FreeBSD).

Also remove the WITH_DBUS conditional, as the test is already built
based on that conditional.

Follow up of commit 340bb6b7 to add unit tests for the QED format
support. Also add missing QED case in xenFormatXLDisk()

Add tests for controller based disks to check disk address compatibility
with disk bus types.
Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>

Similarly to localOnly DNS domain, localPtr attribute can be used to
tell the DNS server not to forward reverse lookups for unknown IPs which
belong to the virtual network.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

This patch adds support and documentation for
the ref_cpu_cycles perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

This patch adds support and documentation for
the stalled_cycles_backend perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

This patch adds support and documentation
for the stalled_cycles_frontend perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

This patch adds support and documentation
for the bus_cycles perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

This revealed bugs in RNG schema for /network/dns/srv.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

This patch adds support and documentation
for the branch_misses perf event.
Signed-off-by: NNitesh Konkar <nitkon12@linux.vnet.ibm.com>

If the allocation fails in DO_TEST_FLUSH_PROLOGUE, then 'mgr == NULL',
but the code continues on - which won't be good. So modify the macro
to cause an immediate failure and jump to a cleanup label.

Found by Coverity as FORWARD_NULL event.

If you've ever tried running a huge page backed guest under
different user than in qemu.conf, you probably failed. Problem is
even though we have corresponding APIs in the security drivers,
there's no implementation and thus we don't relabel the huge page
path. But even if we did, so far all of the domains share the
same path:

   /hugepageMount/libvirt/qemu

Our only option there would be to set 0777 mode on the qemu dir
which is totally unsafe. Therefore, we can create dir on
per-domain basis, i.e.:

   /hugepageMount/libvirt/qemu/domainName

and chown domainName dir to the user that domain is configured to
run under.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Since the great rework of how we store vcpu- and iothread-related
data, we have overly complex part of code that is trying to format the
scheduler tuning data in as less lines as possible by grouping
settings for multiple threads.  That was designed as an input syntax
sugar for users, but we don't need to also use that when formatting
the XML.  Switching to simple enumeration makes the code nicer,
shorter and more welcoming to future changes.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Qemu 2.8.0+ changes arguments structure for blockdev-add in the effort
to make it finally stable. Since libvirt recently added the detection of
gluster debug support relying on the old syntax we need to add the new
as well.