Add comma escaping for cfg->spiceTLSx509certdir and
graphics->data.spice.rendernode.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Add comma escaping for smartcard->data.cert.file[i] and
smartcard->data.cert.database.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Add comma escaping for fileval.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Add comma escaping for dev->data.file.path in cases
VIR_DOMAIN_CHR_TYPE_DEV and VIR_DOMAIN_CHR_TYPE_PIPE.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Fix the return value status comparison checking for call to
virJSONValueObjectCreateVArgs introduced by commit id f0a23c0c.

If a NULL arglist is passed, then a 0 is returned which is a
valid status and we only should fail when the return is < 0.

This resolves an issue seen for "virsh iothreadadd $dom $iothread"
where a "error: An error occurred, but the cause is unknown" error
was generated when trying to hotplug an IOThread to a domain since
qemuDomainHotplugAddIOThread passes a NULL arglist.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1591561

For reasons I don't understand my original patch of 75f0fd51
freed not only the chardev from domain but also the one from
passed virDomainDeviceDefPtr. This caused no troubles until now,
because those two pointers were separate, but after I've
introduced virDomainDetachDeviceAlias() they became the same
resulting in double free on detach.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

The query-sev-capabilities command fails if SEV is not compiled in,
even though both the command and -object sev-guest are present
in that case :/

Ignore the errors to avoid spamming the logs:
internal error: unable to execute QEMU command 'query-sev-capabilities': SEV feature is not available
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Some identifiers use Sev, some SEV. Prefer the latter.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

A common cleanup path for both the success and the error case.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Make the function prefix match the file it's in.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Free tmp even on failure.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

It is only used in one place.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
Tested-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

The buffer is not freed anywhere. Nor in the error paths. Also
the usage virCommand with respect to buffer is very odd.

==2504== 1,100 bytes in 1 blocks are definitely lost in loss record 167 of 175
==2504==    at 0x4C2CE3F: malloc (vg_replace_malloc.c:298)
==2504==    by 0x4C2F1BF: realloc (vg_replace_malloc.c:785)
==2504==    by 0x5D32EE2: virReallocN (viralloc.c:245)
==2504==    by 0x5D37278: virBufferGrow (virbuffer.c:150)
==2504==    by 0x5D3783E: virBufferVasprintf (virbuffer.c:408)
==2504==    by 0x5D377A9: virBufferAsprintf (virbuffer.c:381)
==2504==    by 0x57017C1: qemuBuildSevCommandLine (qemu_command.c:9707)
==2504==    by 0x57030F7: qemuBuildCommandLine (qemu_command.c:10324)
==2504==    by 0x575FA48: qemuProcessCreatePretendCmd (qemu_process.c:6644)
==2504==    by 0x11351A: testCompareXMLToArgv (qemuxml2argvtest.c:564)
==2504==    by 0x1392F7: virTestRun (testutils.c:180)
==2504==    by 0x137895: mymain (qemuxml2argvtest.c:2900)
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

The variable points to a buffer not a domain object therefore its
current name is misleading.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

And replace all calls with virObjectEventStateQueue such that:

    qemuDomainEventQueue(driver, event);

becomes:

    virObjectEventStateQueue(driver->domainEventState, event);

And remove NULL checking from all callers.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

qemucapabilitiestest for simplicity uses one test monitor object for
simulating work of two separate inquiries of the qemu process. To allow
better testing in the future it will be required to reset the counter
so that it accurately simulates how qemu would behave.

This patch adds a private monitor API which allows to reset the counter
which will be usable only in tests.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Since virConfGetValueBool() can return earlier, the parameter 'value'
might be not initialised properly inside this method. Another proof:
Valgrind is returning this error during the libvirtd daemon startup:

==16199== Conditional jump or move depends on uninitialised value(s)
==16199==    at 0x27FFFEF4: virQEMUDriverConfigLoadFile (qemu_conf.c:809)
==16199==    by 0x2807665C: qemuStateInitialize (qemu_driver.c:654)
==16199==    by 0x5535428: virStateInitialize (libvirt.c:662)
==16199==    by 0x12AED8: daemonRunStateInit (remote_daemon.c:802)
==16199==    by 0x536DE18: virThreadHelper (virthread.c:206)
==16199==    by 0x6CB36DA: start_thread (pthread_create.c:463)
==16199==    by 0x6FEC88E: clone (clone.S:95)
Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

This patch implements the internal driver API for launch event into
qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement'
to get the measurement of memory encrypted through launch sequence.
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

QEMU >= 2.12 provides 'sev-guest' object which is used to launch encrypted
VMs on AMD platform using SEV feature. The various inputs required to
launch SEV guest is provided through the <launch-security> tag. A typical
SEV guest launch command line looks like this:

  -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=5 ...\
  -machine memory-encryption=sev0 \
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

QEMU uses /dev/sev device while creating the SEV guest, lets add /dev/sev
in the list of devices allowed to be accessed by the QEMU.
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Extend hypervisor capabilities to include sev feature. When available,
hypervisor supports launching an encrypted VM on AMD platform. The
sev feature tag provides additional details like Platform Diffie-Hellman
(PDH) key and certificate chain which can be used by the guest owner to
establish a cryptographic session with the SEV firmware to negotiate
keys used for attestation or to provide secret during launch.
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

QEMU version >= 2.12 provides support for launching an encrypted VMs on
AMD x86 platform using Secure Encrypted Virtualization (SEV) feature.
This patch adds support to query the SEV capability from the qemu.
Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

And remove NULL checking from all callers.
Signed-off-by: NAnya Harter <aharter@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1583623

When attaching a virtio-scsi with IOThreads for the config of a
live domain, allow the <address> to not be defined thus allowing
post parse processing to fill in the address. This allows parsing
of an individual device to succeed for attach config.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Make the error a bit clearer that virtio-scsi IOThreads require
virtio pci or ccw controller address types.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Fix the error message to indicate what exactly is failing - that
the controller index provided matches an existing controller.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Commit id '7ef0471b' added a new parameter to qemuMonitorOpen,
but didn't update the ATTTRIBUTE_NONNULL for the @CB (param 5).
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
Reviewed-by: NKaterina Koukiou <kkoukiou@redhat.com>

On start up of libvirtd the worker pool of the QEMU driver must be
initialized before trying to reconnect to all the running QEMU
instances. Otherwise segmentation faults can occur if there are QEMU
monitor events emitted.

 #0  __GI___pthread_mutex_lock
 #1  0x000003fffdba9e62 in virMutexLock
 #2  0x000003fffdbab2dc in virThreadPoolSendJob
 #3  0x000003ffd8343b70 in qemuProcessHandleSerialChanged
 #4  0x000003ffd836a776 in qemuMonitorEmitSerialChange
 #5  0x000003ffd8378e52 in qemuMonitorJSONHandleSerialChange
 #6  0x000003ffd8378930 in qemuMonitorJSONIOProcessEvent
 #7  0x000003ffd837edee in qemuMonitorJSONIOProcessLine
 #8  0x000003ffd837ef86 in qemuMonitorJSONIOProcess
 #9  0x000003ffd836757a in qemuMonitorIOProcess
 #10 0x000003ffd836863e in qemuMonitorIO
 #11 0x000003fffdb4033a in virEventPollDispatchHandles
 #12 0x000003fffdb4055e in virEventPollRunOnce
 #13 0x000003fffdb3e782 in virEventRunDefaultImpl
 #14 0x000003fffdc89400 in virNetDaemonRun
 #15 0x000000010002a816 in main
Signed-off-by: NMarc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

The default is stable per machine type so there should be no need to keep that.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1469338Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

For getting the reply I queried the newest and oldest QEMU using
test/qemucapsprobe.  From the differences I only extracted the reply to the new
QMP command and discarded the rest.  For all the versions below the one which
added support for the new option I used the output from the oldest QEMU release
and for those that support it I used the output from the newest one.

In order to make doubly sure the reply is where it is supposed to be (the
replies files are very forgiving) I added the property to all the replies files,
reran the tests again and fixed the order in replies files so that all the
versions are reporting the new capability.  Then removed that one property.

After that I used test/qemucapsfixreplies to fix the reply IDs.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

One of the things that this is improving is the fact that instead of error
message (that was wrong) you get when starting a domain with SMM and i440fx we
allow the setting to go through.  SMM option exists and makes sense on i440fx as
well (basically whenever that _SMM_OPT capability is set).
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

We are still hoping all of such checks will be moved there and this is one small
step in that direction.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

To avoid problems with test cases specifying an alias machine type which
would change once capabilities for a newer version are added strip all
alias machine types for the DO_TEST_CAPS_LATEST based tests.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

All callers pass 'false' now so it's no longer needed.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Previous patch naively removed all code relevant to disk format
checking. The semantics now dictate that the format check when creating
external snapshots is now impossible as we always fill in the format for
disks in domain definition in the post-parse callback.

Remove the impossible code path.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

The option is insecure and it has been long enough for users to migrate
their disk files to use explicit format. Drop the option and related
code.

The config parser still parses it and rejects statup if it's still
present in the config in enabled state.

The augeas lens is also kept so that users can disable it.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

qemu_tpm.c is not calling any capng_* functions. Let's drop this
include then. This also fixes a build failure without capng.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>