Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

In qemu, enabling this feature boils down to adding the following
onto the command line:

  -global driver=cfi.pflash01,property=secure,value=on

However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

This element will control secure boot implemented by some
firmwares. If the firmware used in <loader/> does support the
feature we must tell it to the underlying hypervisor. However, we
can't know whether loader does support it or not just by looking
at the file. Therefore we have to have an attribute to the
element where users can tell us whether the firmware is secure
boot enabled or not.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Since its release of 2.4.0 qemu is able to enable System
Management Module in the firmware, or disable it. We should
expose this capability in the XML. Unfortunately, there's no good
way to determine whether the binary we are talking to supports
it. I mean, if qemu's run with real machine type, the smm
attribute can be seen in 'qom-list /machine' output. But it's not
there when qemu's run with -M none. Therefore we're stuck with
version based check.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

We use 'goto cleanup' for a reason. If a function can exit at
many places but doesn't follow the pattern, it has to copy the
free code in multiple places.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

With newest gnutls available in Fedora 25/rawhide, it is
possible to have TLS priority fallbacks, so we can finally
use --tls-priority=@LIBVIRT,SYSTEM
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

All these configurations are already covered for qemuxml2argv,
but there were no equivalent tests for qemuxml2xml.

Now that DO_TEST() can be passed capabilities, there is little
need to use DO_TEST_FULL() instead of DO_TEST().

This will allow us to remove most DO_TEST_FULL() usages. For the
time being, just add the extra argument to all DO_TEST() calls.

A bunch of cases were only being tested for WHEN_ACTIVE or
WHEN_INACTIVE. Use WHEN_BOTH for all except the very few that
actually require the existing setup.

Instead of testing it twice using WHEN_ACTIVE and WHEN_INACTIVE
separately, just use WHEN_BOTH.

The test case uses DO_TEST_PARSE_FLAGS_ERROR(), but doesn't
pass any parse flag. Use DO_TEST_PARSE_ERROR() instead.

DO_TEST_FAILURE() doesn't take a GIC version, but the GIC flag
was passed anyway. Get rid of all such occurrences.

While no leak was observed yet, there might be one if
virObjectEventClass is ever derived from another class. Because
in that case plain VIR_FREE() will not call dispose() from parent
classes possibly leaking some memory.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

In the cleanup path, @vm cannot be possibly NULL. If it were so,
we would receive SIGSEGV much earlier. At the beginning of the
function we do libxlDomainObjBeginJob(.., vm, ..); and so on.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

In our attempts to reconnect, we may create a polkit daemon.
However, it may happen that we would rewrite the variable that
already holds pointer to the agent.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

At the beginning of the test, some preparation work is done. For
instance new virSecurityManager is created. If this fails for
whatever reason, we try to fetch the latest error and print the
error message contained in it. However, if there's a bug in our
code and no error is reported, this approach will lead to crash,
while with virGetLastErrorMessage() it won't.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

The virJSONValueArraySize() function return ssize_t (with
possibly returning -1 if the passed json is not an array).
Storing the return value into size_t is possibly dangerous then.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Call the vcpu thread info validation separately to decrease complexity
of returned values by qemuDomainRefreshVcpuInfo.

This function now returns 0 on success and -1 on error. Certain
failures of qemu to report data are still considered as success. Any
error reported now is fatal.

Validate the presence of the thread id according to state of the vCPU
rather than just checking the vCPU count. Additionally put the new
validation code into a separate function so that the information
retrieval can be split from the validation.

Use a name that contains the command used to get the information.

The function will eventually do more useful stuff than just detection of
thread ids.

If the VM is offline we can't retrieve the runtime statistical
information. Pinning could be retrieved but there are separate APIs for
that.

Assure that it's just one statement to avoid problems when used with
conditions.

Rather than formatting a string and splitting it back to a JSON object
add API that will take a JSON object directly.

Since 2bfa7513 virObjectEventNew can be passed a NULL 'uuid' value,
so drop the ATTRIBUTE_NONNULL annotation

Long, long ago before libxl_get_required_shadow_memory() was
made publicly available, its code was copied to the libxl driver
for calculating shadow memory requirements of HVM domains.

Long ago, libxl_get_required_shadow_memory() was exported in
libxl_utils.h and included in xen-devel packages everywhere.

Remove the copied code, which has become stale, and let libxl
provode a proper shadow memory value.

https://bugzilla.redhat.com/show_bug.cgi?id=1356937

Add support for IOThread quota/bandwidth and period parameters for non
session mode. If in session mode, then error out.  Uses all the same
places where {vcpu|emulator|global}_{period|quota} are adjusted and
adds the iothread values.

https://bugzilla.redhat.com/show_bug.cgi?id=1356937

Add the definitions to allow for viewing/setting cgroup period and quota
limits for IOThreads.

This is similar to the work done for emulator quota and period by
commit ids 'b65dafa8' and 'e051c482'.

Being able to view/set the IOThread specific values is related to more
recent changes adding global period (commmit id '4d92d58f') and global
quota (commit id '55ecdae0') definitions and qemu support (commit id
'4e17ff79' and 'fbcbd1b2'). With a global setting though, if somehow
the IOThread value in the cgroup hierarchy was set "outside of libvirt"
to a value that is incompatible with the global value.

Allowing control over IOThread specific values provides the capability
to alter the IOThread values as necessary.

If you invoke virDomainLxcEnterSecurityLabel() on security
model of "none" it will report an error. Logically a "none"
security model should be treated as a no-op, so we should
just return success immediately, instead of an error.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Avoid reporting a stale errno value when the syscall succeeds,
instead always pass 0.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The prettified JSON string already contains a newline so don't print
another one. This allows to pipe the json output (in conjunction with
the --quiet option) to files without having to truncate them afterwards.

Failure to parse the schema file would not trigger a test suite failure.

In addition to making the test fail it's necessary to split up the
parsing of the schema file into a separate test.

This is necessary as the XML validator uses libvirt errors to report
problems parsing of the actual schema RNG needs to be split out into a
separate function and called via virTestRun which has the
infrastructure to report them.

https://bugzilla.redhat.com/show_bug.cgi?id=1289391

Rather than pass the whole drive string (which contained the alias),
pass only the alias for the qemuMonitorDriveDel call in the error
path when adding a host device in the monitor fails.

When building the command line alias and for SCSI Host Device deletion,
use the common API to build the alias

Introduce a common API to generate the alias for a host device

Completion of fix for:
    https://bugzilla.redhat.com/show_bug.cgi?id=1336225

Similar to the other disk types, add the qemuMonitorDriveDel in the failure
to add/hotplug a SCSI disk.

Partial fix for:
    https://bugzilla.redhat.com/show_bug.cgi?id=1336225

Similar to the other disk types, add the qemuMonitorDriveDel in the failure
to add/hotplug a USB.

Added a couple of other formatting changes just to have a less cluttered look

Move QEMU_DRIVE_HOST_PREFIX into the qemu_alias.c to dissuade future
callers from using it. Create qemuAliasDiskDriveSkipPrefix in order
to handle the current consumers that desire to check if an alias has
the drive- prefix and "get beyond it" in order to get the disk alias.