From: Peter Krempa
To: libvir-list@redhat.com
Cc: Peter Krempa
Date: Fri, 24 Mar 2017 14:05:42 +0100
Message-Id: <7aaf2a7a68217f92a31004671138f002e0a6612a.1490360622.git.pkrempa@redhat.com>
Subject: [libvirt] [PATCH v3 3/3] qemu: snapshot: Forbid internal snapshots with pflash firmware

If the variable store () file is raw qemu can't do a snapshot of it and
thus the snapshot would be incomplete. QEMU does not reject such snapshot.

Additionally allowing to use a qcow2 variable store backing file would
solve this issue but then it would become eligible to become target of
the memory dump.

Offline internal snapshot would be incomplete too with either storage
format since libvirt does not handle the pflash file in this case.

Forbid such snapshot so that we can avoid problems.
---

Notes:
    v3:
    - allow overriding of the check by specifying VIR_DOMAIN_SNAPSHOT_CREATE_UNSAFE
    - report VIR_ERR_OPERATION_UNSAFE (instead of VIR_ERR_OPERATION_UNSUPPORTED)
    - tweaked comment in code (since it's not forbidden completely)
    - tweaked error message

    v2:
    - changed error code to OPERATION_UNSUPPORTED (from CONFIG_UNSUPPORTED)
    - dropped mention of QEMU from the error message
    - dropped mentions of OVMF or the firmware itself altogether, the culprit
      is the pflash device regardless of the software it contains
    - mentioned all the stuff in the commit message and comment

    We also will need to introduce a way to snapshot the pflash for external
    snapshots which is currently impossible as well, but fortunately does not
    have inherent drawbacks as internal snapshots.

 src/qemu/qemu_driver.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 02cdd2f6b..2ca839f1c 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -13754,6 +13754,7 @@ qemuDomainSnapshotPrepare(virConnectPtr conn, bool active =3D virDomainObjIsActive(vm); bool reuse =3D (*flags & VIR_DOMAIN_SNAPSHOT_CREATE_REUSE_EXT) !=3D 0; bool atomic =3D (*flags & VIR_DOMAIN_SNAPSHOT_CREATE_ATOMIC) !=3D 0; + bool unsafe =3D (*flags & VIR_DOMAIN_SNAPSHOT_CREATE_UNSAFE) !=3D 0; bool found_internal =3D false; bool forbid_internal =3D false; int external =3D 0; 
@@ -13873,6 +13874,20 @@ qemuDomainSnapshotPrepare(virConnectPtr conn, goto cleanup; } + /* internal snapshots + pflash based loader have the following problem= s: + * - if the variable store is raw, the snapshot is incomplete + * - alowing a qcow2 image as the varstore would make it eligible to r= eceive + * the vmstate dump, which would make it huge + * - offline snapshot would not snapshot the varstore at all + */ + if (!unsafe && found_internal && + vm->def->os.loader->type =3D=3D VIR_DOMAIN_LOADER_TYPE_PFLASH) { + virReportError(VIR_ERR_OPERATION_UNSAFE, "%s", + _("internal snapshots of a VM with pflash based " + "firmware can corrupt the nvram data")); + goto cleanup; + } + /* Alter flags to let later users know what we learned. */ if (external && !active) *flags |=3D VIR_DOMAIN_SNAPSHOT_CREATE_DISK_ONLY; --=20 2.12.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
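
Review bot: Missing documentation for the override introduced by the new "unsafe" local at the top of qemuDomainSnapshotPrepare() (first hunk): the diffstat shows only src/qemu/qemu_driver.c changing, so nothing in this patch tells API users that VIR_DOMAIN_SNAPSHOT_CREATE_UNSAFE now also skips the pflash check. If the earlier patches in the series do not already cover it, please add a sentence to the flag's description saying that passing it allows an internal snapshot whose NVRAM contents are not captured, so callers know what they are opting into.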
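
Review bot: Missing NULL check in the new condition of the second hunk: vm->def->os.loader->type is dereferenced without first testing vm->def->os.loader, and nothing in the visible lines guarantees that pointer is set for every domain that reaches this point with found_internal true. A guest defined without a loader would crash the daemon here instead of taking the snapshot. Suggest extending the condition to "if (!unsafe && found_internal && vm->def->os.loader && vm->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_PFLASH)". Minor: "alowing" in the added comment should read "allowing".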