The Ubuntu-power-systems project

power8 machines need FW update or qemu/libvirt code - cap-cfpc=broken

Bug #1839065 reported by Christian Ehrhardt  on 2019-08-06

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	The Ubuntu-power-systems project	Fix Released	High	Unassigned

Bug Description

I just tried (first time for a while) a very recent qemu on a power8 machine.

I ran into this:
qemu-system-ppc64le: Requested safe cache capability level not supported by kvm, try cap-cfpc=broken

Now I wonder, do we "just" need a FW update for the scope of spectre/meltdown&co.
Or does the qemu actually need extra pacthes to work well again with power8 machines?

Steps to reproduce:
- power8 machine
- install eoan (qemu 4.0)
- try to start a KVM guest

Current vulnerabilities as reported by the kernel:
/sys/devices/system/cpu/vulnerabilities/l1tf
Not affected
/sys/devices/system/cpu/vulnerabilities/mds
Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: RFI Flush
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Kernel entry/exit barrier (hwsync)
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable

Caps and Domcaps:
$ virsh capabilities
<capabilities>

  <host>
    <uuid>de868906-44ea-4d29-85dd-138f8daf2d49</uuid>
    <cpu>
      <arch>ppc64le</arch>
      <model>POWER8</model>
      <vendor>IBM</vendor>
      <topology sockets='1' cores='5' threads='8'/>
      <pages unit='KiB' size='64'/>
      <pages unit='KiB' size='16384'/>
      <pages unit='KiB' size='16777216'/>
    </cpu>
    <power_management>
      <suspend_mem/>
    </power_management>
    <iommu support='yes'/>
    <migration_features>
      <live/>
      <uri_transports>
        <uri_transport>tcp</uri_transport>
        <uri_transport>rdma</uri_transport>
      </uri_transports>
    </migration_features>
    <topology>
...

$ virsh domcapabilities
<domainCapabilities>
  <path>/usr/bin/qemu-system-ppc64</path>
  <domain>kvm</domain>
  <machine>pseries-eoan</machine>
  <arch>ppc64le</arch>
  <vcpu max='1024'/>
  <iothreads supported='yes'/>
  <os supported='yes'>
    <enum name='firmware'/>
    <loader supported='yes'>
      <enum name='type'>
        <value>rom</value>
        <value>pflash</value>
      </enum>
      <enum name='readonly'>
        <value>yes</value>
        <value>no</value>
      </enum>
      <enum name='secure'>
        <value>no</value>
      </enum>
    </loader>
  </os>
  <cpu>
    <mode name='host-passthrough' supported='yes'/>
    <mode name='host-model' supported='yes'>
      <model fallback='allow'>POWER8</model>
      <vendor>IBM</vendor>
    </mode>
    <mode name='custom' supported='no'/>
  </cpu>
...

As a fallback, I haven't foudn the right libvirt'y way to specify cap-cfpc to qemu.
I know we did with HTM but it seems all other controls but HTM got dropped?
=> https://www.redhat.com/archives/libvir-list/2018-March/msg00474.html

Sorry, but I'm lost and trying random optins seems wrong.
I'm sure you run P8 regularly and know what we'd need.
=> how would I get to use a guest on these machines?

Tags:

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-08-06:

I need "-machine pseries-eoan,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken" to get further.
So all the list that was discussed back then.
Hopefully this is just a loack of knowledge on my side how to start ppc guests on these machines these days.

Frank Heimes (fheimes) on 2019-08-06

tags:	added: ppc64el
Changed in ubuntu-power-systems:
importance:	Undecided → High
assignee:	nobody → bugproxy (bugproxy)

Frank Heimes (fheimes) on 2019-08-12

tags:

added: reverse-proxy-bugzilla

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-08-19:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qemu (Ubuntu):
status:	New → Confirmed

Revision history for this message

Mike Ranweiler (mranweil) wrote on 2019-08-19:

This should be fixed with a firmware update - I'm getting those together, I assume for all. I don't know if this was on a garrison or tuleta, etc, but at least one of those needs an update for this issue.

Revision history for this message

Frank Heimes (fheimes) wrote on 2019-08-19:

Hi Michael, a Tuleta system was used in this case (P8, 8247, 22L).

Revision history for this message

Andrew Cloke (andrew-cloke) wrote on 2019-08-19:

Marking as "in progress" while awaiting the f/w update.

Changed in ubuntu-power-systems:
status:	New → In Progress

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-08-22:

Workaround for now (until FW updates?)
Copy the -machine that libvirt would emit (in my case pseries-eoan,accel=kvm,usb=off,dump-guest-core=off) append it with the broken states and force it to the commandline.

$ virt-xml test-huge-mem-init --edit --confirm --qemu-commandline '-machine pseries-eoan,accel=kvm,usb=off,dump-guest-core=off,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken'

That makes the guest start for now, but is a very ugly workaround

Revision history for this message

Andrew Cloke (andrew-cloke) wrote on 2019-09-02:

Moving to "Incomplete" while awaiting f/w update.

Changed in ubuntu-power-systems:
status:	In Progress → Incomplete

Revision history for this message

Andrew Cloke (andrew-cloke) wrote on 2019-09-09:

Firmware update now communicated. Moving to "in progress".

Changed in ubuntu-power-systems:
status:	Incomplete → In Progress

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-24:

FYI: Wichita (which we updated) is locked by the kernel team atm. I pinged to release once their tests are done.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-24:

#10

Ok, I can confirm that with:
Version of System Firmware is FW860.70 (SV860_205) (t) FW860.70 (SV860_205) (p) FW860.70 (SV860_205) (b)

Guests now run fine not crashing into the issue they had before.

This FW still has:
ubuntu@wichita:~$ sudo qemu-system-ppc64 -enable-kvm -nographic -machine pseries-3.1,cap-cfpc=fixed
qemu-system-ppc64: Requested safe cache capability level not supported by kvm, try cap-cfpc=workaround

The same happens to many other P9 only features, but that is fine.
At least broken and workaround work now (and the default without adding an argument).

Marking as resolved.

Changed in qemu (Ubuntu):
status:	Confirmed → Invalid
Changed in ubuntu-power-systems:
status:	In Progress → Fix Released
assignee:	bugproxy (bugproxy) → nobody