yahoo-eng-team team mailing list archive
Message #96381
[Bug 2117170] Re: vmcoreinfo should not be automatically added to encrypted guests
Reviewed: https://review.opendev.org/c/openstack/nova/+/958868
Committed: https://opendev.org/openstack/nova/commit/79846eb0d08e289326af372db87762d66e0c688f
Submitter: "Zuul (22348)"
Branch: master
commit 79846eb0d08e289326af372db87762d66e0c688f
Author: Takashi Kajinami <kajinamit@xxxxxxxxxxxxxxx>
Date: Fri Aug 29 21:10:05 2025 +0900
libvirt: Disable VMCoreInfo device for SEV-encrypted instances
When VMCoreInfo device is enabled, the QEMU fw_cfg device in guest OS
requires DMA between host OS and guest OS through the device. However
DMA is prohibited when guest memory is encrypted using SEV, and
the attempt results in kernel crash.
Do not add VMCoreInfo when memory encryption is enabled.
Closes-Bug: #2117170
Change-Id: I05c7b1ae46ccd8d9aa42456b493ac6ee7ddd8bae
Signed-off-by: Takashi Kajinami <kajinamit@xxxxxxxxxxxxxxx>
** Changed in: nova
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/2117170
Title:
vmcoreinfo should not be automatically added to encrypted guests
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) 2024.1 series:
Confirmed
Status in OpenStack Compute (nova) 2024.2 series:
Triaged
Status in OpenStack Compute (nova) 2025.1 series:
In Progress
Status in OpenStack Compute (nova) 2025.2 series:
Fix Released
Bug description:
Nova automatically adds `-device vmcoreinfo` to support processing
kernel dumps with KASLR enabled. When this feature is enabled in
conjunction with deploying an encrypted guest on AMD SEV, the guest OS
fails to fully boot, e.g.:
sh-5.1$ openstack console log show 86158e5e-22df-4453-969b-d0879c1d1dc2
BdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x2)/Pci(0x0,0x0)
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x2)/Pci(0x0,0x0)
Booting `Red Hat Enterprise Linux (5.14.0-277.el9.x86_64) 9.2 (Plow)'
[ 0.000000] Linux version 5.14.0-277.el9.x86_64 (mockbuild@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) (gcc (GCC) 11.3.1 20221121 (Red Hat 11.3.1-4), GNU ld version 2.35.2-37.el9) #1 SMP PREEMPT_DYNAMIC Fri Feb 17 09:45:09 EST 2023
[ 0.000000] The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.
[ 0.000000] Command line: BOOT_IMAGE=(hd0,gpt3)/vmlinuz-5.14.0-277.el9.x86_64 root=UUID=6089295f-e6a6-4d0c-8096-5996a463fd35 console=tty0 console=ttyS0,115200n8 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[ 0.000000] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 0.000000] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format.
....REMOVED FOR BREVITY....
[ 2.948593] input: VirtualPS/2 VMware VMMouse as /devices/platform/i8042/serio1/input/input3
[ 28.266697] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]
[ 28.266697] Modules linked in:
[ 28.266697] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.14.0-277.el9.x86_64 #1
[ 28.266697] Hardware name: Red Hat OpenStack Compute/RHEL, BIOS edk2-20231122-6.el9 11/22/2023
[ 28.266697] RIP: 0010:fw_cfg_write_vmcoreinfo+0x154/0x210
[ 28.266697] Code: 1a 02 48 89 d8 48 c1 e8 20 48 89 c7 e8 f5 8c d0 ff 0f ae f8 48 8b 05 0b f4 1a 02 89 df 48 8d 70 04 e8 e0 8c d0 ff eb 02 f3 90 <8b> 45 00 0f c8 0f ae e8 83 e0 fe 75 f1 8b 45 00 0f c8 83 e0 01 83
[ 28.266697] RSP: 0018:ffffa8178001fc10 EFLAGS: 00000206
[ 28.266697] RAX: 0000000051946f84 RBX: 0000000002107590 RCX: 0000000000000001
[ 28.266697] RDX: 0000000000010518 RSI: 0000000000010518 RDI: 0000000090751002
[ 28.266697] RBP: ffff9aa002107590 R08: 0000000000000010 R09: ffffffffb34eff80
[ 28.282722] R10: ffff9aa002b14948 R11: 0000000000000000 R12: ffff9aa082107540
[ 28.282722] R13: ffff9aa030b94000 R14: ffff9aa0311d2128 R15: 0000000000000000
[ 28.282722] FS: 0000000000000000(0000) GS:ffff9aa03ca00000(0000) knlGS:0000000000000000
[ 28.282722] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.282722] CR2: 0000000000000000 CR3: 000080001b410000 CR4: 0000000000350ef0
[ 28.282722] Call Trace:
[ 28.282722] <TASK>
[ 28.282722] fw_cfg_register_file+0x196/0x1c0
[ 28.282722] fw_cfg_register_dir_entries+0xa4/0xf0
[ 28.282722] fw_cfg_sysfs_probe+0x112/0x180
[ 28.293721] platform_probe+0x3f/0xa0
[ 28.293721] really_probe+0xe1/0x3a0
[ 28.293721] ? pm_runtime_barrier+0x50/0x90
[ 28.293721] __driver_probe_device+0x105/0x180
[ 28.293721] driver_probe_device+0x1e/0x90
[ 28.293721] __driver_attach+0x9d/0x1f0
[ 28.293721] ? __device_attach_driver+0x110/0x110
[ 28.293721] ? __device_attach_driver+0x110/0x110
[ 28.293721] bus_for_each_dev+0x78/0xc0
[ 28.293721] bus_add_driver+0x15c/0x210
[ 28.293721] driver_register+0x8f/0xf0
[ 28.293721] ? firmware_map_add_early+0x56/0x56
[ 28.293721] fw_cfg_sysfs_init+0x3b/0x64
[ 28.293721] ? firmware_map_add_early+0x56/0x56
[ 28.293721] do_one_initcall+0x44/0x200
[ 28.293721] do_initcalls+0xc6/0xdf
[ 28.293721] kernel_init_freeable+0x153/0x1a2
[ 28.293721] ? rest_init+0xd0/0xd0
[ 28.293721] kernel_init+0x16/0x130
[ 28.293721] ret_from_fork+0x22/0x30
[ 28.293721] </TASK>
[ 56.266735] watchdog: BUG: soft lockup - CPU#0 stuck for 52s! [swapper/0:1]
[ 56.266735] Modules linked in:
[ 56.266735] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G L -------- --- 5.14.0-277.el9.x86_64 #1
[ 56.269723] Hardware name: Red Hat OpenStack Compute/RHEL, BIOS edk2-20231122-6.el9 11/22/2023
[ 56.269723] RIP: 0010:fw_cfg_write_vmcoreinfo+0x154/0x210
[ 56.269723] Code: 1a 02 48 89 d8 48 c1 e8 20 48 89 c7 e8 f5 8c d0 ff 0f ae f8 48 8b 05 0b f4 1a 02 89 df 48 8d 70 04 e8 e0 8c d0 ff eb 02 f3 90 <8b> 45 00 0f c8 0f ae e8 83 e0 fe 75 f1 8b 45 00 0f c8 83 e0 01 83
[ 56.269723] RSP: 0018:ffffa8178001fc10 EFLAGS: 00000206
[ 56.269723] RAX: 0000000051946f84 RBX: 0000000002107590 RCX: 0000000000000001
[ 56.269723] RDX: 0000000000010518 RSI: 0000000000010518 RDI: 0000000090751002
[ 56.269723] RBP: ffff9aa002107590 R08: 0000000000000010 R09: ffffffffb34eff80
[ 56.282723] R10: ffff9aa002b14948 R11: 0000000000000000 R12: ffff9aa082107540
[ 56.282723] R13: ffff9aa030b94000 R14: ffff9aa0311d2128 R15: 0000000000000000
[ 56.285724] FS: 0000000000000000(0000) GS:ffff9aa03ca00000(0000) knlGS:0000000000000000
[ 56.285724] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.285724] CR2: 0000000000000000 CR3: 000080001b410000 CR4: 0000000000350ef0
[ 56.285724] Call Trace:
[ 56.285724] <TASK>
[ 56.285724] fw_cfg_register_file+0x196/0x1c0
[ 56.285724] fw_cfg_register_dir_entries+0xa4/0xf0
[ 56.285724] fw_cfg_sysfs_probe+0x112/0x180
[ 56.285724] platform_probe+0x3f/0xa0
[ 56.285724] really_probe+0xe1/0x3a0
[ 56.285724] ? pm_runtime_barrier+0x50/0x90
[ 56.285724] __driver_probe_device+0x105/0x180
[ 56.285724] driver_probe_device+0x1e/0x90
[ 56.285724] __driver_attach+0x9d/0x1f0
[ 56.285724] ? __device_attach_driver+0x110/0x110
[ 56.285724] ? __device_attach_driver+0x110/0x110
[ 56.285724] bus_for_each_dev+0x78/0xc0
[ 56.285724] bus_add_driver+0x15c/0x210
[ 56.285724] driver_register+0x8f/0xf0
[ 56.285724] ? firmware_map_add_early+0x56/0x56
[ 56.285724] fw_cfg_sysfs_init+0x3b/0x64
[ 56.285724] ? firmware_map_add_early+0x56/0x56
[ 56.285724] do_one_initcall+0x44/0x200
[ 56.285724] do_initcalls+0xc6/0xdf
[ 56.285724] kernel_init_freeable+0x153/0x1a2
[ 56.285724] ? rest_init+0xd0/0xd0
[ 56.285724] kernel_init+0x16/0x130
[ 56.285724] ret_from_fork+0x22/0x30
[ 56.285724] </TASK>
...
Steps to reproduce
==================
1. Deploy an environment that supports AMD SEV.
2. Create a flavor with "hw:mem_encryption": 'true' and an image with "hw_firmware_type": "uefi", "hw_machine_type": "q35".
3. Boot a guest with the flavor/image combination and inspect the console logs.
Expected result
===============
Guest fully boots
Actual result
===============
Guest fails to fully boot
Environment
===========
1. This was found in downstream RHOSO 18
2. Libvirt + KVM with AMD EPYC 7402
2. LVM
3. OVN
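The condition described in the commit message above, written as a check over libvirt domain XML. This is an added example, not code from the Nova change or from this thread. It assumes libvirt's `<launchSecurity type='sev'>` and `<features><vmcoreinfo/>` domain elements; the function names and the sample domains are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def sev_launch_type(domain):
    """Return the launchSecurity type if it is an SEV variant, else None."""
    node = domain.find("./launchSecurity")
    kind = node.get("type", "") if node is not None else ""
    return kind if kind.startswith("sev") else None

def vmcoreinfo_enabled(domain):
    """True when <features><vmcoreinfo/> is present and not state='off'."""
    node = domain.find("./features/vmcoreinfo")
    return node is not None and node.get("state", "on") != "off"

def audit_domain(domain_xml):
    """Return a finding string for an SEV guest with vmcoreinfo, else None."""
    # Input is expected to be trusted `virsh dumpxml` output.
    domain = ET.fromstring(domain_xml)
    name = domain.findtext("name", default="(unnamed)")
    kind = sev_launch_type(domain)
    if kind and vmcoreinfo_enabled(domain):
        return f"{name}: launchSecurity type='{kind}' with vmcoreinfo enabled"
    return None

# Constructed sample domains (names and values are illustrative).
AFFECTED = """<domain type='kvm'><name>sev-guest-a</name>
  <features><acpi/><vmcoreinfo state='on'/></features>
  <launchSecurity type='sev'><cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits><policy>0x0033</policy></launchSecurity>
</domain>"""
FIXED = """<domain type='kvm'><name>sev-guest-b</name>
  <features><acpi/></features>
  <launchSecurity type='sev'><policy>0x0033</policy></launchSecurity>
</domain>"""
PLAIN = """<domain type='kvm'><name>plain-guest</name>
  <features><acpi/><vmcoreinfo state='on'/></features>
</domain>"""

def audit_all(domains):
    """Collect findings for every domain XML string in the iterable."""
    return [f for f in map(audit_domain, domains) if f]

if __name__ == "__main__":
    for finding in audit_all([AFFECTED, FIXED, PLAIN]):
        print(finding)
```

Run against the XML of existing guests on a compute host, it lists instances defined before the fix that still carry the device alongside memory encryption.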