
"To add the patch, add the two lines below to the spec file in the section for patches (usually right below the sources)." about fedora-acs-override (CLOSED)

some-natalie commented on June 12, 2024
"To add the patch, add the two lines below to the spec file in the section for patches (usually right below the sources)."

from fedora-acs-override.

Comments (14)

some-natalie commented on June 12, 2024

Hey @MotorCityCobra, if you're just looking to use the patch on Fedora 36 or 37, you can download the latest RPMs from the Actions workflow. It uploads them as a build artifact in a zip file.

If you're looking to rebuild it following the same steps for FC36/37, you can follow along by running the commands in the Dockerfile, followed by the entrypoint script.

Since I shoved this into a GitHub Action, sed is used to modify the specfile without being interactive (manpage). You can do the same thing interactively with nano or vim.

If you're looking to move this patch to another platform, good luck! The add-acs-override.patch file is complete, but where that goes in your chosen platform's version of the kernel and the build tools available to you are well beyond the scope of anything I could provide insight to.

Best of luck!

from fedora-acs-override.

stefanleh commented on June 12, 2024

Please have a look into https://github.com/some-natalie/fedora-acs-override/blob/main/fc36-action/entrypoint.sh#L20.
There you can find the sed commands which insert the patch definitions into the kernel.spec.

from fedora-acs-override.

MotorCityCobra commented on June 12, 2024

There you can find the sed commands which insert the patch definitions into the kernel.spec

Edit the spec file with some sed magics

sed -i 's/# define buildid .local/%define buildid .acs/g' ~/rpmbuild/SPECS/kernel.spec
sed -i '/^Patch1:/a Patch1000: add-acs-override.patch' ~/rpmbuild/SPECS/kernel.spec
sed -i '/^ApplyOptionalPatch patch-/a ApplyOptionalPatch add-acs-override.patch' ~/rpmbuild/SPECS/kernel.spec

"sed magics"?
I hate to ask for a hand holding, but this ... sed... thing... I use it to derive something that I paste into ~/rpmbuild/SPECS/kernel.spec?

from fedora-acs-override.
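
What the sed commands quoted above do to kernel.spec, as an added example that is not part of the thread or the project's scripts: `sed -i` edits the file in place, and `/pattern/a text` appends a line after each matching line. The helper names and the sample spec excerpt are constructed for illustration, and the one-line `a` form assumes GNU sed (the default on Fedora).

```shell
#!/bin/sh
# Added example: the thread's three sed edits wrapped in a function that edits
# the spec file in place and skips edits that are already present.
# apply_acs_spec_edits, make_sample_spec and demo are hypothetical helper names.

apply_acs_spec_edits() {
    spec=$1
    # 1. Turn the commented-out build id into an active ".acs" tag.
    sed -i 's/# define buildid .local/%define buildid .acs/g' "$spec"
    # 2. Declare the patch: append a line after the existing "Patch1:" line.
    grep -q '^Patch1000: add-acs-override.patch$' "$spec" ||
        sed -i '/^Patch1:/a Patch1000: add-acs-override.patch' "$spec"
    # 3. Apply it in %prep: append after the "ApplyOptionalPatch patch-..." line.
    grep -q '^ApplyOptionalPatch add-acs-override.patch$' "$spec" ||
        sed -i '/^ApplyOptionalPatch patch-/a ApplyOptionalPatch add-acs-override.patch' "$spec"
}

# Constructed excerpt modelled on the kernel.spec lines quoted in this thread.
make_sample_spec() {
    cat > "$1" <<'EOF'
# define buildid .local
Patch1: patch-%{patchversion}-redhat.patch
Patch999999: linux-kernel-test.patch
# END OF PATCH DEFINITIONS
ApplyOptionalPatch patch-%{patchversion}-redhat.patch
ApplyOptionalPatch linux-kernel-test.patch
# END OF PATCH APPLICATIONS
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_spec "$tmp"
    apply_acs_spec_edits "$tmp"
    apply_acs_spec_edits "$tmp"   # second run must not add duplicate lines
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Nothing is pasted by hand: after the run, the spec file itself contains the new `Patch1000:` declaration and the matching `ApplyOptionalPatch` line.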

MotorCityCobra commented on June 12, 2024
To add the patch, add the two lines below to the spec file in the section for patches (usually right below the sources).

I probably sound like I'm nitpicking at this point, but the word 'patches' is in this file dozens of times. Is there a better landmark?

# ACS override patch
Patch1000: add-acs-override.patch

Then tell it to apply the patch in the prep section. It will be below the ApplyOptionalPatch() function definition, normally right above the # END OF PATCH APPLICATIONS comment.

ApplyOptionalPatch add-acs-override.patch

I'm adding 'ApplyOptionalPatch add-acs-override.patch'?

from fedora-acs-override.

MotorCityCobra commented on June 12, 2024

ERROR: Patch add-acs-override.patch not listed as a source patch in specfile

The add-acs-override.patch is in the right place

[star@fedora SPECS]$ cd ~/rpmbuild/SOURCES/
[star@fedora SOURCES]$ ls
add-acs-override.patch                      kernel-kabi-dw-5.17.12-300.tar.bz2  Module.kabi_dup_ppc64le
check-kabi                                  kernel-local                        Module.kabi_dup_s390x
cpupower.config                             kernel-ppc64le-debug-fedora.config  Module.kabi_dup_x86_64
cpupower.service                            kernel-ppc64le-debug-rhel.config    Module.kabi_ppc64le
filter-aarch64.sh.fedora                    kernel-ppc64le-fedora.config        Module.kabi_s390x
filter-aarch64.sh.rhel

From the spec file. And %define buildid .acs is at the top.

cd linux-%{KVERREL}
cp -a %{SOURCE1} .
%if !%{nopatches}
ApplyOptionalPatch patch-%{patchversion}-redhat.patch
%endif
ApplyOptionalPatch linux-kernel-test.patch
ApplyOptionalPatch add-acs-override.patch

# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.   
chmod +x scripts/checkpatch.pl
mv COPYING COPYING-%{version}-%{release}

# This Prevents scripts/setlocalversion from mucking with our version numbers.
touch .scmversion

## Patches needed for building this package
%if !%{nopatches}
#ACS override patch
Patch1000: add-acs-override.patch
Patch1: patch-%{patchversion}-redhat.patch
%endif
# empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch
# END OF PATCH DEFINITIONS         

from fedora-acs-override.

some-natalie commented on June 12, 2024

Lastly, thanks @stefanleh for answering questions and generally being awesome! I appreciate it! ❤️

from fedora-acs-override.

MotorCityCobra commented on June 12, 2024

Lastly ❤️

I'm having trouble with libvirt and kvm with this kernel. Is AMD not supported for virtualization with Fedora 36?

[star@fedora ~]$ sudo systemctl status libvirtd
● libvirtd.service - Virtualization daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-04-10 21:08:11 EDT; 8s ago
TriggeredBy: ● libvirtd-ro.socket
● libvirtd.socket
○ libvirtd-tls.socket
● libvirtd-admin.socket
○ libvirtd-tcp.socket
Docs: man:libvirtd(8)
https://libvirt.org
Main PID: 1334 (libvirtd)
Tasks: 19 (limit: 32768)
Memory: 15.2M
CPU: 148ms
CGroup: /system.slice/libvirtd.service
└─ 1334 /usr/sbin/libvirtd --timeout 120

Apr 10 21:08:11 fedora systemd[1]: Starting libvirtd.service - Virtualization daemon...
Apr 10 21:08:11 fedora systemd[1]: Started libvirtd.service - Virtualization daemon.
Apr 10 21:08:11 fedora libvirtd[1334]: libvirt version: 8.1.0, package: 2.fc36 (Fedora Project, 2022-03-13-01:12:58, )
Apr 10 21:08:11 fedora libvirtd[1334]: hostname: fedora
Apr 10 21:08:11 fedora libvirtd[1334]: Unable to open /dev/kvm: No such file or directory
[star@fedora ~]$
[star@fedora ~]$
[star@fedora ~]$ sudo modprobe kvm
[star@fedora ~]$ sudo modprobe kvm_amd # for AMD CPUs
modprobe: ERROR: could not insert 'kvm_amd': Operation not supported

from fedora-acs-override.

some-natalie commented on June 12, 2024

I'm having trouble with libvirt and kvm with this kernel. Is AMD not supported for virtualization with Fedora 36?

Sorry to say I have no idea - I'd assume it'd work. Fedora help is probably a much better place to ask. ❤️

from fedora-acs-override.

stefanleh commented on June 12, 2024

In my NAS server I'm using an AMD Ryzen 7 PRO 5750G CPU, which should have the same virtualisation features as every Ryzen CPU since Ryzen 7 1700 times. Maybe you need to activate SMV or the like in your BIOS first?


[root@server ~]# lsmod | grep kvm
kvm_amd               204800  8
kvm                  1318912  1 kvm_amd
irqbypass              16384  35 vfio_pci_core,kvm
ccp                   143360  1 kvm_amd

[root@server ~]# lscpu 
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         48 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  16
  On-line CPU(s) list:   0-15
Vendor ID:               AuthenticAMD
  BIOS Vendor ID:        Advanced Micro Devices, Inc.
  Model name:            AMD Ryzen 7 PRO 5750G with Radeon Graphics
    BIOS Model name:     AMD Ryzen 7 PRO 5750G with Radeon Graphics      Unknown CPU @ 3.8GHz
    BIOS CPU family:     107
    CPU family:          25
    Model:               80
    Thread(s) per core:  2
    Core(s) per socket:  8
    Socket(s):           1
    Stepping:            0
    Frequency boost:     enabled
    CPU(s) scaling MHz:  75%
    CPU max MHz:         4672.0698
    CPU min MHz:         1400.0000
    BogoMIPS:            7585.79
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a mis
                         alignsse 3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba ibrs ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local clzero irperf xsaveerptr rd
                         pru wbnoinvd cppc arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif v_spec_ctrl umip pku ospke vaes vpclmulqdq rdpid overflow_recov succor smca fsrm
Virtualization features: 
  Virtualization:        AMD-V

from fedora-acs-override.

stefanleh commented on June 12, 2024

Also pls read here: https://www.alibabacloud.com/tech-news/virtualization/2dv-how-to-check-hardware-virtualization-support-in-linux

There are some hints on how to check if virtualisation support is given and active.

from fedora-acs-override.

MotorCityCobra commented on June 12, 2024

Maybe you need to activate SMV or the like in your Bios first?

It was this. *SVM actually, but I knew what you meant. I needed to enable it. Duh. I thought all my virtualization settings were on because I was creating VMs with all the same settings on an Ubuntu Server install. So, KVM for AMD works now, and I also made this change...

sudo systemctl disable --now libvirtd.service
sudo systemctl disable --now libvirtd.socket

sudo systemctl enable --now virtqemud.socket
sudo systemctl enable --now virtqemud.service

sudo systemctl status virtqemud.service

VMs working with most devices in their own IOMMU groups now. Thank you.

from fedora-acs-override.

MotorCityCobra commented on June 12, 2024

I'd like to glomb some more information if either would care to indulge, since you two know so much. I see that it does not separate every single device into its own IOMMU like other patches I've used in the past. Is this patch more secure as a result?

from fedora-acs-override.

stefanleh commented on June 12, 2024

There are some "modes" you can pick from which define how the ACS patch acts regarding separation.
Please see "6.5 Bypassing the IOMMU groups (ACS override patch)" here https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF on how to set the mode fitting your needs.
For example my kernel options for ACS are: pcie_acs_override=downstream,multifunction

from fedora-acs-override.

stefanleh commented on June 12, 2024

And about security: the ACS patch lowers security by overriding the separation provided by IOMMU. The more the patch needs to tweak hardware/firmware separation, the more your security will suffer. But of course it depends on what you do with the system: do you let strangers access some of your VMs? The worst scenario is that an attacker gets high rights on a VM a device is passed through to, and he can use the weakened separation to get access to another device via DMA.

from fedora-acs-override.
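
A way to see the grouping discussed in this thread on your own host, as an added example that is not from the thread or the project: it lists the kernel's IOMMU groups, flags groups that hold more than one device, and warns when the kernel was booted with pcie_acs_override. The function names and the optional path arguments (there so the functions can be pointed at a test tree) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit IOMMU grouping before passing a device through to a VM.
# All function names are hypothetical; paths default to the live system.

# Print the value of pcie_acs_override from a kernel command line file, if set.
acs_override_mode() {
    cmdline_file=${1:-/proc/cmdline}
    tr ' ' '\n' < "$cmdline_file" | sed -n 's/^pcie_acs_override=//p'
}

# Print "group<TAB>device-count<TAB>devices" for every IOMMU group.
list_iommu_groups() {
    root=${1:-/sys/kernel/iommu_groups}
    for g in "$root"/*; do
        [ -d "$g/devices" ] || continue
        n=$(ls "$g/devices" | wc -l)
        devs=$(ls "$g/devices" | tr '\n' ' ')
        printf '%s\t%s\t%s\n' "${g##*/}" "$((n))" "${devs% }"
    done | sort -n
}

# Groups with more than one device: passing one member to a VM means the
# other members of the group have to be treated as exposed to that VM too.
shared_groups() {
    list_iommu_groups "$1" | awk -F'\t' '$2 > 1'
}

audit() {
    mode=$(acs_override_mode "$2")
    if [ -n "$mode" ]; then
        # With the override active the kernel splits groups on request, so the
        # listing shows what was configured, not what the hardware isolates.
        echo "WARNING: pcie_acs_override=$mode is active"
    fi
    shared_groups "$1"
}

audit "$@"
```

Run it once on the stock kernel and once on the patched kernel with the override option set; the difference between the two listings is the separation that exists only because the kernel was told to assume it.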
