libvirt: Update to version 12.3.0

Message ID 20260505121254.16621-3-adolf.belka@ipfire.org
State Staged
Commit 8cafea9bcc936f6a0a8f472032df03dc8b444f4c
Series libvirt: Update to version 12.3.0

Commit Message

Adolf Belka 5 May 2026, 12:12 p.m. UTC
- Update from version 11.7.0 to 12.3.0
- Update of rootfile
- 2 CVE fixes in 11.10.0
- Changelog
12.3.0
New features
  * bhyve: Add blkiotune support
    The bhyve driver now supports guest I/O throttling configuration::
     <blkiotune>
       <device>
         <path>*</path>
         <read_iops_sec>20000</read_iops_sec>
         <write_iops_sec>20000</write_iops_sec>
         <read_bytes_sec>10000</read_bytes_sec>
         <write_bytes_sec>10000</write_bytes_sec>
       </device>
     </blkiotune>
    It uses the ``rctl(4)`` framework to apply these limits.
  * bhyve: Implement ``virDomainInterfaceAddresses()`` and ``virDomainGetHostname()``
    The bhyve driver now implements APIs allowing to fetch address of
    VM's interfaces (accessible via ``virsh domifaddr``) and the hostname
    of the VM (``virsh domhostname``).
  * hyperv: Implement ``virDomainGetGuestInfo()``
    The hyperv driver now implements API for fetching guest information
    (``virsh guestinfo``).
Improvements
  * security: Don't error out on security labels of type='none'
    Previously, libvirt reported an error if a domain with seclabel of
    type='none' (meaning do not take this security model into account for this
    domain) was being started and the model wasn't available (for instance, in
    case of SELinux it was disabled at boot).
  * Allow for multiple PCI root buses, not just for a single one numbered '0'
    `virPCIDeviceReset()` and `virPCIDeviceIsBehindSwitchLackingACS()` no
    longer use a hardcoded check (e.g. bus == 0) to determine if a device is
    attached to a "root bus". This allows for better support on more complex
    PCI topologies.
  * Add mechanism to prevent accidental shrink of device with ``virsh blockresize``
    A new flag ``VIR_DOMAIN_BLOCK_RESIZE_EXTEND`` was introduced which prevents
    accidental shrinking of the block device of the VM. The flag is exposed
    as ``virsh blockresize --extend``.
  * Expose ``MemAvailable`` field from kernel's meminfo as ``VIR_NODE_MEMORY_STATS_AVAILABLE``
Bug fixes
  * virnetdevmacvlan: Wait for udev to settle after creating macvtap
    When starting a domain with a macvtap device (or when hotplugging one),
    libvirt creates the device and opens its ``/dev`` representation in order
    to set it according to the ``<interface/>`` XML (e.g. MAC address, queues,
    etc.). But if the system is under heavy load, it might happen that after
    the device creation the udev daemon was triggered, but did not have enough
    time to set the ``/dev`` representation fully. This may result in various
    misconfiguration or even failed ``open()``. Therefore, libvirt waits after
    device creation for udev daemon to settle down.
  * apparmor: Don't drop macvtap devices from profile on blockjobs
12.2.0
Removed features
  * qemu: Stop advertising support for ``handle`` backend of 9p filesystems
    QEMU removed the feature in the 4.0 release, but our capability XML
    still reported it.
New features
  * qemu: Add support to configure IOMMUFD backend for whole VM
    In addition to setting IOMMUFD backend for each device it is possible
    to use the new ``<iommufd>`` element to enable IOMMUFD backend for all
    host devices. Users can still change it per device.
  * qemu: Add support to pass FD for IOMMUFD when starting VM
    Management applications running unprivileged libvirt can open /dev/iommu
    and pass FD to libvirt in order to change locked memory accounting.
    This is done via new ``<iommufd>`` element.
  * qemu: Add support for declaring that storage was zeroed for storage copy APIs
    The qemu driver now can skip zeroing of the storage during
    ``virDomainBlockCopy`` or migration with non-shared storage with the
    appropriate flags. This can be used for storage technologies which lack
    efficient zeroing support.
  * hyperv: Add basic snapshot functionality
    The hyperv driver now implements the following libvirt APIs:
    ``virDomainDefineXMLFlags()``, ``virDomainSnapshotLookupByName()``,
    ``virDomainListAllSnapshots()``, ``virDomainSnapshotNum()``,
    ``virDomainSnapshotGetXMLDesc()``, ``virDomainSnapshotCurrent()``,
    ``virDomainHasCurrentSnapshot()``, ``virDomainSnapshotGetParent()``.
Improvements
  * conf: support more than 255 vCPUs with amd-iommu
    With 256 or more vCPUs libvirt previously required EIM enabled for all
    models of IOMMU. This is not valid for AMD model and validation was changed
    so that XTSup is required there. Additionally, it is automatically enabled
    if needed.
  * Introduce VIR_CONNECT_GET_DOMAIN_CAPABILITIES_EXPAND_CPU_FEATURES flag
    This new flag for virConnectGetDomainCapabilities can be used to request
    the host-model CPU definition to include all supported features (normally
    only extra features relative to the selected CPU model are listed).
  * qemu: Add statistics for ``<dataStore>`` storage
    The bulk statistics (``virsh domstats --block --backing``) now report also
    information about the ``<dataStore>`` if given disk uses this feature.
  * hyperv: Hyper-V guests now report TPM device status in their domain xml
    definition.
Bug fixes
  * qemu: Fix crash when attaching network interface with hostdev network
    Introduced in v12.1.0 by implementing IOMMUFD backend support for
    host devices.
12.1.0
New features
  * qemu: Advertise firmware features in domain capabilities XML
    The contents of the ``<firmwareFeatures/>`` element can be used to determine
    ahead of time whether a firmware matching certain characteristics, for
    example Secure Boot support, is available for the selected architecture and
    machine type.
  * qemu: Add support for uefi-vars device and firmware builds using it
    This is particularly noteworthy for people running aarch64 VMs with the
    'virt' machine type, as it makes it finally possible to use Secure Boot
    with that combination.
    In most cases, no special steps are needed to take advantage of this:
    assuming that you have installed a recent version of QEMU, as well as a
    build of edk2 that includes the necessary binaries, you can just `enable
    Secure Boot <kbase/secureboot.html>`__ as you normally would.
    To explicitly request that the uefi-vars device is used even for scenarios
    where that would normally not be the case, it's enough to add an empty
    ``<varstore/>`` element in the domain XML. More details are available in
    the `guest firmware configuration <formatdomain.html#guest-firmware>`__
    section of the documentation.
  * hyperv: improve API coverage for the hyperv driver
    The `virDomainInterfaceAddresses()` and `virDomainGetBlockInfo()` APIs are
    now supported by the hyperv driver. In addition, the domain xml for hyperv
    domains will indicate via firmware features whether secure boot is enabled.
    It also honors these firmware features when creating new domains.
  * bhyve: Add support for vCPU pinning configuration
    Bhyve guests can now have vCPU pinning configured::
     <cputune>
       <vcpupin vcpu="0" cpuset="1,2,3"/>
     </cputune>
    Additionally, the ``domainGetVcpuPinInfo`` API is implemented for
    querying vCPU pinning information.
  * qemu: Support block operation latency histograms
    Libvirt now allows configuring qemu's block latency histogram collection
    as well as returns them via the bulk stats API.
Improvements
  * Introduce granule attribute for virtio-iommu
    In case when guest page size doesn't match the host page size (typically
    aarch64) the ``virtio-iommu`` needs to know the guest page size so it can
    allocate memory aligned to guest page size.
  * Parse hyperv features even for host-model
    Two releases ago, in v11.9.0 new ``host-model`` mode for Hyper-V
    enlightenments was introduced. Starting with this release, users can
    additionally override the defaults that are picked when domain is started
    and features are expanded.
  * bhyve: Improve loader configuration for arm64 guests
    If loader is not explicitly configured, use the loader
    from the ``sysutils/u-boot-bhyve-arm64`` port/package for the
    arm64 guests.
Bug fixes
  * Fix build with remote driver disabled
    Some parts of code were wrongly annotated as depended on remote driver.
    But they were used even from client side drivers. This is now fixed and
    libvirt builds properly even with remote driver disabled.
  * Various fixes to libvirt-guests.sh
    Firstly, the exit code of various commands was ignored (which may lead the
    script to wrongly determine persistent/transient domain state, for
    instance). Secondly, due to logical error, the script might have
    incorrectly assessed the state a domain is in.
  * AppArmor: Ask for no deny rule for readonly disk elements
    For read only disks, libvirt created an AppArmor profile which disallowed
    any future write rules. But when doing a blockcommit, libvirt needs to
    allow hypervisor to write to even readonly disks. The rule in the profile
    was changed so that future write rules can be added, temporarily.
  * esx: Allow connecting to IPv6 server
    Due to a bug in our code, if an IPv6 address was provided in connection
    URI, libvirt would fail to connect to VMWare server. This is now fixed.
  * qemu: Use device alias if interface has no name
    The ``virDomainInterfaceAddresses()`` API (or ``virsh domifaddr``) returns
    an array of interfaces along with their addresses. But some interface names
    might be unknown, for instance if the API is told to parse host's ARP table
    then PCI assigned NICs or slirp/passt lack interface name. If that's the
    case, let the API return domain's ``<interface/>`` alias.
  * bhyve: hyperv: Various memory leak fixes
  * qemu: Fix failures when restoring save/managed-save images with upcoming qemu versions
    Current git version of qemu would return an error when attempting to load
    an existing (managed) save image as we relied on deprecated features that
    were now removed.
12.0.0
New features
  * bhyve: SLIRP networking support
    Domain XMLs now can use SLIRP user-mode networking::
     <interface type='user'>
       <model type='virtio'/>
     </interface>
  * bhyve: virtio-scsi support
    Domain XMLs now can use ``virtio-scsi`` devices::
     <disk type='ctl'>
       <source dev='/dev/cam/ctl'/>
       <target dev='sda' bus='scsi'/>
     </disk>
  * bhyve: initial ARM64 support
    The bhyve driver now supports booting ARM64 domains on ARM64 hosts.
    This support is still in early stage of development and has some
    limitations. For example, it requires using
    ``<clock offset='localtime'/>`` in domain XMLs, and
    bootrom autofill is not implemented.
Improvements
  * qemu: Improvements and fixes to firmware selection
    Firmware selection now works more reliably and predictably in many
    scenarios.
    Notably, issues that were preventing the use of firmware designed for
    confidential VMs on aarch64 have been addressed.
  * network: Introduce port for DNS forwarder
    In the ``<dns/>`` section of network configuration users can set up
    forwarding of DNS requests to custom DNS servers. These are specified using
    ``addr`` attribute. But configuring port wasn't possible, until now. New
    ``port`` attribute is introduced, which allows overriding the default DNS
    port for given address.
Bug fixes
  * qemu: Fix startup of VMs with more than ~25 external snapshots
    After switch to json-c VMs with too deeply nested image chains would fail
    to start due to nesting depth limit in json-c, which is now increased to once
    again support backing chains up to 200 images deep.
  * qemu: TPM: Properly handle migration when storage resides on NFS
    The VM now can be properly migrated in scenarios where TPM data is stored
    on a shared filesystem on the destination but on the source it's either
    on a different NFS or unshared completely.
  * qemu: Treat memory device source nodemask as strict NUMA policy
    Until now, the NUMA policy for ``<memory/>`` devices was taken either from
    the guest NUMA node or ``<numatune/>``. But this may lead to discrepancies,
    where the memory device is configured to bind to a set of host NUMA nodes,
    but the guest NUMA node is to bind to a disjoint set of host NUMA nodes. To
    resolve this, specifying ``<nodemask/>`` for a memory device implies
    ``strict`` policy.
  * qemu: Relax validation of some hyperv features
    Since 11.9.0 release, libvirt performs dependency checks for hyperv
    features, for instance ``stimer`` requires ``synic``. But as it turned out,
    for some ancient machine types (e.g. 'pc-i440fx-3.0' or 'pc-q35-3.0') some
    dependencies are not true. Corresponding checks were removed.
  * esx: URI encode inventory objects twice
    Formatting domain XML for domains on an ESX server might fail if
    corresponding datacenter or datastore contained special characters (e.g.
    '+'). This is now fixed.
  * Fix race when checking whether a path is on a shared file system
    Finding an existing parent of a given path and checking whether it's on a
    shared file system was not atomic and thus the path could have been
    misinterpreted as non-shared if it was removed between these two
    operations. This could cause migration with an emulated TPM device stored
    on a shared file system to fail with the following bogus error::
     Operation not supported: the running swtpm does not support migration with
	shared storage
11.10.0
Security
  * CVE-2025-12748: Denial of service by some ACL-limited accounts
    Parsing of user provided XMLs in APIs which needed the identification
    information from those XML definitions was done in full before ACL checks
    were performed.  Some valid, but useless, definitions could cause allocation
    of too much memory, leading to denial of service. APIs which do equate to
    full root access (such as ``domain:write``), and were parsing XML
    definitions in full before performing ACL checks could, potentially, be
    exploited in a way that would allow users (which were about to be denied the
    API call) to cause aforementioned overallocation even before the ACL checks
    were performed.
    A change was made so that parsing before ACL checks are done only for the
    identification parts of the XML definition (which is needed to perform the
    checks) and full parsing is done only after checking all ACLs.
  * CVE-2025-13193: Incorrect permissions on images after external snapshot of an inactive VM
    The overlay ``qcow2`` images which are created as part of creation of an
    external snapshot of an inactive VM had world-readable (644) permissions
    which would allow unauthorized users to see contents of blocks written by
    the VM after snapshot was taken. Libvirt now sets proper umask so that
    the images are created with 600 mode.
New features
  * Hyper-V virttype support for Qemu domains
    Libvirt now supports Hyper-V virttype while launching QEMU domains. This
    feature requires Qemu version 10.2.0 or later and is available on Linux
    hosts where the /dev/mshv is present.
  * Add more statistics for block devices on QEMU domains
    The block devices now report optimal access request sizes as well as
    statistics such as the queue depth.
Improvements
  * bhyve: VNC ``wait`` attribute support
    Bhyve guests can now be configured to wait for a VNC connection before
    booting.
  * remote: multiple certificate support
    The remote daemon and client can be configured to load multiple x509
    certificate identities. This facilitates a transition to certificates
    supporting Post-Quantum Cryptographic algorithms.
  * tools: improved virt-host-validate output
    The virt-host-validate tool will now report extra details when certain
    checks pass.
  * qemu: Allow backup jobs to continue if guest OS shuts down
    When starting a backup job users can now use a flag which prevents the VM
    to be completely cleaned up if the guest OS shuts down while the backup is
    running so that the backup can be finalized.
Bug fixes
  * ch: Use correct domain definition in chDomainGetXMLDesc()
    Cloud-Hypervisor driver claims to support ``VIR_DOMAIN_XML_INACTIVE`` but
    in fact it never formatted the inactive XML. This is now fixed.
  * esx: Allow disk images in subdirectories
    If a domain has a disk image that's not in a datastore path but in a
    subdirectory, the ESX driver would have failed to parse that and an error
    was reported when obtaining domain XML. This is now fixed.
  * qemu: Fix incoming migration to QEMU 10.0.0 and newer
    Due to a change in the way QEMU 10.0.0 reports the state of "ht" CPU
    feature, incoming migration of a domain with multiple CPU threads would
    fail with "guest CPU doesn't match specification: extra features: ht"
    error.
  * qemu: fix incorrect reporting of the TDX launch security type
    The TDX launch security type was incorrectly reported on all platforms
    if the QEMU binary had it built-in. It is now limited to only platforms
    with the TDX kernel feature available for use.
  * qemu: set ``detect_zeroes`` for all backing chain layers
    Some block jobs (snapshots, block commit) could modify the backing chain in
    a way where ``detect_zeroes`` would no longer be honoured. We now set
    it for all images in the backing chain, so that it will behave correctly
    even after those operations.
11.9.0
New features
  * Introduce Hyper-V ``host-model`` mode
    Similarly to CPUs, ``host-model`` mode expands available Hyper-V
    enlightenments at domain startup into the live XML so that it's obvious which
    enlightenments are enabled.
  * Add support for Hyper-V ``spinlocks`` "never notify" mechanism
    The ``retries`` attribute - which defines after how many failed
    acquisition attempts to notify the hypervisor - can now hold the
    special value of 4294967295 which means to never notify the
    hypervisor.
    If the ``retries`` attribute is omitted this value is used.
  * ch: Network hotplug Support
    Users can now attach and detach network interfaces of Cloud Hypervisor
    domains at runtime.
  * bhyve: NVMe device support
    Domain XMLs now can use NVMe devices::
     <disk type='file'>
       <driver name='file' type='raw'/>
       <source file='/path/to/disk.img'/>
       <target dev='nvme0n1' bus='nvme'/>
     </disk>
Improvements
  * qemu: Improvements to USB controller model selection
    Virtualization-friendly USB3 controllers are now used in more situations,
    Intel-specific USB controllers are relegated to x86 guests, and model
    selection overall behaves more consistently across architectures.
  * qemu: Validate Hyper-V enlightenment dependencies
    Some Hyper-V enlightenments may require some other enlightenments to be
    turned on. Libvirt now validates these for new domains.
  * qemu: Introduce virtio options for virtio memory models
    Both virtio-mem and virtio-pmem memory models are virtio devices and as
    such now support setting various virtio knobs (iommu, ats, packed,
    page_per_vq) common to other virtio devices.
  * wireshark: Adapt to wireshark-4.6.0
    Libvirt's wireshark dissector plugin adapted to changes made to wireshark
    dissector API in its 4.6.0 release.
  * qemu: 'manual' disk snapshot mode improvements
    The 'manual' snapshot mode now ensures that also metadata of the images is
    written out to disk so that user can take snapshots of e.g. qcow2 image
    safely.
Bug fixes
  * ch: Load ``ch.conf`` from ``SYSCONFDIR``
    Previously, the ``ch.conf`` file for ``ch:///system`` URI was mistakenly
    loaded from a path under ``LOCALSTATEDIR`` (``/var/...``). This is now
    fixed and the configuration file is loaded from the ``SYSCONFDIR``
    (``/etc/...``) location where it's also installed.
11.8.0
New features
  * ch: Disk hotplug Support
    Users can now attach and detach disks of Cloud Hypervisor domains at
    runtime.
  * qemu: Add support for NUMA affinity of PCI devices
    To support NVIDIA Multi-Instance GPU (MIG) configurations, libvirt now
    handles QEMU's acpi-generic-initiator device internally. MIG enables
    partitioning a physical GPU into multiple isolated instances, each
    associated with one or more virtual NUMA nodes.
    On the XML side, the existing ``<acpi>`` element has been extended with a
    ``nodeset`` attribute to specify the NUMA node affinity of a PCI device.
  * qemu: Add support for hostname and FQDN configuration of passt backend
    The attributes ``hostname`` and ``fqdn`` for passt backend configure
    the guest interface with hostname and FQDN.
Improvements
  * ch: Events emitting
    The CH driver not only emits more domain lifecycle events but also
    implements ``virConnectDomainEventRegister()`` and
    ``virConnectDomainEventDeregister()`` APIs for management applications to
    listen on those events.
Bug fixes
  * qemu: Fix selection of stateless/combined firmware
    A stateless firmware will now be correctly chosen when appropriate,
    e.g. for domains configured to use SEV-SNP.
  * ch: Make sure the cloud-hypervisor process is killed in ``virCHProcessStop()``
    Due to wrong assumptions in the CH driver, calling ``virDomainDestroy()``
    did not kill the corresponding cloud-hypervisor process. Domains can be now
    destroyed reliably.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/libvirt | 34 ++++++++++++++++++++++++++-----
 lfs/libvirt                       |  8 ++++----
 2 files changed, 33 insertions(+), 9 deletions(-)
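
An added example, not part of the commit message or of libvirt: a permission audit for the CVE-2025-13193 entry above. The umask fix only applies to newly created files, so overlays written before the update keep mode 644 until they are tightened by hand. The directory argument, file names and function names are assumptions made for illustration; the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not libvirt or IPFire code): find qcow2 overlay images whose
# mode still grants access to group or other, as described for CVE-2025-13193.

# Print every *.qcow2 file under $1 that has any group/other permission bit set.
# Uses only POSIX find primaries so it also works outside GNU findutils.
audit_overlay_modes() {
    find "$1" -type f -name '*.qcow2' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Create an empty file under the given umask. The subshell keeps the
# caller's umask untouched. 022 yields 0644, 077 yields 0600.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}

# Tighten every flagged image to owner-only read/write (0600).
fix_overlay_modes() {
    audit_overlay_modes "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Constructed demonstration: one overlay created the old way (umask 022),
# one created the fixed way (umask 077).
demo() {
    dir=$(mktemp -d) || return 1
    create_with_umask 022 "$dir/vm1.before-fix.qcow2"
    create_with_umask 077 "$dir/vm1.after-fix.qcow2"
    echo "flagged before remediation:"
    audit_overlay_modes "$dir"
    fix_overlay_modes "$dir"
    echo "flagged after remediation: $(audit_overlay_modes "$dir" | wc -l)"
    rm -rf "$dir"
}
demo
```

Point `audit_overlay_modes` at the directories that hold the VM disk images on the host; it only reads file modes, and `fix_overlay_modes` is the only function that changes anything.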
  

Patch

diff --git a/config/rootfiles/packages/libvirt b/config/rootfiles/packages/libvirt
index 9e80e8e75..18bbbb4cc 100644
--- a/config/rootfiles/packages/libvirt
+++ b/config/rootfiles/packages/libvirt
@@ -32,6 +32,7 @@  etc/libvirt/qemu
 etc/libvirt/qemu-lockd.conf
 etc/libvirt/qemu.conf
 etc/libvirt/qemu/autostart
+etc/libvirt/secret.conf
 etc/libvirt/secrets
 etc/libvirt/storage
 etc/libvirt/storage/autostart
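Review bot: The new `etc/libvirt/secret.conf` entry is shipped uncommented, so it is installed as a package-owned configuration file, but the commit message only says "Update of rootfile" and does not say what this file configures or whether its defaults are suitable here. Please add a line to the message naming the new config file, and confirm whether it needs to be covered by the libvirt backup include (visible as context further down in this rootfile) so that local edits survive a reinstall; the diffstat shows that include is not touched by this patch.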
@@ -88,16 +89,16 @@  usr/bin/virt-xml-validate
 #usr/lib/libvirt
 #usr/lib/libvirt-admin.so
 usr/lib/libvirt-admin.so.0
-usr/lib/libvirt-admin.so.0.11007.0
+usr/lib/libvirt-admin.so.0.12003.0
 #usr/lib/libvirt-lxc.so
 usr/lib/libvirt-lxc.so.0
-usr/lib/libvirt-lxc.so.0.11007.0
+usr/lib/libvirt-lxc.so.0.12003.0
 #usr/lib/libvirt-qemu.so
 usr/lib/libvirt-qemu.so.0
-usr/lib/libvirt-qemu.so.0.11007.0
+usr/lib/libvirt-qemu.so.0.12003.0
 #usr/lib/libvirt.so
 usr/lib/libvirt.so.0
-usr/lib/libvirt.so.0.11007.0
+usr/lib/libvirt.so.0.12003.0
 #usr/lib/libvirt/connection-driver
 usr/lib/libvirt/connection-driver/libvirt_driver_ch.so
 usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
@@ -119,7 +120,8 @@  usr/lib/libvirt/storage-backend/libvirt_storage_backend_vstorage.so
 #usr/lib/pkgconfig/libvirt.pc
 #usr/lib/sysctl.d
 usr/lib/sysctl.d/60-libvirtd.conf
-usr/lib/sysctl.d/60-qemu-postcopy-migration.conf
+#usr/lib/systemd/system/libvirtd.service.d
+#usr/lib/systemd/system/libvirtd.service.d/10-secret.conf
 #usr/lib/sysusers.d
 usr/lib/sysusers.d/libvirt-login-shell.conf
 usr/lib/sysusers.d/libvirt-qemu.conf
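Review bot: The removal of `usr/lib/sysctl.d/60-qemu-postcopy-migration.conf` is not explained anywhere in the commit message, and the file was previously shipped uncommented, so systems updating from the old package lose a sysctl drop-in that was installed before. Please state in the message why the file is gone in this version, and check whether the setting it carried is still wanted on existing installs. The two added `libvirtd.service.d` lines are commented out, which looks right for a rootfile that also comments out other unused paths.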
@@ -141,11 +143,13 @@  usr/sbin/virtstoraged
 #usr/share/augeas
 #usr/share/augeas/lenses
 #usr/share/augeas/lenses/libvirt_lockd.aug
+#usr/share/augeas/lenses/libvirt_secrets.aug
 #usr/share/augeas/lenses/libvirtd.aug
 #usr/share/augeas/lenses/libvirtd_ch.aug
 #usr/share/augeas/lenses/libvirtd_qemu.aug
 #usr/share/augeas/lenses/tests
 #usr/share/augeas/lenses/tests/test_libvirt_lockd.aug
+#usr/share/augeas/lenses/tests/test_libvirt_secrets.aug
 #usr/share/augeas/lenses/tests/test_libvirtd.aug
 #usr/share/augeas/lenses/tests/test_libvirtd_ch.aug
 #usr/share/augeas/lenses/tests/test_libvirtd_qemu.aug
@@ -267,6 +271,8 @@  usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v3.xml
 usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v4.xml
 usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v5.xml
 usr/share/libvirt/cpu_map/x86_Cascadelake-Server.xml
+usr/share/libvirt/cpu_map/x86_ClearwaterForest-v1.xml
+usr/share/libvirt/cpu_map/x86_ClearwaterForest.xml
 usr/share/libvirt/cpu_map/x86_Conroe-v1.xml
 usr/share/libvirt/cpu_map/x86_Conroe.xml
 usr/share/libvirt/cpu_map/x86_Cooperlake-v1.xml
@@ -280,23 +286,30 @@  usr/share/libvirt/cpu_map/x86_Dhyana-v1.xml
 usr/share/libvirt/cpu_map/x86_Dhyana-v2.xml
 usr/share/libvirt/cpu_map/x86_Dhyana.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Genoa-v1.xml
+usr/share/libvirt/cpu_map/x86_EPYC-Genoa-v2.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Genoa.xml
 usr/share/libvirt/cpu_map/x86_EPYC-IBPB.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Milan-v1.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Milan-v2.xml
+usr/share/libvirt/cpu_map/x86_EPYC-Milan-v3.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Milan.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Rome-v1.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Rome-v2.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Rome-v3.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Rome-v4.xml
+usr/share/libvirt/cpu_map/x86_EPYC-Rome-v5.xml
 usr/share/libvirt/cpu_map/x86_EPYC-Rome.xml
+usr/share/libvirt/cpu_map/x86_EPYC-Turin-v1.xml
+usr/share/libvirt/cpu_map/x86_EPYC-Turin.xml
 usr/share/libvirt/cpu_map/x86_EPYC-v1.xml
 usr/share/libvirt/cpu_map/x86_EPYC-v2.xml
 usr/share/libvirt/cpu_map/x86_EPYC-v3.xml
 usr/share/libvirt/cpu_map/x86_EPYC-v4.xml
+usr/share/libvirt/cpu_map/x86_EPYC-v5.xml
 usr/share/libvirt/cpu_map/x86_EPYC.xml
 usr/share/libvirt/cpu_map/x86_GraniteRapids-v1.xml
 usr/share/libvirt/cpu_map/x86_GraniteRapids-v2.xml
+usr/share/libvirt/cpu_map/x86_GraniteRapids-v3.xml
 usr/share/libvirt/cpu_map/x86_GraniteRapids.xml
 usr/share/libvirt/cpu_map/x86_Haswell-IBRS.xml
 usr/share/libvirt/cpu_map/x86_Haswell-noTSX-IBRS.xml
@@ -346,8 +359,11 @@  usr/share/libvirt/cpu_map/x86_SandyBridge.xml
 usr/share/libvirt/cpu_map/x86_SapphireRapids-v1.xml
 usr/share/libvirt/cpu_map/x86_SapphireRapids-v2.xml
 usr/share/libvirt/cpu_map/x86_SapphireRapids-v3.xml
+usr/share/libvirt/cpu_map/x86_SapphireRapids-v4.xml
 usr/share/libvirt/cpu_map/x86_SapphireRapids.xml
 usr/share/libvirt/cpu_map/x86_SierraForest-v1.xml
+usr/share/libvirt/cpu_map/x86_SierraForest-v2.xml
+usr/share/libvirt/cpu_map/x86_SierraForest-v3.xml
 usr/share/libvirt/cpu_map/x86_SierraForest.xml
 usr/share/libvirt/cpu_map/x86_Skylake-Client-IBRS.xml
 usr/share/libvirt/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
@@ -373,6 +389,10 @@  usr/share/libvirt/cpu_map/x86_Westmere-IBRS.xml
 usr/share/libvirt/cpu_map/x86_Westmere-v1.xml
 usr/share/libvirt/cpu_map/x86_Westmere-v2.xml
 usr/share/libvirt/cpu_map/x86_Westmere.xml
+usr/share/libvirt/cpu_map/x86_YongFeng-v1.xml
+usr/share/libvirt/cpu_map/x86_YongFeng-v2.xml
+usr/share/libvirt/cpu_map/x86_YongFeng-v3.xml
+usr/share/libvirt/cpu_map/x86_YongFeng.xml
 usr/share/libvirt/cpu_map/x86_athlon-v1.xml
 usr/share/libvirt/cpu_map/x86_athlon.xml
 usr/share/libvirt/cpu_map/x86_core2duo-v1.xml
@@ -432,6 +452,7 @@  usr/share/libvirt/schemas/storagevol.rng
 usr/share/libvirt/schemas/sysinfo.rng
 usr/share/libvirt/schemas/sysinfocommon.rng
 #usr/share/libvirt/test-screenshot.png
+#usr/share/locale/ar/LC_MESSAGES/libvirt.mo
 #usr/share/locale/as/LC_MESSAGES/libvirt.mo
 #usr/share/locale/bg/LC_MESSAGES/libvirt.mo
 #usr/share/locale/bn_IN/LC_MESSAGES/libvirt.mo
@@ -478,6 +499,7 @@  usr/share/libvirt/schemas/sysinfocommon.rng
 #usr/share/locale/uk/LC_MESSAGES/libvirt.mo
 #usr/share/locale/vi/LC_MESSAGES/libvirt.mo
 #usr/share/locale/zh_CN/LC_MESSAGES/libvirt.mo
+#usr/share/locale/zh_Hant/LC_MESSAGES/libvirt.mo
 #usr/share/locale/zh_TW/LC_MESSAGES/libvirt.mo
 #var/cache/libvirt
 #var/cache/libvirt/qemu
@@ -498,6 +520,8 @@  var/ipfire/backup/addons/includes/libvirt
 #var/lib/libvirt/qemu/ram
 #var/lib/libvirt/qemu/save
 #var/lib/libvirt/qemu/snapshot
+#var/lib/libvirt/qemu/varstore
+#var/lib/libvirt/secrets
 #var/lib/libvirt/swtpm
 #var/log/libvirt
 #var/log/libvirt/ch
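Review bot: `#var/lib/libvirt/secrets` and `#var/lib/libvirt/qemu/varstore` are both commented out, so neither directory is created by the package, while `etc/libvirt/secrets` earlier in this rootfile is shipped. That matches how the neighbouring `var/lib/libvirt/qemu/*` entries are handled, but since these two will hold secret material and UEFI variable stores, it is worth confirming on a test install that the daemon creates them at runtime with owner-only permissions rather than relying on the default umask.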
diff --git a/lfs/libvirt b/lfs/libvirt
index 7e6fac180..7a879924d 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@  include Config
 
 SUMMARY	   = Server side daemon and supporting files for libvirt
 
-VER        = 11.7.0
+VER        = 12.3.0
 
 THISAPP    = libvirt-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -35,7 +35,7 @@  DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = x86_64 aarch64
 PROG       = libvirt
-PAK_VER    = 46
+PAK_VER    = 47
 
 DEPS       = ebtables libpciaccess ovmf swtpm qemu
 
@@ -49,7 +49,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 44b4c2a2c498d351762cf2bcbd26460dbe663e08e3f2a1b6e73fefbcb4bbc4e77f4b0d47ad771ec7b3854a9b2ebdbf08162590d20bd080f276a8042148ca5f07
+$(DL_FILE)_BLAKE2 = a6b2cd5de3f9cd81b8dadc8193c6bd12a018d8c4a6b175168a81988224a66f8e3ab28a2dccc441f8867b896271f6c3fa640cd456af07c64784b4adda5cea8e35
 
 install : $(TARGET)
 check : $(patsubst %,$(DIR_CHK)/%,$(objects))
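Review bot: The new value on the `$(DL_FILE)_BLAKE2` line cannot be checked from the patch itself, and the commit message does not say how it was obtained. Since this hash is the only integrity check the build applies to `libvirt-12.3.0.tar.xz`, please note in the message that it was computed from a tarball fetched from upstream and verified against the upstream release signature, so a reviewer can reproduce it independently.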