Bug 2037961
| Summary: | Rebase sevctl for RHEL8 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | John Ferlan <jferlan> |
| Component: | sevctl | Assignee: | Tyler Fanelli <tfanelli> |
| Status: | CLOSED ERRATA | QA Contact: | zixchen |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.6 | CC: | coli, jinzhao, juzhang, tfanelli, virt-bugs, zixchen |
| Target Milestone: | rc | Keywords: | Rebase, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | rebase | ||
| Fixed In Version: | sevctl-0.2.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2037953 | Environment: | |
| Last Closed: | 2022-05-10 14:25:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2037953 | ||
| Bug Blocks: | 2037963, 2037966 | ||
Description
John Ferlan
2022-01-06 22:01:58 UTC
Note: there is still one manual test waiting for QA to enable.

I've tried myself but to no avail. Sent a message to #osci which directed me to download OpenSSL certificates and I'd be able to access the CI machine:
https://hdn.corp.redhat.com/rhel8-csb/repoview/redhat-internal-NetworkManager-openvpn-profiles.html
After downloading, still not able to locate cyborg-jenkins.osci.redhat.com

sevctl-0.2.0-4.el9 unit test failed, test snp_platform_status ... FAILED on Milan.
Version:
sevctl-0.2.0-4.el9.x86_64
qemu-kvm-6.2.0-3.el9.x86_64
Hi Tyler, could you please help to check if this is a bug?
Steps:
Sevctl unit test:
# rpm2cpio ./sevctl-0.2.0-4.el9.src.rpm | cpio -idmv
# tar xvfz sevctl-0.2.0-vendor.tar.gz
# cd sevctl-0.2.0-vendor/sev/
# cargo test --features=hw_tests,openssl --test api
Finished test [unoptimized + debuginfo] target(s) in 0.04s
Running tests/api.rs (target/debug/deps/api-2fd9ed450b0596dc)
running 9 tests
test pdh_generate ... ignored
test pek_cert_import ... ignored
test pek_generate ... ignored
test platform_reset ... ignored
test get_identifier ... ok
test pek_csr ... ok
test platform_status ... ok
test snp_platform_status ... FAILED
test pdh_cert_export ... ok
failures:
---- snp_platform_status stdout ----
thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))', tests/api.rs:127:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
failures:
snp_platform_status
test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered out; finished in 0.01s
error: test failed, to rerun pass '--test api'
(In reply to zixchen from comment #6)
> sevctl-0.2.0-4.el9 unit test failed, test snp_platform_status ... FAILED on
> Milan.
>
> Version:
> sevctl-0.2.0-4.el9.x86_64
> qemu-kvm-6.2.0-3.el9.x86_64
>
>
> Hi Tyler, could you please help to check if this is a bug?
>
> Steps:
> Sevctl unit test:
> # rpm2cpio ./sevctl-0.2.0-4.el9.src.rpm | cpio -idmv
> # tar xvfz sevctl-0.2.0-vendor.tar.gz
> # cd sevctl-0.2.0-vendor/sev/
> # cargo test --features=hw_tests,openssl --test api
> Finished test [unoptimized + debuginfo] target(s) in 0.04s
> Running tests/api.rs (target/debug/deps/api-2fd9ed450b0596dc)
>
> running 9 tests
> test pdh_generate ... ignored
> test pek_cert_import ... ignored
> test pek_generate ... ignored
> test platform_reset ... ignored
> test get_identifier ... ok
> test pek_csr ... ok
> test platform_status ... ok
> test snp_platform_status ... FAILED
> test pdh_cert_export ... ok
>
> failures:
>
> ---- snp_platform_status stdout ----
> thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an
> `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message:
> "Invalid argument" }))', tests/api.rs:127:43
> note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
>
>
> failures:
> snp_platform_status
>
> test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered
> out; finished in 0.01s
>
> error: test failed, to rerun pass '--test api'
is

I am sorry, I added the wrong sevctl version; it should be sevctl-0.2.0-1.el8.x86_64, but the unit test result is the same.
Version:
sevctl-0.2.0-1.el8.x86_64
qemu-kvm-6.2.0-5.module+el8.6.0+14025+ca131e0a.x86_64
Steps:
# cargo test --features=hw_tests,openssl -- --skip=sev
Finished test [unoptimized + debuginfo] target(s) in 0.01s
Running unittests (target/debug/deps/sev-3263d7f8e5c5e733)
running 5 tests
test util::impl_const_id::tests::test_const_id_macro ... ok
test session::key::mac ... ok
test session::key::derive ... ok
test session::initialized::verify ... ok
test session::initialized::session ... ok
test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s
Running tests/api.rs (target/debug/deps/api-ac8f84d06458c71c)
running 9 tests
test pdh_generate ... ignored
test pek_cert_import ... ignored
test pek_generate ... ignored
test platform_reset ... ignored
test get_identifier ... ok
test pek_csr ... ok
test snp_platform_status ... FAILED
test platform_status ... ok
test pdh_cert_export ... ok
failures:
---- snp_platform_status stdout ----
thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))', tests/api.rs:127:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
failures:
snp_platform_status
test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered out; finished in 0.01s
error: test failed, to rerun pass '--test api'

Perhaps showing output of a run with `RUST_BACKTRACE=1` as shown in the output may help. Let's remember that AMD-SNP is still evolving (requires a special kernel build at this point) and the issue could be some sort of mismatch. Maybe we should just log the details in a separate bug.

Thanks John, according to Tyler's explanation, snp_platform_status failed has been waived in the gating test.
Test new sevctl cmd, no issue found, move to verified.
Version:
sevctl-0.2.0-1.el8.x86_64
qemu-kvm-6.2.0-5.module+el8.6.0+14025+ca131e0a.x86_64
kernel-4.18.0-364.el8.x86_64
Steps and results:
1. sevctl provision
# sevctl generate /home/czx.cert /home/czx.key
# sevctl verify
PDH EP384 D256 ba3ca11b1fdbeaa636cc57853a570e98c6e777b1c61a3fdf42f5b13c55b13fa2
⬑ PEK EP384 E256 4a8fe457a0ba046ac47cc177fea262767a52f26891b0e2e01c6beb38b0ad204c
•⬑ OCA EP384 E256 6149540f8c61e94e4feda43dc8e1d9f7baebe078f2061626e9c623bca77eb733
⬑ CEK EP384 E256 f9bc6116c817c63158f7da1487a07794ccfecb8767277dfece3791b24b90df4d
⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
•⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737
• = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
# sevctl provision /home/czx.cert /home/czx.key
# sevctl verify
PDH EP384 D256 8c4b7f53fb63ae35115bc87795052465074f32d50bb7b16a5a484b10c3b74b11
⬑ PEK EP384 E256 4a8fe457a0ba046ac47cc177fea262767a52f26891b0e2e01c6beb38b0ad204c
•⬑ OCA EP384 E256 e32ca63349c9d45c8c88b0d0c4fe389b1b5bf203fd8572a0bde9d9ef78310e67
⬑ CEK EP384 E256 f9bc6116c817c63158f7da1487a07794ccfecb8767277dfece3791b24b90df4d
⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
•⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737
• = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
2. sevctl ok
On Milan # sevctl ok
[ PASS ] - AMD CPU
[ PASS ] - Microcode support
[ PASS ] - Secure Memory Encryption (SME)
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ PASS ] - Secure Nested Paging (SEV-SNP)
[ PASS ] - VM Permission Levels
[ PASS ] - Number of VMPLs: 4
[ PASS ] - Physical address bit reduction: 51
[ PASS ] - C-bit location: 51
[ PASS ] - Number of encrypted guests supported simultaneously: 509
[ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ] - SEV enabled in KVM: enabled
[ PASS ] - Reading /dev/sev: /dev/sev readable
[ PASS ] - Writing /dev/sev: /dev/sev writable
[ PASS ] - Page flush MSR
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
On Rome # sevctl ok
[ PASS ] - AMD CPU
[ PASS ] - Microcode support
[ PASS ] - Secure Memory Encryption (SME)
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ FAIL ] - Secure Nested Paging (SEV-SNP)
[ SKIP ] - VM Permission Levels
[ SKIP ] - Number of VMPLs
[ PASS ] - Physical address bit reduction: 47
[ PASS ] - C-bit location: 47
[ PASS ] - Number of encrypted guests supported simultaneously: 509
[ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 99
[ PASS ] - SEV enabled in KVM: enabled
[ PASS ] - Reading /dev/sev: /dev/sev readable
[ PASS ] - Writing /dev/sev: /dev/sev writable
[ PASS ] - Page flush MSR
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
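The `sevctl ok` results above differ between Milan and Rome only in the SEV-SNP checks, so a gating script has to say which checks a host must pass and which failures are knowingly waived. The following is an added example, not part of the bug report or of sevctl: it parses the output format shown above and fails closed on any required check that is missing or not PASS. The policy names, the `gate` helper and the abbreviated sample are assumptions made for illustration.

```python
import re

# Constructed sample: abbreviated `sevctl ok` output in the format shown above
# (the Rome host, where SEV-SNP is FAIL and its dependent checks are SKIP).
SAMPLE_ROME = """\
[ PASS ] - AMD CPU
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ FAIL ] - Secure Nested Paging (SEV-SNP)
[ SKIP ] - VM Permission Levels
[ SKIP ] - Number of VMPLs
[ PASS ] - SEV enabled in KVM: enabled
[ PASS ] - Reading /dev/sev: /dev/sev readable
[ PASS ] - Writing /dev/sev: /dev/sev writable
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
"""

LINE_RE = re.compile(r"^\s*\[\s*(PASS|FAIL|SKIP)\s*\]\s*-\s*(.+?)\s*$")

# Hypothetical policies; the labels are the ones `sevctl ok` prints above.
SEV_ES_REQUIRED = (
    "Secure Encrypted Virtualization (SEV)",
    "Encrypted State (SEV-ES)",
    "SEV enabled in KVM",
    "Reading /dev/sev",
    "Writing /dev/sev",
)
SNP_REQUIRED = SEV_ES_REQUIRED + ("Secure Nested Paging (SEV-SNP)",)

def parse_sevctl_ok(text):
    """Return (status, check, detail) tuples; lines in other formats are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status, rest = m.groups()
            check, _, detail = rest.partition(": ")
            results.append((status, check, detail))
    return results

def gate(text, required, waived=()):
    """Fail closed: a required check must be present and PASS unless explicitly waived."""
    seen = {check: status for status, check, _ in parse_sevctl_ok(text)}
    problems = []
    for check in required:
        status = seen.get(check, "MISSING")
        if status != "PASS" and check not in waived:
            problems.append((check, status))
    return problems
```

An empty list from `gate` means the host meets the policy; a waiver has to name the exact check label, so an unrelated new failure is still reported.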
Moving back to MODIFIED in order to go through the Errata process

Clearing the needinfo on Tyler since the question was answered in https://bugzilla.redhat.com/show_bug.cgi?id=2037953#c15

Updated the Fixed in Version and changed DTM=24 to avoid the RHEL bot messages since it's expected to work through Errata Tool today.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sevctl bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:1945