Bug 2151892

Summary: Add Genoa Certificates to sev/sevctl
Product: Red Hat Enterprise Linux 9
Reporter: John Ferlan <jferlan>
Component: sevctl
Assignee: Tyler Fanelli <tfanelli>
Status: CLOSED CURRENTRELEASE
QA Contact: zixchen
Severity: medium
Priority: medium
Version: 9.2
CC: coli, jinzhao, juzhang, tfanelli, ymankad, zixchen
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.2
Hardware: x86_64
OS: Linux
Fixed In Version: sevctl-0.4.1-2.el9
Last Closed: 2023-07-26 07:52:55 UTC
Type: Feature Request
Bug Depends On: 2222104    

Description John Ferlan 2022-12-08 13:38:57 UTC
Description of problem:

From https://bugzilla.redhat.com/show_bug.cgi?id=2103630#c15 Larry Dewey notes that the Genoa certificates were added to sev. We should backport this into sevctl for the current release. So let's include

https://github.com/virtee/sev/pull/50

after we've completed the rebase bug 2135744

Comment 1 John Ferlan 2023-02-14 21:15:09 UTC
Given some issues building a backported patch, we'll just move this to 9.3.0 for now and have it addressed by rebase. If something changes, we can always move it back to 9.2.0.

Comment 3 Tyler Fanelli 2023-07-05 15:00:58 UTC
@zixchen Hello. Yes, I'm planning to rebase sevctl on 9.3 within the week. This issue would be fixed with this rebase.

Comment 4 John Ferlan 2023-07-11 19:54:20 UTC
Moving to POST making dependent upon rebase bug 2222104

Comment 7 zixchen 2023-07-26 07:47:20 UTC
Verify genoa cert fix with sevctl-0.4.1-2.el9.x86_64, no issue on this feature. 

Version:
sevctl-0.4.1-2.el9.x86_64

Steps:
https://bugzilla.redhat.com/show_bug.cgi?id=2222104#c13 verifies the new sevctl functions on Genoa. 
Regression test on Genoa: https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/07/80876/8087612/14257789/163096533/taskout.log, failed cases are discussed on rebase bug bz2222104
Enable SNP on a Genoa host.
# sevctl ok
[ PASS ] - AMD CPU
[ PASS ]   - Microcode support
[ PASS ]   - Secure Memory Encryption (SME)
[ PASS ]   - Secure Encrypted Virtualization (SEV)
[ PASS ]     - Encrypted State (SEV-ES)
[ PASS ]     - Secure Nested Paging (SEV-SNP)
[ PASS ]       - VM Permission Levels
[ PASS ]         - Number of VMPLs: 4
[ PASS ]     - Physical address bit reduction: 5
[ PASS ]     - C-bit location: 51
[ PASS ]     - Number of encrypted guests supported simultaneously: 509
[ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ]     - SEV enabled in KVM: enabled
[ PASS ]     - SEV-ES enabled in KVM: enabled
[ PASS ]     - Reading /dev/sev: /dev/sev readable
[ PASS ]     - Writing /dev/sev: /dev/sev writable
[ PASS ]   - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608

Comment 8 zixchen 2023-07-26 07:52:55 UTC
Since rebase bug includes all commits needed in this bug, close this as CURRENTRELEASE