Bug 2172347
| Summary: | 3 minor issues related to virt-qemu-sev-validate command | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Luyao Huang <lhuang> |
| Component: | libvirt | Assignee: | Daniel Berrangé <berrange> |
| libvirt sub component: | CLI & API | QA Contact: | Luyao Huang <lhuang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | berrange, jdenemar, lmen, pvlasin, virt-maint, ymankad |
| Version: | 9.2 | Keywords: | Triaged |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-9.0.0-8.el9_2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2176917 (view as bug list) | Environment: | |
| Last Closed: | 2023-05-09 07:27:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2176917 | | |
Description of problem:
3 minor issues related to virt-qemu-sev-validate command

Version-Release number of selected component (if applicable):
libvirt-9.0.0-6.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Cannot use virt-qemu-sev-validate after installing libvirt-client-qemu

# virt-qemu-sev-validate --help
Traceback (most recent call last):
  File "/usr/bin/virt-qemu-sev-validate", line 50, in <module>
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
ModuleNotFoundError: No module named 'cryptography'

# dnf install python-cryptography

# virt-qemu-sev-validate --help
Traceback (most recent call last):
  File "/usr/bin/virt-qemu-sev-validate", line 53, in <module>
    from lxml import etree
ModuleNotFoundError: No module named 'lxml'

# dnf install python-lxml

2. Some small mistakes in the man page of virt-qemu-sev-validate

virt-dom-sev-validate should be virt-qemu-sev-validate
--disk-password passwd.txt should be --inject-secret luks-key:passwd.txt
--loader should be --firmware

3. Incorrect example in https://libvirt.org/kbase/launch_security_sev.html#guest-attestation-for-sev-sev-es-from-a-trusted-host

Example:
$ virt-qemu-sev-validate \
    --measurement LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp \
    --api-major 0 \
    --api-minor 24 \
    --build-id 15 \
    --policy 3 \
    --tik ${myvmname}_tik.bin \
    --tek ${myvmname}_tek.bin
OK: Looks good to me

Test Result:
# virt-qemu-sev-validate --tik vm1_tik.bin --tek vm1_tek.bin --measurement Tco/y8PzIlUMuHrJXjxYU5D/43ZAcAu8mrrsnx1CYihG0byA8nQWpTPk8PfnMPz5 --api-major 1 --api-minor 51 --build-id 3 --policy 7
ERROR: Either --firmware or --domain is required

Actual results:
1. The libvirt-client-qemu rpm is missing the dependencies on python-cryptography and python-lxml
2. Some small mistakes in the man page of virt-qemu-sev-validate
3. Incorrect example in https://libvirt.org/kbase/launch_security_sev.html#guest-attestation-for-sev-sev-es-from-a-trusted-host

Expected results:

Additional info:

Patches were posted upstream: https://listman.redhat.com/archives/libvir-list/2023-February/238038.html

I noticed there is one mistake in the man page of virt-qemu-sev-validate:

# man virt-qemu-sev-validate |grep disk-password
--disk-password passwd.txt \
--disk-password passwd.txt
--disk-password passwd.txt

# rpm -q libvirt
libvirt-9.0.0-8.el9_2.x86_64

Verify this bug with libvirt-9.0.0-8.el9_2.x86_64:

1.
# dnf install libvirt-client-qemu-9.0.0-8.el9_2.x86_64.rpm
...
Installing:
 libvirt-client-qemu   x86_64   9.0.0-8.el9_2   @commandline    42 k
Installing dependencies:
 python3-cffi          x86_64   1.14.5-5.el9    BaseOS         257 k
 python3-cryptography  x86_64   36.0.1-2.el9    BaseOS         1.2 M
 python3-libvirt       x86_64   9.0.0-1.el9     AppStream      341 k
 python3-lxml          x86_64   4.6.5-3.el9     AppStream      1.2 M
 python3-ply           noarch   3.11-14.el9     BaseOS         111 k
 python3-pycparser     noarch   2.20-6.el9      BaseOS         139 k
...

# virt-qemu-sev-validate --help
usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT] [--api-major API_MAJOR] [--api-minor API_MINOR] [--build-id BUILD_ID]
                              [--policy POLICY] [--firmware FIRMWARE] [--kernel KERNEL] [--initrd INITRD] [--cmdline CMDLINE] [--num-cpus NUM_CPUS]
                              [--vmsa-cpu0 VMSA_CPU0] [--vmsa-cpu1 VMSA_CPU1] [--cpu-family CPU_FAMILY] [--cpu-model CPU_MODEL]
                              [--cpu-stepping CPU_STEPPING] [--tik TIK] [--tek TEK] [--tk TK] [--connect CONNECT] [--domain DOMAIN] [--insecure]
                              [--ignore-config] [--inject-secret INJECT_SECRET] [--secret-payload SECRET_PAYLOAD] [--secret-header SECRET_HEADER]

Validate guest AMD SEV launch measurement
...

2.
# man virt-qemu-sev-validate | grep "\--loader"
# man virt-qemu-sev-validate | grep "virt-dom-sev-validate"

This mistake still exists: --disk-password passwd.txt should be --inject-secret luks-key:passwd.txt. I don't think this small mistake blocks this bug verification.

# man virt-qemu-sev-validate | grep "\--disk-password passwd.txt"
--disk-password passwd.txt \
--disk-password passwd.txt
--disk-password passwd.txt

3.
# cat /usr/share/doc/libvirt-docs/html/kbase/launch_security_sev.html |grep -a6 "\--firmware"
<pre class="literal-block">$ virt-qemu-sev-validate \
    --measurement LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp \
    --api-major 0 \
    --api-minor 24 \
    --build-id 15 \
    --policy 3 \
    --firmware /path/to/OVMF.sev.fd \
    --tik ${myvmname}_tik.bin \
    --tek ${myvmname}_tek.bin
OK: Looks good to me</pre>
<p>The <a class="reference external" href="../manpages/virt-qemu-sev-validate.html">man page</a> for
<span class="docutils literal"><span class="pre">virt-qemu-sev-validate</span></span> outlines a great many other ways to invoke this
tool.</p>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2171
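The "Either --firmware or --domain is required" error reported above follows from how an SEV launch measurement is constructed: the value QEMU returns is an HMAC, keyed with the TIK, over the firmware's launch digest, so a validator with no copy of the firmware has nothing to recompute and compare. The following is an added example, not libvirt's own code: it reconstructs that check from the LAUNCH_MEASURE definition in the AMD SEV API specification, using the standard library's hmac/hashlib in place of python-cryptography, with FIRMWARE, TIK and NONCE as constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample inputs: not a real firmware image, TIK or nonce.
FIRMWARE = bytes(range(256)) * 64                              # stand-in for OVMF.sev.fd
TIK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)    # 32-byte TIK as read from tik.bin
NONCE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")       # 16-byte MNONCE from the SEV firmware


def launch_digest(firmware: bytes) -> bytes:
    """GCTX.LD for plain SEV (no SEV-ES VMSA, no direct kernel boot): SHA-256 of the firmware."""
    return hashlib.sha256(firmware).digest()


def expected_measurement(tik, api_major, api_minor, build_id, policy, ld, nonce):
    """MEASURE = HMAC-SHA256(TIK, 0x04 || API_MAJOR || API_MINOR || BUILD || POLICY(LE32) || LD || MNONCE)."""
    msg = bytes([0x04, api_major, api_minor, build_id]) + struct.pack("<I", policy) + ld + nonce
    return hmac.new(tik, msg, hashlib.sha256).digest()


def hypervisor_measurement(tik, api_major, api_minor, build_id, policy, firmware, nonce):
    """What QEMU hands back: base64(MEASURE || MNONCE), 48 bytes, i.e. the --measurement value."""
    measure = expected_measurement(tik, api_major, api_minor, build_id, policy,
                                   launch_digest(firmware), nonce)
    return base64.b64encode(measure + nonce).decode()


def validate(measurement_b64, tik, api_major, api_minor, build_id, policy, firmware):
    """Recompute MEASURE from the local firmware copy and compare in constant time."""
    if firmware is None:
        # No firmware means no LD to feed into the HMAC, so there is nothing to compare against.
        raise ValueError("Either --firmware or --domain is required")
    raw = base64.b64decode(measurement_b64)
    if len(raw) != 48:
        raise ValueError("measurement must be a 32-byte HMAC followed by a 16-byte nonce")
    reported, nonce = raw[:32], raw[32:]
    want = expected_measurement(tik, api_major, api_minor, build_id, policy,
                                launch_digest(firmware), nonce)
    return hmac.compare_digest(reported, want)


if __name__ == "__main__":
    m = hypervisor_measurement(TIK, 0, 24, 15, 3, FIRMWARE, NONCE)
    print("OK: Looks good to me" if validate(m, TIK, 0, 24, 15, 3, FIRMWARE) else "ERROR: mismatch")
    print("tampered firmware accepted:", validate(m, TIK, 0, 24, 15, 3, FIRMWARE + b"\x90"))
```

Any change to the firmware bytes, the policy or the key yields a different HMAC, which is exactly why the documented invocation has to carry --firmware (or --domain, from which the tool locates it).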