Bug 2176917
| Summary: | 3 minor issues related to virt-qemu-sev-validate command [rhel-9.3.0] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
| Component: | libvirt | Assignee: | Daniel Berrangé <berrange> |
| libvirt sub component: | CLI & API | QA Contact: | Luyao Huang <lhuang> |
| Status: | VERIFIED --- | Docs Contact: | |
| Severity: | medium | ||
| Priority: | medium | CC: | berrange, jdenemar, lmen, virt-maint, ymankad |
| Version: | 9.2 | Keywords: | Triaged |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-9.1.0-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2172347 | Environment: | |
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 9.1.0 |
| Embargoed: | |||
| Bug Depends On: | 2172347 | ||
| Bug Blocks: | |||
| Deadline: | 2023-04-10 | ||
(In reply to Luyao Huang from comment #1) > I noticed there is one mistake in manpages of virt-qemu-sev-validate: > > # man virt-qemu-sev-validate |grep disk-password > --disk-password passwd.txt \ > --disk-password passwd.txt > --disk-password passwd.txt You need to look at the full context here. The first '--disk-password' has a trailing '\' because there are further args following it on the next line. The other '--disk-password' usage has no following args, so does not need a trailing '\'. (In reply to Daniel Berrangé from comment #2) > (In reply to Luyao Huang from comment #1) > > I noticed there is one mistake in manpages of virt-qemu-sev-validate: > > > > # man virt-qemu-sev-validate |grep disk-password > > --disk-password passwd.txt \ > > --disk-password passwd.txt > > --disk-password passwd.txt > > You need to look at the full context here. The first '--disk-password' has a > trailing '\' because there are further args following it on the next line. > The other '--disk-password' usage has no following args, so does not need a > trailing '\'. Thanks for your quick reply! I think my short comment cause a misunderstanding here, what I want to point out is that virt-qemu-sev-validate not support --disk-password options but I still can find it in the manpages. I think we should replace them to --inject-secret luks-key:passwd.txt. Test on libvirt-9.1.0-1.el9.x86_64: # virt-qemu-sev-validate --disk-password passwd.txt usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT] [--api-major API_MAJOR] [--api-minor API_MINOR] [--build-id BUILD_ID] [--policy POLICY] [--firmware FIRMWARE] [--kernel KERNEL] [--initrd INITRD] [--cmdline CMDLINE] [--num-cpus NUM_CPUS] [--vmsa-cpu0 VMSA_CPU0] [--vmsa-cpu1 VMSA_CPU1] [--cpu-family CPU_FAMILY] [--cpu-model CPU_MODEL] [--cpu-stepping CPU_STEPPING] [--tik TIK] [--tek TEK] [--tk TK] [--connect CONNECT] [--domain DOMAIN] [--insecure] [--ignore-config] [--inject-secret INJECT_SECRET] [--secret-payload SECRET_PAYLOAD] [--secret-header SECRET_HEADER] virt-qemu-sev-validate: error: unrecognized arguments: --disk-password passwd.txt # virt-qemu-sev-validate --help | grep "\--disk-password" Verify this bug with libvirt-9.3.0-2.el9.x86_64:
1.
# rpm -qpR libvirt-client-qemu-9.3.0-2.el9.x86_64.rpm
/usr/bin/python3
libvirt-libs = 9.3.0-2.el9
python3-cryptography
python3-libvirt >= 3.7.0
python3-lxml
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
# dnf install libvirt-client-qemu-9.3.0-2.el9.x86_64.rpm
# virt-qemu-sev-validate --help
usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT] [--api-major API_MAJOR] [--api-minor API_MINOR]
[--build-id BUILD_ID] [--policy POLICY] [--firmware FIRMWARE] [--kernel KERNEL] [--initrd INITRD] [--cmdline CMDLINE]
[--num-cpus NUM_CPUS] [--vmsa-cpu0 VMSA_CPU0] [--vmsa-cpu1 VMSA_CPU1] [--cpu-family CPU_FAMILY]
[--cpu-model CPU_MODEL] [--cpu-stepping CPU_STEPPING] [--tik TIK] [--tek TEK] [--tk TK] [--connect CONNECT]
[--domain DOMAIN] [--insecure] [--ignore-config] [--inject-secret INJECT_SECRET] [--secret-payload SECRET_PAYLOAD]
[--secret-header SECRET_HEADER]
Validate guest AMD SEV launch measurement
...
2.
# man virt-qemu-sev-validate | grep "\--loader"
# man virt-qemu-sev-validate | grep "virt-dom-sev-validate"
# man virt-qemu-sev-validate | grep "\--disk-password passwd.txt"
3.
# cat /usr/share/doc/libvirt-docs/html/kbase/launch_security_sev.html |grep -a6 "\--firmware"
<pre class="literal-block">$ virt-qemu-sev-validate \
--measurement LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp \
--api-major 0 \
--api-minor 24 \
--build-id 15 \
--policy 3 \
--firmware /path/to/OVMF.sev.fd \
--tik ${myvmname}_tik.bin \
--tek ${myvmname}_tek.bin
OK: Looks good to me</pre>
<p>The <a class="reference external" href="../manpages/virt-qemu-sev-validate.html">man page</a> for
<span class="docutils literal"><span class="pre">virt-qemu-sev-validate</span></span> outlines a great many other ways to invoke this
tool.</p>
|
I noticed there is one mistake in manpages of virt-qemu-sev-validate: # man virt-qemu-sev-validate |grep disk-password --disk-password passwd.txt \ --disk-password passwd.txt --disk-password passwd.txt # rpm -q libvirt libvirt-9.1.0-1.el9.x86_64