Bug 2222043

| Field | Value |
|---|---|
| Summary | Release new version of sevctl for RHEL 8.9.0 |
| Product | Red Hat Enterprise Linux 8 |
| Component | sevctl |
| Version | 8.8 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | medium |
| Reporter | Tyler Fanelli <tfanelli> |
| Assignee | Tyler Fanelli <tfanelli> |
| QA Contact | zixchen |
| CC | coli, jinzhao, juzhang, mrezanin, yfu, zixchen |
| Target Milestone | rc |
| Keywords | Rebase, Triaged |
| Flags | pm-rhel: mirror+ |
| Fixed In Version | sevctl-0.4.2-1.el8 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2023-11-14 15:36:29 UTC |
| Type | Bug |
| Bug Blocks | 2222104 |

Description
Tyler Fanelli
2023-07-11 16:21:09 UTC
Build successful and merged: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/14

Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS process. Once the RPMs are successfully built and merged, are there any steps I need to take? Or can I move forward to the errata process?

(In reply to Tyler Fanelli from comment #3)
> Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS
> process. Once the RPMs are successfully built and merged, are there any steps
> I need to take? Or can I move forward to the errata process?

QE is not familiar with the packaging process either. Miroslav, do you know the answer to Tyler's questions?

From the above - at the very least we'll need to get a qa_ack+ and an ITM set in order to get release+. Same for bug 2222104. I'll let Mirek help with other steps as I'm less aware of how to get through build, gating, etc.

(In reply to Tyler Fanelli from comment #3)
> Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS
> process. Once the RPMs are successfully built and merged, are there any steps
> I need to take? Or can I move forward to the errata process?

Have you built the package? I do not see sevctl 0.4.1 in either centos or rhel koji.

Anyway, the process is as follows:

1) Build centos page - after build is finished, rhel build is started by automation
2) RHEL build needs to pass gating to get candidate tag
3) After getting candidate tag, this BZ has to be preverified (Verified:Tested needs to be set)
4) After that, you can add build and BZ to errata (or create a new one if none exists)

Build succeeded: https://brewweb.engineering.redhat.com/brew/search?match=glob&type=build&terms=+sevctl-0.4.1-2.el8

Gating passed: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/54014276

> 2) RHEL build needs to pass gating to get candidate tag
Build + gating have passed. When can I expect a candidate tag?

QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

(In reply to Tyler Fanelli from comment #8)
> > 2) RHEL build needs to pass gating to get candidate tag
>
> Build + gating have passed. When can I expect a candidate tag?

Candidate tag is usually set a few minutes after gating is passed.

RHEL 8 test result is the same with rhel9.

Issues:

1. sevctl ok failed on SNP capable host without SNP enabled.

```
:: [ 23:20:59 ] :: [ BEGIN ] :: Running 'sevctl ok'
STDOUT: [ PASS ] - AMD CPU
STDOUT: [ PASS ] - Microcode support
STDOUT: [ PASS ] - Secure Memory Encryption (SME)
STDOUT: [ PASS ] - Secure Encrypted Virtualization (SEV)
STDOUT: [ PASS ] - Encrypted State (SEV-ES)
STDOUT: [ FAIL ] - Secure Nested Paging (SEV-SNP)
STDOUT: [ SKIP ] - VM Permission Levels
STDERR: Error: One or more tests in sevctl-ok reported a failure
STDOUT: [ SKIP ] - Number of VMPLs
STDOUT: [ PASS ] - Physical address bit reduction: 5
STDOUT: [ PASS ] - C-bit location: 51
STDOUT: [ PASS ] - Number of encrypted guests supported simultaneously: 509
STDOUT: [ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
STDOUT: [ PASS ] - SEV enabled in KVM: enabled
STDOUT: [ PASS ] - SEV-ES enabled in KVM: enabled
STDOUT: [ PASS ] - Reading /dev/sev: /dev/sev readable
STDOUT: [ PASS ] - Writing /dev/sev: /dev/sev writable
STDOUT: [ PASS ] - Page flush MSR: ENABLED
STDOUT: [ PASS ] - KVM supported: API version: 12
STDOUT: [ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
:: [ 23:20:59 ] :: [ FAIL ] :: Command 'sevctl ok' (Expected 0, got 1)
```

2. On SNP enabled platform, show flags is es.

```
# sevctl show flags
owned es
```

3. On Genoa, vcek URL shows Milan

```
# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL=12&ucodeSPL=33
```

Version: sevctl-0.4.1-2.el8.x86_64

Steps:

Milan/Genoa regression test log: http://lab-04.rhts.eng.pek2.redhat.com/beaker/logs/tasks/163670+/163670040/taskout.log

1.

```
# sevctl measurement build --api-major 01 --api-minor 53 --build-id 5 --policy 0x07 --tik sev_es_dhcert_tik.bin --firmware /usr/share/edk2/ovmf/OVMF_CODE.cc.fd --num-cpus 4 --vmsa-cpu0 NEW-VMSA0.bin --vmsa-cpu1 NEW-VMSA1.bin --launch-measure-blob sev_es_dhcert_session.b64
M9zsBsc7vjRGpq+uS73iTF2CR6AEjOkxETavi0033UV3b3g1VmhOamR3QXZRQkNScC8xSEs4Zk50SGNRcjVLb0J6a2dtOFg3R3ZsU1JnNUgwbzJxenFHU21zZldpUC8xaXNadHZkRXNsUVZ0ZU5iaXN1R0VpOS83V29nNlhmb2pkOHd1Z3lweHVpWExmN1NiaXVwRGdvRVRGakxJWFJvczlwWWhESjd2Z0JjPQ==
```

2.

```
# sevctl secret build --tik sev_es_dhcert_tik.bin --tek sev_es_dhcert_tek.bin --launch-measure-blob sev_es_dhcert_session.b64 --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt secret_header.bin secret_payload.bin
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin
```

3.

```
# sevctl show identifier
E18AB8A566916516B72307B543C9B4A4DFB10D28217252018EC5705A145B3DF8D6705EBAB5CF342A68CB074CFDC99B299E6394DE8FED0F46EABA2F850718F069
```

4.

```
# sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 53,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
        reported_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
    },
}
```

5.

```
# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53?blSPL=03&teeSPL=00&snpSPL=10&ucodeSPL=206
```

I've removed the vcek-url subcommand (i.e. moved to snphost) and rebased to 0.4.2. Build here: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/26

Build completed: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2630977

Verified with sevctl-0.4.2-1.el8.x86_64, regression test pass and snp host functions are removed.

Version: sevctl-0.4.2-1.el8.x86_64

Steps: please check attachment test log.

```
# sevctl show identifier
E18AB8A566916516B72307B543C9B4A4DFB10D28217252018EC5705A145B3DF8D6705EBAB5CF342A68CB074CFDC99B299E6394DE8FED0F46EABA2F850718F069
```

sevctl vcek-url and snp-status are removed.

Result: No issue found.

Clearing needinfo on Mirek since Tyler has moved bug to on_qa now.

Based on comment 15, move this bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sevctl bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7051
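
Added example, not part of the bug thread and not sevctl code: a consistency check for the VCEK URL issue reported in the QA comment above (a Genoa host whose URL names Milan). It compares the product segment and the four SPL parameters against the host's expected product and the `reported_version` TCB from `snp-status`; the function name and the placeholder chip ID are assumptions, and the URL layout is read off the URLs in the test log.

```python
import string
from urllib.parse import urlsplit, parse_qs

KDS_HOST = "kdsintf.amd.com"
# URL query parameter -> field name in the `sevctl show snp-status` TCB output
TCB_PARAMS = {"blSPL": "bootloader", "teeSPL": "tee",
              "snpSPL": "snp", "ucodeSPL": "microcode"}


def check_vcek_url(url, expected_product, reported_tcb):
    """Return a list of mismatches; an empty list means the URL is consistent."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != KDS_HOST:
        problems.append(f"unexpected endpoint {parts.scheme}://{parts.hostname}")
    segs = parts.path.strip("/").split("/")
    if len(segs) != 4 or segs[:2] != ["vcek", "v1"]:
        return problems + [f"unexpected path {parts.path}"]
    product, chip_id = segs[2], segs[3]
    if product != expected_product:
        problems.append(f"product is {product}, host is {expected_product}")
    # The chip IDs in the test log are 128 hex characters (64 bytes).
    if len(chip_id) != 128 or not set(chip_id) <= set(string.hexdigits):
        problems.append("chip ID is not 128 hex characters")
    query = parse_qs(parts.query)
    for param, field in TCB_PARAMS.items():
        values = query.get(param, [])
        if len(values) != 1 or not values[0].isdecimal():
            problems.append(f"{param} missing, repeated or not decimal")
        elif int(values[0]) != reported_tcb[field]:
            problems.append(
                f"{param}={values[0]} but reported {field} is {reported_tcb[field]}")
    return problems


# Constructed sample: placeholder chip ID, TCB values as in the snp-status output.
SAMPLE_CHIP_ID = "AB" * 64
SAMPLE_URL = (f"https://{KDS_HOST}/vcek/v1/Milan/{SAMPLE_CHIP_ID}"
              "?blSPL=03&teeSPL=00&snpSPL=10&ucodeSPL=206")
REPORTED_TCB = {"bootloader": 3, "tee": 0, "snp": 10, "microcode": 206}

if __name__ == "__main__":
    for product in ("Milan", "Genoa"):
        result = check_vcek_url(SAMPLE_URL, product, REPORTED_TCB)
        print(product, result or "consistent")
```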