Bug 2037961 - Rebase sevctl for RHEL8
Summary: Rebase sevctl for RHEL8
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sevctl
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Tyler Fanelli
QA Contact: zixchen
URL:
Whiteboard: rebase
Depends On: 2037953
Blocks: 2037963 2037966
Reported: 2022-01-06 22:01 UTC by John Ferlan
Modified: 2022-05-10 14:52 UTC

Fixed In Version: sevctl-0.2.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2037953
Environment:
Last Closed: 2022-05-10 14:25:47 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-107026 0 None None None 2022-01-06 22:11:48 UTC
Red Hat Product Errata RHBA-2022:1945 0 None None None 2022-05-10 14:25:52 UTC

Description John Ferlan 2022-01-06 22:01:58 UTC
+++ This bug was initially created as a clone of Bug #2037953 +++

Let's rebase sevctl-0.0.2 into RHEL 9.0.

There are some new commands and options that we should make sure are added to the upstream sevctl-test package and that we list so that QE can add them to their test plan.

--- Additional comment from John Ferlan on 2022-01-06 21:59:05 UTC ---

Added 2 other bugs that will be resolved by this rebase.

--- Additional comment from John Ferlan on 2022-01-06 22:01:02 UTC ---

Upstream has already generated the sevctl-0.0.2, now it's just doing the rebase.

Comment 5 Tyler Fanelli 2022-02-02 21:52:52 UTC
Note: there is still one manual test waiting for QA to enable. I've tried myself, but to no avail. Sent a message to #osci which directed me to download OpenSSL certificates and I'd be able to access the CI machine: https://hdn.corp.redhat.com/rhel8-csb/repoview/redhat-internal-NetworkManager-openvpn-profiles.html

After downloading, still not able to locate cyborg-jenkins.osci.redhat.com

Comment 6 zixchen 2022-02-07 07:38:29 UTC
sevctl-0.2.0-4.el9 unit test failed, test snp_platform_status ... FAILED on Milan.

Version:
sevctl-0.2.0-4.el9.x86_64
qemu-kvm-6.2.0-3.el9.x86_64


Hi Tyler, could you please help to check if this is a bug?

Steps:
Sevctl unit test:
# rpm2cpio ./sevctl-0.2.0-4.el9.src.rpm | cpio -idmv
# tar xvfz sevctl-0.2.0-vendor.tar.gz
# cd sevctl-0.2.0-vendor/sev/
# cargo test --features=hw_tests,openssl --test api
    Finished test [unoptimized + debuginfo] target(s) in 0.04s
     Running tests/api.rs (target/debug/deps/api-2fd9ed450b0596dc)

running 9 tests
test pdh_generate ... ignored
test pek_cert_import ... ignored
test pek_generate ... ignored
test platform_reset ... ignored
test get_identifier ... ok
test pek_csr ... ok
test platform_status ... ok
test snp_platform_status ... FAILED
test pdh_cert_export ... ok

failures:

---- snp_platform_status stdout ----
thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))', tests/api.rs:127:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


failures:
    snp_platform_status

test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered out; finished in 0.01s

error: test failed, to rerun pass '--test api'

Comment 7 zixchen 2022-02-07 10:25:57 UTC
(In reply to zixchen from comment #6)
> sevctl-0.2.0-4.el9 unit test failed, test snp_platform_status ... FAILED on
> Milan.
> 
> Version:
> sevctl-0.2.0-4.el9.x86_64
> qemu-kvm-6.2.0-3.el9.x86_64
> 
> 
> Hi Tyler, could you please help to check if this is a bug?
> 
> Steps:
> Sevctl unit test:
> # rpm2cpio ./sevctl-0.2.0-4.el9.src.rpm | cpio -idmv
> # tar xvfz sevctl-0.2.0-vendor.tar.gz
> # cd sevctl-0.2.0-vendor/sev/
> # cargo test --features=hw_tests,openssl --test api
>     Finished test [unoptimized + debuginfo] target(s) in 0.04s
>      Running tests/api.rs (target/debug/deps/api-2fd9ed450b0596dc)
> 
> running 9 tests
> test pdh_generate ... ignored
> test pek_cert_import ... ignored
> test pek_generate ... ignored
> test platform_reset ... ignored
> test get_identifier ... ok
> test pek_csr ... ok
> test platform_status ... ok
> test snp_platform_status ... FAILED
> test pdh_cert_export ... ok
> 
> failures:
> 
> ---- snp_platform_status stdout ----
> thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an
> `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message:
> "Invalid argument" }))', tests/api.rs:127:43
> note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
> 
> 
> failures:
>     snp_platform_status
> 
> test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered
> out; finished in 0.01s
> 
> error: test failed, to rerun pass '--test api'
I am sorry, I added the wrong sevctl version; it should be sevctl-0.2.0-1.el8.x86_64, but the unit test result is the same.
Version:
sevctl-0.2.0-1.el8.x86_64
qemu-kvm-6.2.0-5.module+el8.6.0+14025+ca131e0a.x86_64

Steps:
# cargo test --features=hw_tests,openssl -- --skip=sev
    Finished test [unoptimized + debuginfo] target(s) in 0.01s
     Running unittests (target/debug/deps/sev-3263d7f8e5c5e733)

running 5 tests
test util::impl_const_id::tests::test_const_id_macro ... ok
test session::key::mac ... ok
test session::key::derive ... ok
test session::initialized::verify ... ok
test session::initialized::session ... ok

test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

     Running tests/api.rs (target/debug/deps/api-ac8f84d06458c71c)

running 9 tests
test pdh_generate ... ignored
test pek_cert_import ... ignored
test pek_generate ... ignored
test platform_reset ... ignored
test get_identifier ... ok
test pek_csr ... ok
test snp_platform_status ... FAILED
test platform_status ... ok
test pdh_cert_export ... ok

failures:

---- snp_platform_status stdout ----
thread 'snp_platform_status' panicked at 'called `Result::unwrap()` on an `Err` value: Known(IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))', tests/api.rs:127:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


failures:
    snp_platform_status

test result: FAILED. 4 passed; 1 failed; 4 ignored; 0 measured; 0 filtered out; finished in 0.01s

error: test failed, to rerun pass '--test api'

Comment 8 John Ferlan 2022-02-08 12:21:45 UTC
Perhaps showing output of a run with `RUST_BACKTRACE=1` as shown in the output may help.

Let's remember that AMD-SNP is still evolving (requires a special kernel build at this point) and the issue could be some sort of mismatch.

Maybe we should just log the details in a separate bug.

Comment 10 zixchen 2022-02-09 08:29:23 UTC
Thanks John. According to Tyler's explanation, the snp_platform_status failure has been waived in the gating test.

Tested the new sevctl commands, no issues found; moving to verified.
Version:
sevctl-0.2.0-1.el8.x86_64
qemu-kvm-6.2.0-5.module+el8.6.0+14025+ca131e0a.x86_64
kernel-4.18.0-364.el8.x86_64

Steps and results:
1. sevctl provision
# sevctl generate /home/czx.cert /home/czx.key
# sevctl verify
PDH EP384 D256 ba3ca11b1fdbeaa636cc57853a570e98c6e777b1c61a3fdf42f5b13c55b13fa2
 ⬑ PEK EP384 E256 4a8fe457a0ba046ac47cc177fea262767a52f26891b0e2e01c6beb38b0ad204c
   •⬑ OCA EP384 E256 6149540f8c61e94e4feda43dc8e1d9f7baebe078f2061626e9c623bca77eb733
    ⬑ CEK EP384 E256 f9bc6116c817c63158f7da1487a07794ccfecb8767277dfece3791b24b90df4d
       ⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
         •⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737

 • = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
# sevctl provision /home/czx.cert /home/czx.key
# sevctl verify
PDH EP384 D256 8c4b7f53fb63ae35115bc87795052465074f32d50bb7b16a5a484b10c3b74b11
 ⬑ PEK EP384 E256 4a8fe457a0ba046ac47cc177fea262767a52f26891b0e2e01c6beb38b0ad204c
   •⬑ OCA EP384 E256 e32ca63349c9d45c8c88b0d0c4fe389b1b5bf203fd8572a0bde9d9ef78310e67
    ⬑ CEK EP384 E256 f9bc6116c817c63158f7da1487a07794ccfecb8767277dfece3791b24b90df4d
       ⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
         •⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737

 • = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
2. sevctl ok
On Milan # sevctl ok
[ PASS ] - AMD CPU
[ PASS ]   - Microcode support
[ PASS ]   - Secure Memory Encryption (SME)
[ PASS ]   - Secure Encrypted Virtualization (SEV)
[ PASS ]     - Encrypted State (SEV-ES)
[ PASS ]     - Secure Nested Paging (SEV-SNP)
[ PASS ]       - VM Permission Levels
[ PASS ]         - Number of VMPLs: 4
[ PASS ]     - Physical address bit reduction: 51
[ PASS ]     - C-bit location: 51
[ PASS ]     - Number of encrypted guests supported simultaneously: 509
[ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ]     - SEV enabled in KVM: enabled
[ PASS ]     - Reading /dev/sev: /dev/sev readable
[ PASS ]     - Writing /dev/sev: /dev/sev writable
[ PASS ]   - Page flush MSR
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
On Rome # sevctl ok
[ PASS ] - AMD CPU
[ PASS ]   - Microcode support
[ PASS ]   - Secure Memory Encryption (SME)
[ PASS ]   - Secure Encrypted Virtualization (SEV)
[ PASS ]     - Encrypted State (SEV-ES)
[ FAIL ]     - Secure Nested Paging (SEV-SNP)
[ SKIP ]       - VM Permission Levels
[ SKIP ]         - Number of VMPLs
[ PASS ]     - Physical address bit reduction: 47
[ PASS ]     - C-bit location: 47
[ PASS ]     - Number of encrypted guests supported simultaneously: 509
[ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 99
[ PASS ]     - SEV enabled in KVM: enabled
[ PASS ]     - Reading /dev/sev: /dev/sev readable
[ PASS ]     - Writing /dev/sev: /dev/sev writable
[ PASS ]   - Page flush MSR
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
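
The before/after comparison in step 1 of the comment above can be automated. The following is an added example, not part of the bug report or of sevctl: it parses `sevctl verify` output, reports which certificates changed across `sevctl provision`, and flags any line carrying an invalid-signature marker. In the run reported above, PDH and OCA differ across the provision and the other four fingerprints are identical. The fingerprints below are constructed short values, and treating U+0337/U+0338 as the "invalid" markers is an assumption based on the legend line.

```python
import re

# One certificate line: optional sign markers, name, two algorithm tags, fingerprint.
LINE = re.compile(r"^\s*(?P<marks>[^\sA-Z]*)\s*(?P<name>PDH|PEK|OCA|CEK|ASK|ARK)"
                  r"\s+\S+\s+\S+\s+(?P<fp>[0-9a-f]+)\s*$")
# Assumption: the legend's "invalid" markers are the normal marker followed by
# a combining solidus overlay (U+0337 or U+0338).
INVALID = {"\u0337", "\u0338"}

def parse_verify(text):
    """Return {cert name: (fingerprint, markers_valid)}; legend lines do not match."""
    chain = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            chain[m["name"]] = (m["fp"], not (set(m["marks"]) & INVALID))
    return chain

def check_provision(before, after):
    """Compare `sevctl verify` output captured before and after `sevctl provision`."""
    b, a = parse_verify(before), parse_verify(after)
    return {
        # certificates whose line in the "after" output carries an invalid marker
        "invalid": sorted(n for n, (_, ok) in a.items() if not ok),
        # certificates present in both outputs with a different fingerprint
        "changed": sorted(n for n in a if n in b and a[n][0] != b[n][0]),
        # certificates that disappeared from the chain
        "missing": sorted(set(b) - set(a)),
    }

# Constructed sample output: same layout as the report, shortened fake fingerprints.
BEFORE = """PDH EP384 D256 aa01
 ⬑ PEK EP384 E256 bb02
   •⬑ OCA EP384 E256 cc03
    ⬑ CEK EP384 E256 dd04
       ⬑ ASK R4096 R384 ee05
         •⬑ ARK R4096 R384 ff06

 • = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
"""
AFTER = BEFORE.replace("aa01", "aa91").replace("cc03", "cc93")
# Constructed failure case: the PEK line carries an invalid-signature marker.
BROKEN = AFTER.replace("⬑ PEK", "⬑\u0338 PEK")

if __name__ == "__main__":
    print(check_provision(BEFORE, AFTER))
    print(check_provision(BEFORE, BROKEN))
```

A verification step would expect `changed` to contain OCA and PDH only, with `invalid` and `missing` empty; a change in CEK, ASK or ARK means the output came from a different platform or chain.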

Comment 13 John Ferlan 2022-02-11 12:04:58 UTC
Moving back to MODIFIED in order to go through the Errata process

Clearing the needinfo on Tyler since the question was answered in https://bugzilla.redhat.com/show_bug.cgi?id=2037953#c15

Updated the Fixed in Version and changed DTM=24 to avoid the RHEL bot messages since it's expected to work through Errata Tool today.

Comment 17 errata-xmlrpc 2022-05-10 14:25:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sevctl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1945

