Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2037963

Summary: sevctl verify could not find a matching builtin certificate on AMD Milan
Product: Red Hat Enterprise Linux 8 Reporter: John Ferlan <jferlan>
Component: sevctlAssignee: Tyler Fanelli <tfanelli>
Status: CLOSED ERRATA QA Contact: zixchen
Severity: medium Docs Contact:
Priority: medium    
Version: 8.6CC: coli, jferlan, tfanelli, zixchen
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sevctl-0.2.0-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2012046 Environment:
Last Closed: 2022-05-10 14:25:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2012046, 2037961    
Bug Blocks:    

Description John Ferlan 2022-01-06 22:04:16 UTC 
+++ This bug was initially created as a clone of Bug #2012046 +++

Description of problem:
On Milan, sevctl verify fails with both rhel8 and rhel9 version. 

Version-Release number of selected component (if applicable):
sevctl-0.1.0-3.el9

How reproducible:
100%

Steps to Reproduce:
1.# sevctl verify
error: failed to deduce platform generation
caused by: could not find a matching builtin certificate


Actual results:
sevctl fails to verify 

Expected results:
sevctl verify success

Additional info:

--- Additional comment from John Ferlan on 2021-10-29 18:51:04 UTC ---

Tyler Fanelli (intern w/ virt team) noted to me that he has tested using an upstream version of sevctl and this has been fixed

Perhaps related to upstream commits:

 https://github.com/enarx/sev/pull/52

or perhaps

 https://github.com/enarx/sev/pull/54

In any case, should be resolved by next rebase.
Comment 1 John Ferlan 2022-01-06 22:05:58 UTC 
This is the RHEL8 clone for the RHEL9 bug - just for completeness.
Comment 2 John Ferlan 2022-02-01 20:52:08 UTC 
Part of the rebase bug 2037961
Comment 3 Tyler Fanelli 2022-02-02 21:55:45 UTC 
Fixed-in-Version: sevctl-0.2.0-1.el8
Comment 5 zixchen 2022-02-07 10:37:06 UTC 
Test with sevctl-0.2.0-1.el8.x86_64, the issue is fixed on Milan.

Version:
sevctl-0.2.0-1.el8.x86_64

Steps:
# sevctl verify
PDH EP384 D256 ba3ca11b1fdbeaa636cc57853a570e98c6e777b1c61a3fdf42f5b13c55b13fa2
 ⬑ PEK EP384 E256 4a8fe457a0ba046ac47cc177fea262767a52f26891b0e2e01c6beb38b0ad204c
   •⬑ OCA EP384 E256 6149540f8c61e94e4feda43dc8e1d9f7baebe078f2061626e9c623bca77eb733
    ⬑ CEK EP384 E256 f9bc6116c817c63158f7da1487a07794ccfecb8767277dfece3791b24b90df4d
       ⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
         •⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737

 • = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs

Results:
Sevctl verify cmd works on Milan.
Comment 7 John Ferlan 2022-02-11 12:05:48 UTC 
Moving back to MODIFIED in order to go through the Errata process

Clearing the needinfo on Tyler since the Fixed in Version was updated.

Changed DTM=24 to avoid the RHEL bot messages since it's expected to work through Errata Tool today.
Comment 11 errata-xmlrpc 2022-05-10 14:25:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sevctl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1945
Comment 12 John Ferlan 2022-06-16 18:47:40 UTC 
Just clearing needinfo.