Bug 2176917 - 3 minor issues related to virt-qemu-sev-validate command [rhel-9.3.0]
Summary: 3 minor issues related to virt-qemu-sev-validate command [rhel-9.3.0]
Keywords:
Status: VERIFIED
Alias: None
Deadline: 2023-04-10
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Berrangé
QA Contact: Luyao Huang
URL:
Whiteboard:
Depends On: 2172347
Blocks:
Reported: 2023-03-09 16:22 UTC by RHEL Program Management Team
Modified: 2023-07-22 08:27 UTC (History)
5 users

Fixed In Version: libvirt-9.1.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2172347
Environment:
Last Closed:
Type: ---
Target Upstream Version: 9.1.0
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-151286 0 None None None 2023-03-09 16:23:45 UTC

Comment 1 Luyao Huang 2023-03-15 09:37:28 UTC
I noticed there is one mistake in manpages of virt-qemu-sev-validate:

# man virt-qemu-sev-validate |grep disk-password
              --disk-password passwd.txt \
              --disk-password passwd.txt
              --disk-password passwd.txt

# rpm -q libvirt
libvirt-9.1.0-1.el9.x86_64

Comment 2 Daniel Berrangé 2023-03-15 10:50:11 UTC
(In reply to Luyao Huang from comment #1)
> I noticed there is one mistake in manpages of virt-qemu-sev-validate:
> 
> # man virt-qemu-sev-validate |grep disk-password
>               --disk-password passwd.txt \
>               --disk-password passwd.txt
>               --disk-password passwd.txt

You need to look at the full context here. The first '--disk-password' has a trailing '\' because there are further args following it on the next line. The other '--disk-password' usage has no following args, so does not need a trailing '\'.

Comment 3 Luyao Huang 2023-03-15 13:09:15 UTC
(In reply to Daniel Berrangé from comment #2)
> (In reply to Luyao Huang from comment #1)
> > I noticed there is one mistake in manpages of virt-qemu-sev-validate:
> > 
> > # man virt-qemu-sev-validate |grep disk-password
> >               --disk-password passwd.txt \
> >               --disk-password passwd.txt
> >               --disk-password passwd.txt
> 
> You need to look at the full context here. The first '--disk-password' has a
> trailing '\' because there are further args following it on the next line.
> The other '--disk-password' usage has no following args, so does not need a
> trailing '\'.

Thanks for your quick reply! I think my short comment caused a misunderstanding here. What I want to point out is that virt-qemu-sev-validate does not support the --disk-password option, but I can still find it in the manpages. I think we should replace them with --inject-secret luks-key:passwd.txt.

Test on libvirt-9.1.0-1.el9.x86_64:

# virt-qemu-sev-validate --disk-password passwd.txt
usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT]
                              [--api-major API_MAJOR] [--api-minor API_MINOR] [--build-id BUILD_ID]
                              [--policy POLICY] [--firmware FIRMWARE] [--kernel KERNEL]
                              [--initrd INITRD] [--cmdline CMDLINE] [--num-cpus NUM_CPUS]
                              [--vmsa-cpu0 VMSA_CPU0] [--vmsa-cpu1 VMSA_CPU1] [--cpu-family CPU_FAMILY]
                              [--cpu-model CPU_MODEL] [--cpu-stepping CPU_STEPPING] [--tik TIK]
                              [--tek TEK] [--tk TK] [--connect CONNECT] [--domain DOMAIN] [--insecure]
                              [--ignore-config] [--inject-secret INJECT_SECRET]
                              [--secret-payload SECRET_PAYLOAD] [--secret-header SECRET_HEADER]
virt-qemu-sev-validate: error: unrecognized arguments: --disk-password passwd.txt

# virt-qemu-sev-validate --help | grep "\--disk-password"

Comment 7 Luyao Huang 2023-05-18 07:27:22 UTC
Verified this bug with libvirt-9.3.0-2.el9.x86_64:

1. 
# rpm -qpR libvirt-client-qemu-9.3.0-2.el9.x86_64.rpm 
/usr/bin/python3
libvirt-libs = 9.3.0-2.el9
python3-cryptography
python3-libvirt >= 3.7.0
python3-lxml
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1

# dnf install libvirt-client-qemu-9.3.0-2.el9.x86_64.rpm

# virt-qemu-sev-validate --help
usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT] [--api-major API_MAJOR] [--api-minor API_MINOR]
                              [--build-id BUILD_ID] [--policy POLICY] [--firmware FIRMWARE] [--kernel KERNEL] [--initrd INITRD] [--cmdline CMDLINE]
                              [--num-cpus NUM_CPUS] [--vmsa-cpu0 VMSA_CPU0] [--vmsa-cpu1 VMSA_CPU1] [--cpu-family CPU_FAMILY]
                              [--cpu-model CPU_MODEL] [--cpu-stepping CPU_STEPPING] [--tik TIK] [--tek TEK] [--tk TK] [--connect CONNECT]
                              [--domain DOMAIN] [--insecure] [--ignore-config] [--inject-secret INJECT_SECRET] [--secret-payload SECRET_PAYLOAD]
                              [--secret-header SECRET_HEADER]

Validate guest AMD SEV launch measurement
...

2.
# man virt-qemu-sev-validate | grep "\--loader"
# man virt-qemu-sev-validate | grep "virt-dom-sev-validate"
# man virt-qemu-sev-validate | grep "\--disk-password passwd.txt"

3.
# cat /usr/share/doc/libvirt-docs/html/kbase/launch_security_sev.html |grep -a6 "\--firmware"
<pre class="literal-block">$ virt-qemu-sev-validate \
    --measurement LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp \
    --api-major 0 \
    --api-minor 24 \
    --build-id 15 \
    --policy 3 \
    --firmware /path/to/OVMF.sev.fd \
    --tik ${myvmname}_tik.bin \
    --tek ${myvmname}_tek.bin
OK: Looks good to me</pre>
<p>The <a class="reference external" href="../manpages/virt-qemu-sev-validate.html">man page</a> for
<span class="docutils literal"><span class="pre">virt-qemu-sev-validate</span></span> outlines a great many other ways to invoke this
tool.</p>
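The verification in comment 7 greps the man page for one stale option at a time. The following shell script is an added example, not part of this bug report or of libvirt: it generalizes that check by extracting every long option mentioned in a documentation excerpt and reporting those that the tool's own `--help` usage does not list, which is exactly how `--disk-password` would have been caught here. The help and man-page text embedded below are constructed samples modelled on the output quoted in this bug so that the script runs offline; the function names `long_options` and `stale_doc_options` are my own.

```shell
#!/bin/sh
# Constructed sample of `virt-qemu-sev-validate --help` usage text, modelled on the
# output quoted in this bug (not captured from a real host).
SAMPLE_HELP='usage: virt-qemu-sev-validate [-h] [--debug] [--quiet] [--measurement MEASUREMENT]
                              [--tik TIK] [--tek TEK] [--tk TK] [--connect CONNECT] [--domain DOMAIN] [--insecure]
                              [--ignore-config] [--inject-secret INJECT_SECRET]
                              [--secret-payload SECRET_PAYLOAD] [--secret-header SECRET_HEADER]'

# Constructed sample of a man page excerpt that still documents a removed option.
SAMPLE_MAN='  virt-qemu-sev-validate \
      --tik ${myvmname}_tik.bin \
      --tek ${myvmname}_tek.bin \
      --disk-password passwd.txt \
      --inject-secret luks-key:passwd.txt'

# Print the sorted, unique set of long options (--foo-bar) found in the text on stdin.
long_options() {
    grep -o -- '--[a-z][a-z0-9-]*' | sort -u
}

# Report long options that appear in documentation text but not in --help output.
# $1 = help text, $2 = documentation text. Prints one stale option per line.
stale_doc_options() {
    help_opts=$(printf '%s\n' "$1" | long_options)
    printf '%s\n' "$2" | long_options | while read -r opt; do
        # -x: whole-line match, -F: fixed string, so --tk does not match --tik
        printf '%s\n' "$help_opts" | grep -qxF -- "$opt" || printf '%s\n' "$opt"
    done
}

# Offline demonstration on the constructed samples; prints "--disk-password".
stale_doc_options "$SAMPLE_HELP" "$SAMPLE_MAN"

# Against an installed build (assumes the tool and its man page are present):
#   stale_doc_options "$(virt-qemu-sev-validate --help 2>&1)" "$(man virt-qemu-sev-validate 2>/dev/null)"
```

The check is deliberately one-directional: an option present in `--help` but missing from the man page is an incomplete document, whereas an option present in the man page but rejected by the tool is the misleading case reported in this bug, since a user following the documentation gets an "unrecognized arguments" error instead of a validated launch measurement.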

