2222043 – Release new version of sevctl for RHEL 8.9.0

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2222043 - Release new version of sevctl for RHEL 8.9.0

Summary: Release new version of sevctl for RHEL 8.9.0

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sevctl
Sub Component:
Version:	8.8
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Tyler Fanelli
QA Contact:	zixchen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2222104
TreeView+	depends on / blocked

Reported:	2023-07-11 16:21 UTC by Tyler Fanelli
Modified:	2023-11-14 17:06 UTC (History)
CC List:	6 users (show)
Fixed In Version:	sevctl-0.4.2-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2222104 (view as bug list)
Environment:
Last Closed:	2023-11-14 15:36:29 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-162041	0	None	None	None	2023-07-11 16:25:00 UTC
Red Hat Product Errata	RHBA-2023:7051	0	None	None	None	2023-11-14 15:36:32 UTC

Description Tyler Fanelli 2023-07-11 16:21:09 UTC

Release a new version of the sevctl package for RHEL 8.9.0

Comment 1 Tyler Fanelli 2023-07-13 00:11:28 UTC

Build successful and merged: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/14

@

Comment 2 Tyler Fanelli 2023-07-13 00:12:05 UTC

Comment 3 Tyler Fanelli 2023-07-13 01:26:36 UTC

Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS process. Once the RPMs are successfully built and merged, is there any steps I need to take? Or can I move forward to the errata process?

Comment 4 zixchen 2023-07-13 07:48:16 UTC

(In reply to Tyler Fanelli from comment #3)
> Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS
> process. Once the RPMs are successfully built and merged, is there any steps
> I need to take? Or can I move forward to the errata process?

QE not familiar with the packaging process too. 
Miroslav, do you know Tyler's questions?

Comment 5 John Ferlan 2023-07-13 16:26:19 UTC

From the above - at the very least we'll need to get a qa_ack+ and an ITM set in order to get release+. Same for bug 2222104.

I'll let Mirek help with other steps as I'm less aware of how to get through build, gating, etc.

Comment 6 Miroslav Rezanina 2023-07-17 12:45:16 UTC

(In reply to Tyler Fanelli from comment #3)
> Apologies for the confusion, as I'm still a bit unfamiliar with the CentOS
> process. Once the RPMs are successfully built and merged, is there any steps
> I need to take? Or can I move forward to the errata process?

Have you build the package? I do not see sevctl 0.4.1 in neither centos or rhel koji.

Anyway process is as follow:

1) Build centos page - after build is finished, rhel build is started by automation

2) RHEL build needs to pass gating to get candidate tag

3) After getting candidate tag, this BZ has to be preverified (Verified:Tested needs to be set)

4) After thet, you can add build and BZ to errata (or create new one if not exists)

Comment 7 Tyler Fanelli 2023-07-19 16:19:49 UTC

Build succeeded: https://brewweb.engineering.redhat.com/brew/search?match=glob&type=build&terms=+sevctl-0.4.1-2.el8
Gating passed: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/54014276

Comment 8 Tyler Fanelli 2023-07-20 00:38:44 UTC

> 2) RHEL build needs to pass gating to get candidate tag

Build + gating have passed. When can I expect a candidate tag?

Comment 9 Yanan Fu 2023-07-20 04:00:15 UTC

QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 10 Miroslav Rezanina 2023-07-25 10:25:27 UTC

(In reply to Tyler Fanelli from comment #8)
> > 2) RHEL build needs to pass gating to get candidate tag
> 
> Build + gating have passed. When can I expect a candidate tag?

Candidate tag is usually set few minutes after gating is passed.

Comment 11 zixchen 2023-07-27 09:18:41 UTC

RHEL 8 test result is the same wit rhel9.
Issues:
1. sevctl ok failed on SNP capable host without enable SNP. 
:: [ 23:20:59 ] :: [  BEGIN   ] :: Running 'sevctl ok'
STDOUT: [ [38;5;2mPASS[0m ] - AMD CPU
STDOUT: [ [38;5;2mPASS[0m ]   - Microcode support
STDOUT: [ [38;5;2mPASS[0m ]   - Secure Memory Encryption (SME)
STDOUT: [ [38;5;2mPASS[0m ]   - Secure Encrypted Virtualization (SEV)
STDOUT: [ [38;5;2mPASS[0m ]     - Encrypted State (SEV-ES)
STDOUT: [ [38;5;1mFAIL[0m ]     - Secure Nested Paging (SEV-SNP)
STDOUT: [ [38;5;3mSKIP[0m ]       - VM Permission Levels
STDERR: Error: One or more tests in sevctl-ok reported a failure
STDOUT: [ [38;5;3mSKIP[0m ]         - Number of VMPLs
STDOUT: [ [38;5;2mPASS[0m ]     - Physical address bit reduction: 5
STDOUT: [ [38;5;2mPASS[0m ]     - C-bit location: 51
STDOUT: [ [38;5;2mPASS[0m ]     - Number of encrypted guests supported simultaneously: 509
STDOUT: [ [38;5;2mPASS[0m ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
STDOUT: [ [38;5;2mPASS[0m ]     - SEV enabled in KVM: enabled
STDOUT: [ [38;5;2mPASS[0m ]     - SEV-ES enabled in KVM: enabled
STDOUT: [ [38;5;2mPASS[0m ]     - Reading /dev/sev: /dev/sev readable
STDOUT: [ [38;5;2mPASS[0m ]     - Writing /dev/sev: /dev/sev writable
STDOUT: [ [38;5;2mPASS[0m ]   - Page flush MSR: [38;5;2mENABLED[0m
STDOUT: [ [38;5;2mPASS[0m ] - KVM supported: API version: 12
STDOUT: [ [38;5;2mPASS[0m ] - Memlock resource limit: Soft: 65536 | Hard: 65536
:: [ 23:20:59 ] :: [   FAIL   ] :: Command 'sevctl ok' (Expected 0, got 1)
2. ON SNP enabled platform, show flags is es. 
# sevctl show flags
owned
es 
3. On Genoa, vcek URL shows Milan
# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL=12&ucodeSPL=33

Version:
sevctl-0.4.1-2.el8.x86_64

Steps:
Milan/Genoa
regression test log: http://lab-04.rhts.eng.pek2.redhat.com/beaker/logs/tasks/163670+/163670040/taskout.log
1. # sevctl measurement build     --api-major 01 --api-minor 53 --build-id 5     --policy 0x07     --tik sev_es_dhcert_tik.bin     --firmware /usr/share/edk2/ovmf/OVMF_CODE.cc.fd     --num-cpus 4     --vmsa-cpu0 NEW-VMSA0.bin     --vmsa-cpu1 NEW-VMSA1.bin     --launch-measure-blob sev_es_dhcert_session.b64
M9zsBsc7vjRGpq+uS73iTF2CR6AEjOkxETavi0033UV3b3g1VmhOamR3QXZRQkNScC8xSEs4Zk50SGNRcjVLb0J6a2dtOFg3R3ZsU1JnNUgwbzJxenFHU21zZldpUC8xaXNadHZkRXNsUVZ0ZU5iaXN1R0VpOS83V29nNlhmb2pkOHd1Z3lweHVpWExmN1NiaXVwRGdvRVRGakxJWFJvczlwWWhESjd2Z0JjPQ==
2. # # sevctl secret build     --tik sev_es_dhcert_tik.bin     --tek sev_es_dhcert_tek.bin     --launch-measure-blob sev_es_dhcert_session.b64     --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt     secret_header.bin     secret_payload.bin
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin
3. # sevctl show identifier
E18AB8A566916516B72307B543C9B4A4DFB10D28217252018EC5705A145B3DF8D6705EBAB5CF342A68CB074CFDC99B299E6394DE8FED0F46EABA2F850718F069
4. # sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 53,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
        reported_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
    },
}
5. # sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53?blSPL=03&teeSPL=00&snpSPL=10&ucodeSPL=206

Comment 12 Tyler Fanelli 2023-07-28 22:48:43 UTC

I've removed the vcek-url subcommand (i.e. moved to snphost) and rebased to 0.4.2. Build here: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/26

Comment 14 Tyler Fanelli 2023-08-06 23:55:06 UTC

Build completed: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2630977

Comment 15 zixchen 2023-08-07 09:39:58 UTC

Verified with sevctl-0.4.2-1.el8.x86_64, regression test pass and snp host functions are removed.

Version:
sevctl-0.4.2-1.el8.x86_64

Steps:
please check attachment test log.
# sevctl show identifier
E18AB8A566916516B72307B543C9B4A4DFB10D28217252018EC5705A145B3DF8D6705EBAB5CF342A68CB074CFDC99B299E6394DE8FED0F46EABA2F850718F069

sevctl Vcek-url and snp-status are removed. 

Result:
No issue found.

Comment 23 John Ferlan 2023-08-10 11:54:27 UTC

clearing needinfo on Mirek since Tyler has moved bug to on_qa now

Comment 24 CongLi 2023-08-15 06:46:11 UTC

Based on comment 15, move this bug to VERIFIED.

Comment 26 errata-xmlrpc 2023-11-14 15:36:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sevctl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7051

Note You need to log in before you can comment on or make changes to this bug.