Bug 2222104 - Release new version of sevctl for RHEL 9.3.0
Summary: Release new version of sevctl for RHEL 9.3.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sevctl
Version: 9.3
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: rc
: ---
Assignee: Tyler Fanelli
QA Contact: zixchen
URL:
Whiteboard:
Depends On: 2222043
Blocks: 2104857 2151892
 
Reported: 2023-07-11 19:45 UTC by John Ferlan
Modified: 2024-03-07 04:25 UTC

Fixed In Version: sevctl-0.4.2-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2222043
Environment:
Last Closed: 2023-11-07 08:36:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
Red Hat Issue Tracker RHELPLAN-162063 (last updated 2023-07-11 19:49:00 UTC)
Red Hat Product Errata RHEA-2023:6546 (last updated 2023-11-07 08:37:00 UTC)

Description John Ferlan 2023-07-11 19:45:05 UTC
+++ This bug was initially created as a clone of Bug #2222043 +++

Release a new version of the sevctl package for RHEL 9.3

Comment 1 Tyler Fanelli 2023-07-13 01:23:21 UTC
@

Comment 2 Tyler Fanelli 2023-07-13 01:24:38 UTC
It seems that although this is a 9.3 release, the c9s policy at the moment has the target release set to 9.2.0?

https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/jobs/4644186646

Comment 5 Tyler Fanelli 2023-07-14 02:38:33 UTC
Build successful and merged: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20

Comment 6 zixchen 2023-07-18 09:20:51 UTC
Hi Tyler, you need to create the CentOS build and then the RHEL build first to change this bug to MODIFIED. Please check Miroslav's 8.9 rebase comment https://bugzilla.redhat.com/show_bug.cgi?id=2222043#c6.
Now Fixed In Version: the sevctl-0.4.1 build is not in the CentOS or RHEL build yet.
Once the RHEL build passes gating, Verified:Tested will be set, and the bug will move from MODIFIED to ON_QA.

Comment 7 zixchen 2023-07-19 05:24:58 UTC
(In reply to Tyler Fanelli from comment #5)
> Build successful and merged:
> https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20

In the mock build in the MR, there are snphost and snpguest packages as well as sevctl, but I don't find these 2 packages in brew web https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
Tyler, could you please check whether we are missing these 2 packages?

Comment 8 Tyler Fanelli 2023-07-19 16:17:59 UTC
(In reply to zixchen from comment #7)
> (In reply to Tyler Fanelli from comment #5)
> > Build successful and merged:
> > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
> 
> The mock build in MR, there are snphost and snpguest packages except sevctl,
> but I don't find these 2 packages in brew web
> https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> Tyler could you please check are we missing these 2 packages?

Our latest commit removed the snphost and snpguest tools. We're going to release them in their own packages.

Build succeeded: https://brewweb.engineering.redhat.com/brew/search?match=glob&type=build&terms=+sevctl-0.4.1-2.el9
Gating passed: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/54014154

Comment 9 zixchen 2023-07-20 03:25:45 UTC
(In reply to Tyler Fanelli from comment #8)
> (In reply to zixchen from comment #7)
> > (In reply to Tyler Fanelli from comment #5)
> > > Build successful and merged:
> > > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
> > 
> > The mock build in MR, there are snphost and snpguest packages except sevctl,
> > but I don't find these 2 packages in brew web
> > https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> > Tyler could you please check are we missing these 2 packages?
> 
> Our latest commit removed the snphost and snpguest tools. We're going to
> release them in their own packages.

Would snphost and snpguest target 9.3 too? I've tried the CentOS mock build; all snpguest functions work on an SNP-enabled VM. Since we have enabled SNP guest since 9.1, IMO it's better to have snpguest as soon as possible.

Comment 10 Tyler Fanelli 2023-07-20 03:34:32 UTC
(In reply to zixchen from comment #9)
> (In reply to Tyler Fanelli from comment #8)
> > (In reply to zixchen from comment #7)
> > > (In reply to Tyler Fanelli from comment #5)
> > > > Build successful and merged:
> > > > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
> > > 
> > > The mock build in MR, there are snphost and snpguest packages except sevctl,
> > > but I don't find these 2 packages in brew web
> > > https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> > > Tyler could you please check are we missing these 2 packages?
> > 
> > Our latest commit removed the snphost and snpguest tools. We're going to
> > release them in their own packages.
> 
> Would snphost and snpguest target in 9.3 too? I've tried the centos mock
> build, snpguest all functions work on a snp enabled VM. Since we have
> enabled snp guest since 9.1, IMO, it's better to have snpguest as soon as
> possible.

Sure, I'll just have to create a package request for it. Will notify when that's completed.

Comment 11 Yanan Fu 2023-07-20 04:00:58 UTC
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 12 zixchen 2023-07-20 09:29:15 UTC
Regression test reports 1 failure. After sevctl-0.4.1-2.el9.x86_64, sevctl ok returns an error when an SNP-capable system doesn't have SNP enabled. Before, it all passed. Tyler, could you please check whether this is expected?
# sevctl ok
[ PASS ] - AMD CPU
[ PASS ]   - Microcode support
[ PASS ]   - Secure Memory Encryption (SME)
[ PASS ]   - Secure Encrypted Virtualization (SEV)
[ PASS ]     - Encrypted State (SEV-ES)
[ FAIL ]     - Secure Nested Paging (SEV-SNP)
[ SKIP ]       - VM Permission Levels
[ SKIP ]         - Number of VMPLs
[ PASS ]     - Physical address bit reduction: 5
[ PASS ]     - C-bit location: 51
[ PASS ]     - Number of encrypted guests supported simultaneously: 509
[ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ]     - SEV enabled in KVM: enabled
[ PASS ]     - SEV-ES enabled in KVM: enabled
[ PASS ]     - Reading /dev/sev: /dev/sev readable
[ PASS ]     - Writing /dev/sev: /dev/sev writable
[ PASS ]   - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
Error: One or more tests in sevctl-ok reported a failure

Comment 13 zixchen 2023-07-24 07:59:43 UTC
Verified the new functions of sevctl. Tyler, please check the last part, "Failed cases", to see whether the failed cases are bugs. Thanks.
sev-es: sanity test passes except that sevctl ok returns failed, as in comment 12.

Version:
sevctl-0.4.1-2.el9.x86_64

Milan:
# sevctl measurement build \
    --api-major 01 --api-minor 53 --build-id 5 \
    --policy 0x07 \
    --tik sev_es_dhcert_tik.bin \
    --firmware /usr/share/edk2/ovmf/OVMF_CODE.fd \
    --num-cpus 4 \
    --vmsa-cpu0 NEW-VMSA0.bin \
    --vmsa-cpu1 NEW-VMSA1.bin \
    --launch-measure-blob sev_es_dhcert_session.b64
K9GWQoy7SlOnfJbZfhqNbG1pxVNU3oUG6Tets09lH645dnRMdThMd2YrSENxb0lrYXkwZUs4Q01raTdaemFNaUhtZ0RHMmFtY1NEdVVEWENyZnJZNER1S0h5MFMzNUgvK2VLUkNwZkRxSFVnSStHODJVcHJtelR1QjJSOE9tTXhDZ2x3Zms2YnNERkNyTTZQNEdRZVR1aGNuWlNiU1RKNTczZVRVSmlNNHJFPQ==

# sevctl secret build \
    --tik sev_es_dhcert_tik.bin \
    --tek sev_es_dhcert_tek.bin \
    --launch-measure-blob sev_es_dhcert_session.b64 \
    --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt \
    secret_header.bin \
    secret_payload.bin
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin

# sevctl show identifier
19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53
# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53?blSPL=03&teeSPL=00&snpSPL=10&ucodeSPL=206
# sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 53,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
        reported_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
    },
}

Passed cases on Genoa:
# sevctl measurement build \
    --api-major 01 --api-minor 55 --build-id 5 \
    --policy 0x07 \
    --tik sev_es_dhcert_tik.bin \
    --firmware /usr/share/edk2/ovmf/OVMF_CODE.fd \
    --num-cpus 4 \
    --vmsa-cpu0 NEW-VMSA0.bin \
    --vmsa-cpu1 NEW-VMSA1.bin \
    --launch-measure-blob sev_es_dhcert_session.b64
Oj4PgW0K7O42JJtM/N/PeGOb7+zmRc2Kfmr5O2tbQvgvRm1PWkltNmNYQTh6SWl3MXZ3bXpVUXRsMEQwd04zdlFBa3VpQzluV2ZPTy9JNUt5VDNFV2w5SUxrNjVsL3ZRdVN1MnJxZ1BMK0w3MHVWRHB3R04rSjlpK3lMWTNyQUZhb25hYWhDcnVhTFZKT0ZiQU1ka1dBRzRka0NYMDdqRkFZVWtseW1uRlpvPQ==

# sevctl secret build \
    --tik sev_es_dhcert_tik.bin \
    --tek sev_es_dhcert_tek.bin \
    --launch-measure-blob sev_es_dhcert_session.b64 \
    --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt \
    secret_header.bin \
    secret_payload.bin 
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin

# sevctl show identifier
06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657
# sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 55,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 7,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 12,
            microcode: 33,
        },
        reported_version: TcbVersion {
            bootloader: 7,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 12,
            microcode: 33,
        },
    },
}


Failed cases:
On an SNP-capable host (both Milan and Genoa), sevctl show flags should be snp.
# dmesg|grep -i sev
[    4.750584] SEV-SNP: RMP table physical address 0x0000000025e00000 - 0x00000000566fffff
[   10.829914] ccp 0000:26:00.1: sev enabled
[   14.268520] ccp 0000:26:00.1: SEV API:1.53 build:5
[   14.273324] ccp 0000:26:00.1: SEV-SNP API:1.53 build:5
[   22.192447] SEV supported: 410 ASIDs
[   22.196024] SEV-ES and SEV-SNP supported: 99 ASIDs
# sevctl show flags
es

The vcek-url format should be URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the product name should be Genoa, not Milan.
# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL=12&ucodeSPL=33

Comment 14 Tyler Fanelli 2023-07-25 18:02:23 UTC
Hi Zixi, what is the processor ID of the Genoa machine that you're testing with?

Comment 15 zixchen 2023-07-26 01:33:55 UTC
(In reply to Tyler Fanelli from comment #14)
> Hi Zixi, what is the processor ID of the Genoa machine that you're testing
> with?

Genoa: AMD EPYC 9654 96-Core Processor

Comment 16 Tyler Fanelli 2023-07-27 18:23:34 UTC
> 
> Failed cases:
> On SNP capable host(both Milan and Genoa), sevctl show flags should be snp. 
> # dmesg|grep -i sev
> [    4.750584] SEV-SNP: RMP table physical address 0x0000000025e00000 -
> 0x00000000566fffff
> [   10.829914] ccp 0000:26:00.1: sev enabled
> [   14.268520] ccp 0000:26:00.1: SEV API:1.53 build:5
> [   14.273324] ccp 0000:26:00.1: SEV-SNP API:1.53 build:5
> [   22.192447] SEV supported: 410 ASIDs
> [   22.196024] SEV-ES and SEV-SNP supported: 99 ASIDs
> # sevctl show flags
> es

No, this command follows the SEV_PLATFORM_STATUS ioctl and its flags. There is no "SNP" flag for this.

> 
> Vcek-url format should be
> URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> product name should be Genoa, not Milan 
> # sevctl show vcek-url
> https://kdsintf.amd.com/vcek/v1/Milan/
> 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> =12&ucodeSPL=33

Investigating now.

Comment 17 Tyler Fanelli 2023-07-27 18:26:13 UTC
> Vcek-url format should be
> URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> product name should be Genoa, not Milan 
> # sevctl show vcek-url
> https://kdsintf.amd.com/vcek/v1/Milan/
> 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> =12&ucodeSPL=33

I think we should remove this altogether, as it was put in before snphost was created (and before Genoa was online, so "Milan" was hardcoded in the string). Finding a VCEK URL is SEV-SNP specific, and thus is more suited for snphost.
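
An added example (not sevctl's or snphost's code) of the derivation discussed in comments 13 and 17: building the KDS VCEK URL from the chip identifier printed by `sevctl show identifier` and the reported TCB in `sevctl show snp-status`, with the product name supplied by the caller instead of being hard-coded to Milan. The status text is constructed from the Milan dump in comment 13; the `cert_chain` endpoint and the rule that the VCEK is keyed by the reported TCB come from AMD's KDS and SNP firmware documentation, not from this page.

```python
import re
from dataclasses import dataclass

KDS = "https://kdsintf.amd.com/vcek/v1"

# Chip identifiers as printed by `sevctl show identifier` in comment 13.
MILAN_ID = "19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53"
GENOA_ID = "06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657"

# Constructed sample: the TCB part of the `sevctl show snp-status` output for
# the Milan host in comment 13 (Rust Debug formatting, unrelated fields trimmed).
SNP_STATUS_MILAN = """SnpStatus {
    state: Initialized,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [0, 0, 0, 0],
            snp: 10,
            microcode: 206,
        },
        reported_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [0, 0, 0, 0],
            snp: 10,
            microcode: 206,
        },
    },
}"""


@dataclass(frozen=True)
class TcbVersion:
    bootloader: int
    tee: int
    snp: int
    microcode: int


def parse_reported_tcb(snp_status):
    """Pull reported_version out of the snp-status dump: the VCEK that signs
    attestation reports is derived from the reported TCB, not platform_version."""
    m = re.search(r"reported_version: TcbVersion \{(.*?)\}", snp_status, re.S)
    if not m:
        raise ValueError("no reported_version block in snp-status output")
    fields = {k: int(v) for k, v in re.findall(r"(\w+): (\d+),", m.group(1))}
    return TcbVersion(fields["bootloader"], fields["tee"], fields["snp"], fields["microcode"])


def vcek_url(product, chip_id, tcb):
    """Build the KDS VCEK URL; `product` must match the CPU (Milan or Genoa),
    which is exactly what the hard-coded "Milan" in sevctl got wrong on Genoa."""
    if product not in ("Milan", "Genoa"):
        raise ValueError(f"unknown product name: {product}")
    if not re.fullmatch(r"[0-9A-Fa-f]{128}", chip_id):
        raise ValueError("chip id must be the 64-byte hex value from `sevctl show identifier`")
    return (f"{KDS}/{product}/{chip_id.upper()}"
            f"?blSPL={tcb.bootloader:02}&teeSPL={tcb.tee:02}"
            f"&snpSPL={tcb.snp:02}&ucodeSPL={tcb.microcode:02}")


def kds_product_url(product, resource):
    """Per-product KDS endpoints: "crl" (the format comment 13 quotes) and
    "cert_chain" (the ASK/ARK chain that signs the VCEK)."""
    if resource not in ("crl", "cert_chain"):
        raise ValueError(f"unknown KDS resource: {resource}")
    return f"{KDS}/{product}/{resource}"
```

With the Milan values from comment 13 the result matches the URL sevctl printed there; with the Genoa values it yields the Genoa URL that the hard-coded string could not produce.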

Comment 18 zixchen 2023-07-28 02:43:07 UTC
(In reply to zixchen from comment #12)
> Regression test reports 1 fail. After sevctl-0.4.1-2.el9.x86_64 sevctl ok
> will return error when supporting SNP system doesn't enable SNP. Before it
> will all pass. Tyler could you please check is this expected? 
> # sevctl ok
> [ PASS ] - AMD CPU
> [ PASS ]   - Microcode support
> [ PASS ]   - Secure Memory Encryption (SME)
> [ PASS ]   - Secure Encrypted Virtualization (SEV)
> [ PASS ]     - Encrypted State (SEV-ES)
> [ FAIL ]     - Secure Nested Paging (SEV-SNP)
> [ SKIP ]       - VM Permission Levels
> [ SKIP ]         - Number of VMPLs
> [ PASS ]     - Physical address bit reduction: 5
> [ PASS ]     - C-bit location: 51
> [ PASS ]     - Number of encrypted guests supported simultaneously: 509
> [ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
> [ PASS ]     - SEV enabled in KVM: enabled
> [ PASS ]     - SEV-ES enabled in KVM: enabled
> [ PASS ]     - Reading /dev/sev: /dev/sev readable
> [ PASS ]     - Writing /dev/sev: /dev/sev writable
> [ PASS ]   - Page flush MSR: ENABLED
> [ PASS ] - KVM supported: API version: 12
> [ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
> Error: One or more tests in sevctl-ok reported a failure

Tyler could you please also check this?

Comment 19 zixchen 2023-07-28 02:54:33 UTC
(In reply to Tyler Fanelli from comment #17)
> > Vcek-url format should be
> > URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> > product name should be Genoa, not Milan 
> > # sevctl show vcek-url
> > https://kdsintf.amd.com/vcek/v1/Milan/
> > 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> > 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> > =12&ucodeSPL=33
> 
> I think we should remove this altogether, as it was put in before snphost
> was created (and before Genoa was online, so "Milan" was hardcoded in the
> string). Finding a VCEK URL is SEV-SNP specific, and thus is more suited for
> snphost.

From the QE side, it is OK to support sevctl snphost functions when we enable SNP host, but the decision should be consistent with the other sevctl SNP host commands on Milan and Genoa.
I just have one concern about Genoa: Genoa has already launched to market. When you mentioned "before Genoa online", does Genoa have other things not ready?

Comment 20 Tyler Fanelli 2023-07-28 22:40:32 UTC
(In reply to zixchen from comment #18)
> (In reply to zixchen from comment #12)
> > Regression test reports 1 fail. After sevctl-0.4.1-2.el9.x86_64 sevctl ok
> > will return error when supporting SNP system doesn't enable SNP. Before it
> > will all pass. Tyler could you please check is this expected? 
> > # sevctl ok
> > [ PASS ] - AMD CPU
> > [ PASS ]   - Microcode support
> > [ PASS ]   - Secure Memory Encryption (SME)
> > [ PASS ]   - Secure Encrypted Virtualization (SEV)
> > [ PASS ]     - Encrypted State (SEV-ES)
> > [ FAIL ]     - Secure Nested Paging (SEV-SNP)
> > [ SKIP ]       - VM Permission Levels
> > [ SKIP ]         - Number of VMPLs
> > [ PASS ]     - Physical address bit reduction: 5
> > [ PASS ]     - C-bit location: 51
> > [ PASS ]     - Number of encrypted guests supported simultaneously: 509
> > [ PASS ]     - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
> > [ PASS ]     - SEV enabled in KVM: enabled
> > [ PASS ]     - SEV-ES enabled in KVM: enabled
> > [ PASS ]     - Reading /dev/sev: /dev/sev readable
> > [ PASS ]     - Writing /dev/sev: /dev/sev writable
> > [ PASS ]   - Page flush MSR: ENABLED
> > [ PASS ] - KVM supported: API version: 12
> > [ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
> > Error: One or more tests in sevctl-ok reported a failure
> 
> Tyler could you please also check this?

If a host system doesn't support ALL of the sevctl-ok checks, we would want to indicate that to a user via an error message. This is intended.
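
An added example (not sevctl's code) of how a test harness can consume the behaviour described in comments 12 and 20: a parser for the indented `sevctl ok` tree that reports which checks failed and whether every failure lies under a subtree the deployment has declared optional, so SEV-SNP being disabled on an SNP-capable host is distinguishable from a real SEV or SEV-ES failure. The sample output is constructed from comment 12 (abridged); the `optional` policy is this example's, not sevctl's.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `sevctl ok` output quoted in comment 12 (abridged),
# captured on an SNP-capable host that does not have SNP enabled.
SEVCTL_OK_SNP_DISABLED = """\
[ PASS ] - AMD CPU
[ PASS ]   - Microcode support
[ PASS ]   - Secure Memory Encryption (SME)
[ PASS ]   - Secure Encrypted Virtualization (SEV)
[ PASS ]     - Encrypted State (SEV-ES)
[ FAIL ]     - Secure Nested Paging (SEV-SNP)
[ SKIP ]       - VM Permission Levels
[ SKIP ]         - Number of VMPLs
[ PASS ]     - C-bit location: 51
[ PASS ]     - SEV enabled in KVM: enabled
[ PASS ]     - SEV-ES enabled in KVM: enabled
[ PASS ]   - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
Error: One or more tests in sevctl-ok reported a failure
"""

# One result line: status, indentation (2 spaces per nesting level), check name.
LINE_RE = re.compile(r"^\[ (PASS|FAIL|SKIP) \]( +)- (.*)$")


@dataclass(frozen=True)
class Check:
    status: str
    name: str
    depth: int
    path: tuple  # names of the ancestor checks, root first


def parse_sevctl_ok(text):
    """Turn the indented check tree into a flat list of Check records."""
    checks, stack = [], []  # stack holds (depth, name) of the open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the trailing "Error: ..." summary line is not a check
        status, indent, name = m.groups()
        depth = (len(indent) - 1) // 2  # root entries have a single space
        while stack and stack[-1][0] >= depth:
            stack.pop()
        checks.append(Check(status, name, depth, tuple(n for _, n in stack)))
        stack.append((depth, name))
    return checks


def failures(checks, optional=()):
    """Split FAIL entries into hard failures and those waived because the
    check itself, or one of its ancestors, is named in `optional`."""
    hard, waived = [], []
    for c in checks:
        if c.status != "FAIL":
            continue
        waivable = c.name in optional or any(p in optional for p in c.path)
        (waived if waivable else hard).append(c)
    return hard, waived


def host_ok(text, optional=("Secure Nested Paging (SEV-SNP)",)):
    """True when every FAIL is under an optional subtree. sevctl itself
    (comment 20) treats any FAIL as an error; pass optional=() for that."""
    hard, _ = failures(parse_sevctl_ok(text), optional)
    return not hard
```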

Comment 21 Tyler Fanelli 2023-07-28 22:41:42 UTC
Regarding the vcek-url test, I've removed that subcommand (i.e. it was moved to snphost instead) and rebased to 0.4.2. The build succeeded here: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/25

Comment 25 Tyler Fanelli 2023-08-06 23:00:59 UTC
Build complete: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2630874

Comment 27 zixchen 2023-08-07 09:27:01 UTC
Correction to comment 26: the sevctl version should be sevctl-0.4.2-1.el9.
Verified with sevctl-0.4.2-1.el9.x86_64; the regression test passes and the SNP host functions are removed.

Version:
sevctl-0.4.2-1.el9.x86_64

Steps:
Please check the attached test log.
# sevctl show identifier
19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53
sevctl vcek-url and snp-status are removed.

Result:
No issue found.

Comment 31 zixchen 2023-08-10 08:18:07 UTC
Change status to verified, please check test result in comment 27.

Comment 34 errata-xmlrpc 2023-11-07 08:36:55 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sevctl enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:6546

Comment 35 Red Hat Bugzilla 2024-03-07 04:25:58 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

