+++ This bug was initially created as a clone of Bug #2222043 +++

Release a new version of the sevctl package for RHEL 9.3
It seems that although this is a 9.3 release, the c9s policy at the moment has target release for 9.2.0? https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/jobs/4644186646
Build successful and merged: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
Hi Tyler, you need to create a CentOS build and then a RHEL build first to change this bug to MODIFIED. Please check Miroslav's 8.9 rebase comment https://bugzilla.redhat.com/show_bug.cgi?id=2222043#c6. Right now the Fixed In Version sevctl-0.4.1 build is not in a CentOS or RHEL build yet. Once the RHEL build passes gating, Verified:Tested will then be set, and the bug will move from MODIFIED to ON_QA.
(In reply to Tyler Fanelli from comment #5)
> Build successful and merged:
> https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20

In the mock build in the MR, there are snphost and snpguest packages in addition to sevctl, but I don't find these 2 packages in brew web https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146. Tyler, could you please check whether we are missing these 2 packages?
(In reply to zixchen from comment #7)
> (In reply to Tyler Fanelli from comment #5)
> > Build successful and merged:
> > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
>
> The mock build in MR, there are snphost and snpguest packages except sevctl,
> but I don't find these 2 packages in brew web
> https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> Tyler could you please check are we missing these 2 packages?

Our latest commit removed the snphost and snpguest tools. We're going to release them in their own packages.

Build succeeded: https://brewweb.engineering.redhat.com/brew/search?match=glob&type=build&terms=+sevctl-0.4.1-2.el9

Gating passed: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/54014154
(In reply to Tyler Fanelli from comment #8)
> (In reply to zixchen from comment #7)
> > (In reply to Tyler Fanelli from comment #5)
> > > Build successful and merged:
> > > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
> >
> > The mock build in MR, there are snphost and snpguest packages except sevctl,
> > but I don't find these 2 packages in brew web
> > https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> > Tyler could you please check are we missing these 2 packages?
>
> Our latest commit removed the snphost and snpguest tools. We're going to
> release them in their own packages.

Would snphost and snpguest target 9.3 too? I've tried the CentOS mock build; all snpguest functions work on an SNP-enabled VM. Since we have enabled SNP guest since 9.1, IMO it's better to have snpguest as soon as possible.
(In reply to zixchen from comment #9)
> (In reply to Tyler Fanelli from comment #8)
> > (In reply to zixchen from comment #7)
> > > (In reply to Tyler Fanelli from comment #5)
> > > > Build successful and merged:
> > > > https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/20
> > >
> > > The mock build in MR, there are snphost and snpguest packages except sevctl,
> > > but I don't find these 2 packages in brew web
> > > https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2600146.
> > > Tyler could you please check are we missing these 2 packages?
> >
> > Our latest commit removed the snphost and snpguest tools. We're going to
> > release them in their own packages.
>
> Would snphost and snpguest target in 9.3 too? I've tried the centos mock
> build, snpguest all functions work on a snp enabled VM. Since we have
> enabled snp guest since 9.1, IMO, it's better to have snpguest as soon as
> possible.

Sure, I'll just have to create a package request for it. Will notify when that's completed.
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.
Regression test reports 1 fail. After sevctl-0.4.1-2.el9.x86_64, sevctl ok returns an error when an SNP-capable system doesn't enable SNP. Before, it would all pass. Tyler, could you please check whether this is expected?

# sevctl ok
[ PASS ] - AMD CPU
[ PASS ] - Microcode support
[ PASS ] - Secure Memory Encryption (SME)
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ FAIL ] - Secure Nested Paging (SEV-SNP)
[ SKIP ] - VM Permission Levels
[ SKIP ] - Number of VMPLs
[ PASS ] - Physical address bit reduction: 5
[ PASS ] - C-bit location: 51
[ PASS ] - Number of encrypted guests supported simultaneously: 509
[ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ] - SEV enabled in KVM: enabled
[ PASS ] - SEV-ES enabled in KVM: enabled
[ PASS ] - Reading /dev/sev: /dev/sev readable
[ PASS ] - Writing /dev/sev: /dev/sev writable
[ PASS ] - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
Error: One or more tests in sevctl-ok reported a failure
Verify new functions of sevctl. Tyler, please check the last part, "Failed cases", to see whether the failed cases are bugs. Thanks.

sev-es: sanity test passes except that sevctl ok returns failed, as in comment 12.

Version: sevctl-0.4.1-2.el9.x86_64

Milan:

# sevctl measurement build \
  --api-major 01 --api-minor 53 --build-id 5 \
  --policy 0x07 \
  --tik sev_es_dhcert_tik.bin \
  --firmware /usr/share/edk2/ovmf/OVMF_CODE.fd \
  --num-cpus 4 \
  --vmsa-cpu0 NEW-VMSA0.bin \
  --vmsa-cpu1 NEW-VMSA1.bin \
  --launch-measure-blob sev_es_dhcert_session.b64
K9GWQoy7SlOnfJbZfhqNbG1pxVNU3oUG6Tets09lH645dnRMdThMd2YrSENxb0lrYXkwZUs4Q01raTdaemFNaUhtZ0RHMmFtY1NEdVVEWENyZnJZNER1S0h5MFMzNUgvK2VLUkNwZkRxSFVnSStHODJVcHJtelR1QjJSOE9tTXhDZ2x3Zms2YnNERkNyTTZQNEdRZVR1aGNuWlNiU1RKNTczZVRVSmlNNHJFPQ==

# sevctl secret build \
  --tik sev_es_dhcert_tik.bin \
  --tek sev_es_dhcert_tek.bin \
  --launch-measure-blob sev_es_dhcert_session.b64 \
  --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt \
  secret_header.bin \
  secret_payload.bin
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin

# sevctl show identifier
19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53

# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53?blSPL=03&teeSPL=00&snpSPL=10&ucodeSPL=206

# sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 53,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
        reported_version: TcbVersion {
            bootloader: 3,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 10,
            microcode: 206,
        },
    },
}

Passed cases on Genoa:

# sevctl measurement build --api-major 01 --api-minor 55 --build-id 5 --policy 0x07 --tik sev_es_dhcert_tik.bin --firmware /usr/share/edk2/ovmf/OVMF_CODE.fd --num-cpus 4 --vmsa-cpu0 NEW-VMSA0.bin --vmsa-cpu1 NEW-VMSA1.bin --launch-measure-blob sev_es_dhcert_session.b64
Oj4PgW0K7O42JJtM/N/PeGOb7+zmRc2Kfmr5O2tbQvgvRm1PWkltNmNYQTh6SWl3MXZ3bXpVUXRsMEQwd04zdlFBa3VpQzluV2ZPTy9JNUt5VDNFV2w5SUxrNjVsL3ZRdVN1MnJxZ1BMK0w3MHVWRHB3R04rSjlpK3lMWTNyQUZhb25hYWhDcnVhTFZKT0ZiQU1ka1dBRzRka0NYMDdqRkFZVWtseW1uRlpvPQ==

# sevctl secret build \
  --tik sev_es_dhcert_tik.bin \
  --tek sev_es_dhcert_tek.bin \
  --launch-measure-blob sev_es_dhcert_session.b64 \
  --secret 736869e5-84f0-4973-92ec-06879ce3da0b:secret.txt \
  secret_header.bin \
  secret_payload.bin
Wrote header to: secret_header.bin
Wrote payload to: secret_payload.bin

# sevctl show identifier
06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657

# sevctl show snp-status
SnpStatus {
    build: SnpBuild {
        version: Version {
            major: 1,
            minor: 55,
        },
        build: 5,
    },
    state: Initialized,
    is_rmp_init: true,
    mask_chip_id: false,
    guests: 0,
    tcb: SnpTcbStatus {
        platform_version: TcbVersion {
            bootloader: 7,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 12,
            microcode: 33,
        },
        reported_version: TcbVersion {
            bootloader: 7,
            tee: 0,
            _reserved: [
                0,
                0,
                0,
                0,
            ],
            snp: 12,
            microcode: 33,
        },
    },
}

Failed cases:

On an SNP-capable host (both Milan and Genoa), sevctl show flags should be snp.

# dmesg|grep -i sev
[ 4.750584] SEV-SNP: RMP table physical address 0x0000000025e00000 - 0x00000000566fffff
[ 10.829914] ccp 0000:26:00.1: sev enabled
[ 14.268520] ccp 0000:26:00.1: SEV API:1.53 build:5
[ 14.273324] ccp 0000:26:00.1: SEV-SNP API:1.53 build:5
[ 22.192447] SEV supported: 410 ASIDs
[ 22.196024] SEV-ES and SEV-SNP supported: 99 ASIDs
# sevctl show flags
es

Vcek-url format should be URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the product name should be Genoa, not Milan.

# sevctl show vcek-url
https://kdsintf.amd.com/vcek/v1/Milan/06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL=12&ucodeSPL=33
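The vcek-url mismatch in the failed cases above is what an attestation verifier would trip over, since the VCEK is issued per product. The following is an added example and not sevctl's own code: it composes the KDS VCEK URL from the product name, chip id and TCB values shown in the snp-status output, and checks that the URL's product segment matches the host's product before anything is fetched. The struct and function names are assumptions; the chip ids and TCB numbers are the ones reported in this bug.

```rust
// Added example, not sevctl code: compose and sanity-check the AMD KDS
// VCEK URL that `sevctl show vcek-url` printed above. Field names mirror
// the snp-status output; the URL layout and two-digit SPL zero-padding
// are taken from the URLs in this bug report.

/// TCB components as shown under `reported_version` in `sevctl show snp-status`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TcbVersion {
    pub bootloader: u8,
    pub tee: u8,
    pub snp: u8,
    pub microcode: u8,
}

/// Build the KDS VCEK URL for a chip id and TCB. Each SPL is zero-padded
/// to at least two digits (`blSPL=03`, `ucodeSPL=206`).
pub fn vcek_url(product: &str, chip_id: &str, tcb: &TcbVersion) -> String {
    format!(
        "https://kdsintf.amd.com/vcek/v1/{}/{}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
        product, chip_id, tcb.bootloader, tcb.tee, tcb.snp, tcb.microcode
    )
}

/// Return the `{product_name}` path segment of a KDS VCEK URL, if present.
pub fn url_product(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("https://kdsintf.amd.com/vcek/v1/")?;
    rest.split('/').next().filter(|s| !s.is_empty())
}

/// The VCEK and its certificate chain are issued per product, so a verifier
/// must fetch under the product of the host that signed the report. This is
/// the check that catches a hardcoded "Milan" on a Genoa host.
pub fn check_product(url: &str, host_product: &str) -> Result<(), String> {
    match url_product(url) {
        Some(p) if p == host_product => Ok(()),
        Some(p) => Err(format!("URL names product {} but host is {}", p, host_product)),
        None => Err(String::from("not a KDS VCEK URL")),
    }
}

fn main() {
    // Chip ids and TCB values copied from the Milan and Genoa output above.
    let milan = TcbVersion { bootloader: 3, tee: 0, snp: 10, microcode: 206 };
    println!("{}", vcek_url("Milan", "19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53", &milan));
    let genoa = TcbVersion { bootloader: 7, tee: 0, snp: 12, microcode: 33 };
    // sevctl 0.4.1 hardcoded "Milan"; on the EPYC 9654 (Genoa) host this must be rejected.
    let url = vcek_url("Milan", "06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657", &genoa);
    println!("{:?}", check_product(&url, "Genoa"));
}
```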
Hi Zixi, what is the processor ID of the Genoa machine that you're testing with?
(In reply to Tyler Fanelli from comment #14)
> Hi Zixi, what is the processor ID of the Genoa machine that you're testing
> with?

Genoa: AMD EPYC 9654 96-Core Processor
> Failed cases:
> On SNP capable host(both Milan and Genoa), sevctl show flags should be snp.
> # dmesg|grep -i sev
> [ 4.750584] SEV-SNP: RMP table physical address 0x0000000025e00000 -
> 0x00000000566fffff
> [ 10.829914] ccp 0000:26:00.1: sev enabled
> [ 14.268520] ccp 0000:26:00.1: SEV API:1.53 build:5
> [ 14.273324] ccp 0000:26:00.1: SEV-SNP API:1.53 build:5
> [ 22.192447] SEV supported: 410 ASIDs
> [ 22.196024] SEV-ES and SEV-SNP supported: 99 ASIDs
> # sevctl show flags
> es

No, this command follows the SEV_PLATFORM_STATUS ioctl and its flags. There is no "SNP" flag for this.

> Vcek-url format should be
> URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> product name should be Genoa, not Milan
> # sevctl show vcek-url
> https://kdsintf.amd.com/vcek/v1/Milan/
> 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> =12&ucodeSPL=33

Investigating now.
> Vcek-url format should be
> URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> product name should be Genoa, not Milan
> # sevctl show vcek-url
> https://kdsintf.amd.com/vcek/v1/Milan/
> 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> =12&ucodeSPL=33

I think we should remove this altogether, as it was put in before snphost was created (and before Genoa was online, so "Milan" was hardcoded in the string). Finding a VCEK URL is SEV-SNP specific, and thus is more suited for snphost.
(In reply to zixchen from comment #12)
> Regression test reports 1 fail. After sevctl-0.4.1-2.el9.x86_64 sevctl ok
> will return error when supporting SNP system doesn't enable SNP. Before it
> will all pass. Tyler could you please check is this expected?
> # sevctl ok
> [ PASS ] - AMD CPU
> [ PASS ] - Microcode support
> [ PASS ] - Secure Memory Encryption (SME)
> [ PASS ] - Secure Encrypted Virtualization (SEV)
> [ PASS ] - Encrypted State (SEV-ES)
> [ FAIL ] - Secure Nested Paging (SEV-SNP)
> [ SKIP ] - VM Permission Levels
> [ SKIP ] - Number of VMPLs
> [ PASS ] - Physical address bit reduction: 5
> [ PASS ] - C-bit location: 51
> [ PASS ] - Number of encrypted guests supported simultaneously: 509
> [ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
> [ PASS ] - SEV enabled in KVM: enabled
> [ PASS ] - SEV-ES enabled in KVM: enabled
> [ PASS ] - Reading /dev/sev: /dev/sev readable
> [ PASS ] - Writing /dev/sev: /dev/sev writable
> [ PASS ] - Page flush MSR: ENABLED
> [ PASS ] - KVM supported: API version: 12
> [ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
> Error: One or more tests in sevctl-ok reported a failure

Tyler, could you please also check this?
(In reply to Tyler Fanelli from comment #17)
> > Vcek-url format should be
> > URL=https://kdsintf.amd.com/vcek/v1/{product_name}/crl. On Genoa, the
> > product name should be Genoa, not Milan
> > # sevctl show vcek-url
> > https://kdsintf.amd.com/vcek/v1/Milan/
> > 06503099CAF846EC9ADD8BC419ED84071B968CC01F218A25B2534D33DD91B082B12E45830D1AA
> > 2BEA481383FAA4110984BD8E8058487303D60FAB9A363E32657?blSPL=07&teeSPL=00&snpSPL
> > =12&ucodeSPL=33
>
> I think we should remove this altogether, as it was put in before snphost
> was created (and before Genoa was online, so "Milan" was hardcoded in the
> string). Finding a VCEK URL is SEV-SNP specific, and thus is more suited for
> snphost.

From the QE side, it is ok to support sevctl snphost functions when we enable SNP host, but the decision should be consistent with the other sevctl SNP host commands on Milan and Genoa. I just have one concern about Genoa: Genoa has already launched to market. When you mentioned "before Genoa online", does Genoa have other things not ready?
(In reply to zixchen from comment #18)
> (In reply to zixchen from comment #12)
> > Regression test reports 1 fail. After sevctl-0.4.1-2.el9.x86_64 sevctl ok
> > will return error when supporting SNP system doesn't enable SNP. Before it
> > will all pass. Tyler could you please check is this expected?
> > # sevctl ok
> > [ PASS ] - AMD CPU
> > [ PASS ] - Microcode support
> > [ PASS ] - Secure Memory Encryption (SME)
> > [ PASS ] - Secure Encrypted Virtualization (SEV)
> > [ PASS ] - Encrypted State (SEV-ES)
> > [ FAIL ] - Secure Nested Paging (SEV-SNP)
> > [ SKIP ] - VM Permission Levels
> > [ SKIP ] - Number of VMPLs
> > [ PASS ] - Physical address bit reduction: 5
> > [ PASS ] - C-bit location: 51
> > [ PASS ] - Number of encrypted guests supported simultaneously: 509
> > [ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
> > [ PASS ] - SEV enabled in KVM: enabled
> > [ PASS ] - SEV-ES enabled in KVM: enabled
> > [ PASS ] - Reading /dev/sev: /dev/sev readable
> > [ PASS ] - Writing /dev/sev: /dev/sev writable
> > [ PASS ] - Page flush MSR: ENABLED
> > [ PASS ] - KVM supported: API version: 12
> > [ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
> > Error: One or more tests in sevctl-ok reported a failure
>
> Tyler could you please also check this?

If a host system doesn't support ALL of the sevctl-ok checks, we would want to indicate that to a user via an error message. This is intended.
Regarding the vcek-url test, I've removed that subcommand (i.e. it was moved to snphost instead) and rebased to 0.4.2. The build succeeded here: https://gitlab.com/redhat/centos-stream/rpms/sevctl/-/merge_requests/25
Build complete: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=2630874
Correction to comment 26: the sevctl version should be sevctl-0.4.2-1.el9.

Verified with sevctl-0.4.2-1.el9.x86_64: the regression test passes and the SNP host functions are removed.

Version: sevctl-0.4.2-1.el9.x86_64

Steps: please check the attached test log.

# sevctl show identifier
19CC95980B305B6DB7C8B7C435A093656E215FEE00D3EC171400CE234562D2FAAAFB28B46236266947A52F081D0FD06161936D6F2B200511D954B71DF5705E53

sevctl vcek-url and snp-status are removed.

Result: No issue found.
Change status to verified, please check test result in comment 27.