virtee / sevctl
Administrative utility for AMD SEV
License: Apache License 2.0
I was using the sevctl ok command to check if SEV is enabled in the BIOS and the output below suggests that it is; however, a dmesg message says otherwise: ccp 0000:24:00.1: SEV: memory encryption not enabled by BIOS. I am wondering if the kernel ccp and sevctl are using different methods to check if SEV is enabled in the BIOS.
I think the SEV-SNP check may also have issues because it is returning PASS, but this AMD Milan system has hardware support only for SEV and SEV-ES, and AFAIK they were not enabled in the BIOS.
The system is running RHEL 8.7 (kernel 4.18.0) and sevctl-0.3.0.
[cclaudio@milan ~]$ sudo sevctl ok
[ PASS ] - AMD CPU
[ PASS ] - Microcode support
[ PASS ] - Secure Memory Encryption (SME)
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ PASS ] - Secure Nested Paging (SEV-SNP)
[ PASS ] - VM Permission Levels
[ PASS ] - Number of VMPLs: 4
[ PASS ] - Physical address bit reduction: 5
[ PASS ] - C-bit location: 51
[ PASS ] - Number of encrypted guests supported simultaneously: 509
[ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 1
[ FAIL ] - SEV enabled in KVM: Error - contents read from /sys/module/kvm_amd/parameters/sev: N
[ FAIL ] - Reading /dev/sev: /dev/sev not readable: No such file or directory (os error 2)
[ FAIL ] - Writing /dev/sev: /dev/sev not writable: No such file or directory (os error 2)
[ PASS ] - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
[ PASS ] - Memlock resource limit: Soft: 65536 | Hard: 65536
error: One or more tests in sevctl-ok reported a failure
[cclaudio@milan ~]$
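The two checks in the report above can legitimately disagree because they look at different things. CPUID Fn8000_001F describes what the silicon can do (the field values printed by sevctl ok line up with that leaf, which is an assumption here, not a statement about sevctl's source), while the Linux kernel decides whether memory encryption is enabled from the SYSCFG MSR: when bit 23 (MemEncryptionModEn) is clear, early CPU setup drops the SME/SEV/SEV-ES feature flags and the ccp driver logs "SEV: memory encryption not enabled by BIOS". The program below is an added example written for this page, not code from sevctl; it reads both sources so they can be compared on one machine. Reading /dev/cpu/N/msr requires root and the msr kernel module, and the verdict function is this example's own logic, not the kernel's.

```rust
// Added example (not sevctl code): compare the CPUID view of memory
// encryption (hardware capability) with the SYSCFG MSR view (BIOS enablement).
use std::fs::File;
use std::io::{Read, Seek, SeekFrom};

/// Decoded CPUID Fn8000_001F, the AMD encrypted-memory capabilities leaf.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MemEncryptLeaf {
    pub sme: bool,                 // EAX[0]  Secure Memory Encryption
    pub sev: bool,                 // EAX[1]  Secure Encrypted Virtualization
    pub page_flush_msr: bool,      // EAX[2]  VM Page Flush MSR present
    pub sev_es: bool,              // EAX[3]  SEV Encrypted State
    pub sev_snp: bool,             // EAX[4]  SEV Secure Nested Paging
    pub vmpl: bool,                // EAX[5]  VM Permission Levels
    pub cbit_position: u32,        // EBX[5:0]   page-table bit used as the C-bit
    pub phys_addr_reduction: u32,  // EBX[11:6]  physical address bits lost to encryption
    pub num_vmpl: u32,             // EBX[15:12] number of VMPLs
    pub max_encrypted_guests: u32, // ECX        simultaneously encrypted guests (ASIDs)
    pub min_sev_asid: u32,         // EDX        minimum ASID for SEV (non-ES) guests
}

pub fn decode_leaf(eax: u32, ebx: u32, ecx: u32, edx: u32) -> MemEncryptLeaf {
    let bit = |v: u32, n: u32| (v >> n) & 1 == 1;
    MemEncryptLeaf {
        sme: bit(eax, 0),
        sev: bit(eax, 1),
        page_flush_msr: bit(eax, 2),
        sev_es: bit(eax, 3),
        sev_snp: bit(eax, 4),
        vmpl: bit(eax, 5),
        cbit_position: ebx & 0x3f,
        phys_addr_reduction: (ebx >> 6) & 0x3f,
        num_vmpl: (ebx >> 12) & 0xf,
        max_encrypted_guests: ecx,
        min_sev_asid: edx,
    }
}

/// SYSCFG MSR; bit 23 (MemEncryptionModEn) is the bit firmware sets when
/// memory encryption is enabled in the BIOS. Linux clears the SME/SEV/SEV-ES
/// feature flags when it is clear, which is what the ccp message reflects.
pub const MSR_AMD64_SYSCFG: u64 = 0xC001_0010;
pub const SYSCFG_MEM_ENCRYPT: u64 = 1 << 23;

pub fn bios_enabled_mem_encrypt(syscfg: u64) -> bool {
    syscfg & SYSCFG_MEM_ENCRYPT != 0
}

/// Read one MSR through the msr driver (root plus `modprobe msr`).
pub fn read_msr(cpu: u32, msr: u64) -> std::io::Result<u64> {
    let mut f = File::open(format!("/dev/cpu/{}/msr", cpu))?;
    f.seek(SeekFrom::Start(msr))?;
    let mut buf = [0u8; 8];
    f.read_exact(&mut buf)?;
    Ok(u64::from_le_bytes(buf))
}

/// Raw CPUID view: what the silicon supports, independent of BIOS settings.
#[cfg(target_arch = "x86_64")]
pub fn read_leaf() -> Option<MemEncryptLeaf> {
    use core::arch::x86_64::__cpuid;
    // Confirm the extended leaf exists before querying it.
    if unsafe { __cpuid(0x8000_0000) }.eax < 0x8000_001F {
        return None;
    }
    let r = unsafe { __cpuid(0x8000_001F) };
    Some(decode_leaf(r.eax, r.ebx, r.ecx, r.edx))
}

#[cfg(not(target_arch = "x86_64"))]
pub fn read_leaf() -> Option<MemEncryptLeaf> {
    None
}

/// This example's own combined verdict: SEV is usable only when the CPU
/// advertises it and the BIOS has set MemEncryptionModEn.
pub fn sev_usable(leaf: &MemEncryptLeaf, syscfg: u64) -> Result<(), &'static str> {
    if !leaf.sev {
        return Err("CPU does not advertise SEV in CPUID Fn8000_001F");
    }
    if !bios_enabled_mem_encrypt(syscfg) {
        return Err("hardware supports SEV but SYSCFG.MemEncryptionModEn is clear: enable SME/SEV in the BIOS");
    }
    Ok(())
}

fn main() {
    let leaf = read_leaf();
    match &leaf {
        Some(l) => println!("CPUID Fn8000_001F: {:#?}", l),
        None => println!("CPUID Fn8000_001F not present (not an x86-64 AMD CPU?)"),
    }
    match read_msr(0, MSR_AMD64_SYSCFG) {
        Ok(v) => {
            println!("SYSCFG = {:#x}, MemEncryptionModEn = {}", v, bios_enabled_mem_encrypt(v));
            if let Some(l) = &leaf {
                match sev_usable(l, v) {
                    Ok(()) => println!("SEV enabled by hardware and BIOS"),
                    Err(why) => println!("SEV not usable: {}", why),
                }
            }
        }
        Err(e) => println!("cannot read SYSCFG via /dev/cpu/0/msr (root + `modprobe msr` needed): {}", e),
    }
}
```

On a host like the one in the report, the CPUID leaf can show every capability bit set while SYSCFG bit 23 is clear, which is exactly the combination where a CPUID-only check passes and the kernel reports memory encryption as not enabled by the BIOS.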
Currently in the tests there is a pass/fail check for the VM Page Flush MSR at 0x8000001F_EAX[2]. This should be treated more as an enabled/disabled flag than a pass/fail flag.
Hi there.
I was trying to write a KBS in Golang. However, when trying it with SEV and QEMU I got a "bad measurement" error from SEV. It seems that SEV cannot validate the WRAP_MAC with my godh and launch_blob files. I tried to learn from your repo but I don't know much about Rust. So could you please tell me your launch_blob format? Is it the same as the LAUNCH_START Session Data Buffer specified in the SEV API specification (Table 45)? Is it little-endian or big-endian formatted?
Best regards
I have successfully installed sevctl and provisioned the OCA by following these instructions:
$ sevctl generate oca.cert oca.key
$ sevctl provision oca.cert oca.key
$ sevctl export --full /opt/sev/cert_chain.cert
The sevctl verify command executes well:
~/opt/sev ❯ sevctl verify --sev cert_chain.cert
PDH EP384 D256 3a1cd0a787bf1b951730b1689f5417b39833eccd408b0978d657cb118518a486
⬑ PEK EP384 E256 71953375e148a693e0785bdaeb13404ca40eaae4e6b477292e19417a8d1bf21d
•⬑ OCA EP384 E256 2b13c5a6ba06e0d6f3375e9d5d1c3709b69461ae0f011d2689e1193af869c48e
⬑ CEK EP384 E256 d80941025278e9efcc43143571710152e3978630429e2a105f2ea718e3f686db
⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
•⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737
• = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs
My question is: can I export/extract a specific cert, like ark_ask_cert, pek_cert, cek_cert, or pdh_cert? Does the current sevctl support it? It seems like the deprecated repo sevtool has related support, although I haven't tried that.
sevctl export doesn't create the certificate file if the base directory doesn't exist:
$ sudo ./sevctl export --full /opt/sev/cert_chain.cert
error: unable to create output file
It works if I create /opt/sev beforehand.
Even if it works as designed, I think the error message could be clearer.
I am thinking there is a better way for us to identify the models supported. We should discuss this more in-depth so we can iron out a less brittle approach.
For me to build sevctl on Ubuntu I had to install the following OS packages:
sudo apt install -y pkg-config libssl-dev asciidoctor
And then I could build using the following command:
cargo build
As SEV-SNP becomes more widely used, we've noticed that most commands currently in sevctl would not be useful for SNP. I currently see 2 options for the future:
Option 1:
sevctl **sev** measurement ... // For SEV(-ES) commands
sevctl **snp** measurement ... // For SNP commands
Option 2:
**sevctl** measurement ... // For SEV(-ES) commands
**snpctl** measurement ... // For SNP commands
@crobinso What do you think?
Running sevctl export fails with HTTP 400:
# sevctl export --full /opt/sev/cert_chain.cert
error: final http request failed: Status(400, Response { status: 400, headers: {"date": "Tue, 27 Sep 2022 08:16:59 GMT", "content-type": "text/html;charset=ISO-8859-1", "content-length": "25", "set-cookie": "JSESSIONID=BF211667273C8442B60BFF9856368DD3; Path=/cek; Secure; HttpOnly", "connection": "close", "": ""}, body: [13, 10, 13, 10, 13, 10, 52, 48, 48, 13, 10, 45, 13, 10, 66, 97, 100, 32, 82, 101, 113, 117, 101, 115, 116] })
caused by: http request #1 failed: Response { status: 400, headers: {"content-length": "25", "": "", "content-type": "text/html;charset=ISO-8859-1", "set-cookie": "JSESSIONID=B96B8FA7F1DD7CF8A6BA36E2602D24AF; Path=/cek; Secure; HttpOnly", "date": "Tue, 27 Sep 2022 08:16:44 GMT", "connection": "close"}, body: [13, 10, 13, 10, 13, 10, 52, 48, 48, 13, 10, 45, 13, 10, 66, 97, 100, 32, 82, 101, 113, 117, 101, 115, 116] }; http request #2 failed: Response { status: 400, headers: {"date": "Tue, 27 Sep 2022 08:16:49 GMT", "content-type": "text/html;charset=ISO-8859-1", "connection": "close", "": "", "set-cookie": "JSESSIONID=36115A083C50C75DDA3E74DFD20DA589; Path=/cek; Secure; HttpOnly", "content-length": "25"}, body: [13, 10, 13, 10, 13, 10, 52, 48, 48, 13, 10, 45, 13, 10, 66, 97, 100, 32, 82, 101, 113, 117, 101, 115, 116] }; http request #3 failed: Response { status: 400, headers: {"content-length": "25", "connection": "close", "": "", "set-cookie": "JSESSIONID=860A83BB61210C249C6497BB964AC2DA; Path=/cek; Secure; HttpOnly", "content-type": "text/html;charset=ISO-8859-1", "date": "Tue, 27 Sep 2022 08:16:54 GMT"}, body: [13, 10, 13, 10, 13, 10, 52, 48, 48, 13, 10, 45, 13, 10, 66, 97, 100, 32, 82, 101, 113, 117, 101, 115, 116] }
The decoded chain boils down to:
400
-
Bad Request
I started a SEV-SNP VM (using https://github.com/AMDESE/AMDSEV); now I want to precalculate the measurement value of the attestation report, but I'm not sure which parameters should be provided to the sevctl measurement build command for --tik and --launch-measure-blob. What are these attributes?
The --full flag is missing from the documentation.