Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sevctl for openSUSE:Factory checked in at 2023-03-15 18:54:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sevctl (Old) and /work/SRC/openSUSE:Factory/.sevctl.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sevctl" Wed Mar 15 18:54:28 2023 rev:4 rq:1071848 version:0.3.2+git.255d370 Changes: -------- --- /work/SRC/openSUSE:Factory/sevctl/sevctl.changes 2023-02-16 16:56:45.746918992 +0100 +++ /work/SRC/openSUSE:Factory/.sevctl.new.31432/sevctl.changes 2023-03-15 18:54:44.760459456 +0100 @@ -1,0 +2,10 @@ +Tue Mar 14 15:25:33 UTC 2023 - Caleb Crane <caleb.cr...@suse.com> + +- Update to v0.3.2 + git commit 255d370 + dependency: Enable vendored feature for openssl + Add show commands for identifier, SNP status and VCEK URL. + readme: Add some basic provisioning instructions + Update sev library to version 1.1.0 + ok: Find singular model and family on processor ID + +------------------------------------------------------------------- Old: ---- sevctl-0.3.2+git.e37c4d6.tar.xz New: ---- sevctl-0.3.2+git.255d370.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sevctl.spec ++++++ --- /var/tmp/diff_new_pack.THbs4e/_old 2023-03-15 18:54:45.516463478 +0100 +++ /var/tmp/diff_new_pack.THbs4e/_new 2023-03-15 18:54:45.524463520 +0100 @@ -17,7 +17,7 @@ Name: sevctl -Version: 0.3.2+git.e37c4d6 +Version: 0.3.2+git.255d370 Release: 0 Summary: Administrative utility for AMD SEV Group: Development/Libraries/Rust ++++++ _service ++++++ --- /var/tmp/diff_new_pack.THbs4e/_old 2023-03-15 18:54:45.552463669 +0100 +++ /var/tmp/diff_new_pack.THbs4e/_new 2023-03-15 18:54:45.556463691 +0100 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/virtee/sevctl.git</param> <param name="scm">git</param> <param name="filename">sevctl</param> - <param name="revision">e37c4d6868b8144b547ade68eff6062771c67eb0</param> + <param name="revision">255d370</param> <param name="version">0.3.2</param> <param name="versionformat">0.3.2+git.%h</param> </service> ++++++ sevctl-0.3.2+git.e37c4d6.tar.xz -> sevctl-0.3.2+git.255d370.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/Cargo.lock new/sevctl-0.3.2+git.255d370/Cargo.lock --- old/sevctl-0.3.2+git.e37c4d6/Cargo.lock 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/Cargo.lock 2023-03-03 04:21:10.000000000 +0100 @@ -276,9 +276,9 @@ [[package]] name = "kvm-ioctls" -version = "0.11.0" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97422ba48d7ffb66fd4d18130f72ab66f9bbbf791fb7a87b9291cdcfec437593" +checksum = "b8f8dc9c1896e5f144ec5d07169bc29f39a047686d29585a91f30489abfaeb6b" dependencies = [ "kvm-bindings", "libc", @@ -375,6 +375,15 @@ checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" [[package]] +name = "openssl-src" +version = "111.25.0+1.1.1t" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3173cd3626c43e3854b1b727422a276e568d9ec5fe8cec197822cf52cfb743d6" +dependencies = [ + "cc", +] + +[[package]] name = "openssl-sys" version = "0.9.73" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -383,6 +392,7 @@ "autocfg", "cc", "libc", + "openssl-src", "pkg-config", "vcpkg", ] 
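Review bot: The `<param name="revision">` pin is weakened from the full 40-character commit id to the 7-character abbreviation `255d370`; an abbreviated id is not a stable identifier, it can become ambiguous as the upstream repository grows, and it does not let a reviewer verify that the fetched tree is the one that was audited. The full id is already recorded in this same submission in sevctl.obsinfo as `commit: 255d370900f6c48fc50464fda4a03afe91286c0e`, so the service file can carry it unchanged: `<param name="revision">255d370900f6c48fc50464fda4a03afe91286c0e</param>`. The displayed version string is unaffected because `versionformat` already abbreviates with `%h`.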
@@ -576,10 +586,11 @@ [[package]] name = "sev" -version = "1.0.1" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "343ca80f0f064f0f293a6066e81c2977e819e909b348634701ab8fe4304e7749" +checksum = "a8c8ec2a5131be61bba9ffad92aead45bd27805c9701d265b7196d4914299b98" dependencies = [ + "bincode", "bitfield", "bitflags", "codicon", @@ -591,6 +602,7 @@ "serde-big-array", "serde_bytes", "static_assertions", + "uuid", ] [[package]] @@ -758,9 +770,9 @@ [[package]] name = "uuid" -version = "1.1.2" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f" +checksum = "1674845326ee10d37ca60470760d4288a6f80f304007d92e5c53bab78c9cfd79" [[package]] name = "vcpkg" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/Cargo.toml new/sevctl-0.3.2+git.255d370/Cargo.toml --- old/sevctl-0.3.2+git.e37c4d6/Cargo.toml 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/Cargo.toml 2023-03-03 04:21:10.000000000 +0100 @@ -22,7 +22,7 @@ is-it-maintained-open-issues = { repository = "virtee/sevctl" } [dependencies] -sev = { version = "1.0.1", features = ["openssl"] } +sev = { version = "1.1.0", features = ["openssl"] } serde = { version = "1.0", features = ["derive"] } # serde_json is just for the example, not required in general serde_json = "1.0" @@ -35,7 +35,7 @@ native-tls = "0.2" url = "2.2" base64 = "0.13.0" -openssl = "0.10" +openssl = { version = "0.10", features = ["vendored"] } uuid = "1.1.2" anyhow = "1.0.57" log = "0.4" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/README.md new/sevctl-0.3.2+git.255d370/README.md --- old/sevctl-0.3.2+git.e37c4d6/README.md 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/README.md 2023-03-03 04:21:10.000000000 +0100 
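Review bot: Enabling `features = ["vendored"]` on `openssl` makes the package build compile and statically link its own copy of OpenSSL (the lock file now adds `openssl-src` 111.25.0+1.1.1t as a dependency of `openssl-sys`) instead of linking the distribution's libopenssl, so OpenSSL security updates shipped by the distribution no longer reach the sevctl binary and the bundled copy needs its own update tracking. For a distro package this deserves an explicit decision rather than an inherited upstream default: either build without the feature so `openssl-sys` links the system library, or record in the changelog why the bundled copy is required and how it will be kept patched. The changed `vendor.tar.xz` at the end of this submission presumably now carries the OpenSSL sources as well, which also enlarges the audited surface of the vendored tree.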
@@ -8,6 +8,21 @@ `sevctl` is a command line utility for managing the AMD Secure Encrypted Virtualization (SEV) platform. It currently supports the entire management API for the Naples generation of processors. +In order to provision a new server using a self-signed Owner's Certificate +Authority (OCA), you would typically perform a sequence similar to: + +```console +$ sevctl generate oca.cert oca.key +$ sevctl provision oca.cert oca.key +$ sevctl export --full /opt/sev/cert_chain.cert +``` + +After these steps, running the `sevctl verify` subcommand should show the whole +certificate chain, and `sevctl show flags` should indicate that the platform is +`owned`. Note that you can only provision once. Should you need to re-provision, +you will need to use `sevctl reset` first. + + ## Usage ### help diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/docs/sevctl.1.adoc new/sevctl-0.3.2+git.255d370/docs/sevctl.1.adoc --- old/sevctl-0.3.2+git.e37c4d6/docs/sevctl.1.adoc 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/docs/sevctl.1.adoc 2023-03-03 04:21:10.000000000 +0100 
@@ -112,11 +112,14 @@ *sevctl show*:: usage: sevctl show [flags || guests] - This command describes the state of the SEV platform. There are two + This command describes the state of the SEV platform. There are several platform details to describe: - SEV platform flags: sevctl show flags - SEV guest inforation: sevctl show guests + SEV platform flags: sevctl show flags + SEV guest inforation: sevctl show guests + SEV platform identifier: sevctl show identifier + SEV SNP status: sevctl show snp-status + SEV SNP VCEK URL: sevctl show veck-url options: -h, --help Show a help message diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/src/main.rs new/sevctl-0.3.2+git.255d370/src/main.rs --- old/sevctl-0.3.2+git.e37c4d6/src/main.rs 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/src/main.rs 2023-03-03 04:21:10.000000000 +0100 @@ -16,7 +16,10 @@ use codicon::*; use ::sev::certs::*; -use ::sev::firmware::host::{types::Status, Firmware, PlatformStatusFlags}; +use ::sev::firmware::host::{ + types::{PlatformStatusFlags, SnpStatus, Status}, + Firmware, +}; use ::sev::Generation; use std::fs::File; @@ -186,6 +189,13 @@ .context("unable to fetch platform status") } +fn snp_platform_status() -> Result<SnpStatus> { + firmware()? + .snp_platform_status() + .map_err(|e| anyhow::anyhow!(format!("{:?}", e))) + .context("unable to fetch snp platform status") +} + fn chain() -> Result<sev::Chain> { const CEK_SVC: &str = "https://kdsintf.amd.com/cek/id"; @@ -270,6 +280,15 @@ #[structopt(about = "Show the current number of guests")] Guests, + #[structopt(about = "Show the platform identifier")] + Identifier, + + #[structopt(about = "Show the SNP platform status")] + SnpStatus, + + #[structopt(about = "Show the VCEK DER download URL")] + VcekUrl, + #[structopt(about = "Show the platform's firmware version")] Version, } 
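Review bot: In the new `snp_platform_status` function, `.map_err(|e| anyhow::anyhow!(format!("{:?}", e)))` builds a `String` only to pass it to a macro that already takes format arguments; `.map_err(|e| anyhow::anyhow!("{:?}", e))` does the same with one allocation less and reads as intended. The same pattern is repeated in the `Show::Identifier` and `Show::VcekUrl` arms of the next hunk. The function would also benefit from a one-line doc comment distinguishing it from the neighbouring non-SNP status helper, e.g. `/// Query the SNP-specific platform status from the SEV firmware device.`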
@@ -280,6 +299,26 @@ match show { Show::Version => println!("{}", status.build), Show::Guests => println!("{}", status.guests), + Show::Identifier => { + let id = firmware()? + .get_identifier() + .map_err(|e| anyhow::anyhow!(format!("{:?}", e))) + .context("error fetching identifier")?; + println!("{}", id); + } + Show::SnpStatus => { + let snp_status = snp_platform_status()?; + println!("{:#?}", snp_status); + } + Show::VcekUrl => { + let id = firmware()? + .get_identifier() + .map_err(|e| anyhow::anyhow!(format!("{:?}", e))) + .context("error fetching identifier")?; + let snp_status = snp_platform_status()?; + println!("https://kdsintf.amd.com/vcek/v1/Milan/{}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}", + id, snp_status.tcb.platform_version.bootloader, snp_status.tcb.platform_version.tee, snp_status.tcb.platform_version.snp, snp_status.tcb.platform_version.microcode); + } Show::Flags => { for f in [ PlatformStatusFlags::OWNED, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sevctl-0.3.2+git.e37c4d6/src/ok.rs new/sevctl-0.3.2+git.255d370/src/ok.rs --- old/sevctl-0.3.2+git.e37c4d6/src/ok.rs 2023-01-24 20:51:41.000000000 +0100 +++ new/sevctl-0.3.2+git.255d370/src/ok.rs 2023-03-03 04:21:10.000000000 +0100 
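Review bot: The `Show::VcekUrl` arm hard-codes `Milan` as the product segment of the KDS path (`https://kdsintf.amd.com/vcek/v1/Milan/...`), while the ok.rs change in this same submission explicitly distinguishes Naples, Rome, Milan and Genoa; on a non-Milan host the printed URL would request a certificate for the wrong product, and a chain fetched from it is unlikely to validate against that host's attestation reports. The product name should be derived from the detected processor generation, or the command should refuse to print a URL when the generation is not Milan; at minimum a comment such as `// TODO: the KDS product path is generation specific; only Milan is handled here` makes the limitation visible to operators. The `Show::Identifier` and `Show::VcekUrl` arms also duplicate the `firmware()?.get_identifier()...` chain, which could become an `identifier()` helper next to `snp_platform_status()`. Note that the man page hunk in this submission documents the subcommand as `sevctl show veck-url`, which does not match the `VcekUrl` variant added here. The enclosing `match` and its function continue outside the hunk.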
@@ -36,19 +36,27 @@
// Get the SEV generation of the processor currently running on the machine.
// To do this, we execute a CPUID (label 0x80000001) and read the EAX
// register as an array of bytes (each byte representing 8 bits of a 32-bit
- // value, thus the array is 4 bytes long). The formatting for this value is
+ // value, thus the array is 4 bytes long). The formatting for these values is
// as follows:
//
- // Base model: 4:7
- // Base family: 8:11
- // Extended model: 16:19
- // Extended family: 20:27
- //
- // Extract the bit values from the array, and compare them with known base
- // model, base family, extended model, and extended family values for each
- // SEV generation. Then, compare the values and return a SEV generation if
- // its values match.
+ // Base model: bits 4:7
+ // Base family: bits 8:11
+ // Extended model: bits 16:19
+ // Extended family: bits 20:27
//
+ // Extract the bit values from the array, and use them to calculate the MODEL
+ // and FAMILY of the processor.
+ //
+ // The family calculation is as follows:
+ //
+ // FAMILY = Base family + Extended family
+ //
+ // The model calculation is a follows:
+ //
+ // MODEL = Base model | (Extended model << 4)
+ //
+ // Compare these values with the models and families of known processor generations to
+ // determine which generation the current processor is a part of.
fn current() -> Result<Self> {
let cpuid = unsafe { x86_64::__cpuid(0x8000_0001) };
let bytes: Vec<u8> = cpuid.eax.to_le_bytes().to_vec();
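Review bot: The formula `FAMILY = Base family + Extended family` in the new comment (and the matching `base_family + ext_family` in the next hunk) is only the CPUID rule for a base family field of 0xF; for other base family values the extended family is not added and the extended model field is not used. Every generation this code recognises has base family 0xF, so the result is correct for them, but the comment should state that assumption so the formula is not reused for other parts, e.g. `// NOTE: the extended family/model fields only apply when the base family is 0xF, which holds for every SEV-capable generation listed below.` The phrase `is a follows` should read `is as follows`. `current()` continues past the end of the hunk.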
@@ -65,12 +73,15 @@
low | high
};

- let id = (base_model, ext_model, base_family, ext_family);
+ let model = (ext_model << 4) | base_model;
+ let family = base_family + ext_family;
+
+ let id = (model, family);

- let naples = (0x1, 0x0, 0xf, 0x8);
- let rome = (0x1, 0x3, 0xf, 0x8);
- let milan = (0x1, 0x0, 0xf, 0xa);
- let genoa = (0x1, 0x1, 0xf, 0xa);
+ let naples = (1, 23);
+ let rome = (49, 23);
+ let milan = (1, 25);
+ let genoa = (17, 25);

if id == naples {
return Ok(SevGeneration::Sev);
++++++ sevctl.obsinfo ++++++
--- /var/tmp/diff_new_pack.THbs4e/_old 2023-03-15 18:54:45.652464201 +0100
+++ /var/tmp/diff_new_pack.THbs4e/_new 2023-03-15 18:54:45.652464201 +0100
@@ -1,5 +1,5 @@
name: sevctl
-version: 0.3.2+git.e37c4d6
-mtime: 1674589901
-commit: e37c4d6868b8144b547ade68eff6062771c67eb0
+version: 0.3.2+git.255d370
+mtime: 1677813670
+commit: 255d370900f6c48fc50464fda4a03afe91286c0e
++++++ vendor.tar.xz ++++++
/work/SRC/openSUSE:Factory/sevctl/vendor.tar.xz /work/SRC/openSUSE:Factory/.sevctl.new.31432/vendor.tar.xz differ: char 27, line 1
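Review bot: The generation table is rewritten in decimal, `(49, 23)`, `(17, 25)`, whereas the previous version of this code and the vendor's processor documentation identify parts in hex (family 17h/19h, model 31h/11h); spelling the tuples as `(0x31, 0x17)` and `(0x11, 0x19)` keeps them directly comparable with those tables and lowers the chance of a transcription slip when a new generation is added. Named constants would make the `if id == naples` chain read as a lookup rather than a set of magic pairs. The assumption behind `base_family + ext_family` is raised at the previous hunk; `current()` starts before and continues after this hunk.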