Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-7570

virt-qemu-sev-validate broken when providing --cpu-family/model/stepping without --loader

XMLWordPrintable

    • libvirt-10.0.0-1.el9
    • None
    • Moderate
    • rhel-sst-virtualization
    • ssg_virtualization
    • 20
    • 27
    • None
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • If docs needed, set a value
    • Unspecified
    • 10.0.0
    • None

      Description of problem:
      The following command line should validate a SEV guest, overriding the CPU model/stepping/family that are otherwise extracted from libvirt.

      1. virt-qemu-sev-validate --tik sev_es_dhcert_tik.bin --tek sev_es_dhcert_tek.bin --domain berrange --insecure --debug --cpu-model 1 --cpu-family 25 --cpu-stepping 1
        [DEBUG]: TIK(hex): 5802c018ba97b67cffb6e4634e613727
        [DEBUG]: TEK(hex): 5e766810c034d98345946884483198f0
        File "/usr/bin/virt-qemu-sev-validate", line 1301, in main
        attest(args)
        File "/usr/bin/virt-qemu-sev-validate", line 1262, in attest
        cvm.build_vmsas(args.cpu_family,
        File "/usr/bin/virt-qemu-sev-validate", line 713, in build_vmsas
        ovmf.load(self.firmware)
        File "/usr/bin/virt-qemu-sev-validate", line 469, in load
        actual = content[-48:-32]
        ERROR: 'NoneType' object is not subscriptable

      The failure is because when --cpu-family/model/stepping args are provided in combination with --domain, we try to build the VMSA before we've acquired the firmware.

      Adding --firmware to the above args is a workaround

      1. virt-qemu-sev-validate --tik sev_es_dhcert_tik.bin --tek sev_es_dhcert_tek.bin --domain berrange --insecure --debug --cpu-model 1 --cpu-family 25 --cpu-stepping 1 --firmware /usr/share/edk2/ovmf/OVMF.amdsev.fd
        [DEBUG]: Firmware(sha256): 906a0dcb21704b36758493a7e29b6f4102f50fd0dd800a04742c0f69f3ed6e19
        [DEBUG]: TIK(hex): 5802c018ba97b67cffb6e4634e613727
        [DEBUG]: TEK(hex): 5e766810c034d98345946884483198f0
        [DEBUG]: VMSA CPU 0(sha256): f8b52f775502472e5797d2674d9de21f6abc05dc05e9bc49cbb7b6a13688d5e7
        [DEBUG]: VMSA CPU 1(sha256): bcee5cb289f72882da17abd8dca5e8a7e9f8e2033e7ad96b4db0ab1a383a6487
        [DEBUG]: VM: id=1 name=berrange uuid=99999999-7f0d-44c3-abee-eb1424bb23e7
        [DEBUG]: VMSA(sha256): 0e5246de248812527b171d60d6851f37875ac4b22063f73f4e56d0dc4546d192
        [DEBUG]: Measured-data(sha256): 4a470ecd611f292e0e168828688c9d24539a05131a96ce092397a74c1cbad0d2
        [DEBUG]: Measured-msg(hex): 04013705070000004a470ecd611f292e0e168828688c9d24539a05131a96ce092397a74c1cbad0d2233e47003f79b80fa1177bfe04195f92
        [DEBUG]: Measurement reported(hex): aa0b21bb54bab669025cdefa744c2026ccdae77e9ac25196e0530bb7eb84b353
        [DEBUG]: Measurement computed(hex): aa0b21bb54bab669025cdefa744c2026ccdae77e9ac25196e0530bb7eb84b353
        OK: Looks good to me

      Version-Release number of selected component (if applicable):
      libvirt-client-qemu-9.5.0-5.el9.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      1. Use virt-qemu-sev-validate with --domain and --cpu-family/model/stepping, and WITHOUT --firmware

      Actual results:
      Exception trace

      Expected results:
      Validates guest

      Additional info:

              rhn-engineering-berrange Daniel Berrangé
              rhn-engineering-berrange Daniel Berrangé
              Han Han Han Han
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: