Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/virtee/sevctl

Administrative utility for AMD SEV
https://github.com/virtee/sevctl

Last synced: 4 days ago
JSON representation

Administrative utility for AMD SEV

Awesome Lists containing this project

README 

        
[![Workflow Status](https://github.com/virtee/sevctl/workflows/test/badge.svg)](https://github.com/virtee/sevctl/actions?query=workflow%3A%22test%22)

[![Average time to resolve an issue](https://isitmaintained.com/badge/resolution/virtee/sevctl.svg)](https://isitmaintained.com/project/virtee/sevctl "Average time to resolve an issue")

[![Percentage of issues still open](https://isitmaintained.com/badge/open/virtee/sevctl.svg)](https://isitmaintained.com/project/virtee/sevctl "Percentage of issues still open")

![Maintenance](https://img.shields.io/badge/maintenance-activly--developed-brightgreen.svg)



# sevctl



`sevctl` is a command line utility for managing the AMD Secure Encrypted Virtualization (SEV) platform.

It currently supports the entire management API for the Naples generation of processors.



In order to provision a new server using a self-signed Owner's Certificate

Authority (OCA), you would typically perform a sequence similar to:



```console

$ sevctl generate oca.cert oca.key

$ sevctl provision oca.cert oca.key

$ sevctl export --full /opt/sev/cert_chain.cert

```



After these steps, running the `sevctl verify` subcommand should show the whole

certificate chain, and `sevctl show flags` should indicate that the platform is

`owned`. Note that you can only provision once. Should you need to re-provision,

you will need to use `sevctl reset` first.



## Usage



### help



Every `sevctl` (sub)command comes with a quick `--help` option for a reference on its use. For example:



```console

$ sevctl --help

```



or



```console

$ sevctl show --help

```



### export



Exports the SEV certificate chain to the provided file path.



```console

$ sevctl export /path/to/where/you/want/the-certificate

```



### generate



Generates a new (self-signed) OCA certificate and key.



```console

$ sevctl generate ~/my-cert ~/my-key

```



### measurement build



Build measurement value from its component parts. The output is a

full measurement blob of measurement+nonce, similar to what qemu

and libvirt report.



```console

$ sevctl measurement build \

    --api-major 01 --api-minor 40 --build-id 40 \

    --policy 0x05 \

    --tik /path/to/VM_tik.bin \

    --launch-measure-blob /o0nzDKE5XgtVnUZWPhUea/WZYrTKLExR7KCwuMdbActvpWfXTFk21KMZIAAhQny \

    --firmware /usr/share/edk2/ovmf/OVMF.amdsev.fd \

    --kernel /path/to/kernel \

    --initrd /path/to/initrd \

    --cmdline "my kernel cmdline" \

    --vmsa-cpu0 /path/to/vmsa0.bin \

    --vmsa-cpu1 /path/to/vmsa1.bin \

    --num-cpus 4

```



### ok



Probes processor, sysfs, and KVM for AMD SEV, SEV-ES, and SEV-SNP related features on the host and emits the results.



```console

$ sevctl ok {sev, es, snp}   // Probes support for the generation specified.

$ sevctl ok                  // Probes support for the host hardware's generation.

```



### provision



Installs the operator-provided OCA certificate to take ownership of the platform.



```console

$ sevctl provision ~/owners-cert ~/owners-private-key

```



### reset



Resets the SEV platform. This will clear all persistent data managed by the platform.



```console

$ sevctl reset

```



### rotate



Rotates the Platform Diffie-Hellman (PDH).



```console

$ sevctl rotate

```



### secret build



Generate secret header and payload binary content, and write to specified

output paths. Secrets are passed as `--secret UUID:FILENAME` pairs



```console

$ sevctl secret build \

    --tik /path/to/VM_tik.bin \

    --tek /path/to/VM_tek.bin \

    --launch-measure-blob /o0nzDKE5XgtVnUZWPhUea/WZYrTKLExR7KCwuMdbActvpWfXTFk21KMZIAAhQny \

    --secret 736869e5-84f0-4973-92ec-06879ce3da0b:/path/to/secret.txt \

    /path/to/secret_header.bin \

    /path/to/secret_payload.bin

```



### session



Given a certificate chain file and 32-bit policy, generates base64-encoded GODH and launch session files; as

well as encoded (not base64) TIK and TEK files.



```console

$ sevctl session --name {name} {/pdh/cert/path} {policy}

```

### show



Describes the state of the SEV platform.



```console

$ sevctl show flags

```



```console

$ sevctl show guests

```



### verify



Verifies the full SEV/CA certificate chain. File paths to these certificates can be supplied as

command line arguments if they are stored on the local filesystem. If they are not supplied, the

well-known public components will be downloaded from their remote locations.



```console

$ sevctl verify

```



### vmsa build



Build a VMSA binary blob and save to the specified filename.



```console

$ sevctl vmsa build NEW-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

```



### vmsa update



Update an existing VMSA binary file in place, with the passed options.



```console

$ sevctl vmsa build EXISTING-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

```



### vmsa show



Print an existing VMSA binary file as JSON



```console

$ sevctl vmsa show EXISTING-VMSA0.bin

```



## Building



Some packages may need to be installed on the host system in order to build

sevctl.



### Ubuntu

```console

sudo apt install -y pkg-config libssl-dev asciidoctor

```



### RHEL and its compatible distributions

```console

sudo dnf install -y gcc openssl-devel pkg-config perl perl-FindBin perl-File-Compare

```



License: Apache-2.0