
sevctl

Administrative utility for AMD SEV

3 releases (breaking)

0.3.0 Jun 16, 2022
0.2.0 Dec 20, 2021
0.1.0 Mar 30, 2021



sevctl is a command line utility for managing the AMD Secure Encrypted Virtualization (SEV) platform. It currently supports the entire management API for the Naples generation of processors.



Every sevctl (sub)command comes with a quick --help option for a reference on its use. For example:

$ sevctl --help


$ sevctl show --help


export

Exports the SEV certificate chain to the provided file path.

$ sevctl export /path/to/where/you/want/the-certificate


generate

Generates a new (self-signed) OCA certificate and key.

$ sevctl generate ~/my-cert ~/my-key


ok

Probes processor, sysfs, and KVM for AMD SEV, SEV-ES, and SEV-SNP related features on the host and emits the results.

$ sevctl ok {sev, es, snp}   # Probes support for the generation specified.
$ sevctl ok                  # Probes support for the host hardware's generation.


provision

Installs the operator-provided OCA certificate to take ownership of the platform.

$ sevctl provision ~/owners-cert ~/owners-private-key


reset

Resets the SEV platform. This will clear all persistent data managed by the platform.

$ sevctl reset


rotate

Rotates the Platform Diffie-Hellman (PDH) key.

$ sevctl rotate


session

Given a certificate chain file and a 32-bit guest policy, generates base64-encoded GODH and launch session files, as well as TIK and TEK files (which are not base64-encoded).

$ sevctl session --name {name} {/pdh/cert/path} {policy}
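Composing the policy argument for `sevctl session`, as an added example that is not part of sevctl: the bit layout follows the guest policy structure in the AMD SEV API specification (bits 0-5 are the flags, bits 16-23 and 24-31 the minimum firmware API major/minor version, bits 6-15 reserved), and the helper names and the sample paths are this example's own.

```python
# Added example (not sevctl's code): compose and decode the 32-bit SEV guest
# policy word passed to `sevctl session`. Bit positions follow the AMD SEV API
# specification's guest policy structure; function names are assumptions.

POLICY_FLAGS = {
    "NODBG": 1 << 0,   # debugging of the guest is disallowed
    "NOKS": 1 << 1,    # sharing keys with other guests is disallowed
    "ES": 1 << 2,      # SEV-ES is required
    "NOSEND": 1 << 3,  # guest may not be sent to another platform
    "DOMAIN": 1 << 4,  # guest may only be sent to a platform in the same domain
    "SEV": 1 << 5,     # guest may only be sent to another SEV-capable platform
}

def build_policy(*flags, api_major=0, api_minor=0):
    """Return the 32-bit policy word for the named flags and minimum firmware API."""
    value = 0
    for name in flags:
        try:
            value |= POLICY_FLAGS[name]
        except KeyError:
            raise ValueError(f"unknown policy flag {name!r}") from None
    if not (0 <= api_major <= 0xFF and 0 <= api_minor <= 0xFF):
        raise ValueError("API major/minor fields are one byte each")
    return value | (api_major << 16) | (api_minor << 24)

def decode_policy(value):
    """Inverse of build_policy: set flags, API version, and any reserved bits set."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("policy must fit in 32 bits")
    flags = sorted(n for n, bit in POLICY_FLAGS.items() if value & bit)
    return {
        "flags": flags,
        "api_major": (value >> 16) & 0xFF,
        "api_minor": (value >> 24) & 0xFF,
        "reserved_bits": value & 0x0000FFC0,  # bits 6..15 must be zero
    }

if __name__ == "__main__":
    # Forbid debugging and key sharing and require SEV-ES: policy 0x7.
    p = build_policy("NODBG", "NOKS", "ES")
    print(f"sevctl session --name guest1 /path/to/pdh.cert {p}")  # constructed paths
    print(decode_policy(p))
```

A non-zero `reserved_bits` value in the decoded result means the word was not produced by a conforming encoder and should be rejected before being passed to the firmware.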


show

Describes the state of the SEV platform.

$ sevctl show flags
$ sevctl show guests


verify

Verifies the full SEV/CA certificate chain. File paths to these certificates can be supplied as command line arguments if they are stored on the local filesystem. If they are not supplied, the well-known public components will be downloaded from their remote locations.

$ sevctl verify

vmsa build

Build a VMSA binary blob and save to the specified filename.

$ sevctl vmsa build NEW-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

vmsa update

Update an existing VMSA binary file in place, with the passed options.

$ sevctl vmsa update EXISTING-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

vmsa show

Prints an existing VMSA binary file as JSON.

$ sevctl vmsa show EXISTING-VMSA0.bin

License: Apache-2.0
