#amd #sev

app sevctl

Administrative utility for AMD SEV

3 releases (breaking)

0.3.0 Jun 16, 2022
0.2.0 Dec 20, 2021
0.1.0 Mar 30, 2021

#40 in Operating systems

Download history 27/week @ 2022-03-14 14/week @ 2022-03-21 4/week @ 2022-03-28 12/week @ 2022-04-04 1/week @ 2022-04-11 2/week @ 2022-04-18 12/week @ 2022-04-25 18/week @ 2022-05-02 2/week @ 2022-05-09 36/week @ 2022-05-16 12/week @ 2022-05-23 17/week @ 2022-05-30 6/week @ 2022-06-06 35/week @ 2022-06-13 3/week @ 2022-06-20 5/week @ 2022-06-27

53 downloads per month

Apache-2.0

61KB
1.5K SLoC

Workflow Status Average time to resolve an issue Percentage of issues still open Maintenance

sevctl

sevctl is a command line utility for managing the AMD Secure Encrypted Virtualization (SEV) platform. It currently supports the entire management API for the Naples generation of processors.

Usage

help

Every sevctl (sub)command comes with a quick --help option for a reference on its use. For example:

$ sevctl --help

or

$ sevctl show --help

export

Exports the SEV certificate chain to the provided file path.

$ sevctl export /path/to/where/you/want/the-certificate

generate

Generates a new (self-signed) OCA certificate and key.

$ sevctl generate ~/my-cert ~/my-key

ok

Probes processor, sysfs, and KVM for AMD SEV, SEV-ES, and SEV-SNP related features on the host and emits the results.

$ sevctl ok {sev, es, snp}   // Probes support for the generation specified.
$ sevctl ok                  // Probes support for the host hardware's generation.

provision

Installs the operator-provided OCA certificate to take ownership of the platform.

$ sevctl provision ~/owners-cert ~/owners-private-key

reset

Resets the SEV platform. This will clear all persistent data managed by the platform.

$ sevctl reset

rotate

Rotates the Platform Diffie-Hellman (PDH).

$ sevctl rotate

session

Given a certificate chain file and 32-bit policy, generates base64-encoded GODH and launch session files; as well as encoded (not base64) TIK and TEK files.

$ sevctl session --name {name} {/pdh/cert/path} {policy}

show

Describes the state of the SEV platform.

$ sevctl show flags
$ sevctl show guests

verify

Verifies the full SEV/CA certificate chain. File paths to these certificates can be supplied as command line arguments if they are stored on the local filesystem. If they are not supplied, the well-known public components will be downloaded from their remote locations.

$ sevctl verify

vmsa build

Build a VMSA binary blob and save to the specified filename.

$ sevctl vmsa build NEW-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

vmsa update

Update an existing VMSA binary file in place, with the passed options.

$ sevctl vmsa build EXISTING-VMSA0.bin --userspace qemu --family 25 --stepping 1 --model 1 --firmware /path/to/OVMF.amdsev.fd --cpu 0

vmsa show

Print an existing VMSA binary file as JSON

$ sevctl vmsa show EXISTING-VMSA0.bin

License: Apache-2.0

Dependencies

~6–12MB
~253K SLoC