Generating Certificates
The snpcert repository contains self-service tools to generate AMD SEV certifications for operating systems. The following instructions use your AMD EPYC server to run a series of SEV acceptance tests on the operating system and create a GitHub issue containing the test results and certificate.
- [Test Server] An AMD EPYC server enabled with SEV 3.0
- [Dispatch Host] A separate computing instance with the following restrictions:
  - Must have an IP reachable from the AMD EPYC server (the Test Server) for HTTP boot
  - Must have support for:
    - gh (GitHub CLI)
    - avahi-daemon (currently not supported on Windows)
On your Dispatch Host, download and run the dispatch tool. This tool serves images from the snpcert repo. These images are configured to boot on the Test Server bare-metal and automatically run a series of tests before transmitting the results back to the dispatch server. dispatch then opens a GitHub issue in the specified repo with the certification results. See the dispatch README for detailed information about how it works.
Install any missing dependencies from this list:
Ubuntu Example:
# Install GH and Avahi
sudo apt update
sudo apt install avahi-daemon
sudo apt install gh
Log in to GitHub:
gh auth login
Download the latest dispatch binaries through your browser or through gh:
gh release download -R github.com/AMDEPYC/dispatch --pattern 'dispatch-*'
chmod a+x dispatch*
Or clone the repository and build it from source.
If you would like to use the images available in AMD's snpcert repository & post the results in an issue there:
./dispatch-linux-x86_64 --owner AMDEPYC --repo snpcert --tag devel
You can optionally add a filter at the end if you want to run on a subset of images:
./dispatch-linux-x86_64 --owner AMDEPYC --repo snpcert --tag devel ubuntu
You can also fork the AMDEPYC/snpcert repository to build alternate images and have certification results posted in that repository's issues - see Forking snpcert for more information.
./dispatch-linux-x86_64 --owner <your org/username> --repo snpcert --tag devel
If you run the first command with no filter specified, you should see the following screen:

While this screen is up, the specified images are queued for testing. Each image has a status icon to the left of its name. See Workflow-Stats for a table of the icon meanings. Pressing q will kill the dispatch process.
Some server manuals may not yet be listed.
Instructions may differ based on the server offering. This may involve updating your firmware and enabling AMD SEV features in the BIOS/UEFI. See the Reference Manuals section above.
Running a certification test on a Test Server that is not properly configured for SEV will result in an early failure on the snphost ok check. You can check the GitHub issue output for details on the specific SEV feature that is missing.
Set the HTTP boot path using the URL & port of your dispatch server. See the Reference Manuals section above for instructions. By default dispatch will expose port 8080 on your server, so the URL will look like:
http://<server.ip.address>:8080/dispatch
Note
Some server boot menus check that the path contains the .efi or .iso extension. Add a query parameter as a workaround:
http://<server.ip.address>:8080/dispatch?foo.efi
In the future dispatch will support adding the extension.
Update the boot order so that HTTP boot is first.
If configured correctly, the Test Server's console will show it downloading the host image. You can switch back to your dispatch server and watch the status of the test via the icons to the left of the images. See Workflow-Stats for a table of the icon meanings. When it reaches 🏁, you should see a new GitHub issue in the repository that you specified when invoking dispatch.
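A preflight for the Dispatch Host covering the dependency, login and HTTP boot path steps above, as an added example that is not part of dispatch or snpcert. The function names, the IPv4-only address check and the ?foo.iso variant are assumptions of this example.

```sh
#!/bin/sh
# Added example: Dispatch Host preflight. Not part of dispatch or snpcert.

# Print required tools that are not installed (empty output = all present).
missing_deps() {
    missing=""
    for tool in "$@"; do
        # avahi-daemon usually lives in /usr/sbin, which may be off a user's PATH.
        if ! command -v "$tool" >/dev/null 2>&1 && [ ! -x "/usr/sbin/$tool" ]; then
            missing="$missing $tool"
        fi
    done
    echo "${missing# }"
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# boot_url IP [PORT] [EXT]: print the HTTP boot path (PORT defaults to 8080).
# EXT (efi or iso) appends ?foo.EXT; the .iso form is assumed from ?foo.efi.
boot_url() {
    ip=$1; port=${2:-8080}; ext=${3:-}
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case $ext in
        '')      echo "http://$ip:$port/dispatch" ;;
        efi|iso) echo "http://$ip:$port/dispatch?foo.$ext" ;;
        *)       echo "extension must be efi or iso" >&2; return 1 ;;
    esac
}

preflight() {
    missing=$(missing_deps gh avahi-daemon)
    [ -z "$missing" ] || { echo "missing dependencies: $missing" >&2; return 1; }
    gh auth status >/dev/null 2>&1 || { echo "run 'gh auth login' first" >&2; return 1; }
    url=$(boot_url "$@") || return 1
    echo "Set the Test Server HTTP boot path to: $url"
}

# Usage: sh preflight.sh <dispatch-host-ip> [port] [efi|iso]
if [ $# -gt 0 ]; then preflight "$@"; fi
```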
If you wish to build alternate images and/or send test results to an alternate repository, fork AMDEPYC/snpcert into your organization or personal account.
Fork this repository into your account or organization: AMDEPYC/snpcert. See Forking a Repository.
Trigger the GitHub Actions workflow (either manually or by pushing a commit) to create a release with images.
Manually:

In either case, after this is complete you should see releases tagged devel in your fork.
If they are not already enabled, check the box to enable issues, so that dispatch can send certification results in the form of a new issue.

You can now run dispatch while specifying the new repository:
./dispatch-linux-x86_64 --owner <your-org or username> --repo snpcert --tag devel