Merge pull request ArmDeveloperEcosystem#700 from pareenaverma/conten…

…t_review

CCA container Learning Path

content/learning-paths/servers-and-cloud-computing/cca-container/_index.md

@@ -0,0 +1,37 @@
+---
+title: Run an application in a Realm using Arm Confidential Compute Architecture (CCA)
+
+minutes_to_complete: 120
+
+who_is_this_for: This is an introductory topic for software developers who want to learn how to run their applications in a Realm using Arm Confidential Compute Architecture (CCA).
+
+learning_objectives:
+    - Run the Arm reference CCA software stack on an Armv-A AEM Base FVP platform with support for RME extensions
+    - Create a virtual machine in a Realm running guest Linux using a pre-built docker container
+    - Run a simple application in a Realm running guest Linux
+
+prerequisites:
+    - An aarch64 or x86_64 computer running Linux. Cloud instances can be used, refer to the list of [Arm cloud service providers](/learning-paths/servers-and-cloud-computing/csp/).
+
+author_primary: Pareena Verma
+
+### Tags
+skilllevels: Introductory
+subjects: Performance and Architecture
+armips:
+    - Neoverse 
+operatingsystems:
+    - Linux 
+tools_software_languages:
+    - GCC
+    - FVP
+    - RME
+    - CCA
+    - Docker
+
+### FIXED, DO NOT MODIFY
+# ================================================================================
+weight: 1                       # _index.md always has weight of 1 to order correctly
+layout: "learningpathall"       # All files under learning paths have this same wrapper
+learning_path_main_page: "yes"  # This should be surfaced when looking for related content. Only set for _index.md of learning path content.
+---

content/learning-paths/servers-and-cloud-computing/cca-container/_next-steps.md

@@ -0,0 +1,40 @@
+---
+# ================================================================================
+#       Edit
+# ================================================================================
+
+next_step_guidance: >
+   You now have an understanding of how to run an application inside a Realm using Arm Confidential Compute Architecture. You can also build the complete Arm CCA software stack yourself and validate your applications on an Arm FVP ahead of silicon availability.
+
+# 1-3 sentence recommendation outlining how the reader can generally keep learning about these topics, and a specific explanation of why the next step is being recommended.
+
+recommended_path: "/learning-paths/servers-and-cloud-computing/rme-cca-basics/"
+# Link to the next learning path being recommended(For example this could be /learning-paths/servers-and-cloud-computing/mongodb).
+
+
+# further_reading links to references related to this path. Can be:
+    # Manuals for a tool / software mentioned   (type: documentation)
+    # Blog about related topics                 (type: blog)
+    # General online references                 (type: website) 
+
+further_reading:
+    - resource:
+        title: Arm Confidential Compute Architecture
+        link: https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
+        type: website
+    - resource:
+        title: Arm Confidential Compute Architecture open source enablement
+        link: https://www.youtube.com/watch?v=JXrNkYysuXw
+        type: video
+    - resource:
+        title: Learn the architecture - Realm Management Extension
+        link: https://developer.arm.com/documentation/den0126
+        type: documentation
+
+# ================================================================================
+#       FIXED, DO NOT MODIFY
+# ================================================================================
+weight: 21                  # set to always be larger than the content in this path, and one more than 'review'
+title: "Next Steps"         # Always the same
+layout: "learningpathall"   # All files under learning paths have this same wrapper
+---

content/learning-paths/servers-and-cloud-computing/cca-container/_review.md

@@ -0,0 +1,49 @@
+---
+# ================================================================================
+#       Edit
+# ================================================================================
+
+# Always 3 questions. Should try to test the reader's knowledge, and reinforce the key points you want them to remember.
+    # question:         A one sentence question
+    # answers:          The correct answers (from 2-4 answer options only). Should be surrounded by quotes.
+    # correct_answer:   An integer indicating what answer is correct (index starts from 0)
+    # explanation:      A short (1-3 sentence) explanation of why the correct answer is correct. Can add additional context if desired
+
+
+review:
+    - questions:
+        question: >
+            Arm Confidential Compute Architecture (CCA) is available on all Arm devices
+        answers:
+            - "True"
+            - "False"
+        correct_answer: 2
+        explanation: >
+            CCA requires the Realm Management Extension (RME) of Armv9-A architecture, as well as support within the software stack running on the device.
+    - questions:
+        question: >
+            kvmtool supports the creation of realm guests.
+        answers:
+            - "True"
+            - "False"
+        correct_answer: 1
+        explanation: >
+            kvmtool supports the creation of realm guests that conform with the Arm RME specification.
+    - questions:
+        question: >
+            An application running in the realm, inherits its confidential protection.
+        answers:
+            - "True"
+            - "False"
+        correct_answer: 1
+        explanation: >
+            The guest VM is the realm and an application running in it inherits the confidential protection of the guest VM.
+                  
+
+# ================================================================================
+#       FIXED, DO NOT MODIFY
+# ================================================================================
+title: "Review"                 # Always the same title
+weight: 20                      # Set to always be larger than the content in this path
+layout: "learningpathall"       # All files under learning paths have this same wrapper
+---

content/learning-paths/servers-and-cloud-computing/cca-container/cca-container.md

@@ -0,0 +1,164 @@
+---
+# User change
+title: "Run the Arm CCA stack using a pre-built docker container"
+
+weight: 2 # 1 is first, 2 is second, etc.
+
+# Do not modify these elements
+layout: "learningpathall"
+---
+
+## Before you begin
+
+You will need at least 30 GB of free disk space on your machine to run the docker container with the Arm CCA reference software stack.
+
+## Overview
+
+The Arm Confidential Compute Architecture (CCA) enables the construction of protected execution
+environments called Realms. Realms allow lower-privileged software, such as an application or a virtual machine to
+protect its content and execution from attacks by higher-privileged software, such as an OS or a hypervisor. Realms provide an environment for confidential computing, without requiring the Realm owner to trust the software components that manage the resources used by the Realm.
+
+The Arm Realm Management Extension (RME) is an Arm v9-A architecture extension and defines the set of hardware features and properties that are required to comply with the Arm CCA architecture. RME introduces a new security state "Realm world", in addition to the traditional Secure and Non-Secure states.
+
+In this learning path, you will learn how to run the reference integration software stack for Arm CCA in a pre-built docker container. Shown below is graphical depiction of the software stack you will run on your development machine:
+
+![img #center](cca-stack-overview.png)
+
+Within the pre-built docker container, you will learn how to create a Realm that runs a guest Linux kernel and run a simple application within the Realm. This learning path focuses on the common pattern of using a Realm to protect an entire virtual machine.
+
+## Download the docker image
+
+Start by downloading the docker container image. This docker image contains the pre-built binaries for the Arm CCA reference software stack and the Armv-A Base Architecture Envelop Model (AEM) FVP with support for RME extensions. 
+
+Install [docker engine](/install-guides/docker/docker-engine) on your machine.
+
+Pull the docker image from DockerHub:
+
+```console
+docker pull armswdev/aemfvp-cca-image
+```
+Confirm that the docker container image was dowloaded successfully:
+
+```console
+docker image list
+```
+
+The output should be similar to:
+
+```output
+REPOSITORY        				TAG       IMAGE ID       CREATED       SIZE
+armswdev/aemfvp-cca-image   	arm64     cf2cfc5c6391   3 days ago     26.2GB
+```
+Run the docker container:
+
+```console
+docker run -it armswdev/aemfvp-cca-image /bin/bash
+```
+You are now inside the `/tmp/cca-stack` directory of the running `armswdev/aemfvp-cca-image` container.
+
+```output
+ubuntu@84eb170a69b9:/tmp/cca-stack$
+```
+
+## Run the software stack
+
+The pre-built binaries for the Arm CCA reference software stack are present in the `output/aemfvp-a-rme` directory. 
+
+```console
+ls output/aemfvp-a-rme/
+```
+This includes the Trusted Firmware binaries, the host root filesystem and host linux kernel image:
+
+```output
+bl1.bin  fip.bin  fip-std-tests.bin  host-fs.ext4  Image
+```
+
+These binaries can run on an Armv-A Base Architecture Envelop Model (AEM) FVP with support for RME extensions. AEM FVPs are fixed configuration virtual platforms of Armv8-A and  Armv9-A architectures with comprehensive system IP. The FVP is also contained within this docker container.
+
+Launch the `run-cca-fvp.sh` script to run the Arm CCA pre-built binaries on the FVP:
+
+```console
+./run-cca-fvp.sh
+```
+
+{{% notice Note %}}
+A number of `Info` and `Warning` messages will be emitted by the FVP. These can safely be ignored.
+{{% /notice %}}
+
+The `run-cca-fvp.sh` script uses the `screen` command to connect to the different UARTs in the FVP.  
+
+You should see the host Linux kernel boot on your terminal:
+
+```output
+udhcpc: started, v1.31.1
+udhcpc: sending discover
+udhcpc: sending select for 172.20.51.1
+udhcpc: lease of 172.20.51.1 obtained, lease time 86400
+deleting routers
+adding dns 172.20.51.254
+FAIL
+Starting dropbear sshd: OK
+
+Welcome to Buildroot
+buildroot login:
+```
+
+You will be prompted to login to buildroot. Enter `root` as both the username and password.
+
+You have successfully booted four worlds (Root, Secure, Non-secure and Realm) on the FVP at this point. Trusted Firmware-A is running in root, Realm Management Monitor (RMM) in Realm, host Linux in non-secure and Hafnium in secure. 
+
+## Create a virtual guest in a Realm
+
+Guest VMs can be launched in a Realm using `kvmtool` from your host Linux prompt. The kernel `Image` and filesystem `realm-fs.ext4` for the Realm are packaged into the buildroot host file system.
+
+Use `kvmtool` to launch guest linux in a Realm:
+
+```console
+lkvm run --realm -c 2 -m 256 -k /realm/Image -d /realm/realm-fs.ext4 -p earlycon
+```
+You should see the guest Linux kernel starting to boot in a Realm. This step can take several minutes.
+
+After boot up, you will be prompted to login at the guest Linux buildroot prompt. Use `root` again as both the username and password.
+
+```output
+Starting network: udhcpc: started, v1.31.1
+udhcpc: sending discover
+udhcpc: sending select for 192.168.33.15
+udhcpc: lease of 192.168.33.15 obtained, lease time 14400
+deleting routers
+adding dns 172.20.51.254
+OK
+Starting dropbear sshd: OK
+
+Welcome to Buildroot
+buildroot login:
+```
+You have successfully created a virtual guest in a Realm using the Arm CCA reference software stack.
+
+To shutdown the guest, use the `poweroff` command.
+
+You should see the following output from the guest:
+
+```output
+Stopping dropbear sshd: OK
+Stopping network: OK
+Saving random seed: OK
+Stopping klogd: OK
+Stopping syslogd: OK
+umount: devtmpfs busy - remounted read-only
+[   42.595975] EXT4-fs (vda): re-mounted 9e9fa588-c41f-404a-a627-6616bb8491b1 ro. Quota mode: none.
+The system is going down NOW!
+Sent SIGTERM to all processes
+logout
+Sent SIGKILL to all processes
+Requesting system poweroff
+[   44.697156] reboot: Power down
+  Info: KVM session ended normally.
+```
+The guest has shut down and you are back at the host linux kernel prompt.
+
+To exit the simulation, use `Ctrl-a + d`. You will be placed back into the running docker container. 
+
+To exit the docker container, run `exit`.
+
+In the next section, you will learn how to run a simple application inside the Realm.