intermediate commit

Signed-off-by: Jake Correnti <[email protected]>

Author: jakecorrenti

build_libkrun.sh

@@ -0,0 +1 @@
+make clean && make TDX=1 && sudo make TDX=1 install

examples/Makefile

@@ -17,7 +17,8 @@ ifeq ($(SEV),1)
     EXAMPLES := launch-tee
 endif
 ifeq ($(TDX),1)
-    EXAMPLES := launch-tee
+    # EXAMPLES := launch-tee
+    EXAMPLES := chroot_vm
 endif
 ifeq ($(EFI),1)
     EXAMPLES := boot_efi
@@ -26,7 +27,8 @@ endif
 all: $(EXAMPLES)
 
 chroot_vm: chroot_vm.c
-	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
+	# gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_tdx)
 ifeq ($(OS),Darwin)
 	codesign --entitlements chroot_vm.entitlements --force -s - $@
 endif

examples/chroot_vm.c

@@ -234,12 +234,18 @@ int main(int argc, char *const argv[])
     }
 
     // Configure the number of vCPUs (1) and the amount of RAM (512 MiB).
-    if (err = krun_set_vm_config(ctx_id, 4, 4096)) {
+    if (err = krun_set_vm_config(ctx_id, 1, 4096)) {
         errno = -err;
         perror("Error configuring the number of vCPUs and/or the amount of RAM");
         return -1;
     }
 
+    if (err = krun_set_tee_config_file(ctx_id, "/home/jcorrent/slp-libkrun/examples/tdx-config-noattest.json")) {
+        errno = -err;
+        perror("Error setting the TEE config file");
+        return -1;
+    }
+
     // Raise RLIMIT_NOFILE to the maximum allowed to create some room for virtio-fs
     getrlimit(RLIMIT_NOFILE, &rlim);
     rlim.rlim_cur = rlim.rlim_max;

examples/launch-tee

@@ -0,0 +1 @@
+make clean && make TDX=1 && sudo LD_LIBRARY_PATH=/usr/local/lib64 ./chroot_vm ./rootfs_fedora /bin/sh

examples/output.txt

@@ -810,6 +810,7 @@ int setup_redirects()
 
 int main(int argc, char **argv)
 {
+	printf("HELLO FROM THE INIT BINARY\n");
 	struct ifreq ifr;
 	int sockfd;
 	char localhost[] = "localhost\0";

examples/run_tdx_example.sh

@@ -35,7 +35,7 @@ use vmm::resources::VmResources;
 #[cfg(feature = "blk")]
 use vmm::vmm_config::block::BlockDeviceConfig;
 use vmm::vmm_config::boot_source::{BootSourceConfig, DEFAULT_KERNEL_CMDLINE};
-#[cfg(not(feature = "tee"))]
+// #[cfg(not(feature = "tee"))]
 use vmm::vmm_config::fs::FsDeviceConfig;
 #[cfg(not(feature = "efi"))]
 use vmm::vmm_config::kernel_bundle::KernelBundle;
@@ -408,7 +408,7 @@ pub extern "C" fn krun_set_vm_config(ctx_id: u32, num_vcpus: u8, ram_mib: u32) -
 
 #[allow(clippy::missing_safety_doc)]
 #[no_mangle]
-#[cfg(not(feature = "tee"))]
+// #[cfg(not(feature = "tee"))]
 pub unsafe extern "C" fn krun_set_root(ctx_id: u32, c_root_path: *const c_char) -> i32 {
     let root_path = match CStr::from_ptr(c_root_path).to_str() {
         Ok(root) => root,
@@ -1109,6 +1109,8 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
         kernel_cmdline_epilog: Some(format!(" -- {}", ctx_cfg.get_args())),
     };
 
+    println!("boot_source: {:?}", boot_source);
+
     if ctx_cfg.vmr.set_boot_source(boot_source).is_err() {
         return -libc::EINVAL;
     }

init/init.c

@@ -643,6 +643,7 @@ pub fn build_microvm(
         )?;
     }
 
+    println!("kernel cmdline before adding to vmm: {:?}", kernel_cmdline);
     let mut vmm = Vmm {
         guest_memory,
         guest_memfd_regions,
@@ -713,6 +714,7 @@ pub fn build_microvm(
     }
 
     if let Some(s) = &vm_resources.boot_config.kernel_cmdline_epilog {
+        println!("EPILOG STRING: {:?}", s);
         vmm.kernel_cmdline.insert_str(s).unwrap();
     };
 
@@ -789,6 +791,7 @@ pub fn build_microvm(
         println!("Starting TEE/microVM.");
     }
 
+    println!("kernel cmdline before starting vcpus: {:?}", vmm.kernel_cmdline);
     vmm.start_vcpus(vcpus)
         .map_err(StartMicrovmError::Internal)?;
 
@@ -1176,6 +1179,41 @@ fn create_vcpus_x86_64(
             if entry.index == 0x1 {
                 entry.ecx &= 1 << 21;
             }
+
+            if entry.function == 0xD && entry.index == 0 {
+                const XFEATURE_MASK_XTILE: u32 = (1 << 17) | (1 << 18);
+                if (entry.eax & XFEATURE_MASK_XTILE) != XFEATURE_MASK_XTILE {
+                    entry.eax &= !XFEATURE_MASK_XTILE;
+                }
+            }
+
+            if entry.function == 0xD && entry.index == 1 {
+                entry.ecx &= !(1 << 15);
+                const XFEATURE_MASK_CET: u32 = (1 << 11) | (1 << 12);
+                if entry.ecx & XFEATURE_MASK_CET > 0 {
+                    entry.ecx |= XFEATURE_MASK_CET;
+                }
+            }
+
+            if entry.function == 0x4000_0001  {
+                // KVM feature bits
+                const KVM_FEATURE_CLOCKSOURCE_BIT: u8 = 0;
+                const KVM_FEATURE_CLOCKSOURCE2_BIT: u8 = 3;
+                const KVM_FEATURE_CLOCKSOURCE_STABLE_BIT: u8 = 24;
+                const KVM_FEATURE_ASYNC_PF_BIT: u8 = 4;
+                const KVM_FEATURE_ASYNC_PF_VMEXIT_BIT: u8 = 10;
+                const KVM_FEATURE_STEAL_TIME_BIT: u8 = 5;
+                const KVM_FEATURE_PV_EOI: u8 = 6;
+                
+                // These features are not supported by TDX
+                entry.eax &= !(1 << KVM_FEATURE_CLOCKSOURCE_BIT
+                    | 1 << KVM_FEATURE_CLOCKSOURCE2_BIT
+                    | 1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT
+                    | 1 << KVM_FEATURE_ASYNC_PF_BIT
+                    | 1 << KVM_FEATURE_ASYNC_PF_VMEXIT_BIT
+                    | 1 << KVM_FEATURE_PV_EOI
+                    | 1 << KVM_FEATURE_STEAL_TIME_BIT);
+            }
         }
 
         #[cfg(feature = "intel-tdx")]

src/libkrun/src/lib.rs

@@ -24,7 +24,7 @@ pub enum Error {
 }
 
 pub struct IntelTdx {
-    caps: TdxCapabilities,
+//     caps: TdxCapabilities,
     vm: TdxVm,
     tdvf_sections: Vec<TdvfSection>,
     tdvf_file: File,
@@ -34,9 +34,9 @@ impl IntelTdx {
     pub fn new(vm_fd: &VmFd) -> Result<Self, Error> {
         // FIXME(jakecorrenti): need to specify the max number of VCPUs here and not just assume 100. This should come from the VmResources that we set when doing krun_set_vm_config()
         let vm = TdxVm::new(vm_fd, 1).or_else(|_| return Err(Error::CreateTdxVmStruct))?;
-        let caps = vm
-            .get_capabilities(vm_fd)
-            .or_else(|_| return Err(Error::GetCapabilities))?;
+        // let caps = vm
+        //     .get_capabilities(vm_fd)
+        //     .or_else(|_| return Err(Error::GetCapabilities))?;
 
         // let mut firmware = std::fs::File::open("/home/jcorrent/edk2/Build/IntelTdx/RELEASE_GCC5/FV/OVMF.fd")
         let mut firmware = std::fs::File::open("/home/slp/OVMF.fd")
@@ -45,7 +45,7 @@ impl IntelTdx {
             tdx::tdvf::parse_sections(&mut firmware).map_err(Error::ParseTdvfSections)?;
 
         Ok(IntelTdx {
-            caps,
+            // caps,
             vm,
             tdvf_sections,
             tdvf_file: firmware,

src/vmm/src/builder.rs

@@ -18,7 +18,7 @@ use kbs_types::Tee;
 #[cfg(feature = "blk")]
 use crate::vmm_config::block::{BlockBuilder, BlockConfigError, BlockDeviceConfig};
 use crate::vmm_config::boot_source::{BootSourceConfig, BootSourceConfigError};
-#[cfg(not(feature = "tee"))]
+// #[cfg(not(feature = "tee"))]
 use crate::vmm_config::fs::*;
 #[cfg(feature = "tee")]
 use crate::vmm_config::kernel_bundle::{InitrdBundle, QbootBundle, QbootBundleError};
@@ -92,7 +92,7 @@ pub struct VmResources {
     #[cfg(feature = "tee")]
     pub initrd_bundle: Option<InitrdBundle>,
     /// The fs device.
-    #[cfg(not(feature = "tee"))]
+    // #[cfg(not(feature = "tee"))]
     pub fs: Vec<FsDeviceConfig>,
     /// The vsock device.
     pub vsock: VsockBuilder,
@@ -233,7 +233,7 @@ impl VmResources {
         Ok(())
     }
 
-    #[cfg(not(feature = "tee"))]
+    // #[cfg(not(feature = "tee"))]
     pub fn add_fs_device(&mut self, config: FsDeviceConfig) {
         self.fs.push(config)
     }

src/vmm/src/linux/tee/inteltdx.rs

@@ -9,7 +9,7 @@ pub mod block;
 pub mod boot_source;
 
 /// Wrapper for configuring the Fs devices attached to the microVM.
-#[cfg(not(feature = "tee"))]
+// #[cfg(not(feature = "tee"))]
 pub mod fs;
 
 /// Wrapper over the microVM general information attached to the microVM.