Support ARM CCA feature

Enable to build confidential guests using ARM CCA (Confidential
Computing Architecture). This work relies on v7 series for Linux and v5
series for KVM. This has been tested only on the corresponding FVP model
simulator. For testing, you require specific kvm-ioctls and kvm-bindings
crates.

Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>

Author: MatiasVara

Makefile

@@ -27,6 +27,9 @@ ifeq ($(SEV),1)
     INIT_SRC += $(SNP_INIT_SRC)
 	BUILD_INIT = 0
 endif
+ifeq ($(CCA), 1)
+    FEATURE_FLAGS := --features cca
+endif
 ifeq ($(GPU),1)
     FEATURE_FLAGS += --features gpu
 endif

src/arch/Cargo.toml

@@ -5,6 +5,8 @@ authors = ["The Chromium OS Authors"]
 edition = "2021"
 
 [features]
+default = ["cca"]
+cca = []
 tee = []
 amd-sev = [ "tee" ]
 efi = []
@@ -18,8 +20,8 @@ smbios = { path = "../smbios" }
 utils = { path = "../utils" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }
 
 [target.'cfg(target_arch = "aarch64")'.dependencies]
 vm-fdt = ">= 0.2.0"

src/arch/src/aarch64/fdt.rs

@@ -285,7 +285,10 @@ fn create_psci_node(fdt: &mut FdtWriter) -> Result<()> {
     // Two methods available: hvc and smc.
     // As per documentation, PSCI calls between a guest and hypervisor may use the HVC conduit instead of SMC.
     // So, since we are using kvm, we need to use hvc.
+    #[cfg(not(feature = "cca"))]
     fdt.property_string("method", "hvc")?;
+    #[cfg(feature = "cca")]
+    fdt.property_string("method", "smc")?;
     fdt.end_node(node)?;
 
     Ok(())

src/arch/src/aarch64/linux/regs.rs

@@ -125,8 +125,10 @@ arm64_sys_reg!(MPIDR_EL1, 3, 0, 0, 0, 5);
 /// * `boot_ip` - Starting instruction pointer.
 /// * `mem` - Reserved DRAM for current VM.
 pub fn setup_regs(vcpu: &VcpuFd, cpu_id: u8, boot_ip: u64, mem: &GuestMemoryMmap) -> Result<()> {
-    // Get the register index of the PSTATE (Processor State) register.
+    // PSTATE cannot be accesed from the host in CCA
+    #[cfg(not(feature = "cca"))]
     #[allow(deref_nullptr)]
+    // Get the register index of the PSTATE (Processor State) register.
     vcpu.set_one_reg(arm64_core_reg!(pstate), &PSTATE_FAULT_BITS_64.to_le_bytes())
         .map_err(Error::SetCoreRegister)?;
 

src/cpuid/Cargo.toml

@@ -8,5 +8,5 @@ edition = "2021"
 vmm-sys-util = ">=0.11"
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }

src/devices/Cargo.toml

@@ -5,7 +5,9 @@ authors = ["The Chromium OS Authors"]
 edition = "2021"
 
 [features]
+default = ["cca"]
 tee = []
+cca = []
 amd-sev = ["blk", "tee"]
 net = []
 blk = []

src/devices/src/virtio/console/device.rs

@@ -30,9 +30,18 @@ use crate::virtio::{PortDescription, VmmExitObserver};
 pub(crate) const CONTROL_RXQ_INDEX: usize = 2;
 pub(crate) const CONTROL_TXQ_INDEX: usize = 3;
 
-pub(crate) const AVAIL_FEATURES: u64 = 1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
-    | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
-    | 1 << uapi::VIRTIO_F_VERSION_1 as u64;
+// CCA requires VIRTIO_F_ACCESS_PLATFORM to ensure DMA-APIs
+// are triggered for virtio in Linux
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
+        | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
+        | 1 << uapi::VIRTIO_F_VERSION_1 as u64
+        | 1 << uapi::VIRTIO_F_ACCESS_PLATFORM as u64
+} else {
+    1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
+        | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
+        | 1 << uapi::VIRTIO_F_VERSION_1 as u64
+};
 
 #[repr(C)]
 #[derive(Default)]

src/devices/src/virtio/console/mod.rs

@@ -22,6 +22,7 @@ mod defs {
         pub const VIRTIO_CONSOLE_F_MULTIPORT: u32 = 1;
         pub const VIRTIO_F_VERSION_1: u32 = 32;
         pub const VIRTIO_ID_CONSOLE: u32 = 3;
+        pub const VIRTIO_F_ACCESS_PLATFORM: u32 = 33;
     }
 
     #[allow(dead_code)]

src/devices/src/virtio/fs/device.rs

@@ -9,7 +9,10 @@ use std::thread::JoinHandle;
 #[cfg(target_os = "macos")]
 use hvf::MemoryMapping;
 use utils::eventfd::{EventFd, EFD_NONBLOCK};
-use virtio_bindings::{virtio_config::VIRTIO_F_VERSION_1, virtio_ring::VIRTIO_RING_F_EVENT_IDX};
+use virtio_bindings::{
+    virtio_config::VIRTIO_F_ACCESS_PLATFORM, virtio_config::VIRTIO_F_VERSION_1,
+    virtio_ring::VIRTIO_RING_F_EVENT_IDX,
+};
 use vm_memory::{ByteValued, GuestMemoryMmap};
 
 use super::super::{
@@ -70,7 +73,13 @@ impl Fs {
                 .push(EventFd::new(utils::eventfd::EFD_NONBLOCK).map_err(FsError::EventFd)?);
         }
 
-        let avail_features = (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX);
+        let avail_features = if cfg!(feature = "cca") {
+            (1u64 << VIRTIO_F_VERSION_1)
+                | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+                | (1 << VIRTIO_F_ACCESS_PLATFORM as u64)
+        } else {
+            (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+        };
 
         let tag = fs_id.into_bytes();
         let mut config = VirtioFsConfig::default();

src/devices/src/virtio/rng/device.rs

@@ -13,12 +13,17 @@ use super::super::{
 use super::{defs, defs::uapi};
 use crate::legacy::GicV3;
 use crate::Error as DeviceError;
+use virtio_bindings::virtio_config::VIRTIO_F_ACCESS_PLATFORM;
 
 // Request queue.
 pub(crate) const REQ_INDEX: usize = 0;
 
 // Supported features.
-pub(crate) const AVAIL_FEATURES: u64 = 1 << uapi::VIRTIO_F_VERSION_1 as u64;
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64 | 1 << VIRTIO_F_ACCESS_PLATFORM as u64
+} else {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64
+};
 
 #[derive(Copy, Clone, Debug, Default)]
 #[repr(C, packed)]

src/libkrun/Cargo.toml

@@ -16,12 +16,14 @@ snd = []
 virgl_resource_map2 = []
 
 [dependencies]
+vm-memory = { version = ">=0.13", features = ["backend-mmap"] }
 crossbeam-channel = "0.5"
 env_logger = "0.9.0"
 libc = ">=0.2.39"
 log = "0.4.0"
 once_cell = "1.4.1"
 
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
 devices = { path = "../devices" }
 polly = { path = "../polly" }
 utils = { path = "../utils" }

src/libkrun/src/lib.rs

@@ -1,6 +1,13 @@
 #[macro_use]
 extern crate log;
 
+use crossbeam_channel::unbounded;
+use kvm_bindings::kvm_memory_attributes;
+use libc::fallocate;
+use libc::madvise;
+use libc::FALLOC_FL_KEEP_SIZE;
+use libc::FALLOC_FL_PUNCH_HOLE;
+use libc::MADV_DONTNEED;
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
 use std::convert::TryInto;
@@ -11,10 +18,13 @@ use std::ffi::CString;
 #[cfg(target_os = "linux")]
 use std::os::fd::AsRawFd;
 use std::os::fd::RawFd;
+use std::os::raw::c_void;
 use std::path::PathBuf;
 use std::slice;
 use std::sync::atomic::{AtomicI32, Ordering};
 use std::sync::Mutex;
+use vm_memory::GuestMemoryRegion;
+use vm_memory::{Address, GuestMemory};
 
 #[cfg(target_os = "macos")]
 use crossbeam_channel::unbounded;
@@ -1225,9 +1235,12 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     #[cfg(target_os = "macos")]
     let (sender, receiver) = unbounded();
 
+    let (io_sender, receiver) = unbounded();
+
     let _vmm = match vmm::builder::build_microvm(
         &ctx_cfg.vmr,
         &mut event_manager,
+        io_sender,
         ctx_cfg.shutdown_efd,
         #[cfg(target_os = "macos")]
         sender,
@@ -1242,6 +1255,61 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     #[cfg(target_os = "macos")]
     let mapper_vmm = _vmm.clone();
 
+    let vm = _vmm.lock().unwrap().kvm_vm().fd.clone();
+    let guest_mem = _vmm.lock().unwrap().guest_memory().clone();
+    let guest_memfd = _vmm.lock().unwrap().guest_memfd_vec.clone();
+
+    std::thread::spawn(move || loop {
+        match receiver.recv() {
+            Err(e) => error!("Error in receiver: {:?}", e),
+            Ok(m) => {
+                let _ret = vm
+                    .lock()
+                    .unwrap()
+                    .set_memory_attributes(kvm_memory_attributes {
+                        address: m.addr,
+                        size: m.size,
+                        attributes: m.attributes as u64,
+                        flags: 0,
+                    });
+
+                // from private to shared
+                if m.attributes == 0 {
+                    for (index, region) in guest_mem.iter().enumerate() {
+                        // this supposes that m.addr + m.size < region.start + region.size
+                        // which may be false
+                        if (region.start_addr().raw_value() + region.size() as u64) > m.addr {
+                            let offset = m.addr - region.start_addr().raw_value();
+                            unsafe {
+                                let _ret = fallocate(
+                                    *guest_memfd.get(index).unwrap(),
+                                    FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+                                    offset as i64,
+                                    m.size as i64,
+                                );
+                            }
+                        }
+                    }
+                // from shared to private
+                } else {
+                    for (_index, region) in guest_mem.iter().enumerate() {
+                        if (region.start_addr().raw_value() + region.size() as u64) > m.addr {
+                            let offset = m.addr - region.start_addr().raw_value();
+                            let host_startaddr = m.addr + offset;
+                            unsafe {
+                                let _ret = madvise(
+                                    host_startaddr as *mut c_void,
+                                    m.size.try_into().unwrap(),
+                                    MADV_DONTNEED,
+                                );
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    });
+
     #[cfg(target_os = "macos")]
     std::thread::Builder::new()
         .name("mapping worker".into())

src/vmm/Cargo.toml

@@ -5,8 +5,10 @@ authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
 
 [features]
+default = ["cca"]
 tee = []
 amd-sev = [ "blk", "tee", "codicon", "kbs-types", "procfs", "rdrand", "serde", "serde_json", "sev", "curl" ]
+cca = []
 net = []
 blk = []
 efi = [ "blk", "net" ]
@@ -37,12 +39,14 @@ sev = { version = "4.0.0", features = ["openssl"], optional = true }
 curl = { version = "0.4", optional = true }
 nix = "0.24.1"
 
+cca = { git = "https://github.com/virtee/cca" }
+
 [target.'cfg(target_arch = "x86_64")'.dependencies]
 cpuid = { path = "../cpuid" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.10", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }
 
 [target.'cfg(target_os = "macos")'.dependencies]
 hvf = { path = "../hvf" }