Add support for arm cca #211
Conversation
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
702d17f to
86f75cd
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
b47ef94 to
9e6e5bb
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
9e6e5bb to
68dff0c
Compare
MatiasVara
changed the title
MatiasVara
force-pushed
the
use-guest-memfd
branch
2 times, most recently
from
d5952be to
d4362d6
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
3 times, most recently
from
cae99a3 to
4a0e61b
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
3 times, most recently
from
5089b4f to
e7e2a90
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
3 times, most recently
from
dae13da to
6cebf95
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
6cebf95 to
94688b2
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
94688b2 to
2077cfc
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
2 times, most recently
from
18e9a7d to
edb2f4a
Compare
MatiasVara
requested review from
mtjhrc,
slp and
tylerfanelli
as code owners
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
edb2f4a to
5ba47b6
Compare
|
@MatiasVara is this ready for review, or should I wait? |
|
@jakecorrenti I'm addressing the KVM guest_memfd changes (which @MatiasVara also added in this PR) to my latest SEV-SNP patches. This will probably require a rebase after that. Once that happens, it will likely be ready for a review. |
I think the PR is ready to review. The current issue is that it does not work for the latest series for KVM (v6). I am investigating the issue. |
MatiasVara
force-pushed
the
use-guest-memfd
branch
2 times, most recently
from
ba8a4b1 to
0cf214d
Compare
|
I just updated the PR with the fix for v6 series. The fix is only to set the |
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
0cf214d to
866514c
Compare
|
@jakecorrenti @tylerfanelli @slp Feel free to give a quick look. I am pretty sure there many things to fix. |
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
866514c to
3d4903a
Compare
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
3d4903a to
7b1f763
Compare
Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>
Enable to build confidential guests using ARM CCA (Confidential Computing Architecture). This work relies on v7 series for Linux and v5 series for KVM. This has been tested only on the corresponding FVP model simulator. For testing, you require specific kvm-ioctls and kvm-bindings crates. Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>
MatiasVara
force-pushed
the
use-guest-memfd
branch
from
7b1f763 to
8b97dc4
Compare
| default = ["cca"] | ||
| cca = [] |
There was a problem hiding this comment.
We shouldn't make cca the default here. IMO, it should follow suit with the others
| default = ["cca"] | |
| cca = [] | |
| cca = ["tee"] |
There was a problem hiding this comment.
If I understand correctly, when I compile with cca flag:
cargo build --release --features ccaThe tee feature would be enabled. However, most of the code for tee is not required and I ended up doing this everywhere:
- #[cfg(feature = "tee")]
+ #[cfg(all(feature = "tee", not(feature = "cca")))]
let qboot_bundle = vm_resources
.qboot_bundle()
.ok_or(StartMicrovmError::MissingKernelConfig)?;Can't cca be just a different feature?
| kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" } | ||
| kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" } |
There was a problem hiding this comment.
Can you make a PR once these branches are ready? I'd like to have the deps be on the main branch
There was a problem hiding this comment.
Do you mean to use the main branch rather than the cca?
There was a problem hiding this comment.
Exactly. I'm going to have to make some changes for my TDX work, so I think we'll need to merge your CCA work and my TDX work into the main branch and then use that here.
There was a problem hiding this comment.
@tylerfanelli Do you think we can merge the cca branches into main for kvm-ioctl/bindings repos? Or, shall we have one branch per flavor? Bear in mind that those repo are temporal until changes are upstreamed.
| kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" } | ||
| kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" } |
| default = ["cca"] | ||
| tee = [] | ||
| cca = [] |
There was a problem hiding this comment.
| default = ["cca"] | |
| tee = [] | |
| cca = [] | |
| cca = ["tee"] |
There was a problem hiding this comment.
Should I not leave tee =[] here?
There was a problem hiding this comment.
You should. I think that was a suggestion error. I was trying to suggest just getting rid of default = ...
| crossbeam-channel = "0.5" | ||
| env_logger = "0.9.0" | ||
| libc = ">=0.2.39" | ||
| log = "0.4.0" | ||
| once_cell = "1.4.1" | ||
|
|
||
| kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" } |
| //vmm.kernel_cmdline.insert_str("tsi_hijack")?; | ||
| #[cfg(feature = "net")] |
There was a problem hiding this comment.
Should this be CCA only? There's another one a few lines below as well
There was a problem hiding this comment.
I can't remember why I commented this line.
| // TODO: to remove this | ||
| Unsupported(39) => Ok(VcpuEmulation::Handled), |
| id: u8, | ||
| vm_fd: &VmFd, | ||
| exit_evt: EventFd, | ||
| sender_io: Sender<MemProperties>, |
There was a problem hiding this comment.
The memory fault exception isn't TEE-specific (although it could be used that way), so I don't think I agree that this should be CCA only.
There was a problem hiding this comment.
You're right. I did this part of the review before you and I had talked about the order of patches.
| @@ -1103,17 +1231,19 @@ fn create_vcpus_aarch64( | |||
| guest_mem: &GuestMemoryMmap, | |||
| entry_addr: GuestAddress, | |||
| exit_evt: &EventFd, | |||
| sender_io: Sender<MemProperties>, | |||
This PR aims at adding support to build realm guests. First commit adds support for
create_guest_memfd()andset_user_memory_region2(). To do this, thememory_init()is modified by adding a boolean parameter. This is required when building a confidential guest for arm cca and probably also required by other cases.The second commit imports the
virtee/ccacrate and adds the steps to build a cca guest. The following items should be completed before merge the PR:This has been testing using the v7 series for Linux as a guest and v6 series for KVM on FVP model.
Feedback is welcome.