lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240412084056.1733704-1-steven.price@arm.com>
Date: Fri, 12 Apr 2024 09:40:56 +0100
From: Steven Price <steven.price@....com>
To: kvm@...r.kernel.org,
	kvmarm@...ts.linux.dev
Cc: Steven Price <steven.price@....com>,
	Catalin Marinas <catalin.marinas@....com>,
	Marc Zyngier <maz@...nel.org>,
	Will Deacon <will@...nel.org>,
	James Morse <james.morse@....com>,
	Oliver Upton <oliver.upton@...ux.dev>,
	Suzuki K Poulose <suzuki.poulose@....com>,
	Zenghui Yu <yuzenghui@...wei.com>,
	linux-arm-kernel@...ts.infradead.org,
	linux-kernel@...r.kernel.org,
	Joey Gouly <joey.gouly@....com>,
	Alexandru Elisei <alexandru.elisei@....com>,
	Christoffer Dall <christoffer.dall@....com>,
	Fuad Tabba <tabba@...gle.com>,
	linux-coco@...ts.linux.dev,
	Ganapatrao Kulkarni <gankulkarni@...amperecomputing.com>
Subject: [v2] Support for Arm CCA VMs on Linux

We are happy to announce the second version of the Arm Confidential
Compute Architecture (CCA) support for the Linux stack. The intention is
to seek early feedback in the following areas:
 * KVM integration of the Arm CCA;
 * KVM UABI for managing the Realms, seeking to generalise the
   operations where possible with other Confidential Compute solutions;
 * Linux Guest support for Realms.

See the previous RFC[1] for a more detailed overview of Arm's CCA
solution, or visible the Arm CCA Landing page[2].

This series is based on the final RMM v1.0 (EAC5) specification[3].

Quick-start guide
=================

The easiest way of getting started with the stack is by using
Shrinkwrap[4]. Currently Shrinkwrap has a configuration for the initial
v1.0-EAC5 release[5], so the following overlay needs to be applied to
the standard 'cca-3world.yaml' file. Note that the 'rmm' component needs
updating to 'main' because there are fixes that are needed and are not
yet in a tagged release. The following will create an overlay file and
build a working environment:

cat<<EOT >cca-v2.yaml
build:
  linux:
    repo:
      revision: cca-full/v2
  kvmtool:
    repo:
      kvmtool:
        revision: cca/v2
  rmm:
    repo:
      revision: main
  kvm-unit-tests:
    repo:
      revision: cca/v2
EOT

shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml

You will then want to modify the 'guest-disk.img' to include the files
necessary for the realm guest (see the documentation in cca-3world.yaml
for details of other options):

  cd ~/.shrinkwrap/package/cca-3world
  /sbin/e2fsck -fp rootfs.ext2 
  /sbin/resize2fs rootfs.ext2 256M
  mkdir mnt
  sudo mount rootfs.ext2 mnt/
  sudo mkdir mnt/cca
  sudo cp guest-disk.img KVMTOOL_EFI.fd lkvm Image mnt/cca/
  sudo umount mnt 
  rmdir mnt/

Finally you can run the FVP with the host:

  shrinkwrap run cca-3world.yaml --rtvar ROOTFS=$HOME/.shrinkwrap/package/cca-3world/rootfs.ext2

And once the host kernel has booted, login (user name 'root') and start
a realm guest:

  cd /cca
  ./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon

Be patient and you should end up in a realm guest with the host's
filesystem mounted via p9.

It's also possible to use EFI within the realm guest, again see
cca-3world.yaml within Shrinkwrap for more details.

An branch of kvm-unit-tests including realm-specific tests is provided
here:
  https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca/-/tree/cca/v2

[1] Previous RFC
    https://lore.kernel.org/r/20230127112248.136810-1-suzuki.poulose%40arm.com
[2] Arm CCA Landing page (See Key Resources section for various documentation)
    https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
[3] RMM v1.0-EAC5 specification
    https://developer.arm.com/documentation/den0137/1-0eac5/
[4] Shrinkwrap
    https://git.gitlab.arm.com/tooling/shrinkwrap
[5] Linux support for Arm CCA RMM v1.0-EAC5
    https://lore.kernel.org/r/fb259449-026e-4083-a02b-f8a4ebea1f87%40arm.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ