[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240412084056.1733704-1-steven.price@arm.com>
Date: Fri, 12 Apr 2024 09:40:56 +0100
From: Steven Price <steven.price@....com>
To: kvm@...r.kernel.org,
kvmarm@...ts.linux.dev
Cc: Steven Price <steven.price@....com>,
Catalin Marinas <catalin.marinas@....com>,
Marc Zyngier <maz@...nel.org>,
Will Deacon <will@...nel.org>,
James Morse <james.morse@....com>,
Oliver Upton <oliver.upton@...ux.dev>,
Suzuki K Poulose <suzuki.poulose@....com>,
Zenghui Yu <yuzenghui@...wei.com>,
linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org,
Joey Gouly <joey.gouly@....com>,
Alexandru Elisei <alexandru.elisei@....com>,
Christoffer Dall <christoffer.dall@....com>,
Fuad Tabba <tabba@...gle.com>,
linux-coco@...ts.linux.dev,
Ganapatrao Kulkarni <gankulkarni@...amperecomputing.com>
Subject: [v2] Support for Arm CCA VMs on Linux
We are happy to announce the second version of the Arm Confidential
Compute Architecture (CCA) support for the Linux stack. The intention is
to seek early feedback in the following areas:
* KVM integration of the Arm CCA;
* KVM UABI for managing the Realms, seeking to generalise the
operations where possible with other Confidential Compute solutions;
* Linux Guest support for Realms.
See the previous RFC[1] for a more detailed overview of Arm's CCA
solution, or visible the Arm CCA Landing page[2].
This series is based on the final RMM v1.0 (EAC5) specification[3].
Quick-start guide
=================
The easiest way of getting started with the stack is by using
Shrinkwrap[4]. Currently Shrinkwrap has a configuration for the initial
v1.0-EAC5 release[5], so the following overlay needs to be applied to
the standard 'cca-3world.yaml' file. Note that the 'rmm' component needs
updating to 'main' because there are fixes that are needed and are not
yet in a tagged release. The following will create an overlay file and
build a working environment:
cat<<EOT >cca-v2.yaml
build:
linux:
repo:
revision: cca-full/v2
kvmtool:
repo:
kvmtool:
revision: cca/v2
rmm:
repo:
revision: main
kvm-unit-tests:
repo:
revision: cca/v2
EOT
shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml
You will then want to modify the 'guest-disk.img' to include the files
necessary for the realm guest (see the documentation in cca-3world.yaml
for details of other options):
cd ~/.shrinkwrap/package/cca-3world
/sbin/e2fsck -fp rootfs.ext2
/sbin/resize2fs rootfs.ext2 256M
mkdir mnt
sudo mount rootfs.ext2 mnt/
sudo mkdir mnt/cca
sudo cp guest-disk.img KVMTOOL_EFI.fd lkvm Image mnt/cca/
sudo umount mnt
rmdir mnt/
Finally you can run the FVP with the host:
shrinkwrap run cca-3world.yaml --rtvar ROOTFS=$HOME/.shrinkwrap/package/cca-3world/rootfs.ext2
And once the host kernel has booted, login (user name 'root') and start
a realm guest:
cd /cca
./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon
Be patient and you should end up in a realm guest with the host's
filesystem mounted via p9.
It's also possible to use EFI within the realm guest, again see
cca-3world.yaml within Shrinkwrap for more details.
An branch of kvm-unit-tests including realm-specific tests is provided
here:
https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca/-/tree/cca/v2
[1] Previous RFC
https://lore.kernel.org/r/20230127112248.136810-1-suzuki.poulose%40arm.com
[2] Arm CCA Landing page (See Key Resources section for various documentation)
https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
[3] RMM v1.0-EAC5 specification
https://developer.arm.com/documentation/den0137/1-0eac5/
[4] Shrinkwrap
https://git.gitlab.arm.com/tooling/shrinkwrap
[5] Linux support for Arm CCA RMM v1.0-EAC5
https://lore.kernel.org/r/fb259449-026e-4083-a02b-f8a4ebea1f87%40arm.com
Powered by blists - more mailing lists