From: "Jean-Philippe Brucker" <jean-philippe@linaro.org>
To: Sami Mujawar <sami.mujawar@arm.com>
Cc: devel@edk2.groups.io, ardb+tianocore@kernel.org,
	quic_llindhol@quicinc.com, kraxel@redhat.com, julien@xen.org,
	michael.d.kinney@intel.com, gaoliming@byosoft.com.cn,
	zhiguang.liu@intel.com, Pierre.Gondois@arm.com,
	Suzuki.Poulose@arm.com, Ryan.Roberts@arm.com,
	Matteo.Carlini@arm.com, Akanksha.Jain2@arm.com,
	Ben.Adderson@arm.com, nd@arm.com
Subject: Re: [RFC PATCH v1 00/30] Support for Arm CCA guest firmware
Date: Thu, 4 May 2023 16:13:01 +0100	[thread overview]
Message-ID: <20230504151301.GA2861881@myrica> (raw)
In-Reply-To: <20230425160428.27980-1-sami.mujawar@arm.com>

Hello,

On Tue, Apr 25, 2023 at 05:03:58PM +0100, Sami Mujawar wrote:
> We are happy to announce an early RFC version of the Arm Confidential
> Compute Architecture (CCA) support for the Kvmtool guest firmware.
> The intention is to seek early feedback in the following areas:
>  * Integration of the Arm CCA in ArmVirtPkg
>  * Generalise the operations wherever possible with other Confidential
>    Compute solutions and Virtual Machine Managers (VMMs)

Experimental support for ArmVirtQemu is available at [1]. Most of it
simply includes Sami's libraries into ArmVirtQemu, but there are a few
things specific to QEMU, one of which I still haven't figured out.

The early debug support in PEI is problematic. A realm must access the
emulated serial port through unprotected Intermediate Physical Address
(IPA aka GPA) which is the upper half of the IPA space. The IPA address
must have the most significant bit set. Once the MMU is enabled and
ArmCcaConfigureMmio() runs, the page tables point to the right IPA so
there is no problem. Before that however, EarlyFdtPL011SerialPortLib would
need to access the device using the unprotected IPA address. So far I
haven't managed to implement this, so the early serial debug is just
disabled.

Another QEMU-specific point: in direct kernel boot (-kernel on the
command-line), the FwCfg device provides kernel, initrd and other blobs to
the guest firmware. Since these are not in guest RAM before VM boot, they
are not part of the Realm Initial Measurement, which provides image
attestation. In order for the Realm owner to authenticate these images,
I added a BlobVerifier that adds the hash of these blobs to the Realm
Extended Measurement.

I haven't looked at supporting ArmVirtQemuKernel yet. The latest QEMU VMM
support for Arm CCA is at [2], and a typical invocation would be:

qemu-system-aarch64 -M confidential-guest-support=rme0 -object rme-guest,id=rme0
  -M virt -enable-kvm -M gic-version=3 -cpu host,sve=off -smp 2 -m 256M
  -bios QEMU_EFI.fd -kernel Image -initrd rootfs.cpio
  -overcommit mem-lock=on -no-acpi -nographic -append 'earlycon console=ttyAMA0'

Thanks,
Jean

[1] https://jpbrucker.net/git/edk2/ branch cca/qemu
[2] https://jpbrucker.net/git/qemu/ branch cca/rfc-v2
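The message above describes two address halves in a realm's IPA space: the protected lower half and the unprotected upper half, selected by the most significant IPA bit, which is why the emulated serial port has to be reached through the unprotected alias before ArmCcaConfigureMmio() has set up the page tables. The following Python model is an added example, not code from the thread or from edk2; it assumes the IPA width is known (the patch series carries it in a GUID HOB) and uses a constructed serial port base of 0x09000000 for illustration.

```python
# Added example: model of the protected/unprotected IPA split in a realm.
# Assumption (from the message): the unprotected alias of an IPA is the same
# offset with bit (ipa_width - 1) set, i.e. it lives in the upper half.

def ipa_space_size(ipa_width: int) -> int:
    """Total size of the realm's IPA space for a given width in bits."""
    if not 1 <= ipa_width <= 52:
        raise ValueError("unsupported IPA width: %d" % ipa_width)
    return 1 << ipa_width


def is_protected_ipa(ipa: int, ipa_width: int) -> bool:
    """True if the IPA lies in the protected (lower) half of the IPA space."""
    if not 0 <= ipa < ipa_space_size(ipa_width):
        raise ValueError("IPA 0x%x outside a %d-bit IPA space" % (ipa, ipa_width))
    return (ipa >> (ipa_width - 1)) & 1 == 0


def unprotected_ipa(ipa: int, ipa_width: int) -> int:
    """Return the unprotected alias of a protected IPA (MSB set)."""
    if not is_protected_ipa(ipa, ipa_width):
        return ipa  # already the unprotected alias
    return ipa | (1 << (ipa_width - 1))


def protected_ipa(ipa: int, ipa_width: int) -> int:
    """Return the protected view of an IPA (MSB cleared)."""
    if not 0 <= ipa < ipa_space_size(ipa_width):
        raise ValueError("IPA 0x%x outside a %d-bit IPA space" % (ipa, ipa_width))
    return ipa & ~(1 << (ipa_width - 1))


def early_mmio_address(device_ipa: int, ipa_width: int, mmu_enabled: bool) -> int:
    """Address the firmware should use to touch an emulated device.

    Once the MMU is on and the MMIO page tables point at the unprotected
    alias, the code can keep using the IPA it read from the FDT.  Before
    that (the early PEI serial debug case in the message) it must use the
    unprotected alias directly.
    """
    if mmu_enabled:
        return device_ipa
    return unprotected_ipa(device_ipa, ipa_width)


if __name__ == "__main__":
    # Constructed values: a PL011 at 0x09000000 in a 40-bit IPA space.
    base, width = 0x09000000, 40
    print("early access address: 0x%x" % early_mmio_address(base, width, False))
    print("post-MMU access address: 0x%x" % early_mmio_address(base, width, True))
```

The width check mirrors the reason the series carries the IPA width in a HOB: without it, the firmware cannot know which bit marks the unprotected half.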
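The BlobVerifier described in the message addresses a gap in attestation: blobs that the FwCfg device hands over after the realm is created are not covered by the Realm Initial Measurement, so their hashes are folded into a Realm Extended Measurement instead. The Python below is an added example, not the thread's or edk2's code. It models a measurement register with TPM-style extend semantics, REM' = H(REM || H(blob)), which is an assumption about the register's behaviour, and shows how a realm owner would recompute the expected value from the images it intended to boot. The kernel, initrd and command line bytes are constructed placeholders.

```python
# Added example: extending a measurement register with fw_cfg blob hashes
# and verifying it from the realm owner's side.
import hashlib
from typing import Dict, List, Sequence, Tuple

HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size

# Constructed stand-ins for what -kernel/-initrd/-append deliver via fw_cfg.
KERNEL = b"constructed kernel Image bytes"
INITRD = b"constructed rootfs.cpio bytes"
CMDLINE = b"earlycon console=ttyAMA0\0"


def blob_hash(blob: bytes) -> bytes:
    """Hash of one blob; this is the value the firmware would extend with."""
    return HASH(blob).digest()


def extend(rem: bytes, value: bytes) -> bytes:
    """Assumed extend semantics: REM' = H(REM || value)."""
    if len(rem) != DIGEST_LEN:
        raise ValueError("register size must match the hash size")
    return HASH(rem + value).digest()


def measure_boot_blobs(blobs: Sequence[Tuple[str, bytes]]) -> Tuple[bytes, List[Dict[str, str]]]:
    """Guest-side model: extend one REM with each blob in delivery order.

    Returns the final register value and an event log (name + hash) that
    a verifier can use to reconstruct the register.
    """
    rem = bytes(DIGEST_LEN)  # register starts at all zeros
    log: List[Dict[str, str]] = []
    for name, blob in blobs:
        digest = blob_hash(blob)
        rem = extend(rem, digest)
        log.append({"name": name, "hash": digest.hex()})
    return rem, log


def expected_rem(expected_hashes: Sequence[bytes]) -> bytes:
    """Owner-side model: recompute the register from the images it approved."""
    rem = bytes(DIGEST_LEN)
    for digest in expected_hashes:
        rem = extend(rem, digest)
    return rem


def owner_verify(reported_rem: bytes, approved_blobs: Sequence[bytes]) -> bool:
    """Accept the realm only if the reported REM matches the approved images
    hashed in the same order.  Any substituted or reordered blob fails."""
    return reported_rem == expected_rem([blob_hash(b) for b in approved_blobs])


if __name__ == "__main__":
    rem, log = measure_boot_blobs([("kernel", KERNEL), ("initrd", INITRD), ("cmdline", CMDLINE)])
    print("REM:", rem.hex())
    for entry in log:
        print("  %-8s %s" % (entry["name"], entry["hash"]))
    print("owner accepts:", owner_verify(rem, [KERNEL, INITRD, CMDLINE]))
    print("tampered initrd accepted:", owner_verify(rem, [KERNEL, INITRD + b"x", CMDLINE]))
```

The event log is what makes the single register value useful: it lets the owner see which blob diverged rather than only that the final digest did not match.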

Thread overview: 41+ messages
2023-04-25 16:03 [RFC PATCH v1 00/30] Support for Arm CCA guest firmware Sami Mujawar
2023-04-25 16:03 ` [RFC PATCH v1 01/30] ArmVirtPkg: kvmtool: Add Emulated Runtime variable support Sami Mujawar
2023-05-10 11:32   ` [edk2-devel] " Ard Biesheuvel
2023-05-15 10:36     ` Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 02/30] ArmPkg: Add helper function to detect RME Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 03/30] ArmPkg: Export SetMemoryRegionAttribute in ArmMmuLib Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 04/30] ArmPkg: Extend number of parameter registers in SMC call Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 05/30] ArmPkg & ArmVirtPkg: Make PcdMonitorConduitHvc a dynamic PCD Sami Mujawar
2023-05-10 11:38   ` Ard Biesheuvel
2023-05-15 10:37     ` Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 06/30] ArmVirtPkg: Add Arm CCA Realm Service Interface Library Sami Mujawar
2023-05-04 12:59   ` [edk2-devel] " Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 07/30] ArmVirtPkg: ArmCcaRsiLib: Add interfaces to manage the Realm IPA state Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 08/30] ArmVirtPkg: ArmCcaRsiLib: Add an interface to get an attestation token Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 09/30] ArmVirtPkg: ArmCcaRsiLib: Add interfaces to get/extend REMs Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 10/30] ArmVirtPkg: ArmCcaRsiLib: Add an interface to make a RSI Host Call Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 11/30] ArmVirtPkg: Define a GUID HOB for IPA width of a Realm Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 12/30] ArmVirtPkg: Add library for Arm CCA initialisation in PEI Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 13/30] ArmVirtPkg: Add NULL instance of ArmCcaInitPeiLib Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 14/30] ArmVirtPkg: Add library for Arm CCA helper functions Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 15/30] ArmVirtPkg: Add Null instance of ArmCcaLib Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 16/30] ArmVirtPkg: Define an interface to configure MMIO regions for Arm CCA Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 17/30] ArmVirtPkg: CloudHv: Add a NULL implementation of ArmCcaConfigureMmio Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 18/30] ArmVirtPkg: Qemu: " Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 19/30] ArmVirtPkg: Xen: " Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 20/30] ArmVirtPkg: Configure the MMIO regions for Arm CCA Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 21/30] ArmVirtPkg: Kvmtool: Use Null version of DebugLib in PrePi Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 22/30] ArmVirtPkg: Add Arm CCA libraries for Kvmtool guest firmware Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 23/30] ArmVirtPkg: Arm CCA configure system memory in early Pei Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 24/30] ArmVirtPkg: Perform Arm CCA initialisation in the Pei phase Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 25/30] ArmVirtPkg: Add ArmCcaDxe for early DXE phase initialisation Sami Mujawar
2023-05-10 12:08   ` Ard Biesheuvel
2023-05-15 10:39     ` Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 26/30] ArmVirtPkg: Introduce Realm Aperture Management Protocol Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 27/30] ArmVirtPkg: IoMMU driver to DMA from Realms Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 28/30] ArmVirtPkg: Enable Virtio communication for Arm CCA Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 29/30] MdePkg: Warn if AArch64 RNDR instruction is not supported Sami Mujawar
2023-04-25 16:04 ` [RFC PATCH v1 30/30] ArmVirtPkg: Kvmtool: Switch to use BaseRng for AArch64 Sami Mujawar
2023-05-04 15:13 ` Jean-Philippe Brucker [this message]
2023-05-04 15:36   ` [RFC PATCH v1 00/30] Support for Arm CCA guest firmware Ard Biesheuvel
2023-05-05  9:51     ` Jean-Philippe Brucker
