Received: by 2002:ab2:7041:0:b0:1f4:bcc8:f211 with SMTP id x1csp12362lql; Fri, 12 Apr 2024 01:53:52 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWtkdv1RvVRP5B8lwJEUqm707U3uqqTCTkKDXwH/BTxOCpnyEey9j8Ck9NmMYOvkU0K2Bw0Un7D0dkobK6h6RLn4CYKPeX/nkuvPwAk0Q== X-Google-Smtp-Source: AGHT+IFM8OY3UQMh/9U34G7Pm/DpKPdUwOueh9Y4r+RB2aFmJ82SMtJhIR5dmsdoa/Q5nvh5t2fe X-Received: by 2002:a05:6870:5386:b0:22e:ace7:81b9 with SMTP id h6-20020a056870538600b0022eace781b9mr2068410oan.2.1712912031899; Fri, 12 Apr 2024 01:53:51 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712912031; cv=pass; d=google.com; s=arc-20160816; b=iLQQW5Df1jmDg1+Dsq7ExztdYOSQgNTgfX/03afneHJ+iK29XFLZroOTI8ghrkaI/h nESpt3CXz/fUpzfrJ096DjJK1vD2kkEmCLKBKZT5+X9a5+7b66g0CNCN+Zy5TbCXlsVz s4MM+voWr07fg5zMOa5JnNegzIBP8mSPVN52eu8GkOuEOitF9ra00DLtwcs7QLi3bXsq 8iriQ40Q4KenWwAx2O3C1SmJDrvyCGZo45UTa01IwpFjOsXtq/WtGdg7jd3zJ12w4njR hPuFycieIRIm4Mq8fhclGZwsys+44sGSLOK4pkqOLsC6qCUmUdWFRaPpVTj1/MlHdIuM peGg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=FhMb4laqEOqmBW3YOiagjKzqieBG7CU3msEbcLmu8SI=; fh=NDCPdPn2hiqHaiIRDYQAzsW9PK20CTia4nECGof6enU=; b=dqgCGaBRzzkwTNkdnIMixizZsAzB+F7Y0ytZf7ybQpTNx2MpKCeZTspl3/PLcR7Q0M h/NJOwC3UaMZkIAaH435fAB6ufa4c5n2Hhc/lXxGIrs/2jH/tGXmGRK7/Pqx2sRMkN8D rF72E0tllSXiQVn6nxWRj7jG6ciSBkUJPgE6y/HyZFrhXNDyjGuS6Y4jq3EV4GRSVPTF DOl4w7lDPLrJIkjOtSMtrjsjF/cbpH5nNezAWvCNUIKtupvlGU7rkxo3ZMHFTT2viyia V2ofRnQAVe4IhsifLLN4xdm0Zk9WAg27yR5Tiz++RoaA2pTVZOPtAJXf715LfOU4lNs1 KRAg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-142250-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142250-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id p8-20020a056a000b4800b006ed59d3df46si3042337pfo.120.2024.04.12.01.53.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Apr 2024 01:53:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-142250-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-142250-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142250-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 523E8B231BD for ; Fri, 12 Apr 2024 08:41:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 27C2641C79; Fri, 12 Apr 2024 08:41:21 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4CBBF38FA3; Fri, 12 Apr 2024 08:41:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712911280; cv=none; b=fp6k4XQ+0uMchqzaz0ENFqHWHOXncarEezEtODWA74sQBOMLzVJykKJm+EMBQsU9Vb+DdDsED+nhp/xyzdlGzteU3kBqaGyZMxLgpKknNoefXHnXTVu/Xq/1pXyfx//lW4bniDldpT5FwGJoIv8j3J/iMfXWJV7sk5WUVSqg36M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712911280; c=relaxed/simple; bh=43sKYtsFLRVOrVPBcqhE8/RN5WZfWsuNH3OGHSxjLcU=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=YGQOaBEmfiMlZo8NT+H2LivO4RJW+XdC7xnSRTGr1D3LlLGb9JCn9t0I6oXMi9KgaHnsVr2zbZg7IBFzGg3eOEQJ0fKTyR5XfRdLqilc81Ao6f9xTYoktdpqacHNeXbhKRZysmesrws59491qgG13Kq5v8la4diMoc5rw/jgYFw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D7890339; Fri, 12 Apr 2024 01:41:47 -0700 (PDT) Received: from e112269-lin.cambridge.arm.com (e112269-lin.cambridge.arm.com [10.1.194.51]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 7EDFC3F6C4; Fri, 12 Apr 2024 01:41:16 -0700 (PDT) From: Steven Price To: kvm@vger.kernel.org, kvmarm@lists.linux.dev Cc: Steven Price , Catalin Marinas , Marc Zyngier , Will Deacon , James Morse , Oliver Upton , Suzuki K Poulose , Zenghui Yu , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Joey Gouly , Alexandru Elisei , Christoffer Dall , Fuad Tabba , linux-coco@lists.linux.dev, Ganapatrao Kulkarni Subject: [v2] Support for Arm CCA VMs on Linux Date: Fri, 12 Apr 2024 09:40:56 +0100 Message-Id: <20240412084056.1733704-1-steven.price@arm.com> X-Mailer: git-send-email 2.39.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit We are happy to announce the second version of the Arm Confidential Compute Architecture (CCA) support for the Linux stack. The intention is to seek early feedback in the following areas: * KVM integration of the Arm CCA; * KVM UABI for managing the Realms, seeking to generalise the operations where possible with other Confidential Compute solutions; * Linux Guest support for Realms. See the previous RFC[1] for a more detailed overview of Arm's CCA solution, or visible the Arm CCA Landing page[2]. This series is based on the final RMM v1.0 (EAC5) specification[3]. Quick-start guide ================= The easiest way of getting started with the stack is by using Shrinkwrap[4]. Currently Shrinkwrap has a configuration for the initial v1.0-EAC5 release[5], so the following overlay needs to be applied to the standard 'cca-3world.yaml' file. Note that the 'rmm' component needs updating to 'main' because there are fixes that are needed and are not yet in a tagged release. The following will create an overlay file and build a working environment: cat<cca-v2.yaml build: linux: repo: revision: cca-full/v2 kvmtool: repo: kvmtool: revision: cca/v2 rmm: repo: revision: main kvm-unit-tests: repo: revision: cca/v2 EOT shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml You will then want to modify the 'guest-disk.img' to include the files necessary for the realm guest (see the documentation in cca-3world.yaml for details of other options): cd ~/.shrinkwrap/package/cca-3world /sbin/e2fsck -fp rootfs.ext2 /sbin/resize2fs rootfs.ext2 256M mkdir mnt sudo mount rootfs.ext2 mnt/ sudo mkdir mnt/cca sudo cp guest-disk.img KVMTOOL_EFI.fd lkvm Image mnt/cca/ sudo umount mnt rmdir mnt/ Finally you can run the FVP with the host: shrinkwrap run cca-3world.yaml --rtvar ROOTFS=$HOME/.shrinkwrap/package/cca-3world/rootfs.ext2 And once the host kernel has booted, login (user name 'root') and start a realm guest: cd /cca ./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon Be patient and you should end up in a realm guest with the host's filesystem mounted via p9. It's also possible to use EFI within the realm guest, again see cca-3world.yaml within Shrinkwrap for more details. An branch of kvm-unit-tests including realm-specific tests is provided here: https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca/-/tree/cca/v2 [1] Previous RFC https://lore.kernel.org/r/20230127112248.136810-1-suzuki.poulose%40arm.com [2] Arm CCA Landing page (See Key Resources section for various documentation) https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture [3] RMM v1.0-EAC5 specification https://developer.arm.com/documentation/den0137/1-0eac5/ [4] Shrinkwrap https://git.gitlab.arm.com/tooling/shrinkwrap [5] Linux support for Arm CCA RMM v1.0-EAC5 https://lore.kernel.org/r/fb259449-026e-4083-a02b-f8a4ebea1f87%40arm.com