[edk2-devel] [RFC PATCH v1 00/30] Support for Arm CCA guest firmware
Jean-Philippe Brucker
jean-philippe at linaro.org
Thu May 4 15:13:01 UTC 2023
Hello,
On Tue, Apr 25, 2023 at 05:03:58PM +0100, Sami Mujawar wrote:
> We are happy to announce an early RFC version of the Arm Confidential
> Compute Architecture (CCA) support for the Kvmtool guest firmware.
> The intention is to seek early feedback in the following areas:
> * Integration of the Arm CCA in ArmVirtPkg
> * Generalise the operations wherever possible with other Confidential
> Compute solutions and Virtual Machine Managers (VMMs)
Experimental support for ArmVirtQemu is available at [1]. Most of it
simply includes Sami's libraries into ArmVirtQemu, but there are a few
things specific to QEMU, one of which I still haven't figured out.
The early debug support in PEI is problematic. A realm must access the
emulated serial port through unprotected Intermediate Physical Address
(IPA aka GPA) which is the upper half of the IPA space. The IPA address
must have the most significant bit set. Once the MMU is enabled and
ArmCcaConfigureMmio() runs, the page tables point to the right IPA so
there is no problem. Before that however, EarlyFdtPL011SerialPortLib would
need to access the device using the unprotected IPA address. So far I
haven't managed to implement this, so the early serial debug is just
disabled.
Another QEMU-specific: in direct kernel boot (-kernel on the
command-line), the FwCfg device provides kernel, initrd and other blobs to
the guest firmware. Since these are not in guest RAM before VM boot, they
are not part of the Realm Initial Measurement, which provides image
attestation. In order for the Realm owner to authenticate these images,
I added a BlobVerifier that adds the hash of these blobs to the Realm
Extended Measurement.
I haven't looked at supporting ArmVirtQemuKernel yet. The latest QEMU VMM
support for Arm CCA is at [2], and a typical invocation would be:
qemu-system-aarch64 -M confidential-guest-support=rme0 -object rme-guest,id=rme0
-M virt -enable-kvm -M gic-version=3 -cpu host,sve=off -smp 2 -m 256M
-bios QEMU_EFI.fd -kernel Image -initrd rootfs.cpio
-overcommit mem-lock=on -no-acpi -nographic -append 'earlycon console=ttyAMA0'
Thanks,
Jean
[1] https://jpbrucker.net/git/edk2/ branch cca/qemu
[2] https://jpbrucker.net/git/qemu/ branch cca/rfc-v2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#104032): https://edk2.groups.io/g/devel/message/104032
Mute This Topic: https://groups.io/mt/98496036/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list