Nitro Enclaves support a special "debug" mode. When in debug mode, the Nitro Hypervisor provides a vsock port that the parent can connect to to receive serial console output of the Enclave. Add a new nitro-serial-vsock driver that implements short-circuit logic to establish the vsock connection to that port and feed its data into a chardev, so that a machine model can use it as serial device.
Signed-off-by: Alexander Graf <[email protected]> --- MAINTAINERS | 6 ++ hw/Kconfig | 1 + hw/meson.build | 1 + hw/nitro/Kconfig | 3 + hw/nitro/meson.build | 1 + hw/nitro/serial-vsock.c | 154 ++++++++++++++++++++++++++++++++ hw/nitro/trace-events | 4 + hw/nitro/trace.h | 4 + include/hw/nitro/serial-vsock.h | 26 ++++++ meson.build | 1 + 10 files changed, 201 insertions(+) create mode 100644 hw/nitro/Kconfig create mode 100644 hw/nitro/meson.build create mode 100644 hw/nitro/serial-vsock.c create mode 100644 hw/nitro/trace-events create mode 100644 hw/nitro/trace.h create mode 100644 include/hw/nitro/serial-vsock.h diff --git a/MAINTAINERS b/MAINTAINERS index 3d002143ae..53ce075e9a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3022,6 +3022,12 @@ F: hw/vmapple/* F: include/hw/vmapple/* F: docs/system/arm/vmapple.rst +Nitro Enclaves (native) +M: Alexander Graf <[email protected]> +S: Maintained +F: hw/nitro/ +F: include/hw/nitro/ + Subsystems ---------- Overall Audio backends diff --git a/hw/Kconfig b/hw/Kconfig index f8f92b5d03..b3ce1520a6 100644 --- a/hw/Kconfig +++ b/hw/Kconfig @@ -22,6 +22,7 @@ source isa/Kconfig source mem/Kconfig source misc/Kconfig source net/Kconfig +source nitro/Kconfig source nubus/Kconfig source nvme/Kconfig source nvram/Kconfig diff --git a/hw/meson.build b/hw/meson.build index 66e46b8090..36da5322f7 100644 --- a/hw/meson.build +++ b/hw/meson.build @@ -44,6 +44,7 @@ subdir('isa') subdir('mem') subdir('misc') subdir('net') +subdir('nitro') subdir('nubus') subdir('nvme') subdir('nvram') diff --git a/hw/nitro/Kconfig b/hw/nitro/Kconfig new file mode 100644 index 0000000000..86c817c766 --- /dev/null +++ b/hw/nitro/Kconfig @@ -0,0 +1,3 @@ +config NITRO_SERIAL_VSOCK + bool + depends on NITRO diff --git a/hw/nitro/meson.build b/hw/nitro/meson.build new file mode 100644 index 0000000000..d95ed8dd79 --- /dev/null +++ b/hw/nitro/meson.build @@ -0,0 +1 @@ +system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vsock.c')) diff --git a/hw/nitro/serial-vsock.c b/hw/nitro/serial-vsock.c new file mode 100644 index 0000000000..12d6804a33 --- /dev/null +++ b/hw/nitro/serial-vsock.c @@ -0,0 +1,154 @@ +/* + * Nitro Enclave Vsock Serial + * + * Copyright © 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Authors: + * Alexander Graf <[email protected]> + * + * With Nitro Enclaves in debug mode, the Nitro Hypervisor provides a vsock + * port that the parent can connect to to receive serial console output of + * the Enclave. This driver implements short-circuit logic to establish the + * vsock connection to that port and feed its data into a chardev, so that + * a machine model can use it as serial device. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "qapi/error.h" +#include "qapi/visitor.h" +#include "chardev/char.h" +#include "chardev/char-fe.h" +#include "hw/core/qdev-properties.h" +#include "hw/core/qdev-properties-system.h" +#include "hw/core/sysbus.h" +#include "hw/nitro/serial-vsock.h" +#include "trace.h" + +#define CONSOLE_PORT_START 10000 +#define VMADDR_CID_HYPERVISOR_STR "0" + +static int nitro_serial_vsock_can_read(void *opaque) +{ + NitroSerialVsockState *s = opaque; + + /* Refuse vsock input until the output backend is ready */ + return qemu_chr_fe_backend_open(&s->output) ? 4096 : 0; +} + +static void nitro_serial_vsock_read(void *opaque, const uint8_t *buf, int size) +{ + NitroSerialVsockState *s = opaque; + + /* Forward all vsock data to the output chardev */ + qemu_chr_fe_write_all(&s->output, buf, size); +} + +static void nitro_serial_vsock_event(void *opaque, QEMUChrEvent event) +{ + /* No need to action on connect/disconnect events, but trace for debug */ + trace_nitro_serial_vsock_event(event); +} + +static void nitro_serial_vsock_set_cid(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj); + uint32_t cid, port; + g_autofree char *chardev_id = NULL; + Chardev *chr; + ChardevBackend *backend; + ChardevSocket *sock; + + if (!visit_type_uint32(v, name, &cid, errp)) { + return; + } + + s->cid = cid; + port = cid + CONSOLE_PORT_START; + + /* + * We know the Enclave CID to connect to now. Create a vsock + * client chardev that connects to the Enclave's console. + */ + chardev_id = g_strdup_printf("nitro-console-%u", cid); + + backend = g_new0(ChardevBackend, 1); + backend->type = CHARDEV_BACKEND_KIND_SOCKET; + sock = backend->u.socket.data = g_new0(ChardevSocket, 1); + sock->addr = g_new0(SocketAddressLegacy, 1); + sock->addr->type = SOCKET_ADDRESS_TYPE_VSOCK; + sock->addr->u.vsock.data = g_new0(VsockSocketAddress, 1); + sock->addr->u.vsock.data->cid = g_strdup(VMADDR_CID_HYPERVISOR_STR); + sock->addr->u.vsock.data->port = g_strdup_printf("%u", port); + sock->server = false; + sock->has_server = true; + + chr = qemu_chardev_new(chardev_id, TYPE_CHARDEV_SOCKET, + backend, NULL, errp); + if (!chr) { + return; + } + + if (!qemu_chr_fe_init(&s->vsock, chr, errp)) { + return; + } + + qemu_chr_fe_set_handlers(&s->vsock, + nitro_serial_vsock_can_read, + nitro_serial_vsock_read, + nitro_serial_vsock_event, + NULL, s, NULL, true); +} + +static void nitro_serial_vsock_get_cid(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj); + uint32_t cid = s->cid; + + visit_type_uint32(v, name, &cid, errp); +} + +static void nitro_serial_vsock_realize(DeviceState *dev, Error **errp) +{ + /* + * At realize we don't know the Enclave CID yet, because the nitro accel + * first needs to launch the Enclave. Delay creation of the connection + * until the nitro accel pushes the CID as QOM property. + */ +} + +static const Property nitro_serial_vsock_props[] = { + DEFINE_PROP_CHR("chardev", NitroSerialVsockState, output), +}; + +static void nitro_serial_vsock_class_init(ObjectClass *oc, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(oc); + dc->realize = nitro_serial_vsock_realize; + device_class_set_props(dc, nitro_serial_vsock_props); + + object_class_property_add(oc, "enclave-cid", "uint32", + nitro_serial_vsock_get_cid, + nitro_serial_vsock_set_cid, + NULL, NULL); +} + +static const TypeInfo nitro_serial_vsock_info = { + .name = TYPE_NITRO_SERIAL_VSOCK, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(NitroSerialVsockState), + .class_init = nitro_serial_vsock_class_init, +}; + +static void nitro_serial_vsock_register(void) +{ + type_register_static(&nitro_serial_vsock_info); +} + +type_init(nitro_serial_vsock_register); diff --git a/hw/nitro/trace-events b/hw/nitro/trace-events new file mode 100644 index 0000000000..20617a024a --- /dev/null +++ b/hw/nitro/trace-events @@ -0,0 +1,4 @@ +# See docs/devel/tracing.rst for syntax documentation. + +# serial-vsock.c +nitro_serial_vsock_event(int event) "event %d" diff --git a/hw/nitro/trace.h b/hw/nitro/trace.h new file mode 100644 index 0000000000..b455d6c17b --- /dev/null +++ b/hw/nitro/trace.h @@ -0,0 +1,4 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + */ +#include "trace/trace-hw_nitro.h" diff --git a/include/hw/nitro/serial-vsock.h b/include/hw/nitro/serial-vsock.h new file mode 100644 index 0000000000..92c9374eeb --- /dev/null +++ b/include/hw/nitro/serial-vsock.h @@ -0,0 +1,26 @@ +/* + * Nitro Enclave Serial (vsock) + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_CHAR_NITRO_SERIAL_VSOCK_H +#define HW_CHAR_NITRO_SERIAL_VSOCK_H + +#include "hw/core/qdev.h" +#include "hw/core/sysbus.h" +#include "chardev/char-fe.h" +#include "qom/object.h" + +#define TYPE_NITRO_SERIAL_VSOCK "nitro-serial-vsock" +OBJECT_DECLARE_SIMPLE_TYPE(NitroSerialVsockState, NITRO_SERIAL_VSOCK) + +struct NitroSerialVsockState { + SysBusDevice parent_obj; + + CharFrontend output; /* chardev to write console output to */ + CharFrontend vsock; /* vsock chardev to enclave console */ + uint32_t cid; +}; + +#endif /* HW_CHAR_NITRO_SERIAL_VSOCK_H */ diff --git a/meson.build b/meson.build index bdeee65db2..3c6fa7a55a 100644 --- a/meson.build +++ b/meson.build @@ -3634,6 +3634,7 @@ if have_system 'hw/misc/macio', 'hw/net', 'hw/net/can', + 'hw/nitro', 'hw/nubus', 'hw/nvme', 'hw/nvram', -- 2.47.1 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597
