() notifier. We can't easily invert the order of
operation because it uses the old state bitmap to know which pages need
the populate() notifier.
For now add a flag to the IOMMU notifier to tell memory_get_xlat_addr()
that we're aware of the RAM discard manager state.
Signed-off-
sting VFIO support using Chenyi Qiang's series for shared device
assignment [2]
[1]
https://lore.kernel.org/qemu-devel/20241125195626.856992-2-jean-phili...@linaro.org/
[2]
https://lore.kernel.org/qemu-devel/20250217081833.21568-1-chenyi.qi...@intel.com/
Jean-Philippe Brucker (2):
system/m
ot install its own
address space at the moment. And since sysbus devices can't have an
IOMMU at the moment, DMA from non-PCI devices isn't supported.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm_arm.h | 15 +++
hw/arm/virt.c| 2 +
target
On Tue, Feb 04, 2025 at 05:27:17PM +1000, Gavin Shan wrote:
> On 11/26/24 5:56 AM, Jean-Philippe Brucker wrote:
> > All Realm IPA states are by default RIPAS_EMPTY, and accessing them in
> > that state causes injection of synchronous exception. Either the loader
> > or the g
On Tue, Feb 04, 2025 at 03:30:00PM +1000, Gavin Shan wrote:
> > +hwaddr ram_base;
> > +size_t ram_size;
> > };
>
> s/size_t/hwaddr. To be consistent with RmeRamRegion, we may reuse
> it like below.
>
> struct RmeGuest {
> :
> GSlist *populate_ram_regions;
> RmeRamRegion init
On Tue, Feb 04, 2025 at 03:33:10PM +1000, Gavin Shan wrote:
> > diff --git a/include/hw/loader.h b/include/hw/loader.h
> > index 7f6d06b956..0cd9905f97 100644
> > --- a/include/hw/loader.h
> > +++ b/include/hw/loader.h
> > @@ -353,6 +353,21 @@ void *rom_ptr_for_as(AddressSpace *as, hwaddr addr,
>
On Tue, Feb 04, 2025 at 03:02:41PM +1000, Gavin Shan wrote:
> > +reg.id = AARCH64_CORE_REG(regs.pc);
> > +reg.addr = (uintptr_t) &env->pc;
> > +ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, ®);
> > +if (ret) {
> > +return ret;
> > +}
> > +
> > +return 0;
> > +}
> > +
>
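Review bot: The tail of this function, "if (ret) { return ret; }" followed by "return 0;", is redundant because nothing runs between the ioctl and the return. A single "return ret;" (or returning the kvm_vcpu_ioctl() result directly) behaves the same for every value of ret and drops the extra branch.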
Hi Gavin,
On Fri, Dec 13, 2024 at 10:03:08PM +1000, Gavin Shan wrote:
> Hi Jean,
>
> On 11/26/24 5:56 AM, Jean-Philippe Brucker wrote:
> > When RME is enabled, the upper GPA bit is used to distinguish protected
> > from unprotected addresses. Reserve it when setting up the
On Mon, Dec 09, 2024 at 05:34:13PM -0500, Stefan Berger wrote:
>
>
> On 11/25/24 2:56 PM, Jean-Philippe Brucker wrote:
> > Provide a library allowing the VMM to create an event log that describes
> > what is loaded into memory. During remote attestation in confidential
>
On Mon, Dec 09, 2024 at 05:08:37PM -0500, Stefan Berger wrote:
> > typedef struct {
> > hwaddr base;
> > hwaddr size;
> > +uint8_t *data;
> > +RmeLogFiletype *filetype;
> > } RmeRamRegion;
> > +typedef struct {
> > +charsignature[16];
> > +charname[32
On Thu, Dec 05, 2024 at 10:59:52PM +0100, Philippe Mathieu-Daudé wrote:
> On 25/11/24 20:56, Jean-Philippe Brucker wrote:
> > Add a function to register a notifier, that is invoked after a ROM gets
> > loaded into guest memory.
> >
> > It will be used by Arm confident
On Thu, Dec 05, 2024 at 10:47:13PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Jean-Philippe,
>
> On 25/11/24 20:56, Jean-Philippe Brucker wrote:
> > Returning an error to kvm_init() is fatal anyway, no need to continue
> > the initialization.
> >
> > Sig
On Thu, Dec 05, 2024 at 11:23:09PM +0100, Philippe Mathieu-Daudé wrote:
> On 25/11/24 20:56, Jean-Philippe Brucker wrote:
> > Create a measurement log describing operations performed by QEMU to
> > initialize the guest, and load it into guest memory above the DTB.
> >
On Thu, Dec 05, 2024 at 11:21:19PM +0100, Philippe Mathieu-Daudé wrote:
> On 25/11/24 20:56, Jean-Philippe Brucker wrote:
> > In order to write an event log, the ROM load notification handler needs
> > two more fields.
>
> IMHO it makes more sense to squash that in the "
On Mon, Dec 02, 2024 at 10:58:01AM -0500, Stefan Berger wrote:
>
>
> On 11/26/24 11:21 AM, Jean-Philippe Brucker wrote:
> > On Tue, Nov 26, 2024 at 01:45:55PM +, Daniel P. Berrangé wrote:
> > > On Mon, Nov 25, 2024 at 05:23:44PM -0500, Stefan Berger wrote:
> >
On Tue, Nov 26, 2024 at 12:47:59PM +, Daniel P. Berrangé wrote:
> On Tue, Nov 26, 2024 at 08:20:42AM +0100, Markus Armbruster wrote:
> > Jean-Philippe Brucker writes:
> >
> > > The Realm Personalization Value (RPV) is provided by the user to
> > > dist
On Tue, Nov 26, 2024 at 08:20:42AM +0100, Markus Armbruster wrote:
> > +# @personalization-value: Realm personalization value, as a 64-byte
> > +# hex string. This optional parameter allows to uniquely identify
> > +# the VM instance during attestation. (default: 0)
>
> QMP commonly uses b
On Tue, Nov 26, 2024 at 12:37:02PM +, Daniel P. Berrangé wrote:
> When you create a new "user creatable" object, there should also be a
> corresponding addition to qapi/qom.json.
>
> I believe you have the qom.json addition in a later patch, but it
> should actually be here
Yes, I'll move it
On Tue, Nov 26, 2024 at 12:29:35PM +, Daniel P. Berrangé wrote:
> On Mon, Nov 25, 2024 at 07:56:00PM +0000, Jean-Philippe Brucker wrote:
> > The KVM_CHECK_EXTENSION ioctl can be issued either on the global fd
> > (/dev/kvm), or on the VM fd obtained with KVM_CREATE_VM. For most
On Mon, Dec 02, 2024 at 04:17:41PM -0800, Pierrick Bouvier wrote:
> This boots an OP-TEE environment, and launches a nested guest VM inside it
> using the Realms feature. We do it for virt and sbsa-ref platforms.
>
> Signed-off-by: Pierrick Bouvier
>
> -
>
> v2:
> - move test to its own file
>
On Tue, Nov 26, 2024 at 01:45:55PM +, Daniel P. Berrangé wrote:
> On Mon, Nov 25, 2024 at 05:23:44PM -0500, Stefan Berger wrote:
> >
> >
> > On 11/25/24 2:56 PM, Jean-Philippe Brucker wrote:
> > > Create an event log, in the format defined by Trusted Comp
pport acceleration via FEAT_SHA256 (Armv8.0) and not FEAT_SHA512
(Armv8.2). Future CPUs supporting RME are likely to also support
FEAT_SHA512.
Cc: Eric Blake
Cc: Markus Armbruster
Cc: Daniel P. Berrangé
Cc: Eduardo Habkost
Acked-by: Markus Armbruster
Signed-off-by: Jean-Philippe Brucker
---
v
Initialize the IPA state of RAM. Collect the images copied into guest
RAM into a sorted list, and issue POPULATE_REALM KVM ioctls once we've
created the Realm Descriptor. The images are part of the Realm Initial
Measurement.
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: RIPA
When confidential-guest-support is enabled for the virt machine, add the
RME flag to the VM type.
The HVC conduit for PSCI is not supported for Realms.
Signed-off-by: Jean-Philippe Brucker
---
hw/arm/virt.c | 15 +--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw
Returning an error to kvm_init() is fatal anyway, no need to continue
the initialization.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index 8bdf4abeb6..95bcecf804
. Berrangé
Cc: Eduardo Habkost
Acked-by: Markus Armbruster
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: Fix documentation
---
qapi/qom.json| 15 ++
target/arm/kvm-rme.c | 111 +++
2 files changed, 126 insertions(+)
diff --git a/q
] https://docs.kernel.org/arch/arm64/booting.html
https://lore.kernel.org/all/20241004144307.66199-12-steven.pr...@arm.com/
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: New: the Linux guest does not initialize RIPAS itself anymore,
and expects the loader to do it.
---
hw/arm/boot.c | 4
.
Signed-off-by: Jean-Philippe Brucker
---
include/hw/loader.h | 15 +++
hw/core/loader.c| 15 +++
2 files changed, 30 insertions(+)
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 7f6d06b956..0cd9905f97 100644
--- a/include/hw/loader.h
+++ b/include/hw
vsm/blob/main/Documentation/docs/installation/INSTALL.md
[10] keybroker-demo with event log support
https://github.com/jpbrucker/keybroker-demo/commits/event-log/
Cc: Alex Bennée
Cc: Matias Ezequiel Vara Larsen
Cc: Paolo Bonzini
Cc: Peter Gonda
Cc: Peter Maydell
Cc: Philippe Mathieu-Daudé
ine->cgs member.
Signed-off-by: Jean-Philippe Brucker
---
hw/arm/virt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index eb94997914..c4cf69ea33 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2124,6 +2124,8 @@ static void ma
e any
information to the host, hence will not store its variables in clear
persistent memory. We can therefore replace the flash device with RAM,
and load the firmware there.
Signed-off-by: Jean-Philippe Brucker
---
include/hw/arm/boot.h | 9 +
hw/arm/boot.c
verifier independently compute the Realm Initial Measurement,
and check that the data we load into guest RAM is known-good images.
Without this log, the verifier has to guess where everything is loaded
and in what order.
Cc: Stefan Berger
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: New
---
q
In order to write an event log, the ROM load notification handler needs
two more fields.
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: New
---
include/hw/loader.h | 2 ++
hw/core/loader.c| 2 ++
2 files changed, 4 insertions(+)
diff --git a/include/hw/loader.h b/include/hw/loade
Currently the feature is automatically enabled, unless the user disables
it on the command-line. Change it to OnOffAuto, and automatically
disable it for confidential VMs, unless the user explicitly enables it.
Signed-off-by: Jean-Philippe Brucker
---
docs/system/arm/virt.rst | 9 +
The host cannot access registers of a Realm. Instead of showing all
registers as zero in "info registers", display a message about this
restriction.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/cpu.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/target/arm/cpu.c b/
Create a measurement log describing operations performed by QEMU to
initialize the guest, and load it into guest memory above the DTB.
Cc: Stefan Berger
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: New
---
include/hw/arm/boot.h | 3 +++
include/hw/arm/virt.h | 1 +
hw/arm/boo
For confidential VMs it may be necessary to measure the DTB, to ensure a
malicious host does not insert harmful information in there. In case an
external tool can generate and measure the DTB, load it as is without
patching it.
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: new
---
hw/
protocol [1].
[1] https://docs.kernel.org/arch/arm64/booting.html
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: new
---
include/hw/arm/boot.h | 6 ++
hw/arm/boot.c | 23 +--
hw/arm/virt.c | 1 +
3 files changed, 24 insertions(+), 6 deletions(-)
d
kernel.org/kvm/875ybi0ytc@redhat.com/
[3] https://github.com/torvalds/linux/commit/92b591a4c46b
Cc: Marcelo Tosatti
Cc: Nicholas Piggin
Cc: Daniel Henrique Barboza
Cc: qemu-...@nongnu.org
Suggested-by: Cornelia Huck
Signed-off-by: Jean-Philippe Brucker
---
include/sysemu/kvm.h | 2 -
and
watchpoints, and influence the Realm Initial Measurement.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/cpu.h | 4 ++
target/arm/kvm_arm.h | 2 +
target/arm/arm-qmp-cmds.c | 1 +
target/arm/cpu64.c| 77 +++
target/arm
KVM_GET_REG_LIST.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/cpu.h | 3 +++
target/arm/kvm_arm.h | 15 +++
target/arm/kvm-rme.c | 10
target/arm/kvm.c | 61
4 files changed, 89 insertions(+)
diff --git a/target/arm/cpu.h b
t can also copy its content into a new one.
[1]
https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
Cc: Stefan Berger
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: New
---
qapi/tpm.json| 14 ++
include/hw/tpm/tpm_log.h | 89 ++
When RME is enabled, the upper GPA bit is used to distinguish protected
from unprotected addresses. Reserve it when setting up the guest memory
map.
Signed-off-by: Jean-Philippe Brucker
---
hw/arm/virt.c | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/hw/arm
registers are reset,
* activate the realm, at which point the realm is sealed.
Signed-off-by: Jean-Philippe Brucker
---
v2->v3:
* Cleaner error handling
---
target/arm/kvm_arm.h | 39
target/arm/kvm-rme.c | 106 +++
target/arm/kv
Add a "num-pmu-counters" CPU parameter to configure the number of
counters that KVM presents to the guest. This is needed for Realm VMs,
whose parameters include the number of PMU counters and influence the
Realm Initial Measurement.
Signed-off-by: Jean-Philippe Brucker
---
target
The confidential guest support in KVM limits the number of registers
that we can read and write. Split the get/put_registers function to
prepare for it.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm.c | 30 --
1 file changed, 28 insertions(+), 2 deletions
in following patches.
Cc: Eric Blake
Cc: Markus Armbruster
Cc: Daniel P. Berrangé
Cc: Eduardo Habkost
Acked-by: Markus Armbruster
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson
Signed-off-by: Jean-Philippe Brucker
---
v2->v3: remove some boilerplate w
to probe the VM's
capabilities.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index a0de2efc41..870f51bf02 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -106,6 +
Hi Itaru,
On Thu, Nov 21, 2024 at 02:34:24PM +0900, Itaru Kitayama wrote:
> Hi Jean, Mathieu,
>
> I’ve been using you guys’ ccs/v3 QEMU for some time to bring up a Realm
> instance without a major issue, and as one who is making changes to libvirt to
> support CCA, I wonder if you could merge t
Hi Eric,
On Wed, Jul 17, 2024 at 05:07:57PM +0200, Eric Auger wrote:
> Hi Jean,
>
> On 7/15/24 10:45, Mostafa Saleh wrote:
> > The SMMUv3 spec (ARM IHI 0070 F.b - 7.3 Event records) defines the
> > class of events faults as:
> >
> > CLASS: The class of the operation that caused the fault:
> > - 0
nested”, and
> advertised to guests as (IDR0.S1P == 1 && IDR0.S2P == 2)
For the whole series (3-9, 11, 12, 15, 16, 18):
Reviewed-by: Jean-Philippe Brucker
(and I think patch 16 is missing Eric's R-b)
On Tue, Jul 09, 2024 at 07:14:19AM +, Mostafa Saleh wrote:
> Hi Jean,
>
> On Thu, Jul 04, 2024 at 07:12:35PM +0100, Jean-Philippe Brucker wrote:
> > On Mon, Jul 01, 2024 at 11:02:31AM +, Mostafa Saleh wrote:
> > > In the next patch, combine_tlb() will be ad
Hi Mostafa,
On Tue, Jul 09, 2024 at 07:12:59AM +, Mostafa Saleh wrote:
> > In this case I think we're reporting InputAddr as the CD address, but it
> > should be the IOVA
>
> As Eric mentioned this would require some rework to propagate the iova,
> but what I am more worried about is the read
o, it is easier just to change IDR5 and
> it propagates correctly.
> - Add additional checks when OAS is greater than 48bits.
> - Remove unused functions/macros: pa_range/MAX_PA.
>
> Reviewed-by: Eric Auger
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philippe Brucker
On Mon, Jul 01, 2024 at 11:02:40AM +, Mostafa Saleh wrote:
> QEMU doesn't support memory attributes, so FWB is NOP, this
> might change in the future if memory attributes would be supported.
>
> Signed-off-by: Mostafa Saleh
> ---
> hw/arm/smmuv3.c | 8
> 1 file changed, 8 insertions
On Mon, Jul 01, 2024 at 11:02:39AM +, Mostafa Saleh wrote:
> Everything is in place, consolidate parsing of STE cfg and setting
> translation stage.
>
> Advertise nesting if stage requested is "nested".
>
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philip
(cfg)->record_faults) || \
> +((ptw_info).stage == SMMU_STAGE_2 &&
> \
> + (cfg)->s2cfg.record_faults))
I guess this could be simplified as "(info.stage == STAGE_1)
On Mon, Jul 01, 2024 at 11:02:37AM +, Mostafa Saleh wrote:
> IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2
> SMMU instances we consider the input address as the IOVA, but when
> nesting is used, we can't mix stage-1 and stage-2 addresses, so for
> nesting only stage-1 is considere
rted, otherwise
> invalidate everything, this required a new vmid invalidation
> function for stage-1 only (ASID >= 0)
>
> Also, rework trace events to reflect the new implementation.
>
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philippe Brucker
> -
isn't bisectable.
Reviewed-by: Jean-Philippe Brucker
> ---
> hw/arm/smmu-common.c | 20 +---
> hw/arm/smmuv3.c | 2 +-
> include/hw/arm/smmu-common.h | 2 +-
> 3 files changed, 15 insertions(+), 9 deletions(-)
>
> diff --git
On Mon, Jul 01, 2024 at 11:02:34AM +, Mostafa Saleh wrote:
> With nesting, we would need to invalidate IPAs without
> over-invalidating stage-1 IOVAs. This can be done by
> distinguishing IPAs in the TLBs by having ASID=-1.
> To achieve that, rework the invalidation for IPAs to have a
> separat
On Mon, Jul 01, 2024 at 11:02:33AM +, Mostafa Saleh wrote:
> When nested translation is requested, do the following:
>
> - Translate stage-1 table address IPA into PA through stage-2.
> - Translate stage-1 table walk output (IPA) through stage-2.
> - Create a single TLB entry from stage-1 and
ova that would be cached is recalculated.
>- Translated_addr is chosen from stage-2.
>
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philippe Brucker
> ---
> hw/arm/smmu-common.c | 37
> include/hw/arm/smmu-common.h | 1 +
>
On Mon, Jul 01, 2024 at 11:02:31AM +, Mostafa Saleh wrote:
> In the next patch, combine_tlb() will be added which combines 2 TLB
> entries into one for nested translations, which chooses the granule
> and level from the smallest entry.
>
> This means that with nested translation, an entry can
On Mon, Jul 01, 2024 at 11:02:30AM +, Mostafa Saleh wrote:
> According to ARM SMMU architecture specification (ARM IHI 0070 F.b),
> In "5.2 Stream Table Entry":
> [51:6] S1ContextPtr
> If Config[1] == 1 (stage 2 enabled), this pointer is an IPA translated by
> stage 2 and the programmed valu
On Mon, Jul 01, 2024 at 11:02:29AM +, Mostafa Saleh wrote:
> Soon, smmuv3_do_translate() will be used to translate the CD and the
> TTBx, instead of re-writing the same logic to convert the returned
> cached entry to an address, add a new macro CACHED_ENTRY_TO_ADDR.
>
> Signed-off-by: Mostafa
On Mon, Jul 01, 2024 at 11:02:25AM +, Mostafa Saleh wrote:
> The SMMUv3 spec (ARM IHI 0070 F.b - 7.3 Event records) defines the
> class of events faults as:
>
> CLASS: The class of the operation that caused the fault:
> - 0b00: CD, CD fetch.
> - 0b01: TTD, Stage 1 translation table fetch.
> -
rm/smmuv3: Add page table walk for stage-2”
> Reviewed-by: Eric Auger
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philippe Brucker
> ---
> hw/arm/smmu-common.c | 10 ++
> hw/arm/smmuv3.c | 4
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
ive IPA size for the given CD.
>
> However, this check was missing.
>
> There is already a similar check for stage-2 against effective PA.
>
> Reviewed-by: Eric Auger
> Signed-off-by: Mostafa Saleh
Reviewed-by: Jean-Philippe Brucker
> ---
> hw/arm/smmu-common.
On Thu, Jun 06, 2024 at 03:05:02PM +1000, Gavin Shan wrote:
> > This commit moves the page tables from .rodata to .data. When linking
> > IdMap.obj into ArmPlatformPrePeiCore.dll, the alignment of the .text
> > section changes from 0x1000 to 0x800. This change comes from the linker
> > script putti
On Wed, Jun 05, 2024 at 11:28:47AM +1000, Gavin Shan wrote:
> > >WriteSections64():
> > > /home/gavin/sandbox/CCA/edk2-guest/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore/DEBUG/ArmPlatformPrePeiCore.dll
> > > AARCH64 small code model requires identic
On Fri, May 31, 2024 at 05:24:44PM +0200, Ard Biesheuvel wrote:
> > I'm able to reproduce this even without RME. This code was introduced
> > recently by c98f7f755089 ("ArmVirtPkg: Use dynamic PCD to set the SMCCC
> > conduit"). Maybe Ard (Cc'd) knows what could be going wrong here.
> >
> > A sligh
Hi Gavin,
On Tue, Jun 04, 2024 at 01:02:08PM +1000, Gavin Shan wrote:
> Hi Jean,
>
> On 6/3/24 18:24, Jean-Philippe Brucker wrote:
> > On Sat, Jun 01, 2024 at 08:14:46PM +1000, Gavin Shan wrote:
> > > ---> guest edk2
> > >
> > > # git clone https:/
Hi Gavin,
On Sat, Jun 01, 2024 at 08:14:46PM +1000, Gavin Shan wrote:
> ---> guest edk2
>
> # git clone https://git.codelinaro.org/linaro/dcap/edk2.git edk2-guest
> # cd edk2-guest; git checkout origin/cca/v2 -b cca/v2
> # git submodule update --init --recursive; \
> source edksetup.sh; make -
On Fri, May 31, 2024 at 11:16:30PM +0900, Itaru Kitayama wrote:
> Thanks! I wasn’t aware of it. The good news is that after a whole day of try
> and error attempts I was able to bring up a Realm VM on FVP. Here’s my
> version of overlay yaml, cca-v2.yaml:
That is good news, thanks for the update
>
Hi Gavin,
On Fri, May 31, 2024 at 04:23:13PM +1000, Gavin Shan wrote:
> I got a chance to try CCA software components, suggested by [1]. However, the
> edk2 is stuck somewhere. I didn't reach the stage of loading guest kernel yet.
> I'm replying to see if anyone has an idea.
...
> INFO:BL3
Hi Itaru,
On Fri, May 31, 2024 at 10:57:13AM +0100, Peter Maydell wrote:
> On Fri, 31 May 2024 at 05:20, Itaru Kitayama wrote:
> >
> >
> >
> > > On May 30, 2024, at 22:30, Philippe Mathieu-Daudé
> > > wrote:
> > >
> > > Cc'ing more developers
> > >
> > > On 30/5/24 06:30, Itaru Kitayama wrote:
On Fri, Apr 19, 2024 at 05:25:12PM +0100, Daniel P. Berrangé wrote:
> On Fri, Apr 19, 2024 at 04:56:50PM +0100, Jean-Philippe Brucker wrote:
> > Add a new RmeGuest object, inheriting from ConfidentialGuestSupport, to
> > support the Arm Realm Management Extension (RME). It is
Currently the feature is automatically enabled, unless the user disables
it on the command-line. Change it to OnOffAuto, and automatically
disable it for confidential VMs, unless the user explicitly enables it.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: separate patch, use OnOffAuto
--
EMU to crash with a bus error.
Handle reboot requests by the guest more gracefully, by indicating to
runstate.c that the vCPUs of a Realm are not resettable, and that QEMU
should exit.
Reviewed-by: Richard Henderson
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm.c | 3 ++-
1 file chan
The host cannot access registers of a Realm. Instead of showing all
registers as zero in "info registers", display a message about this
restriction.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
target/arm/cpu.c | 5 +
1 file changed, 5 insertions(+)
diff --git
regression of 2.8ms on a fast desktop,
5.7% of the QEMU setup time). On a slower host, the regression could be
much larger.
Instead, add a special case to initialize the kernel's BSS IPA range.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
target/arm/kvm_arm.h | 5 +
hw/ar
pport acceleration via FEAT_SHA256 (Armv8.0) and not FEAT_SHA512
(Armv8.2). Future CPUs supporting RME are likely to also support
FEAT_SHA512.
Cc: Eric Blake
Cc: Markus Armbruster
Cc: Daniel P. Berrangé
Cc: Eduardo Habkost
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: use enum, pick
which point the realm is sealed.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2:
* Use g_assert_not_reached() in stubs
* Init from kvm_arch_init() rather than hw/arm/virt
* Cache rme_guest
---
target/arm/kvm_arm.h | 16 +++
target/arm/kvm-rme.c |
KVM_GET_REG_LIST.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: only do the GP regs, since they are sync'd explicitly. Other
registers use the existing reglist facility.
---
target/arm/cpu.h | 3 +++
target/arm/kvm_arm.h | 1 +
target/arm/kvm-rme.c | 10
target/arm/kvm.c
and
watchpoints, and influence the Realm Initial Measurement.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
target/arm/cpu.h | 4 ++
target/arm/kvm_arm.h | 2 +
target/arm/arm-qmp-cmds.c | 1 +
target/arm/cpu64.c| 77 ++
attestation.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
include/hw/loader.h | 15 +++
hw/core/loader.c| 15 +++
2 files changed, 30 insertions(+)
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 8685e27334..79fab25dd9 100644
--- a/include
ine->cgs member.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
hw/arm/virt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index eca9a96b5a..bed19d0b79 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2071,6 +2071,8
Collect the images copied into guest RAM into a sorted list, and issue
POPULATE_REALM KVM ioctls once we've created the Realm Descriptor. The
images are part of the Realm Initial Measurement.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: Use a ROM loader notifier
---
target/arm/k
Add a "num-pmu-counters" CPU parameter to configure the number of
counters that KVM presents to the guest. This is needed for Realm VMs,
whose parameters include the number of PMU counters and influence the
Realm Initial Measurement.
Signed-off-by: Jean-Philippe Brucker
---
v
se ms->require_guest_memfd is not yet
merged.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
target/arm/kvm-rme.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/target/arm/kvm-rme.c b/target/arm/kvm-rme.c
index 8f39e54aaa..71cc1d4147 100644
--- a/target/arm/kvm-rme.c
+++ b/target/arm/kvm-rme.
e any
information to the host, hence will not store its variables in clear
persistent memory. We can therefore replace the flash device with RAM,
and load the firmware there.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
include/hw/arm/boot.h | 9 +
hw/arm/boot.c
/20240322181116.1228416-1-pbonz...@redhat.com/
Jean-Philippe Brucker (22):
kvm: Merge kvm_check_extension() and kvm_vm_check_extension()
target/arm: Add confidential guest support
target/arm/kvm: Return immediately on error in kvm_arch_init()
target/arm/kvm-rme: Initialize realm
hw/arm/virt: Add support
Returning an error to kvm_init() is fatal anyway, no need to continue
the initialization.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: new
---
target/arm/kvm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index 3371ffa
kernel.org/kvm/875ybi0ytc@redhat.com/
[3] https://github.com/torvalds/linux/commit/92b591a4c46b
Cc: Marcelo Tosatti
Cc: Nicholas Piggin
Cc: Daniel Henrique Barboza
Cc: qemu-...@nongnu.org
Suggested-by: Cornelia Huck
Signed-off-by: Jean-Philippe Brucker
---
v1:
https://lore.kernel.org/
. Berrangé
Cc: Eduardo Habkost
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: Move parsing early, store as-is rather than reverted
---
qapi/qom.json| 15 +-
target/arm/kvm-rme.c | 111 +++
2 files changed, 125 insertions(+), 1 delet
When confidential-guest-support is enabled for the virt machine, call
the RME init function, and add the RME flag to the VM type.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2:
* Don't explicitly disable steal_time, it's now done through KVM capabilities
* Split patch
---
hw/ar
When RME is enabled, the upper GPA bit is used to distinguish protected
from unprotected addresses. Reserve it when setting up the guest memory
map.
Signed-off-by: Jean-Philippe Brucker
---
v1->v2: separate patch
---
hw/arm/virt.c | 14 --
1 file changed, 12 insertions(+)
to probe the VM's
capabilities.
KVM only reports the maximum IPA it supports, but RMM may support
smaller sizes. If the VM creation fails with the value returned by KVM,
then retry with the smaller working address. This needs a better
solution.
Signed-off-by: Jean-Philippe Brucker
---
targe
The confidential guest support in KVM limits the number of registers
that we can read and write. Split the get/put_registers function to
prepare for it.
Signed-off-by: Jean-Philippe Brucker
---
target/arm/kvm.c | 30 --
1 file changed, 28 insertions(+), 2 deletions