On Thu, 4 May 2023 at 17:13, Jean-Philippe Brucker <jean-phili...@linaro.org> wrote:
>
> Hello,
>
> On Tue, Apr 25, 2023 at 05:03:58PM +0100, Sami Mujawar wrote:
> > We are happy to announce an early RFC version of the Arm Confidential
> > Compute Architecture (CCA) support for the Kvmtool guest firmware.
> > The intention is to seek early feedback in the following areas:
> > * Integration of the Arm CCA in ArmVirtPkg
> > * Generalise the operations wherever possible with other Confidential
> >   Compute solutions and Virtual Machine Managers (VMMs)
>
> Experimental support for ArmVirtQemu is available at [1]. Most of it
> simply includes Sami's libraries into ArmVirtQemu, but there are a few
> things specific to QEMU, one of which I still haven't figured out.
>
> The early debug support in PEI is problematic. A realm must access the
> emulated serial port through an unprotected Intermediate Physical Address
> (IPA aka GPA), which is the upper half of the IPA space. The IPA address
> must have the most significant bit set. Once the MMU is enabled and
> ArmCcaConfigureMmio() runs, the page tables point to the right IPA so
> there is no problem. Before that however, EarlyFdtPL011SerialPortLib would
> need to access the device using the unprotected IPA address. So far I
> haven't managed to implement this, so the early serial debug is just
> disabled.
>

Did you spot the changes I made recently for booting at EL1 with hard-coded
[initial] page tables in flash? It seems to me that mapping the serial port
in there shouldn't be that hard.

> Another QEMU-specific: in direct kernel boot (-kernel on the
> command-line), the FwCfg device provides kernel, initrd and other blobs to
> the guest firmware. Since these are not in guest RAM before VM boot, they
> are not part of the Realm Initial Measurement, which provides image
> attestation. In order for the Realm owner to authenticate these images,
> I added a BlobVerifier that adds the hash of these blobs to the Realm
> Extended Measurement.
>
> I haven't looked at supporting ArmVirtQemuKernel yet. The latest QEMU VMM
> support for Arm CCA is at [2], and a typical invocation would be:
>
> qemu-system-aarch64 -M confidential-guest-support=rme0 -object rme-guest,id=rme0
>   -M virt -enable-kvm -M gic-version=3 -cpu host,sve=off -smp 2 -m 256M
>   -bios QEMU_EFI.fd -kernel Image -initrd rootfs.cpio
>   -overcommit mem-lock=on -no-acpi -nographic -append 'earlycon console=ttyAMA0'
>
> Thanks,
> Jean
>
> [1] https://jpbrucker.net/git/edk2/ branch cca/qemu
> [2] https://jpbrucker.net/git/qemu/ branch cca/rfc-v2

Thanks, this looks very interesting.