Re: [RFC] Support for Arm CCA VMs on Linux
From: Ryan Roberts
Date: Fri Feb 10 2023 - 11:51:34 EST
On 27/01/2023 11:22, Suzuki K Poulose wrote:
> [...]
> Running the stack
> ====================
>
> To run/test the stack, you would need the following components :
>
> 1) FVP Base AEM RevC model with FEAT_RME support [4]
> 2) TF-A firmware for EL3 [5]
> 3) TF-A RMM for R-EL2 [3]
> 4) Linux Kernel [6]
> 5) kvmtool [7]
> 6) kvm-unit-tests [8]
>
> Instructions for building the firmware components and running the model are
> available here [9]. Once the host kernel is booted, a Realm can be launched by
> invoking the `lkvm` command as follows:
>
> $ lkvm run --realm \
> --measurement-algo=["sha256", "sha512"] \
> --disable-sve \
> <normal-vm-options>
>
> Where:
> * --measurement-algo (Optional) specifies the algorithm selected for creating the
> initial measurements by the RMM for this Realm (defaults to sha256).
> * GICv3 is mandatory for the Realms.
> * SVE is not yet supported in the TF-RMM, and thus must be disabled using
> --disable-sve
>
> You may also run the kvm-unit-tests inside the Realm world, using similar
> options to those above.
Building all of these components and configuring the FVP correctly can be quite
tricky, so I thought I would plug a tool we have called Shrinkwrap, which can
simplify all of this.
The tool accepts a yaml input configuration that describes how a set of
components should be built and packaged, and how the FVP should be configured
and booted. And by default, it uses a Docker container on its backend, which
contains all the required tools, including the FVP. You can optionally use
Podman or have it run on your native system if you prefer. It supports both
x86_64 and aarch64. And you can even run it in --dry-run mode to see the set of
shell commands that would have been executed.
It comes with two CCA configs out of the box: cca-3world.yaml builds TF-A, RMM,
Linux (for both host and guest), kvmtool and kvm-unit-tests. cca-4world.yaml
adds Hafnium and some demo SPs for the secure world (although, since Hafnium
requires x86_64 to build, cca-4world.yaml doesn't currently work on an aarch64
build host).
See the documentation [1] and repository [2] for more info.
Brief instructions to get you up and running:
# Install shrinkwrap. (I assume you have Docker installed):
sudo pip3 install pyyaml termcolor tuxmake
git clone https://git.gitlab.arm.com/tooling/shrinkwrap.git
export PATH=$PWD/shrinkwrap/shrinkwrap:$PATH
# If running Python < 3.9:
sudo pip3 install graphlib-backport
# Build all the CCA components:
shrinkwrap build cca-3world.yaml [--dry-run]
# Run the stack in the FVP:
shrinkwrap run cca-3world.yaml -r ROOTFS=<my_rootfs.ext4> [--dry-run]
By default, building is done at ~/.shrinkwrap/build/cca-3world and the package
is created at ~/.shrinkwrap/package/cca-3world (this can be changed with
envvars).
The 'run' command will boot TF-A, RMM and the host Linux kernel in the FVP, and
mount the provided rootfs. You will likely want to have copied the userspace
pieces into the rootfs before running, so that you can create realms:
- ~/.shrinkwrap/package/cca-3world/Image (kernel with RMI and RSI support)
- ~/.shrinkwrap/package/cca-3world/lkvm (kvmtool able to launch realms)
- ~/.shrinkwrap/package/cca-3world/kvm-unit-tests.tgz (built kvm-unit-tests)
Once the FVP is booted to a shell, you can do something like this to launch a
Linux guest in a realm:
lkvm run --realm --disable-sve -c 1 -m 256 -k Image
[1] https://shrinkwrap.docs.arm.com
[2] https://gitlab.arm.com/tooling/shrinkwrap
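As an added example (not part of the mail above or of the Shrinkwrap project), the following bash script stages the three package outputs listed in the mail (Image, lkvm, kvm-unit-tests.tgz) into a rootfs before `shrinkwrap run`, checking first that all three were actually produced by the build. It assumes the default package location ~/.shrinkwrap/package/cca-3world, an ext4 rootfs image that can be loop-mounted (root privileges required for that step), and places the files under /root inside the rootfs; the PKG_DIR override and the destination directory are my own choices, not Shrinkwrap conventions.

```shell
#!/usr/bin/env bash
# Added example: stage the Shrinkwrap cca-3world package outputs into a rootfs
# so that realms can be launched from the guest shell after `shrinkwrap run`.
# Assumptions (not from the original mail): the default package directory,
# an ext4 rootfs image, and /root inside the rootfs as the destination.
set -eu

PKG_DIR="${PKG_DIR:-$HOME/.shrinkwrap/package/cca-3world}"

# The three userspace pieces named in the mail.
REALM_ARTIFACTS="Image lkvm kvm-unit-tests.tgz"

# Verify that every artifact exists under the package directory.
# Prints the missing paths on stderr; returns 0 if all present, 1 otherwise.
check_artifacts() {
    pkg="$1"
    missing=0
    for a in $REALM_ARTIFACTS; do
        if [ ! -f "$pkg/$a" ]; then
            echo "missing: $pkg/$a" >&2
            missing=1
        fi
    done
    return $missing
}

# Copy the artifacts from the package directory into a destination directory
# (normally the mounted rootfs). lkvm is made executable so it runs as-is.
stage_artifacts() {
    pkg="$1"
    dest="$2"
    check_artifacts "$pkg"
    mkdir -p "$dest"
    for a in $REALM_ARTIFACTS; do
        cp "$pkg/$a" "$dest/$a"
    done
    chmod 0755 "$dest/lkvm"
}

# Loop-mount an ext4 rootfs image, stage into its /root, then unmount.
# Must be run as root because of the mount.
stage_into_rootfs() {
    pkg="$1"
    img="$2"
    mnt="$(mktemp -d)"
    mount -o loop "$img" "$mnt"
    # Unmount even if the copy fails part-way.
    trap 'umount "$mnt"; rmdir "$mnt"' EXIT
    stage_artifacts "$pkg" "$mnt/root"
    echo "staged $REALM_ARTIFACTS into $img:/root"
}

# Usage: sudo ./stage-realm.sh <my_rootfs.ext4> [package-dir]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 1 ]; then
    stage_into_rootfs "${2:-$PKG_DIR}" "$1"
fi
```

After staging, `shrinkwrap run cca-3world.yaml -r ROOTFS=<my_rootfs.ext4>` boots the stack and the files are available under /root in the guest shell, so `lkvm run --realm --disable-sve -c 1 -m 256 -k Image` can be issued from there as in the mail.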