Promotion to TVM from VMM (#79)

* Adjusting how we promote VMs to allow VMMs to promote VMs that has not yet been run
* Update patches to Linux kernel
* Added kvmtool to the build process
* fixing multi-vcpu setups
* support custom base address in cove-tap-tools
* generate TAP during build of example confidential guests

---------

Signed-off-by: Wojciech Ozga <woz@zurich.ibm.com>

Makefile

@@ -54,6 +54,9 @@ hypervisor: setup devtools
 hypervisor_dev:
 	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor dev
 
+hypervisor_kvmtool:
+	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor kvmtool
+
 confidential_vms: setup devtools hypervisor tools
 	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ buildroot ;\
 	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ overlay rootfs ;\

README.md

@@ -122,16 +122,22 @@ You should see the output from the boot process and a promt to login to the hype
 # login: root, password: passwd
 ```
 
-To run the sample Linux OS as a confidential VM (login: root, password: passwd) execute:
+To run the sample Linux OS as a confidential VM (login: root, password: passwd) execute.
+This demonstrates automatic promotion of a VM to TVM:
 ```
-./run_linux_vm.sh
+./run_linux_vm_qemu.sh
+```
+
+Run the sample Linux OS as a confidential VM using kvmtool.
+```
+./run_linux_vm_kvmtool.sh
 ```
 
 ## Local attestation
 Local attestation allows you to expose secrets (e.g., dm-crypt/LUKS key, TLS pre-shared key, etc) to your confidential VM in a secure way.
 
 Collect reference measurements of your virtual machines, like kernel, initrd, initial boot hart state.
-Below as, an example, we just collect kernel measurement:
+Below as, an example, we just collect the kernel measurement (for automatic promotion):
 ```
 cove-tap-tool measure --kernel-file $ACE_DIR/confidential_vms/linux_vm/buildroot/images/Image
 # Example output:
@@ -173,7 +179,7 @@ You should see the secret:
 [  203.107150] Secret=0xc0ffee
 ```
 
-Integrating local attestation with dm-crypt/LUKS is work in progress. When finished, you will encrypt your rootfs and pass the decryption key via TAP.
+Integrating local attestation with dm-crypt/LUKS is work in progress. When finished, you will be able to encrypt your rootfs and pass the decryption key via TAP.
 A script in initrd will then retrieve the decryption key from TAP and decrypt the rootfs.
 
 # License

confidential-vms/linux_vm/Makefile

@@ -19,6 +19,8 @@ LINUX_VM_OVERLAY_SOURCE_DIR			?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/overlay
 LINUX_VM_OVERLAY_WORK_DIR			?= $(CONFIDENTIAL_VMS_LINUX_WORK_DIR)/overlay
 LINUX_VM_OVERLAY_WORK_ROOT_DIR		?= $(LINUX_VM_OVERLAY_WORK_DIR)/root
 LINUX_VM_IMAGE						?= $(LINUX_VM_BUILDROOT_WORK_DIR)/images/Image
+LINUX_VM_COVE_TAP_QEMU				?= $(LINUX_VM_BUILDROOT_WORK_DIR)/images/cove_tap_qemu
+LINUX_VM_COVE_TAP_KVMTOOL			?= $(LINUX_VM_BUILDROOT_WORK_DIR)/images/cove_tap_kvmtool
 LINUX_VM_KERNEL_CONFIG				?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/linux64-defconfig
 LINUX_VM_BUILDROOT_CONFIG			?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/qemu_riscv64_virt_defconfig
 LINUX_VM_BUILDROOT_OVERRIDE_DIR		?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/package_override.dev
@@ -76,11 +78,20 @@ overlay: setup
 	cp $(LINUX_VM_ROOTFS_SOURCE_DIR)/*.sh $(HYPERVISOR_OVERLAY_ROOT_DIR)/ ;\
 	rm -rf $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) && mkdir -p $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) ;\
 	cp -r $(LINUX_VM_IMAGE) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)/ ;\
-	cp -r $(LINUX_VM_BUILDROOT_ROOTFS) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)
+	cp -r $(LINUX_VM_BUILDROOT_ROOTFS) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) ;\
+	rm -f $(LINUX_VM_COVE_TAP_QEMU) ;\
+	$(eval $@_TMP = $(shell $(TOOLS_WORK_DIR)/cove-tap-tool measure  --embedded-tap --kernel-file=$(LINUX_VM_IMAGE) | cut -d' ' -f2-;) )
+	$(TOOLS_WORK_DIR)/cove-tap-tool generate --pcrs 4=$($@_TMP) --secrets 0=0xc0ffee --output-file=$(LINUX_VM_COVE_TAP_QEMU)
+	cp $(LINUX_VM_COVE_TAP_QEMU) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)/
+	rm -f $(LINUX_VM_COVE_TAP_KVMTOOL)
+	$(eval $@_TMP = $(shell $(TOOLS_WORK_DIR)/cove-tap-tool measure --base-address=0x80200000 --kernel-file=$(LINUX_VM_IMAGE) | cut -d' ' -f2-;) )
+	$(TOOLS_WORK_DIR)/cove-tap-tool generate --pcrs 4=$($@_TMP) --secrets 0=0xc0ffee --output-file=$(LINUX_VM_COVE_TAP_KVMTOOL)
+	cp $(LINUX_VM_COVE_TAP_KVMTOOL) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)/
+
 
 rootfs: overlay
-	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) ARCH=riscv64 KDIR=$(LINUX_DIR) CROSS_COMPILE=$(CROSS_COMPILE) O=$(LINUX_VM_BUILDROOT_WORK_DIR) rootfs-ext2; \
-	cp -r $(LINUX_VM_BUILDROOT_WORK_DIR)/images/rootfs.cpio $(HYPERVISOR_OVERLAY_LINUX_VM_DIR);
+	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) ARCH=riscv64 KDIR=$(LINUX_DIR) CROSS_COMPILE=$(CROSS_COMPILE) O=$(LINUX_VM_BUILDROOT_WORK_DIR) rootfs-ext2;
+	# cp -r $(LINUX_VM_BUILDROOT_WORK_DIR)/images/rootfs.cpio $(HYPERVISOR_OVERLAY_LINUX_VM_DIR);
 
 clean:
 	rm -rf $(ACE_DIR)

confidential-vms/linux_vm/configurations/linux64-defconfig

@@ -327,6 +327,7 @@ CONFIG_FPU=y
 # CONFIG_RISCV_COVE_GUEST is not set
 CONFIG_RISCV_COVE_GUEST=y
 CONFIG_RISCV_COVE_GUEST_PROMOTE=y
+CONFIG_RISCV_COVE_GUEST_EMBEDDED_TAP=y
 # end of Confidential VM Extension(CoVE) Support
 # end of Platform type
 

confidential-vms/linux_vm/hypervisor_rootfs/run_linux_vm_kvmtool.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2023 IBM Corporation
+# SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
+# SPDX-License-Identifier: Apache-2.0
+
+KERNEL=/root/linux_vm/Image
+TAP=/root/linux_vm/cove_tap_kvmtool
+
+./lkvm-static run -c2 --console virtio --cove-vm --cove-tap=${TAP} --cove-single-step-init -p "console=ttyS0 ro root=/dev/vda swiotlb=mmnn,force" -k ${KERNEL} --virtio-transport=pci

hypervisor/Makefile

@@ -20,6 +20,8 @@ HYPERVISOR_OVERLAY_ROOT_DIR			?= $(HYPERVISOR_OVERLAY_DIR)/root
 HYPERVISOR_PATCHES_DIR				?= $(MAKEFILE_SOURCE_DIR)/patches
 HYPERVISOR_LINUX_PATCH				?= $(HYPERVISOR_PATCHES_DIR)/linux/6.3-rc4/
 
+KVMTOOL_WORK_DIR					?= $(HYPERVISOR_WORK_DIR)/kvmtool
+
 BUILDROOT_WORK_DIR					?= $(HYPERVISOR_WORK_DIR)/buildroot
 RISCV_GNU_TOOLCHAIN_WORK_DIR		?= $(ACE_DIR)/riscv-gnu-toolchain/
 export PATH 						:= $(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)
@@ -52,11 +54,12 @@ buildroot: setup
 		$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) BR2_JLEVEL=0 ;\
 	fi
 
-overlay:
+overlay: kvmtool
 	echo "Setting up the content of the hypervisor's root directory" ;\
 	mkdir -p $(HYPERVISOR_OVERLAY_ROOT_DIR); \
 	mkdir -p $(HYPERVISOR_OVERLAY_DIR); \
-	cp $(HYPERVISOR_ROOTFS_SOURCE_DIR)/*.sh $(HYPERVISOR_OVERLAY_ROOT_DIR)/
+	cp $(HYPERVISOR_ROOTFS_SOURCE_DIR)/*.sh $(HYPERVISOR_OVERLAY_ROOT_DIR)/; \
+	cp ${KVMTOOL_WORK_DIR}/kvmtool/lkvm-static $(HYPERVISOR_OVERLAY_ROOT_DIR)/;
 
 dev:
 	sed "s@^BR2_PACKAGE_OVERRIDE_FILE=.*@BR2_PACKAGE_OVERRIDE_FILE=\"$(HYPERVISOR_BUILDROOT_OVERRIDE_DIR)\"@g" -i $(BUILDROOT_WORK_DIR)/.config; \
@@ -67,6 +70,26 @@ rootfs: overlay
 	echo "Generating hypervisor's root filesystem" ;\
 	$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) rootfs-ext2
 
+kvmtool:
+	mkdir -p $(KVMTOOL_WORK_DIR) && cd $(KVMTOOL_WORK_DIR) ;\
+    if [ ! -f "${KVMTOOL_WORK_DIR}/dtc/build/libfdt.so" ]; then \
+        rm -rf ${KVMTOOL_WORK_DIR}/dtc ;\
+        git clone git://git.kernel.org/pub/scm/utils/dtc/dtc.git ;\
+        cd dtc ;\
+        ARCH=riscv CC="${CROSS_COMPILE}gcc -mabi=${PLATFORM_RISCV_ABI} -march=${PLATFORM_RISCV_ISA}" make NO_PYTHON=1 NO_YAML=1 DESTDIR=$($CC -print-sysroot) PREFIX=${KVMTOOL_WORK_DIR}/dtc/build LIBDIR=${KVMTOOL_WORK_DIR}/dtc/build/$($CC -dumpmachine) install-lib install-includes ;\
+        cp ${KVMTOOL_WORK_DIR}/dtc/build/include/* ${KVMTOOL_WORK_DIR}/dtc/build/ ;\
+        cd .. ;\
+    fi ;\
+	if [ ! -f "${KVMTOOL_WORK_DIR}/kvmtool/lkvm-static" ]; then \
+		rm -rf ${KVMTOOL_WORK_DIR}/kvmtool ;\
+		git clone -b cove-integration-03072023 https://github.com/wojciechozga/kvmtool.git ;\
+		rm -f $(KVMTOOL_WORK_DIR)/kvmtool/lkvm-static ;\
+		cd $(KVMTOOL_WORK_DIR)/kvmtool ;\
+		ARCH=riscv LIBFDT_DIR=${KVMTOOL_WORK_DIR}/dtc/build/ make lkvm-static -j$(nproc) ;\
+		${CROSS_COMPILE}strip lkvm-static ;\
+		cd .. ;\
+	fi
+
 clean:
 	rm -rf $(HYPERVISOR_WORK_DIR)
 

hypervisor/configurations/linux64-defconfig

@@ -326,6 +326,9 @@ CONFIG_FPU=y
 
 CONFIG_RISCV_COVE_HOST=y
 # CONFIG_RISCV_COVE_GUEST is not set
+CONFIG_RISCV_COVE_GUEST=n
+CONFIG_RISCV_COVE_GUEST_PROMOTE=n
+CONFIG_RISCV_COVE_GUEST_EMBEDDED_TAP=n
 # end of Confidential VM Extension(CoVE) Support
 # end of Platform type