Local attestation #73

Merged
merged 20 commits into from
Nov 29, 2024
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -3,6 +3,8 @@
/target/
build/*
target/*

tools/cove_tap_tool/target
qemu/
security-monitor/target

9 changes: 5 additions & 4 deletions Makefile
Expand Up @@ -49,16 +49,16 @@ devtools: setup
hypervisor: setup devtools
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor

confidential_vms: setup devtools hypervisor
confidential_vms: setup devtools hypervisor tools
BIN_DIR="$(OVERLAY_ROOT_DIR)/" RELEASE="" $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/baremetal/ ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ buildroot ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ overlay ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ overlay rootfs ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor rootfs;

hypervisor_dev:
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor dev

dev:
dev: tools
$(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ dev ;\
$(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ overlay ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" ACE_DIR=$(ACE_DIR) $(MAKE) -C hypervisor rootfs;
Expand All @@ -85,7 +85,8 @@ emulator: setup devtools

tools: setup
mkdir -p $(TOOLS_WORK_DIR)
cp -rf $(TOOLS_SOURCE_DIR)/* $(TOOLS_WORK_DIR)
cp -rf $(TOOLS_SOURCE_DIR)/*.sh $(TOOLS_WORK_DIR)/
cp -rf $(TOOLS_SOURCE_DIR)/ace $(TOOLS_WORK_DIR)/

verify:
rm -rf $(ACE_DIR)/security_monitor/verify/
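Review bot: The `confidential_vms` and `dev` recipes join their sub-makes with `;\`, so the changed `$(MAKE) -C $(CONFIDENTIAL_VMS_SOURCE_DIR)/linux_vm/ overlay rootfs ;\` step can fail and the recipe still goes on to `$(MAKE) -C hypervisor rootfs`, packaging whatever image is already in the overlay. For an image that is later measured for attestation, a stale or partial artefact is worth failing on, so I would end each step with `&& \` instead of `;\`. The `overlay` and `rootfs` recipes in confidential-vms/linux_vm/Makefile chain their commands the same way. Both recipes continue outside the visible hunk, so the rest of the chain should be checked too.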
21 changes: 15 additions & 6 deletions confidential-vms/linux_vm/Makefile
Expand Up @@ -10,18 +10,20 @@ CONFIDENTIAL_VMS_WORK_DIR ?= $(ACE_DIR)/confidential_vms/
CONFIDENTIAL_VMS_LINUX_WORK_DIR ?= $(CONFIDENTIAL_VMS_WORK_DIR)/linux_vm/
CONFIDENTIAL_VMS_LINUX_SOURCE_DIR ?= $(MAKEFILE_SOURCE_DIR)

LINUX_VM_ROOTFS_SOURCE_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/rootfs
LINUX_VM_ROOTFS_SOURCE_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/hypervisor_rootfs
LINUX_VM_BUILDROOT_SOURCE_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/../../hypervisor/buildroot
LINUX_VM_BUILDROOT_WORK_DIR ?= $(CONFIDENTIAL_VMS_LINUX_WORK_DIR)/buildroot
LINUX_VM_BUILDROOT_ROOTFS ?= $(LINUX_VM_BUILDROOT_WORK_DIR)/images/rootfs.ext2
LINUX_VM_BUILDROOT_ROOTFS_SIZE ?= "256M"
LINUX_VM_OVERLAY_SOURCE_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/overlay
LINUX_VM_OVERLAY_WORK_DIR ?= $(CONFIDENTIAL_VMS_LINUX_WORK_DIR)/overlay
LINUX_VM_OVERLAY_WORK_ROOT_DIR ?= $(LINUX_VM_OVERLAY_WORK_DIR)/root
LINUX_VM_IMAGE ?= $(LINUX_VM_BUILDROOT_WORK_DIR)/images/Image
LINUX_VM_KERNEL_CONFIG ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/linux64-defconfig
LINUX_VM_BUILDROOT_CONFIG ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/qemu_riscv64_virt_defconfig
LINUX_VM_BUILDROOT_OVERRIDE_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/configurations/package_override.dev
LINUX_VM_PATCHES_DIR ?= $(CONFIDENTIAL_VMS_LINUX_SOURCE_DIR)/patches/linux/6.3-rc4
LINUX_DIR ?= $(LINUX_VM_BUILDROOT_WORK_DIR)/build/linux-6.3-rc4/
# overlays
HYPERVISOR_OVERLAY_DIR ?= $(ACE_DIR)/hypervisor/overlay/
HYPERVISOR_OVERLAY_ROOT_DIR ?= $(HYPERVISOR_OVERLAY_DIR)/root/
Expand All @@ -42,34 +44,41 @@ buildroot: setup
echo "Building buildroot"; \
rm -rf $(LINUX_VM_BUILDROOT_WORK_DIR); \
mkdir -p $(LINUX_VM_BUILDROOT_WORK_DIR); \
mkdir -p $(LINUX_VM_OVERLAY_WORK_DIR); \
mkdir -p $(LINUX_VM_OVERLAY_WORK_ROOT_DIR); \
cp $(LINUX_VM_KERNEL_CONFIG) $(LINUX_VM_BUILDROOT_WORK_DIR)/linux64-config; \
cp $(LINUX_VM_BUILDROOT_CONFIG) $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_ROOTFS_OVERLAY=.*@BR2_ROOTFS_OVERLAY=\"$(LINUX_VM_OVERLAY_WORK_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_TARGET_ROOTFS_EXT2_SIZE=.*@BR2_TARGET_ROOTFS_EXT2_SIZE=\"$(LINUX_VM_BUILDROOT_ROOTFS_SIZE)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(LINUX_VM_KERNEL_CONFIG)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(LINUX_VM_BUILDROOT_WORK_DIR)/linux64-config\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_LINUX_KERNEL_PATCH=.*@BR2_LINUX_KERNEL_PATCH=\"$(LINUX_VM_PATCHES_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 olddefconfig; \
$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) BR2_JLEVEL=0; \
fi

dev:
echo "Rebuilding buildroot"; \
sed "s@^BR2_ROOTFS_OVERLAY=.*@BR2_ROOTFS_OVERLAY=\"$(LINUX_VM_OVERLAY_WORK_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_PACKAGE_OVERRIDE_FILE=.*@BR2_PACKAGE_OVERRIDE_FILE=\"$(LINUX_VM_BUILDROOT_OVERRIDE_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config ;\
sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(LINUX_VM_KERNEL_CONFIG)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
sed "s@^BR2_TARGET_ROOTFS_EXT2_SIZE=.*@BR2_TARGET_ROOTFS_EXT2_SIZE=\"$(LINUX_VM_BUILDROOT_ROOTFS_SIZE)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 linux-rebuild all

overlay: setup
mkdir -p $(LINUX_VM_OVERLAY_WORK_DIR) ;\
mkdir -p $(LINUX_VM_OVERLAY_WORK_ROOT_DIR); \
cp -r $(LINUX_VM_OVERLAY_SOURCE_DIR)/* $(LINUX_VM_OVERLAY_WORK_DIR)/ ;\
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_OVERLAY_WORK_ROOT_DIR)/ace_module/ RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) ARCH=riscv KDIR=$(LINUX_DIR) CROSS_COMPILE=$(CROSS_COMPILE) CC="riscv64-unknown-linux-gnu-gcc" O=$(LINUX_DIR) ;\
mkdir -p $(HYPERVISOR_OVERLAY_ROOT_DIR) ;\
cp $(LINUX_VM_ROOTFS_SOURCE_DIR)/*.sh $(HYPERVISOR_OVERLAY_ROOT_DIR)/ ;\
rm -rf $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) ;\
mkdir -p $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) ;\
rm -rf $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) && mkdir -p $(HYPERVISOR_OVERLAY_LINUX_VM_DIR) ;\
cp -r $(LINUX_VM_IMAGE) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)/ ;\
cp -r $(LINUX_VM_BUILDROOT_ROOTFS) $(HYPERVISOR_OVERLAY_LINUX_VM_DIR)

rootfs: overlay
PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) ARCH=riscv64 KDIR=$(LINUX_DIR) CROSS_COMPILE=$(CROSS_COMPILE) O=$(LINUX_VM_BUILDROOT_WORK_DIR) rootfs-ext2; \
cp -r $(LINUX_VM_BUILDROOT_WORK_DIR)/images/rootfs.cpio $(HYPERVISOR_OVERLAY_LINUX_VM_DIR);

clean:
rm -rf $(ACE_DIR)

.PHONY: all buildroot linux clean overlay rootfs
.PHONY: all buildroot linux clean overlay
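Review bot: The `rootfs` recipe builds the buildroot target `rootfs-ext2` but then copies `images/rootfs.cpio`, and the two commands are joined with `;`, so a failed build still reaches the `cp`. What appears to be the guest buildroot defconfig further down this page has `BR2_TARGET_ROOTFS_CPIO=y` commented out, so unless cpio output is enabled elsewhere the copy either fails or picks up a stale file; I would build the target that actually produces the cpio image and chain the copy with `&&`. Separately, the two `.PHONY` lines at the end differ only in `rootfs`; if the shorter one is the new side, `rootfs` and `dev` are no longer declared phony, and `.PHONY: all buildroot linux clean overlay rootfs dev` would cover them.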
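--- a/confidential-vms/linux_vm/configurations/busybox.config
+++ b/confidential-vms/linux_vm/configurations/busybox.config
@@ -0,0 +1,6 @@
+CONFIG_MOUNT=y
+CONFIG_FEATURE_MOUNT_FSTAB=y
+CONFIG_UMOUNT=y
+CONFIG_FEATURE_UMOUNT_ALL=y
+CONFIG_CRYPTSETUP=y
+CONFIG_LOSETUP=y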
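Review bot: Nothing visible on this page points buildroot at this fragment, so these options may never reach the BusyBox build; if it is meant to apply, the guest defconfig would need something like `BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="<path to busybox.config>"`. As far as I know `cryptsetup` is a separate package rather than a BusyBox applet, so `CONFIG_CRYPTSETUP=y` would be ignored here, and the `BR2_PACKAGE_CRYPTSETUP=y` line in the defconfig on this page is still commented out. A one-line header comment saying what the fragment is for (presumably mounting the dm-crypt volume inside the guest) would help the next reader.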
15 changes: 10 additions & 5 deletions confidential-vms/linux_vm/configurations/linux64-defconfig
Expand Up @@ -186,7 +186,7 @@ CONFIG_CHECKPOINT_RESTORE=y
# CONFIG_SYSFS_DEPRECATED is not set
# CONFIG_RELAY is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
# CONFIG_INITRAMFS_SOURCE=""
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
Expand Down Expand Up @@ -326,6 +326,7 @@ CONFIG_FPU=y
# CONFIG_RISCV_COVE_HOST is not set
# CONFIG_RISCV_COVE_GUEST is not set
CONFIG_RISCV_COVE_GUEST=y
CONFIG_RISCV_COVE_GUEST_PROMOTE=y
# end of Confidential VM Extension(CoVE) Support
# end of Platform type

Expand Down Expand Up @@ -410,7 +411,7 @@ CONFIG_HAVE_KVM_VCPU_ASYNC_IOCTL=y
CONFIG_KVM_XFER_TO_GUEST_WORK=y
CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y
CONFIG_VIRTUALIZATION=y
CONFIG_KVM=m
CONFIG_KVM=n
CONFIG_ARCH_SUPPORTS_ACPI=y
CONFIG_ACPI=y
CONFIG_ACPI_GENERIC_GSI=y
Expand Down Expand Up @@ -1613,6 +1614,7 @@ CONFIG_DM_BIO_PRISON=m
CONFIG_DM_PERSISTENT_DATA=m
# CONFIG_DM_UNSTRIPED is not set
# CONFIG_DM_CRYPT is not set
CONFIG_DM_CRYPT=y
# CONFIG_DM_SNAPSHOT is not set
CONFIG_DM_THIN_PROVISIONING=m
# CONFIG_DM_CACHE is not set
Expand Down Expand Up @@ -4404,7 +4406,7 @@ CONFIG_CRYPTO_RSA=y
#
# Block ciphers
#
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set
# CONFIG_CRYPTO_ANUBIS is not set
# CONFIG_CRYPTO_ARIA is not set
Expand Down Expand Up @@ -4439,6 +4441,7 @@ CONFIG_CRYPTO_CTR=m
# CONFIG_CRYPTO_OFB is not set
# CONFIG_CRYPTO_PCBC is not set
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_XTS=y
# end of Length-preserving ciphers and modes

#
Expand Down Expand Up @@ -4466,8 +4469,8 @@ CONFIG_CRYPTO_HMAC=m
# CONFIG_CRYPTO_POLY1305 is not set
# CONFIG_CRYPTO_RMD160 is not set
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
# CONFIG_CRYPTO_SHA3 is not set
# CONFIG_CRYPTO_SM3_GENERIC is not set
# CONFIG_CRYPTO_STREEBOG is not set
Expand Down Expand Up @@ -4513,8 +4516,10 @@ CONFIG_CRYPTO_JITTERENTROPY=m
#
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
# CONFIG_CRYPTO_USER_API_RNG is not set
CONFIG_CRYPTO_USER_API_RNG=y
# CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y
# end of Userspace interface
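Review bot: In the userspace-interface hunk, `CONFIG_CRYPTO_USER_API_SKCIPHER=y` is added directly above the existing `# CONFIG_CRYPTO_USER_API_SKCIPHER is not set`, and the hunk counts (8 lines to 10) suggest both lines stay in the file. As far as I know Kconfig lets the later line win, so the option probably ends up disabled, which matters if userspace cryptsetup is expected to reach the kernel ciphers through AF_ALG. The other additions (`CONFIG_RISCV_COVE_GUEST=y`, `CONFIG_DM_CRYPT=y`, `CONFIG_CRYPTO_XTS=y`, `CONFIG_CRYPTO_USER_API_RNG=y`) sit after their `is not set` lines and so should take effect, but they leave contradictory pairs behind. I would replace each `is not set` line in place rather than appending, and write `# CONFIG_KVM is not set` instead of `CONFIG_KVM=n`.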
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
BR2_TARGET_GENERIC_HOSTNAME="cvm"
BR2_TARGET_GENERIC_ISSUE="Welcome to Confidential VM!"
BR2_TARGET_GENERIC_HOSTNAME="confidential_vm"
BR2_TARGET_GENERIC_ISSUE="Welcome to ACE Confidential VM!"
# Architecture
BR2_riscv=y
BR2_RISCV_64=y
Expand Down Expand Up @@ -28,16 +28,19 @@ BR2_TARGET_GENERIC_GETTY=y
BR2_TARGET_GENERIC_GETTY_PORT="ttyS0"
BR2_TARGET_GENERIC_ROOT_PASSWD="passwd"

# Filesystem
BR2_TARGET_ROOTFS_EXT2=y
# Filesystem
BR2_ROOTFS_OVERLAY=""
BR2_TARGET_ROOTFS_EXT2=y
BR2_TARGET_ROOTFS_EXT2_2=n
BR2_TARGET_ROOTFS_EXT2_3=n
BR2_TARGET_ROOTFS_EXT2_4=y
BR2_TARGET_ROOTFS_EXT2_SIZE="5G"

# Kernel
BR2_LINUX_KERNEL=y
# BR2_LINUX_KERNEL_CUSTOM_GIT=y
# BR2_LINUX_KERNEL_CUSTOM_REPO_URL=""
# BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION=""
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.3-rc4"
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_3=y
Expand All @@ -52,29 +55,25 @@ BR2_LINUX_KERNEL_PATCH=""
# development with custom Linux kernel sources
BR2_PACKAGE_OVERRIDE_FILE=""

# Bootloader
# BR2_TARGET_OPENSBI=y
# BR2_TARGET_OPENSBI_USE_PLAT=y
# BR2_TARGET_OPENSBI_PLAT="qemu/virt"

# Packages
BR2_PACKAGE_DROPBEAR=y

BR2_TARGET_OPENSBI=y
BR2_TARGET_OPENSBI_PLAT="generic"

###
# BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
# BR2_TOOLCHAIN_BUILDROOT_CXX=y
# BR2_PACKAGE_HOST_GDB=y
# BR2_PACKAGE_HOST_GDB_TUI=y
# BR2_PACKAGE_HOST_GDB_PYTHON3=y
# BR2_CCACHE=y
# BR2_CCACHE_INITIAL_SETUP="-M0 -F0"
# BR2_SSP_NONE=y

BR2_PER_PACKAGE_DIRECTORIES=y
BR2_VERBOSE=0


BR2_PACKAGE_NVME=y

# Initramfs
# BR2_TARGET_ROOTFS_INITRAMFS=y
# BR2_TARGET_ROOTFS_CPIO=y
# BR2_PACKAGE_BUSYBOX=y
# BR2_INIT_BUSYBOX=y
# BR2_PACKAGE_HOST_DRACUT=y
# BR2_TARGET_ROOTFS_CPIO_DRACUT=y
# # dm-crypt
# BR2_PACKAGE_HOST_GENIMAGE=y
# BR2_PACKAGE_CRYPTSETUP=y
# BR2_PACKAGE_HOST_CRYPTSETUP=y
# BR2_PACKAGE_E2FSPROGS=y
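Review bot: `BR2_TARGET_GENERIC_ROOT_PASSWD="passwd"` is carried over unchanged while this image keeps `BR2_PACKAGE_DROPBEAR=y`, and the launch script on this page forwards a host port to guest port 22, so the guest is reachable over SSH with a well-known root password. For a confidential-VM image I would mark this in the file, for example `# development only: set a real password or key-based login for anything beyond local testing`, or move the password out of the committed defconfig. The file name of this section is not shown on the page, so I am assuming it is the guest buildroot defconfig referenced by `LINUX_VM_BUILDROOT_CONFIG`.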
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
QEMU_CMD=qemu-system-riscv64
KERNEL=/root/linux_vm/Image
DRIVE=/root/linux_vm/rootfs.ext2
INITRAMFS=/root/linux_vm/rootfs.cpio

HOST_PORT="$((3000 + RANDOM % 3000))"
INTERACTIVE="-nographic"
Expand All @@ -31,7 +32,7 @@ for i in "$@"; do
-m=*|--memory=*)
MEMORY="${i#*=}"
shift
;;
;;
--daemonize*)
INTERACTIVE="-daemonize"
shift
Expand Down Expand Up @@ -60,4 +61,4 @@ ${QEMU_CMD} ${DEBUG_OPTIONS} \
-drive if=none,format=raw,file=${DRIVE},id=hd0 \
-device virtio-net-pci,netdev=net0,iommu_platform=on,disable-legacy=on,disable-modern=off \
-netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::${HOST_PORT}-:22 \
-nographic
-nographic
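--- a/confidential-vms/linux_vm/overlay/root/ace_module/Makefile
+++ b/confidential-vms/linux_vm/overlay/root/ace_module/Makefile
@@ -0,0 +1,27 @@
+CONFIG_MODULE_SIG=n
+
+startstop-objs := start.o stop.o
+obj-m += ace.o
+
+ifeq ($(CONFIG_STATUS_CHECK_GCC),y)
+CC=$(STATUS_CHECK_GCC)
+ccflags-y += -fanalyzer
+endif
+
+KDIR ?= /lib/modules/$(shell uname -r)/build
+PWD := $(CURDIR)
+
+default:
+$(MAKE) -C $(KDIR) CC="$(CC)" M="$(PWD)" modules
+rm -f .Module* .modules* .ace* *.symvers *.order ace.mod.* *.o *.mod
+
+load:
+@insmod ace.ko
+
+clean:
+$(MAKE) -C /lib/modules/$(shell uname -r)/build CC="$(CC)" M="$(PWD)" clean
+$(RM) other/cat_noblock *.plist
+
+indent:
+clang-format -i *[.ch]
+clang-format -i other/*[.ch]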
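Review bot: `clean` runs against `/lib/modules/$(shell uname -r)/build` instead of `$(KDIR)`, so in the cross-build driven from the linux_vm Makefile (`KDIR=$(LINUX_DIR)`) it would invoke the host kernel tree rather than the guest one; `$(MAKE) -C $(KDIR) CC="$(CC)" M="$(PWD)" clean` keeps it consistent with `default`. `startstop-objs := start.o stop.o` and `other/cat_noblock` look like leftovers from a template, since only `ace.o` is built. `CONFIG_MODULE_SIG=n` at the top deserves a comment saying why signing is switched off for a module that runs inside the confidential VM. `default`, `load`, `clean` and `indent` should also be declared with `.PHONY: default load clean indent`.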
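--- a/confidential-vms/linux_vm/overlay/root/ace_module/ace.c
+++ b/confidential-vms/linux_vm/overlay/root/ace_module/ace.c
@@ -0,0 +1,39 @@
+#include<linux/init.h>
+#include<linux/module.h>
+#include <asm/sbi.h>
+#include <linux/io.h>
+#include <linux/kernel.h>
+#include <linux/debugfs.h>
+#include <linux/delay.h> /* usleep_range */
+#include <linux/kthread.h>
+#include <linux/seq_file.h> /* single_open, single_release */
+#include <linux/slab.h> /* kmalloc, kfree */
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Wojciech Ozga <woz@zurich.ibm.com>");
+
+static int ace_init(void){
+volatile u8 *secret;
+struct sbiret ret;
+int i;
+
+printk(KERN_ALERT "Requesting secret from the security monitor\n");
+secret = kmalloc(1024*sizeof(u8), GFP_KERNEL);
+ret = sbi_ecall(0x434F5647, 9, virt_to_phys((void *) secret), 1024, 0, 0, 0, 0);
+if (!ret.error) {
+printk(KERN_ALERT "Secret=0x");
+for (i=0; i<ret.value; i++) {
+printk(KERN_CONT "%02x", secret[i]);
+}
+printk(KERN_CONT "\n");
+} else {
+printk(KERN_ALERT "Error: %lx %lx", ret.error, ret.value);
+}
+return 0;
+}
+
+static void ace_exit(void){
+}
+
+module_init(ace_init);
+module_exit(ace_exit);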
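Review bot: `ace_init` prints the secret returned by the security monitor to the kernel log at `KERN_ALERT`, where anything that reads the console or `dmesg` can see it, and it trusts `ret.value` as the loop bound without comparing it with the 1024-byte buffer. The `kmalloc` result is also passed to `virt_to_phys` unchecked, and the buffer is never freed or cleared. I would check the allocation, reject an out-of-range length, log only the length, and release the buffer with `kfree_sensitive`; if the hex dump is needed for a demo it should sit behind an explicit debug option. The magic numbers `0x434F5647` and `9` would also benefit from named constants with a comment tying them to the SBI call they select.

```c
static int ace_init(void)
{
	const long buf_len = 1024;
	struct sbiret ret;
	u8 *secret;
	int rc = 0;

	secret = kzalloc(buf_len, GFP_KERNEL);
	if (!secret)
		return -ENOMEM;

	/* extension and function ids are the ones the original call uses */
	ret = sbi_ecall(0x434F5647, 9, virt_to_phys(secret), buf_len, 0, 0, 0, 0);
	if (ret.error) {
		pr_err("ace: secret request failed: %lx %lx\n", ret.error, ret.value);
		rc = -EIO;
	} else if (ret.value < 0 || ret.value > buf_len) {
		/* never index past the buffer on the monitor's say-so */
		pr_err("ace: security monitor reported an out-of-range length\n");
		rc = -EIO;
	} else {
		/* report the length only; the secret stays out of the log */
		pr_info("ace: received %ld secret bytes\n", ret.value);
	}

	/* clears the buffer before returning it to the allocator */
	kfree_sensitive(secret);
	return rc;
}
```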
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
hello from confidential VM's filesystem
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
hello from confidential VM's filesystem
11 changes: 0 additions & 11 deletions hypervisor/configurations/qemu_riscv64_virt_defconfig
Expand Up @@ -73,17 +73,6 @@ BR2_PACKAGE_QEMU_BLOBS=y
# below not needed?
BR2_TARGET_OPENSBI=y
BR2_TARGET_OPENSBI_PLAT="generic"
#BR2_PACKAGE_DEVMEM2=y

###
# BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
# BR2_TOOLCHAIN_BUILDROOT_CXX=y
# BR2_PACKAGE_HOST_GDB=y
# BR2_PACKAGE_HOST_GDB_TUI=y
# BR2_PACKAGE_HOST_GDB_PYTHON3=y
# BR2_CCACHE=y
# BR2_CCACHE_INITIAL_SETUP="-M0 -F0"
# BR2_SSP_NONE=y

BR2_PER_PACKAGE_DIRECTORIES=y
BR2_VERBOSE=0