Hi, all.
This patch adds Arm CCA support to qemu driver for aarch64 system.
CCA is an abbreviation for Arm Confidential Compute Architecture
feature, it enhances the virtualization capabilities of
the platform by separating the management of resources from access
to those resources.
We are not yet at the stage where we can merge this patch as host
linux/qemu suppor is no yet merged, but I would like to receive
reviews and comments on the overall direction.
[summary]
At this stage, all you can do is getting the CCA capability with
the virsh domcapabilities command and start the CCA VM with
the virsh create command.
capability info uses qemu QMP to query qemu options. The option
that exists now is for selecting a hash algorithm.
qemu QMP sections currently only contains a single member, but
is wrapped in sections for expansion.
[Capability example]
Execution results of 'virsh domcapability" on qemu
<domaincapabilities>
...
<features>
...
</sgx>
<cca supported='yes'>
<enum name='measurement-algo'>
<value>sha256</value>
<value>sha512</value>
</enum>
</cca>
<hyperv supported='yes'>
...
</features>
</domaincapabilities>
[XML example]
<domain>
...
<launchsecurity type='cca'>
<measurement-algo>sha256</measurement-algo>
</launchsecurity>
...
</domain>
[limitations/tests]
To obtain capability info, it is necessary to support the qemu QMP
command, which qemu does not yet support. We added a QMP
command to retrieve CCA info for test (See "[software version]"
below). Also, I think we should check whether CPUFW supports
CCA or not in qemu_firmware.c, but it is not yet implemented.
We have confirmed that the added tests (qemucapabilitiestest,
domaincapstest and qemuxmlconftest) and the CCA VM startup test
(starting the CCA VM from the virsh create command) passed.
The "personalization-value" and "measurement-log" parameters that
exist in the current LinaroQEMU cca/v3 branch will not be specified
as CCA VM startup parameters with the virsh create command.
[software version]
I followed the steps in Linaro's blog below.
https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+an+RME+stack+for+QEMU#Launching-a-Realm-guest-using-QEMU
The Qemu used was enhanced with CCA QMP command and found at:
https://github.com/Kazuhiro-Abe-fj/linaro_qemu/tree/cca-qmp
which is based on Linaro QEMU (cca/v3)
https://git.codelinaro.org/linaro/dcap/qemu/-/tree/cca/v3?ref_type=heads
Changes in v2:
Split the patch into different features.
Fixed two string memory leaks.
String storage has been changed from pointer movement to memory
copying, preventing double freeing.
Added a test case to qemuconftest.
Fixed an issue where communication with QMP did not work properly.
Fixed an issue where <cca support="yes"> was output to the cache
file when using virsh with a qemu binary that does not support QMP.
RFC v1:
https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/V4S5657DIO5IYTFSGJLXJ7SM4RCEQQJE/#V4S5657DIO5IYTFSGJLXJ7SM4RCEQQJE
Signed-off-by: Akio Kakuno fj3333bs@xxxxxxxxxxx
Akio Kakuno (6):
src: Add ARM CCA support in qemu driver to launch VM
src: Add ARM CCA support in domain capabilities command
src: Add ARM CCA support in domain schema
qemucapabilitiestest: Adds Arm CCA support
domaincapstest: Adds Arm CCA support
qemuxmlconftest: Adds Arm CCA support
docs/formatdomain.rst | 28 +
docs/formatdomaincaps.rst | 27 +-
src/conf/domain_capabilities.c | 48 +
src/conf/domain_capabilities.h | 12 +
src/conf/domain_conf.c | 16 +
src/conf/domain_conf.h | 7 +
src/conf/domain_validate.c | 1 +
src/conf/schemas/domaincaps.rng | 14 +
src/conf/schemas/domaincommon.rng | 14 +
src/conf/virconftypes.h | 2 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_capabilities.c | 145 +
src/qemu/qemu_capabilities.h | 4 +
src/qemu/qemu_cgroup.c | 2 +
src/qemu/qemu_command.c | 32 +
src/qemu/qemu_driver.c | 2 +
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_monitor.c | 10 +
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 98 +
src/qemu/qemu_monitor_json.h | 4 +
src/qemu/qemu_namespace.c | 2 +
src/qemu/qemu_process.c | 4 +
src/qemu/qemu_validate.c | 4 +
src/security/security_dac.c | 2 +
.../qemu_9.1.0-virt.aarch64.xml | 243 +
tests/domaincapsdata/qemu_9.1.0.aarch64.xml | 243 +
.../caps_9.1.0_aarch64.replies | 36222 ++++++++++++++++
.../caps_9.1.0_aarch64.xml | 540 +
.../launch-security-cca.aarch64-latest.args | 30 +
.../launch-security-cca.aarch64-latest.xml | 24 +
tests/qemuxmlconfdata/launch-security-cca.xml | 16 +
tests/qemuxmlconftest.c | 2 +
33 files changed, 37802 insertions(+), 1 deletion(-)
create mode 100644 tests/domaincapsdata/qemu_9.1.0-virt.aarch64.xml
create mode 100644 tests/domaincapsdata/qemu_9.1.0.aarch64.xml
create mode 100644 tests/qemucapabilitiesdata/caps_9.1.0_aarch64.replies
create mode 100644 tests/qemucapabilitiesdata/caps_9.1.0_aarch64.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-cca.aarch64-latest.args
create mode 100644 tests/qemuxmlconfdata/launch-security-cca.aarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-cca.xml
--
2.34.1
