[v2] Support for Arm CCA VMs on Linux

We are happy to announce the second version of the Arm Confidential
Compute Architecture (CCA) support for the Linux stack. The intention is
to seek early feedback in the following areas:
 * KVM integration of the Arm CCA;
 * KVM UABI for managing the Realms, seeking to generalise the
   operations where possible with other Confidential Compute solutions;
 * Linux Guest support for Realms.

See the previous RFC[1] for a more detailed overview of Arm's CCA
solution, or visit the Arm CCA Landing page[2].

This series is based on the final RMM v1.0 (EAC5) specification[3].

Quick-start guide
=================

The easiest way of getting started with the stack is by using
Shrinkwrap[4]. Currently Shrinkwrap has a configuration for the initial
v1.0-EAC5 release[5], so the following overlay needs to be applied to
the standard 'cca-3world.yaml' file. Note that the 'rmm' component needs
updating to 'main' because there are fixes that are needed and are not
yet in a tagged release. The following will create an overlay file and
build a working environment:

cat<<EOT >cca-v2.yaml
build:
  linux:
    repo:
      revision: cca-full/v2
  kvmtool:
    repo:
      kvmtool:
        revision: cca/v2
  rmm:
    repo:
      revision: main
  kvm-unit-tests:
    repo:
      revision: cca/v2
EOT

shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml

You will then want to modify the 'guest-disk.img' to include the files
necessary for the realm guest (see the documentation in cca-3world.yaml
for details of other options):

  cd ~/.shrinkwrap/package/cca-3world
  /sbin/e2fsck -fp rootfs.ext2
  /sbin/resize2fs rootfs.ext2 256M
  mkdir mnt
  sudo mount rootfs.ext2 mnt/
  sudo mkdir mnt/cca
  sudo cp guest-disk.img KVMTOOL_EFI.fd lkvm Image mnt/cca/
  sudo umount mnt
  rmdir mnt/

Finally you can run the FVP with the host:

  shrinkwrap run cca-3world.yaml --rtvar ROOTFS=$HOME/.shrinkwrap/package/cca-3world/rootfs.ext2

And once the host kernel has booted, login (user name 'root') and start
a realm guest:

  cd /cca
  ./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon

Be patient and you should end up in a realm guest with the host's
filesystem mounted via p9.
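The quick-start steps above collapsed into one driver script, added here
as an example (it is not part of the original mail, of Shrinkwrap or of
the kvmtool tree): it writes the overlay, runs the build, refuses to
touch the rootfs image until every guest artifact exists, grows the host
rootfs by the amount the guest files actually need rather than a fixed
256M, copies them under /cca and launches the FVP. The helper names, the
SHRINKWRAP_PKG and MIN_ROOTFS_MIB variables and the 32 MiB slack are
assumptions of this example; the shrinkwrap and lkvm command lines are
the ones given above.

```sh
#!/bin/sh
# Added example, not from the original mail or the Shrinkwrap project:
# drives the quick-start end to end with the checks a first build tends to
# need. SHRINKWRAP_PKG, MIN_ROOTFS_MIB, the helper names and the 32 MiB
# slack are assumptions of this script; the shrinkwrap and lkvm command
# lines are the ones from the mail.
set -eu

PKG="${SHRINKWRAP_PKG:-${HOME:-.}/.shrinkwrap/package/cca-3world}"
MIN_ROOTFS_MIB="${MIN_ROOTFS_MIB:-256}"                # the 256M the mail uses
GUEST_FILES="guest-disk.img KVMTOOL_EFI.fd lkvm Image" # copied to /cca

# Overlay pinning the v2 branches; 'rmm' tracks main because the needed
# fixes are not in a tagged release yet.
write_overlay() {
    cat >"$1" <<'EOT'
build:
  linux:
    repo:
      revision: cca-full/v2
  kvmtool:
    repo:
      kvmtool:
        revision: cca/v2
  rmm:
    repo:
      revision: main
  kvm-unit-tests:
    repo:
      revision: cca/v2
EOT
}

# Refuse to touch the rootfs image unless every artifact the realm guest
# needs was actually built; names the first missing one on stderr.
check_guest_files() {
    dir=$1; shift
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
}

# MiB the host rootfs must be grown to: current image + files to add +
# 32 MiB slack, and never below MIN_ROOTFS_MIB. A fixed 256M makes the
# copy fail if guest-disk.img comes out larger than expected.
needed_size_mib() {
    img=$1; dir=$2; shift 2
    bytes=$(wc -c <"$img")
    for f in "$@"; do bytes=$((bytes + $(wc -c <"$dir/$f"))); done
    mib=$(( (bytes + 1048575) / 1048576 + 32 ))
    if [ "$mib" -lt "$MIN_ROOTFS_MIB" ]; then mib=$MIN_ROOTFS_MIB; fi
    echo "$mib"
}

# e2fsck -p exits 1 when it repaired something, which is fine for
# resize2fs; anything higher is a real error and aborts under set -e.
grow_rootfs() {
    /sbin/e2fsck -fp "$1" || [ $? -le 1 ]
    /sbin/resize2fs "$1" "${2}M"
}

# Mount the image, copy the guest files under /cca, then unmount.
populate_rootfs() {
    img=$1; src=$2; shift 2
    mnt=$(mktemp -d)
    sudo mount "$img" "$mnt"
    sudo mkdir -p "$mnt/cca"
    for f in "$@"; do sudo cp "$src/$f" "$mnt/cca/"; done
    sudo umount "$mnt"
    rmdir "$mnt"
}

main() {
    write_overlay cca-v2.yaml
    shrinkwrap build cca-3world.yaml --overlay buildroot.yaml \
        --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml
    # $GUEST_FILES is deliberately unquoted: it is a space-separated list.
    check_guest_files "$PKG" $GUEST_FILES
    grow_rootfs "$PKG/rootfs.ext2" \
        "$(needed_size_mib "$PKG/rootfs.ext2" "$PKG" $GUEST_FILES)"
    populate_rootfs "$PKG/rootfs.ext2" "$PKG" $GUEST_FILES
    echo "Host booting; log in as root and start the realm guest with:" >&2
    echo "  cd /cca && ./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon" >&2
    shrinkwrap run cca-3world.yaml --rtvar ROOTFS="$PKG/rootfs.ext2"
}

# Only drive the build when invoked as 'sh cca-quickstart.sh run', so the
# helpers above can also be sourced and used on their own.
if [ "${1:-}" = run ]; then main; fi
```

Run it as 'sh cca-quickstart.sh run' from the directory holding
cca-3world.yaml. The size helper is the part worth keeping even if the
rest is typed by hand: resize2fs to a fixed 256M works for the buildroot
image the mail uses, but a larger guest-disk.img makes the cp step fail
half way through a mounted image.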

It's also possible to use EFI within the realm guest, again see
cca-3world.yaml within Shrinkwrap for more details.

A branch of kvm-unit-tests including realm-specific tests is provided
here:
  https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca/-/tree/cca/v2

[1] Previous RFC
    https://lore.kernel.org/r/20230127112248.136810-1-suzuki.poulose%40arm.com
[2] Arm CCA Landing page (See Key Resources section for various documentation)
    https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
[3] RMM v1.0-EAC5 specification
    https://developer.arm.com/documentation/den0137/1-0eac5/
[4] Shrinkwrap
    https://git.gitlab.arm.com/tooling/shrinkwrap
[5] Linux support for Arm CCA RMM v1.0-EAC5
    https://lore.kernel.org/r/fb259449-026e-4083-a02b-f8a4ebea1f87%40arm.com



