We are happy to announce the second version of the Arm Confidential Compute
Architecture (CCA) support for the Linux stack. The intention is to seek early
feedback in the following areas:

 * KVM integration of the Arm CCA;
 * KVM UABI for managing the Realms, seeking to generalise the operations
   where possible with other Confidential Compute solutions;
 * Linux Guest support for Realms.

See the previous RFC[1] for a more detailed overview of Arm's CCA solution, or
visit the Arm CCA Landing page[2].

This series is based on the final RMM v1.0 (EAC5) specification[3].

Quick-start guide
=================

The easiest way of getting started with the stack is by using Shrinkwrap[4].
Currently Shrinkwrap has a configuration for the initial v1.0-EAC5 release[5],
so the following overlay needs to be applied to the standard 'cca-3world.yaml'
file. Note that the 'rmm' component needs updating to 'main' because there are
fixes that are needed and are not yet in a tagged release.

The following will create an overlay file and build a working environment:

cat<<EOT >cca-v2.yaml
build:
  linux:
    repo:
      revision: cca-full/v2
  kvmtool:
    repo:
      kvmtool:
        revision: cca/v2
  rmm:
    repo:
      revision: main
  kvm-unit-tests:
    repo:
      revision: cca/v2
EOT
shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}' --overlay cca-v2.yaml

You will then want to modify the 'guest-disk.img' to include the files
necessary for the realm guest (see the documentation in cca-3world.yaml for
details of other options):

cd ~/.shrinkwrap/package/cca-3world
/sbin/e2fsck -fp rootfs.ext2
/sbin/resize2fs rootfs.ext2 256M
mkdir mnt
sudo mount rootfs.ext2 mnt/
sudo mkdir mnt/cca
sudo cp guest-disk.img KVMTOOL_EFI.fd lkvm Image mnt/cca/
sudo umount mnt
rmdir mnt/

Finally you can run the FVP with the host:

shrinkwrap run cca-3world.yaml --rtvar ROOTFS=$HOME/.shrinkwrap/package/cca-3world/rootfs.ext2

And once the host kernel has booted, login (user name 'root') and start a
realm guest:

cd /cca
./lkvm run --realm --restricted_mem -c 2 -m 256 -k Image -p earlycon

Be patient and you should end up in a realm guest with the host's filesystem
mounted via p9. It's also possible to use EFI within the realm guest; again,
see cca-3world.yaml within Shrinkwrap for more details.

A branch of kvm-unit-tests including realm-specific tests is provided here:
https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca/-/tree/cca/v2

[1] Previous RFC
    https://lore.kernel.org/r/20230127112248.136810-1-suzuki.poulose%40arm.com
[2] Arm CCA Landing page (See Key Resources section for various documentation)
    https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
[3] RMM v1.0-EAC5 specification
    https://developer.arm.com/documentation/den0137/1-0eac5/
[4] Shrinkwrap
    https://git.gitlab.arm.com/tooling/shrinkwrap
[5] Linux support for Arm CCA RMM v1.0-EAC5
    https://lore.kernel.org/r/fb259449-026e-4083-a02b-f8a4ebea1f87%40arm.com