Enable tee only in x86-64

MatiasVara · MatiasVara · commit a8d08c5b5854 · 2025-03-19T12:10:50.000-04:00
The `tee` feature has been used by having in mind only the x86-64 case.
Currently, `tee` means sense only if `x86-64` is also enabled. In the
future, the `tee` will enable code that is shared by arm and x86-64.

Signed-off-by: Matias Ezequiel Vara Larsen &lt;mvaralar@redhat.com&gt;
diff --git a/src/libkrun/build.rs b/src/libkrun/build.rs
@@ -5,6 +5,6 @@ fn main() {
     println!("cargo:rustc-link-search=/opt/homebrew/lib");
     #[cfg(all(not(feature = "tee"), not(feature = "efi")))]
     println!("cargo:rustc-link-lib=krunfw");
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     println!("cargo:rustc-link-lib=krunfw-sev");
 }
diff --git a/src/libkrun/src/lib.rs b/src/libkrun/src/lib.rs
@@ -51,7 +51,7 @@ use vmm::vmm_config::boot_source::{BootSourceConfig, DEFAULT_KERNEL_CMDLINE};
 use vmm::vmm_config::fs::FsDeviceConfig;
 #[cfg(not(feature = "efi"))]
 use vmm::vmm_config::kernel_bundle::KernelBundle;
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use vmm::vmm_config::kernel_bundle::{InitrdBundle, QbootBundle};
 use vmm::vmm_config::machine_config::VmConfig;
 #[cfg(feature = "net")]
@@ -103,7 +103,7 @@ struct ContextConfig {
     root_block_cfg: Option<BlockDeviceConfig>,
     #[cfg(feature = "blk")]
     data_block_cfg: Option<BlockDeviceConfig>,
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     tee_config_file: Option<PathBuf>,
     unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
     shutdown_efd: Option<EventFd>,
@@ -220,12 +220,12 @@ impl ContextConfig {
         }
     }
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     fn set_tee_config_file(&mut self, filepath: PathBuf) {
         self.tee_config_file = Some(filepath);
     }
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     fn get_tee_config_file(&self) -> Option<PathBuf> {
         self.tee_config_file.clone()
     }
@@ -263,7 +263,7 @@ extern "C" {
     fn krunfw_get_version() -> u32;
 }
 
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 #[link(name = "krunfw-sev")]
 extern "C" {
     fn krunfw_get_qboot(size: *mut size_t) -> *mut c_char;
@@ -320,7 +320,7 @@ pub extern "C" fn krun_create_ctx() -> i32 {
     };
     ctx_cfg.vmr.set_kernel_bundle(kernel_bundle).unwrap();
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     {
         let mut qboot_size: usize = 0;
         let qboot_host_addr = unsafe { krunfw_get_qboot(&mut qboot_size as *mut usize) };
@@ -919,7 +919,7 @@ pub unsafe extern "C" fn krun_set_env(ctx_id: u32, c_envp: *const *const c_char)
 
 #[allow(clippy::missing_safety_doc)]
 #[no_mangle]
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 pub unsafe extern "C" fn krun_set_tee_config_file(ctx_id: u32, c_filepath: *const c_char) -> i32 {
     let filepath = match CStr::from_ptr(c_filepath).to_str() {
         Ok(f) => f,
@@ -1152,7 +1152,7 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
      * config is not set by this point, print the relevant error message and
      * fail.
      */
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     if let Some(tee_config) = ctx_cfg.get_tee_config_file() {
         if let Err(e) = ctx_cfg.vmr.set_tee_config(tee_config) {
             error!("Error setting up TEE config: {:?}", e);
diff --git a/src/vmm/src/builder.rs b/src/vmm/src/builder.rs
@@ -33,11 +33,11 @@ use devices::virtio::{port_io, MmioTransport, PortDescription, Vsock};
 #[cfg(target_os = "macos")]
 use hvf::MemoryMapping;
 
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use kbs_types::Tee;
 
 use crate::device_manager;
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use crate::resources::TeeConfig;
 #[cfg(target_os = "linux")]
 use crate::signal_handler::register_sigint_handler;
@@ -55,12 +55,12 @@ use crate::vstate::KvmContext;
 use crate::vstate::MeasuredRegion;
 use crate::vstate::{Error as VstateError, Vcpu, VcpuConfig, Vm};
 use arch::ArchMemoryInfo;
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use arch::InitrdConfig;
 use device_manager::shm::ShmManager;
 #[cfg(not(feature = "tee"))]
 use devices::virtio::{fs::ExportTable, VirtioShmRegion};
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use kvm_bindings::KVM_MAX_CPUID_ENTRIES;
 use libc::{STDERR_FILENO, STDIN_FILENO, STDOUT_FILENO};
 use nix::unistd::isatty;
@@ -342,7 +342,7 @@ enum Payload {
     Empty,
     #[cfg(feature = "efi")]
     Efi,
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     Tee(MmapRegion, u64, usize, u64, usize, u64, usize),
 }
 
@@ -370,17 +370,17 @@ pub fn build_microvm(
             .map_err(StartMicrovmError::KernelBundle)?
     };
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let qboot_bundle = vm_resources
         .qboot_bundle()
         .ok_or(StartMicrovmError::MissingKernelConfig)?;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let initrd_bundle = vm_resources
         .initrd_bundle()
         .ok_or(StartMicrovmError::MissingKernelConfig)?;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let payload = Payload::Tee(
         kernel_region,
         kernel_bundle.guest_addr,
@@ -402,7 +402,7 @@ pub fn build_microvm(
             .vm_config()
             .mem_size_mib
             .ok_or(StartMicrovmError::MissingMemSizeConfig)?,
-        #[cfg(feature = "tee")]
+        #[cfg(all(feature = "tee", target_arch = "x86_64"))]
         None,
         #[cfg(not(feature = "tee"))]
         Some(vm_resources),
@@ -422,7 +422,7 @@ pub fn build_microvm(
     #[allow(unused_mut)]
     let mut vm = setup_vm(&guest_memory)?;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let (kvm, mut vm) = {
         let kvm = KvmContext::new()
             .map_err(Error::KvmContext)
@@ -431,10 +431,10 @@ pub fn build_microvm(
         (kvm, vm)
     };
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let tee = vm_resources.tee_config().tee;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let sev_launcher = match tee {
         Tee::Sev => Some(
             vm.sev_secure_virt_prepare(&guest_memory)
@@ -443,7 +443,7 @@ pub fn build_microvm(
         _ => None,
     };
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let snp_launcher = match tee {
         Tee::Snp => Some(
             vm.snp_secure_virt_prepare(&guest_memory)
@@ -452,7 +452,7 @@ pub fn build_microvm(
         _ => None,
     };
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let measured_regions = {
         println!("Injecting and measuring memory regions. This may take a while.");
 
@@ -543,7 +543,7 @@ pub fn build_microvm(
 
     #[cfg(all(target_os = "linux", target_arch = "x86_64", not(feature = "tee")))]
     let boot_ip: GuestAddress = GuestAddress(kernel_bundle.entry_addr);
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let boot_ip: GuestAddress = GuestAddress(arch::RESET_VECTOR);
 
     let vcpus;
@@ -712,7 +712,7 @@ pub fn build_microvm(
     #[cfg(all(target_arch = "x86_64", not(feature = "tee")))]
     load_cmdline(&vmm)?;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     let initrd_config = Some(InitrdConfig {
         address: GuestAddress(arch::x86_64::layout::INITRD_SEV_START),
         size: initrd_bundle.size,
@@ -728,7 +728,7 @@ pub fn build_microvm(
     )
     .map_err(StartMicrovmError::Internal)?;
 
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     {
         match tee {
             Tee::Sev => vmm
@@ -794,7 +794,7 @@ fn load_payload(
             .map_err(StartMicrovmError::GuestMemoryMmap),
         #[cfg(test)]
         Payload::Empty => Ok(guest_mem),
-        #[cfg(feature = "tee")]
+        #[cfg(all(feature = "tee", target_arch = "x86_64"))]
         Payload::Tee(
             kernel_region,
             kernel_load_addr,
@@ -919,7 +919,7 @@ pub(crate) fn setup_vm(
         .map_err(StartMicrovmError::Internal)?;
     Ok(vm)
 }
-#[cfg(all(target_os = "linux", feature = "tee"))]
+#[cfg(all(target_os = "linux", feature = "tee", target_arch = "x86_64"))]
 pub(crate) fn setup_vm(
     kvm: &KvmContext,
     guest_memory: &GuestMemoryMmap,
diff --git a/src/vmm/src/lib.rs b/src/vmm/src/lib.rs
@@ -269,7 +269,7 @@ impl Vmm {
     ) -> Result<()> {
         #[cfg(target_arch = "x86_64")]
         {
-            let cmdline_len = if cfg!(feature = "tee") {
+            let cmdline_len = if cfg!(all(feature = "tee", target_arch = "x86_64")) {
                 arch::x86_64::layout::CMDLINE_SEV_SIZE
             } else {
                 self.kernel_cmdline.len() + 1
diff --git a/src/vmm/src/linux/mod.rs b/src/vmm/src/linux/mod.rs
@@ -1,4 +1,4 @@
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 pub mod tee;
 
 pub mod vstate;
diff --git a/src/vmm/src/linux/vstate.rs b/src/vmm/src/linux/vstate.rs
@@ -34,10 +34,10 @@ use super::tee::amdsev::{AmdSev, Error as SevError};
 #[cfg(feature = "amd-sev")]
 use super::tee::amdsnp::{AmdSnp, Error as SnpError};
 
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use kbs_types::Tee;
 
-#[cfg(feature = "tee")]
+#[cfg(all(feature = "tee", target_arch = "x86_64"))]
 use crate::resources::TeeConfig;
 use crate::vmm_config::machine_config::CpuFeaturesTemplate;
 #[cfg(target_arch = "aarch64")]
@@ -103,7 +103,7 @@ pub enum Error {
     #[cfg(target_arch = "x86_64")]
     /// Cannot set the local interruption due to bad configuration.
     LocalIntConfiguration(arch::x86_64::interrupts::Error),
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     /// Missing TEE config
     MissingTeeConfig,
     #[cfg(target_arch = "x86_64")]
@@ -148,7 +148,7 @@ pub enum Error {
     #[cfg(feature = "amd-sev")]
     /// Error attesting the Secure VM (SNP).
     SnpSecVirtAttest(SnpError),
-    #[cfg(feature = "tee")]
+    #[cfg(all(feature = "tee", target_arch = "x86_64"))]
     /// The TEE specified is not supported.
     InvalidTee,
     /// Failed to signal Vcpu.
@@ -294,38 +294,38 @@ impl Display for Error {
             SetUserMemoryRegion2(e) => write!(f, "Cannot set the memory regions: {e}"),
             #[cfg(feature = "tee")]
             CreateGuestMemfd(e) => write!(f, "Cannot create guest memfd: {e}"),
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SevSecVirtInit(e) => {
                 write!(
                     f,
                     "Error initializing the Secure Virtualization Backend (SEV): {e:?}"
                 )
             }
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SevSecVirtPrepare(e) => write!(
                 f,
                 "Error preparing the VM for Secure Virtualization (SEV): {e:?}"
             ),
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SevSecVirtAttest(e) => write!(f, "Error attesting the Secure VM (SEV): {e:?}"),
 
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SnpSecVirtInit(e) => write!(
                 f,
                 "Error initializing the Secure Virtualization Backend (SEV): {e:?}"
             ),
 
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SnpSecVirtPrepare(e) => write!(
                 f,
                 "Error preparing the VM for Secure Virtualization (SNP): {e:?}"
             ),
 
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             SnpSecVirtAttest(e) => write!(f, "Error attesting the Secure VM (SNP): {e:?}"),
 
             SignalVcpu(e) => write!(f, "Failed to signal Vcpu: {e}"),
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             MissingTeeConfig => write!(f, "Missing TEE configuration"),
             #[cfg(target_arch = "x86_64")]
             MSRSConfiguration(e) => write!(f, "Error configuring the MSR registers: {e:?}"),
@@ -409,7 +409,7 @@ impl Display for Error {
             #[cfg(target_arch = "aarch64")]
             VcpuArmInit(e) => write!(f, "Error doing Vcpu Init on Arm: {e}"),
 
-            #[cfg(feature = "tee")]
+            #[cfg(all(feature = "tee", target_arch = "x86_64"))]
             InvalidTee => write!(f, "TEE selected is not currently supported"),
         }
     }
diff --git a/src/vmm/src/resources.rs b/src/vmm/src/resources.rs

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,6 @@ fn main() {`
`5`	`5`	`println!("cargo:rustc-link-search=/opt/homebrew/lib");`
`6`	`6`	`#[cfg(all(not(feature = "tee"), not(feature = "efi")))]`
`7`	`7`	`println!("cargo:rustc-link-lib=krunfw");`
`8`		`- #[cfg(feature = "tee")]`
	`8`	`+ #[cfg(all(feature = "tee", target_arch = "x86_64"))]`
`9`	`9`	`println!("cargo:rustc-link-lib=krunfw-sev");`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ impl Vmm {`
`269`	`269`	`) -> Result<()> {`
`270`	`270`	`#[cfg(target_arch = "x86_64")]`
`271`	`271`	`{`
`272`		`- let cmdline_len = if cfg!(feature = "tee") {`
	`272`	`+ let cmdline_len = if cfg!(all(feature = "tee", target_arch = "x86_64")) {`
`273`	`273`	`arch::x86_64::layout::CMDLINE_SEV_SIZE`
`274`	`274`	`} else {`
`275`	`275`	`self.kernel_cmdline.len() + 1`