Support ARM CCA feature

Enable to build confidential guests using ARM CCA (Confidential
Computing Architecture). This work relies on v7 series for Linux and v8
series for KVM. This has been tested only on the corresponding FVP model
simulator. For testing, you require specific kvm-ioctls and kvm-bindings
crates.

Signed-off-by: Matias Ezequiel Vara Larsen <[email protected]>

Author: MatiasVara

Makefile

@@ -27,6 +27,9 @@ ifeq ($(SEV),1)
     INIT_SRC += $(SNP_INIT_SRC)
 	BUILD_INIT = 0
 endif
+ifeq ($(CCA), 1)
+    FEATURE_FLAGS := --features cca
+endif
 ifeq ($(VIRGL_RESOURCE_MAP2),1)
 	FEATURE_FLAGS += --features virgl_resource_map2
 endif

src/arch/Cargo.toml

@@ -5,6 +5,7 @@ authors = ["The Chromium OS Authors"]
 edition = "2021"
 
 [features]
+cca = [ "tee" ]
 tee = []
 amd-sev = [ "tee" ]
 efi = []

src/arch/src/aarch64/linux/regs.rs

@@ -110,6 +110,9 @@ arm64_sys_reg!(MPIDR_EL1, 3, 0, 0, 0, 5);
 /// * `boot_ip` - Starting instruction pointer.
 /// * `mem` - Reserved DRAM for current VM.
 pub fn setup_regs(vcpu: &VcpuFd, cpu_id: u8, boot_ip: u64, mem: &GuestMemoryMmap) -> Result<()> {
+    // PSTATE cannot be accesed from the host in CCA
+    #[cfg(not(feature = "cca"))]
+    #[allow(deref_nullptr)]
     // Get the register index of the PSTATE (Processor State) register.
     vcpu.set_one_reg(arm64_core_reg!(pstate), &PSTATE_FAULT_BITS_64.to_le_bytes())
         .map_err(Error::SetCoreRegister)?;

src/devices/Cargo.toml

@@ -6,6 +6,7 @@ edition = "2021"
 
 [features]
 tee = []
+cca = [ "tee" ]
 amd-sev = ["blk", "tee"]
 net = []
 blk = []

src/devices/src/fdt/aarch64.rs

@@ -286,10 +286,12 @@ fn create_psci_node(fdt: &mut FdtWriter) -> Result<()> {
     // Two methods available: hvc and smc.
     // As per documentation, PSCI calls between a guest and hypervisor may use the HVC conduit instead of SMC.
     // So, since we are using kvm, we need to use hvc.
-    #[cfg(target_os = "linux")]
+    #[cfg(all(target_os = "linux", not(feature = "cca")))]
     fdt.property_string("method", "hvc")?;
     #[cfg(target_os = "macos")]
     fdt.property_string("method", "smc")?;
+    #[cfg(feature = "cca")]
+    fdt.property_string("method", "smc")?;
     fdt.end_node(node)?;
 
     Ok(())

src/devices/src/virtio/block/device.rs

@@ -27,6 +27,9 @@ use utils::eventfd::{EventFd, EFD_NONBLOCK};
 use virtio_bindings::{
     virtio_blk::*, virtio_config::VIRTIO_F_VERSION_1, virtio_ring::VIRTIO_RING_F_EVENT_IDX,
 };
+#[cfg(feature = "cca")]
+use virtio_bindings::virtio_config::VIRTIO_F_ACCESS_PLATFORM;
+
 use vm_memory::{ByteValued, GuestMemoryMmap};
 
 use super::worker::BlockWorker;
@@ -240,10 +243,19 @@ impl Block {
         let disk_properties =
             DiskProperties::new(Arc::clone(&disk_image), disk_image_id.clone(), cache_type)?;
 
-        let mut avail_features = (1u64 << VIRTIO_F_VERSION_1)
+
+        let mut avail_features = if cfg!(feature = "cca") {
+            (1u64 << VIRTIO_F_VERSION_1)
             | (1u64 << VIRTIO_BLK_F_FLUSH)
             | (1u64 << VIRTIO_BLK_F_SEG_MAX)
-            | (1u64 << VIRTIO_RING_F_EVENT_IDX);
+            | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+            | (1 << VIRTIO_F_ACCESS_PLATFORM as u64)
+        } else {
+            (1u64 << VIRTIO_F_VERSION_1)
+            | (1u64 << VIRTIO_BLK_F_FLUSH)
+            | (1u64 << VIRTIO_BLK_F_SEG_MAX)
+            | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+        };
 
         if is_disk_read_only {
             avail_features |= 1u64 << VIRTIO_BLK_F_RO;

src/devices/src/virtio/console/device.rs

@@ -10,6 +10,8 @@ use libc::TIOCGWINSZ;
 use nix::ioctl_read_bad;
 use utils::eventfd::EventFd;
 use vm_memory::{ByteValued, Bytes, GuestMemoryMmap};
+#[cfg(feature = "cca")]
+use virtio_bindings::virtio_config::VIRTIO_F_ACCESS_PLATFORM;
 
 use super::super::{
     ActivateError, ActivateResult, ConsoleError, DeviceState, Queue as VirtQueue, VirtioDevice,
@@ -30,9 +32,18 @@ use crate::virtio::{PortDescription, VmmExitObserver};
 pub(crate) const CONTROL_RXQ_INDEX: usize = 2;
 pub(crate) const CONTROL_TXQ_INDEX: usize = 3;
 
-pub(crate) const AVAIL_FEATURES: u64 = (1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64)
-    | (1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64)
-    | (1 << uapi::VIRTIO_F_VERSION_1 as u64);
+// CCA requires VIRTIO_F_ACCESS_PLATFORM to ensure DMA-APIs
+// are triggered for virtio in Linux
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    (1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64)
+        | (1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64)
+        | (1 << uapi::VIRTIO_F_VERSION_1 as u64)
+        | (1 << VIRTIO_F_ACCESS_PLATFORM as u64)
+} else {
+    (1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64)
+        | (1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64)
+        | (1 << uapi::VIRTIO_F_VERSION_1 as u64)
+};
 
 #[repr(C)]
 #[derive(Default)]

src/devices/src/virtio/fs/device.rs

@@ -9,7 +9,10 @@ use std::thread::JoinHandle;
 use utils::eventfd::{EventFd, EFD_NONBLOCK};
 #[cfg(target_os = "macos")]
 use utils::worker_message::WorkerMessage;
-use virtio_bindings::{virtio_config::VIRTIO_F_VERSION_1, virtio_ring::VIRTIO_RING_F_EVENT_IDX};
+use virtio_bindings::{
+    virtio_config::VIRTIO_F_ACCESS_PLATFORM, virtio_config::VIRTIO_F_VERSION_1,
+    virtio_ring::VIRTIO_RING_F_EVENT_IDX,
+};
 use vm_memory::{ByteValued, GuestMemoryMmap};
 
 use super::super::{
@@ -72,7 +75,13 @@ impl Fs {
                 .push(EventFd::new(utils::eventfd::EFD_NONBLOCK).map_err(FsError::EventFd)?);
         }
 
-        let avail_features = (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX);
+        let avail_features = if cfg!(feature = "cca") {
+            (1u64 << VIRTIO_F_VERSION_1)
+                | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+                | (1 << VIRTIO_F_ACCESS_PLATFORM as u64)
+        } else {
+            (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+        };
 
         let tag = fs_id.into_bytes();
         let mut config = VirtioFsConfig::default();

src/devices/src/virtio/rng/device.rs

@@ -13,12 +13,17 @@ use super::super::{
 use super::{defs, defs::uapi};
 use crate::legacy::IrqChip;
 use crate::Error as DeviceError;
+use virtio_bindings::virtio_config::VIRTIO_F_ACCESS_PLATFORM;
 
 // Request queue.
 pub(crate) const REQ_INDEX: usize = 0;
 
 // Supported features.
-pub(crate) const AVAIL_FEATURES: u64 = 1 << uapi::VIRTIO_F_VERSION_1 as u64;
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64 | 1 << VIRTIO_F_ACCESS_PLATFORM as u64
+} else {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64
+};
 
 #[derive(Copy, Clone, Debug, Default)]
 #[repr(C, packed)]

src/libkrun/Cargo.toml

@@ -7,6 +7,7 @@ build = "build.rs"
 
 [features]
 tee = []
+cca = [ "tee" ]
 amd-sev = [ "blk", "tee" ]
 net = []
 blk = []
@@ -19,6 +20,7 @@ nitro = [ "dep:nitro", "dep:nitro-enclaves" ]
 [dependencies]
 crossbeam-channel = ">=0.5.15"
 env_logger = "0.11"
+vm-memory = { version = ">=0.13", features = ["backend-mmap"] }
 libc = ">=0.2.39"
 libloading = "0.8"
 log = "0.4.0"