This project showcases a networked TamaGo UEFI unikernel for execution under AMD Secure Encrypted Virtualization (SEV) using QEMU or Google Compute Engine.
It is based on, and depends on, the go-boot code base.
The default operation is to present an interactive shell with commands
registered from the cmd package:
```
initializing EFI services
exiting EFI boot services
tamago-sev-example • tamago/amd64 (go1.26rc2) • UEFI x64
build # build information
cat <path> # show file contents
cpuid <leaf> <subleaf> # show CPU capabilities
date (time in RFC339 format)? # show/change runtime date and time
dns <host> # resolve domain
efivar (verbose)? # list all UEFI variables
exit,quit # exit application
halt,shutdown # shutdown system
help # this help
info # device information
ls (<path>)? # list directory contents
lspci # list PCI devices
msr <hex addr> # read model-specific register
net-gve # start gVNIC networking
net-uefi <ip> <mac> <gw> (debug)? # start UEFI networking
net-virtio <ip> <mask> <gw> (debug)? # start VirtIO networking
peek <hex addr> <size> # memory display (use with caution)
poke <hex addr> <hex value> # memory write (use with caution)
reset (cold|warm)? # reset system
sev # AMD SEV-SNP information
sev-kdf # AMD SEV-SNP key derivation
sev-report (raw|verify)? # AMD SEV-SNP attestation report
sev-tsc # AMD SEV-SNP TSC information
stack # goroutine stack trace (current)
stackall # goroutine stack trace (all)
stat <path> # show file information
terminate # exit EFI Boot Services
uefi # UEFI information
uptime # show system running time
> sev
SEV ................: true
SEV-ES .............: true
SEV-SNP ............: true
Encrypted bit ......: 51
SNP Version ........: 1
Secrets Page .......: 0x80d000 (4096 bytes)
Secrets Version ....: 4
TSC Factor .........: 0xc8
Launch Mitigations .: 0xb
VMPCK0 .............: 0x08 -- 0x4c
VMPCK1 .............: 0xd7 -- 0x99
VMPCK2 .............: 0x45 -- 0x86
VMPCK3 .............: 0xd5 -- 0xa0
> sev-report
Version ............: 5
VMPL ...............: 0
SignatureAlgo ......: 1
CurrentTCB .........: 1b1b00000000000a
Measurement ........: 81aee09d5c062ee862df833df9865a7bd54605e8dcbba8690c4bade521916c59234edeaad51ee801b09086878e6b13b9
ReportedTCB ........: 1b1b00000000000a
CommittedTCB .......: 1b1b00000000000a
Launch Mitigations : 0xb
Current Mitigations : 0xb
SignatureR .........: 1e6da2bac3327aedfa27fb675b92289d8a76ab8d1fa61b0d5c66d25b4e54c32a55f5fbd651137b7a820cc5b4a068ffea
SignatureS .........: 94cb3a662bd72146e3e31ba0a776f1b3ccba192c9d714d1631ac94d6cc3df9f9334b023e8bd3381cb32379ad45879cde
```
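The `sev-report` fields above are what a relying party examines before trusting a guest. The following Go program is an added example, not code from tamago-sev-example or go-boot: it parses the text output of `sev-report` exactly as printed above, splits the TCB values into their component versions using the TCB_VERSION layout of the SEV-SNP ABI for Milan/Genoa parts, and applies a simple acceptance policy (matching launch measurement, VMPL 0, agreeing TCB values, minimum firmware versions). The `Policy` type, the function names, and the assumption that the tool prints TCB values as the 64-bit integer in big-endian hex (low byte last) are mine; verifying the ECDSA P-384 signature against the VCEK certificate chain is a separate step not shown here.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample input: the sev-report output quoted in this README.
const sampleMeasurement = "81aee09d5c062ee862df833df9865a7bd54605e8dcbba8690c4bade521916c59234edeaad51ee801b09086878e6b13b9"

var sampleReport = strings.Join([]string{
	"Version ............: 5",
	"VMPL ...............: 0",
	"SignatureAlgo ......: 1",
	"CurrentTCB .........: 1b1b00000000000a",
	"Measurement ........: " + sampleMeasurement,
	"ReportedTCB ........: 1b1b00000000000a",
	"CommittedTCB .......: 1b1b00000000000a",
	"Launch Mitigations : 0xb",
	"Current Mitigations : 0xb",
}, "\n")

// TCB holds the component versions packed into a SEV-SNP TCB_VERSION.
type TCB struct {
	BootLoader, TEE, SNP, Microcode uint8
}

// Policy is this example's (hypothetical) acceptance policy for a report.
type Policy struct {
	Measurement string // expected launch measurement, hex
	MinTCB      TCB    // every component must be at least this version
	MaxVMPL     uint64 // highest VM privilege level accepted
}

// parseFields turns "Key ....: value" lines into a map keyed by the bare name.
func parseFields(out string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		k, v, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		fields[strings.TrimRight(k, " .")] = strings.TrimSpace(v)
	}
	return fields
}

// decodeTCB splits a TCB_VERSION printed as the 64-bit value in big-endian
// hex (assumption: low byte last). Layout per the SEV-SNP ABI for Milan/Genoa:
// bits 7:0 boot loader, 15:8 TEE, 55:48 SNP firmware, 63:56 microcode.
func decodeTCB(h string) (TCB, error) {
	v, err := strconv.ParseUint(h, 16, 64)
	if err != nil {
		return TCB{}, err
	}
	return TCB{
		BootLoader: uint8(v),
		TEE:        uint8(v >> 8),
		SNP:        uint8(v >> 48),
		Microcode:  uint8(v >> 56),
	}, nil
}

// atLeast reports whether every component of a is >= the same component of b.
func (a TCB) atLeast(b TCB) bool {
	return a.BootLoader >= b.BootLoader && a.TEE >= b.TEE &&
		a.SNP >= b.SNP && a.Microcode >= b.Microcode
}

// checkReport applies the policy and returns the list of failed checks;
// an empty list means the report content is acceptable.
func checkReport(out string, p Policy) []string {
	f := parseFields(out)
	var fails []string

	if f["SignatureAlgo"] != "1" { // 1 = ECDSA P-384 with SHA-384
		fails = append(fails, "unexpected signature algorithm")
	}
	if vmpl, err := strconv.ParseUint(f["VMPL"], 10, 8); err != nil || vmpl > p.MaxVMPL {
		fails = append(fails, "VMPL above policy maximum")
	}
	if m, err := hex.DecodeString(f["Measurement"]); err != nil || len(m) != 48 ||
		!strings.EqualFold(f["Measurement"], p.Measurement) {
		fails = append(fails, "launch measurement does not match the expected image")
	}
	// The hypervisor may report an older TCB than the one running; this
	// example's policy requires current, reported and committed to agree.
	if f["CurrentTCB"] != f["ReportedTCB"] || f["ReportedTCB"] != f["CommittedTCB"] {
		fails = append(fails, "CurrentTCB, ReportedTCB and CommittedTCB disagree")
	}
	if tcb, err := decodeTCB(f["ReportedTCB"]); err != nil || !tcb.atLeast(p.MinTCB) {
		fails = append(fails, "reported TCB below policy minimum")
	}
	return fails
}

func main() {
	policy := Policy{Measurement: sampleMeasurement, MinTCB: TCB{BootLoader: 1, SNP: 1, Microcode: 1}}
	tcb, _ := decodeTCB("1b1b00000000000a")
	fmt.Printf("TCB: %+v\n", tcb)
	if fails := checkReport(sampleReport, policy); len(fails) > 0 {
		fmt.Println("rejected:", strings.Join(fails, "; "))
	} else {
		fmt.Println("report accepted")
	}
}
```

The policy values (`MinTCB`, `MaxVMPL`) are placeholders; a real relying party pins them to the firmware levels it has validated and to the measurement of the exact `tamago-sev-example.efi` build it expects.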
The TamaGo compiler is automatically downloaded and compiled as a go tool by the Makefile.
Alternatively, the TAMAGO environment variable can be overridden to use the
latest binary release:
```
wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip
unzip latest.zip
cd tamago-go-latest/src && ./all.bash
cd ../bin && export TAMAGO=`pwd`/go
```
The following environment variables configure the tamago-sev-example.efi
executable build:
IMAGE_BASE: must be set (in hex) within a memory range available in the target UEFI environment for the unikernel allocation; the HCL or the `memmap` command from a UEFI Shell can provide such a value. When empty, a common default value is used.
Build the tamago-sev-example.efi executable:
```
git clone https://github.com/usbarmory/tamago-sev-example && cd tamago-sev-example
make efi IMAGE_BASE=10000000
```
QEMU supported targets can be executed under emulation, using the Open Virtual Machine Firmware, as follows:
```
make qemu OVMF=<path to OVMF.amdsev.fd>
```
For networking, tap0 should be configured as follows (Linux example):
```
ip tuntap add dev tap0 mode tap group <your user group>
ip addr add 10.0.0.2/24 dev tap0
ip link set tap0 up
```
The qemu-snp target provides an example of execution under AMD Secure Encrypted Virtualization (SEV) and can be used on compatible hardware.
The following example demonstrates how to create, and deploy, a UEFI-bootable image for confidential cloud deployments:
The following sections illustrate the network options available depending on the KVM configuration.
For all net-* commands the optional `debug` string can be passed as the final
argument to enable a Go profiling server and an unauthenticated SSH console
exposing the unikernel shell. The SSH console accepts connections without any
authentication, so this option is meant for isolated test networks such as the
tap0 setup above.
```
> net-virtio 10.0.0.1 255.255.255.0 10.0.0.2 debug
starting debug servers:
http://10.0.0.1:80/debug/pprof
ssh://10.0.0.1:22
network initialized (10.0.0.1/24 da:e7:ac:e2:5e:05)
> dns golang.org
[142.251.209.17 2a00:1450:4002:410::2011]
```
When running under any QEMU target, VirtIO networking is available through the
net-virtio command.
The command takes an IP address, a network mask, and a gateway IP address as arguments.
```
> net-virtio 10.0.0.1 255.255.255.0 10.0.0.2
> network initialized (10.0.0.1 42010a840002)
```
When running under QEMU with the unikernel loaded from a disk image (e.g. the make qemu or make qemu-snp-disk targets), the UEFI Simple Network Protocol is
available through the net-uefi command.
The command takes an IP address in CIDR notation, a fixed MAC address or `:` to
automatically generate a random MAC, and a gateway IP address as arguments.
```
> net-uefi 10.0.0.1/24 : 10.0.0.2
network initialized (10.0.0.1/24 da:e7:ac:e2:5e:05)
```
Warning: this is a work in progress, not yet operational.
When running under Google Compute Engine, gVNIC support is available
through the net-gve command.
An emulated target can be debugged with GDB using make qemu-gdb; this makes
QEMU wait for a GDB connection, which can be launched as follows:
```
gdb -ex "target remote 127.0.0.1:1234"
```
Breakpoints can be set in the usual way:
```
b cpuinit
continue
```
tamago-sev-example | https://github.com/usbarmory/tamago-sev-example Copyright (c) The tamago-sev-example authors. All Rights Reserved.
These source files are distributed under the BSD-style license found in the LICENSE file.