mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
399c8082ca
qemu/include/hw/i386/microvm.h
Dorjoy Chowdhury f1826463d2 machine/nitro-enclave: New machine type for AWS Nitro Enclaves 
AWS nitro enclaves[1] is an Amazon EC2[2] feature that allows creating
isolated execution environments, called enclaves, from Amazon EC2
instances which are used for processing highly sensitive data. Enclaves
have no persistent storage and no external networking. The enclave VMs
are based on the Firecracker microvm with a vhost-vsock device for
communication with the parent EC2 instance that spawned it and a Nitro
Secure Module (NSM) device for cryptographic attestation. The parent
instance VM always has CID 3 while the enclave VM gets a dynamic CID.

An EIF (Enclave Image Format)[3] file is used to boot an AWS nitro enclave
virtual machine. This commit adds support for AWS nitro enclave emulation
using a new machine type option '-M nitro-enclave'. This new machine type
is based on the 'microvm' machine type, similar to how real nitro enclave
VMs are based on Firecracker microvm. For nitro-enclave to boot from an
EIF file, the kernel and ramdisk(s) are extracted into a temporary kernel
and a temporary initrd file which are then hooked into the regular x86
boot mechanism along with the extracted cmdline. The EIF file path should
be provided using the '-kernel' QEMU option.

In QEMU, the vsock emulation for nitro enclave is added using vhost-user-
vsock as opposed to vhost-vsock. vhost-vsock doesn't support sibling VM
communication which is needed for nitro enclaves. So for the vsock
communication to CID 3 to work, another process that does the vsock
emulation in  userspace must be run, for example, vhost-device-vsock[4]
from rust-vmm, with necessary vsock communication support in another
guest VM with CID 3. Using vhost-user-vsock also enables the possibility
to implement some proxying support in the vhost-user-vsock daemon that
will forward all the packets to the host machine instead of CID 3 so
that users of nitro-enclave can run the necessary applications in their
host machine instead of running another whole VM with CID 3. The following
mandatory nitro-enclave machine option has been added related to the
vhost-user-vsock device.
  - 'vsock': The chardev id from the '-chardev' option for the
vhost-user-vsock device.

AWS Nitro Enclaves have built-in Nitro Secure Module (NSM) device which
has been added using the virtio-nsm device added in a previous commit.
In Nitro Enclaves, all the PCRs start in a known zero state and the first
16 PCRs are locked from boot and reserved. The PCR0, PCR1, PCR2 and PCR8
contain the SHA384 hashes related to the EIF file used to boot the VM
for validation. The following optional nitro-enclave machine options
have been added related to the NSM device.
  - 'id': Enclave identifier, reflected in the module-id of the NSM
device. If not provided, a default id will be set.
  - 'parent-role': Parent instance IAM role ARN, reflected in PCR3
of the NSM device.
  - 'parent-id': Parent instance identifier, reflected in PCR4 of the
NSM device.

[1] https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
[2] https://aws.amazon.com/ec2/
[3] https://github.com/aws/aws-nitro-enclaves-image-format
[4] https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock

Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
Reviewed-by: Alexander Graf <graf@amazon.com>
Link: https://lore.kernel.org/r/20241008211727.49088-6-dorjoychy111@gmail.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-31 18:28:33 +01:00

114 lines
3.4 KiB
C
Raw Blame History

/*
* Copyright (c) 2018 Intel Corporation
* Copyright (c) 2019 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2 or later, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License along with
* this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef HW_I386_MICROVM_H
#define HW_I386_MICROVM_H
#include "exec/hwaddr.h"
#include "qemu/notify.h"
#include "hw/boards.h"
#include "hw/i386/x86.h"
#include "hw/acpi/acpi_dev_interface.h"
#include "hw/pci-host/gpex.h"
#include "qom/object.h"
/*
* IRQ | pc | microvm (acpi=on)
* --------+------------+------------------
* 0 | pit |
* 1 | kbd |
* 2 | cascade |
* 3 | serial 1 |
* 4 | serial 0 | serial
* 5 | - |
* 6 | floppy |
* 7 | parallel |
* 8 | rtc | rtc (rtc=on)
* 9 | acpi | acpi (ged)
* 10 | pci lnk | xhci (usb=on)
* 11 | pci lnk |
* 12 | ps2 | pcie
* 13 | fpu | pcie
* 14 | ide 0 | pcie
* 15 | ide 1 | pcie
* 16-23 | pci gsi | virtio
*/
/* Platform virtio definitions */
#define VIRTIO_MMIO_BASE 0xfeb00000
#define VIRTIO_CMDLINE_MAXLEN 64
#define GED_MMIO_BASE 0xfea00000
#define GED_MMIO_BASE_MEMHP (GED_MMIO_BASE + 0x100)
#define GED_MMIO_BASE_REGS (GED_MMIO_BASE + 0x200)
#define GED_MMIO_IRQ 9
#define MICROVM_XHCI_BASE 0xfe900000
#define MICROVM_XHCI_IRQ 10
#define PCIE_MMIO_BASE 0xc0000000
#define PCIE_MMIO_SIZE 0x20000000
#define PCIE_ECAM_BASE 0xe0000000
#define PCIE_ECAM_SIZE 0x10000000
/* Machine type options */
#define MICROVM_MACHINE_RTC "rtc"
#define MICROVM_MACHINE_PCIE "pcie"
#define MICROVM_MACHINE_IOAPIC2 "ioapic2"
#define MICROVM_MACHINE_ISA_SERIAL "isa-serial"
#define MICROVM_MACHINE_OPTION_ROMS "x-option-roms"
#define MICROVM_MACHINE_AUTO_KERNEL_CMDLINE "auto-kernel-cmdline"
struct MicrovmMachineClass {
X86MachineClass parent;
HotplugHandler *(*orig_hotplug_handler)(MachineState *machine,
DeviceState *dev);
void (*x86_load_linux)(X86MachineState *x86ms, FWCfgState *fw_cfg,
int acpi_data_size, bool pvh_enabled);
};
struct MicrovmMachineState {
X86MachineState parent;
/* Machine type options */
OnOffAuto rtc;
OnOffAuto pcie;
OnOffAuto ioapic2;
bool isa_serial;
bool option_roms;
bool auto_kernel_cmdline;
/* Machine state */
uint32_t pcie_irq_base;
uint32_t virtio_irq_base;
uint32_t virtio_num_transports;
bool kernel_cmdline_fixed;
Notifier machine_done;
Notifier powerdown_req;
struct GPEXConfig gpex;
/* device tree */
void *fdt;
uint32_t ioapic_phandle[2];
};
#define TYPE_MICROVM_MACHINE MACHINE_TYPE_NAME("microvm")
OBJECT_DECLARE_TYPE(MicrovmMachineState, MicrovmMachineClass, MICROVM_MACHINE)
#endif
Reference in New Issue View Git Blame Copy Permalink