Re: [RFC kvmtool 00/31] arm64: Support for Arm Confidential Compute Architecture

[Piotr Sawicki <piotr.sawickas@gmail.com>]

Hi Suzuki

> This series is an initial version of the support for running VMs under the
> Arm Confidential Compute Architecture. The purpose of the series is to gather
> feedback on the proposed UABI changes for running Confidential VMs with KVM.
> More information on the Arm CCA and instructions for how to get, build and run
> the entire software stack is available here [0].
> 
> A new option, `--realm` is added to the the `run` command to mark the VM as a
> confidential compute VM. This version doesn't use the Guest private memory [1]
> support yet, instead uses normal anonymous/hugetlbfs backed memory. Our aim is
> to switch to the guest private memory for the Realm.
> 
> The host including the kernel and kvmtool, must not access any memory allocated
> to the protected IPA of the Realm.
> 
> The series adds the support for managing the lifecycle of the Realm, which includes:
>     * Configuration
>     * Creation of Realm (RD)
>     * Load initial memory images
>     * Creation of Realm Execution Contexts (RECs aka VCPUs)a
>     * Activation of the Realm.
> 
> Patches are split as follows :
> 
> Patches 1 and 2 are fixes to existing code.
> Patch 3 adds a new option --nocompat to disable compat warnings
> Patches 4 - 6 are some preparations for Realm specific changes.
> 
> The remaining patches adds Realm support and using the --realm option is
> enabled in patch 30.
> 
> The v1.0 of the Realm Management Monitor (RMM) specification doesn't support
> paging protected memory of a Realm. Thus all of the memory backing the RAM
> is locked by the VMM.
> 
> Since the IPA space of a Realm is split into Protected and Unprotected, with
> one alias of the other, the VMM doubles the IPA Size for a Realm VM.
> 
> The KVM support for Arm CCA is advertised with a new cap KVM_CAP_ARM_RME.
> A new "VM type" field is defined in the vm_type for CREATE_VM ioctl to indicate
> that a VM is "Realm". Once the VM is created, the life cycle of the Realm is
> managed via KVM_ENABLE_CAP of KVM_CAP_ARM_RME.
> 
> Command line options are also added to configure the Realm parameters.
> These include :
>   - Hash algorithm for measurements
>   - Realm personalisation value
>   - SVE vector Length (Optional feature in v1.0 RMM spec. Not yet supported
>     by the TF-RMM. coming soon).
> 
> Support for PMU and self-hosted debug (number of watchpoint/breakpoit registers)
> are not supported yet in the KVM/RMM implementation. This will be added soon.
> 
> The UABI doesn't support discovering the "supported" configuration values. In
> real world, the Realm configuration 'affects' the initial measurement of the
> Realms and which may be verified by a remote entity. Thus, the VMM is not at
> liberty to make choices for configurations based on the "host" capabilities.
> Instead, VMM should launch a Realm with the user requested parameters. If this
> cannot be satisfied, there is no point in running the Realm. We are happy to
> change this if there is interest.
> 
> Special actions are required to load the initial memory images (e.g, kernel,
> firmware, DTB, initrd) in to the Realm memory.
> 
> For VCPUs, we add a new feature KVM_ARM_VCPU_REC, which will be used to control
> the creation of the REC object (via KVM_ARM_VCPU_FINALIZE). This must be done
> after the initial register state of the VCPUs are set.
> RMM imposes an order in which the RECs are created. i.e., they must be created
> in the ascending order of the MPIDR. This is for now a responsibility of the
> VMM.
> 
> Once the Realm images are loaded, VCPUs created, Realm is activated before
> the first vCPU is run.
> 
> virtio for the Realms enforces VIRTIO_F_ACCESS_PLATFORM flag.
> 
> Also, added support for injecting SEA into the VM for unhandled MMIO.
> 

I wonder if there is a plan to develop a dedicated (stand-alone) tool 
that allows a realm developer to calculate Realm Initial Measurements 
for realms. I mean a tool that can be compiled and run on a Linux PC 
machine.

As you know, the remote attestation mechanism requires a verifier to be 
provisioned with reference values. In this case, a realm verifier should 
have access to the initial reference measurement (RIM) of a realm that 
is intended to be run on a remote Arm CCA platform.

The algorithm that measures the initial state of realms (RIM) is highly 
sensitive to the content of a realm memory and the order of RMI 
operations. This means that not only the content of populated realm 
memory matters but also the implementation of the host components (e.g. 
kvm, kvmtool/qemu).In the  of kvmtool-cca, the layout of memory and the 
content of DTB highly depend on the provided options (DTB is generated 
in run-time). Unfortunately, the content of DTB also depends on the 
linking order of object files (the order of DTB generation is imposed by 
__attribute__((constructor)) that is used to register devices). This 
complicates development of a separate tool for calculating RIM, as the 
tool would have to emulate all quirks of the kvmtool.

One of the solution of retrieving Realm Initial Measurements seems to be 
running the whole firmware/software (e.g. kvmtool/Linux host/TF-RMM) 
stack on the FVP emulator and gathering the RIM directly from the 
TF-RMM. This would require a realm developer to have access to the whole 
firmware/software stack and the emulator of the CCA platform.

The other solution would require the implementation of a dedicated tool. 
For instance, a sensible approach could be to extend the functionality 
of kvmtool.

Is Arm going to develop a dedicated, stand-alone tool for calculating RIMs?

What is the recommended way of retrieving/calculating RIMs for realms?

Kind regards,
Piotr Sawicki