diff --git a/config/bootwrapper.yaml b/config/bootwrapper.yaml index 8d7ecde03744ab698e5e67ff4e9fce58c7741c97..f1f7e3036bbb7386f0133a10ea6571a47641cf12 100644 --- a/config/bootwrapper.yaml +++ b/config/bootwrapper.yaml @@ -32,6 +32,7 @@ run: -C bp.secure_memory: 0 -a cluster*.cpu*: ${rtvar:BOOTWRAPPER} -C bp.virtioblockdevice.image_path: ${rtvar:ROOTFS} + -C bp.pl011_uart0.shutdown_tag: '"reboot: System halted"' terminals: bp.terminal_0: diff --git a/config/cca.yaml b/config/cca.yaml new file mode 100644 index 0000000000000000000000000000000000000000..3b1b3c8d4bf70568603c8e5e374c1073e656724c --- /dev/null +++ b/config/cca.yaml 
@@ -0,0 +1,155 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ Brings together a software stack to demonstrate Arm CCA running on FVP in a
+ four-world configuration. Includes TF-A in root world, Hafnium and some demo
+ secure partitions in secure world, RMM in realm world, and Linux in Normal
+ world.
+
+ In order to launch realm VMs, the user must bring their own rootfs that
+ contains a realm-aware kvmtool and an RSI-aware guest kernel image.
+
+concrete: true
+
+layers:
+ - tfa-base.yaml
+ - rmm-base.yaml
+ - hafnium-base.yaml
+ - linux-base.yaml
+ - kvmtool-base.yaml
+ - FVP_Base_RevC-2xAEMvA-base.yaml
+ - arch/v9.2.yaml
+
+build:
+ tfa:
+ params:
+ ENABLE_RME: 1
+ RMM: ${artifact:RMM}
+ CTX_INCLUDE_EL2_REGS: 1
+ SPD: spmd
+ SPMD_SPM_AT_SEL2: 1
+ SP_LAYOUT_FILE: ${artifact:SP_LAYOUT}
+ BL32: ${artifact:HAFNIUM}
+ ARM_LINUX_KERNEL_AS_BL33: 1
+ PRELOADED_BL33_BASE: 0x84000000
+
+ # SME is not supported concurrently with CCA yet.
+ ENABLE_SME_FOR_NS: 0
+ ENABLE_SME_FOR_SWD: 0
+ ENABLE_FEAT_HCX: 0
+
+ linux:
+ repo:
+ remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
+ revision: cca-full/rfc-v1
+
+ prebuild:
+ # Disable CPU_IDLE as a workaround to speed up the FVP. Since we are using
+ # the TF-A DT, which provides CPU idle state parameters, it otherwise
+ # causes Linux to constantly enter cpu idle, slowing the FVP down. We
+ # can't easily use the upstream DT right now, due to some RAM having been
+ # carved out for the RMM and this is not reflected in that DT. CPU_IDLE is
+ # selected by ACPI, so we have to disable that too to maintain a legal
+ # config. That's OK for now since we are using the DT.
+ - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_ACPI
+ - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_CPU_IDLE
+
+ # Provides secure partitions that run under Hafnium for demonstration.
+ tfa-tests:
+ repo:
+ remote: https://git.trustedfirmware.org/TF-A/tf-a-tests.git
+ revision: v2.8
+
+ toolchain: aarch64-none-elf-
+
+ params:
+ PLAT: fvp
+ DEBUG: 1
+
+ build:
+ # TODO: tfa-tests has makefile dependency bug that prevents parallel make (-j > 1).
+ - make BUILD_BASE=${param:builddir} ${param:join_equal} all pack_realm
+
+ clean:
+ - make BUILD_BASE=${param:builddir} realclean
+
+ artifacts:
+ SP_LAYOUT: ${param:builddir}/fvp/debug/sp_layout.json
+
+ kvmtool:
+ repo:
+ dtc:
+ revision: v1.6.1
+ kvmtool:
+ remote: https://gitlab.arm.com/linux-arm/kvmtool-cca
+ revision: cca/rfc-v1
+
+ kvm-unit-tests:
+ repo:
+ remote: https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca
+ revision: cca/rfc-v1
+
+ toolchain: aarch64-linux-gnu-
+
+ params:
+ --arch: arm64
+ --cross-prefix: $${CROSS_COMPILE}
+ --target: kvmtool
+
+ build:
+ - ./configure ${param:join_equal}
+ - make -j${param:jobs}
+ - tar -caf ${param:builddir}/kvm-unit-tests.tgz -C ${param:sourcedir} .
+
+ clean:
+ - make -j${param:jobs} clean
+
+ artifacts:
+ KVM_UNIT_TESTS: ${param:builddir}/kvm-unit-tests.tgz
+
+run:
+ rtvars:
+ BL1:
+ type: path
+ value: ${artifact:BL1}
+
+ FIP:
+ type: path
+ value: ${artifact:FIP}
+
+ KERNEL:
+ type: path
+ value: ${artifact:KERNEL}
+
+ ROOTFS:
+ type: path
+ value: ''
+
+ params:
+ -C bp.secureflashloader.fname: ${rtvar:BL1}
+ -C bp.flashloader0.fname: ${rtvar:FIP}
+ -C bp.virtioblockdevice.image_path: ${rtvar:ROOTFS}
+ --data cluster0.cpu0: ${rtvar:KERNEL}@0x84000000
+ -C cluster0.rme_support_level: 2
+ -C cluster1.rme_support_level: 2
+
+ # SME is not supported concurrently with CCA yet.
+ -C SVE.ScalableVectorExtension.has_sme: 0
+
+
+ terminals:
+ bp.terminal_0:
+ friendly: tfa+linux
+ type: stdinout
+
+ bp.terminal_1:
+ friendly: tfa-rt
+
+ bp.terminal_2:
+ friendly: hafnium
+
+ bp.terminal_3:
+ friendly: rmm
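Review bot: The `linux`, `kvmtool` and `kvm-unit-tests` entries under `build:` set `revision:` to branch-style names (`cca-full/rfc-v1`, `cca/rfc-v1`); if these are branches or movable tags, the kernel and VMM that end up in the realm-world demo can change without any change to this file, so a build cannot be reproduced or audited from the config alone. Consider pinning each to an immutable commit id, e.g. `revision: <full commit id>  # cca/rfc-v1`, and doing the same for `v2.8` and `v1.6.1` if the tool accepts commit ids. The `linux` remote uses the host `git.gitlab.arm.com` while the other two Arm remotes use `gitlab.arm.com`; worth making these consistent or noting why they differ. Finally, `ROOTFS` defaults to `''` and is passed straight to `bp.virtioblockdevice.image_path`; a comment such as `# Must be overridden at run time; no rootfs is built by this config` next to the rtvar would make the requirement from the description visible where it is enforced.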
diff --git a/config/kvmtool-base.yaml b/config/kvmtool-base.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4ad34127e424cb7855e5332d8cdc67c67c90deee
--- /dev/null
+++ b/config/kvmtool-base.yaml
@@ -0,0 +1,37 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ kvmtool is a lightweight Virtual Machine Monitor that can be used, in concert
+ with KVM, to create and manage virtual machines. This config fragment can be
+ used to build the kvmtool binary, which is exported as an artifact called
+ LKVM. Fancy optional extras which depend on 3rd party libraries are not
+ enabled.
+
+build:
+ kvmtool:
+ repo:
+ dtc:
+ remote: git://git.kernel.org/pub/scm/utils/dtc/dtc.git
+ revision: master
+ kvmtool:
+ remote: git://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git
+ revision: master
+
+ toolchain: aarch64-linux-gnu-
+
+ build:
+ - export CC=$${CROSS_COMPILE}gcc
+ - export ARCH=arm64
+ - export LIBFDT_DIR=${param:sourcedir}/dtc/libfdt
+ - make -j${param:jobs} -C dtc libfdt
+ - make -j${param:jobs} -C kvmtool
+
+ clean:
+ - make -j${param:jobs} -C dtc clean
+ - make -j${param:jobs} -C kvmtool clean
+
+ artifacts:
+ LKVM: ${param:sourcedir}/kvmtool/lkvm
\ No newline at end of file
diff --git a/config/linux-base.yaml b/config/linux-base.yaml
index bb31dad17378834d4c7806f930241150e30f1eb3..94fb4b1e300d46d3131da733c0f67300158804e1 100644
--- a/config/linux-base.yaml
+++ b/config/linux-base.yaml
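Review bot: Both `remote:` entries in the new kvmtool-base.yaml use the `git://` transport, which is neither encrypted nor authenticated, and both `revision:` values are `master`, so the source compiled into the `LKVM` artifact is protected neither in transit nor against upstream drift. Prefer `remote: https://git.kernel.org/pub/scm/utils/dtc/dtc.git` and `remote: https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git`, with `revision:` set to a release tag or commit id (cca.yaml in this change already overrides dtc to `v1.6.1`, which suggests a known-good version exists). The file also ends without a trailing newline.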
@@ -6,7 +6,8 @@ description: >- Linux kernel build config. Builds the kernel image and set of modules. Image is exported as the KERNEL artifact, while the modules are exported in a tgz - archive as the KMODULES artifact. + archive as the KMODULES artifact. Modules are only built if a higher level + layer specifies `export BUILD_KMODULES=true` in the prebuild section. By default the defconfig is built. Users can optionally add commands to the prebuild list to modify the config (e.g. `./scripts/config ...`) or even @@ -21,7 +22,7 @@ build: toolchain: aarch64-none-elf- prebuild: - - export BUILD_KMODULES=true + - export BUILD_KMODULES=false - export ARCH=arm64 - make -j${param:jobs} O=${param:builddir} defconfig diff --git a/config/rmm-base.yaml b/config/rmm-base.yaml new file mode 100644 index 0000000000000000000000000000000000000000..3b4a1d85522e35219e06899780f0f66816a8595a --- /dev/null +++ b/config/rmm-base.yaml @@ -0,0 +1,24 @@ +# Copyright (c) 2022, Arm Limited. +# SPDX-License-Identifier: MIT + +%YAML 1.2 +--- +build: + rmm: + repo: + remote: https://git.trustedfirmware.org/TF-RMM/tf-rmm.git + revision: tf-rmm-v0.2.0 + + toolchain: aarch64-none-elf- + + params: + -DRMM_CONFIG: fvp_defcfg + -DCMAKE_BUILD_TYPE: Release + -DLOG_LEVEL: 40 + + build: + - cmake ${param:join_equal} -S . -B ${param:builddir} + - cmake --build ${param:builddir} -j ${param:jobs} + + artifacts: + RMM: ${param:builddir}/rmm.img diff --git a/docker/Dockerfile.slim b/docker/Dockerfile.slim index db2a93cbbf24cd98acdd098ef1214493ee08490c..7898a7d5cebc6c41cb8ff0c16afb54a8fa477615 100644 --- a/docker/Dockerfile.slim +++ b/docker/Dockerfile.slim 
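Review bot: Flipping the default in `prebuild` to `export BUILD_KMODULES=false` changes the output of every existing config layered on linux-base.yaml, and any of them that consumes the `KMODULES` artifact would now get no modules unless it is updated in the same change; no such update is visible in this diff. The new description text says a higher layer opts in with `export BUILD_KMODULES=true` in its own prebuild section, which only works if the merged prebuild list runs the higher layer's entry after this one; that merge order is not visible here and is worth stating in the description. If the artifact is still declared when modules are not built, a short note on what consumers should expect would help.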
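Review bot: Unlike kvmtool-base.yaml and cca.yaml in this same change, the new rmm-base.yaml has no `description:` and no `clean:` section, and `-DLOG_LEVEL: 40` is an unexplained magic number. Suggest a short description saying what is built and that the image is exported as the `RMM` artifact, plus a comment on the parameter such as `# 40 = <level name>; see the RMM build options`. For a `Release` build of the realm-world firmware it is worth stating the intended log verbosity explicitly rather than leaving it to the reader to look up. Add a `clean:` entry if stale build directories can affect later builds with this tool.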
@@ -70,6 +70,23 @@ RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProb python3-distutils \ uuid-dev +# Install packages requried by RMM. +# From https://tf-rmm.readthedocs.io/en/latest/getting_started/getting-started.html. +RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProblemResolver=yes \ + build-essential \ + git \ + make \ + ninja-build \ + python3 \ + python3-pip +RUN pip3 install \ + cmake + +# Install packages requried by kvmtool. +RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProblemResolver=yes \ + build-essential \ + pkg-config + # TODO: Install any packages required by U-Boot, OP-TEE, Trusty, etc. # Install the aarch64-linux-gnu- toolchain. We use the stock Debian packages for diff --git a/test/test.py b/test/test.py index ec9c25f9576847192b343f8f8a4d1a95612cca2d..1938aad3243f4160bb3366abf5b5634c171f2d7f 100755 --- a/test/test.py +++ b/test/test.py @@ -171,6 +171,9 @@ def do_main(smoke_test): build_configs(['bootwrapper.yaml'], arch) run_config_bootwrap('bootwrapper.yaml', BOOTWRAPPER, ROOTFS, arch) + build_configs(['cca.yaml']) + run_config_kern('cca.yaml', KERNEL, ROOTFS) + print_results()
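Review bot: The added `RUN pip3 install cmake` pulls whatever version PyPI serves at image build time, unpinned and without hash checking, so the tool that configures the RMM build can change between image builds. Pin it, e.g. `RUN pip3 install --no-cache-dir cmake==<pinned version>`, or install from a requirements file with `--require-hashes`. Both new comments misspell "required" as "requried", and `build-essential` is listed in both new `apt-get install` commands; listing it once is enough. The hunk starts partway through the Dockerfile, so whether an `apt-get update` precedes these layers cannot be checked from here.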
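Review bot: The two added calls in `do_main` omit the `arch` argument that the neighbouring `build_configs(['bootwrapper.yaml'], arch)` and `run_config_bootwrap(..., arch)` calls pass, and nothing says why. cca.yaml selects its architecture through the `arch/v9.2.yaml` layer, so this is presumably intentional; a comment such as `# cca.yaml pins arch/v9.2.yaml itself, so no arch overlay is passed` would keep a later reader from "fixing" it. Separately, `run_config_kern('cca.yaml', KERNEL, ROOTFS)` passes `KERNEL`; if that names a generic prebuilt image rather than the linux-cca build from this config, the test would not exercise the kernel that cca.yaml builds. That is worth confirming, since the definition of `KERNEL` and the rest of `do_main` lie outside the hunk.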