From 8a0f2b5970440ff440fecb612e1c71f3662818fa Mon Sep 17 00:00:00 2001
From: Jean-Philippe Brucker
Date: Wed, 26 Feb 2025 16:32:32 +0000
Subject: [PATCH 1/6] configs/cca-3world: Update CCA components

Use CCA KVM patches v7, and a compatible kvmtool.

Signed-off-by: Jean-Philippe Brucker
---
 config/cca-3world.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index bcca35b..1a5b32d 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
@@ -112,7 +112,7 @@ build:
 linux:
 repo:
 remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
- revision: cca-full/v5+v7
+ revision: cca-host/v7
 kvmtool:
 repo:
@@ -120,7 +120,7 @@ build:
 revision: v1.6.1
 kvmtool:
 remote: https://gitlab.arm.com/linux-arm/kvmtool-cca
- revision: cca/v3
+ revision: cca/v5
 edk2-cca-guest:
 repo:
--
GitLab

From 6eb647213709378392d132694d2568b1b4ed523a Mon Sep 17 00:00:00 2001
From: Jean-Philippe Brucker
Date: Thu, 15 Aug 2024 15:18:31 +0100
Subject: [PATCH 2/6] configs/cca-3world: Enable CONFIG_ARM_CCA_GUEST

When using a CCA config, users will want to test attestation. Enable the driver that provides attestation reports.

Signed-off-by: Jean-Philippe Brucker
---
 config/cca-3world.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index 1a5b32d..a7dd1b2 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
@@ -113,6 +113,8 @@ build:
 repo:
 remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
 revision: cca-host/v7
+ prebuild:
+ - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST
 kvmtool:
 repo:
--
GitLab

From 0aad9581c2c04ca13ff2a4b41f51ad059160a006 Mon Sep 17 00:00:00 2001
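Review bot: The added `./scripts/config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST` prebuild step writes the symbols into .config but never confirms they survive config resolution, so if a dependency of the guest driver is unmet when the kernel's config is later normalized the option is dropped without error and the guest simply has no attestation report interface; the same applies to the CONFIG_HZ_100 step in the next patch. A cheap guard after the kernel build, e.g. `grep -q '^CONFIG_ARM_CCA_GUEST=y$' ${param:builddir}/.config`, would turn that into a visible build failure instead of a runtime surprise in the Realm. Whether the layered linux.yaml runs olddefconfig between this prebuild and the build is not visible in the hunk, so the guard is worth having either way.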
From: Jean-Philippe Brucker
Date: Wed, 27 Nov 2024 12:10:01 +0000
Subject: [PATCH 3/6] configs/cca-3world: Use CONFIG_HZ_100 for the kernel

Running the CCA guest on an emulated platform is very slow. An easy optimization is reducing the number of context switches to the host due to timer interrupts, since context switches are very expensive on CCA. Using HZ_100 instead of the default HZ_250 improves guest boot time.

Signed-off-by: Jean-Philippe Brucker
---
 config/cca-3world.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index a7dd1b2..bad76d4 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
@@ -115,6 +115,8 @@ build:
 revision: cca-host/v7
 prebuild:
 - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST
+ # Reduce the number of timer exits from the guest
+ - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_HZ_250 --enable CONFIG_HZ_100
 kvmtool:
 repo:
--
GitLab

From 3ba3daf3dcc46ad0a1e81e384843009d9ede0756 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Brucker
Date: Mon, 9 Sep 2024 09:48:43 +0100
Subject: [PATCH 4/6] configs/cca-3world: Reproducible Linux build

Set a fixed build timestamp (the source tree timestamp) so repeat builds produce the same image. This is useful when testing remote attestation, allowing the user to only provision a verifier once.

Signed-off-by: Jean-Philippe Brucker
---
 config/cca-3world.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index bad76d4..9898e13 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
@@ -114,6 +114,8 @@ build:
 remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
 revision: cca-host/v7
 prebuild:
+ # Use source dir modification time as timestamp (for locally reproducible build)
+ - export KBUILD_BUILD_TIMESTAMP="@$$(stat -c '%Y' ${param:sourcedir})"
 - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST
 # Reduce the number of timer exits from the guest
 - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_HZ_250 --enable CONFIG_HZ_100
--
GitLab

From 61945f5390d8e68f38346e134d9dc8f93220be50 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Brucker
Date: Thu, 15 Aug 2024 15:21:38 +0100
Subject: [PATCH 5/6] config: Add ${param:packagedir} to the run variables

It may be useful for a run command to reference the package dir, for example to provide a default SHARE runtime variable:

--rtvar SHARE='${param:packagedir}'

Signed-off-by: Jean-Philippe Brucker
---
 documentation/userguide/configmodel.rst | 2 ++
 shrinkwrap/utils/config.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/documentation/userguide/configmodel.rst b/documentation/userguide/configmodel.rst
index 827b5c8..93331ee 100644
--- a/documentation/userguide/configmodel.rst
+++ b/documentation/userguide/configmodel.rst
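Review bot: Pinning only KBUILD_BUILD_TIMESTAMP makes the Image reproducible on one machine, as the added comment says, but the kernel also embeds the builder's user and host name in its version banner, so the same tree built by another user or on another host still yields a different Image and therefore a different reference measurement for the verifier. If the goal is to provision a verifier once, also export `KBUILD_BUILD_USER=<fixed-user>` and `KBUILD_BUILD_HOST=<fixed-host>` (placeholder values) next to the timestamp line. The comment could additionally state that the directory mtime used here changes whenever an entry is added or removed at the top level of the source tree, for example on checkout of another revision, so that users know when the measurement will move.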
@@ -133,6 +133,8 @@ macro scope
 ``${param:join_equal}`` build..{prebuild, build, postbuild} String containing all of the component's parameters (from its params dictionary), concatenated as ``key=value`` pairs.
 ``${param:join_space}`` build..{prebuild, build, postbuild} String containing all of the component's parameters (from its params dictionary), concatenated as ``key value`` pairs.
 ``${artifact:}`` build..{params, prebuild, build, postbuild, artifacts}, build.btvars Build path of an artifact declared by another component. Usage of these macros determine the component build dependency graph.
+``${param:packagedir}`` run.rtvars
+ Root directory containing all component artifacts.
 ``${artifact:}`` run.rtvars Package path of an artifact.
 ``${rtvar:}`` run.params Run-time variables. The variable names, along with default values are declared in run.rtvars, and the user may override the value on the command line.
 ======================= ===================================================================================================================== ====
diff --git a/shrinkwrap/utils/config.py b/shrinkwrap/utils/config.py
index 2f77d8d..372b0c2 100644
--- a/shrinkwrap/utils/config.py
+++ b/shrinkwrap/utils/config.py
@@ -676,6 +676,7 @@ def resolver(config, rtvars={}, clivars={}):
 # values for.
 lut = {
 'param': {
+ 'packagedir': os.path.join(workspace.package, config['name']),
 **dict(clivars),
 },
 'artifact': {k: v['dst']
--
GitLab

From 31f3ecfb75e83e44e150f65f89049358ce819f0c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Brucker
Date: Tue, 6 Aug 2024 11:30:14 +0100
Subject: [PATCH 6/6] configs: Add buildroot-cca overlay

Include tools needed for CCA in the buildroot image.

Signed-off-by: Jean-Philippe Brucker
---
 config/buildroot-cca.yaml | 113 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 config/buildroot-cca.yaml
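Review bot: The new `'packagedir'` entry sits before `**dict(clivars)` in the `'param'` table, so a command-line variable named packagedir silently replaces the computed package path rather than being rejected; if that override is not intended, guard the collision before building `lut`, e.g. `if 'packagedir' in clivars: raise ValueError("'packagedir' is a reserved param name")`, or spread `clivars` first so the built-in value wins. The documentation hunk scopes the macro to `run.rtvars`, but whether this `lut` is consulted only for that scope cannot be confirmed here, since `resolver()` starts and ends outside the hunk. `workspace` is likewise not visible in the hunk and is presumably a module-level name; worth a glance that it is always initialized when `resolver()` runs.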
diff --git a/config/buildroot-cca.yaml b/config/buildroot-cca.yaml
new file mode 100644
index 0000000..e230bab
--- /dev/null
+++ b/config/buildroot-cca.yaml
@@ -0,0 +1,113 @@
+# Copyright (c) 2024, Linaro Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ Integrate tools for CCA into the buildroot image:
+ - cca-workload-attestation to display an attestation token or send it to a
+ verifier.
+ https://git.codelinaro.org/linaro/dcap/cca-demos/cca-workload-attestation-poc
+ - keybroker-demo to demonstrate remote attestation for downloading secrets.
+ https://github.com/veraison/keybroker-demo/
+ - cca-realm-measurements to generate a DTB and run a VMM.
+ https://github.com/veraison/cca-realm-measurements
+ - kvmtool and QEMU to run Realm VMs.
+ - Automatically mount the shared 9p folder to /mnt, mount configfs for
+ attestation, and create a tap interface.
+
+ Use it with:
+
+ .. code-block:: shell
+ $ shrinkwrap build cca-3world.yaml --overlay buildroot-cca.yaml
+ $ shrinkwrap run cca-3world.yaml
+
+ In the host, launch a VM with:
+
+ .. code-block:: shell
+ $ gen-run-vmm.sh [--kvmtool]
+
+ In the guest, you can obtain an attestation token, and send it to a verifier:
+
+ .. code-block:: shell
+ $ cca-workload-attestation report
+ {
+ "cca-platform-token": {
+ ...
+ $ cca-workload-attestation passport
+ {
+ "ear.verifier-id": {
+ "build": "N/A",
+ "developer": "Veraison Project"
+ },
+ ...
+
+ You can also obtain a key from a keybroker running locally that performs
+ attestation. Run the keybroker-server on the build machine, using the
+ external IP of the build machine to be accessible from the keybroker-app (in
+ this case 192.168.0.10 on a local network):
+
+ .. code-block:: shell
+ $ keybroker-server -e http://192.168.0.10 -v -a 0.0.0.0
+
+ In the guest, connect to the server
+
+ ..
code-block:: shell
+ $ keybroker-app -v -e http://192.168.0.10:8088 skywalker
+
+layers:
+ - buildroot.yaml
+
+build:
+ linux:
+ prebuild:
+ # We extend buildroot with an initscript that creates a macvtap interface,
+ # so enable it in the kernel
+ - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_MACVLAN --enable CONFIG_MACVTAP
+
+ buildroot-external-cca:
+ repo:
+ remote: https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git
+ revision: main
+
+ artifacts:
+ BUILDROOT_EXTERNAL_CCA:
+ path: ${param:sourcedir}
+ export: false
+
+ buildroot:
+ repo:
+ remote: https://github.com/buildroot/buildroot.git
+ revision: 2024.08.2
+
+ prebuild:
+ - make BR2_JLEVEL=${param:jobs} O=${param:builddir} BR2_EXTERNAL=${artifact:BUILDROOT_EXTERNAL_CCA} cca_defconfig
+
+ # gen-vmm-run.sh configuration for the shrinkwrap package/ layout
+ - cat < ${param:builddir}/gen-run-vmm.cfg
+ - KERNEL=/mnt/Image
+ - INITRD=/mnt/rootfs.cpio
+ - EDK2_DIR=/mnt/
+ - RUN_DISK=/mnt/guest-disk.img
+ - EOF
+
+ - sed -i '\@BR2_PACKAGE_CCA_REALM_MEASUREMENTS_CFG@s@=.*@="\${param:builddir}/gen-run-vmm.cfg"@' ${param:builddir}/.config
+
+ artifacts:
+ GUEST_INITRD: ${param:builddir}/images/rootfs.cpio
+
+buildex:
+ btvars:
+ GUEST_ROOTFS:
+ type: path
+ value: ${artifact:BUILDROOT}
+
+run:
+ rtvars:
+ ROOTFS:
+ type: path
+ value: ${artifact:BUILDROOT}
+
+ SHARE:
+ type: path
+ value: ${param:packagedir}
--
GitLab
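Review bot: `revision: main` for buildroot-external-cca is an unpinned branch while buildroot itself is pinned to `2024.08.2`; since this overlay produces the rootfs whose measurement a verifier is expected to check, a floating revision means two builds of the same config can yield different images and undo the reproducibility the earlier kernel timestamp patch sets up, so pin it to a tag or commit (`revision: <commit-id>`, placeholder). Separately, the `cat < ${param:builddir}/gen-run-vmm.cfg` item is followed by `KERNEL=…` through `EOF` items that only make sense as a heredoc body; if the intended command is `cat <<EOF > ${param:builddir}/gen-run-vmm.cfg` the redirection may just have been lost in this rendering of the patch, but as shown the step reads the file instead of creating it, so the committed line is worth confirming. The description's `keybroker-server -a 0.0.0.0` example binds to all interfaces on the build machine; a short comment that this is for a local demo network would help readers who copy it.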