On 10/23/24 16:27, Dorjoy Chowdhury wrote:
On Wed, Oct 16, 2024 at 7:58 PM Dorjoy Chowdhury <dorjoychy...@gmail.com> wrote:
Ping
This patch series has been reviewed by Alex. I am not sure if it needs
more review. If not, maybe this can be picked up for merging. Thanks!
Gentle ping.
This patch series has been reviewed by Alex and there hasn't been any
more reviews. it would be great if this could be picked up for
merging. Thanks!
Hi,
sorry about the delay -- the patches failed CI and I didn't have much
time to investigate until now.
The issues are basically:
1) some rST syntax errors
2) failures on non-Linux due to lack of VHOST_USER
3) failures on 32-bit due to uint64_t/long mismatch.
While fixing (2) I also moved the dependency on libcbor and gnutls from
meson to Kconfig, and added --enable-libcbor to configure. I also split
hw/core/eif.c to a separate symbol, just to simplify reproducing the
32-bit failure on the right commit.
And finally, VIRTIO_NSM should default to no (the nitro-enclave machne
takes care of selecting it).
No big deal; it's easier done than described. See attached patch for
the differences.
Paolo
diff --git a/docs/system/i386/nitro-enclave.rst b/docs/system/i386/nitro-enclave.rst
index 3fb9e068930..73e3edefe5b 100644
--- a/docs/system/i386/nitro-enclave.rst
+++ b/docs/system/i386/nitro-enclave.rst
@@ -1,8 +1,8 @@
'nitro-enclave' virtual machine (``nitro-enclave``)
===================================================
-``nitro-enclave`` is a machine type which emulates an ``AWS nitro enclave``
-virtual machine. `AWS nitro enclaves`_ is an `Amazon EC2`_ feature that allows
+``nitro-enclave`` is a machine type which emulates an *AWS nitro enclave*
+virtual machine. `AWS nitro enclaves`_ is an Amazon EC2 feature that allows
creating isolated execution environments, called enclaves, from Amazon EC2
instances which are used for processing highly sensitive data. Enclaves have
no persistent storage and no external networking. The enclave VMs are based
@@ -13,7 +13,7 @@ the enclave VM gets a dynamic CID. Enclaves use an EIF (`Enclave Image Format`_)
file which contains the necessary kernel, cmdline and ramdisk(s) to boot.
In QEMU, ``nitro-enclave`` is a machine type based on ``microvm`` similar to how
-``AWS nitro enclaves`` are based on ``Firecracker`` microvm. This is useful for
+AWS nitro enclaves are based on `Firecracker`_ microvm. This is useful for
local testing of EIF files using QEMU instead of running real AWS Nitro Enclaves
which can be difficult for debugging due to its roots in security. The vsock
device emulation is done using vhost-user-vsock which means another process that
@@ -23,13 +23,13 @@ must be run alongside nitro-enclave for the vsock communication to work.
``libcbor`` and ``gnutls`` are required dependencies for nitro-enclave machine
support to be added when building QEMU from source.
-.. _AWS nitro enlaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
-.. _Amazon EC2: https://aws.amazon.com/ec2/
+.. _AWS nitro enclaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
.. _Enclave Image Format: https://github.com/aws/aws-nitro-enclaves-image-format
.. _vhost-device-vsock: https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock
+.. _Firecracker: https://firecracker-microvm.github.io
Using the nitro-enclave machine type
-------------------------------
+------------------------------------
Machine-specific options
~~~~~~~~~~~~~~~~~~~~~~~~
@@ -45,11 +45,13 @@ It supports the following machine-specific options:
Running a nitro-enclave VM
~~~~~~~~~~~~~~~~~~~~~~~~~~
-First, run `vhost-device-vsock`_ (or a similar tool that supports vhost-user-vsock).
+First, run `vhost-device-vsock`__ (or a similar tool that supports vhost-user-vsock).
The forward-cid option below with value 1 forwards all connections from the enclave
VM to the host machine and the forward-listen (port numbers separated by '+') is used
for forwarding connections from the host machine to the enclave VM.
+__ https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock#using-the-vsock-backend
+
$ vhost-device-vsock \
--vm guest-cid=4,forward-cid=1,forward-listen=9001+9002,socket=/tmp/vhost4.socket
@@ -74,5 +76,3 @@ connect to the enclave VM, run them on the host machine after enclave VM starts.
You need to modify the applications to connect to CID 1 (instead of the enclave
VM's CID) and use the forward-listen (e.g., 9001+9002) option of vhost-device-vsock
to forward the ports they connect to.
-
-.. _vhost-device-vsock: https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock#using-the-vsock-backend
diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst
index 23e84e3ba76..ab7af1a75d6 100644
--- a/docs/system/target-i386.rst
+++ b/docs/system/target-i386.rst
@@ -14,8 +14,9 @@ Board-specific documentation
.. toctree::
:maxdepth: 1
- i386/microvm
i386/pc
+ i386/microvm
+ i386/nitro-enclave
Architectural features
~~~~~~~~~~~~~~~~~~~~~~
diff --git a/meson.build b/meson.build
index 20300fca206..41458e3dba1 100644
--- a/meson.build
+++ b/meson.build
@@ -1709,7 +1709,11 @@ if (have_system or have_tools) and (virgl.found() or opengl.found())
endif
have_vhost_user_gpu = have_vhost_user_gpu and virgl.found() and opengl.found() and gbm.found()
-libcbor = dependency('libcbor', version: '>=0.7.0', required: false)
+libcbor = not_found
+if not get_option('libcbor').auto() or have_system
+ libcbor = dependency('libcbor', version: '>=0.7.0',
+ required: get_option('libcbor'))
+endif
gnutls = not_found
gnutls_crypto = not_found
@@ -3119,6 +3123,8 @@ host_kconfig = \
(spice.found() ? ['CONFIG_SPICE=y'] : []) + \
(have_ivshmem ? ['CONFIG_IVSHMEM=y'] : []) + \
(opengl.found() ? ['CONFIG_OPENGL=y'] : []) + \
+ (libcbor.found() ? ['CONFIG_LIBCBOR=y'] : []) + \
+ (gnutls.found() ? ['CONFIG_GNUTLS=y'] : []) + \
(x11.found() ? ['CONFIG_X11=y'] : []) + \
(fdt.found() ? ['CONFIG_FDT=y'] : []) + \
(have_vhost_user ? ['CONFIG_VHOST_USER=y'] : []) + \
@@ -4699,6 +4705,7 @@ summary_info += {'NUMA host support': numa}
summary_info += {'capstone': capstone}
summary_info += {'libpmem support': libpmem}
summary_info += {'libdaxctl support': libdaxctl}
+summary_info += {'libcbor support': libcbor}
summary_info += {'libudev': libudev}
# Dummy dependency, keep .found()
summary_info += {'FUSE lseek': fuse_lseek.found()}
diff --git a/hw/core/eif.c b/hw/core/eif.c
index d737d7f23c1..7f3b2edc9a7 100644
--- a/hw/core/eif.c
+++ b/hw/core/eif.c
@@ -467,7 +467,7 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd,
uint16_t section_type;
if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
- error_setg_errno(errp, errno, "Failed to offset to %lu in EIF file",
+ error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file",
eif_header.section_offsets[i]);
goto cleanup;
}
@@ -483,7 +483,7 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd,
if (eif_header.section_sizes[i] != hdr.section_size) {
error_setg(errp, "EIF section size mismatch between header and "
- "section header: header %lu, section header %lu",
+ "section header: header %" PRIu64 ", section header %" PRIu64,
eif_header.section_sizes[i],
hdr.section_size);
goto cleanup;
diff --git a/Kconfig.host b/Kconfig.host
index 4ade7899d67..842cbe0d6c5 100644
--- a/Kconfig.host
+++ b/Kconfig.host
@@ -5,6 +5,12 @@
config LINUX
bool
+config LIBCBOR
+ bool
+
+config GNUTLS
+ bool
+
config OPENGL
bool
diff --git a/hw/core/Kconfig b/hw/core/Kconfig
index 24411f59306..d1bdf765ee8 100644
--- a/hw/core/Kconfig
+++ b/hw/core/Kconfig
@@ -34,3 +34,7 @@ config REGISTER
config SPLIT_IRQ
bool
+
+config EIF
+ bool
+ depends on LIBCBOR && GNUTLS
diff --git a/hw/core/meson.build b/hw/core/meson.build
index 5437a944902..9fd0b5aaa5e 100644
--- a/hw/core/meson.build
+++ b/hw/core/meson.build
@@ -24,9 +24,7 @@ system_ss.add(when: 'CONFIG_REGISTER', if_true: files('register.c'))
system_ss.add(when: 'CONFIG_SPLIT_IRQ', if_true: files('split-irq.c'))
system_ss.add(when: 'CONFIG_XILINX_AXI', if_true: files('stream.c'))
system_ss.add(when: 'CONFIG_PLATFORM_BUS', if_true: files('sysbus-fdt.c'))
-if libcbor.found() and gnutls.found()
- system_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: [files('eif.c'), zlib, libcbor, gnutls])
-endif
+system_ss.add(when: 'CONFIG_EIF', if_true: [files('eif.c'), zlib, libcbor, gnutls])
system_ss.add(files(
'cpu-sysemu.c',
diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig
index 63271bf9153..32818480d26 100644
--- a/hw/i386/Kconfig
+++ b/hw/i386/Kconfig
@@ -131,7 +131,11 @@ config MICROVM
config NITRO_ENCLAVE
default y
- depends on MICROVM
+ depends on I386 && FDT # for MICROVM
+ depends on LIBCBOR && GNUTLS # for EIF and VIRTIO_NSM
+ depends on VHOST_USER # for VHOST_USER_VSOCK
+ select EIF
+ select MICROVM
select VHOST_USER_VSOCK
select VIRTIO_NSM
diff --git a/hw/i386/meson.build b/hw/i386/meson.build
index 1ddd7a83be9..10bdfde27c6 100644
--- a/hw/i386/meson.build
+++ b/hw/i386/meson.build
@@ -15,9 +15,7 @@ i386_ss.add(when: 'CONFIG_AMD_IOMMU', if_true: files('amd_iommu.c'),
if_false: files('amd_iommu-stub.c'))
i386_ss.add(when: 'CONFIG_I440FX', if_true: files('pc_piix.c'))
i386_ss.add(when: 'CONFIG_MICROVM', if_true: files('x86-common.c', 'microvm.c', 'acpi-microvm.c', 'microvm-dt.c'))
-if libcbor.found() and gnutls.found()
- i386_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: files('nitro_enclave.c'))
-endif
+i386_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: files('nitro_enclave.c'))
i386_ss.add(when: 'CONFIG_Q35', if_true: files('pc_q35.c'))
i386_ss.add(when: 'CONFIG_VMMOUSE', if_true: files('vmmouse.c'))
i386_ss.add(when: 'CONFIG_VMPORT', if_true: files('vmport.c'))
diff --git a/hw/virtio/Kconfig b/hw/virtio/Kconfig
index 0cedf48f982..70c77e183d4 100644
--- a/hw/virtio/Kconfig
+++ b/hw/virtio/Kconfig
@@ -8,8 +8,7 @@ config VIRTIO_RNG
config VIRTIO_NSM
bool
- default y
- depends on VIRTIO
+ depends on LIBCBOR && VIRTIO
config VIRTIO_IOMMU
bool
diff --git a/hw/virtio/meson.build b/hw/virtio/meson.build
index 1fe7cb4d72c..a5f9f7999dd 100644
--- a/hw/virtio/meson.build
+++ b/hw/virtio/meson.build
@@ -54,9 +54,7 @@ specific_virtio_ss.add(when: 'CONFIG_VIRTIO_PMEM', if_true: files('virtio-pmem.c
specific_virtio_ss.add(when: 'CONFIG_VHOST_VSOCK', if_true: files('vhost-vsock.c'))
specific_virtio_ss.add(when: 'CONFIG_VHOST_USER_VSOCK', if_true: files('vhost-user-vsock.c'))
specific_virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-rng.c'))
-if libcbor.found()
- specific_virtio_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm.c', 'cbor-helpers.c'), libcbor])
-endif
+specific_virtio_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm.c', 'cbor-helpers.c'), libcbor])
specific_virtio_ss.add(when: 'CONFIG_VIRTIO_MEM', if_true: files('virtio-mem.c'))
specific_virtio_ss.add(when: 'CONFIG_VHOST_USER_SCMI', if_true: files('vhost-user-scmi.c'))
specific_virtio_ss.add(when: ['CONFIG_VIRTIO_PCI', 'CONFIG_VHOST_USER_SCMI'], if_true: files('vhost-user-scmi-pci.c'))
@@ -73,9 +71,7 @@ virtio_pci_ss.add(when: 'CONFIG_VIRTIO_CRYPTO', if_true: files('virtio-crypto-pc
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_INPUT_HOST', if_true: files('virtio-input-host-pci.c'))
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_INPUT', if_true: files('virtio-input-pci.c'))
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-rng-pci.c'))
-if libcbor.found()
- virtio_pci_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm-pci.c', 'cbor-helpers.c'), libcbor])
-endif
+virtio_pci_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm-pci.c', 'cbor-helpers.c'), libcbor])
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_BALLOON', if_true: files('virtio-balloon-pci.c'))
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_9P', if_true: files('virtio-9p-pci.c'))
virtio_pci_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio-scsi-pci.c'))
diff --git a/meson_options.txt b/meson_options.txt
index 0ee4d7bb86b..24bf0090560 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -168,6 +168,8 @@ option('iconv', type : 'feature', value : 'auto',
description: 'Font glyph conversion support')
option('curses', type : 'feature', value : 'auto',
description: 'curses UI')
+option('libcbor', type : 'feature', value : 'auto',
+ description: 'libcbor support')
option('gnutls', type : 'feature', value : 'auto',
description: 'GNUTLS cryptography support')
option('nettle', type : 'feature', value : 'auto',
diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh
index 6d08605b771..6f2bb08ecd8 100644
--- a/scripts/meson-buildoptions.sh
+++ b/scripts/meson-buildoptions.sh
@@ -133,6 +133,7 @@ meson_options_help() {
printf "%s\n" ' keyring Linux keyring support'
printf "%s\n" ' kvm KVM acceleration support'
printf "%s\n" ' l2tpv3 l2tpv3 network backend support'
+ printf "%s\n" ' libcbor libcbor support'
printf "%s\n" ' libdaxctl libdaxctl support'
printf "%s\n" ' libdw debuginfo support'
printf "%s\n" ' libiscsi libiscsi userspace initiator'
@@ -358,6 +359,8 @@ _meson_option_parse() {
--disable-kvm) printf "%s" -Dkvm=disabled ;;
--enable-l2tpv3) printf "%s" -Dl2tpv3=enabled ;;
--disable-l2tpv3) printf "%s" -Dl2tpv3=disabled ;;
+ --enable-libcbor) printf "%s" -Dlibcbor=enabled ;;
+ --disable-libcbor) printf "%s" -Dlibcbor=disabled ;;
--enable-libdaxctl) printf "%s" -Dlibdaxctl=enabled ;;
--disable-libdaxctl) printf "%s" -Dlibdaxctl=disabled ;;
--libdir=*) quote_sh "-Dlibdir=$2" ;;
