{"type":"doc","content":[{"type":"paragraph","content":[{"text":"The whole software stack for CCA is in development, meaning instructions will change frequently and repositories are temporary. Instructions to compile the stack, both manually and from the OP-TEE build environment, have been written from a Ubuntu 22.04 LTS based system.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note: Even though this software stack uses OP-TEE build environment, it is not building and running OP-TEE itself.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"6"},"outline":{"value":"false"},"style":{"value":"none"},"type":{"value":"list"},"printable":{"value":"true"}},"macroMetadata":{"macroId":{"value":"f9d21211-e70c-46b3-990b-2b302fd24546"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"65d36293-0b74-4221-8fd4-979c4e5d893d"}},{"type":"heading","attrs":{"level":1},"content":[{"text":"Release Notes","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The latest build is “cca/v8”","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Since “cca/v7”, QEMU-virt went back to its original memory support of 3GB. QEMU-sbsa supports larger amounts of memory.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The name of the branch matches the Linux kernel mailing list’s CCA patchset the reference stack is built upon. Individual projects listed in the manifest may or may not have the same naming convention, or may reference older patchsets. This is normal and expected.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"There is a lot of churn in the CCA reference stack. As such we encourage users to upgrade to the newest revision when available.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"With the OP-TEE build environment","type":"text"}]},{"type":"paragraph","content":[{"text":"This method requires at least the following tools and libraries. The manual build described below also requires most of them.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"repo","type":"text","marks":[{"type":"link","attrs":{"href":"https://source.android.com/docs/setup/download/source-control-tools#installing-repo"}}]},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"python3-pyelftools, python3-venv","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"acpica-tools","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"openssl (debian libssl-dev)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"libglib2.0-dev, libpixman-1-dev","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"dtc (debian device-tree-compiler)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"flex, bison","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"make, cmake, ninja (debian ninja-build), curl, rsync","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The easiest way to build and run a complete stack is through OP-TEE. We support two system emulation QEMU machines, i.e Virt and SBSA. The amount of system RAM supported by QEMU-virt is set to at most 8GB and can not be increased. QEMU-sbsa also uses 8GB by default but can be configured between 2GB and 1TB. ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"4572d4f4-3f0e-4382-8a33-c33d7380f664"}}]}]},{"type":"paragraph","content":[{"text":"The following commands will download all components and build them, in about thirty minutes on a fast machine. To avoid dealing with dependencies you can also build the latest stack in a container environment and run it in a tmux session with ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"4572d4f4-3f0e-4382-8a33-c33d7380f664"}}]},{"text":"this set of scripts","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/pbo-linaro/qemu-rme-stack/tree/master"}}]},{"text":".","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"4572d4f4-3f0e-4382-8a33-c33d7380f664"}}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Virt machine:","type":"text"}]},{"type":"codeBlock","content":[{"text":"mkdir cca\ncd cca\nrepo init -u https://git.codelinaro.org/linaro/dcap/op-tee-4.2.0/manifest.git -b cca/v8 -m qemu_v8_cca.xml\nrepo sync -j8 --no-clone-bundle\ncd build\nmake -j8 toolchains\nmake -j8","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"SBSA machine:","type":"text"}]},{"type":"codeBlock","content":[{"text":"mkdir cca\ncd cca\nrepo init -u https://git.codelinaro.org/linaro/dcap/op-tee-4.2.0/manifest.git -b cca/v8 -m sbsa_cca.xml\nrepo sync -j8 --no-clone-bundle\ncd build\nmake -j8 toolchains\nmake -j8","type":"text"}]},{"type":"paragraph","content":[{"text":"Note: ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If the build fails, try without -j. It will point out missing dependencies.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"CLOUDHV=y","type":"text","marks":[{"type":"code"}]},{"text":" to build cloud-hypervisor. This requires a rust toolchain >= 1.77.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Images can be found under ","type":"text"},{"text":"cca/out/","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"cca/out-br/","type":"text","marks":[{"type":"code"}]},{"text":". The following command launches system emulation QEMU with the RME feature enabled, running TF-A, RMM and the Linux host.","type":"text"}]},{"type":"codeBlock","content":[{"text":"make run-only","type":"text"}]},{"type":"paragraph","content":[{"text":"This should launch 4 new terminals, i.e ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"Firmware","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":", ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"Host","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":", ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"Secure","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":" and ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"Realm","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":". ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"Output from the boot process will start flowing in the ","type":"text"},{"text":"Firmware","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":" terminal followed by the ","type":"text"},{"text":"Host","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"em"}]},{"text":" terminal. The build environment automatically makes the ","type":"text"},{"text":"cca","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"code"}]},{"text":" directory available to the host VM via 9p.","type":"text"}]},{"type":"paragraph","content":[{"text":"Read on for the details of the software stack, or skip to the following section to boot a Realm guest.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Manual build","type":"text"}]},{"type":"paragraph","content":[{"text":"The following sections detail how to build and run all components of the CCA software stack. Two QEMU binaries are built. The system emulation QEMU implements a complete machine, emulating Armv9 CPUs with FEAT_RME and four security states: Root, Secure, Non-secure and Realm. The VMM (Virtual Machine Manager) QEMU is cross-built by buildroot, and launches the realm guest from Non-secure EL0.","type":"text"}]},{"type":"codeBlock","content":[{"text":" | REALM | NON-SECURE |\n-------+--------------+--------------+\n EL0 | Guest Rootfs | Host Rootfs |\n | | QEMU VMM |\n-------+--------------+--------------+\n EL1 | EDK2 | |\n | Linux Guest | |\n | | EDK2 |\n-------+--------------+ Linux Host |\n EL2 | TF-RMM | (KVM) |\n | | |\n-------+--------------+--------------+\n (ROOT)| |\n EL3 | TF-A |\n-------+-----------------------------+\n HW | QEMU |\n-------+-----------------------------+","type":"text"}]},{"type":"paragraph","content":[{"text":"Instructions to build the TF-RMM, TF-A and host EDK2 differ based on the QEMU machine selected for system emulation. All other components of the stack are common to both machines.","type":"text"}]},{"type":"paragraph","content":[{"text":"Manual build instructions for TF-RMM, TF-A and host EDK2 on QEMU-virt","type":"text","marks":[{"type":"link","attrs":{"href":"https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29596450823"}}]}]},{"type":"paragraph","content":[{"text":"Manual build instructions for TF-RMM, TF-A and host EDK2 on QEMU-sbsa","type":"text","marks":[{"type":"link","attrs":{"href":"https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29594910896"}}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Host and guest Linux","type":"text"}]},{"type":"paragraph","content":[{"text":"Both host and guest need extra patches.","type":"text"}]},{"type":"paragraph","content":[{"text":"Status","type":"text","marks":[{"type":"strong"}]},{"text":": Guest support is in Linux v6.13. ","type":"text"},{"text":"Host support on the list","type":"text","marks":[{"type":"link","attrs":{"href":"https://lore.kernel.org/lkml/20250416134208.383984-1-steven.price@arm.com/"}}]}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"text":"https://gitlab.arm.com/linux-arm/linux-cca","type":"text","marks":[{"type":"link","attrs":{"href":"https://gitlab.arm.com/linux-arm/linux-cca"}}]},{"text":" cca-host/v8","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"make CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 defconfig\n# Enable the configfs-tsm driver that provides the attestation interface\nscripts/config -e VIRT_DRIVERS -e ARM_CCA_GUEST -e CONFIG_HZ_100 \\\n -d CONFIG_HZ_250 -e CONFIG_MACVLAN -e CONFIG_MACVTAP\nmake CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 -j8 Image","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Guest edk2","type":"text"}]},{"type":"paragraph","content":[{"text":"The QEMU VMM can either launch the guest kernel itself, or launch edk2 which launches the kernel or an intermediate bootloader. That latter method is generally used to boot a Linux distribution. Edk2 needs modifications in order to run as a Realm guest.","type":"text"}]},{"type":"paragraph","content":[{"text":"Status","type":"text","marks":[{"type":"strong"}]},{"text":": in development. Only the ArmVirtQemu firwmare supports booting in a Realm at the moment, not ArmVirtQemuKernel.","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"text":"https://git.codelinaro.org/linaro/dcap/edk2","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/edk2"}}]},{"text":" branch cca/latest","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"git submodule update --init --recursive\nsource edksetup.sh\nmake -j -C BaseTools\nexport GCC5_AARCH64_PREFIX=aarch64-linux-gnu-\nbuild -b RELEASE -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtQemu.dsc","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that the RELEASE build is a lot faster than the DEBUG build, but doesn’t provide a lot of information. If the boot doesn’t work, try building with ","type":"text"},{"text":"-b DEBUG","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"Direct kernel boot may fail while the EFI stub loads the initrd from edk2, because the memory is already fragmented at that point and edk2 may not find a contiguous region large enough to transfer the initrd to the kernel. If initrd loading fails, try increasing guest memory.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"QEMU and kvmtool VMM","type":"text"}]},{"type":"paragraph","content":[{"text":"Both kvmtool and QEMU can be used to launch Realm guests.","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}}]}]},{"type":"paragraph","content":[{"text":"Status","type":"text","marks":[{"type":"strong"}]},{"text":": in development","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"text":"https://git.codelinaro.org/linaro/dcap/qemu","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/qemu"}}]},{"text":" branch cca/latest","type":"text"},{"type":"hardBreak"},{"text":" ","type":"text"},{"text":"https://git.codelinaro.org/linaro/dcap/kvmtool","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/kvmtool"}}]},{"text":" branch cca/log","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"paragraph","content":[{"text":"The buildroot recipe below already includes kvmtool and QEMU for CCA, ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}},{"type":"strong"}]},{"text":"so there is no need to download them separately","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}}]},{"text":". ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}},{"type":"strong"}]},{"text":"For development you can use your own source directory: add a ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}}]},{"text":"local.mk","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}},{"type":"link","attrs":{"href":"http://local.mk"}}]},{"text":" file at the root of the buildroot build directory, containing:","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"8e286974-d54d-4820-bcfa-7d14c41925f1"}}]}]},{"type":"codeBlock","content":[{"text":"QEMU_CCA_OVERRIDE_SRCDIR = path/to/qemu\nKVMTOOL_CCA_OVERRIDE_SRCDIR = path/to/kvmtool","type":"text"}]},{"type":"paragraph","content":[{"text":"You will need to run ","type":"text"},{"text":"make qemu-cca-rebuild","type":"text","marks":[{"type":"code"}]},{"text":" in the buildroot build directory after making changes to the QEMU source.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Cloud-hypervisor","type":"text"}]},{"type":"paragraph","content":[{"text":"Status","type":"text","marks":[{"type":"strong"}]},{"text":": in development.","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/jpbrucker/cloud-hypervisor/tree/cca/latest"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"# Install the aarch64 target if necessary\nrustup target add aarch64-unknown-linux-gnu\n\nexport CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc\ncargo build --target=aarch64-unknown-linux-gnu --features=arm_rme","type":"text"}]},{"type":"paragraph","content":[{"text":"Then copy ","type":"text"},{"text":"target/aarch64-unknown-linux-gnu/debug/cloud-hypervisor","type":"text","marks":[{"type":"code"}]},{"text":" into the Root filesystem or the shared folder.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Root filesystem","type":"text"}]},{"type":"paragraph","content":[{"text":"Buildroot provides a convenient way to build lightweight root filesystems.","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://gitlab.com/buildroot.org/buildroot.git"}},{"type":"hardBreak"},{"text":"Use the master branch to have up-to-date recipes for building QEMU.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git"}}]},{"text":" contains additional packages used for demonstrating attestation and useful scripts. It also provides qemu-cca and kvmtool-cca packages that replace buildroot’s qemu and kvmtool, in order to use the latest work-in-progress VMM support for CCA.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"git clone https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git\ngit clone https://gitlab.com/buildroot.org/buildroot.git\ncd buildroot\nmake BR2_EXTERNAL=path/to/buildroot-external-cca/ cca_defconfig\nmake -j16\ncp output/images/rootfs.ext4 ../images/\ncp output/images/rootfs.cpio ../images/","type":"text"}]},{"type":"paragraph","content":[{"text":"This creates the rootfs images in buildroot’s ","type":"text"},{"text":"output/images/","type":"text","marks":[{"type":"code"}]},{"text":" when building in-tree, or ","type":"text"},{"text":"images/","type":"text","marks":[{"type":"code"}]},{"text":" when building out of tree.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Guest disk image for edk2","type":"text"}]},{"type":"paragraph","content":[{"text":"To create a guest disk image that resembles more a Linux distribution, containing the grub2 bootloader and the kernel, have a look at buildroot’s ","type":"text"},{"text":"configs/aarch64_efi_defconfig","type":"text","marks":[{"type":"code"}]},{"text":", which enables a few options to generate a disk with an EFI partition:","type":"text"}]},{"type":"codeBlock","content":[{"text":" BR2_PACKAGE_HOST_GENIMAGE=y\n BR2_PACKAGE_HOST_DOSFSTOOLS=y\n BR2_PACKAGE_HOST_MTOOLS=y\n BR2_TARGET_GRUB2=y\n BR2_TARGET_GRUB2_ARM64_EFI=y\n BR2_ROOTFS_POST_IMAGE_SCRIPT=\"board/aarch64-efi/post-image.sh support/scripts/genimage.sh\"\n BR2_ROOTFS_POST_SCRIPT_ARGS=\"-c board/aarch64-efi/genimage-efi.cfg\"\n\n# Copy the guest kernel Image into buildroot's build directory, where it will be\n# picked up by genimage.\nmkdir buildroot/output/images/\ncp linux/arch/arm64/boot/Image buildroot/output/images/Image\n\nmake aarch64_efi_defconfig\nmake","type":"text"}]},{"type":"paragraph","content":[{"text":"With these, after generating the root filesystem, buildroot packs it into another disk image under ","type":"text"},{"text":"output/images/disk.img","type":"text","marks":[{"type":"code"}]},{"text":"along with an EFI FAT partition that contains grub and the kernel Image (layout is defined by ","type":"text"},{"text":"board/aarch64-efi/genimage-efi.cfg","type":"text","marks":[{"type":"code"}]},{"text":"). File ","type":"text"},{"text":"output/images/disk.img","type":"text","marks":[{"type":"code"}]},{"text":" should be copied to a location accessible by the RME enabled base system. See variable ","type":"text"},{"text":"RUN_DISK","type":"text","marks":[{"type":"code"}]},{"text":" in file ","type":"text"},{"text":"/usr/share/cca-realm-measurements/gen-run-vmm.cfg","type":"text","marks":[{"type":"code"}]},{"text":" on the base root filesystem.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Build the Ubuntu Rootfs","type":"text"}]},{"type":"paragraph","content":[{"text":"Below there is a scripts to automatically build the ubuntu 22.04 rootfs, it consists of several parts:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate a 4G image, make partitions and mount.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Download the ubuntu-base filesystem and abstract the files to the image","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the essential files for ubuntu for installing packages.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set up the ","type":"text"},{"text":"init","type":"text","marks":[{"type":"code"}]},{"text":" process for Ubuntu Rootfs boot.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install essential packages via Chroot, in case of failing enabling the /dev/hvc0 when realm boot.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Umount","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"NOTE: Please copy this content below to a ubuntu_fs.sh and run it with ","type":"text"},{"text":"sudo","type":"text","marks":[{"type":"code"}]},{"text":", as the mount, chroot needs the root permissions.","type":"text"}]},{"type":"codeBlock","content":[{"text":"sudo ./ubuntu_fs.sh ubuntu22.img","type":"text"}]},{"type":"paragraph","content":[{"text":"The above command will generate a ubuntu 22 rootfs with the name ","type":"text"},{"text":"ubuntu22.img","type":"text","marks":[{"type":"code"}]},{"text":". It is very easy to launch, just change the disk image to ubuntu22.img and you can enjoy. It can be either running as the Realm Host, or the Realm itself for daily development. Just tweak the scripts below to suit your user cases.","type":"text"}]},{"type":"codeBlock","content":[{"text":"#!/bin/bash\n\nimg_name=\"$1\"\ndirectory=\"ubuntu_fs\"\nrealm_user=\"realm\"\nrealm_password=\"realm\"\n\nif [[ $EUID -ne 0 ]]; then\n echo \"Need to run with sudo\"\n exit 1\nfi\n\n# Check if the img file name parameter is provided\nif [ -z \"$img_name\" ]; then\n echo \"Please provide the generated img file name as the first parameter!\"\n exit 1\nfi\n\n#Generate a 4GB img file\necho \"Generating 4GB img file $img_name ...\"\ndd if=/dev/zero of=\"$img_name\" bs=1G count=4 || exit 1\n\n# Format the img file as ext4 file system\necho \"Formatting the img file as ext4 file system...\"\nmkfs.ext4 -F \"$img_name\" || exit 1\n\n# Check if the directory exists\nif [ -d \"$directory\" ]; then\n echo \"Directory $directory exists. Deleting its contents...\"\n rm -rf \"$directory\"/*\nelse\n echo \"Directory $directory does not exist. Creating the directory...\"\n mkdir \"$directory\"\nfi\n\n# Mount the img file to the ubuntu_fs directory\necho \"Mounting the img file to directory $directory...\"\nmount -o loop \"$img_name\" \"$directory\" || exit 1\n\n# Download the file\necho \"Downloading file $archive_file ...\"\narchive_url=\"https://cdimage.ubuntu.com/ubuntu-base/releases/22.04.4/release/ubuntu-base-22.04.4-base-arm64.tar.gz\"\narchive_file=\"ubuntu-base-22.04.4-base-arm64.tar.gz\"\nwget \"$archive_url\" -P \"$directory\"\n\n# Extract the file\necho \"Extracting file $archive_file to directory $directory...\"\ntar -xf \"$directory/$archive_file\" -C \"$directory\"\n\n# Remove the downloaded archive file\necho \"Removing downloaded archive file $archive_file ...\"\nrm \"$directory/$archive_file\"\n\n# Write nameserver to resolv.conf file\necho \"Writing nameserver to $directory/etc/resolv.conf file...\"\necho \"nameserver 8.8.8.8\" > \"$directory/etc/resolv.conf\"\n\ncat > \"$directory/etc/apt/sources.list\" << EOF\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy main restricted\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-updates main restricted\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy universe\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-updates universe\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy multiverse\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-updates multiverse\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-backports main restricted universe multiverse\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-security main restricted\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-security universe\ndeb http://nova.clouds.ports.ubuntu.com/ubuntu-ports/ jammy-security multiverse\nEOF\n\n# Switch to chroot environment and execute apt command\necho \"Switching to chroot environment and executing apt command...\"\nmount -t proc /proc $directory/proc\nmount -t sysfs /sys $directory/sys\nmount -o bind /dev $directory/dev\nmount -o bind /dev/pts $directory/dev/pts\nchroot \"$directory\" /bin/bash -c \"apt update -y\" || exit 1\n\n# Create a new user with sudo privileges\necho \"Creating user $realm_user with sudo privileges...\"\nchroot \"$directory\" /bin/bash -c \"useradd -m -s /bin/bash -G sudo $realm_user\" || exit 1\n\n# Set the password for the new user\necho \"Setting password for user $realm_user...\"\necho \"$realm_user:$realm_password\" | chroot \"$directory\" /bin/bash -c \"chpasswd\" || exit 1\n\nchroot \"$directory\" /bin/bash -c \"chmod 1777 /tmp\" || exit 1\n\necho \"Generate the init file\"\ncat > \"$directory/init\" << EOF\n#!/bin/sh\n\n[ -d /dev ] || mkdir -m 0755 /dev\n[ -d /root ] || mkdir -m 0700 /root\n[ -d /sys ] || mkdir /sys\n[ -d /proc ] || mkdir /proc\n[ -d /tmp ] || mkdir /tmp\nmkdir -p /var/lock\nmount -t sysfs -o nodev,noexec,nosuid sysfs /sys\nmount -t proc -o nodev,noexec,nosuid proc /proc\n# Some things don't work properly without /etc/mtab.\nln -sf /proc/mounts /etc/mtab\n\ngrep -q '\\' /proc/cmdline || echo \"Loading, please wait...\"\n\n# Note that this only becomes /dev on the real filesystem if udev's scripts\n# are used; which they will be, but it's worth pointing out\nif ! mount -t devtmpfs -o mode=0755 udev /dev; then\n echo \"W: devtmpfs not available, falling back to tmpfs for /dev\"\n mount -t tmpfs -o mode=0755 udev /dev\n [ -e /dev/console ] || mknod -m 0600 /dev/console c 5 1\n [ -e /dev/null ] || mknod /dev/null c 1 3\nfi\nmkdir /dev/pts\nmount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true\nmount -t tmpfs -o \"noexec,nosuid,size=10%,mode=0755\" tmpfs /run\nmkdir /run/initramfs\n# compatibility symlink for the pre-oneiric locations\nln -s /run/initramfs /dev/.initramfs \n\n# Set modprobe env\nexport MODPROBE_OPTIONS=\"-qb\"\n\n# mdadm needs hostname to be set. This has to be done before the udev rules are called!\nif [ -f \"/etc/hostname\" ]; then\n /bin/hostname -b -F /etc/hostname 2>&1 1>/dev/null\nfi\n\nexec /sbin/init\nEOF\nchmod +x $directory/init || exit 1\n\nchroot \"$directory\" /bin/bash -c \"apt install systemd iptables -y\" || exit 1\nchroot \"$directory\" /bin/bash -c \"ln -s /lib/systemd/systemd /sbin/init\" || exit 1\n\necho \"Install other essential components, in case of booting blocking at /dev/hvc0 failed to bring up\"\nchroot \"$directory\" /bin/bash -c \"apt install vim bash-completion net-tools iputils-ping ifupdown ethtool ssh rsync udev htop rsyslog curl openssh-server apt-utils dialog nfs-common psmisc language-pack-en-base sudo kmod apt-transport-https -y\" || exit 1\n# Unmount the mounted directory\necho \"Unmounting the mounted directory $directory ...\"\numount $directory/proc\numount $directory/sys\numount $directory/dev/pts\numount $directory/dev\numount \"$directory\"\n\necho \"Operation completed!\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"QEMU system emulation","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://gitlab.com/qemu-project/qemu.git"}},{"text":" or the same repository as the VMM.","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":": do not build in the same source directory as the VMM! Since buildroot copies the whole content of that source directory, binary files will conflict (the VMM is cross-built while the system emulation QEMU is native).","type":"text"},{"text":" ","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"git clone https://gitlab.com/qemu-project/qemu.git\ncd qemu\n./configure --target-list=aarch64-softmmu --enable-slirp --disable-docs\nmake -j16","type":"text"}]},{"type":"paragraph","content":[{"text":"If you want to use the same source directory as the target QEMU, QEMU integrated in buildroot","type":"text","marks":[{"type":"strong"}]},{"text":", do use a separate build directory as described here:","type":"text"}]},{"type":"codeBlock","content":[{"text":"mkdir -p ../build/qemu/ # outside of the source directory\ncd ../build/qemu/\n../../qemu/configure --target-list=aarch64-softmmu --enable-slirp --disable-docs\nmake -j16","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Running the system emulation","type":"text"}]},{"type":"paragraph","content":[{"text":"QEMU will connect to four TCP ports for the different consoles. Create the servers manually with ","type":"text"},{"text":"socat -,rawer TCP-LISTEN:5432x","type":"text","marks":[{"type":"code"}]},{"text":" (x = 0, 1, 2, 3) or use the script given at the end in section “","type":"text"},{"text":"Spawn four consoles with servers listening for QEMU system emulation”","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"QEMU-virt startup script:","type":"text"}]},{"type":"paragraph","content":[{"text":"Note: KASLR must be disabled to workaround a limitation of TF-A for virt platform (see ","type":"text"},{"text":"details","type":"text","marks":[{"type":"link","attrs":{"href":"https://gitlab.com/qemu-project/qemu/-/issues/2823#note_2423122633"}}]},{"text":")","type":"text"}]},{"type":"codeBlock","content":[{"text":"qemu-system-aarch64 -M virt,virtualization=on,secure=on,gic-version=3\n -M acpi=off -cpu max,x-rme=on -m 8G -smp 8\n -nographic\n -bios trusted-firmware-a/flash.bin\n -kernel linux-cca/arch/arm64/boot/Image\n -drive format=raw,if=none,file=buildroot/output/images/rootfs.ext4,id=hd0\n -device virtio-blk-pci,drive=hd0\n # The following parameters allow to use separate consoles for Firmware (port 54320),\n # Secure payload (54321), host (54322) and guest (54323).\n -nodefaults\n -serial tcp:localhost:54320\n -serial tcp:localhost:54321\n -chardev socket,mux=on,id=hvc0,port=54322,host=localhost\n -device virtio-serial-device\n -device virtconsole,chardev=hvc0\n -chardev socket,mux=on,id=hvc1,port=54323,host=localhost\n -device virtio-serial-device\n -device virtconsole,chardev=hvc1\n -append \"root=/dev/vda console=hvc0 nokaslr\"\n -device virtio-net-pci,netdev=net0 -netdev user,id=net0\n # This shares the current directory with the host, providing the files needed\n # to launch the guest.\n -device virtio-9p-device,fsdev=shr0,mount_tag=shr0\n -fsdev local,security_model=none,path=.,id=shr0","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"QEMU-sbsa startup script:","type":"text"}]},{"type":"codeBlock","content":[{"text":"qemu-system-aarch64 \\\n -machine sbsa-ref -m 8G \\\n -cpu max,x-rme=on,sme=off,pauth-impdef=on \\\n -drive file=images/SBSA_FLASH0.fd,format=raw,if=pflash \\\n -drive file=images/SBSA_FLASH1.fd,format=raw,if=pflash \\\n -drive file=fat:rw:images/disks/virtual,format=raw \\\n -drive format=raw,if=none,file=buildroot/output/images/rootfs.ext4,id=hd0 \\\n -device virtio-blk-pci,drive=hd0 \\\n -serial tcp:localhost:54320 \\\n -serial tcp:localhost:54321 \\\n -chardev socket,mux=on,id=hvc0,port=54322,host=localhost \\\n -device virtio-serial-pci \\\n -device virtconsole,chardev=hvc0 \\\n -chardev socket,mux=on,id=hvc1,port=54323,host=localhost \\\n -device virtio-serial-pci \\\n -device virtconsole,chardev=hvc1 \\\n -device virtio-9p-pci,fsdev=shr0,mount_tag=shr0 \\\n -fsdev local,security_model=none,path=../../,id=shr0","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"Crucially, the ","type":"text"},{"text":"x-rme=on","type":"text","marks":[{"type":"code"}]},{"text":" parameter enables the (experimental) FEAT_RME.","type":"text"}]},{"type":"paragraph","content":[{"text":"In the host kernel log, verify that KVM communicates with the RMM and is ready to launch Realm guests:","type":"text"}]},{"type":"codeBlock","content":[{"text":"[ 0.893261] kvm [1]: Using prototype RMM support (version 66.0)","type":"text"}]},{"type":"paragraph","content":[{"text":"Note: ","type":"text","marks":[{"type":"strong"}]},{"text":"The virt platform currently has at most 8GB of RAM, which we believe is enough memory to demonstrate how CCA works in a simulated environment. Modifications to the trusted firmware and RMM elements are needed if a different value is selected.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Launching a Realm guest","type":"text"}]},{"type":"paragraph","content":[{"text":"Once at the host command line prompt simply use ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]},{"text":"root","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}},{"type":"code"}]},{"text":" to log in.","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"7d7f5650-6afd-4d7c-95f5-b0ffc7088582"}}]}]},{"type":"paragraph","content":[{"text":"Using buildroot-external-cca, the shared directory should be automatically mounted. Otherwise mount it with with:","type":"text"}]},{"type":"codeBlock","content":[{"text":"mount -t 9p shr0 /mnt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Launching a Realm guest using QEMU","type":"text"}]},{"type":"paragraph","content":[{"text":"When using buildroot-external-cca, the filesystem should contain a script provided by cca-realm-measurements. Launch the VM with:","type":"text"}]},{"type":"codeBlock","content":[{"text":"gen-run-vmm.sh --tap --extcon","type":"text"}]},{"type":"paragraph","content":[{"text":"Using a tap network puts the guest on the same network as the host, and allows running the attestation demo below.","type":"text"}]},{"type":"paragraph","content":[{"text":"Or manually (with user networking rather than tap):","type":"text"}]},{"type":"codeBlock","content":[{"text":"qemu-system-aarch64 \\\n -M confidential-guest-support=rme0 \\\n -object rme-guest,id=rme0,measurement-algorithm=sha512 \\\n -nodefaults \\\n -chardev stdio,mux=on,id=virtiocon0,signal=off \\\n -device virtio-serial-pci \\\n -device virtconsole,chardev=virtiocon0 \\\n -mon chardev=virtiocon0,mode=readline \\\n -kernel /mnt/out/bin/Image \\\n -initrd /mnt/out-br/images/rootfs.cpio \\\n -device virtio-net-pci,netdev=net0,romfile= \\\n -netdev user,id=net0 \\\n -cpu host -M virt -enable-kvm -M gic-version=3,its=on \\\n -smp 2 -m 512M -nographic \\\n -append console=hvc0 < /dev/hvc1 >/dev/hvc1","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"-M confidential-guest-support=rme0","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"-object rme-guest,id=rme0","type":"text","marks":[{"type":"code"}]},{"text":" parameters declare this as a Realm VM.","type":"text"}]},{"type":"paragraph","content":[{"text":"You should see RMM logs in the Firmware","type":"text"},{"text":" ","type":"text","marks":[{"type":"em"}]},{"text":"terminal:","type":"text"}]},{"type":"codeBlock","content":[{"text":"# RMI (Realm Management Interface) is the protocol that host uses to\n# communicate with the RMM\nSMC_RMM_REC_CREATE 45659000 456ad000 446b1000 > RMI_SUCCESS\nSMC_RMM_REALM_ACTIVATE 45659000 > RMI_SUCCESS\n\n# RSI (Realm Service Interface) is the protocol that the guest uses to\n# communicate with the RMM\nSMC_RSI_ABI_VERSION > d0000\nSMC_RSI_REALM_CONFIG 41afe000 > RSI_SUCCESS\nSMC_RSI_IPA_STATE_SET 40000000 60000000 1 0 > RSI_SUCCESS 60000000","type":"text"}]},{"type":"paragraph","content":[{"text":"Followed a few minutes later by the guest kernel starting in the Realm terminal.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Launching a Realm guest using Kvmtool","type":"text"}]},{"type":"codeBlock","content":[{"text":"gen-run-vmm.sh --kvmtool --tap --extcon","type":"text"}]},{"type":"paragraph","content":[{"text":"or manually:","type":"text"}]},{"type":"codeBlock","content":[{"text":"lkvm run --realm -c 2 -m 2G -k /mnt/out/bin/Image -d /mnt/out-br/images/rootfs.ext4 --restricted_mem -p \"console=hvc0 root=/dev/vda\" < /dev/hvc1 > /dev/hvc1","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Launching a Realm guest using cloud-hypervisor","type":"text"}]},{"type":"paragraph","content":[{"text":"This example ","type":"text"},{"text":"uses a macvtap interface to connect the guest to the host network","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/macvtap-bridge.md"}}]},{"text":". CONFIG_MACVTAP needs to be 'y' in the host kernel config.","type":"text"}]},{"type":"codeBlock","content":[{"text":"gen-run-vmm.sh --cloudhv --extcon","type":"text"}]},{"type":"paragraph","content":[{"text":"or manually:","type":"text"}]},{"type":"codeBlock","content":[{"text":"ip link add link eth0 name macvtap0 type macvtap\nip link set macvtap0 up\n\ntapindex=$(cat /sys/class/net/macvtap0/ifindex)\ntapaddress=$(cat /sys/class/net/macvtap0/address)\ntapdevice=\"/dev/tap$tapindex\"\n\n/mnt/out/bin/cloud-hypervisor --platform arm_rme=on --kernel /mnt/out/bin/Image --disk path=/mnt/out-br/images/rootfs.ext4 --cpus boot=2 --memory size=512M --net fd=3,mac=$tapaddress --cmdline \"console=hvc0 root=/dev/vda\" < /dev/hvc1 > /dev/hvc1 3<>$tapdevice","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Running edk2 as a guest","type":"text"}]},{"type":"paragraph","content":[{"text":"Enable USE_EDK2 to boot the Realm guest with the edk2 firmware. It can either load kernel and initrd through the FwCfg device provided by QEMU, or launch a bootloader from a disk image (","type":"text"},{"text":"gen-run-vmm.sh --edk2 --disk-boot","type":"text","marks":[{"type":"code"}]},{"text":"). See section ","type":"text"},{"text":"Guest disk image for edk2","type":"text","marks":[{"type":"link","attrs":{"href":"https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+an+RME+stack+for+QEMU#Guest-disk-image-for-edk2"}}]},{"text":" for details on how to generate the disk image expected by ","type":"text"},{"text":"--disk-boot","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":" When booting the kernel directly, edk2 measures the kernel, initrd and parameters provided on the QEMU command-line and adds them to the Realm Extended Measurement via RSI calls, so that they can be attested later.","type":"text"}]},{"type":"paragraph","content":[{"text":"Notes:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"When booting via grub2, the kernel parameters are stored in ","type":"text"},{"text":"grub.cfg","type":"text","marks":[{"type":"code"}]},{"text":" which is copied from ","type":"text"},{"text":"board/aarch64-efi/grub.cfg","type":"text","marks":[{"type":"code"}]},{"text":" by the buildroot script ","type":"text"},{"text":"board/aarch64-efi/post-image.sh","type":"text","marks":[{"type":"code"}]},{"text":". By default the kernel parameters do not define a ","type":"text"},{"text":"console","type":"text","marks":[{"type":"code"}]},{"text":", so Linux will determine the boot console from the device tree’s ","type":"text"},{"text":"/chosen/stdout-path","type":"text","marks":[{"type":"code"}]},{"text":" property, which QEMU initializes to the default serial console. So if you want to boot with virtconsole, add ","type":"text"},{"text":"console=hvc0","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"$(BUILDROOT)board/aarch64-efi/grub.cfg","type":"text","marks":[{"type":"code"}]},{"text":" before making buildroot.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Attestation Proof of Concept","type":"text"}]},{"type":"paragraph","content":[{"text":"Two demonstration applications are available in the root file system.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"cca-workload-attestation","type":"text"}]},{"type":"paragraph","content":[{"text":"From a Realm VM, you can query the RMM for a CCA attestation token that is printed to the console and saved to a file:","type":"text"}]},{"type":"codeBlock","content":[{"text":"cca-workload-attestation report","type":"text"}]},{"type":"paragraph","content":[{"text":"The tool can also demonstrate a typical interaction with an attestation service by communicating the CCA attestation token to an instance of the Veraison services:","type":"text"}]},{"type":"codeBlock","content":[{"text":"cca-workload-attestation passport","type":"text"}]},{"type":"paragraph","content":[{"text":"Details on the cca-workload-attestation, the Veraison services and the endorser that populate the endorsement values can be found ","type":"text"},{"text":"here.","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/cca-demos/cca-workload-attestation-poc"}}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"keybroker-demo","type":"text"}]},{"type":"paragraph","content":[{"text":"The keybroker demo shows interaction between an attester, a relying party and a verifier. The keybroker-app, running in the Realm, requests a secret key from keybroker-server, run by the relying party. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/veraison/keybroker-demo/"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":": the keybroker server","type":"text"}]},{"type":"codeBlock","content":[{"text":"cd rust-keybroker\ncargo build","type":"text"}]},{"type":"paragraph","content":[{"text":"Run","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"paragraph","content":[{"text":"The server, on the build machine, listens on port 8088, and connects to the Linaro veraison instance for platform token verification. You can change these settings with command-line options.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"target/debug/keybroker-server -e http://10.0.2.2 -v","type":"text"}]},{"type":"paragraph","content":[{"text":"The client, in the Realm, requests secret key “skywalker”: ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"keybroker-app skywalker -e http://10.0.2.2:8088 -v","type":"text"}]},{"type":"paragraph","content":[{"text":"You will normally get the following error:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO Attestation failure :-( ! AttestationFailure: No attestation result was obtained. No known-good reference values.","type":"text"}]},{"type":"paragraph","content":[{"text":"This means that the platform token verification succeeded, but the realm token verification did not. The Realm Initial Measurement is not known by the server:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO Known-good RIM values are missing. If you trust the client that submitted\nevidence for challenge 2961561008, you should restart the keybroker-server with the following\ncommand-line option to populate it with known-good RIM values:\n--reference-values <(echo '{ \"reference-values\": [ \"WE/l0rYWLJykPTBwM92hM39VFpy9OdqvBHsQpjXfTEzXZGTf+D5n2Fqqhb4Zi/L3TMbYH9opnzjQL2EDa8TXUg==\" ] }')","type":"text"}]},{"type":"paragraph","content":[{"text":"Retrying the key request after restarting the server with the suggested parameter should now succeed:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO Attestation success :-) ! The key returned from the keybroker is 'May the force be with you.'","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"realm-measurements","type":"text"}]},{"type":"paragraph","content":[{"text":"Instead of running the server twice, you can also predict the Realm Initial Measurement, even before running the guest, using the cca-realm-measurements tool.","type":"text"}]},{"type":"paragraph","content":[{"text":"Repo","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/veraison/cca-realm-measurements.git"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Build","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"}]},{"type":"codeBlock","content":[{"text":"cargo build\n\n# Create a local configuration:\ncat << EOF > gen-run-vmm.cfg\nREALM_MEASUREMENTS=target/debug/realm-measurements\nCONFIGS_DIR=configs\n# The root of the optee build directory\nBUILD=path/to/cca\nKERNEL=\\$BUILD/out/bin/Image\nINITRD=\\$BUILD/out-br/images/rootfs.cpio\nEDK2_DIR=\\$BUILD/edk2\nEOF","type":"text"}]},{"type":"paragraph","content":[{"text":"Run","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"scripts/gen-run-vmm.sh --gen-measurements\n# outputs:\n+ target/debug/realm-measurements -c configs/qemu-max-8.2.conf -c configs/kvm.conf -k /build/cca/out/bin/Image -i /build/cca/out-br/images/rootfs.cpio -f /Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/FV/QEMU_EFI.fd --print-b64 qemu -M confidential-guest-support=rme0 -object rme-guest,id=rme0,measurement-algorithm=sha512 -nodefaults -chardev stdio,mux=on,id=virtiocon0,signal=off -device virtio-serial-pci -device virtconsole,chardev=virtiocon0 -mon chardev=virtiocon0,mode=readline -kernel /build/cca/out/bin/Image -initrd /build/cca/out-br/images/rootfs.cpio -device virtio-net-pci,netdev=net0,romfile= -netdev user,id=net0 -cpu host -M virt -enable-kvm -M gic-version=3,its=on -smp 2 -m 512M -nographic -dtb qemu-gen.dtb -append console=hvc0\nRIM: eZ25AQETulL4kIvgJi/yCVi12ASeD1MOvIwSq9gwNT7HYPAjWePnMcLfH4OaHEafW6V4MnZfgWxgr5uYQnG26Q==","type":"text"}]},{"type":"paragraph","content":[{"text":"Since this is the same script that you use to launch the VM, it already knows the QEMU command-line arguments that you use, and the generated DTB loaded into the VM. Since you also give it the kernel and initrd images that will be loaded into the Realm, it will correctly predict the resulting Realm Initial Measurement (","type":"text"},{"text":"RIM","type":"text","marks":[{"type":"em"}]},{"text":"). You can of course run the realm-measurements tool manually if you use a different VMM command-line.","type":"text"}]},{"type":"paragraph","content":[{"text":"Pass the resulting ","type":"text"},{"text":"RIM","type":"text","marks":[{"type":"em"}]},{"text":" to keybroker-server:","type":"text"}]},{"type":"codeBlock","content":[{"text":"target/debug/keybroker-server -e http://10.0.2.2 -v --reference-values <(echo '{ \"reference-values\": [ \"eZ25AQETulL4kIvgJi/yCVi12ASeD1MOvIwSq9gwNT7HYPAjWePnMcLfH4OaHEafW6V4MnZfgWxgr5uYQnG26Q==\" ] }')","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"When running your own veraison instance (see the ","type":"text"},{"text":"documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/veraison/services"}}]},{"text":" and ","type":"text"},{"text":"poc-endorser","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.codelinaro.org/linaro/dcap/cca-demos/poc-endorser/"}}]},{"text":"), you can also provision the verifier with reference values directly, so ","type":"text"},{"text":"cca-workload-attestation passport","type":"text","marks":[{"type":"code"}]},{"text":" can obtain an ","type":"text"},{"text":"affirming","type":"text","marks":[{"type":"em"}]},{"text":" appraisal of the realm token:","type":"text"}]},{"type":"codeBlock","content":[{"text":"scripts/gen-run-vmm.sh --corim-output realm-corim.cbor\nveraison -- cocli corim submit --corim-file realm-corim.cbor --media-type 'application/corim-unsigned+cbor; profile=\"http://arm.com/cca/realm/1\"'","type":"text"}]},{"type":"paragraph","content":[{"text":"And in the guest:","type":"text"}]},{"type":"codeBlock","content":[{"text":"# veraison.example points to the machine running the veraison instance (build machine)\n$ cat /etc/hosts\n10.0.2.2 veraison.example\n$ cca-workload-attestation passport\n{\n \"ear.verifier-id\": {\n \"build\": \"N/A\",\n \"developer\": \"Veraison Project\"\n },\n \"eat_nonce\": \"zM2RxZM5agCVJs2EyaWLmtDEM5qq7jj0xcXmLsdi56Bz8SnYSbBwQtpzdHUUMv5WWg5d8zFypap_oz5HzySknQ==\",\n \"eat_profile\": \"tag:github.com,2023:veraison/ear\",\n \"iat\": 1733322149,\n \"submods\": {\n \"CCA_REALM\": {\n \"ear.appraisal-policy-id\": \"policy:ARM_CCA\",\n \"ear.status\": \"affirming\",\n \"ear.trustworthiness-vector\": {\n \"configuration\": 0,\n \"executables\": 2,\n \"file-system\": 0,\n \"hardware\": 0,\n \"instance-identity\": 2,\n \"runtime-opaque\": 0,\n \"sourced-data\": 0,\n \"storage-opaque\": 0\n },\n \"ear.veraison.annotated-evidence\": {\n \"cca-realm-challenge\": \"zM2RxZM5agCVJs2EyaWLmtDEM5qq7jj0xcXmLsdi56Bz8SnYSbBwQtpzdHUUMv5WWg5d8zFypap/oz5HzySknQ==\",\n \"cca-realm-extensible-measurements\": [\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\"\n ],\n \"cca-realm-hash-algo-id\": \"sha-512\",\n \"cca-realm-initial-measurement\": \"pHeSIWwfShg9v8l38mqDGHloBvWCtBg7eJ9/zKG5hnjfQs2ACqZk/+sx1/f1A2h7TuKxoSPNhq4p5vkrKl1lBg==\",\n \"cca-realm-personalization-value\": \"q80AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\n \"cca-realm-profile\": \"tag:arm.com,2023:realm#1.0.0\",\n \"cca-realm-public-key\": \"pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=\",\n \"cca-realm-public-key-hash-algo-id\": \"sha-256\"\n }\n },\n \"CCA_SSD_PLATFORM\": {\n \"ear.appraisal-policy-id\": \"policy:ARM_CCA\",\n \"ear.status\": \"affirming\",\n ...","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tips","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Automate some things in the host boot","type":"text"}]},{"type":"paragraph","content":[{"text":"You can add files to the buildroot images by providing an overlay directory. The ","type":"text"},{"text":"BR2_ROOTFS_OVERLAY","type":"text","marks":[{"type":"code"}]},{"text":" option points to the directory that will be added into the image. For example I use:","type":"text"}]},{"type":"codeBlock","content":[{"text":"├── etc\n│ ├── init.d\n│ │ └── S50-shr\n│ └── inittab","type":"text"}]},{"type":"paragraph","content":[{"text":"S50-shr is an initscript that mounts the shared directory:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"#!/bin/sh\n\ncase $1 in\n start)\n mkdir -p /mnt/shr0/\n mount -t 9p shr0 /mnt/shr0/\n ;;\n stop)\n umount /mnt/shr0/\n rmdir /mnt/shr0/\n ;;\nesac","type":"text"}]},{"type":"paragraph","content":[{"text":"inittab is buildroot’s ","type":"text"},{"text":"package/busybox/inittab","type":"text","marks":[{"type":"code"}]},{"text":", modified to automatically log into root (the respawn line). It could also mount the 9p filesystem.","type":"text"}]},{"type":"codeBlock","content":[{"text":"# /etc/inittab\n#\n# Copyright (C) 2001 Erik Andersen \n#\n# Note: BusyBox init doesn't support runlevels. The runlevels field is\n# completely ignored by BusyBox init. If you want runlevels, use\n# sysvinit.\n#\n# Format for each entry: :::\n#\n# id == tty to run on, or empty for /dev/console\n# runlevels == ignored\n# action == one of sysinit, respawn, askfirst, wait, and once\n# process == program to run\n\n# Startup the system\n::sysinit:/bin/mount -t proc proc /proc\n::sysinit:/bin/mount -o remount,rw /\n::sysinit:/bin/mkdir -p /dev/pts /dev/shm\n::sysinit:/bin/mount -a\n::sysinit:/bin/mount -t debugfs debugfs /sys/kernel/debug\n::sysinit:/sbin/swapon -a\nnull::sysinit:/bin/ln -sf /proc/self/fd /dev/fd\nnull::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin\nnull::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout\nnull::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr\n::sysinit:/bin/hostname -F /etc/hostname\n# now run any rc scripts\n::sysinit:/etc/init.d/rcS\n\n# Put a getty on the serial port\n#console::respawn:/sbin/getty -L console 0 vt100 # GENERIC_SERIAL\n\n::respawn:-/bin/sh\n\n# Stuff to do for the 3-finger salute\n#::ctrlaltdel:/sbin/reboot\n\n# Stuff to do before rebooting\n::shutdown:/etc/init.d/rcK\n::shutdown:/sbin/swapoff -a\n::shutdown:/bin/umount -a -r","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Spawn four consoles with servers listening for QEMU system emulation:","type":"text"}]},{"type":"paragraph","content":[{"text":"This uses OP-TEE’s ","type":"text"},{"text":"soc_term.py","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/OP-TEE/build/blob/master/soc_term.py"}}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"#!/bin/bash\n\nSOC_TERM=path/to/optee/soc_term.py\n\nxterm -title \"Firmware\" -e bash -c \"$SOC_TERM 54320\" &\nxterm -title \"Secure\" -e bash -c \"$SOC_TERM 54321\" &\nxterm -title \"host\" -e bash -c \"$SOC_TERM 54322\" &\nxterm -title \"Realm\" -e bash -c \"$SOC_TERM 54323\" &\n\nwhile ! nc -z 127.0.0.1 54320 || ! nc -z 127.0.0.1 54321 || ! nc -z 127.0.0.1 54322 || ! nc -z 127.0.0.1 54323; do sleep 1; done","type":"text"}]}],"version":1}

Browser not supported