[PATCH 04/10] hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console

[Alexander Graf <graf@amazon.com>]

Nitro Enclaves support a special "debug" mode. When in debug mode, the
Nitro Hypervisor provides a vsock port that the parent can connect to to
receive serial console output of the Enclave. Add a new nitro-serial-vsock
driver that implements short-circuit logic to establish the vsock
connection to that port and feed its data into a chardev, so that a machine
model can use it as serial device.

Signed-off-by: Alexander Graf <graf@amazon.com>
---
 MAINTAINERS                     |   6 ++
 hw/Kconfig                      |   1 +
 hw/meson.build                  |   1 +
 hw/nitro/Kconfig                |   3 +
 hw/nitro/meson.build            |   1 +
 hw/nitro/serial-vsock.c         | 154 ++++++++++++++++++++++++++++++++
 hw/nitro/trace-events           |   4 +
 hw/nitro/trace.h                |   4 +
 include/hw/nitro/serial-vsock.h |  26 ++++++
 meson.build                     |   1 +
 10 files changed, 201 insertions(+)
 create mode 100644 hw/nitro/Kconfig
 create mode 100644 hw/nitro/meson.build
 create mode 100644 hw/nitro/serial-vsock.c
 create mode 100644 hw/nitro/trace-events
 create mode 100644 hw/nitro/trace.h
 create mode 100644 include/hw/nitro/serial-vsock.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 3d002143ae..53ce075e9a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3022,6 +3022,12 @@ F: hw/vmapple/*
 F: include/hw/vmapple/*
 F: docs/system/arm/vmapple.rst
 
+Nitro Enclaves (native)
+M: Alexander Graf <graf@amazon.com>
+S: Maintained
+F: hw/nitro/
+F: include/hw/nitro/
+
 Subsystems
 ----------
 Overall Audio backends
diff --git a/hw/Kconfig b/hw/Kconfig
index f8f92b5d03..b3ce1520a6 100644
--- a/hw/Kconfig
+++ b/hw/Kconfig
@@ -22,6 +22,7 @@ source isa/Kconfig
 source mem/Kconfig
 source misc/Kconfig
 source net/Kconfig
+source nitro/Kconfig
 source nubus/Kconfig
 source nvme/Kconfig
 source nvram/Kconfig
diff --git a/hw/meson.build b/hw/meson.build
index 66e46b8090..36da5322f7 100644
--- a/hw/meson.build
+++ b/hw/meson.build
@@ -44,6 +44,7 @@ subdir('isa')
 subdir('mem')
 subdir('misc')
 subdir('net')
+subdir('nitro')
 subdir('nubus')
 subdir('nvme')
 subdir('nvram')
diff --git a/hw/nitro/Kconfig b/hw/nitro/Kconfig
new file mode 100644
index 0000000000..86c817c766
--- /dev/null
+++ b/hw/nitro/Kconfig
@@ -0,0 +1,3 @@
+config NITRO_SERIAL_VSOCK
+    bool
+    depends on NITRO
diff --git a/hw/nitro/meson.build b/hw/nitro/meson.build
new file mode 100644
index 0000000000..d95ed8dd79
--- /dev/null
+++ b/hw/nitro/meson.build
@@ -0,0 +1 @@
+system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vsock.c'))
diff --git a/hw/nitro/serial-vsock.c b/hw/nitro/serial-vsock.c
new file mode 100644
index 0000000000..12d6804a33
--- /dev/null
+++ b/hw/nitro/serial-vsock.c
@@ -0,0 +1,154 @@
+/*
+ * Nitro Enclave Vsock Serial
+ *
+ * Copyright © 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Authors:
+ *   Alexander Graf <graf@amazon.com>
+ *
+ * With Nitro Enclaves in debug mode, the Nitro Hypervisor provides a vsock
+ * port that the parent can connect to to receive serial console output of
+ * the Enclave. This driver implements short-circuit logic to establish the
+ * vsock connection to that port and feed its data into a chardev, so that
+ * a machine model can use it as serial device.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+#include "qapi/visitor.h"
+#include "chardev/char.h"
+#include "chardev/char-fe.h"
+#include "hw/core/qdev-properties.h"
+#include "hw/core/qdev-properties-system.h"
+#include "hw/core/sysbus.h"
+#include "hw/nitro/serial-vsock.h"
+#include "trace.h"
+
+#define CONSOLE_PORT_START 10000
+#define VMADDR_CID_HYPERVISOR_STR "0"
+
+static int nitro_serial_vsock_can_read(void *opaque)
+{
+    NitroSerialVsockState *s = opaque;
+
+    /* Refuse vsock input until the output backend is ready */
+    return qemu_chr_fe_backend_open(&s->output) ? 4096 : 0;
+}
+
+static void nitro_serial_vsock_read(void *opaque, const uint8_t *buf, int size)
+{
+    NitroSerialVsockState *s = opaque;
+
+    /* Forward all vsock data to the output chardev */
+    qemu_chr_fe_write_all(&s->output, buf, size);
+}
+
+static void nitro_serial_vsock_event(void *opaque, QEMUChrEvent event)
+{
+    /* No need to action on connect/disconnect events, but trace for debug */
+    trace_nitro_serial_vsock_event(event);
+}
+
+static void nitro_serial_vsock_set_cid(Object *obj, Visitor *v,
+                                       const char *name, void *opaque,
+                                       Error **errp)
+{
+    NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj);
+    uint32_t cid, port;
+    g_autofree char *chardev_id = NULL;
+    Chardev *chr;
+    ChardevBackend *backend;
+    ChardevSocket *sock;
+
+    if (!visit_type_uint32(v, name, &cid, errp)) {
+        return;
+    }
+
+    s->cid = cid;
+    port = cid + CONSOLE_PORT_START;
+
+    /*
+     * We know the Enclave CID to connect to now. Create a vsock
+     * client chardev that connects to the Enclave's console.
+     */
+    chardev_id = g_strdup_printf("nitro-console-%u", cid);
+
+    backend = g_new0(ChardevBackend, 1);
+    backend->type = CHARDEV_BACKEND_KIND_SOCKET;
+    sock = backend->u.socket.data = g_new0(ChardevSocket, 1);
+    sock->addr = g_new0(SocketAddressLegacy, 1);
+    sock->addr->type = SOCKET_ADDRESS_TYPE_VSOCK;
+    sock->addr->u.vsock.data = g_new0(VsockSocketAddress, 1);
+    sock->addr->u.vsock.data->cid = g_strdup(VMADDR_CID_HYPERVISOR_STR);
+    sock->addr->u.vsock.data->port = g_strdup_printf("%u", port);
+    sock->server = false;
+    sock->has_server = true;
+
+    chr = qemu_chardev_new(chardev_id, TYPE_CHARDEV_SOCKET,
+                           backend, NULL, errp);
+    if (!chr) {
+        return;
+    }
+
+    if (!qemu_chr_fe_init(&s->vsock, chr, errp)) {
+        return;
+    }
+
+    qemu_chr_fe_set_handlers(&s->vsock,
+                             nitro_serial_vsock_can_read,
+                             nitro_serial_vsock_read,
+                             nitro_serial_vsock_event,
+                             NULL, s, NULL, true);
+}
+
+static void nitro_serial_vsock_get_cid(Object *obj, Visitor *v,
+                                       const char *name, void *opaque,
+                                       Error **errp)
+{
+    NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj);
+    uint32_t cid = s->cid;
+
+    visit_type_uint32(v, name, &cid, errp);
+}
+
+static void nitro_serial_vsock_realize(DeviceState *dev, Error **errp)
+{
+    /*
+     * At realize we don't know the Enclave CID yet, because the nitro accel
+     * first needs to launch the Enclave. Delay creation of the connection
+     * until the nitro accel pushes the CID as QOM property.
+     */
+}
+
+static const Property nitro_serial_vsock_props[] = {
+    DEFINE_PROP_CHR("chardev", NitroSerialVsockState, output),
+};
+
+static void nitro_serial_vsock_class_init(ObjectClass *oc, const void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+    dc->realize = nitro_serial_vsock_realize;
+    device_class_set_props(dc, nitro_serial_vsock_props);
+
+    object_class_property_add(oc, "enclave-cid", "uint32",
+                              nitro_serial_vsock_get_cid,
+                              nitro_serial_vsock_set_cid,
+                              NULL, NULL);
+}
+
+static const TypeInfo nitro_serial_vsock_info = {
+    .name = TYPE_NITRO_SERIAL_VSOCK,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(NitroSerialVsockState),
+    .class_init = nitro_serial_vsock_class_init,
+};
+
+static void nitro_serial_vsock_register(void)
+{
+    type_register_static(&nitro_serial_vsock_info);
+}
+
+type_init(nitro_serial_vsock_register);
diff --git a/hw/nitro/trace-events b/hw/nitro/trace-events
new file mode 100644
index 0000000000..20617a024a
--- /dev/null
+++ b/hw/nitro/trace-events
@@ -0,0 +1,4 @@
+# See docs/devel/tracing.rst for syntax documentation.
+
+# serial-vsock.c
+nitro_serial_vsock_event(int event) "event %d"
diff --git a/hw/nitro/trace.h b/hw/nitro/trace.h
new file mode 100644
index 0000000000..b455d6c17b
--- /dev/null
+++ b/hw/nitro/trace.h
@@ -0,0 +1,4 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "trace/trace-hw_nitro.h"
diff --git a/include/hw/nitro/serial-vsock.h b/include/hw/nitro/serial-vsock.h
new file mode 100644
index 0000000000..92c9374eeb
--- /dev/null
+++ b/include/hw/nitro/serial-vsock.h
@@ -0,0 +1,26 @@
+/*
+ * Nitro Enclave Serial (vsock)
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_CHAR_NITRO_SERIAL_VSOCK_H
+#define HW_CHAR_NITRO_SERIAL_VSOCK_H
+
+#include "hw/core/qdev.h"
+#include "hw/core/sysbus.h"
+#include "chardev/char-fe.h"
+#include "qom/object.h"
+
+#define TYPE_NITRO_SERIAL_VSOCK "nitro-serial-vsock"
+OBJECT_DECLARE_SIMPLE_TYPE(NitroSerialVsockState, NITRO_SERIAL_VSOCK)
+
+struct NitroSerialVsockState {
+    SysBusDevice parent_obj;
+
+    CharFrontend output;    /* chardev to write console output to */
+    CharFrontend vsock;     /* vsock chardev to enclave console */
+    uint32_t cid;
+};
+
+#endif /* HW_CHAR_NITRO_SERIAL_VSOCK_H */
diff --git a/meson.build b/meson.build
index bdeee65db2..3c6fa7a55a 100644
--- a/meson.build
+++ b/meson.build
@@ -3634,6 +3634,7 @@ if have_system
     'hw/misc/macio',
     'hw/net',
     'hw/net/can',
+    'hw/nitro',
     'hw/nubus',
     'hw/nvme',
     'hw/nvram',
-- 
2.47.1




Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597