diff --git a/docs/system/i386/nitro-enclave.rst b/docs/system/i386/nitro-enclave.rst index 3fb9e068930..73e3edefe5b 100644 --- a/docs/system/i386/nitro-enclave.rst +++ b/docs/system/i386/nitro-enclave.rst @@ -1,8 +1,8 @@ 'nitro-enclave' virtual machine (``nitro-enclave``) =================================================== -``nitro-enclave`` is a machine type which emulates an ``AWS nitro enclave`` -virtual machine. `AWS nitro enclaves`_ is an `Amazon EC2`_ feature that allows +``nitro-enclave`` is a machine type which emulates an *AWS nitro enclave* +virtual machine. `AWS nitro enclaves`_ is an Amazon EC2 feature that allows creating isolated execution environments, called enclaves, from Amazon EC2 instances which are used for processing highly sensitive data. Enclaves have no persistent storage and no external networking. The enclave VMs are based @@ -13,7 +13,7 @@ the enclave VM gets a dynamic CID. Enclaves use an EIF (`Enclave Image Format`_) file which contains the necessary kernel, cmdline and ramdisk(s) to boot. In QEMU, ``nitro-enclave`` is a machine type based on ``microvm`` similar to how -``AWS nitro enclaves`` are based on ``Firecracker`` microvm. This is useful for +AWS nitro enclaves are based on `Firecracker`_ microvm. This is useful for local testing of EIF files using QEMU instead of running real AWS Nitro Enclaves which can be difficult for debugging due to its roots in security. The vsock device emulation is done using vhost-user-vsock which means another process that @@ -23,13 +23,13 @@ must be run alongside nitro-enclave for the vsock communication to work. ``libcbor`` and ``gnutls`` are required dependencies for nitro-enclave machine support to be added when building QEMU from source. -.. _AWS nitro enlaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html -.. _Amazon EC2: https://aws.amazon.com/ec2/ +.. _AWS nitro enclaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html .. _Enclave Image Format: https://github.com/aws/aws-nitro-enclaves-image-format .. _vhost-device-vsock: https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock +.. _Firecracker: https://firecracker-microvm.github.io Using the nitro-enclave machine type ------------------------------- +------------------------------------ Machine-specific options ~~~~~~~~~~~~~~~~~~~~~~~~ @@ -45,11 +45,13 @@ It supports the following machine-specific options: Running a nitro-enclave VM ~~~~~~~~~~~~~~~~~~~~~~~~~~ -First, run `vhost-device-vsock`_ (or a similar tool that supports vhost-user-vsock). +First, run `vhost-device-vsock`__ (or a similar tool that supports vhost-user-vsock). The forward-cid option below with value 1 forwards all connections from the enclave VM to the host machine and the forward-listen (port numbers separated by '+') is used for forwarding connections from the host machine to the enclave VM. +__ https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock#using-the-vsock-backend + $ vhost-device-vsock \ --vm guest-cid=4,forward-cid=1,forward-listen=9001+9002,socket=/tmp/vhost4.socket @@ -74,5 +76,3 @@ connect to the enclave VM, run them on the host machine after enclave VM starts. You need to modify the applications to connect to CID 1 (instead of the enclave VM's CID) and use the forward-listen (e.g., 9001+9002) option of vhost-device-vsock to forward the ports they connect to. - -.. _vhost-device-vsock: https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock#using-the-vsock-backend diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst index 23e84e3ba76..ab7af1a75d6 100644 --- a/docs/system/target-i386.rst +++ b/docs/system/target-i386.rst @@ -14,8 +14,9 @@ Board-specific documentation .. toctree:: :maxdepth: 1 - i386/microvm i386/pc + i386/microvm + i386/nitro-enclave Architectural features ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/meson.build b/meson.build index 20300fca206..41458e3dba1 100644 --- a/meson.build +++ b/meson.build @@ -1709,7 +1709,11 @@ if (have_system or have_tools) and (virgl.found() or opengl.found()) endif have_vhost_user_gpu = have_vhost_user_gpu and virgl.found() and opengl.found() and gbm.found() -libcbor = dependency('libcbor', version: '>=0.7.0', required: false) +libcbor = not_found +if not get_option('libcbor').auto() or have_system + libcbor = dependency('libcbor', version: '>=0.7.0', + required: get_option('libcbor')) +endif gnutls = not_found gnutls_crypto = not_found @@ -3119,6 +3123,8 @@ host_kconfig = \ (spice.found() ? ['CONFIG_SPICE=y'] : []) + \ (have_ivshmem ? ['CONFIG_IVSHMEM=y'] : []) + \ (opengl.found() ? ['CONFIG_OPENGL=y'] : []) + \ + (libcbor.found() ? ['CONFIG_LIBCBOR=y'] : []) + \ + (gnutls.found() ? ['CONFIG_GNUTLS=y'] : []) + \ (x11.found() ? ['CONFIG_X11=y'] : []) + \ (fdt.found() ? ['CONFIG_FDT=y'] : []) + \ (have_vhost_user ? ['CONFIG_VHOST_USER=y'] : []) + \ @@ -4699,6 +4705,7 @@ summary_info += {'NUMA host support': numa} summary_info += {'capstone': capstone} summary_info += {'libpmem support': libpmem} summary_info += {'libdaxctl support': libdaxctl} +summary_info += {'libcbor support': libcbor} summary_info += {'libudev': libudev} # Dummy dependency, keep .found() summary_info += {'FUSE lseek': fuse_lseek.found()} diff --git a/hw/core/eif.c b/hw/core/eif.c index d737d7f23c1..7f3b2edc9a7 100644 --- a/hw/core/eif.c +++ b/hw/core/eif.c @@ -467,7 +467,7 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd, uint16_t section_type; if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) { - error_setg_errno(errp, errno, "Failed to offset to %lu in EIF file", + error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file", eif_header.section_offsets[i]); goto cleanup; } @@ -483,7 +483,7 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd, if (eif_header.section_sizes[i] != hdr.section_size) { error_setg(errp, "EIF section size mismatch between header and " - "section header: header %lu, section header %lu", + "section header: header %" PRIu64 ", section header %" PRIu64, eif_header.section_sizes[i], hdr.section_size); goto cleanup; diff --git a/Kconfig.host b/Kconfig.host index 4ade7899d67..842cbe0d6c5 100644 --- a/Kconfig.host +++ b/Kconfig.host @@ -5,6 +5,12 @@ config LINUX bool +config LIBCBOR + bool + +config GNUTLS + bool + config OPENGL bool diff --git a/hw/core/Kconfig b/hw/core/Kconfig index 24411f59306..d1bdf765ee8 100644 --- a/hw/core/Kconfig +++ b/hw/core/Kconfig @@ -34,3 +34,7 @@ config REGISTER config SPLIT_IRQ bool + +config EIF + bool + depends on LIBCBOR && GNUTLS diff --git a/hw/core/meson.build b/hw/core/meson.build index 5437a944902..9fd0b5aaa5e 100644 --- a/hw/core/meson.build +++ b/hw/core/meson.build @@ -24,9 +24,7 @@ system_ss.add(when: 'CONFIG_REGISTER', if_true: files('register.c')) system_ss.add(when: 'CONFIG_SPLIT_IRQ', if_true: files('split-irq.c')) system_ss.add(when: 'CONFIG_XILINX_AXI', if_true: files('stream.c')) system_ss.add(when: 'CONFIG_PLATFORM_BUS', if_true: files('sysbus-fdt.c')) -if libcbor.found() and gnutls.found() - system_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: [files('eif.c'), zlib, libcbor, gnutls]) -endif +system_ss.add(when: 'CONFIG_EIF', if_true: [files('eif.c'), zlib, libcbor, gnutls]) system_ss.add(files( 'cpu-sysemu.c', diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig index 63271bf9153..32818480d26 100644 --- a/hw/i386/Kconfig +++ b/hw/i386/Kconfig @@ -131,7 +131,11 @@ config MICROVM config NITRO_ENCLAVE default y - depends on MICROVM + depends on I386 && FDT # for MICROVM + depends on LIBCBOR && GNUTLS # for EIF and VIRTIO_NSM + depends on VHOST_USER # for VHOST_USER_VSOCK + select EIF + select MICROVM select VHOST_USER_VSOCK select VIRTIO_NSM diff --git a/hw/i386/meson.build b/hw/i386/meson.build index 1ddd7a83be9..10bdfde27c6 100644 --- a/hw/i386/meson.build +++ b/hw/i386/meson.build @@ -15,9 +15,7 @@ i386_ss.add(when: 'CONFIG_AMD_IOMMU', if_true: files('amd_iommu.c'), if_false: files('amd_iommu-stub.c')) i386_ss.add(when: 'CONFIG_I440FX', if_true: files('pc_piix.c')) i386_ss.add(when: 'CONFIG_MICROVM', if_true: files('x86-common.c', 'microvm.c', 'acpi-microvm.c', 'microvm-dt.c')) -if libcbor.found() and gnutls.found() - i386_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: files('nitro_enclave.c')) -endif +i386_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: files('nitro_enclave.c')) i386_ss.add(when: 'CONFIG_Q35', if_true: files('pc_q35.c')) i386_ss.add(when: 'CONFIG_VMMOUSE', if_true: files('vmmouse.c')) i386_ss.add(when: 'CONFIG_VMPORT', if_true: files('vmport.c')) diff --git a/hw/virtio/Kconfig b/hw/virtio/Kconfig index 0cedf48f982..70c77e183d4 100644 --- a/hw/virtio/Kconfig +++ b/hw/virtio/Kconfig @@ -8,8 +8,7 @@ config VIRTIO_RNG config VIRTIO_NSM bool - default y - depends on VIRTIO + depends on LIBCBOR && VIRTIO config VIRTIO_IOMMU bool diff --git a/hw/virtio/meson.build b/hw/virtio/meson.build index 1fe7cb4d72c..a5f9f7999dd 100644 --- a/hw/virtio/meson.build +++ b/hw/virtio/meson.build @@ -54,9 +54,7 @@ specific_virtio_ss.add(when: 'CONFIG_VIRTIO_PMEM', if_true: files('virtio-pmem.c specific_virtio_ss.add(when: 'CONFIG_VHOST_VSOCK', if_true: files('vhost-vsock.c')) specific_virtio_ss.add(when: 'CONFIG_VHOST_USER_VSOCK', if_true: files('vhost-user-vsock.c')) specific_virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-rng.c')) -if libcbor.found() - specific_virtio_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm.c', 'cbor-helpers.c'), libcbor]) -endif +specific_virtio_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm.c', 'cbor-helpers.c'), libcbor]) specific_virtio_ss.add(when: 'CONFIG_VIRTIO_MEM', if_true: files('virtio-mem.c')) specific_virtio_ss.add(when: 'CONFIG_VHOST_USER_SCMI', if_true: files('vhost-user-scmi.c')) specific_virtio_ss.add(when: ['CONFIG_VIRTIO_PCI', 'CONFIG_VHOST_USER_SCMI'], if_true: files('vhost-user-scmi-pci.c')) @@ -73,9 +71,7 @@ virtio_pci_ss.add(when: 'CONFIG_VIRTIO_CRYPTO', if_true: files('virtio-crypto-pc virtio_pci_ss.add(when: 'CONFIG_VIRTIO_INPUT_HOST', if_true: files('virtio-input-host-pci.c')) virtio_pci_ss.add(when: 'CONFIG_VIRTIO_INPUT', if_true: files('virtio-input-pci.c')) virtio_pci_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-rng-pci.c')) -if libcbor.found() - virtio_pci_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm-pci.c', 'cbor-helpers.c'), libcbor]) -endif +virtio_pci_ss.add(when: 'CONFIG_VIRTIO_NSM', if_true: [files('virtio-nsm-pci.c', 'cbor-helpers.c'), libcbor]) virtio_pci_ss.add(when: 'CONFIG_VIRTIO_BALLOON', if_true: files('virtio-balloon-pci.c')) virtio_pci_ss.add(when: 'CONFIG_VIRTIO_9P', if_true: files('virtio-9p-pci.c')) virtio_pci_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio-scsi-pci.c')) diff --git a/meson_options.txt b/meson_options.txt index 0ee4d7bb86b..24bf0090560 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -168,6 +168,8 @@ option('iconv', type : 'feature', value : 'auto', description: 'Font glyph conversion support') option('curses', type : 'feature', value : 'auto', description: 'curses UI') +option('libcbor', type : 'feature', value : 'auto', + description: 'libcbor support') option('gnutls', type : 'feature', value : 'auto', description: 'GNUTLS cryptography support') option('nettle', type : 'feature', value : 'auto', diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh index 6d08605b771..6f2bb08ecd8 100644 --- a/scripts/meson-buildoptions.sh +++ b/scripts/meson-buildoptions.sh @@ -133,6 +133,7 @@ meson_options_help() { printf "%s\n" ' keyring Linux keyring support' printf "%s\n" ' kvm KVM acceleration support' printf "%s\n" ' l2tpv3 l2tpv3 network backend support' + printf "%s\n" ' libcbor libcbor support' printf "%s\n" ' libdaxctl libdaxctl support' printf "%s\n" ' libdw debuginfo support' printf "%s\n" ' libiscsi libiscsi userspace initiator' @@ -358,6 +359,8 @@ _meson_option_parse() { --disable-kvm) printf "%s" -Dkvm=disabled ;; --enable-l2tpv3) printf "%s" -Dl2tpv3=enabled ;; --disable-l2tpv3) printf "%s" -Dl2tpv3=disabled ;; + --enable-libcbor) printf "%s" -Dlibcbor=enabled ;; + --disable-libcbor) printf "%s" -Dlibcbor=disabled ;; --enable-libdaxctl) printf "%s" -Dlibdaxctl=enabled ;; --disable-libdaxctl) printf "%s" -Dlibdaxctl=disabled ;; --libdir=*) quote_sh "-Dlibdir=$2" ;;